Retrieve a list of alert IDs and the associated PCAP triggering packets of PAN NGFW type alerts returned when running the Get Alerts and Get Extra Incident Data APIs. Maximum result set size is 100.
Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB
Authorization
String
required
{api_key}
{api_key}
authorization_example
x-xdr-auth-id
String
required
{api_key_id}
{api_key_id}
xXdrAuthId_example
Accept-Encoding
String
For retrieving a compressed gzipped response
For retrieving a compressed gzipped response
acceptEncoding_example
gzip
curl -X 'POST'
-H
'Accept: application/json'
-H
'Content-Type: application/json'
-H
'Authorization: authorization_example'
-H
'x-xdr-auth-id: xXdrAuthId_example'
-H
'Accept-Encoding: acceptEncoding_example'
'https://api-yourfqdn/public_api/v1/alerts/get_alerts_pcap'
-d
''
import http.client
conn = http.client.HTTPSConnection("api-yourfqdn")
payload = "{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],\"search_from\":\"0\",\"search_to\":\"5\",\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}"
headers = {
'Authorization': "SOME_STRING_VALUE",
'x-xdr-auth-id': "SOME_STRING_VALUE",
'Accept-Encoding': "SOME_STRING_VALUE",
'content-type': "application/json"
}
conn.request("POST", "/public_api/v1/alerts/get_alerts_pcap", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://api-yourfqdn/public_api/v1/alerts/get_alerts_pcap")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Post.new(url)
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["Accept-Encoding"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
request.body = "{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],\"search_from\":\"0\",\"search_to\":\"5\",\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}"
response = http.request(request)
puts response.read_bodyconst data = JSON.stringify({
"request_data": {
"filters": [
{
"field": "severity",
"operator": "in",
"value": [
"medium",
"high"
]
}
],
"search_from": "0",
"search_to": "5",
"sort": {
"field": "severity",
"keyword": "asc"
}
}
});
const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function () {
if (this.readyState === this.DONE) {
console.log(this.responseText);
}
});
xhr.open("POST", "https://api-yourfqdn/public_api/v1/alerts/get_alerts_pcap");
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
xhr.setRequestHeader("Accept-Encoding", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/alerts/get_alerts_pcap")
.header("Authorization", "SOME_STRING_VALUE")
.header("x-xdr-auth-id", "SOME_STRING_VALUE")
.header("Accept-Encoding", "SOME_STRING_VALUE")
.header("content-type", "application/json")
.body("{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],\"search_from\":\"0\",\"search_to\":\"5\",\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}")
.asString();import Foundation
let headers = [
"Authorization": "SOME_STRING_VALUE",
"x-xdr-auth-id": "SOME_STRING_VALUE",
"Accept-Encoding": "SOME_STRING_VALUE",
"content-type": "application/json"
]
let parameters = ["request_data": [
"filters": [
[
"field": "severity",
"operator": "in",
"value": ["medium", "high"]
]
],
"search_from": "0",
"search_to": "5",
"sort": [
"field": "severity",
"keyword": "asc"
]
]] as [String : Any]
let postData = JSONSerialization.data(withJSONObject: parameters, options: [])
let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/alerts/get_alerts_pcap")! as URL,
cachePolicy: .useProtocolCachePolicy,
timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data
let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
if (error != nil) {
print(error)
} else {
let httpResponse = response as? HTTPURLResponse
print(httpResponse)
}
})
dataTask.resume()<?php
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://api-yourfqdn/public_api/v1/alerts/get_alerts_pcap",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => "{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],\"search_from\":\"0\",\"search_to\":\"5\",\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}",
CURLOPT_HTTPHEADER => [
"Accept-Encoding: SOME_STRING_VALUE",
"Authorization: SOME_STRING_VALUE",
"content-type: application/json",
"x-xdr-auth-id: SOME_STRING_VALUE"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}CURL *hnd = curl_easy_init();
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/alerts/get_alerts_pcap");
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "Accept-Encoding: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],\"search_from\":\"0\",\"search_to\":\"5\",\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}");
CURLcode ret = curl_easy_perform(hnd);var client = new RestClient("https://api-yourfqdn/public_api/v1/alerts/get_alerts_pcap");
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("Accept-Encoding", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"request_data\":{\"filters\":[{\"field\":\"severity\",\"operator\":\"in\",\"value\":[\"medium\",\"high\"]}],\"search_from\":\"0\",\"search_to\":\"5\",\"sort\":{\"field\":\"severity\",\"keyword\":\"asc\"}}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);request_dataobject
filtersarrayAn array of filter fields.
An array of filter fields.
fieldobject (Enum)Identifies the alert field the filter is matching. Filters are based on the following keywords:
alert_id_list: List of integers of the Alert IDalert_source: List of strings of the Alert sourceseverity: List of strings of the Alert severitycreation_time: Integer of the Creation time
Identifies the alert field the filter is matching. Filters are based on the following keywords:
alert_id_list: List of integers of the Alert IDalert_source: List of strings of the Alert sourceseverity: List of strings of the Alert severitycreation_time: Integer of the Creation time
operatorobject (Enum)String that identifies the comparison operator you want to use for this filter. Values keywords:
in:
alert_id, alert_source, and severity.
gte or lte:creation_time.
String that identifies the comparison operator you want to use for this filter. Values keywords:
in:
alert_id,alert_source, andseverity.gteorlte:creation_time.
valueinteger or array[['integer', 'string']]Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter:
creation_time: Integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is returned in the response under the detection_timestamp field, and represented in console under the TIMESTAMP field.alert_id_list: List of integers. Each item in the list must be an alert ID.severity: Valid values are low, medium, high, critical, informational, unknown.
Value that this filter must match. The contents of this field will differ depending on the alert field that you specified for this filter:
creation_time: Integer representing the number of seconds or milliseconds after the Unix epoch, UTC timezone. The value is returned in the response under thedetection_timestampfield, and represented in console under the TIMESTAMP field.alert_id_list: List of integers. Each item in the list must be an alert ID.severity: Valid values arelow,medium,high,critical,informational,unknown.
search_fromstringAn integer representing the starting offset within the query result set from which you want alerts returned.
Alerts are returned as a zero-based list. Any alert indexed less than this value is not returned in the final result set and defaults to zero.
An integer representing the starting offset within the query result set from which you want alerts returned. Alerts are returned as a zero-based list. Any alert indexed less than this value is not returned in the final result set and defaults to zero.
search_tostringAn integer representing the end offset within the result set after which you do not want alerts returned.
Alerts in the alerts list that are indexed higher than this value are not returned in the final results set. Defaults to 100, which returns all alerts to the end of the list.
An integer representing the end offset within the result set after which you do not want alerts returned. Alerts in the alerts list that are indexed higher than this value are not returned in the final results set. Defaults to 100, which returns all alerts to the end of the list.
sortobjectrequiredIdentifies the sort order for the result set. By default the sort is defined as creation_time, DESC.
Identifies the sort order for the result set. By default the sort is defined as creation_time, DESC.
fieldobject (Enum)The field you want to sort by.
The field you want to sort by.
keywordobject (Enum)Whether to sort in ascending or descending order.
Whether to sort in ascending or descending order.
{
"request_data": {}
}{
"request_data": {
"filters": [
{
"field": "severity",
"operator": "in",
"value": [
"medium",
"high"
]
}
],
"search_from": 0,
"search_to": 5,
"sort": {
"field": "severity",
"keyword": "asc"
}
}
}Successful response
replyobject
total_countintegerNumber of total results of this filter without paging. If filter returned 10,000 results or more than 9,999 will be the value and you can use paging to view the entire set of data.
Number of total results of this filter without paging. If filter returned 10,000 results or more than 9,999 will be the value and you can use paging to view the entire set of data.
result_countintegerNumber of alerts actually returned as result.
Number of alerts actually returned as result.
alertsarray
idstring
pcap_datastringFor alerts without PCAP data an empty string is returned.
For alerts without PCAP data an empty string is returned.
{
"reply": [
{
"id": 283839,
"pcap_data": ""
},
{
"id": 319541,
"pcap_data": "<pcap_data>"
}
]
}Bad Request. Got an invalid JSON.
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}Unauthorized access. User does not have the required license type to run this API.
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}Internal server error. A unified status for API communication type errors.
The query result upon error.
err_codestringHTTP response code.
HTTP response code.
err_msgstringError message.
Error message.
"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"err_extrastringAdditional information describing the error.
Additional information describing the error.
{
"err_code": "example",
"err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}",
"err_extra": "example"
}