Get Audit Agent Report

Retrieve agent event reports.

Synopsis

URI: /public_api/v1/audits/agents_reports/
HTTP Method: POST
Required License: Cortex XDR Prevent or Cortex XDR Pro per Endpoint

Description

Get agent event reports.
  • Multiple filters are combined with an AND condition (OR is not supported).
  • Maximum result set size is 100.
  • Offset is the zero-based number of reports from the start of the result set.

Request Fields

The body of this request contains a JSON object with the following fields. You can send a request to retrieve either all or filtered results.

Field / Description

request_data
    (Required) A dictionary containing the API request fields. An empty dictionary returns all results.

filters
    Provides an array of filtered fields. Each JSON object must contain the following keywords:
      • field — String that identifies a list. Filters are based on the following keywords:
        • endpoint_id — Represents the endpoint ID.
        • endpoint_name — Represents the endpoint name.
        • type — Type of report.
        • sub_type — Subtype of report.
        • result — Result type.
        • timestamp — Report timestamp, an integer in Unix epoch milliseconds.
        • domain — Domain of the agent.
        • xdr_version — XDR version.
        • category — Type of event category.
      • operator — String that identifies the comparison operator you want to use for this filter. Valid keywords and values are:
        • in — endpoint_id, endpoint_name, type, sub_type, result, domain, xdr_version: list of strings. category: status, audit, or monitoring. timestamp: integer in Unix epoch milliseconds.
        • gte / lte — timestamp: integer in Unix epoch milliseconds.
      • value — Value that this filter must match:
        • timestamp — Integer representing the number of milliseconds after the Unix epoch, UTC timezone.
        • All other fields require a string value. In the case of the in operator, the value is a list of possible values enclosed in square brackets.

search_from
    An integer representing the starting offset within the query result set from which you want agent reports returned. Reports are returned as a zero-based list. Any report indexed lower than this value is not returned in the final result set. Defaults to zero.

search_to
    An integer representing the end offset within the result set after which you do not want agent reports returned. Reports in the agent report list that are indexed higher than this value are not returned in the final result set. Defaults to 100, which returns all reports to the end of the list.

sort
    Identifies the sort order for the result set. By default the sort is defined as creation_time and desc.
      • field — String, either type, category, trapsversion, timestamp, or domain.
      • keyword — String, either asc (ascending order) or desc (descending order).
Request Example

Request all results:

curl -X POST https://api-{fqdn}/public_api/v1/audits/agents_reports/ \
  -H "x-xdr-auth-id:{API_KEY_ID}" \
  -H "Authorization:{API_KEY}" \
  -H "Content-Type:application/json" \
  -d '{ "request_data":{} }'

Request filtered results:

curl -X POST https://api-{fqdn}/public_api/v1/audits/agents_reports/ \
  -H "x-xdr-auth-id:{API_KEY_ID}" \
  -H "Authorization:{API_KEY}" \
  -H "Content-Type:application/json" \
  -d '{
    "request_data": {
      "filters": [
        {
          "field": "trapsversion",
          "operator": "in",
          "value": [ "<version value>", "<version value>" ]
        },
        {
          "field": "timestamp",
          "operator": "gte",
          "value": 0
        },
        {
          "field": "domain",
          "operator": "in",
          "value": [ "WORKGROUP" ]
        }
      ],
      "sort": {
        "field": "timestamp",
        "keyword": "asc"
      }
    }
  }'

Success Response

Upon success, the HTTP response code is 200. In addition, this API returns a JSON object containing the query status, as well as an array of JSON objects, each of which represents a single agent report.
Field / Description

reply
    JSON object containing the query result.

total_count
    Number of total results of this filter without paging.

result_count
    Number of returned items (integer).

endpoints
    List of audit items:
      • TIMESTAMP — integer, epoch time in milliseconds, UTC timezone
      • RECEIVEDTIME — integer, epoch time in milliseconds, UTC timezone
      • ENDPOINTID — string
      • ENDPOINTNAME — string
      • DOMAIN — string
      • TRAPSVERSION — string
      • CATEGORY — string
      • TYPE — string
      • SUBTYPE — string
      • (Optional) RESULT — string
      • (Optional) REASON — string
      • DESCRIPTION — string
Success Response Example

{
  "reply": {
    "total_count": 10,
    "result_count": 1,
    "data": [
      {
        "TIMESTAMP": 1572427859369.953,
        "RECEIVEDTIME": 1572427936626.636,
        "ENDPOINTID": "<endpoint ID>",
        "ENDPOINTNAME": "<endpoint name>",
        "DOMAIN": "WORKGROUP",
        "TRAPSVERSION": "<version>",
        "CATEGORY": "Status",
        "TYPE": "Agent Status",
        "SUBTYPE": "Fully Protected",
        "RESULT": null,
        "REASON": null,
        "DESCRIPTION": "DESKTOP-4LC01UI is fully protected"
      }
    ]
  }
}

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
HTTP Code / Description

400
    Bad Request. Got an invalid JSON.

401
    Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

402
    Unauthorized access. User does not have the required license type to run this API.

403
    Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

500
    Internal server error. A unified status for API communication type errors.
Error Response Format

{
  "reply": {
    "err_code": STATUS_CODE,
    "err_msg": GENERAL_MESSAGE,
    "err_extra": EXTRA_DATA
  }
}
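The following client is an added example and is not part of the Cortex XDR documentation or of Palo Alto Networks' own code. It builds the request body as the request table describes (filters combined with AND, the documented operator and value types, search_from/search_to paging in steps of the 100-report maximum), sends it with the three documented headers, and parses both the success reply and the err_code/err_msg/err_extra error format. Two assumptions follow from the page itself: the filter field name trapsversion is accepted alongside xdr_version because the page's own request example uses it, and the report list is read from "data" or "endpoints" because the success example uses the former while the field table names the latter. The fake_fetch function and SAMPLE_REPORTS are constructed stand-ins so the code runs offline; post_json is the live call. The not_fully_protected helper shows a defender's use of the data: the latest Agent Status report per endpoint, flagging any endpoint whose last known state is not "Fully Protected".

```python
"""Client for the Cortex XDR "Get Audit Agent Report" endpoint (added example)."""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

PATH = "/public_api/v1/audits/agents_reports/"
PAGE_SIZE = 100  # documented maximum result set size

# Filter fields that take operator "in" with a list of strings. "trapsversion" is
# an assumption taken from the page's request example; the table lists "xdr_version".
IN_STRING_FIELDS = {"endpoint_id", "endpoint_name", "type", "sub_type", "result",
                    "domain", "xdr_version", "trapsversion", "category"}


class XdrApiError(Exception):
    """Raised when the reply carries the documented err_code/err_msg/err_extra format."""


def make_filter(field: str, operator: str, value) -> dict:
    """Build one filter object, enforcing the value rules from the request table."""
    if field == "timestamp":
        if operator not in ("in", "gte", "lte") or not isinstance(value, int):
            raise ValueError("timestamp takes in/gte/lte with an integer epoch-ms value")
    elif field in IN_STRING_FIELDS:
        if operator != "in" or not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            raise ValueError(f"{field} takes operator 'in' with a list of strings")
    else:
        raise ValueError(f"unknown filter field {field!r}")
    return {"field": field, "operator": operator, "value": value}


def build_body(filters: List[dict], search_from: int, search_to: int,
               sort: Optional[dict] = None) -> dict:
    """Assemble the JSON body; filters are ANDed by the server, OR is not supported."""
    if search_to - search_from > PAGE_SIZE:
        raise ValueError(f"a page may not exceed {PAGE_SIZE} reports")
    request_data: dict = {"search_from": search_from, "search_to": search_to}
    if filters:
        request_data["filters"] = filters
    if sort:
        request_data["sort"] = sort
    return {"request_data": request_data}


def post_json(fqdn: str, api_key_id: str, api_key: str, body: dict) -> dict:
    """Send the request with the documented headers (live call; not used offline)."""
    req = urllib.request.Request(
        f"https://api-{fqdn}{PATH}", data=json.dumps(body).encode("utf-8"),
        headers={"x-xdr-auth-id": api_key_id, "Authorization": api_key,
                 "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def parse_reply(doc: dict):
    """Return (total_count, reports) or raise XdrApiError on the documented error format."""
    reply = doc.get("reply", {})
    if "err_code" in reply:
        raise XdrApiError(reply["err_code"], reply.get("err_msg"), reply.get("err_extra"))
    # Success example lists reports under "data"; the field table calls it "endpoints".
    reports = reply.get("data", reply.get("endpoints", []))
    return int(reply["total_count"]), reports


def iter_agent_reports(fetch: Callable[[dict], dict], filters: Optional[List[dict]] = None,
                       sort: Optional[dict] = None) -> Iterator[dict]:
    """Walk the whole result set in PAGE_SIZE pages using search_from/search_to."""
    offset = 0
    while True:
        body = build_body(filters or [], offset, offset + PAGE_SIZE, sort)
        total, reports = parse_reply(fetch(body))
        yield from reports
        offset += len(reports)
        if not reports or offset >= total:  # empty page guards against an endless loop
            break


def not_fully_protected(reports) -> Dict[str, str]:
    """Endpoint name -> latest Agent Status subtype, for endpoints not 'Fully Protected'."""
    latest: Dict[str, dict] = {}
    for r in reports:
        if r["TYPE"] != "Agent Status":
            continue
        prev = latest.get(r["ENDPOINTNAME"])
        if prev is None or r["TIMESTAMP"] >= prev["TIMESTAMP"]:
            latest[r["ENDPOINTNAME"]] = r
    return {n: r["SUBTYPE"] for n, r in latest.items() if r["SUBTYPE"] != "Fully Protected"}


# Constructed sample data standing in for the API (not real output): 230 reports,
# seven hosts; report 227 is HOST-3's newest, report 15 is an older HOST-1 entry.
SAMPLE_REPORTS = [
    {"TIMESTAMP": 1572427859369 + i, "RECEIVEDTIME": 1572427936626 + i,
     "ENDPOINTID": f"ep-{i:03d}", "ENDPOINTNAME": f"HOST-{i % 7}", "DOMAIN": "WORKGROUP",
     "TRAPSVERSION": "<version>", "CATEGORY": "Status", "TYPE": "Agent Status",
     "SUBTYPE": "Partially Protected" if i in (15, 227) else "Fully Protected",
     "RESULT": None, "REASON": None, "DESCRIPTION": f"HOST-{i % 7} status"}
    for i in range(230)
]


def fake_fetch(body: dict) -> dict:
    """Offline stand-in: honours search_from/search_to paging, ignores filters."""
    rd = body["request_data"]
    page = SAMPLE_REPORTS[rd["search_from"]:rd["search_to"]]
    return {"reply": {"total_count": len(SAMPLE_REPORTS), "result_count": len(page), "data": page}}


if __name__ == "__main__":
    flt = [make_filter("domain", "in", ["WORKGROUP"]), make_filter("timestamp", "gte", 0)]
    found = list(iter_agent_reports(fake_fetch, flt, {"field": "timestamp", "keyword": "asc"}))
    print(len(found), "reports; not fully protected:", not_fully_protected(found))
```

To run against a live tenant, replace fake_fetch with a lambda that calls post_json(fqdn, api_key_id, api_key, body); the paging loop and the parser do not change. Keeping the API key in an environment variable or secret store rather than in the script matches the RBAC and license checks the 401/402/403 responses enforce.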
