Execute an XQL query.
For more information on how to run XQL queries, see Running XQL Query APIs.
Required license: Cortex XDR Pro per Endpoint or Cortex XDR Pro per GB
curl -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" -H "Authorization: authorization_example" -H "x-xdr-auth-id: xXdrAuthId_example" \
"https://api-yourfqdn/public_api/v1/xql/start_xql_query" \
-d '{
"request_data" : {
"query" : "dataset=xdr_data | fields event_id, event_type, event_sub_type | limit 3",
"tenants" : [ ],
"timeframe" : {
"from" : 1598907600000,
"to" : 1599080399000
}
}
}'
authorization_example
xXdrAuthId_example
{"request_data":{"query":"dataset=xdr_data | fields event_id, event_type, event_sub_type | limit 3","tenants":["431509831","401387390"],"timeframe":{"from":1598907600000,"to":1599080399000}}}
Note: This is only used when querying tenants managed by Managed Security Services Providers (MSSP).
List of strings used for running APIs on local and Managed Security tenants. Valid values:
- For single tenant (local tenant) query, enter a single-item list with your tenant_id. Additional valid values are, empty list ([]) or null (default).
- For multi-tenant investigations (Managed Security parent who investigate children and/or local), enter multi-item list with the required tenant_id. List of IDs can contain the parent, children, or both parent and children.
Integer in timestamp epoch milliseconds. Valid values include:
- Absolute Unix timestamp representing a date period: {"from" : 1598907600000, "to" : 1599080399000} = date period: 31/08/20 09:00:00 PM UTC - 02/09/20 8:59:59 PM UTC
- Relative Unix timestamp representing the last 24 hours: {"relativeTime": 86400000} = (246060*1000 = 86400000).
Successful response
Bad Request. Invalid JSON.
{"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
{"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
Unauthorized access. User does not have the required license type to run this API.
{"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
{"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
Internal server error. A unified status for API communication type errors.
{"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}