Export Threats
GET {{baseUrl}}/web/api/v2.1/threats/export?k8sNodeName__contains=ex&filePath__contains=ex&analystVerdictsNin=ex&confidenceLevelsNin=ex&agentIds=ex&createdAt__gte=ex&incidentStatusesNin=ex&initiatedByUsername__contains=ex&classificationsNin=ex&k8sPodName__contains=ex&k8sNamespaceLabels__contains=ex&agentIsActive=ex&updatedAt__gte=ex&detectionEnginesNin=ex&k8sNamespaceName__contains=ex&osTypesNin=ex&noteExists=ex&tenant=ex&resolved=ex&rebootRequired=ex&detectionAgentDomain__contains=ex&engines=ex&externalTicketExists=ex&updatedAt__gt=ex&agentVersions=ex&contentHash__contains=ex&k8sControllerName__contains=ex&collectionIds=ex&updatedAt__lte=ex&k8sPodLabels__contains=ex&siteIds=ex&groupIds=ex&threatDetails__contains=ex&detectionAgentVersion__contains=ex&accountIds=ex&mitigationStatuses=ex&containerImageName__contains=ex&agentMachineTypesNin=ex&contentHashes=ex&originatedProcess__contains=ex&publisherName__contains=ex&containerLabels__contains=ex&createdAt__lte=ex&classifications=ex&confidenceLevels=ex&ids=ex&initiatedBy=ex&externalTicketId__contains=ex&agentVersionsNin=ex&externalTicketIds=ex&osTypes=ex&displayName=ex&storylines=ex&storyline__contains=ex&query=ex&pendingActions=ex&k8sClusterName__contains=ex&initiatedByNin=ex&detectionEngines=ex&enginesNin=ex&osNamesNin=ex&incidentStatuses=ex&createdAt__gt=ex&updatedAt__lt=ex&createdAt__lt=ex&mitigatedPreemptively=ex&failedActions=ex&realtimeAgentVersion__contains=ex&k8sControllerLabels__contains=ex&uuid__contains=ex&analystVerdicts=ex&countsFor=ex&containerName__contains=ex&classificationSourcesNin=ex&commandLineArguments__contains=ex&osArchs=ex&computerName__contains=ex&mitigationStatusesNin=ex&osNames=ex&classificationSources=ex&agentMachineTypes=ex
Export data of threats (as seen in the Console > Incidents) that match the filter. Note: narrow the result with the filter parameters, because this command exports at most 20,000 items (each datum is an item); anything beyond that limit is not included in the export.
Request Params
Key | Datatype | Required | Description |
---|---|---|---|
k8sNodeName__contains | string | | Free-text filter by the endpoint Kubernetes node name (supports multiple values) |
filePath__contains | string | | Free-text filter by file path (supports multiple values). Example: "\MyUser\Downloads". |
analystVerdictsNin | string | | Exclude threats with specific analyst verdicts. Example: "true_positive,suspicious". |
confidenceLevelsNin | string | | Exclude threats with specific confidence level. Example: "malicious". |
agentIds | string | | List of Agent IDs. Example: "225494730938493804,225494730938493915". |
createdAt__gte | string | | Created at greater or equal than. Example: "2018-02-27T04:49:26.257525Z". |
incidentStatusesNin | string | | Exclude threats with specific incident statuses. Example: "unresolved,in_progress". |
initiatedByUsername__contains | string | | Free-text filter by the username that initiated that threat (supports multiple values). Example: "John,John Doe". |
classificationsNin | string | | List of threat classifications not to search |
k8sPodName__contains | string | | Free-text filter by the endpoint Kubernetes pod name (supports multiple values) |
k8sNamespaceLabels__contains | string | | Free-text filter by the endpoint Kubernetes namespace labels (supports multiple values) |
agentIsActive | string | | Include Agents currently connected to the Management Console |
updatedAt__gte | string | | Updated at greater or equal than. Example: "2018-02-27T04:49:26.257525Z". |
detectionEnginesNin | string | | Excluded engines. Example: "reputation". |
k8sNamespaceName__contains | string | | Free-text filter by the endpoint Kubernetes namespace name (supports multiple values) |
osTypesNin | string | | Excluded OS types. Example: "macos". |
noteExists | string | | The threat contains at least one note |
tenant | string | | Indicates a Global (tenant) scope request |
resolved | string | | This is used for backward-compatibility with API 2.0. |
rebootRequired | string | | A reboot is required on any endpoint for at least one action on the threat |
detectionAgentDomain__contains | string | | Free-text filter by Agent domain at detection time (supports multiple values). Example: "sentinel,sentinelone.com". |
engines | string | | Included engines. Example: "reputation". |
externalTicketExists | string | | The threat contains a ticket number |
updatedAt__gt | string | | Updated at greater than. Example: "2018-02-27T04:49:26.257525Z". |
agentVersions | string | | Include Agent versions. Example: "2.5.1.1320". |
contentHash__contains | string | | Free-text filter by file content hash (supports multiple values). Example: "5f09bcff3". |
k8sControllerName__contains | string | | Free-text filter by the endpoint Kubernetes controller name (supports multiple values) |
collectionIds | string | | List of collection IDs to search. Example: "225494730938493804,225494730938493915". |
updatedAt__lte | string | | Updated at lesser or equal than. Example: "2018-02-27T04:49:26.257525Z". |
k8sPodLabels__contains | string | | Free-text filter by the endpoint Kubernetes pod labels (supports multiple values) |
siteIds | string | | List of Site IDs to filter by. Example: "225494730938493804,225494730938493915". |
groupIds | string | | List of Group IDs to filter by. Example: "225494730938493804,225494730938493915". |
threatDetails__contains | string | | Free-text filter by threat details (supports multiple values). Example: "malware.exe,virus.exe". |
detectionAgentVersion__contains | string | | Free-text filter by Agent version at detection time (supports multiple values). Example: "1.1.1.1,2.2.". |
accountIds | string | | List of Account IDs to filter by. Example: "225494730938493804,225494730938493915". |
mitigationStatuses | string | | Filter threats by a specific status. Example: "not_mitigated". |
containerImageName__contains | string | | Free-text filter by the endpoint container image name (supports multiple values) |
agentMachineTypesNin | string | | Excluded Agent machine types. Example: "unknown". |
contentHashes | string | | List of sha1 hashes to search for. Example: "ddd5030a3d029f3845fc1052419829f08f312240". |
originatedProcess__contains | string | | Free-text filter by the originated process name of the threat (supports multiple values) |
publisherName__contains | string | | Free-text filter by threat's publisher name (supports multiple values). Example: "GOOGLE,Apple Inc.". |
containerLabels__contains | string | | Free-text filter by the endpoint container labels (supports multiple values) |
createdAt__lte | string | | Created at lesser or equal than. Example: "2018-02-27T04:49:26.257525Z". |
classifications | string | | List of threat classifications to search |
confidenceLevels | string | | Filter threats by a specific confidence level. Example: "malicious". |
ids | string | | List of threat IDs. Example: "225494730938493804,225494730938493915". |
initiatedBy | string | | Only include threats from specific initiating sources. Example: "agent_policy,dv_command". |
externalTicketId__contains | string | | Free-text filter by the threat external ticket ID (supports multiple values) |
agentVersionsNin | string | | Excluded Agent versions. Example: "2.5.1.1320". |
externalTicketIds | string | | External ticket ID for the threat |
osTypes | string | | Included OS types. Example: "macos". |
displayName | string | | Display name |
storylines | string | | List of Agent context to search for |
storyline__contains | string | | Free-text filter by threat storyline (supports multiple values). Example: "0000C2E97648,0006FC73-77B4-470F-AAC7-". |
query | string | | Full text search for fields: threat_details, content_hash, computer_name, file_path, uuid, detection_agent_version, realtime_agent_version, detection_agent_domain, command_line_arguments, initiated_by_username, storyline, originated_process, k8s_cluster_name, k8s_node_name, k8s_namespace_name, k8s_namespace_labels, k8s_controller_name, k8s_controller_labels, k8s_pod_name, k8s_pod_labels, container_name, container_image_name, container_labels, external_ticket_id |
pendingActions | string | | At least one action is pending for the Agent for the threat |
k8sClusterName__contains | string | | Free-text filter by the endpoint Kubernetes cluster name (supports multiple values) |
initiatedByNin | string | | Exclude threats with specific initiating sources. Example: "agent_policy,dv_command". |
detectionEngines | string | | Included engines. Example: "reputation". |
enginesNin | string | | Excluded engines. Example: "reputation". |
osNamesNin | string | | Generated by shuffler.io OpenAPI |
incidentStatuses | string | | Filter threats by a specific incident status. Example: "unresolved,in_progress". |
createdAt__gt | string | | Created at greater than. Example: "2018-02-27T04:49:26.257525Z". |
updatedAt__lt | string | | Updated at lesser than. Example: "2018-02-27T04:49:26.257525Z". |
createdAt__lt | string | | Created at lesser than. Example: "2018-02-27T04:49:26.257525Z". |
mitigatedPreemptively | string | | If the threat was detected pre-execution or post-execution |
failedActions | string | | At least one action failed on the threat |
realtimeAgentVersion__contains | string | | Free-text filter by Agent version at current time (supports multiple values). Example: "1.1.1.1,2.2.". |
k8sControllerLabels__contains | string | | Free-text filter by the endpoint Kubernetes controller labels (supports multiple values) |
uuid__contains | string | | Free-text filter by Agent UUID (supports multiple values). Example: "e92-01928,b055". |
analystVerdicts | string | | Filter threats by a specific analyst verdict. Example: "true_positive,suspicious". |
countsFor | string | | Comma-separated list of fields to be shown. Example: "osTypes,machineTypes". |
containerName__contains | string | | Free-text filter by the endpoint container name (supports multiple values) |
classificationSourcesNin | string | | Classification sources list to exclude. Example: "Cloud". |
commandLineArguments__contains | string | | Free-text filter by threat command line arguments (supports multiple values). Example: "/usr/sbin/,wget". |
osArchs | string | | Included OS Architectures. Example: "32 bit". |
computerName__contains | string | | Free-text filter by computer name (supports multiple values). Example: "john-office,WIN". |
mitigationStatusesNin | string | | Exclude threats with a specific status. Example: "not_mitigated". |
osNames | string | | Generated by shuffler.io OpenAPI |
classificationSources | string | | Classification sources list. Example: "Cloud". |
agentMachineTypes | string | | Include Agent machine types. Example: "unknown". |
HEADERS
Key | Datatype | Required | Description |
---|---|---|---|
Content-Type | null | | |
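The following Python is an added example, not SentinelOne's or shuffler.io's code. It builds export URLs from the documented query keys (comma-joined list values, lowercase booleans, proper URL encoding) and splits a createdAt range into windows, halving any window whose export comes back with 20,000 rows, so that the per-export cap above does not silently drop threats from an archive or SIEM feed. The base URL, the `ApiToken` Authorization header scheme in `fetch_export`, and the simulated row counts used in the usage section are assumptions; this page does not describe authentication.

```python
"""Added example: filtered, cap-aware exports for GET /web/api/v2.1/threats/export."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
import urllib.request

EXPORT_PATH = "/web/api/v2.1/threats/export"
EXPORT_CAP = 20_000  # documented maximum items per export


def fmt_ts(dt: datetime) -> str:
    """Render a datetime as the UTC ISO-8601 form used by the createdAt__*/updatedAt__* examples."""
    if dt.tzinfo is None:           # treat naive datetimes as UTC rather than local time
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def build_export_url(base_url: str, **filters) -> str:
    """Build the export URL from keyword args named after the documented query keys.
    Lists become the comma-separated form the API examples use, booleans become
    "true"/"false", and None values are dropped so callers can pass optional filters."""
    params = {}
    for key, value in filters.items():
        if value is None:
            continue
        if isinstance(value, bool):
            value = "true" if value else "false"
        elif isinstance(value, (list, tuple)):
            value = ",".join(str(v) for v in value)
        params[key] = str(value)
    return f"{base_url.rstrip('/')}{EXPORT_PATH}?{urlencode(params)}"


def time_windows(start: datetime, end: datetime, step: timedelta):
    """Yield (gte, lt) pairs that cover [start, end) in consecutive steps."""
    cur = start
    while cur < end:
        nxt = min(cur + step, end)
        yield cur, nxt
        cur = nxt


def hit_cap(row_count: int) -> bool:
    """An export that returns exactly the cap was probably truncated."""
    return row_count >= EXPORT_CAP


def windows_under_cap(count_rows, start, end, step, min_step=timedelta(minutes=1)):
    """Split [start, end) into windows whose exports stay under EXPORT_CAP.
    count_rows(gte, lt) -> int is supplied by the caller (e.g. the row count of the
    export fetched for that window). Capped windows are halved recursively down to
    min_step. Returns a list of (gte, lt, row_count) tuples."""
    out = []
    for a, b in time_windows(start, end, step):
        n = count_rows(a, b)
        if hit_cap(n) and (b - a) > min_step:
            out.extend(windows_under_cap(count_rows, a, b, (b - a) / 2, min_step))
        else:
            out.append((a, b, n))
    return out


def export_plan(base_url: str, start: datetime, end: datetime, step: timedelta, **filters):
    """One export URL per window, each bounded by createdAt__gte / createdAt__lt."""
    return [
        build_export_url(base_url, createdAt__gte=fmt_ts(a), createdAt__lt=fmt_ts(b), **filters)
        for a, b in time_windows(start, end, step)
    ]


def fetch_export(url: str, api_token: str, timeout: int = 60) -> bytes:
    """Fetch one export. ASSUMPTION: the 'ApiToken' Authorization scheme is not documented on this page."""
    req = urllib.request.Request(url, headers={"Authorization": f"ApiToken {api_token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed usage: a simulated tenant that logs 1,000 threats per hour, so a
    # one-day window would exceed the cap and must be halved before exporting.
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    end = datetime(2024, 1, 2, tzinfo=timezone.utc)
    simulated = lambda a, b: int((b - a).total_seconds() / 3600 * 1000)  # constructed density
    for a, b, n in windows_under_cap(simulated, start, end, timedelta(days=1)):
        print(n, build_export_url("https://mgmt.example.invalid", createdAt__gte=fmt_ts(a),
                                  createdAt__lt=fmt_ts(b), incidentStatuses="unresolved"))
```

A caller that fetches each URL with `fetch_export` should count the rows returned and feed that count back through `windows_under_cap`; a window that returns exactly 20,000 rows is the signal that the filter was too broad, not confirmation that the export was complete.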