Get agent event reports.
- Filters are combined with an AND condition (OR is not supported).
- Maximum result set size is 100.
- Offset is the zero-based index of a report counted from the start of the result set.
Required license: Cortex XSIAM Premium or Cortex XSIAM Enterprise. In Cortex NG SIEM, requires endpoints or the Cortex Cloud Runtime Security add-on.
Authorization
String
required
{api_key}
{api_key}
authorization_example
x-xdr-auth-id
String
required
{api_key_id}
{api_key_id}
xXdrAuthId_example
# Fetch agent event reports. An empty body sends no request_data, i.e. no
# filters, first page (max 100) of results.
# NOTE: header values typed as literals end up in shell history and in `ps`
# output on shared hosts; for real keys read them from a file instead
# (curl >= 7.55: --header @headers.txt) or use a curl config file.
curl --request POST \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: authorization_example' \
  --header 'x-xdr-auth-id: xXdrAuthId_example' \
  --data '' \
  'https://api-yourfqdn/public_api/v1/audits/agents_reports'
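import http.client
import json
import os

# Both headers are required by the API: Authorization carries the API key,
# x-xdr-auth-id the API key ID. They are read from the environment so the
# script can be committed without the credentials in it.
api_key = os.environ["XDR_API_KEY"]
api_key_id = os.environ["XDR_API_KEY_ID"]

# Filters are AND-ed together; search_from/search_to page the result set
# (at most 100 reports per call).
payload = json.dumps({
    "request_data": {
        "filters": [
            {"field": "endpoint_id", "operator": "in", "value": ["string"]}
        ],
        "search_from": 0,
        "search_to": 100,
        "sort": {"field": "type", "keyword": "asc"},
    }
})
headers = {
    "Authorization": api_key,
    "x-xdr-auth-id": api_key_id,
    "content-type": "application/json",
}

# HTTPSConnection verifies the server certificate against the system trust
# store by default; do not pass an unverified ssl context to "fix" TLS errors.
conn = http.client.HTTPSConnection("api-yourfqdn")
try:
    conn.request("POST", "/public_api/v1/audits/agents_reports", payload, headers)
    res = conn.getresponse()
    data = res.read()
finally:
    conn.close()

# Error replies (e.g. 401 for a rejected key, 400 for a bad filter) also carry
# a JSON body; fail loudly rather than printing it as if it were a result.
if res.status != 200:
    raise SystemExit("agents_reports failed: HTTP %d %s: %s"
                     % (res.status, res.reason, data.decode("utf-8", "replace")))
print(data.decode("utf-8"))

require 'uri'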
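require 'net/http'
require 'openssl'

url = URI("https://api-yourfqdn/public_api/v1/audits/agents_reports")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate. The original sample set VERIFY_NONE, which
# lets any on-path host terminate the TLS session and read the API key and
# key ID sent in the headers below. VERIFY_PEER is also the safe default;
# fix certificate errors on the server/trust-store side, not here.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
# Authorization = API key, x-xdr-auth-id = API key ID. Keep real values in
# configuration/secret storage, not in source.
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
# Filters are AND-ed; search_from/search_to page the (max 100) result set.
request.body = "{\"request_data\":{\"filters\":[{\"field\":\"endpoint_id\",\"operator\":\"in\",\"value\":[\"string\"]}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"type\",\"keyword\":\"asc\"}}}"

# Non-2xx replies (401 bad key, 400 bad filter) are returned, not raised;
# check response.code before treating the body as a result.
response = http.request(request)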
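puts response.read_body

// Request body: filters are AND-ed together; search_from/search_to page the
// result set (at most 100 reports per call).
const data = JSON.stringify({
  request_data: {
    filters: [{ field: "endpoint_id", operator: "in", value: ["string"] }],
    search_from: 0,
    search_to: 100,
    sort: { field: "type", keyword: "asc" },
  },
});

const xhr = new XMLHttpRequest();
// Authentication is by the two headers set below, not by cookies, so
// withCredentials (which the original sample enabled) is unnecessary: it would
// send ambient cookies cross-origin and force the stricter CORS handshake.
// NOTE: anything shipped in a browser page is readable by its users; an XDR
// API key embedded here is effectively public. Proxy such calls via a backend.
xhr.addEventListener("readystatechange", function () {
  if (this.readyState !== this.DONE) return;
  // Error replies (401 bad key, 400 bad filter) also carry a JSON body.
  if (this.status < 200 || this.status >= 300) {
    console.error("agents_reports failed: HTTP " + this.status, this.responseText);
    return;
  }
  console.log(this.responseText);
});
xhr.open("POST", "https://api-yourfqdn/public_api/v1/audits/agents_reports");
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE"); // API key
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE"); // API key ID
xhr.setRequestHeader("content-type", "application/json");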
xhr.send(data);

// Request body: AND-ed filters plus paging (max 100 reports) and sort order.
String requestBody = "{\"request_data\":{\"filters\":[{\"field\":\"endpoint_id\",\"operator\":\"in\",\"value\":[\"string\"]}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"type\",\"keyword\":\"asc\"}}}";

// Authorization = API key, x-xdr-auth-id = API key ID; keep the real values
// in configuration/secret storage rather than in source.
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/audits/agents_reports")
    .header("content-type", "application/json")
    .header("Authorization", "SOME_STRING_VALUE")
    .header("x-xdr-auth-id", "SOME_STRING_VALUE")
    .body(requestBody)
    .asString();

import Foundation
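// Authorization = API key, x-xdr-auth-id = API key ID. In a real app keep
// them in the Keychain or configuration, not in source.
let headers = [
    "Authorization": "SOME_STRING_VALUE",
    "x-xdr-auth-id": "SOME_STRING_VALUE",
    "content-type": "application/json"
]

// Filters are AND-ed; search_from/search_to page the (max 100) result set.
let parameters: [String: Any] = [
    "request_data": [
        "filters": [
            ["field": "endpoint_id", "operator": "in", "value": ["string"]]
        ],
        "search_from": 0,
        "search_to": 100,
        "sort": ["field": "type", "keyword": "asc"]
    ]
]

// The original sample called JSONSerialization.data without `try` (it throws,
// so it did not compile) and force-unwrapped NSURL(string:).
guard let url = URL(string: "https://api-yourfqdn/public_api/v1/audits/agents_reports") else {
    fatalError("invalid agents_reports URL literal")
}
let postData: Data
do {
    postData = try JSONSerialization.data(withJSONObject: parameters, options: [])
} catch {
    fatalError("could not encode request body: \(error)")
}

var request = URLRequest(url: url, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

// URLSession.shared validates the server certificate by default; do not add a
// delegate that accepts arbitrary server trust to "fix" TLS errors.
let session = URLSession.shared
let dataTask = session.dataTask(with: request) { data, response, error in
    if let error = error {
        print("agents_reports request failed: \(error)")
        return
    }
    guard let httpResponse = response as? HTTPURLResponse else {
        print("agents_reports: non-HTTP response")
        return
    }
    // Error replies (401 bad key, 400 bad filter) also carry a JSON body, so
    // decode it either way but only treat 2xx as a result.
    let body = data.flatMap { String(data: $0, encoding: .utf8) } ?? ""
    guard (200..<300).contains(httpResponse.statusCode) else {
        print("agents_reports failed: HTTP \(httpResponse.statusCode): \(body)")
        return
    }
    print(body)
}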
dataTask.resume()<?php
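$curl = curl_init();

// Filters are AND-ed; search_from/search_to page the (max 100) result set.
$body = json_encode([
    'request_data' => [
        'filters' => [
            ['field' => 'endpoint_id', 'operator' => 'in', 'value' => ['string']],
        ],
        'search_from' => 0,
        'search_to' => 100,
        'sort' => ['field' => 'type', 'keyword' => 'asc'],
    ],
]);

curl_setopt_array($curl, [
    CURLOPT_URL => "https://api-yourfqdn/public_api/v1/audits/agents_reports",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    // Redirects are not followed (CURLOPT_FOLLOWLOCATION is unset), so the
    // credential headers below are only ever sent to the configured host.
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_POSTFIELDS => $body,
    // Authorization = API key, x-xdr-auth-id = API key ID; keep real values
    // in configuration/secret storage, not in source.
    CURLOPT_HTTPHEADER => [
        "Authorization: SOME_STRING_VALUE",
        "content-type: application/json",
        "x-xdr-auth-id: SOME_STRING_VALUE"
    ],
    // Peer and hostname verification are libcurl's defaults; spelled out so
    // nobody "fixes" a certificate error by turning them off.
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
]);

$response = curl_exec($curl);
$err = curl_error($curl);
$status = curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
} elseif ($status < 200 || $status >= 300) {
    // Error replies (401 bad key, 400 bad filter) also carry a JSON body;
    // the original sample echoed them indistinguishably from results.
    echo "HTTP " . $status . ": " . $response;
} else {
    echo $response;
}
CURL *hnd = curl_easy_init();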
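curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/audits/agents_reports");

/* Authorization = API key, x-xdr-auth-id = API key ID; keep the real values
 * in configuration/secret storage, not in source. */
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);

/* Filters are AND-ed; search_from/search_to page the (max 100) result set. */
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"filters\":[{\"field\":\"endpoint_id\",\"operator\":\"in\",\"value\":[\"string\"]}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"type\",\"keyword\":\"asc\"}}}");

/* Certificate and hostname verification are libcurl defaults; leave
 * CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST alone rather than
 * "fixing" TLS errors by disabling them. */

/* ret != CURLE_OK means the transfer itself failed (curl_easy_strerror(ret)
 * describes why); an HTTP error status is reported via CURLINFO_RESPONSE_CODE. */
CURLcode ret = curl_easy_perform(hnd);

/* The original sample leaked both the header list and the easy handle. */
curl_slist_free_all(headers);
curl_easy_cleanup(hnd);
var client = new RestClient("https://api-yourfqdn/public_api/v1/audits/agents_reports");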
var request = new RestRequest(Method.POST);

// Authorization = API key, x-xdr-auth-id = API key ID; keep the real values
// in configuration/secret storage, not in source.
request.AddHeader("content-type", "application/json");
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");

// Filters are AND-ed; search_from/search_to page the (max 100) result set.
string requestBody = "{\"request_data\":{\"filters\":[{\"field\":\"endpoint_id\",\"operator\":\"in\",\"value\":[\"string\"]}],\"search_from\":0,\"search_to\":100,\"sort\":{\"field\":\"type\",\"keyword\":\"asc\"}}}";
request.AddParameter("application/json", requestBody, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);request_dataobjectA dictionary containing the API request fields.
An empty dictionary returns all results.
A dictionary containing the API request fields. An empty dictionary returns all results.
filtersarrayAn array of filter fields.
An array of filter fields.
fieldstring (Enum)Identifies a list. Filters are based on the
following keywords:
endpoint_id: The endpoint ID.
endpoint_name: The endpoint name.
type: Type of report.
sub_type: Subtype of report.
result: Result type.
timestamp: Report timestamp.
domain: Domain of the agent.
xdr_version: XDR version.
category: Type of event category.
(timestamp values are integers in Unix epoch milliseconds, UTC)
Identifies a list. Filters are based on the following keywords:
endpoint_id: The endpoint ID.endpoint_name: The endpoint name.type: Type of report.sub_type: Subtype of report.result: Result type.timestamp: Report timestamp.domain: Domain of the agent.xdr_version: XDR version.category: Type of event category.timestamp: Integer in timestamp epoch milliseconds
operatorstring (Enum)identifies the comparison operator you want to use for this filter. Valid keywords and values are:
in
endpoint_id, endpoint_name, type, sub_type, result, domain, xdr_version, category: List of strings
gte / lte
timestamp
identifies the comparison operator you want to use for this filter. Valid keywords and values are:
in
endpoint_id,endpoint_name,type,sub_type,result,domain,xdr_version,category: List of stringsgte/ltetimestamp
valueobjectValue that this filter must match:
timestamp: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
- All other fields require a string value. In the case of
in operator, the value is a list of possible values enclosed in square brackets.
category: Permitted values are: status, monitoring, or audit.
Value that this filter must match:
timestamp: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.- All other fields require a string value. In the case of
inoperator, the value is a list of possible values enclosed in square brackets. category: Permitted values are:status,monitoring, oraudit.
integerValue that this filter must match:
timestamp: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
- All other fields require a string value. In the case of
in operator, the value is a list of possible values enclosed in square brackets.
category: Permitted values are: status, monitoring, or audit.
Value that this filter must match:
timestamp: Integer representing the number of milliseconds after the Unix epoch, UTC timezone.- All other fields require a string value. In the case of
inoperator, the value is a list of possible values enclosed in square brackets. category: Permitted values are:status,monitoring, oraudit.
search_fromintegerAn integer representing the starting offset within the query result set from which you want agent reports returned.
Reports are returned as a zero-based list. Any report indexed lower than this value is not returned in the final result set. Defaults to zero.
An integer representing the starting offset within the query result set from which you want agent reports returned. Reports are returned as a zero-based list. Any report indexed lower than this value is not returned in the final result set. Defaults to zero.
search_tointegerAn integer representing the end offset within the result set after which you do not want agent reports returned.
Reports in the agent report list that are indexed higher than this value are not returned in the final result set. Defaults to 100, the maximum result set size, which returns reports up to the end of the list.
An integer representing the end offset within the result set after which you do not want agent reports returned. Reports in the agent report list that are indexed higher than this value are not returned in the final result set. Defaults to 100, the maximum result set size, which returns reports up to the end of the list.
100sortobjectrequiredIdentifies the sort order for the result set.
Identifies the sort order for the result set.
fieldstring (Enum)The field you want to sort by.
The field you want to sort by.
keywordstring (Enum)Whether to sort in ascending or descending order.
Whether to sort in ascending or descending order.
"desc"{
"request_data": {}
}{
"request_data": {
"filters": [
{
"field": "trapsversion",
"operator": "in",
"value": [
"<version value>",
"<version value>"
]
},
{
"field": "timestamp",
"operator": "gte",
"value": 0
},
{
"field": "domain",
"operator": "in",
"value": [
"WORKGROUP"
]
}
],
"sort": {
"field": "timestamp",
"keyword": "asc"
}
}
}