POST /public_api/v1/endpoints/scan

Run a scan on selected endpoints.
- Response is concatenated using AND condition (OR is not supported).
- Offset is the zero-based number of incidents from the start of the result set.
Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB
CURL

curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/endpoints/scan" \
  -d '{
    "request_data" : {
      "incident_id" : "incident_id",
      "filters" : [ {
        "field" : "field",
        "value" : [ "value", "value" ],
        "operator" : "in"
      }, {
        "field" : "field",
        "value" : [ "value", "value" ],
        "operator" : "in"
      } ]
    }
  }'
Request

Body (optional)
Note: You can send a request to retrieve either all or filtered results.
Example:
{"request_data":{"filters":"all"}}

request_data (required)
    A dictionary containing the API request fields.

filters (required, Array (Enum))
    An array of filter fields. To scan all endpoints, use the value all.
    Allowed values: all
field (required, String)
    String that identifies a list the filters match. Filters are based on the following keywords:
    - endpoint_id_list: List of endpoint IDs.
    - dist_name: Name of the distribution list.
    - first_seen: When an endpoint was first seen.
    - last_seen: When an endpoint was last seen.
    - ip_list: List of IP addresses.
    - group_name: Name of endpoint group.
    - platform: Type of operating system.
    - alias: Endpoint alias name.
    - isolate: If an endpoint has been isolated.
    - hostname: Name of host.
operator (required, String (Enum))
    String that identifies the comparison operator you want to use for this filter. Valid keywords and values are:
    in
    - endpoint_id_list, dist_name, group_name, alias, hostname, username: List of strings
    - ip_list: List of strings, for example 192.168.5.12
    - platform: Permitted values are windows, linux, macos, android
    - isolate: Permitted values are isolated or unisolated
    - scan_status: Permitted values are none, pending, in_progress, canceled, aborted, pending_cancellation, success, or error
    gte / lte
    - first_seen and last_seen: Integer in timestamp epoch milliseconds.
    Allowed values: in, gte, lte
value (required, Array of strings)
    Value that this filter must match. Valid keywords:
    - first_seen, last_seen: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
    - endpoint_id_list, dist_name, hostname, alias, group_name: List of strings
    - ip_list: Must contain an IP address string
    - isolate: Must be isolated or unisolated.
    - platform: Must be either windows, linux, macos, or android.
incident_id (optional, String)
    Incident ID.
    When included in the request, the Scan Endpoints action will appear in the Cortex XDR Incident View Timeline tab.
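The following is an added example (not Cortex XDR's own client code) that builds a request body for this endpoint from the field, operator and value rules above, rejecting combinations the reference does not allow and converting first_seen/last_seen datetimes to epoch milliseconds. The helper names (make_filter, scan_request, example_body) and the sample incident ID are assumptions.

```python
from datetime import datetime, timezone

# Operators each filter field accepts, per the reference above.
FIELD_OPERATORS = {
    "endpoint_id_list": {"in"}, "dist_name": {"in"}, "group_name": {"in"},
    "alias": {"in"}, "hostname": {"in"}, "username": {"in"}, "ip_list": {"in"},
    "platform": {"in"}, "isolate": {"in"}, "scan_status": {"in"},
    "first_seen": {"gte", "lte"}, "last_seen": {"gte", "lte"},
}
# Fields whose values are restricted to a fixed set of keywords.
ENUM_VALUES = {
    "platform": {"windows", "linux", "macos", "android"},
    "isolate": {"isolated", "unisolated"},
    "scan_status": {"none", "pending", "in_progress", "canceled", "aborted",
                    "pending_cancellation", "success", "error"},
}

def epoch_ms(ts: datetime) -> int:
    """first_seen/last_seen take milliseconds since the Unix epoch, UTC."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return int(ts.timestamp() * 1000)

def make_filter(field: str, operator: str, value) -> dict:
    """One entry of request_data.filters; raises on combinations the API rejects."""
    if operator not in FIELD_OPERATORS.get(field, set()):
        raise ValueError(f"{field!r} does not accept operator {operator!r}")
    values = value if isinstance(value, list) else [value]
    if field in ("first_seen", "last_seen"):
        values = [epoch_ms(v) if isinstance(v, datetime) else int(v) for v in values]
    elif field in ENUM_VALUES:
        bad = set(values) - ENUM_VALUES[field]
        if bad:
            raise ValueError(f"{field!r}: unsupported value(s) {sorted(bad)}")
    return {"field": field, "operator": operator, "value": values}

def scan_request(filters, incident_id=None) -> dict:
    """Full body: filters='all' scans every endpoint; filters are combined with AND."""
    data = {"filters": "all" if filters == "all" else list(filters)}
    if incident_id is not None:
        data["incident_id"] = str(incident_id)  # ties the action to an incident timeline
    return {"request_data": data}

def example_body() -> dict:
    """Constructed sample: Windows endpoints seen since 2024-01-01 UTC, incident "12"."""
    since = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return scan_request([make_filter("platform", "in", ["windows"]),
                         make_filter("last_seen", "gte", since)], incident_id="12")
```

The resulting dict is what goes in the -d body of the cURL call above (json.dumps it first).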
Responses