Quick reference to the functions available on the XdrApi object and their TypeScript signatures. The full TSDoc reference is available in the project repository.
Upload alerts from external alert sources in Cortex XDR format. Alerts that parse successfully are displayed in related incidents and views. Rate limit: you can send 600 alerts per minute, and each request can contain at most 60 alerts.
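The two limits above interact: a caller that simply splits alerts into requests of 60 can still burst past 600 per minute. The following is an added example, not code from the XdrApi project or Cortex XDR, that batches alerts to the per-request limit and paces the batches with a sliding one-minute window. The transport is injected so it runs offline; the `request_data.alerts` body shape, the `ExternalAlert` field names and the `Transport` type are assumptions for illustration, not the library's API.

```typescript
// Added example (not the project's code): batching and pacing alert uploads
// within the documented limits of 60 alerts per request and 600 per minute.
// The transport is injected so the example runs offline; the request body
// shape (request_data.alerts) and the alert fields are assumptions.

export const MAX_ALERTS_PER_REQUEST = 60;
export const MAX_ALERTS_PER_MINUTE = 600;

export interface ExternalAlert {
  product: string;
  vendor: string;
  local_ip: string;
  local_port: number;
  event_timestamp: number; // epoch milliseconds
  severity: "low" | "medium" | "high";
  alert_name: string;
  alert_description: string;
}

export type Transport = (body: { request_data: { alerts: ExternalAlert[] } }) => Promise<unknown>;

/** Split alerts into batches no larger than the per-request limit. */
export function chunkAlerts<T>(alerts: T[], size = MAX_ALERTS_PER_REQUEST): T[][] {
  if (size <= 0) throw new Error("batch size must be positive");
  const out: T[][] = [];
  for (let i = 0; i < alerts.length; i += size) out.push(alerts.slice(i, i + size));
  return out;
}

/**
 * Compute the send offset (ms from start) of each batch so that no 60-second
 * window carries more than `perMinute` alerts. A sliding window over batch
 * sizes is used rather than a fixed per-request delay, so a short final batch
 * does not waste quota.
 */
export function scheduleBatches(batches: unknown[][], perMinute = MAX_ALERTS_PER_MINUTE): number[] {
  const windowMs = 60_000;
  const sent: { at: number; n: number }[] = [];
  const times: number[] = [];
  let now = 0;
  for (const b of batches) {
    if (b.length > perMinute) throw new Error("a single batch exceeds the per-minute limit");
    for (;;) {
      const inWindow = sent.filter((s) => now - s.at < windowMs);
      const used = inWindow.reduce((a, s) => a + s.n, 0);
      if (used + b.length <= perMinute) break;
      // Advance to the moment the oldest in-window entry drops out of the window.
      const oldest = Math.min(...inWindow.map((s) => s.at));
      now = oldest + windowMs;
    }
    sent.push({ at: now, n: b.length });
    times.push(now);
  }
  return times;
}

/** Upload all alerts, honouring both limits. Returns the number of alerts sent. */
export async function uploadAlerts(
  alerts: ExternalAlert[],
  send: Transport,
  sleep: (ms: number) => Promise<void> = (ms) => new Promise((r) => setTimeout(r, ms)),
): Promise<number> {
  const batches = chunkAlerts(alerts);
  const times = scheduleBatches(batches);
  const start = Date.now();
  let sent = 0;
  for (let i = 0; i < batches.length; i++) {
    const wait = start + times[i] - Date.now();
    if (wait > 0) await sleep(wait);
    await send({ request_data: { alerts: batches[i] } });
    sent += batches[i].length;
  }
  return sent;
}

/** Constructed sample input for local runs (not real alert data). */
export function makeSampleAlerts(n: number): ExternalAlert[] {
  return Array.from({ length: n }, (_, i) => ({
    product: "ExampleIDS",
    vendor: "ExampleVendor",
    local_ip: `10.0.0.${i % 250}`,
    local_port: 443,
    event_timestamp: 1_700_000_000_000 + i * 1000,
    severity: i % 3 === 0 ? "high" : "low",
    alert_name: `Sample alert ${i}`,
    alert_description: "constructed for the example",
  }));
}
```

With 650 sample alerts this produces 11 batches: ten of 60 sent immediately and one of 50 deferred to the 60-second mark, because the first ten already consume the full minute's quota.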
Get agent event reports.
Get audit management logs.
Retrieve the quarantine status for a selected file.
Get a list of device violations filtered by the selected fields.
Create an installation package. This is an asynchronous call: it returns the distribution ID, which does not mean that creation succeeded. To confirm the package has been created, check the status of the distribution with the Get Distribution Status API.
Check the status of the installation package.
Get the distribution URL for downloading the installation package.
Get a filtered list of endpoints. Filters are combined with AND (OR is not supported). The maximum result set size is 100.
Get a list of your endpoints.
Isolate one or more endpoints in a single request.
Unisolate one or more endpoints in a single request.
Run a scan on selected endpoints.
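Two practical consequences of the limits above: "any of these values" must be expressed as a single `in` filter (two filters on the same field would have to both hold), and a full inventory has to be paged in windows of 100. The following is an added example, not code from the XdrApi project or Cortex XDR, showing both. The `request_data.filters`, `search_from`/`search_to` and `reply.endpoints`/`reply.total_count` shapes, the filter field names and the in-memory transport are assumptions for illustration.

```typescript
// Added example (not the project's code): AND-only endpoint filters and paging
// in windows of at most 100 rows. Request/response shapes, field names and
// the fake transport are assumptions so the example runs offline.

export const MAX_ENDPOINT_PAGE = 100;

export type FilterOperator = "in" | "gte" | "lte";

export interface EndpointFilter {
  field: string;
  operator: FilterOperator;
  value: unknown;
}

export interface EndpointQuery {
  request_data: { filters: EndpointFilter[]; search_from: number; search_to: number };
}

export interface EndpointPage<T> {
  reply: { endpoints: T[]; total_count: number };
}

/**
 * Build the filter list. Every entry is ANDed by the server, so a value list
 * under one "in" filter is the only way to say "any of these".
 */
export function buildEndpointFilters(criteria: {
  endpointIds?: string[];
  platforms?: string[];
  lastSeenAfterMs?: number;
}): EndpointFilter[] {
  const filters: EndpointFilter[] = [];
  if (criteria.endpointIds && criteria.endpointIds.length) {
    filters.push({ field: "endpoint_id_list", operator: "in", value: criteria.endpointIds });
  }
  if (criteria.platforms && criteria.platforms.length) {
    filters.push({ field: "platform", operator: "in", value: criteria.platforms });
  }
  if (criteria.lastSeenAfterMs !== undefined) {
    filters.push({ field: "last_seen", operator: "gte", value: criteria.lastSeenAfterMs });
  }
  return filters;
}

/** Successive [search_from, search_to) windows of at most `size` rows covering `total`. */
export function pageWindows(total: number, size = MAX_ENDPOINT_PAGE): Array<[number, number]> {
  const out: Array<[number, number]> = [];
  for (let from = 0; from < total; from += size) out.push([from, Math.min(from + size, total)]);
  return out;
}

/** Page through a filtered query, never requesting more than 100 rows at once. */
export async function getAllEndpoints<T>(
  filters: EndpointFilter[],
  send: (q: EndpointQuery) => Promise<EndpointPage<T>>,
): Promise<T[]> {
  const all: T[] = [];
  let from = 0;
  for (;;) {
    const page = await send({
      request_data: { filters, search_from: from, search_to: from + MAX_ENDPOINT_PAGE },
    });
    const got = page.reply.endpoints.length;
    all.push(...page.reply.endpoints);
    from += got;
    // Stop on an empty or short page, or once total_count is reached; the
    // empty-page check also guards against a server that never advances.
    if (got === 0 || got < MAX_ENDPOINT_PAGE || from >= page.reply.total_count) break;
  }
  return all;
}

/** Constructed in-memory stand-in for the transport (only "in" filters are evaluated). */
export function fakeEndpointTransport(rows: Record<string, unknown>[]) {
  let calls = 0;
  const send = async (q: EndpointQuery): Promise<EndpointPage<Record<string, unknown>>> => {
    calls++;
    const { filters, search_from, search_to } = q.request_data;
    const matching = rows.filter((r) =>
      filters.every((f) => f.operator !== "in" || (f.value as unknown[]).includes(r[f.field])),
    );
    return { reply: { endpoints: matching.slice(search_from, search_to), total_count: matching.length } };
  };
  return { send, calls: () => calls };
}

/** Constructed sample inventory: 150 Windows and 80 Linux endpoints. */
export function makeSampleEndpoints(): Record<string, unknown>[] {
  return Array.from({ length: 230 }, (_, i) => ({
    endpoint_id: `ep-${i}`,
    platform: i < 150 ? "windows" : "linux",
  }));
}
```

Against the 230-row sample inventory an unfiltered query takes three requests (100, 100, 30) and a `platform in ["windows"]` query takes two (100, then a short page of 50).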
Cancel the scan of selected endpoints. A scan can only be aborted if the selected endpoints are in Pending or in Progress status.
Delete selected endpoints in the Cortex XDR app. You can delete up to 100 endpoints.
Get the policy name for a specific endpoint.
- retrieveFile: Retrieve files from selected endpoints. You can retrieve up to 20 files from no more than 100 endpoints.
Quarantine file on selected endpoints.
Restore a quarantined file on the requested endpoints.
Blacklist the requested files that have not already been blacklisted or whitelisted.
Whitelist the requested files that have not already been blacklisted or whitelisted.
Get a list of incidents filtered by a list of incident IDs, modification time, or creation time.
Get extra data fields of a specific incident including alerts and key artifacts.
Update one or more fields of a specific incident. Missing fields are ignored.