Search CIEM Access

Cortex XSIAM Platform APIs

post /public_api/v1/ciem/access/search

Retrieves a list of access entries based on specified filters, sorting, and pagination.

Required license: Cortex Cloud Runtime Security or Cortex Cloud Posture Management

Request headers
x-xdr-auth-id String required

{api_key_id}

Example: xXdrAuthId_example
Authorization String required

{api_key}

Example: authorization_example
Content-Type String required

Specifies the request body format. The request body for this endpoint is application/json.

Example: contentType_example
CLIENT REQUEST
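# Search CIEM access entries: POST a JSON filter/sort/pagination body.
# api-yourfqdn, xXdrAuthId_example and authorization_example are the page's
# placeholders for the tenant API host, the API key ID and the API key.
# Header values typed on the command line end up in shell history and are
# visible in the process list; on shared hosts, supply the two auth headers
# with curl's -H @file form or a --config file readable only by the caller.
# Content-Type is sent exactly once and matches the JSON body.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  -H 'Authorization: authorization_example' \
  'https://api-yourfqdn/public_api/v1/ciem/access/search' \
  -d '{ "filter" : { "AND" : [ { "search_field" : "dest_cloud_resource_id", "search_type" : "EQ", "search_value" : "abc" } ] }, "sort" : [ { "field" : "dest_cloud_resource_id", "order" : "DESC" } ], "metadata" : { "next_page_token" : "some_base64_string" } }'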
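import http.client
import json
import os

# Search CIEM access entries and print the raw response body.
# "api-yourfqdn" is the page's placeholder for the tenant API host.
# HTTPSConnection validates the server certificate and hostname through the
# default SSL context; keep it that way, since every request carries the API key.
conn = http.client.HTTPSConnection("api-yourfqdn", timeout=30)

# Build the body with json.dumps instead of a hand-escaped string literal.
payload = json.dumps({
    "filter": {
        "AND": [
            {
                "search_field": "dest_cloud_resource_id",
                "search_type": "EQ",
                "search_value": "abc",
            }
        ]
    },
    "sort": [{"field": "dest_cloud_resource_id", "order": "DESC"}],
    "metadata": {"next_page_token": "some_base64_string"},
})

headers = {
    # Credentials are read from the environment rather than written into the
    # script. The variable names are illustrative, not defined by the API.
    "x-xdr-auth-id": os.environ["XDR_API_KEY_ID"],
    "Authorization": os.environ["XDR_API_KEY"],
    # Exactly one Content-Type: the original dict had two keys differing only
    # in case, which http.client sends as two conflicting headers.
    "Content-Type": "application/json",
}

try:
    conn.request("POST", "/public_api/v1/ciem/access/search", payload, headers)
    res = conn.getresponse()
    data = res.read()
    # Error responses (400/401/402/403/500) also carry a JSON "reply" body.
    print(data.decode("utf-8"))
finally:
    # Release the socket even when the request raises.
    conn.close()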
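require 'uri'
require 'net/http'
require 'openssl'
require 'json'

# Search CIEM access entries and print the raw response body.
# "api-yourfqdn" is the page's placeholder for the tenant API host.
url = URI("https://api-yourfqdn/public_api/v1/ciem/access/search")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Validate the server certificate. VERIFY_NONE would accept any certificate,
# letting an on-path party read the API key sent in the Authorization header.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Post.new(url)
# Credentials are read from the environment rather than written into the
# script. The variable names are illustrative, not defined by the API.
request["x-xdr-auth-id"] = ENV.fetch("XDR_API_KEY_ID")
request["Authorization"] = ENV.fetch("XDR_API_KEY")
# Single Content-Type matching the JSON body.
request["Content-Type"] = 'application/json'

request.body = JSON.generate(
  "filter" => {
    "AND" => [
      {
        "search_field" => "dest_cloud_resource_id",
        "search_type" => "EQ",
        "search_value" => "abc"
      }
    ]
  },
  "sort" => [{ "field" => "dest_cloud_resource_id", "order" => "DESC" }],
  "metadata" => { "next_page_token" => "some_base64_string" }
)

response = http.request(request)
# Error responses (400/401/402/403/500) also carry a JSON "reply" body.
puts response.read_body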
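// Search CIEM access entries with XMLHttpRequest and log the response body.
// The API key and key ID are secrets: any script delivered to a browser exposes
// them to every user of the page, so issue this call from a trusted backend or
// internal tooling context rather than from public front-end code.
const data = JSON.stringify({
  "filter": {
    "AND": [
      {
        "search_field": "dest_cloud_resource_id",
        "search_type": "EQ",
        "search_value": "abc"
      }
    ]
  },
  "sort": [
    {
      "field": "dest_cloud_resource_id",
      "order": "DESC"
    }
  ],
  "metadata": {
    "next_page_token": "some_base64_string"
  }
});

const xhr = new XMLHttpRequest();
// withCredentials stays at its default (false): authentication is carried by
// the two request headers below, so cookies for the API origin are not attached.

xhr.addEventListener("readystatechange", function () {
  if (this.readyState === this.DONE) {
    // Error responses (400/401/402/403/500) also carry a JSON "reply" body.
    console.log(this.responseText);
  }
});

xhr.open("POST", "https://api-yourfqdn/public_api/v1/ciem/access/search");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
// Set Content-Type exactly once: repeated setRequestHeader calls for the same
// name are merged into one comma-separated value, which is not a valid media type.
xhr.setRequestHeader("Content-Type", "application/json");

xhr.send(data);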
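// Search CIEM access entries and return the response body as a String.
// "api-yourfqdn" is the page's placeholder for the tenant API host.
// Credentials are read from the environment rather than written into the
// source; the variable names are illustrative, not defined by the API.
// Content-Type is set once so the request does not carry two conflicting values.
HttpResponse<String> response = Unirest.post("https://api-yourfqdn/public_api/v1/ciem/access/search")
  .header("x-xdr-auth-id", System.getenv("XDR_API_KEY_ID"))
  .header("Authorization", System.getenv("XDR_API_KEY"))
  .header("Content-Type", "application/json")
  .body("{\"filter\":{\"AND\":[{\"search_field\":\"dest_cloud_resource_id\",\"search_type\":\"EQ\",\"search_value\":\"abc\"}]},\"sort\":[{\"field\":\"dest_cloud_resource_id\",\"order\":\"DESC\"}],\"metadata\":{\"next_page_token\":\"some_base64_string\"}}")
  .asString();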
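import Foundation

// Search CIEM access entries and print the response status and body.
// "api-yourfqdn" is the page's placeholder for the tenant API host.
// Credentials are read from the environment rather than written into the
// source; the variable names are illustrative, not defined by the API.
let environment = ProcessInfo.processInfo.environment
let headers: [String: String] = [
  "x-xdr-auth-id": environment["XDR_API_KEY_ID"] ?? "",
  "Authorization": environment["XDR_API_KEY"] ?? "",
  // One Content-Type only: header field names are case-insensitive, so the
  // original pair of keys described the same header with two values.
  "Content-Type": "application/json"
]

let parameters: [String: Any] = [
  "filter": ["AND": [
    [
      "search_field": "dest_cloud_resource_id",
      "search_type": "EQ",
      "search_value": "abc"
    ]
  ]],
  "sort": [
    [
      "field": "dest_cloud_resource_id",
      "order": "DESC"
    ]
  ],
  "metadata": ["next_page_token": "some_base64_string"]
]

// JSONSerialization.data(withJSONObject:options:) throws, so it must be
// called with `try`.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://api-yourfqdn/public_api/v1/ciem/access/search")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

// URLSession.shared applies the platform's default server-trust evaluation.
let session = URLSession.shared
let dataTask = session.dataTask(with: request, completionHandler: { (data, response, error) -> Void in
  if let error = error {
    print(error)
  } else {
    if let httpResponse = response as? HTTPURLResponse {
      print(httpResponse)
    }
    // Error responses (400/401/402/403/500) also carry a JSON "reply" body.
    if let data = data, let body = String(data: data, encoding: .utf8) {
      print(body)
    }
  }
})

dataTask.resume()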
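<?php

// Search CIEM access entries and echo the raw response body.
// "api-yourfqdn" is the page's placeholder for the tenant API host.
// Credentials are read from the environment rather than written into the
// script; the variable names are illustrative, not defined by the API.
$apiKeyId = getenv('XDR_API_KEY_ID');
$apiKey = getenv('XDR_API_KEY');

// Build the body with json_encode instead of a hand-escaped string literal.
$body = json_encode([
  "filter" => [
    "AND" => [
      [
        "search_field" => "dest_cloud_resource_id",
        "search_type" => "EQ",
        "search_value" => "abc",
      ],
    ],
  ],
  "sort" => [
    ["field" => "dest_cloud_resource_id", "order" => "DESC"],
  ],
  "metadata" => ["next_page_token" => "some_base64_string"],
]);

$curl = curl_init();

// Certificate and hostname verification are left at their defaults (enabled);
// do not turn CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST off, because the
// request carries the API key.
curl_setopt_array($curl, [
  CURLOPT_URL => "https://api-yourfqdn/public_api/v1/ciem/access/search",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => $body,
  CURLOPT_HTTPHEADER => [
    "Authorization: " . $apiKey,
    // Content-Type is sent once and matches the JSON body.
    "Content-Type: application/json",
    "x-xdr-auth-id: " . $apiKeyId
  ],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  // Error responses (400/401/402/403/500) also carry a JSON "reply" body.
  echo $response;
}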
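/* Search CIEM access entries with libcurl.
 * "api-yourfqdn" and SOME_STRING_VALUE are the page's placeholders for the
 * tenant API host and the credentials; load the real key and key ID at run
 * time instead of compiling them into the binary.
 * libcurl verifies the peer certificate and hostname by default; leave
 * CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST enabled, because the
 * request carries the API key. */
CURL *hnd = curl_easy_init();

curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/ciem/access/search");

struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
/* Content-Type is appended once and matches the JSON body. */
headers = curl_slist_append(headers, "Content-Type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);

curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"filter\":{\"AND\":[{\"search_field\":\"dest_cloud_resource_id\",\"search_type\":\"EQ\",\"search_value\":\"abc\"}]},\"sort\":[{\"field\":\"dest_cloud_resource_id\",\"order\":\"DESC\"}],\"metadata\":{\"next_page_token\":\"some_base64_string\"}}");

/* ret != CURLE_OK signals a transport failure (including a failed TLS
 * handshake); curl_easy_strerror(ret) gives a readable reason. */
CURLcode ret = curl_easy_perform(hnd);

/* Release the header list and the easy handle; the original leaked both. */
curl_slist_free_all(headers);
curl_easy_cleanup(hnd);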
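// Search CIEM access entries with RestSharp.
// "api-yourfqdn" and SOME_STRING_VALUE are the page's placeholders for the
// tenant API host and the credentials; load the real key and key ID from
// configuration or a secret store instead of writing them into source.
var client = new RestClient("https://api-yourfqdn/public_api/v1/ciem/access/search");
var request = new RestRequest(Method.POST);
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("Authorization", "SOME_STRING_VALUE");
// Content-Type is added once and matches the JSON body.
request.AddHeader("Content-Type", "application/json");
// With ParameterType.RequestBody the parameter name is used as the body's
// content type, so it must be the media type rather than a placeholder.
request.AddParameter("application/json", "{\"filter\":{\"AND\":[{\"search_field\":\"dest_cloud_resource_id\",\"search_type\":\"EQ\",\"search_value\":\"abc\"}]},\"sort\":[{\"field\":\"dest_cloud_resource_id\",\"order\":\"DESC\"}],\"metadata\":{\"next_page_token\":\"some_base64_string\"}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);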
Body parameters
required
application/json
filterobject

Optional filters to apply to the search results.

ANDarray

A list of filter conditions. Currently only supports AND logic.

[
search_fieldstring (Enum)required

Identifies the field to filter.

Allowed values:"access_levels""account_access_transformed""dest_cloud_account_id""dest_cloud_account_name""dest_cloud_region""dest_cloud_resource_id""dest_cloud_resource_name""dest_cloud_resource_type""dest_cloud_resource_uai""dest_cloud_service_name""destCategory""destination_access_labels""excessive_policies_count""grantedby_cloud_entity_id""grantedby_cloud_entity_name""grantedby_cloud_entity_type""grantedby_cloud_entity_uai""granterCategory""last_used""permission_scope""source_cloud_account_id""source_cloud_account_is_vendor""source_cloud_account_name""source_cloud_region""source_cloud_resource_id""source_cloud_resource_name""source_cloud_resource_type""source_cloud_resource_uai""source_cloud_service_name""sourceCategory""sourceVendorName""unused_actions_count"
search_typestring (Enum)required

Identifies the comparison operator you want to use for this filter. Valid values are:

  • EQ
Allowed values:"EQ"
search_valuestringrequired

Value that this filter must match.

]
sortarray

Optional sorting criteria for the search results.

[
fieldstring (Enum)required

The field to sort by.

Allowed values:"account_access_transformed""dest_cloud_account_id""dest_cloud_account_name""dest_cloud_resource_id""dest_cloud_resource_name""dest_cloud_resource_type""dest_cloud_resource_uai""dest_cloud_service_name""excessive_policies_count""grantedby_cloud_entity_id""grantedby_cloud_entity_name""grantedby_cloud_entity_type""grantedby_cloud_entity_uai""is_last_access_supported""last_used""permission_scope""source_cloud_account_id""source_cloud_account_is_vendor""source_cloud_account_name""source_cloud_resource_id""source_cloud_resource_name""source_cloud_resource_type""source_cloud_resource_uai""source_cloud_service_name""unused_actions_count"
orderstring (Enum)required

The sort order.

Allowed values:"ASC""DESC"
]
metadataobject

Optional metadata for pagination.

next_page_tokenstring

A token provided by a previous response to fetch the next page of results.

REQUEST
{ "filter": { "AND": [ { "search_field": "dest_cloud_resource_id", "search_type": "EQ", "search_value": "abc" } ] }, "sort": [ { "field": "dest_cloud_resource_id", "order": "DESC" } ], "metadata": { "next_page_token": "some_base64_string" } }
Responses

Successful response with CIEM access data.

Body
application/json
dataarray

An array of access entries.

[
access_levelsarray[string]

Access levels granted

account_access_transformedstring

Transformed account access details

dest_cloud_account_idstring

Destination account ID

dest_cloud_account_namestring

Name of the destination cloud account

dest_cloud_regionstring

Destination region

dest_cloud_resource_idstring

Destination resource ID

dest_cloud_resource_namestring

Name of the destination resource

dest_cloud_resource_typestring

Type of the destination resource

dest_cloud_resource_uaistring

Destination resource UAI

dest_cloud_service_namestring

Name of the destination cloud service

dest_categorystring (Enum)

Category of the destination entity. Valid values include:

  • Human: All cloud, identity provider (IdP), and platform users.
  • Non-human: Machine identities that can assume permissions and perform cloud Identity and Access Management (IAM) actions such as VMs and functions.
  • Cloud Service Account: A category unifying AWS roles, Microsoft Azure service accounts and managed identities, and GCP service accounts.
  • IAM Group: IAM group, which is a collection of IAM users.
  • IAM Policy: Permission documents, such as AWS policies, Azure roles, and GCP roles.
Allowed values:"Human""Non-human""Cloud Service Account""IAM Group""IAM Policy"
destination_access_labelsarray[string]

Labels describing access to data

excessive_policies_countinteger

Number of excessive policies

grantedby_cloud_entity_idstring

Granted by cloud entity ID

grantedby_cloud_entity_namestring

Name of the cloud entity that granted access

grantedby_cloud_entity_typestring

Type of the cloud entity that granted access

grantedby_cloud_entity_uaistring

Granted by cloud entity UAI

granter_categorystring

Category of the granter entity

is_last_access_supportedboolean

Indicates if last access is supported

last_usedstringdate-time

Timestamp of when access was last used

permission_scopestring

Scope of the permission

source_cloud_account_idstring

Source account ID

source_cloud_account_is_vendorboolean

Indicates if the source account is a known vendor

source_cloud_account_namestring

Name of the source cloud account

source_cloud_regionstring

Source region

source_cloud_resource_idstring

Source resource ID

source_cloud_resource_namestring

Name of the source resource

source_cloud_resource_typestring

Type of the source resource

source_cloud_resource_uaistring

Source resource UAI

source_cloud_service_namestring

Name of the source cloud service

source_categorystring (Enum)

Category of the source entity. Valid values include:

  • Human: All cloud, identity provider (IdP), and platform users.
  • Non-human: Machine identities that can assume permissions and perform cloud Identity and Access Management (IAM) actions such as VMs and functions.
  • Cloud Service Account: A category unifying AWS roles, Microsoft Azure service accounts and managed identities, and GCP service accounts.
  • IAM Group: IAM group, which is a collection of IAM users.
  • IAM Policy: Permission documents, such as AWS policies, Azure roles, and GCP roles.
Allowed values:"Human""Non-human""Cloud Service Account""IAM Group""IAM Policy"
source_vendor_namestring

Name of the source vendor

unused_actions_countinteger

Number of unused actions

]
metadataobject

Metadata for pagination.

next_page_tokenstring

A token to retrieve the next page of results, if available.

filter_countintegerint32

The number of results after applying filters.

total_countintegerint32

The total number of available results, ignoring pagination.

RESPONSE
{ "data": [ { "access_levels": [ "Read", "Write" ], "account_access_transformed": "admin_access", "dest_cloud_account_name": "prod-account", "dest_cloud_resource_name": "S3 Bucket", "dest_cloud_resource_type": "AWS::S3::Bucket", "dest_cloud_service_name": "Amazon S3", "dest_category": "Cloud Service Account", "destination_access_labels": [], "excessive_policies_count": 5, "grantedby_cloud_entity_name": "AdminRole", "grantedby_cloud_entity_type": "IAM Role", "granter_category": "IAM Group", "last_used": "2023-01-15T10:30:00Z", "permission_scope": "Global", "source_cloud_account_name": "dev-account", "source_cloud_account_is_vendor": false, "source_cloud_resource_name": "EC2 Instance", "source_cloud_resource_type": "AWS::EC2::Instance", "source_cloud_service_name": "Amazon EC2", "source_category": "Human", "source_vendor_name": "AWS", "unused_actions_count": 10 } ], "metadata": { "next_page_token": "another_base64_string" }, "filter_count": 100, "total_count": 500 }

Bad Request. Invalid JSON.

Body
application/json
replyobject
err_codeinteger
err_msgstring
err_extraobject
err_msgstring
RESPONSE
{ "reply": { "err_code": 400, "err_msg": "Invalid Request Body", "err_extra": { "err_msg": "The request body contains invalid JSON or malformed parameters for CIEM Access Search." } } }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
application/json
replyobject
err_codeinteger
err_msgstring
err_extraobject
err_msgstring
RESPONSE
{ "reply": { "err_code": 401, "err_msg": "Authentication Failed", "err_extra": { "err_msg": "Invalid API key or key ID provided. Please check your authentication credentials." } } }

Unauthorized access. User does not have the required license type to run this API.

Body
application/json
replyobject
err_codeinteger
err_msgstring
err_extraobject
err_msgstring
RESPONSE
{ "reply": { "err_code": 402, "err_msg": "License Required", "err_extra": { "err_msg": "Your account does not have the necessary license to access the CIEM Access Search API." } } }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
application/json
replyobject
err_codeinteger
err_msgstring
err_extraobject
err_msgstring
RESPONSE
{ "reply": { "err_code": 403, "err_msg": "Forbidden Access", "err_extra": { "err_msg": "The provided API key lacks the required RBAC permissions for the CIEM Access Search operation." } } }

Internal server error. A unified status for API communication type errors.

Body
application/json
replyobject
err_codeinteger
err_msgstring
err_extraobject
err_msgstring
RESPONSE
{ "reply": { "err_code": 500, "err_msg": "An error occurred while processing CIEM Access Search query", "err_extra": { "err_msg": "Internal server issue encountered during CIEM Access Search." } } }