Get Violations

Synopsis

URI: /public_api/v1/device_control/get_violations/
HTTP Method: POST
Required License: Cortex XDR Prevent or Cortex XDR Pro per Endpoint

Description

Gets a list of device control violations filtered by selected fields. You can retrieve up to 100 violations per request.
When filtering by multiple fields:
  • Filters are combined with an AND condition (OR is not supported).
  • Maximum result set size is 100.
  • Offset is the zero-based number of violations from the start of the result set.

Fields

The body of this request contains a JSON object with the following fields. You can send a request to retrieve either all or filtered results.

request_data (Required)
  A dictionary containing the API request fields. An empty dictionary returns all results.

filters
  Provides an array of filter objects. Each JSON object must contain the following keywords:
  • field
    String that identifies the violation field the filter is matching. Filters are based on the following keywords:
    • endpoint_id_list - List of endpoint IDs
    • type - Type of violation
    • timestamp - Timestamp of the violation
    • ip_list - List of IP addresses
    • vendor - Name of vendor
    • vendor_id - Vendor ID
    • product - Name of product
    • product_id - Product ID
    • serial - Serial number
    • hostname - Hostname
    • violation_id_list - List of violation IDs
    • username - Username
  • operator
    String that identifies the comparison operator you want to use for this filter. Valid keywords are:
    • IN - Permitted for all fields except timestamp.
    • GTE and LTE - Permitted only for timestamp.
  • value
    Value that this filter must match. The contents of this field differ depending on the violation field that you specified for this filter:
    • timestamp - Integer, in UTC timezone epoch milliseconds
    • violation_id_list - List of integers
    • ip_list - Must contain an IP string
    • type - Must be one of cd-rom, disk drive, floppy disk, portable device
    • All other fields must be a list of strings.

search_from
  Integer representing the starting offset within the query result set from which you want violations returned. Violations are returned as a zero-based list; any violation indexed lower than this value is not returned in the final result set. Defaults to zero.

search_to
  Integer representing the end offset within the result set after which you do not want violations returned. Violations indexed higher than this value are not returned in the final result set. Defaults to zero, which returns all violations to the end of the list.

sort
  Identifies the sort order for the result set. By default the sort is defined as creation_time and desc.
  • field - String, can be any of the field keynames.
  • keyword - String, can be either asc (ascending order) or desc (descending order).
Request Example

Request all results:

curl -X POST https://api-{fqdn}/public_api/v1/device_control/get_violations/ \
  -H "x-xdr-auth-id:{API_KEY_ID}" \
  -H "Authorization:{API_KEY}" \
  -H "Content-Type:application/json" \
  -d '{ "request_data":{} }'

Request filtered results (violations of type disk drive, first result only):

curl -X POST https://api-{fqdn}.xdr.pan.com/public_api/v1/device_control/get_violations/ \
  -H "x-xdr-auth-id:{key_id}" \
  -H "Authorization:{key}" \
  -H "Content-Type:application/json" \
  -d '{ "request_data": { "filters": [ { "field": "type", "operator": "IN", "value": ["disk drive"] } ], "search_to": 1 } }'
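The filter rules above (AND-only combination, IN for every field except timestamp, GTE/LTE only for timestamp, typed values, a 100-result ceiling) are easy to get wrong when building request bodies by hand. The following is an added example, not Cortex XDR product code: it validates a filter against exactly the rules the page states, assembles the request_data body, and computes the search_from/search_to windows needed to walk a larger result set in pages of at most 100. The one assumption beyond the page's text is that search_to is an exclusive end, which is what the page's own example implies (search_to of 1 returns one result). Nothing is sent over the network.

```python
"""Build get_violations request bodies that respect the documented filter rules.

Added example, not Cortex XDR product code. Assumption: search_to is treated
as an exclusive end offset, following the page's example where search_to=1
returns a single violation.
"""
from __future__ import annotations

import json
from typing import Any, Iterator

# Filterable fields, valid "type" values and the page size limit, all from the page.
FILTER_FIELDS = {
    "endpoint_id_list", "type", "timestamp", "ip_list", "vendor", "vendor_id",
    "product", "product_id", "serial", "hostname", "violation_id_list", "username",
}
VIOLATION_TYPES = {"cd-rom", "disk drive", "floppy disk", "portable device"}
MAX_PAGE = 100


def make_filter(field: str, operator: str, value: Any) -> dict:
    """Return one filter object, rejecting field/operator/value combinations the API does not accept."""
    if field not in FILTER_FIELDS:
        raise ValueError(f"unknown filter field: {field}")
    op = operator.upper()  # the documented keywords are IN, GTE, LTE
    if field == "timestamp":
        if op not in ("GTE", "LTE"):
            raise ValueError("timestamp accepts only GTE or LTE")
        if not isinstance(value, int) or isinstance(value, bool):
            raise ValueError("timestamp value must be epoch milliseconds (int)")
    else:
        if op != "IN":
            raise ValueError(f"{field} accepts only IN")
        if not isinstance(value, list) or not value:
            raise ValueError(f"{field} value must be a non-empty list")
        if field == "violation_id_list":
            if not all(isinstance(v, int) and not isinstance(v, bool) for v in value):
                raise ValueError("violation_id_list must be a list of integers")
        elif not all(isinstance(v, str) for v in value):
            raise ValueError(f"{field} must be a list of strings")
        if field == "type":
            bad = [v for v in value if v.lower() not in VIOLATION_TYPES]
            if bad:
                raise ValueError(f"unsupported violation type(s): {bad}")
    return {"field": field, "operator": op, "value": value}


def build_request(filters: list[dict] | None = None, search_from: int = 0,
                  search_to: int = 0, sort_field: str | None = None,
                  sort_keyword: str = "desc") -> dict:
    """Assemble the JSON body; with no filters and no paging this is {"request_data": {}}."""
    if search_from < 0 or search_to < 0:
        raise ValueError("offsets must be non-negative")
    if search_to and search_to - search_from > MAX_PAGE:
        raise ValueError("a single request returns at most 100 violations")
    data: dict[str, Any] = {}
    if filters:
        data["filters"] = filters  # multiple filters are ANDed by the service
    if search_from:
        data["search_from"] = search_from
    if search_to:
        data["search_to"] = search_to
    if sort_field:
        if sort_keyword not in ("asc", "desc"):
            raise ValueError("sort keyword must be asc or desc")
        data["sort"] = {"field": sort_field, "keyword": sort_keyword}
    return {"request_data": data}


def page_windows(total_count: int) -> Iterator[tuple[int, int]]:
    """Yield (search_from, search_to) pairs covering total_count results, 100 at a time."""
    for start in range(0, total_count, MAX_PAGE):
        yield start, min(start + MAX_PAGE, total_count)


def rejects(field: str, operator: str, value: Any) -> bool:
    """True if make_filter refuses the combination (handy for checking the rules)."""
    try:
        make_filter(field, operator, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed query: disk-drive violations in the day before the page's example timestamp.
    since_ms = 1576260019000 - 24 * 3600 * 1000
    body = build_request(
        [make_filter("timestamp", "GTE", since_ms), make_filter("type", "IN", ["disk drive"])],
        search_to=MAX_PAGE,
    )
    print(json.dumps(body, indent=2))
    print(list(page_windows(250)))
```

Run it as a script to print a ready-to-send body; in a real client, issue the first request with search_to set to 100, read total_count from the reply, and then iterate page_windows(total_count) for the remaining pages.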

Success Response

Upon success, the HTTP response code is 200. In addition, this API returns a JSON object containing the query status, as well as an array of JSON objects, each of which represents a single violation.

reply
  JSON object containing the query result.
total_count
  Number of total results of this filter without paging (integer).
result_count
  Number of violations actually returned in this result (integer).
violations
  A list of violations (list).

Success Response Example

{
  "reply": {
    "total_count": 10,
    "result_count": 1,
    "violations": [
      {
        "hostname": "<host name>",
        "username": "test",
        "ip": "<IP address>",
        "timestamp": 1576260019000,
        "violation_id": 11,
        "type": "Disk Drive",
        "vendor_id": "<vendor ID>",
        "vendor": "<vendor name>",
        "product_id": "<product ID>",
        "product": "<product name>",
        "serial": "<serial number>",
        "endpoint_id": "<endpoint ID>"
      }
    ]
  }
}

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:

400
  Bad Request. Got an invalid JSON.
401
  Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
402
  Unauthorized access. User does not have the required license type to run this API.
403
  Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
500
  Internal server error. A unified status for API communication type errors.

Error Response Format

{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}
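A client has to tell the success shape (reply with total_count, result_count, violations) apart from the error shape (reply with err_code, err_msg, err_extra), and decide which HTTP codes are worth retrying. The following is an added example, not Cortex XDR product code: it parses both reply forms, checks that result_count agrees with the violations array, renders the epoch-millisecond timestamps, and tallies violations by type and host for triage. The sample bodies are constructed to match the page's examples; the retry assessment (only 500 is transient, the 4xx codes need a fix on the caller's side) is this example's judgement, not a statement from the page.

```python
"""Interpret get_violations replies: success payload versus the documented error format.

Added example, not Cortex XDR product code. The sample bodies below are
constructed to mirror the page's examples; the retryable flags are this
example's assessment of the documented codes.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any

# HTTP codes documented on the page -> (meaning, retrying the same request may help)
ERROR_CODES = {
    400: ("Bad Request: invalid JSON", False),
    401: ("Unauthorized: incorrect key, id or other auth parameter", False),
    402: ("Unauthorized: license does not cover this API", False),
    403: ("Forbidden: API key lacks the required RBAC permission", False),
    500: ("Internal server error", True),
}


class ApiError(Exception):
    """Raised for any non-success reply; carries the documented err_* fields."""

    def __init__(self, http_status: int, err_code: Any, err_msg: str, err_extra: Any = None):
        super().__init__(f"HTTP {http_status}: {err_msg}")
        self.http_status = http_status
        self.err_code = err_code
        self.err_msg = err_msg
        self.err_extra = err_extra
        self.retryable = ERROR_CODES.get(http_status, ("undocumented status", False))[1]


@dataclass
class Page:
    total_count: int
    result_count: int
    violations: list[dict]


def parse_reply(http_status: int, body: str) -> Page:
    """Return the parsed success reply, or raise ApiError for the error format."""
    reply = json.loads(body).get("reply")
    if not isinstance(reply, dict):
        raise ApiError(http_status, None, "reply object missing")
    if http_status != 200 or "err_code" in reply:
        raise ApiError(http_status, reply.get("err_code"), reply.get("err_msg", ""), reply.get("err_extra"))
    violations = reply.get("violations") or []
    page = Page(int(reply["total_count"]), int(reply["result_count"]), violations)
    if page.result_count != len(violations):
        raise ValueError("result_count does not match the violations array")
    return page


def classify(http_status: int, body: str) -> str:
    """'ok' for a usable page, 'retry' for a transient error, 'fix' for a caller-side problem."""
    try:
        parse_reply(http_status, body)
        return "ok"
    except ApiError as exc:
        return "retry" if exc.retryable else "fix"


def violation_time(v: dict) -> str:
    """Render the violation's epoch-millisecond UTC timestamp as ISO 8601."""
    return datetime.fromtimestamp(v["timestamp"] // 1000, tz=timezone.utc).isoformat()


def summarize(violations: list[dict]) -> dict[str, Counter]:
    """Tally violations by (lower-cased) device type and by hostname."""
    return {
        "by_type": Counter(v["type"].lower() for v in violations),
        "by_host": Counter(v["hostname"] for v in violations),
    }


# Constructed sample replies shaped like the page's success and error examples.
SUCCESS_BODY = json.dumps({"reply": {"total_count": 10, "result_count": 2, "violations": [
    {"hostname": "ws-01", "username": "test", "ip": "10.0.0.5", "timestamp": 1576260019000,
     "violation_id": 11, "type": "Disk Drive", "vendor_id": "v1", "vendor": "ExampleVendor",
     "product_id": "p1", "product": "ExampleDisk", "serial": "SN-0001", "endpoint_id": "ep-1"},
    {"hostname": "ws-01", "username": "test", "ip": "10.0.0.5", "timestamp": 1576260079000,
     "violation_id": 12, "type": "portable device", "vendor_id": "v2", "vendor": "ExampleVendor",
     "product_id": "p2", "product": "ExamplePhone", "serial": "SN-0002", "endpoint_id": "ep-1"},
]}})
ERROR_403_BODY = json.dumps({"reply": {"err_code": 403, "err_msg": "missing RBAC permission", "err_extra": None}})
ERROR_500_BODY = json.dumps({"reply": {"err_code": 500, "err_msg": "internal error", "err_extra": None}})

if __name__ == "__main__":
    page = parse_reply(200, SUCCESS_BODY)
    for v in page.violations:
        print(violation_time(v), v["hostname"], v["type"])
    print(summarize(page.violations))
    print(classify(403, ERROR_403_BODY), classify(500, ERROR_500_BODY))
```

The result_count consistency check is cheap insurance against a truncated or malformed body being treated as a complete page; a paging loop that trusts total_count should stop as soon as parse_reply raises rather than advance its offsets.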
