Get All Services

Cortex XSIAM Platform APIs

post /public_api/v1/assets/get_external_services

Get a complete or filtered list of all your external services.

The maximum result limit is 500.

Required license: Cortex XSIAM Premium. In Cortex XSIAM Enterprise and Cortex NG SIEM, requires the ASM add-on.

Request headers
authorization String required

api-key

Example: authorization_example
x-xdr-auth-id String required

api-key-id

Example: xXdrAuthId_example
CLIENT REQUEST
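# Call the get_external_services endpoint with curl.
#
# Every option line ends with a backslash so the shell runs ONE curl command;
# without the continuations each "-H ..." line would run as a separate command.
#
# 'authorization_example' and 'xXdrAuthId_example' are placeholders for the API
# key and the API key ID. Keep real values out of scripts and version control
# (read them from a secret store or environment variable); header values given
# on the command line also end up in shell history and process listings.
#
# NOTE(review): -d '' sends an empty body, while the "Body parameters" section
# lists request_data as required -- a real call is expected to need a JSON body
# like the REQUEST examples further down; confirm.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'authorization: authorization_example' -H 'x-xdr-auth-id: xXdrAuthId_example' \
  'https://api-yourfqdn/public_api/v1/assets/get_external_services' \
  -d ''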
import http.client

# POST a filtered query to get_external_services and print the raw reply.
#
# "api-yourfqdn" and both SOME_STRING_VALUE entries are placeholders: the
# 'authorization' header carries the API key and 'x-xdr-auth-id' the API key ID.
# Load real values from a secret store or the environment instead of hard-coding
# them in the script.
# NOTE(review): this page states a maximum result limit of 500, yet the sample
# body asks for search_to 5000 -- confirm which bound the endpoint enforces.
request_headers = {
    'authorization': "SOME_STRING_VALUE",
    'x-xdr-auth-id': "SOME_STRING_VALUE",
    'content-type': "application/json"
}

# JSON body: one filter on active_classifications, vulnerability test results
# enabled, an offset window, and a sort clause.
request_body = "{\"request_data\":{\"filters\":{\"field\":\"active_classifications\",\"operator\":\"contains\",\"value\":\"string\"},\"vulnerability_test_results\":true,\"search_from\":0,\"search_to\":5000,\"sort\":{\"keyword\":\"string\",\"field\":\"string\"}}}"

connection = http.client.HTTPSConnection("api-yourfqdn")
connection.request(
    "POST",
    "/public_api/v1/assets/get_external_services",
    request_body,
    request_headers,
)

# Read the whole response body and print it as UTF-8 text.
response = connection.getresponse()
raw_reply = response.read()
print(raw_reply.decode("utf-8"))
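require 'uri'
require 'net/http'
require 'openssl'

# POST a filtered query to get_external_services and print the response body.
#
# The host and both SOME_STRING_VALUE entries are placeholders: 'authorization'
# carries the API key and 'x-xdr-auth-id' the API key ID. Load real values from
# a secret store or the environment rather than hard-coding them.
url = URI("https://api-yourfqdn/public_api/v1/assets/get_external_services")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The original sample set VERIFY_NONE, which
# accepts any certificate and would hand the API key and key ID to whoever
# answers the connection.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
request["authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
# JSON body: one filter on active_classifications, vulnerability test results
# enabled, an offset window, and a sort clause.
request.body = "{\"request_data\":{\"filters\":{\"field\":\"active_classifications\",\"operator\":\"contains\",\"value\":\"string\"},\"vulnerability_test_results\":true,\"search_from\":0,\"search_to\":5000,\"sort\":{\"keyword\":\"string\",\"field\":\"string\"}}}"

response = http.request(request)
puts response.read_body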
// POST a filtered query to get_external_services with XMLHttpRequest and log
// the response text once the request has finished.
//
// The host and both SOME_STRING_VALUE entries are placeholders: "authorization"
// carries the API key and "x-xdr-auth-id" the API key ID.
// NOTE(review): a key embedded in browser-side script is readable by anyone who
// can load the page -- confirm this sample is only meant for trusted tooling.
// NOTE(review): withCredentials = true also lets the browser attach cookies to a
// cross-origin request; the page documents header-based authentication only, so
// confirm whether it is needed.
const endpoint = "https://api-yourfqdn/public_api/v1/assets/get_external_services";

const requestBody = JSON.stringify({
  "request_data": {
    "filters": {
      "field": "active_classifications",
      "operator": "contains",
      "value": "string"
    },
    "vulnerability_test_results": true,
    "search_from": 0,
    "search_to": 5000,
    "sort": {
      "keyword": "string",
      "field": "string"
    }
  }
});

const req = new XMLHttpRequest();
req.withCredentials = true;

// Fires on every state change; only the final DONE state is of interest.
req.addEventListener("readystatechange", () => {
  if (req.readyState !== XMLHttpRequest.DONE) {
    return;
  }
  console.log(req.responseText);
});

req.open("POST", endpoint);
req.setRequestHeader("authorization", "SOME_STRING_VALUE");
req.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
req.setRequestHeader("content-type", "application/json");

req.send(requestBody);
// POST a filtered query to get_external_services with Unirest and keep the
// reply as a String.
//
// The host and both SOME_STRING_VALUE entries are placeholders: "authorization"
// carries the API key and "x-xdr-auth-id" the API key ID. Load real values from
// a secret store or the environment rather than hard-coding them.
String endpoint = "https://api-yourfqdn/public_api/v1/assets/get_external_services";

// JSON body: one filter on active_classifications, vulnerability test results
// enabled, an offset window, and a sort clause.
String requestBody = "{\"request_data\":{\"filters\":{\"field\":\"active_classifications\",\"operator\":\"contains\",\"value\":\"string\"},\"vulnerability_test_results\":true,\"search_from\":0,\"search_to\":5000,\"sort\":{\"keyword\":\"string\",\"field\":\"string\"}}}";

HttpResponse<String> response = Unirest.post(endpoint)
    .header("authorization", "SOME_STRING_VALUE")
    .header("x-xdr-auth-id", "SOME_STRING_VALUE")
    .header("content-type", "application/json")
    .body(requestBody)
    .asString();
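import Foundation

// POST a filtered query to get_external_services with URLSession and print
// either the transport error or the HTTP response object.
//
// The host and both SOME_STRING_VALUE entries are placeholders: "authorization"
// carries the API key and "x-xdr-auth-id" the API key ID. Load real values from
// a secret store (for example the keychain) rather than hard-coding them.
let headers = [
  "authorization": "SOME_STRING_VALUE",
  "x-xdr-auth-id": "SOME_STRING_VALUE",
  "content-type": "application/json"
]

// Request body: one filter on active_classifications, vulnerability test
// results enabled, an offset window, and a sort clause.
let parameters = ["request_data": [
  "filters": [
    "field": "active_classifications",
    "operator": "contains",
    "value": "string"
  ],
  "vulnerability_test_results": true,
  "search_from": 0,
  "search_to": 5000,
  "sort": [
    "keyword": "string",
    "field": "string"
  ]
]] as [String : Any]

// JSONSerialization.data(withJSONObject:options:) is a throwing call, so it
// must be marked with `try`; the original sample omitted it.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/assets/get_external_services")! as URL,
                                  cachePolicy: .useProtocolCachePolicy,
                                  timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    print(error)
  } else {
    // Only the response metadata is printed; the body in `data` is not read.
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse)
  }
})

// Data tasks are created suspended; resume() starts the request.
dataTask.resume()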
<?php
// POST a filtered query to get_external_services with the cURL extension and
// echo either the cURL error text or the response body.
//
// The host and both SOME_STRING_VALUE entries are placeholders: "authorization"
// carries the API key and "x-xdr-auth-id" the API key ID. Load real values from
// a secret store or the environment rather than hard-coding them.
$endpoint = "https://api-yourfqdn/public_api/v1/assets/get_external_services";

// JSON body: one filter on active_classifications, vulnerability test results
// enabled, an offset window, and a sort clause.
$payload = "{\"request_data\":{\"filters\":{\"field\":\"active_classifications\",\"operator\":\"contains\",\"value\":\"string\"},\"vulnerability_test_results\":true,\"search_from\":0,\"search_to\":5000,\"sort\":{\"keyword\":\"string\",\"field\":\"string\"}}}";

$handle = curl_init();

curl_setopt_array($handle, [
  CURLOPT_URL => $endpoint,
  // Return the body from curl_exec() instead of printing it directly.
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => $payload,
  CURLOPT_HTTPHEADER => [
    "authorization: SOME_STRING_VALUE",
    "content-type: application/json",
    "x-xdr-auth-id: SOME_STRING_VALUE"
  ],
]);

$body = curl_exec($handle);
$error = curl_error($handle);

curl_close($handle);

// A non-empty error string means the transfer itself failed.
echo $error ? "cURL Error #:" . $error : $body;
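/*
 * POST a filtered query to get_external_services with libcurl.
 *
 * This is a fragment meant to sit inside a function. The host and both
 * SOME_STRING_VALUE entries are placeholders: "authorization" carries the API
 * key and "x-xdr-auth-id" the API key ID; load real values from a secret store
 * or the environment rather than compiling them into the binary.
 *
 * NOTE(review): curl_easy_init() can return NULL and the result in `ret` is
 * never inspected; callers should check both (ret against CURLE_OK) before
 * trusting the outcome.
 */
CURL *hnd = curl_easy_init();

curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/assets/get_external_services");

/* Authentication and content-type headers for the request. */
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "authorization: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);

/* JSON body: one filter, vulnerability test results, offsets and sort. */
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"filters\":{\"field\":\"active_classifications\",\"operator\":\"contains\",\"value\":\"string\"},\"vulnerability_test_results\":true,\"search_from\":0,\"search_to\":5000,\"sort\":{\"keyword\":\"string\",\"field\":\"string\"}}}");

CURLcode ret = curl_easy_perform(hnd);

/* Release the header list and the easy handle; the original fragment leaked
 * both. The list must stay alive until the transfer has finished, so it is
 * freed only after curl_easy_perform() returns. */
curl_slist_free_all(headers);
curl_easy_cleanup(hnd);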
// POST a filtered query to get_external_services with RestSharp.
//
// The host and both SOME_STRING_VALUE entries are placeholders: "authorization"
// carries the API key and "x-xdr-auth-id" the API key ID. Load real values from
// a secret store or configuration provider rather than hard-coding them.
string endpoint = "https://api-yourfqdn/public_api/v1/assets/get_external_services";

// JSON body: one filter on active_classifications, vulnerability test results
// enabled, an offset window, and a sort clause.
string requestBody = "{\"request_data\":{\"filters\":{\"field\":\"active_classifications\",\"operator\":\"contains\",\"value\":\"string\"},\"vulnerability_test_results\":true,\"search_from\":0,\"search_to\":5000,\"sort\":{\"keyword\":\"string\",\"field\":\"string\"}}}";

var client = new RestClient(endpoint);

var request = new RestRequest(Method.POST);
request.AddHeader("authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
// The body is attached as a raw request-body parameter with a JSON media type.
request.AddParameter("application/json", requestBody, ParameterType.RequestBody);

IRestResponse response = client.Execute(request);
Body parameters
application/json
request_dataobjectrequired
filtersobject

An array of filter fields.

fieldstring (Enum)

String that identifies the service field the filter is matching. Filters are based on the following case-sensitive keywords:

  • active_classifications
  • business_units_list
  • discovery_type
  • domain
  • externally_detected_providers
  • externally_inferred_cves
  • inactive_classifications
  • ip_address
  • ipv6_address
  • is_active
  • protocol
  • service_name
  • service_type
  • service_type_list
  • tags
Allowed values: "active_classifications", "business_units_list", "discovery_type", "domain", "externally_detected_providers", "externally_inferred_cves", "inactive_classifications", "ip_address", "ipv6_address", "is_active", "protocol", "service_name", "service_type", "service_type_list", "tags"
operatorstring (Enum)

String that identifies the comparison operator you want to use for this filter. Valid keywords and values are:

  • contains / not_contains— use with externally_detected_providers, domain, externally_inferred_cves, active_classifications, inactive_classifications, service_name, service_type, protocol
  • eq / neq— use with service_name, service_type, protocol, ip_address
  • in — use with is_active, discovery_type, business_units_list, tags
Allowed values: "contains", "not_contains", "eq", "neq", "in"
valueobject

Value that this filter must match. The contents of this field will differ depending on the services field that you specified for this filter:

  • active_classifications — String
  • business_units_list — String or list of strings in the format "BU name" or "BU:BU name", for example “Acme & Co, Inc.” or “BU:Acme & Co, Inc.”
  • discovery_type — String. Values are: colocated_on_ip, directly_discovered, unknown.
  • domain — String
  • externally_detected_providers — String
  • externally_inferred_cves — String
  • inactive_classifications — String
  • ip_address — String
  • ipv6_address— String
  • is_active — String. Values are:yes, no
  • protocol — string
  • service_name — String
  • service_type — String
  • service_type_list — String
  • tags — List of strings indicating the tags to filter on in the format "tag-family:tag-name", for example "AR:registered to you".
string

Value that this filter must match. The contents of this field will differ depending on the services field that you specified for this filter:

  • active_classifications — String
  • business_units_list — String or list of strings in the format "BU name" or "BU:BU name", for example “Acme & Co, Inc.” or “BU:Acme & Co, Inc.”
  • discovery_type — String. Values are: colocated_on_ip, directly_discovered, unknown.
  • domain — String
  • externally_detected_providers — String
  • externally_inferred_cves — String
  • inactive_classifications — String
  • ip_address — String
  • ipv6_address— String
  • is_active — String. Values are:yes, no
  • protocol — string
  • service_name — String
  • service_type — String
  • service_type_list — String
  • tags — List of strings indicating the tags to filter on in the format "tag-family:tag-name", for example "AR:registered to you".
Array
vulnerability_test_resultsboolean (Enum)

Use this field with the value true to get vulnerability test results for the last 14 days for each service. Using this field will slow down the endpoint.

Allowed values:true
search_frominteger

An integer representing the start offset index of results.

search_tointeger

An integer representing the end offset index of results. Use this field to specify the number of results on a page when using page token pagination.

Default:5000
sortobject

Identifies the sort order for the result set.

keywordstring

Can be either ASC (ascending order) or DESC (descending order). Default is ASC. Values are case sensitive.

fieldstring

Values are:

  • service_name
  • first_observed
  • last_observed

Values are case-sensitive. By default, the sort field is service_name.
REQUEST
{ "request_data": { "filters": [ { "field": "string", "operator": "string", "value": "string" } ], "use_page_token": true } }
{ "request_data": { "filters": [ { "field": "discovery_type", "operator": "in", "value": [ "colocated_on_ip", "directly_discovered" ] }, { "field": "service_name", "operator": "contains", "value": "apache" } ], "search_from": 0, "search_to": 500 } }
Responses

OK

Body
application/json
replyobject
total_countinteger
result_countinteger
external_servicesarray
[
service_idstring
service_namestring
service_typestring
ip_addressarray[string]
domainarray[string]
externally_detected_providersarray[string]
is_activestring
first_observedinteger
last_observedinteger
portinteger
protocolstring
active_classificationsarray[string]
inactive_classificationsarray[string]
discovery_typestring
business_unitsarray[string]
externally_inferred_vulnerability_scorestring
externally_inferred_cvesarray
[
]
tls_versionsarray
[
]
inferred_cves_observedarray
[
]
cloud_management_statusstring
]
RESPONSE
{ "reply": { "total_count": 0, "result_count": 0, "external_services": [ { "service_id": "string", "service_name": "string", "service_type": "string", "ip_address": [ "string" ], "domain": [ "string" ], "externally_detected_providers": [ "string" ], "is_active": "string", "first_observed": 0, "last_observed": 0, "port": 0, "protocol": "string", "active_classifications": [ "string" ], "inactive_classifications": [ "string" ], "discovery_type": "string", "business_units": [ "string" ], "externally_inferred_vulnerability_score": "null", "externally_inferred_cves": [ {} ], "tls_versions": [ {} ], "inferred_cves_observed": [ {} ], "cloud_management_status": "null" } ] } }
{ "reply": { "total_count": 2, "result_count": 2, "external_services": [ { "service_id": "<service_id>", "service_name": "Server", "service_type": "AServer", "ip_address": [ "<ip_address>" ], "domain": [], "externally_detected_providers": [ "On Prem" ], "is_active": "Active", "first_observed": 1647152340000, "last_observed": 1649499420000, "port": 8009, "protocol": "TCP", "active_classifications": [ "AServer" ], "inactive_classifications": [], "discovery_type": "DirectlyDiscovered", "business_units": [ "Business Unit 1" ], "externally_inferred_vulnerability_score": "null", "externally_inferred_cves": [], "tls_versions": [], "inferred_cves_observed": [] }, { "service_id": "<service_id>", "service_name": "HTTP Server", "service_type": "HttpServer", "ip_address": [ "ip_address" ], "domain": [ "email.test.org" ], "externally_detected_providers": [ "Demo" ], "is_active": "Inactive", "first_observed": 1647087420000, "last_observed": 1647087420000, "port": 80, "protocol": "TCP", "active_classifications": [], "inactive_classifications": [ "HttpServer", "NginxWebServer", "ServerSoftware" ], "discovery_type": "ColocatedOnIp", "business_units": [ "Test - Import-Export" ], "externally_inferred_vulnerability_score": "null", "externally_inferred_cves": [], "cloud_management_status": "null" } ] } }

Bad Request. Got invalid JSON.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Unauthorized access. User does not have the required license type to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }

Internal server error. A unified status for API communication type errors.

Body
application/json

The query result upon error.

err_codestring

HTTP response code.

err_msgstring

Error message.

Example:"{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}"
err_extrastring

Additional information describing the error.

RESPONSE
{ "err_code": "example", "err_msg": "{\"line\": 1, \"column\": 19, \"message\": \"no viable alternative at input '|alter2'\"}", "err_extra": "example" }