Get All Services

Cortex Xpanse REST API

post /public_api/v1/assets/get_external_services/

Get a complete or filtered list of all your external services.
The maximum result limit is 500.
Required License: Cortex Xpanse Expander

Request headers
authorization
String
required
api-key
Example: {{api_key}}
x-xdr-auth-id
String
required
api-key-id
Example: {{api_key_id}}
Body parameters
required
request_dataObject
filtersArray
[
fieldString (Enum)

String that identifies the service field the filter is matching. Filters are based on the following case-sensitive keywords: - active_classifications - business_units_list - discovery_type - domain - externally_detected_providers - externally_inferred_cves - first_observed - inactive_classifications - ip_address - ipv6_address - is_active - last_observed - protocol - service_name - service_type - service_type_list - tags

Allowed values:"service_name""protocol""service_type""ip_address""domain""externally_detected_providers""externally_inferred_cves""discovery_type""active_classifications""inactive_classifications""is_active""confirmed_vulnerable_cve_ids""confirmed_not_vulnerable_cve_ids""vulnerability_test_status""tags""service_type_list""business_units_list""ipv6_address""last_observed""first_observed"
operatorString (Enum)

String that identifies the comparison operator you want to use for this filter. Valid keywords and values are: - contains / not_contains— use with externally_detected_providers, domain, externally_inferred_cves, active_classifications, inactive_classifications, service_name, service_type, protocol - eq / neq— use with service_name, service_type, protocol, ip_address - gte— Filters data from a specific timestamp onwards. Use with first_observed, last_observed - in— use with is_active, discovery_type, business_units_list, tags, ip_address - lte— Filters data up to a specific timestamp. Use with first_observed, last_observed - range— Filters data between two specific timestamps. Use with first_observed, last_observed - relative_timestamp— Filters data relative to the current time (e.g., last 30 days). Use with first_observed, last_observed

Allowed values:"in""contains""neq""eq""not_contains""gte""lte""range""relative_timestamp"
valueObject

Value that this filter must match. The contents of this field will differ depending on the services field that you specified for this filter: - active_classifications — String - business_units_list — String or list of strings in the format "BU name" or "BU:BU name", for example “Acme & Co, Inc.” or “BU:Acme & Co, Inc.” - discovery_type — String. Values are: colocated_on_ip, directly_discovered, unknown. - domain — String - externally_detected_providers — String - externally_inferred_cves — String - first_observed — values in milliseconds format - with gte or lte operator, specify a specific date or time as a timestamp in milliseconds format - with range operator, specify "to" and "from" values as timestamps in milliseconds format "value": { "from": "{{previous30Days}}","to": "{{previous7Days}}" - with relative_timestamp operator, specify time interval to look back on (24H, 7D, 30D, etc.) as a value in milliseconds format - inactive_classifications — String - ip_address — List of strings - ipv6_address — String - is_active — String. Values are:yes, no - last_observed — values in milliseconds format - with gte or lte operator, specify a specific date or time as a timestamp in milliseconds format - with range operator, specify "to" and "from" values as timestamps in milliseconds format, as follows "value": { "from": "{{previous30Days}}","to": "{{previous7Days}}" - with relative_timestamp operator, specify time interval to look back on (24H, 7D, 30D, etc.) as a value in milliseconds format - protocol — String - service_name — String - service_type — String - service_type_list — String - tags — List of strings indicating the tags to filter on in the format "tag-family:tag-name", for example "AR:registered to you".

]
search_fromInteger

An integer representing the start offset index of results.

search_toInteger

An integer representing the start offset index of results. Use this field to specify the number of results on a page when using page token pagination.

sortObject

Identifies the sort order for the result set.

fieldString (Enum)

Values are: - service_name - first_observed - last_observed By default, case-sensitive, sort is defined as service_name.

Allowed values:"first_observed""service_name""last_observed"
keywordString (Enum)

Can be either ASC (ascending order) or DESC (descending order). Default is ASC. Values are case sensitive.

Allowed values:"ASC""asc""DESC""desc"
Free-Form object
use_page_tokenBoolean

Use "use_page_token":true in the initial request to paginate the response data.

next_page_tokenString

If "use_page_token":true was included in the initial request, the response for that request will include a page token.
Use "next_page_token":"string" to pass that page token into the next request to paginate the next set of data.

vulnerability_test_resultsObject (Enum)

Includes vulnerability test results from the last 14 days for each service in the response.

Allowed values:true
Free-Form object
REQUEST BODY
{ "request_data": { "search_from": 0, "next_page_token": "next_page_token", "vulnerability_test_results": true, "filters": [ { "field": "service_name", "value": "ExternalServicesFilter_value", "operator": "in" }, { "field": "service_name", "value": "ExternalServicesFilter_value", "operator": "in" } ], "sort": { "field": "service_name", "keyword": "asc" }, "search_to": 0, "use_page_token": true } }
{ "request_data": { "filters": [ { "field": "service_name", "operator": "in", "value": "string" } ], "search_from": 0, "search_to": 500, "sort": { "field": "service_name", "keyword": "asc" }, "use_page_token": true, "next_page_token": "string" } }
CLIENT REQUEST
curl -X 'POST'
-H 'Accept: application/json'
-H 'Content-Type: application/json'
-H 'authorization: {{api_key}}' -H 'x-xdr-auth-id: {{api_key_id}}'
'https://api-}/public_api/v1/assets/get_external_services/'
-d '{ "request_data" : { "search_from" : 0, "next_page_token" : "next_page_token", "vulnerability_test_results" : true, "filters" : [ { "field" : "service_name", "value" : "ExternalServicesFilter_value", "operator" : "in" }, { "field" : "service_name", "value" : "ExternalServicesFilter_value", "operator" : "in" } ], "sort" : { "field" : "service_name", "keyword" : "asc" }, "search_to" : 0, "use_page_token" : true } }'
import http.client conn = http.client.HTTPSConnection("api-") payload = "{\"request_data\":{\"filters\":[{\"field\":\"service_name\",\"operator\":\"in\",\"value\":\"string\"}],\"search_from\":0,\"search_to\":500,\"sort\":{\"field\":\"first_observed\",\"keyword\":\"ASC\"},\"use_page_token\":true,\"next_page_token\":\"string\",\"vulnerability_test_results\":true}}" headers = { 'authorization': "{{api_key}}", 'x-xdr-auth-id': "{{api_key_id}}", 'content-type': "application/json" } conn.request("POST", "%7B%7Bfqdn%7D%7D/public_api/v1/assets/get_external_services/", payload, headers) res = conn.getresponse() data = res.read() print(data.decode("utf-8"))
require 'uri' require 'net/http' require 'openssl' url = URI("https://api-/%7B%7Bfqdn%7D%7D/public_api/v1/assets/get_external_services/") http = Net::HTTP.new(url.host, url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE request = Net::HTTP::Post.new(url) request["authorization"] = '{{api_key}}' request["x-xdr-auth-id"] = '{{api_key_id}}' request["content-type"] = 'application/json' request.body = "{\"request_data\":{\"filters\":[{\"field\":\"service_name\",\"operator\":\"in\",\"value\":\"string\"}],\"search_from\":0,\"search_to\":500,\"sort\":{\"field\":\"first_observed\",\"keyword\":\"ASC\"},\"use_page_token\":true,\"next_page_token\":\"string\",\"vulnerability_test_results\":true}}" response = http.request(request) puts response.read_body
const data = JSON.stringify({ "request_data": { "filters": [ { "field": "service_name", "operator": "in", "value": "string" } ], "search_from": 0, "search_to": 500, "sort": { "field": "first_observed", "keyword": "ASC" }, "use_page_token": true, "next_page_token": "string", "vulnerability_test_results": true } }); const xhr = new XMLHttpRequest(); xhr.withCredentials = true; xhr.addEventListener("readystatechange", function () { if (this.readyState === this.DONE) { console.log(this.responseText); } }); xhr.open("POST", "https://api-/%7B%7Bfqdn%7D%7D/public_api/v1/assets/get_external_services/"); xhr.setRequestHeader("authorization", "{{api_key}}"); xhr.setRequestHeader("x-xdr-auth-id", "{{api_key_id}}"); xhr.setRequestHeader("content-type", "application/json"); xhr.send(data);
HttpResponse<String> response = Unirest.post("https://api-/%7B%7Bfqdn%7D%7D/public_api/v1/assets/get_external_services/") .header("authorization", "{{api_key}}") .header("x-xdr-auth-id", "{{api_key_id}}") .header("content-type", "application/json") .body("{\"request_data\":{\"filters\":[{\"field\":\"service_name\",\"operator\":\"in\",\"value\":\"string\"}],\"search_from\":0,\"search_to\":500,\"sort\":{\"field\":\"first_observed\",\"keyword\":\"ASC\"},\"use_page_token\":true,\"next_page_token\":\"string\",\"vulnerability_test_results\":true}}") .asString();
import Foundation let headers = [ "authorization": "{{api_key}}", "x-xdr-auth-id": "{{api_key_id}}", "content-type": "application/json" ] let parameters = ["request_data": [ "filters": [ [ "field": "service_name", "operator": "in", "value": "string" ] ], "search_from": 0, "search_to": 500, "sort": [ "field": "first_observed", "keyword": "ASC" ], "use_page_token": true, "next_page_token": "string", "vulnerability_test_results": true ]] as [String : Any] let postData = JSONSerialization.data(withJSONObject: parameters, options: []) let request = NSMutableURLRequest(url: NSURL(string: "https://api-/%7B%7Bfqdn%7D%7D/public_api/v1/assets/get_external_services/")! as URL, cachePolicy: .useProtocolCachePolicy, timeoutInterval: 10.0) request.httpMethod = "POST" request.allHTTPHeaderFields = headers request.httpBody = postData as Data let session = URLSession.shared let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in if (error != nil) { print(error) } else { let httpResponse = response as? HTTPURLResponse print(httpResponse) } }) dataTask.resume()
<?php $curl = curl_init(); curl_setopt_array($curl, [ CURLOPT_URL => "https://api-/%7B%7Bfqdn%7D%7D/public_api/v1/assets/get_external_services/", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 30, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_POSTFIELDS => "{\"request_data\":{\"filters\":[{\"field\":\"service_name\",\"operator\":\"in\",\"value\":\"string\"}],\"search_from\":0,\"search_to\":500,\"sort\":{\"field\":\"first_observed\",\"keyword\":\"ASC\"},\"use_page_token\":true,\"next_page_token\":\"string\",\"vulnerability_test_results\":true}}", CURLOPT_HTTPHEADER => [ "authorization: {{api_key}}", "content-type: application/json", "x-xdr-auth-id: {{api_key_id}}" ], ]); $response = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($err) { echo "cURL Error #:" . $err; } else { echo $response; }
CURL *hnd = curl_easy_init(); curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST"); curl_easy_setopt(hnd, CURLOPT_URL, "https://api-/%7B%7Bfqdn%7D%7D/public_api/v1/assets/get_external_services/"); struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "authorization: {{api_key}}"); headers = curl_slist_append(headers, "x-xdr-auth-id: {{api_key_id}}"); headers = curl_slist_append(headers, "content-type: application/json"); curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"filters\":[{\"field\":\"service_name\",\"operator\":\"in\",\"value\":\"string\"}],\"search_from\":0,\"search_to\":500,\"sort\":{\"field\":\"first_observed\",\"keyword\":\"ASC\"},\"use_page_token\":true,\"next_page_token\":\"string\",\"vulnerability_test_results\":true}}"); CURLcode ret = curl_easy_perform(hnd);
var client = new RestClient("https://api-/%7B%7Bfqdn%7D%7D/public_api/v1/assets/get_external_services/"); var request = new RestRequest(Method.POST); request.AddHeader("authorization", "{{api_key}}"); request.AddHeader("x-xdr-auth-id", "{{api_key_id}}"); request.AddHeader("content-type", "application/json"); request.AddParameter("application/json", "{\"request_data\":{\"filters\":[{\"field\":\"service_name\",\"operator\":\"in\",\"value\":\"string\"}],\"search_from\":0,\"search_to\":500,\"sort\":{\"field\":\"first_observed\",\"keyword\":\"ASC\"},\"use_page_token\":true,\"next_page_token\":\"string\",\"vulnerability_test_results\":true}}", ParameterType.RequestBody); IRestResponse response = client.Execute(request);
Responses

OK

Body
replyObject
total_countInteger
result_countInteger
external_servicesArray
[
service_idString
service_nameString
service_typeString
ip_addressArray[string]
domainArray[string]
externally_detected_providersArray[string]
is_activeString
first_observedInteger
last_observedInteger
portInteger
protocolString
active_classificationsArray[string]
inactive_classificationsArray[string]
discovery_typeString
externally_inferred_vulnerability_scoreString
externally_inferred_cvesArray[string]
tls_versionsArray
[
tlsVersionString
cipherSuiteString
firstObservedInteger
lastObservedInteger
activityStatusString
Free-Form object
]
inferred_cves_observedArray
[
inferredCveArray
[
cveIdString
cvssScoreV2String
cveSeverityV2String
cvssScoreV3Number
cveSeverityV3String
inferredCveMatchMetadataArray
[
inferredCveMatchTypeString
productString
confidenceString
vendorString
versionString
Free-Form object
]
epssScoreString
cvssTemporalScoreV3String
cvssTemporalScoreV2String
publishedExploitsCountString
reportedExploitedInTheWildString
firstExploitPublishedString
firstReportedThreatActorString
firstReportedRansomwareString
firstReportedBotnetString
lastExploitPublishedString
lastReportedThreatActorString
lastReportedRansomwareString
lastReportedBotnetString
cisaKevDateAddedString
Free-Form object
]
activityStatusString
lastObservedInteger
firstObservedInteger
Free-Form object
]
cloud_management_statusString
tagsArray[string]
vulnerability_test_statusString
confirmed_vulnerable_cve_idsArray[string]
confirmed_not_vulnerable_cve_idsArray[string]
ipv6_addressArray[string]
asm_asset_idsArray[string]
geolocationsArray
[
latitudeNumber
longitudeNumber
countryCodeString
cityString
regionCodeString
timeZoneString
Free-Form object
]
business_unitsArray
[
[
creation_timeInteger
familyString
family_aliasString
idString
is_activeInteger
nameString
parent_idString
update_timeInteger
Free-Form object
]
]
Free-Form object
]
next_page_tokenString

This attribute is only returned if use_page_token is provided in the request with value true

Free-Form object
Free-Form object
RESPONSE
{ "reply": { "total_count": 1, "result_count": 1, "external_services": [ { "service_id": "2b6da586-46ca-3804-bbba-e5b02d8e53bb", "service_name": "Kerberos at x.x.x.x:88", "service_type": "Kerberos", "ip_address": [ "x.x.x.x" ], "domain": [], "externally_detected_providers": [ "On Prem" ], "is_active": "Active", "first_observed": 1710233760000, "last_observed": 1711956600000, "port": 88, "protocol": "TCP", "active_classifications": [ "Kerberos" ], "inactive_classifications": [], "discovery_type": "DirectlyDiscovered", "externally_inferred_vulnerability_score": null, "externally_inferred_cves": [], "tls_versions": [], "inferred_cves_observed": [], "cloud_management_status": "Not Applicable", "tags": [ "AR:Registered to You", "BU:Mustang UAT 8507355851529627158" ], "vulnerability_test_status": true, "confirmed_vulnerable_cve_ids": [ "CVE-2019-3396", "CVE-2022-26134", "CVE-2021-26084" ], "confirmed_not_vulnerable_cve_ids": [ "CVE-2021-26085" ], "vulnerability_test_results": [], "ipv6_address": [], "asm_asset_ids": [ "0b3ea202-f3fc-3176-8b5d-791afe2c0bd0" ], "geolocations": [ { "latitude": 55.75, "longitude": 37.58, "countryCode": "RU", "city": "MOSCOW", "regionCode": null, "timeZone": null } ], "business_units": [ [ { "creation_time": 1712001753495, "family": "business_units", "family_alias": "BU", "id": "BU:e9b79919-f6df-4723-af55-f080d5bf9e41", "is_active": 1, "name": "Mustang UAT 8507355851529627158", "parent_id": null, "update_time": 1712001753495 } ] ] } ] } }

Bad Request. Got an invalid JSON.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }

Unauthorized access. User does not have the required license type to run this API.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }

Unprocessable Entity

Body
codeInteger

Error code

statusString

Error name

messageString

Error message

errorsObject

Errors

RESPONSE
{ "code": 0, "status": "status_example", "message": "message_example", "errors": {} }

Internal server error. A unified status for API communication type errors.

Body
replyObject

The query results upon error.

Free-Form object
RESPONSE
{ "reply": {} }