Retrieve issue exceptions based on filters

Cortex XSIAM Platform APIs
post /public_api/v1/issue_exceptions/search/

This endpoint retrieves a list of issue exceptions that match the specified filter criteria. It supports filtering along with sorting and pagination.

Required permission: Exception Management Admin View, Exception Approver Admin View

Required license: Cortex XSIAM Premium or Cortex XSIAM Enterprise or Cortex XSIAM NG SIEM or Cortex XSIAM Enterprise Plus.

Request headers
Authorization String required

{api_key}
Example: authorization_example
x-xdr-auth-id String required

{api_key_id}
Example: xXdrAuthId_example
CLIENT REQUEST
curl -X 'POST'
-H 'Accept: application/json'
-H 'Content-Type: application/json'
-H 'Authorization: authorization_example' -H 'x-xdr-auth-id: xXdrAuthId_example'
'https://api-yourfqdn/public_api/v1/issue_exceptions/search/'
-d ''
import http.client conn = http.client.HTTPSConnection("api-yourfqdn") payload = "{\"request_data\":{\"filters\":{\"SEARCH_FIELD\":\"EXCEPTION_ID\",\"SEARCH_TYPE\":\"EQ\",\"SEARCH_VALUE\":\"string\"},\"search_from\":0,\"search_to\":100,\"sort\":{\"FIELD\":\"string\",\"ORDER\":\"ASC\"}}}" headers = { 'Authorization': "SOME_STRING_VALUE", 'x-xdr-auth-id': "SOME_STRING_VALUE", 'content-type': "application/json" } conn.request("POST", "/public_api/v1/issue_exceptions/search/", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8"))
require 'uri' require 'net/http' require 'openssl' url = URI("https://api-yourfqdn/public_api/v1/issue_exceptions/search/") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Post.new(url) request["Authorization"] = 'SOME_STRING_VALUE' request["x-xdr-auth-id"] = 'SOME_STRING_VALUE' request["content-type"] = 'application/json' request.body = "{\"request_data\":{\"filters\":{\"SEARCH_FIELD\":\"EXCEPTION_ID\",\"SEARCH_TYPE\":\"EQ\",\"SEARCH_VALUE\":\"string\"},\"search_from\":0,\"search_to\":100,\"sort\":{\"FIELD\":\"string\",\"ORDER\":\"ASC\"}}}" response = http.request(request) puts response.read_body
const data = JSON.stringify({ "request_data": { "filters": { "SEARCH_FIELD": "EXCEPTION_ID", "SEARCH_TYPE": "EQ", "SEARCH_VALUE": "string" }, "search_from": 0, "search_to": 100, "sort": { "FIELD": "string", "ORDER": "ASC" } } }); const xhr = new XMLHttpRequest(); xhr.withCredentials = true; xhr.addEventListener("readystatechange", function () { if (this.readyState === this.DONE) { console.log(this.responseText); } }); xhr.open("POST", "https://api-yourfqdn/public_api/v1/issue_exceptions/search/"); xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE"); xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE"); xhr.setRequestHeader("content-type", "application/json"); xhr.send(data);
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/issue_exceptions/search/") .header("Authorization", "SOME_STRING_VALUE") .header("x-xdr-auth-id", "SOME_STRING_VALUE") .header("content-type", "application/json") .body("{\"request_data\":{\"filters\":{\"SEARCH_FIELD\":\"EXCEPTION_ID\",\"SEARCH_TYPE\":\"EQ\",\"SEARCH_VALUE\":\"string\"},\"search_from\":0,\"search_to\":100,\"sort\":{\"FIELD\":\"string\",\"ORDER\":\"ASC\"}}}") .asString();
import Foundation let headers = [ "Authorization": "SOME_STRING_VALUE", "x-xdr-auth-id": "SOME_STRING_VALUE", "content-type": "application/json" ] let parameters = ["request_data": [ "filters": [ "SEARCH_FIELD": "EXCEPTION_ID", "SEARCH_TYPE": "EQ", "SEARCH_VALUE": "string" ], "search_from": 0, "search_to": 100, "sort": [ "FIELD": "string", "ORDER": "ASC" ] ]] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn/public_api/v1/issue_exceptions/search/")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume()
<?php $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://api-yourfqdn/public_api/v1/issue_exceptions/search/", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_POSTFIELDS => "{\"request_data\":{\"filters\":{\"SEARCH_FIELD\":\"EXCEPTION_ID\",\"SEARCH_TYPE\":\"EQ\",\"SEARCH_VALUE\":\"string\"},\"search_from\":0,\"search_to\":100,\"sort\":{\"FIELD\":\"string\",\"ORDER\":\"ASC\"}}}", CURLOPT_HTTPHEADER => [ "Authorization: SOME_STRING_VALUE", "content-type: application/json", "x-xdr-auth-id: SOME_STRING_VALUE" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; }
CURL *hnd = curl_easy_init(); curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST"); curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/issue_exceptions/search/"); struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE"); headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE"); headers = curl_slist_append(headers, "content-type: application/json"); curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"filters\":{\"SEARCH_FIELD\":\"EXCEPTION_ID\",\"SEARCH_TYPE\":\"EQ\",\"SEARCH_VALUE\":\"string\"},\"search_from\":0,\"search_to\":100,\"sort\":{\"FIELD\":\"string\",\"ORDER\":\"ASC\"}}}"); CURLcode ret = curl_easy_perform(hnd);
var client = new RestClient("https://api-yourfqdn/public_api/v1/issue_exceptions/search/"); var request = new RestRequest(Method.POST); request.AddHeader("Authorization", "SOME_STRING_VALUE"); request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE"); request.AddHeader("content-type", "application/json"); request.AddParameter("application/json", "{\"request_data\":{\"filters\":{\"SEARCH_FIELD\":\"EXCEPTION_ID\",\"SEARCH_TYPE\":\"EQ\",\"SEARCH_VALUE\":\"string\"},\"search_from\":0,\"search_to\":100,\"sort\":{\"FIELD\":\"string\",\"ORDER\":\"ASC\"}}}", ParameterType.RequestBody); IRestResponse response = client.Execute(request);
Body parameters
application/json
request_dataobject
filtersobject

Filter criteria using AND/OR structure. Each filter condition contains SEARCH_FIELD, SEARCH_TYPE, and SEARCH_VALUE.

SEARCH_FIELDstring (Enum)

String that identifies the exception field the filter is matching.

Allowed values:"EXCEPTION_ID""EXTERNAL_EXCEPTION_ID""NAME""STATUS""EXPIRATION_TS""IMPACTED_ISSUES_COUNT""BACKWARD_SCAN_STATUS""JUSTIFICATION_CATEGORY""REQUESTOR_NAME""APPROVER_NAME""CREATED_TS""APPROVAL_TS""JUSTIFICATION_TEXT""APPROVAL_JUSTIFICATION""REQUESTOR_EMAIL""APPROVER_EMAIL"
SEARCH_TYPEstring (Enum)

Identifies the comparison operator to use for this filter. The following list shows which operators can be used for each filter field:

  • EQ / NEQ - use with all fields
  • GTE / LTE / GT / LT - use with EXCEPTION_ID, EXPIRATION_TS, IMPACTED_ISSUES_COUNT, CREATED_TS, APPROVAL_TS
  • IN - use with EXCEPTION_ID, STATUS, BACKWARD_SCAN_STATUS, JUSTIFICATION_CATEGORY
  • CONTAINS / CONTAINS_NOT — use with EXTERNAL_EXCEPTION_ID, NAME, REQUESTOR_NAME, APPROVER_NAME, JUSTIFICATION_TEXT, APPROVAL_JUSTIFICATION, REQUESTOR_EMAIL, APPROVER_EMAIL
Allowed values:"EQ""NEQ""GTE""LTE""GT""LT""IN""CONTAINS""CONTAINS_NOT"
SEARCH_VALUEobject

Value that this filter must match. The contents of this field will differ depending on the field that you specified for this filter:

  • EXCEPTION_ID — Integer, e.g. 1, 42
  • EXTERNAL_EXCEPTION_ID — String, e.g. "EXT-001"
  • NAME — String, e.g. "CVE Exception"
  • STATUS — String. Values are: APPROVED, DISABLED, EXPIRED, NO_DECISION_MADE, PENDING_DECISION, REJECTED, SELF_APPROVED
  • EXPIRATION_TS — Epoch milliseconds, e.g. 1712448000000
  • IMPACTED_ISSUES_COUNT — Integer, e.g. 0, 10, 100
  • BACKWARD_SCAN_STATUS — String. Values are: COMPLETED, FAILED, IN_PROGRESS, PENDING
  • JUSTIFICATION_CATEGORY — String. Values are: COMPENSATING_CONTROL, PLANNED_REMEDIATION, RISK_ACCEPTED, VENDOR_DEPENDENCY
  • REQUESTOR_NAME — String, e.g. "John Doe"
  • APPROVER_NAME — String, e.g. "Jane Smith"
  • CREATED_TS — Epoch milliseconds, e.g. 1712448000000
  • APPROVAL_TS — Epoch milliseconds, e.g. 1712448000000
  • JUSTIFICATION_TEXT — String, e.g. "Risk accepted per policy"
  • APPROVAL_JUSTIFICATION — String, e.g. "Approved by security team"
  • REQUESTOR_EMAIL — String, e.g. "john@example.com"
  • APPROVER_EMAIL — String, e.g. "jane@example.com"
string

Value that this filter must match. The contents of this field will differ depending on the field that you specified for this filter:

  • EXCEPTION_ID — Integer, e.g. 1, 42
  • EXTERNAL_EXCEPTION_ID — String, e.g. "EXT-001"
  • NAME — String, e.g. "CVE Exception"
  • STATUS — String. Values are: APPROVED, DISABLED, EXPIRED, NO_DECISION_MADE, PENDING_DECISION, REJECTED, SELF_APPROVED
  • EXPIRATION_TS — Epoch milliseconds, e.g. 1712448000000
  • IMPACTED_ISSUES_COUNT — Integer, e.g. 0, 10, 100
  • BACKWARD_SCAN_STATUS — String. Values are: COMPLETED, FAILED, IN_PROGRESS, PENDING
  • JUSTIFICATION_CATEGORY — String. Values are: COMPENSATING_CONTROL, PLANNED_REMEDIATION, RISK_ACCEPTED, VENDOR_DEPENDENCY
  • REQUESTOR_NAME — String, e.g. "John Doe"
  • APPROVER_NAME — String, e.g. "Jane Smith"
  • CREATED_TS — Epoch milliseconds, e.g. 1712448000000
  • APPROVAL_TS — Epoch milliseconds, e.g. 1712448000000
  • JUSTIFICATION_TEXT — String, e.g. "Risk accepted per policy"
  • APPROVAL_JUSTIFICATION — String, e.g. "Approved by security team"
  • REQUESTOR_EMAIL — String, e.g. "john@example.com"
  • APPROVER_EMAIL — String, e.g. "jane@example.com"
integer

Value that this filter must match. The contents of this field will differ depending on the field that you specified for this filter:

  • EXCEPTION_ID — Integer, e.g. 1, 42
  • EXTERNAL_EXCEPTION_ID — String, e.g. "EXT-001"
  • NAME — String, e.g. "CVE Exception"
  • STATUS — String. Values are: APPROVED, DISABLED, EXPIRED, NO_DECISION_MADE, PENDING_DECISION, REJECTED, SELF_APPROVED
  • EXPIRATION_TS — Epoch milliseconds, e.g. 1712448000000
  • IMPACTED_ISSUES_COUNT — Integer, e.g. 0, 10, 100
  • BACKWARD_SCAN_STATUS — String. Values are: COMPLETED, FAILED, IN_PROGRESS, PENDING
  • JUSTIFICATION_CATEGORY — String. Values are: COMPENSATING_CONTROL, PLANNED_REMEDIATION, RISK_ACCEPTED, VENDOR_DEPENDENCY
  • REQUESTOR_NAME — String, e.g. "John Doe"
  • APPROVER_NAME — String, e.g. "Jane Smith"
  • CREATED_TS — Epoch milliseconds, e.g. 1712448000000
  • APPROVAL_TS — Epoch milliseconds, e.g. 1712448000000
  • JUSTIFICATION_TEXT — String, e.g. "Risk accepted per policy"
  • APPROVAL_JUSTIFICATION — String, e.g. "Approved by security team"
  • REQUESTOR_EMAIL — String, e.g. "john@example.com"
  • APPROVER_EMAIL — String, e.g. "jane@example.com"
Array
search_frominteger

Starting index for pagination.

search_tointeger

Ending index for pagination.

Default:100
sortobject

Sort configuration

FIELDstring

Field name to sort by

ORDERstring (Enum)

Sort direction

Allowed values:"ASC""DESC"
REQUEST
{ "request_data": {} }
{ "request_data": { "filters": { "AND": [ { "SEARCH_FIELD": "STATUS", "SEARCH_TYPE": "EQ", "SEARCH_VALUE": "APPROVED" } ] }, "search_from": 0, "search_to": 50, "sort": { "FIELD": "EXCEPTION_ID", "ORDER": "DESC" } } }
{ "request_data": { "filters": { "AND": [ { "SEARCH_FIELD": "NAME", "SEARCH_TYPE": "CONTAINS", "SEARCH_VALUE": "CVE-2024" } ] }, "search_from": 0, "search_to": 25 } }
Responses

Exceptions retrieved successfully

Body
application/json
replyobject
exceptionsarray

List of matching exception objects

[
exception_idinteger

Auto-incremented exception ID

external_exception_idstring

External tracking ID

namestring

Exception name

statusstring (Enum)

Exception status

Allowed values:"APPROVED""DISABLED""EXPIRED""NO_DECISION_MADE""PENDING_DECISION""REJECTED""SELF_APPROVED"
rulestring

JSON-encoded filter rule

pretty_rulestring

Human-readable representation of the rule

justification_textstring

Justification text

justification_categorystring (Enum)

Justification category

Allowed values:"COMPENSATING_CONTROL""PLANNED_REMEDIATION""RISK_ACCEPTED""VENDOR_DEPENDENCY"
approval_justificationstring

Approval decision justification

requestor_namestring

Name of the user who requested the exception

requestor_emailstring

Email of the user who requested the exception

approver_emailstring

Email of the assigned approver

approver_namestring

Name of the assigned approver

created_tsstringdate-time

Creation timestamp

modified_tsstringdate-time

Last modification timestamp

approval_tsstringdate-time

Approval decision timestamp

expiration_tsstringdate-time

Exception expiration timestamp

impacted_issues_countinteger

Number of issues impacted by this exception

backward_scan_statusstring (Enum)

Status of backward scan

Allowed values:"COMPLETED""FAILED""IN_PROGRESS""PENDING"
backward_scan_tsstringdate-time

Timestamp of the last backward scan

reversion_scan_statusstring (Enum)

Reversion scan status

Allowed values:"COMPLETED""FAILED""IN_PROGRESS""PENDING"
reversion_scan_tsstringdate-time

Timestamp of the last reversion scan

]
filter_countinteger

Number of exceptions matching the applied filters

total_countinteger

Total number of exceptions (ignoring filters)

RESPONSE
{ "reply": { "exceptions": [ { "exception_id": 1, "external_exception_id": null, "name": "CVE-2024-1234 Exception", "status": "APPROVED", "rule": "{\"filter\":{\"AND\":[{\"SEARCH_FIELD\":\"cve_id\",\"SEARCH_TYPE\":\"EQ\",\"SEARCH_VALUE\":\"CVE-2024-1234\"}]}}", "pretty_rule": "[\"cve_id = CVE-2024-1234\"]", "justification_text": "Risk accepted for legacy hosts", "justification_category": "RISK_ACCEPTED", "approval_justification": null, "requestor_name": "John Doe", "requestor_email": "john.doe@example.com", "approver_email": "security-lead@example.com", "approver_name": "Jane Smith", "created_ts": "2025-01-15T10:30:00Z", "modified_ts": "2025-01-15T10:30:00Z", "approval_ts": "2025-01-15T11:00:00Z", "expiration_ts": "2025-06-30T23:59:59Z", "impacted_issues_count": 150, "backward_scan_status": "COMPLETED", "backward_scan_ts": "2025-01-15T11:05:00Z", "reversion_scan_status": null, "reversion_scan_ts": null } ], "filter_count": 1, "total_count": 10 } }

Bad request

Body
application/json
errorstring
Example:"Invalid request data"
RESPONSE
{ "error": "Invalid request data" }

Unauthorized access

Body
application/json
errorstring
Example:"Unauthorized request"
RESPONSE
{ "error": "Unauthorized request" }

Internal server error

Body
application/json
errorstring
Example:"Internal server error"
RESPONSE
{ "error": "Internal server error" }