Get data from a lookup dataset

Cortex XSIAM Platform APIs
post /public_api/v1/xql/lookups/get_data

Get data from a lookup dataset according to the specified filter fields. All lookup entries matching any of the filter blocks are returned. To match a filter block, a lookup entry must match all the specified fields as if there were an AND operator between them. If no filters are specified, return all lookup entries.

Note:

  • The maximum number of entries returned is 10,000.
  • Requests time out after three minutes.

Required license: Cortex XSIAM Premium or Cortex XSIAM Enterprise or Cortex XSIAM NG SIEM

Request headers
Authorization String required

{api_key}
Example: authorization_example
x-xdr-auth-id String required

{api_key_id}
Example: xXdrAuthId_example
CLIENT REQUEST
curl -X 'POST'
-H 'Accept: application/json'
-H 'Content-Type: application/json'
-H 'Authorization: authorization_example' -H 'x-xdr-auth-id: xXdrAuthId_example'
'https://api-yourfqdn/public_api/v1/xql/lookups/get_data'
-d ''
import http.client conn = http.client.HTTPSConnection("api-yourfqdn") payload = "{\"request_data\":{\"dataset_name\":\"string\",\"filters\":[{\"property1\":\"string\",\"property2\":\"string\"}],\"limit\":0}}" headers = { 'Authorization': "SOME_STRING_VALUE", 'x-xdr-auth-id': "SOME_STRING_VALUE", 'content-type': "application/json" } conn.request("POST", "/public_api/v1/xql/lookups/get_data", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8"))
require 'uri' require 'net/http' require 'openssl' url = URI("https://api-yourfqdn/public_api/v1/xql/lookups/get_data") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Post.new(url) request["Authorization"] = 'SOME_STRING_VALUE' request["x-xdr-auth-id"] = 'SOME_STRING_VALUE' request["content-type"] = 'application/json' request.body = "{\"request_data\":{\"dataset_name\":\"string\",\"filters\":[{\"property1\":\"string\",\"property2\":\"string\"}],\"limit\":0}}" response = http.request(request) puts response.read_body
const data = JSON.stringify({ "request_data": { "dataset_name": "string", "filters": [ { "property1": "string", "property2": "string" } ], "limit": 0 } }); const xhr = new XMLHttpRequest(); xhr.withCredentials = true; xhr.addEventListener("readystatechange", function () { if (this.readyState === this.DONE) { console.log(this.responseText); } }); xhr.open("POST", "https://api-yourfqdn/public_api/v1/xql/lookups/get_data"); xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE"); xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE"); xhr.setRequestHeader("content-type", "application/json"); xhr.send(data);
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/xql/lookups/get_data") .header("Authorization", "SOME_STRING_VALUE") .header("x-xdr-auth-id", "SOME_STRING_VALUE") .header("content-type", "application/json") .body("{\"request_data\":{\"dataset_name\":\"string\",\"filters\":[{\"property1\":\"string\",\"property2\":\"string\"}],\"limit\":0}}") .asString();
import Foundation let headers = [ "Authorization": "SOME_STRING_VALUE", "x-xdr-auth-id": "SOME_STRING_VALUE", "content-type": "application/json" ] let parameters = ["request_data": [ "dataset_name": "string", "filters": [ [ "property1": "string", "property2": "string" ] ], "limit": 0 ]] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/xql/lookups/get_data")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume()
<?php $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://api-yourfqdn/public_api/v1/xql/lookups/get_data", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_POSTFIELDS => "{\"request_data\":{\"dataset_name\":\"string\",\"filters\":[{\"property1\":\"string\",\"property2\":\"string\"}],\"limit\":0}}", CURLOPT_HTTPHEADER => [ "Authorization: SOME_STRING_VALUE", "content-type: application/json", "x-xdr-auth-id: SOME_STRING_VALUE" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; }
CURL *hnd = curl_easy_init(); curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST"); curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/xql/lookups/get_data"); struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE"); headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE"); headers = curl_slist_append(headers, "content-type: application/json"); curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"dataset_name\":\"string\",\"filters\":[{\"property1\":\"string\",\"property2\":\"string\"}],\"limit\":0}}"); CURLcode ret = curl_easy_perform(hnd);
var client = new RestClient("https://api-yourfqdn/public_api/v1/xql/lookups/get_data"); var request = new RestRequest(Method.POST); request.AddHeader("Authorization", "SOME_STRING_VALUE"); request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE"); request.AddHeader("content-type", "application/json"); request.AddParameter("application/json", "{\"request_data\":{\"dataset_name\":\"string\",\"filters\":[{\"property1\":\"string\",\"property2\":\"string\"}],\"limit\":0}}", ParameterType.RequestBody); IRestResponse response = client.Execute(request);
Body parameters
application/json
request_dataobject
dataset_namestringrequired

Name of the dataset to query.

filtersarray

Key-value pairs of fields to query in a dataset. A lookup entry must match all the specified fields as if there were an AND operator between them. You can use one or more fields, up to the number of fields in the schema.

[
Additional propertiesstring
]
limitinteger

The maximum number of results to return. If this is not specified, return all lookup entries that match the filter criteria.

REQUEST
{ "request_data": { "dataset_name": "users", "filters": [ { "uid": "123", "username": "john" }, { "department": "dev", "zipcode": "58674" } ], "limit": 20 } }
Responses

OK

Body
application/json
dataobject
Additional propertiesstring
filter_countinteger

Number of entries that match the filter.

total_countinteger

Total number of entries.

RESPONSE
{ "reply": { "data": [ { "uid": "uid5", "salary": 5.1, "zipcode": 70005, "birthday": 386418165000, "is_admin": true, "username": "username5", "_insert_time": 1718807765000, "_update_time": 1718807765000, "_collector_name": "Console", "_collector_type": "Console" }, { "uid": "uid6", "salary": 6.1, "zipcode": 70006, "birthday": 386418165000, "is_admin": true, "username": "username6", "_insert_time": 1718807765000, "_update_time": 1718807765000, "_collector_name": "Console", "_collector_type": "Console" } ], "filter count": 2, "total count": 10 } }