Fetch Events Using SearchAfter

For API version information, refer to the API Version History section.

Non-Versioned

This API retrieves large sets of events (such as logs, security incidents, or audit records) and is especially useful when dealing with paginated data.

This API involves a two-step process: an Initial Request to start the process and a Follow-Up Request to complete it. Both steps are necessary to ensure the full execution of the API operation. 

GET /ioc/events/searchAfter

Input Parameters for Fetch Events

Input Parameters | Mandatory/Optional | Format | Description
Authorization | Mandatory | String | The Authorization parameter authenticates the request to the Qualys Enterprise TruRisk™ Platform. Prepend the token with "Bearer" and a space. For example: Bearer authToken.
filter | Optional | String | Filter the events list by providing a query using Qualys syntax. Refer to the How to Search topic in the online help for assistance with creating your query (for example: event.datetime:["2024-09-15T00:30:00.000Z".."2024-09-22T18:29:59.999Z"] AND action: 'Created'). You can filter events based on the time they were generated (event.datetime) or the time they were processed at Qualys (event.eventprocesstime). If you want to fetch events by date AND time, it is recommended to use the "event.datetime" or "event.eventprocesstime" parameter.
pageNumber | Optional | String | The pageNumber parameter specifies the page to be returned. Page numbering starts from zero.
pageSize | Optional | String | The pageSize parameter specifies the number of records per page to be included in the response. The default value is 10.
include_attributes | Optional | String | The include_attributes parameter includes certain attributes in the search. The search results generated are provided using a comma-separated list (for example: include_attributes = _type, _id, processName). The API response fetches only the included attributes.
exclude_attributes | Optional | String | The exclude_attributes parameter excludes certain attributes from the search. The search results generated are provided using a comma-separated list (for example: exclude_attributes = _type, _id, processName). Note: You need not exclude attributes if you have included specific attributes using the include_attributes parameter. Attributes that are not included are excluded by default.
searchAfterValues | Optional | Array | Enter a value for pagination to start fetching the next set of results (for example: 1722538573707,b2xxx2c4-xxx9-352f-8xx6-axxce3xx37ax). Note: This is the value from the searchAfterValue header returned in the previous response. If not provided, the API will return the first page of results.

Sample - Initial Request

API request

curl -X GET "<qualys_base_url>/ioc/events/searchAfter" --header "accept: */*" --header "Authorization: Bearer <token>"

Response

[
{
"dateTime": "2023-10-02T00:00:12.299+0000",
"eventProcessedTime": "2023-10-01T23:58:06.530+0000",
"file": {
"fullPath": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent\\005A4BDD\\USER00000001\\S-1-5-21-3853312163-935010464-3409451040-500-Keyboard.reg",
"extension": "reg",
"fileName": "S-1-5-21-3853312163-935010464-3409451040-500-Keyboard.reg",
"sha256": "X1XXbc0834586XX785df94a468ab7d6XXXXX320df08a9a60f1eXXXXb95c529XX",
"writeDate": "2023-10-01T23:59:58.018+0000",
"macroEmbedded": false,
"path": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent\\005A4BDD\\USER00000001",
"createdDate": "2023-10-01T23:59:58.018+0000",
"size": 4848,
"accessDate": "2023-10-01T23:59:58.018+0000",
"nonPEFile": true,
"fileType": "Registration Entries",
"md5": "aXX30a3XX7ebf6376XXb4325af2daXXX"
},
"eventSource": "EDR",
"action": "CREATED",
"indicator2": [
{
"sha256": "X1XXbc0834586XX785df94a468ab7d6XXXXX320df08a9a60f1eXXXXb95c529XX",
"verdict": "UNKNOWN",
"rowId": "-3516754699100620536"
}
],
"id": "RTF_c58XXX14-5cXX-3f47-9XXX-dXXX675588XX_2-10-2023",
"type": "FILE",
"asset": {
"fullOSName": "Microsoft Windows 10 Pro 10.0.18362 Build 18362",
"hostName": "PN-POD1-RD",
"agentId": "eXX6820d-6XXe-XXa2-a458-6833XX88bXX7",
"interfaces": [
{
"macAddress": "xx:50:xx:xx:xx:BE",
"ipAddress": "10.xx.xx.210",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "10.113.226.1"
}
],
"netBiosName": "PN-POD1-RD",
"isQuarantineHost": false,
"platform": "Windows",
"assetType": "HOST",
"tags": [
{
"name": "Cloud Agent",
"uuid": "XXe676XX-XX78-4fXX-XX5f-6XXX0bc2XX1b"
},
{
"name": "Dynamic One",
"uuid": "6aXXfeaX-4XXe-4XX9-82XX-46XX132dXXX6"
},
{
"name": "DynamicTag",
"uuid": "XXX788fX-fXX4-XX3b-abXX-XX2d85X08XX8"
}
]
},
"uniqueId": "-3516754699100620536"
},
{
"dateTime": "2023-10-02T00:00:12.627+0000",
"eventProcessedTime": "2023-10-01T23:58:06.531+0000",
"file": {
"fullPath": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent\\005A4BDD\\USER00000000\\S-1-5-21-3853312163-935010464-3409451040-1001-CTF.reg",
"extension": "reg",
"fileName": "S-1-5-21-3853312163-935010464-3409451040-1001-CTF.reg",
"sha256": "X1XXbc0834586XX785df94a468ab7d6XXXXX320df08a9a60f1eXXXXb95c529XX",
"writeDate": "2023-10-02T00:00:03.939+0000",
"macroEmbedded": false,
"path": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent\\005A4BDD\\USER00000000",
"createdDate": "2023-10-02T00:00:03.939+0000",
"size": 10926,
"accessDate": "2023-10-02T00:00:03.939+0000",
"nonPEFile": true,
"fileType": "Registration Entries",
"md5": "dXXfc2071c05828XXX93b2XXX62bbXXX"
},
...
{
"name": "Dynamic One",
"uuid": "6aXXfeaX-4XXe-4XX9-82XX-46XX132dXXX6"
},
{
"name": "DynamicTag",
"uuid": "XXX788fX-fXX4-XX3b-abXX-XX2d85X08XX8"
}
]
},
"uniqueId": "-6530935410104234747"
},
{
"dateTime": "2023-10-02T00:00:12.799+0000",
"score": "0",
"scoreSource": "REVERSING_LAB",
..
},
"uniqueId": "-8065662183459215061"
},
{
"dateTime": "2023-10-02T00:00:12.361+0000",
"eventProcessedTime": "2023-10-01T23:58:07.467+0000",
"file": {
"fullPath": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent\\005A4BDD\\USER00000001\\S-1-5-21-3853312163-935010464-3409451040-500-CTF.reg",
"extension": "reg",
"fileName": "S-1-5-21-3853312163-935010464-3409451040-500-CTF.reg",
.. [
{
"name": "Cloud Agent",
"uuid": "XXe676XX-XX78-4fXX-XX5f-6XXX0bc2XX1b"
},
{
"name": "Dynamic One",
"uuid": "6aXXfeaX-4XXe-4XX9-82XX-46XX132dXXX6"
},
{
"name": "DynamicTag",
"uuid": "XXX788fX-fXX4-XX3b-abXX-XX2d85X08XX8"
}
]
},
"uniqueId": "2520718635903176326"
}
]

Sample - Follow-up Request

Next API Request

curl -X GET "<qualys_base_url>/ioc/events/searchAfter?searchAfterValues=1696204830256,RTF_XX87dc71-bXXX-3XXX-8940-c297XXXf3c57_2-10-2023" --header "accept: */*" --header "Authorization: Bearer <token>"

Response

{
    "data":count:55279
}

Response Field Descriptions

Dataset Name | Field Name | Data Type | Description
Event | count | Integer | Count of events.

Response Codes

The response codes for this API are as follows:

HTTP Status Code | Description
200 OK: Get data | The request was successful, and the data was returned.
204 No Content: All data received | The request was successful, but there is no data to return.
400 Bad Request: Data not found | The request was invalid or malformed (e.g., missing parameters, invalid syntax).

V1.0

This API retrieves large sets of events (such as logs, security incidents, or audit records) and is especially useful when dealing with paginated data.

This API involves a two-step process: an Initial Request to start the process and a Follow-Up Request to complete it. Both steps are necessary to ensure the full execution of the API operation. 

GET /ioc/v1/events/searchAfter

Input Parameters for Fetch Events

Input Parameters | Mandatory/Optional | Format | Description
Authorization | Mandatory | String | The Authorization parameter authenticates the request to the Qualys Enterprise TruRisk™ Platform. Prepend the token with "Bearer" and a space. For example: Bearer authToken.
filter | Optional | String | Filter the events list by providing a query using Qualys syntax. Refer to the How to Search topic in the online help for assistance with creating your query (for example: event.datetime:["2024-09-15T00:30:00.000Z".."2024-09-22T18:29:59.999Z"] AND action: 'Created'). You can filter events based on the time they were generated (event.datetime) or the time they were processed at Qualys (event.eventprocesstime). If you want to fetch events by date AND time, it is recommended to use the "event.datetime" or "event.eventprocesstime" parameter.
pageNumber | Optional | String | The pageNumber parameter specifies the page to be returned. Page numbering starts from zero.
pageSize | Optional | String | The pageSize parameter specifies the number of records per page to be included in the response. The default value is 10.
include_attributes | Optional | String | The include_attributes parameter includes certain attributes in the search. The search results generated are provided using a comma-separated list (for example: include_attributes = _type, _id, processName). The API response fetches only the included attributes.
exclude_attributes | Optional | String | The exclude_attributes parameter excludes certain attributes from the search. The search results generated are provided using a comma-separated list (for example: exclude_attributes = _type, _id, processName). Note: You need not exclude attributes if you have included specific attributes using the include_attributes parameter. Attributes that are not included are excluded by default.
searchAfterValues | Optional | Array | Enter a value for pagination to start fetching the next set of results (for example: 1722538573707,b2xxx2c4-xxx9-352f-8xx6-axxce3xx37ax). Note: This is the value from the searchAfterValue header returned in the previous response. If not provided, the API will return the first page of results.

Sample - Initial Request

API request

curl -X GET "<qualys_base_url>/ioc/v1/events/searchAfter" --header "accept: */*" --header "Authorization: Bearer <token>"

Response

[
{
"dateTime": "2023-10-02T00:00:12.299+0000",
"eventProcessedTime": "2023-10-01T23:58:06.530+0000",
"file": {
"fullPath": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent\\005A4BDD\\USER00000001\\S-1-5-21-3853312163-935010464-3409451040-500-Keyboard.reg",
"extension": "reg",
"fileName": "S-1-5-21-3853312163-935010464-3409451040-500-Keyboard.reg",
"sha256": "X1XXbc0834586XX785df94a468ab7d6XXXXX320df08a9a60f1eXXXXb95c529XX",
"writeDate": "2023-10-01T23:59:58.018+0000",
"macroEmbedded": false,
"path": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent\\005A4BDD\\USER00000001",
"createdDate": "2023-10-01T23:59:58.018+0000",
"size": 4848,
"accessDate": "2023-10-01T23:59:58.018+0000",
"nonPEFile": true,
"fileType": "Registration Entries",
"md5": "aXX30a3XX7ebf6376XXb4325af2daXXX"
},
"eventSource": "EDR",
"action": "CREATED",
"indicator2": [
{
"sha256": "X1XXbc0834586XX785df94a468ab7d6XXXXX320df08a9a60f1eXXXXb95c529XX",
"verdict": "UNKNOWN",
"rowId": "-3516754699100620536"
}
],
"id": "RTF_c58XXX14-5cXX-3f47-9XXX-dXXX675588XX_2-10-2023",
"type": "FILE",
"asset": {
"fullOSName": "Microsoft Windows 10 Pro 10.0.18362 Build 18362",
"hostName": "PN-POD1-RD",
"agentId": "eXX6820d-6XXe-XXa2-a458-6833XX88bXX7",
"interfaces": [
{
"macAddress": "xx:50:xx:xx:xx:BE",
"ipAddress": "10.xx.xx.210",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "10.113.226.1"
}
],
"netBiosName": "PN-POD1-RD",
"isQuarantineHost": false,
"platform": "Windows",
"assetType": "HOST",
"tags": [
{
"name": "Cloud Agent",
"uuid": "XXe676XX-XX78-4fXX-XX5f-6XXX0bc2XX1b"
},
{
"name": "Dynamic One",
"uuid": "6aXXfeaX-4XXe-4XX9-82XX-46XX132dXXX6"
},
{
"name": "DynamicTag",
"uuid": "XXX788fX-fXX4-XX3b-abXX-XX2d85X08XX8"
}
]
},
"uniqueId": "-3516754699100620536"
},
{
"dateTime": "2023-10-02T00:00:12.627+0000",
"eventProcessedTime": "2023-10-01T23:58:06.531+0000",
"file": {
"fullPath": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent\\005A4BDD\\USER00000000\\S-1-5-21-3853312163-935010464-3409451040-1001-CTF.reg",
"extension": "reg",
"fileName": "S-1-5-21-3853312163-935010464-3409451040-1001-CTF.reg",
"sha256": "X1XXbc0834586XX785df94a468ab7d6XXXXX320df08a9a60f1eXXXXb95c529XX",
"writeDate": "2023-10-02T00:00:03.939+0000",
"macroEmbedded": false,
"path": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent\\005A4BDD\\USER00000000",
"createdDate": "2023-10-02T00:00:03.939+0000",
"size": 10926,
"accessDate": "2023-10-02T00:00:03.939+0000",
"nonPEFile": true,
"fileType": "Registration Entries",
"md5": "dXXfc2071c05828XXX93b2XXX62bbXXX"
},
...
{
"name": "Dynamic One",
"uuid": "6aXXfeaX-4XXe-4XX9-82XX-46XX132dXXX6"
},
{
"name": "DynamicTag",
"uuid": "XXX788fX-fXX4-XX3b-abXX-XX2d85X08XX8"
}
]
},
"uniqueId": "-6530935410104234747"
},
{
"dateTime": "2023-10-02T00:00:12.799+0000",
"score": "0",
"scoreSource": "REVERSING_LAB",
..
},
"uniqueId": "-8065662183459215061"
},
{
"dateTime": "2023-10-02T00:00:12.361+0000",
"eventProcessedTime": "2023-10-01T23:58:07.467+0000",
"file": {
"fullPath": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent\\005A4BDD\\USER00000001\\S-1-5-21-3853312163-935010464-3409451040-500-CTF.reg",
"extension": "reg",
"fileName": "S-1-5-21-3853312163-935010464-3409451040-500-CTF.reg",
.. [
{
"name": "Cloud Agent",
"uuid": "XXe676XX-XX78-4fXX-XX5f-6XXX0bc2XX1b"
},
{
"name": "Dynamic One",
"uuid": "6aXXfeaX-4XXe-4XX9-82XX-46XX132dXXX6"
},
{
"name": "DynamicTag",
"uuid": "XXX788fX-fXX4-XX3b-abXX-XX2d85X08XX8"
}
]
},
"uniqueId": "2520718635903176326"
}
]

Sample - Follow-up Request

Next API Request

curl -X GET "<qualys_base_url>/ioc/v1/events/searchAfter?searchAfterValues=1696204830256,RTF_XX87dc71-bXXX-3XXX-8940-c297XXXf3c57_2-10-2023" --header "accept: */*" --header "Authorization: Bearer <token>"

Response

{
    "data":count:55279
}

Response Field Descriptions

Dataset Name | Field Name | Data Type | Description
Event | count | Integer | Count of events.

Response Codes

The response codes for this API are as follows:

HTTP Status Code | Description
200 OK: Get data | The request was successful, and the data was returned.
204 No Content: All data received | The request was successful, but there is no data to return.
400 Bad Request: Data not found | The request was invalid or malformed (e.g., missing parameters, invalid syntax).
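
The two-step flow described on this page (an initial request, then follow-up requests that pass the previous response's cursor as searchAfterValues) is shown here as an added Python example; it is not Qualys code. It assumes that a 200 body is a JSON array of events and that the cursor arrives in the searchAfterValue response header; fetch_all_events, the injected get transport, make_fake_transport and the sample pages are constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

ENDPOINT = "/ioc/v1/events/searchAfter"  # path documented on this page


def fetch_all_events(base_url, token, get, query_filter=None, page_size=10, max_pages=1000):
    # `get(url, headers)` is an injected transport (assumption of this example)
    # returning (status_code, response_headers, body_text).
    headers = {"accept": "*/*", "Authorization": f"Bearer {token}"}
    events, cursor = [], None
    for _ in range(max_pages):
        params = {"pageSize": page_size}
        if query_filter:
            params["filter"] = query_filter
        if cursor:
            params["searchAfterValues"] = cursor
        url = f"{base_url}{ENDPOINT}?{urlencode(params, safe=',')}"
        status, resp_headers, body = get(url, headers)
        if status == 204:  # No Content: all data received
            return events
        if status != 200:  # e.g. 400 Bad Request
            raise RuntimeError(f"searchAfter failed with HTTP {status}")
        events.extend(json.loads(body))  # assumed: body is a JSON array of events
        # HTTP header names are case-insensitive, so normalise before lookup.
        nxt = {k.lower(): v for k, v in resp_headers.items()}.get("searchaftervalue")
        if not nxt or nxt == cursor:  # missing or non-advancing cursor: stop
            return events
        cursor = nxt
    raise RuntimeError("max_pages reached without a 204; aborting")


def make_fake_transport(pages):
    """Constructed stand-in for the server: serves `pages` in order, then 204."""
    seen_cursors = []
    def get(url, headers):
        query = parse_qs(urlparse(url).query)
        seen_cursors.append(query.get("searchAfterValues", [None])[0])
        if len(seen_cursors) > len(pages):
            return 204, {}, ""
        cursor, batch = pages[len(seen_cursors) - 1]
        return 200, {"searchAfterValue": cursor}, json.dumps(batch)
    return get, seen_cursors


# Constructed sample data: (cursor returned in the header, events in the page)
SAMPLE_PAGES = [("1000,evt-2", [{"id": "evt-1"}, {"id": "evt-2"}]),
                ("2000,evt-3", [{"id": "evt-3"}])]
```

To call the real endpoint, pass a get function that wraps your HTTP client; the max_pages bound and the non-advancing-cursor check keep a misbehaving response from looping the collector indefinitely.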

API Version History

The following table depicts the information about the different versions of this API along with the status:

API Version | API Status | Release Date
/ioc/events/searchAfter | Active |
/ioc/v1/events/searchAfter | Active | May 2025