Retrieve PCAP Packet

post /public_api/v1/alerts/get_alerts_pcap

Retrieve a list of alert IDs and the associated PCAP triggering packets of PAN NGFW type alerts returned when running the Get Alerts and Get Extra Incident Data APIs. Maximum result set size is 100.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

CURL

  curl -X POST \

-H "Accept: application/json" \
 -H "Content-Type: application/json" \
"https://api-yourfqdn/public_api/v1/alerts/get_alerts_pcap" \
 -d '{
  "request_data" : {
    "filters" : [ {
      "field" : "severity",
      "operator" : "in",
      "value" : [ "medium", "high" ]
    } ],
    "search_from" : 0,
    "search_to" : 5,
    "sort" : {
      "field" : "severity",
      "keyword" : "asc"
    }
  }
}'
  

Response

                {
    "reply": [
        {
            "id": 283839,
            "pcap_data": ""
        },
        {
            "id": 319541,
            "pcap_data": "<pcap_data>"
        }
    ]
}
              

Request

Body

optional

Note: You can send a request to retrieve either all or filtered results.

Example: {"request_data":{}}

request_data

optional

filters

optional

Array

An array of filter fields.

field

required

String (Enum)

Identifies the alert field the filter is matching. Filters are based on the following keywords:

alert_id_list: List of integers of the Alert ID
alert_source: List of strings of the Alert source
severity: List of strings of the Alert severity
creation_time: Integer of the Creation time

Allowed values:

alert_id_list

alert_source

severity

creation_time

operator

required

String (Enum)

String that identifies the comparison operator you want to use for this filter. Values keywords: in:

alert_id, alert_source, and severity. gte or lte:
creation_time.

Allowed values:

gte

lte

value

required

Array of objects

Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter:

creation_time: Integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is returned in the response under the detection_timestamp field, and represented in console under the TIMESTAMP field.
alert_id_list: List of integers. Each item in the list must be an alert ID.
severity: Valid values are low, medium, high, critical, informational, unknown.

search_from

optional

String

An integer representing the starting offset within the query result set from which you want alerts returned. Alerts are returned as a zero-based list. Any alert indexed less than this value is not returned in the final result set and defaults to zero.

search_to

optional

String

An integer representing the end offset within the result set after which you do not want alerts returned. Alerts in the alerts list that are indexed higher than this value are not returned in the final results set. Defaults to 100, which returns all alerts to the end of the list.

sort

optional

Identifies the sort order for the result set. By default the sort is defined as creation_time, DESC.

field

required

String (Enum)

The field you want to sort by.

Allowed values:

creation_time

severity

keyword

required

String (Enum)

Whether to sort in ascending or descending order.

Allowed values:

asc

desc

Responses

Successful response

Body

optional

total_count

optional

Integer

Number of total results of this filter without paging. If filter returned 10,000 results or more than 9,999 will be the value and you can use paging to view the entire set of data.

result_count

optional

Integer

Number of alerts actually returned as result.

alerts

optional

Array

optional

String

pcap_data

optional

String

For alerts without PCAP data an empty string is returned.

Bad Request. Got an invalid JSON.

Body

The query result upon error.

err_code

optional

String

HTTP response code.

err_msg

optional

String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra

optional

String

Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body

The query result upon error.

err_code

optional

String

HTTP response code.

err_msg

optional

String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra

optional

String

Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body

The query result upon error.

err_code

optional

String

HTTP response code.

err_msg

optional

String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra

optional

String

Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body

The query result upon error.

err_code

optional

String

HTTP response code.

err_msg

optional

String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra

optional

String

Additional information describing the error.

Internal server error. A unified status for API communication type errors.

Body

The query result upon error.

err_code

optional

String

HTTP response code.

err_msg

optional

String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra

optional

String

Additional information describing the error.