Execute an XQL query.
For more information on how to run XQL queries, see Running XQL Query APIs.
Required license: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB
Headers

Authorization (String, required). Example: authorization_example
x-xdr-auth-id (String, required). Example: xXdrAuthId_example
Body parameters

request_data (Object, required)

query (String): the XQL query to run.

tenants (Array[string]): only used when querying tenants managed by Managed Security Services Providers (MSSP). List of strings used for running APIs on local and Managed Security tenants. Valid values:
- For a single-tenant (local tenant) query, a single-item list containing your tenant_id. An empty list ([]) or null (the default) is also valid.
- For multi-tenant investigations (a Managed Security parent investigating its children and/or the local tenant), a multi-item list with the required tenant_ids. The list can contain the parent, the children, or both.

timeframe (Object): integers in epoch milliseconds. Valid forms:
- Absolute Unix timestamps bounding a date period: {"from": 1598907600000, "to": 1599080399000} = 31/08/20 09:00:00 PM UTC to 02/09/20 08:59:59 PM UTC.
- Relative Unix timestamp covering the last 24 hours: {"relativeTime": 86400000} (24 * 60 * 60 * 1000 = 86400000).

from (String): use for an absolute timeframe, in Unix timestamp (epoch milliseconds).
to (String): use for an absolute timeframe, in Unix timestamp (epoch milliseconds).
relativeTime (String): use for a relative timeframe, a duration in milliseconds.

Note that the type column lists from, to and relativeTime as String while the description gives epoch-millisecond integers; the sample request sends from and to as strings.
{
"request_data": {
"query": "dataset=xdr_data | fields event_id, event_type, event_sub_type | limit 3",
"tenants": [
"431509831",
"401387390"
],
"timeframe": {
"from": "1598907600000",
"to": "1599080399000"
}
}
}
curl -X POST \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  'https://api-yourfqdn/public_api/v1/xql/start_xql_query' \
  -d '{"request_data": {"query": "dataset=xdr_data | fields event_id, event_type, event_sub_type | limit 3", "tenants": ["431509831", "401387390"], "timeframe": {"from": "1598907600000", "to": "1599080399000"}}}'

Replace authorization_example with your API key and xXdrAuthId_example with that key's ID. Passing the key on the command line leaves it in shell history and process listings, so prefer reading it from a file or an environment variable.
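The same request assembled and sent from Python, as an added example that is not part of the Cortex XDR documentation. It reuses the page's sample query, tenant IDs and timestamps; the environment variable names XDR_FQDN, XDR_API_KEY and XDR_API_KEY_ID are assumed placeholders, and the `build_request` helper is ours. The helper refuses a body that mixes or omits the absolute and relative timeframe forms rather than leaving that to the server.

```python
"""Added example (not from the Cortex XDR docs): build and send a
start_xql_query request. Query, tenant IDs and timestamps reuse the page's
sample; XDR_FQDN, XDR_API_KEY and XDR_API_KEY_ID are assumed placeholder
environment variable names so no credential is hard-coded."""
import json
import os
import urllib.request

API_PATH = "/public_api/v1/xql/start_xql_query"


def relative_ms(hours: int) -> int:
    """Relative timeframe value: hours * 60 * 60 * 1000 milliseconds."""
    return hours * 60 * 60 * 1000


def build_request(query, tenants=None, *, from_ms=None, to_ms=None, relative=None):
    """Assemble the request_data envelope.

    Exactly one timeframe form is allowed: absolute (from_ms and to_ms) or
    relative (relative). Mixing the two, or giving neither, is rejected here.
    tenants may be omitted for a plain single-tenant query; the docs also
    accept [] or null.
    """
    absolute = from_ms is not None and to_ms is not None
    if absolute == (relative is not None):
        raise ValueError("give from_ms and to_ms, or relative, but not both")
    if tenants is not None and not all(isinstance(t, str) for t in tenants):
        raise TypeError("tenants must be a list of tenant_id strings")
    timeframe = (
        {"relativeTime": relative} if relative is not None
        else {"from": from_ms, "to": to_ms}
    )
    request_data = {"query": query}
    if tenants is not None:
        request_data["tenants"] = list(tenants)
    request_data["timeframe"] = timeframe
    return {"request_data": request_data}


def start_xql_query(fqdn, api_key, api_key_id, body, timeout=30):
    """POST body to the start_xql_query endpoint and return the parsed JSON reply."""
    req = urllib.request.Request(
        "https://" + fqdn + API_PATH,
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": api_key,      # the API key itself
            "x-xdr-auth-id": api_key_id,   # the ID of that API key
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_request(
        "dataset=xdr_data | fields event_id, event_type, event_sub_type | limit 3",
        ["431509831", "401387390"],
        from_ms="1598907600000",   # the page's sample sends these as strings
        to_ms="1599080399000",
    )
    reply = start_xql_query(
        os.environ["XDR_FQDN"], os.environ["XDR_API_KEY"],
        os.environ["XDR_API_KEY_ID"], body,
    )
    print(json.dumps(reply, indent=2))
```

Run it with the three environment variables set; `build_request(query, relative=relative_ms(24))` produces the last-24-hours form from the timeframe description instead of the absolute one.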