POST
/public_api/v1/alerts/get_alerts_pcap
Retrieve a list of alert IDs together with the PCAP of the triggering packets for PAN NGFW alerts, that is, the alerts returned by the Get Alerts and Get Extra Incident Data APIs. Alerts that have no capture attached are returned with an empty pcap_data string. Maximum result set size is 100.
Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB
CURL
curl -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
"https://api-yourfqdn/public_api/v1/alerts/get_alerts_pcap" \
-d '{
"request_data" : {
"filters" : [ {
"field" : "severity",
"operator" : "in",
"value" : [ "medium", "high" ]
} ],
"search_from" : 0,
"search_to" : 5,
"sort" : {
"field" : "severity",
"keyword" : "asc"
}
}
}'
Response
{
"reply": [
{
"id": 283839,
"pcap_data": ""
},
{
"id": 319541,
"pcap_data": "<pcap_data>"
}
]
}
Request
Body
optional
Note: You can send a request to retrieve either all results (an empty request_data object) or a filtered subset.
Example:
{"request_data":{}}
request_data
optional
filters
optional
Array
An array of filter fields.
field
required
String
(Enum)
Identifies the alert field the filter is matching. Filters are based on the following keywords:
alert_id_list: list of integers of the alert ID
alert_source: list of strings of the alert source
severity: list of strings of the alert severity
creation_time: integer of the creation time
Allowed values:
alert_id_list
alert_source
severity
creation_time
operator
required
String
(Enum)
String that identifies the comparison operator you want to use for this filter. Value keywords:
in: alert_id_list, alert_source, and severity.
gte or lte: creation_time.
Allowed values:
in
gte
lte
value
required
Array
of objects
Value that this filter must match. The contents of this field depend on the alert field you specified for this filter:
creation_time: integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is returned in the response under the detection_timestamp field and shown in the console under the TIMESTAMP field.
alert_id_list: list of integers. Each item in the list must be an alert ID.
severity: valid values are low, medium, high, critical, informational, unknown.
search_from
optional
Integer
Zero-based starting offset within the query result set from which alerts are returned (the cURL example above sends it as an integer). Alerts indexed below this value are omitted from the final result set. Defaults to 0.
search_to
optional
Integer
End offset within the result set after which no alerts are returned. Alerts indexed above this value are omitted from the final result set. Defaults to 100, which returns alerts to the end of the list; together with search_from it cannot cover more than the documented maximum of 100 results per call.
sort
optional
Identifies the sort order for the result set. By default the sort is defined as creation_time, DESC.
field
required
String
(Enum)
The field you want to sort by.
Allowed values:
creation_time
severity
keyword
required
String
(Enum)
Whether to sort in ascending or descending order.
Allowed values:
asc
desc
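The following is an added client-side example, not code from Cortex XDR or from this page. It builds a request body that honours the field/operator pairings and the 100-result window documented above, and turns the response into raw capture bytes. Two things it assumes that the page does not state: that pcap_data is a base64-encoded pcap or pcapng blob (the page only shows it as an opaque string, empty when no packet is attached), and that authentication uses the x-xdr-auth-id and Authorization headers of the Cortex XDR public API; the FQDN, key ID and key are placeholders. Before writing a blob to disk it checks for a capture magic number, so a malformed or unexpected payload is rejected rather than handed straight to a packet parser.

```python
"""Helper for POST /public_api/v1/alerts/get_alerts_pcap (added example).

Assumptions (not stated on the reference page):
  * pcap_data is base64-encoded pcap/pcapng bytes, "" when no capture exists.
  * Auth uses the x-xdr-auth-id / Authorization headers; values are placeholders.
"""
import base64
import json
import struct
import urllib.request

MAX_WINDOW = 100  # the page states the maximum result set size is 100

IN_FIELDS = {"alert_id_list", "alert_source", "severity"}
RANGE_FIELDS = {"creation_time"}
SEVERITIES = {"low", "medium", "high", "critical", "informational", "unknown"}
SORT_FIELDS = {"creation_time", "severity"}

PCAP_MAGICS = (b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",  # classic pcap, big/little endian
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1",  # nanosecond pcap variants
               b"\x0a\x0d\x0d\x0a")                        # pcapng section header block


def make_filter(field, operator, value):
    """Build one filter object, enforcing the field/operator pairing the page documents."""
    if field in IN_FIELDS:
        if operator != "in" or not isinstance(value, list):
            raise ValueError(f"{field} requires operator 'in' with a list value")
        if field == "severity" and not set(value) <= SEVERITIES:
            raise ValueError(f"unknown severity in {value}")
        if field == "alert_id_list" and not all(isinstance(v, int) for v in value):
            raise ValueError("alert_id_list values must be integer alert IDs")
    elif field in RANGE_FIELDS:
        if operator not in ("gte", "lte") or not isinstance(value, int):
            raise ValueError(f"{field} requires 'gte' or 'lte' with an integer epoch value")
    else:
        raise ValueError(f"unsupported filter field {field!r}")
    return {"field": field, "operator": operator, "value": value}


def build_request(filters=(), search_from=0, search_to=MAX_WINDOW, sort=None):
    """Assemble the request body; rejects windows wider than the documented maximum."""
    if search_from < 0 or search_to <= search_from or search_to - search_from > MAX_WINDOW:
        raise ValueError("search window must satisfy 0 <= from < to and be at most 100 wide")
    body = {"filters": list(filters), "search_from": search_from, "search_to": search_to}
    if sort is not None:
        if sort["field"] not in SORT_FIELDS or sort["keyword"] not in ("asc", "desc"):
            raise ValueError(f"invalid sort {sort!r}")
        body["sort"] = sort
    return {"request_data": body}


def decode_pcap_data(encoded):
    """Decode one pcap_data value (assumed base64) and require a capture magic number."""
    raw = base64.b64decode(encoded, validate=True)
    if not raw.startswith(PCAP_MAGICS):
        raise ValueError("decoded blob does not start with a pcap/pcapng magic number")
    return raw


def extract_pcaps(response):
    """Map alert id -> raw capture bytes, skipping alerts whose pcap_data is empty."""
    captures = {}
    for entry in response["reply"]:
        if entry.get("pcap_data"):  # "" means no packet is attached to this alert
            captures[entry["id"]] = decode_pcap_data(entry["pcap_data"])
    return captures


def fetch_page(fqdn, api_key_id, api_key, body):
    """POST one request. The two auth headers are an assumption about the API, not from the page."""
    req = urllib.request.Request(
        f"https://api-{fqdn}/public_api/v1/alerts/get_alerts_pcap",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "x-xdr-auth-id": str(api_key_id), "Authorization": api_key},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response (not real API output): one alert with no capture and
# one carrying a minimal 24-byte little-endian pcap global header with no packets.
_EMPTY_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_RESPONSE = {"reply": [
    {"id": 283839, "pcap_data": ""},
    {"id": 319541, "pcap_data": base64.b64encode(_EMPTY_PCAP).decode()},
]}

if __name__ == "__main__":
    body = build_request(
        [make_filter("severity", "in", ["medium", "high"]),
         make_filter("creation_time", "gte", 1700000000)],
        0, 5, {"field": "severity", "keyword": "asc"})
    print(json.dumps(body, indent=2))
    for alert_id, pcap in extract_pcaps(SAMPLE_RESPONSE).items():
        print(f"alert {alert_id}: {len(pcap)} bytes of capture data")
```

To walk a large result set, call build_request repeatedly with search_from advancing by 100 and search_to at search_from + 100, and stop when a page comes back shorter than the window; filters and sort must be identical on every call or the offsets no longer line up.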
Responses