Get Endpoint

Get a list of filtered endpoints.

Synopsis

URI	/public_api/v1/endpoints/get_endpoint/
HTTP Method	POST
Required License	Cortex XDR Prevent or Cortex XDR Pro per Endpoint

Description

Gets a list of filtered endpoints.

Response is concatenated using AND condition (OR is not supported).

Maximum result set size is 100.

Offset is the zero-based number of incidents from the start of the result set.

Request Fields

The body of this request contains a JSON object with the following fields:

You can send a request to retrieve either all
or filtered
results.

Field	Description
request_data	(`Required`) A dictionary containing the API request fields. An empty dictionary returns all results.
filters	Provides an array of filtered fields. Each JSON object must contain the following keyword: field String that identifies the field the filter is matching. Filters are based on the following keywords: endpoint_id_list —List of endpoint IDs. endpoint_status —Status of the endpoint ID. dist_name —Distribution / Installation Package name. first_seen —When the agent was first seen. last_seen —When the agent was last seen. ip_list —List of IP addresses. group_name —Group name the agent belongs to. platform —Platform name. alias —Alias name isolate —If the endpoint was isolated. hostname —Hostname operator String that identifies the comparison operator you want to use for this filter. Valid keywords and values are: in endpoint_id_list , dist_name , group_name , alias , hostname , username —List of strings. endpoint_status — connected or disconnected ip_list —List of strings, for example 192.168.5.12 . platform — windows , linux , macos , android isolate — isolated or unisolated scan_status — none , pending , in_progress , canceled , aborted , pending_cancellation , success , or error gte / lte first_seen and last_seen —Integer in timestamp epoch milliseconds. value Value that this filter must match. The contents of this field will differ depending on the endpoint field that you specified for this filter: first_seen , last_seen —Integer representing the number of milliseconds after the Unix epoch, UTC timezone. endpoint_id_list , distribution_name , hostname , alias , group_name —List of strings. endpoint_status —Must contain only the following valid values: connected or disconnected ip_list —String list of IP addresses. platform - Must contain only the following valid values: windows , linux , macos , or android . isolate - Must contain only the following valid values: isolated or unisolated .
search_from	An integer representing the start offset within the query result set from which you want endpoints returned. Endpoints are returned as a zero-based list. Any endpoint indexed less than this value is not returned in the final result set and defaults to zero.
search_to	An integer representing the end offset within the result set after which you do not want endpoints returned. Endpoint in the endpoint list that are indexed higher than this value are not returned in the final results set. Defaults to 100, which returns all endpoints to the end of the list.
sort	Identifies the sort order for the result set. field —String, either endpoint_id , first_seen , or last_seen . By default the sort is defined as: last_seen and desc . keyword —String, either asc (ascending order) or desc (descending order)

Request Example

Request all results:

curl -X POST https://api-{fqdn}/public_api/v1/endpoints/get_endpoint/ \
-H "x-xdr-auth-id:{API_KEY_ID}" \
-H "Authorization:{API_KEY}" \
-H "Content-Type:application/json" \
-d '{ 
   "request_data":{}
   }'

Request filtered results:

curl -X POST https://api-{fqdn}/public_api/v1/endpoints/get_endpoint/ \
-H "x-xdr-auth-id:{API_KEY_ID}" \
-H "Authorization:{API_KEY}" \
-H "Content-Type:application/json" \
-d '{
   "request_data":{
      "search_from":0,
      "search_to":1,
      "sort":{
         "field":"endpoint_id",
         "keyword":"ASC"
      },
      "filters":[
         {
            "field":"group_name",
            "operator":"in",
            "value":[
               "Test-Group-01"
            ]
         },
         {
            "field":"endpoint_status",
            "operator":"in",
            "value":[
               "disconnected"
            ]
         },
         {
            "field":"dist_name",
            "operator":"in",
            "value":[
               "papi-test"
            ]
         },
         {
            "field":"scan_status",
            "operator":"in",
            "value":[
               "none",
               "pending",
               "in_progress",
               "pending_cancellation",
               "aborted",
               "success",
               "canceled",
               "error"
            ]
         }
      ]
   }
}'

Success Response

Upon success, the HTTP response code is 200. In addition, this API returns a JSON object containing the query status, as well as an array of JSON objects, each of which represents a single endpoint.

Field	Description
reply	JSON object containing the query result.
total_count	Number of total results of this filter without paging.
result_count	Number of endpoints actually returned as result (integer).
endpoints	A list of endpoints (list).

Success Response Example


{
   "reply":{
      "total_count":1,
      "result_count":1,
      "endpoints":[
         {
            "endpoint_id":"<endpoint ID>",
            "endpoint_name":"<endpoint name>",
            "endpointTags":"<tag name>",
            "endpoint_type":"<endpoint type>",
            "endpoint_status":"CONNECTED",
            "os_type":"AGENT_OS_WINDOWS",
            "os_version":"8.0.xxx","
            "ip":[
               "<IP address>"
            ],
            "users":[
               "XDR"
            ],
            "domain":"WORKGROUP",
            "alias":"",
            "first_seen":1606218761377,
            "last_seen":1606218769163,
            "content_version":"",
            "installation_package":"XDR",
            "active_directory":null,
            "install_date":1606218762089,
            "endpoint_version":"<version>",
            "is_isolated":"AGENT_UNISOLATED",
            "isolated_date":null,
            "group_name":[            
            ],
            "operational_status":"PARTIALLY_PROTECTED",
            "operational_status_description":"[{\"name\": \"generalStatus\", \"error_code\": 10004}]",
            "scan_status":"SCAN_STATUS_NONE",
            "content_release_timestamp":1636285746000,
            "last_content_update_time":1636381954285,
            "content_status":"up_to_date",
            "operating_system": "Debian 10.11",
                "mac_address": [
                    "42:00:00:00:00:00"
                ],
                "assigned_prevention_policy": "Linux Default",
                "assigned_extensions_policy": ""
         }
      ]
   }
}

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:

Field	Description
400	Bad Request. Got an invalid JSON.
401	Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
402	Unauthorized access. User does not have the required license type to run this API.
403	Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
500	Internal server error. A unified status for API communication type errors.

Error Response Format

{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}

Document:Cortex XDR™ API Reference

Get Endpoint

Table of Contents

Get Endpoint

Synopsis

Description

Request Fields

Success Response

Error Response

Recommended For You

Document:Cortex XDR™ API Reference

Get Endpoint

Table of Contents

Get Endpoint

Synopsis

Description

Request Fields

Success Response

Error Response

Recommended For You

Recommended Videos