Fetch Events Using SearchAfter
For API version information, refer to the API Version History section.
Non-Versioned
This API retrieves large sets of events (such as logs, security incidents, or audit records), especially when dealing with paginated data.
This API involves a two-step process: an Initial Request to start the process and a Follow-Up Request to complete it. Both steps are necessary to ensure the full execution of the API operation.
Input Parameters for Fetch Events
Input Parameters | Mandatory/Optional | Format | Description |
---|---|---|---|
Authorization | Mandatory | String | The Authorization parameter authenticates against the Qualys Enterprise TruRisk™ Platform. Prepend the token with "Bearer" and a space. For example: Bearer authToken. |
filter | Optional | String | Filter the events list by providing a query using Qualys syntax. Refer to the How to Search topic in the online help for assistance with creating your query. For example: event.datetime:["2024-09-15T00:30:00.000Z".."2024-09-22T18:29:59.999Z"] AND action: 'Created'. You can filter events based on the time they are generated (event.datetime) or the time they are processed at Qualys (event.eventprocesstime). If you want to fetch events by date AND time, it is recommended to use the event.datetime or event.eventprocesstime field. |
pageNumber | Optional | String | The pageNumber parameter specifies the page to be returned. Page numbering starts from zero. |
pageSize | Optional | String | The pageSize parameter specifies the number of records per page to include in the response. The default value is 10. |
include_attributes | Optional | String | The include_attributes parameter restricts the search results to the listed attributes. Provide the attributes as a comma-separated list; the API response returns only the included attributes. For example: include_attributes = _type, _id, processName |
exclude_attributes | Optional | String | The exclude_attributes parameter removes the listed attributes from the search results. Provide the attributes as a comma-separated list. For example: exclude_attributes = _type, _id, processName. Note: You need not exclude attributes if you have already restricted the response with include_attributes; attributes that are not included are excluded by default. |
searchAfterValues | Optional | Array | Enter the pagination value from which to start fetching the next set of results. For example: 1722538573707,b2xxx2c4-xxx9-352f-8xx6-axxce3xx37ax. Note: This is the value from the searchAfterValue header returned in the previous response. If it is not provided, the API returns the first page of results. |
Sample - Initial Request
API request
```shell
curl -X GET "<qualys_base_url>/ioc/events/searchAfter" --header "accept: */*" --header "Authorization: Bearer <token>"
```
Response
```json
[ { "dateTime": "2023-10-02T00:00:12.299+0000", "eventProcessedTime": "2023-10-01T23:58:06.530+0000", "file": { "fullPath": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent \\005A4BDD\\USER00000001\\S-1-5-21-3853312163-935010464-3409451040-500- Keyboard.reg", "extension": "reg", "fileName": "S-1-5-21-3853312163-935010464-3409451040-500- Keyboard.reg", "sha256": "X1XXbc0834586XX785df94a468ab7d6XXXXX320df08a9a60f1eXXXXb95c529XX", "writeDate": "2023-10-01T23:59:58.018+0000", "macroEmbedded": false, "path": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent \\005A4BDD\\USER00000001", "createdDate": "2023-10-01T23:59:58.018+0000", "size": 4848, "accessDate": "2023-10-01T23:59:58.018+0000", "nonPEFile": true, "fileType": "Registration Entries", "md5": "aXX30a3XX7ebf6376XXb4325af2daXXX" }, "eventSource": "EDR", "action": "CREATED", "indicator2": [ { "sha256": "X1XXbc0834586XX785df94a468ab7d6XXXXX320df08a9a60f1eXXXXb95c529XX", "verdict": "UNKNOWN", "rowId": "-3516754699100620536" } ], "id": "RTF_c58XXX14-5cXX-3f47-9XXX-dXXX675588XX_2-10-2023", "type": "FILE", "asset": { "fullOSName": "Microsoft Windows 10 Pro 10.0.18362 Build 18362", "hostName": "PN-POD1-RD", "agentId": "eXX6820d-6XXe-XXa2-a458-6833XX88bXX7", "interfaces": [ { "macAddress": "xx:50:xx:xx:xx:BE", "ipAddress": "10.xx.xx.210", "interfaceName": "Intel(R) 82574L Gigabit Network Connection", "gatewayAddress": "10.113.226.1" } ], "netBiosName": "PN-POD1-RD", "isQuarantineHost": false, "platform": "Windows", "assetType": "HOST", "tags": [ { "name": "Cloud Agent", "uuid": "XXe676XX-XX78-4fXX-XX5f-6XXX0bc2XX1b" }, { "name": "Dynamic One", "uuid": "6aXXfeaX-4XXe-4XX9-82XX-46XX132dXXX6" }, { "name": "DynamicTag", "uuid": "XXX788fX-fXX4-XX3b-abXX-XX2d85X08XX8" } ] }, "uniqueId": "-3516754699100620536" }, { "dateTime": "2023-10-02T00:00:12.627+0000", "eventProcessedTime": "2023-10-01T23:58:06.531+0000", "file": { "fullPath": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent \\005A4BDD\\USER00000000\\S-1-5-21-3853312163-935010464-3409451040-1001- CTF.reg", "extension": "reg", "fileName": "S-1-5-21-3853312163-935010464-3409451040-1001- CTF.reg", "sha256": "X1XXbc0834586XX785df94a468ab7d6XXXXX320df08a9a60f1eXXXXb95c529XX", "writeDate": "2023-10-02T00:00:03.939+0000", "macroEmbedded": false, "path": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent \\005A4BDD\\USER00000000", "createdDate": "2023-10-02T00:00:03.939+0000", "size": 10926, "accessDate": "2023-10-02T00:00:03.939+0000", "nonPEFile": true, "fileType": "Registration Entries", "md5": "dXXfc2071c05828XXX93b2XXX62bbXXX" }, ... { "name": "Dynamic One", "uuid": "6aXXfeaX-4XXe-4XX9-82XX-46XX132dXXX6" }, { "name": "DynamicTag", "uuid": "XXX788fX-fXX4-XX3b-abXX-XX2d85X08XX8" } ] }, "uniqueId": "-6530935410104234747" }, { "dateTime": "2023-10-02T00:00:12.799+0000", "score": "0", "scoreSource": "REVERSING_LAB", .. }, "uniqueId": "-8065662183459215061" }, { "dateTime": "2023-10-02T00:00:12.361+0000", "eventProcessedTime": "2023-10-01T23:58:07.467+0000", "file": { "fullPath": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent \\005A4BDD\\USER00000001\\S-1-5-21-3853312163-935010464-3409451040-500- CTF.reg", "extension": "reg", "fileName": "S-1-5-21-3853312163-935010464-3409451040-500- CTF.reg", .. [ { "name": "Cloud Agent", "uuid": "XXe676XX-XX78-4fXX-XX5f-6XXX0bc2XX1b" }, { "name": "Dynamic One", "uuid": "6aXXfeaX-4XXe-4XX9-82XX-46XX132dXXX6" }, { "name": "DynamicTag", "uuid": "XXX788fX-fXX4-XX3b-abXX-XX2d85X08XX8" } ] }, "uniqueId": "2520718635903176326" } ]
```
Sample - Follow-up Request
Next API Request
```shell
curl -X GET "<qualys_base_url>/ioc/events/searchAfter?searchAfterValues=1696204830256,RTF_XX87dc71-bXXX-3XXX-8940-c297XXXf3c57_2-10-2023" --header "accept: */*" --header "Authorization: Bearer <token>"
```
Response
```json
{ "data":count:55279 }
```
Response Field Descriptions
Dataset Name | Field Name | Data Type | Description |
---|---|---|---|
Event | count | Integer | Count of events. |
Response Codes
The response codes for this API are as follows:
HTTP Status Code | Status | Description |
---|---|---|
200 | OK: Get data | The request was successful, and the data was returned. |
204 | No Content: All data received | The request was successful, but there is no data to return. |
400 | Bad Request: Data not found | The request was invalid or malformed (e.g., missing parameters, invalid syntax). |
V1.0
This API retrieves large sets of events (such as logs, security incidents, or audit records), especially when dealing with paginated data.
This API involves a two-step process: an Initial Request to start the process and a Follow-Up Request to complete it. Both steps are necessary to ensure the full execution of the API operation.
Input Parameters for Fetch Events
Input Parameters | Mandatory/Optional | Format | Description |
---|---|---|---|
Authorization | Mandatory | String | The Authorization parameter authenticates against the Qualys Enterprise TruRisk™ Platform. Prepend the token with "Bearer" and a space. For example: Bearer authToken. |
filter | Optional | String | Filter the events list by providing a query using Qualys syntax. Refer to the How to Search topic in the online help for assistance with creating your query. For example: event.datetime:["2024-09-15T00:30:00.000Z".."2024-09-22T18:29:59.999Z"] AND action: 'Created'. You can filter events based on the time they are generated (event.datetime) or the time they are processed at Qualys (event.eventprocesstime). If you want to fetch events by date AND time, it is recommended to use the event.datetime or event.eventprocesstime field. |
pageNumber | Optional | String | The pageNumber parameter specifies the page to be returned. Page numbering starts from zero. |
pageSize | Optional | String | The pageSize parameter specifies the number of records per page to include in the response. The default value is 10. |
include_attributes | Optional | String | The include_attributes parameter restricts the search results to the listed attributes. Provide the attributes as a comma-separated list; the API response returns only the included attributes. For example: include_attributes = _type, _id, processName |
exclude_attributes | Optional | String | The exclude_attributes parameter removes the listed attributes from the search results. Provide the attributes as a comma-separated list. For example: exclude_attributes = _type, _id, processName. Note: You need not exclude attributes if you have already restricted the response with include_attributes; attributes that are not included are excluded by default. |
searchAfterValues | Optional | Array | Enter the pagination value from which to start fetching the next set of results. For example: 1722538573707,b2xxx2c4-xxx9-352f-8xx6-axxce3xx37ax. Note: This is the value from the searchAfterValue header returned in the previous response. If it is not provided, the API returns the first page of results. |
Sample - Initial Request
API request
```shell
curl -X GET "<qualys_base_url>/ioc/v1/events/searchAfter" --header "accept: */*" --header "Authorization: Bearer <token>"
```
Response
```json
[ { "dateTime": "2023-10-02T00:00:12.299+0000", "eventProcessedTime": "2023-10-01T23:58:06.530+0000", "file": { "fullPath": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent \\005A4BDD\\USER00000001\\S-1-5-21-3853312163-935010464-3409451040-500- Keyboard.reg", "extension": "reg", "fileName": "S-1-5-21-3853312163-935010464-3409451040-500- Keyboard.reg", "sha256": "X1XXbc0834586XX785df94a468ab7d6XXXXX320df08a9a60f1eXXXXb95c529XX", "writeDate": "2023-10-01T23:59:58.018+0000", "macroEmbedded": false, "path": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent \\005A4BDD\\USER00000001", "createdDate": "2023-10-01T23:59:58.018+0000", "size": 4848, "accessDate": "2023-10-01T23:59:58.018+0000", "nonPEFile": true, "fileType": "Registration Entries", "md5": "aXX30a3XX7ebf6376XXb4325af2daXXX" }, "eventSource": "EDR", "action": "CREATED", "indicator2": [ { "sha256": "X1XXbc0834586XX785df94a468ab7d6XXXXX320df08a9a60f1eXXXXb95c529XX", "verdict": "UNKNOWN", "rowId": "-3516754699100620536" } ], "id": "RTF_c58XXX14-5cXX-3f47-9XXX-dXXX675588XX_2-10-2023", "type": "FILE", "asset": { "fullOSName": "Microsoft Windows 10 Pro 10.0.18362 Build 18362", "hostName": "PN-POD1-RD", "agentId": "eXX6820d-6XXe-XXa2-a458-6833XX88bXX7", "interfaces": [ { "macAddress": "xx:50:xx:xx:xx:BE", "ipAddress": "10.xx.xx.210", "interfaceName": "Intel(R) 82574L Gigabit Network Connection", "gatewayAddress": "10.113.226.1" } ], "netBiosName": "PN-POD1-RD", "isQuarantineHost": false, "platform": "Windows", "assetType": "HOST", "tags": [ { "name": "Cloud Agent", "uuid": "XXe676XX-XX78-4fXX-XX5f-6XXX0bc2XX1b" }, { "name": "Dynamic One", "uuid": "6aXXfeaX-4XXe-4XX9-82XX-46XX132dXXX6" }, { "name": "DynamicTag", "uuid": "XXX788fX-fXX4-XX3b-abXX-XX2d85X08XX8" } ] }, "uniqueId": "-3516754699100620536" }, { "dateTime": "2023-10-02T00:00:12.627+0000", "eventProcessedTime": "2023-10-01T23:58:06.531+0000", "file": { "fullPath": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent \\005A4BDD\\USER00000000\\S-1-5-21-3853312163-935010464-3409451040-1001- CTF.reg", "extension": "reg", "fileName": "S-1-5-21-3853312163-935010464-3409451040-1001- CTF.reg", "sha256": "X1XXbc0834586XX785df94a468ab7d6XXXXX320df08a9a60f1eXXXXb95c529XX", "writeDate": "2023-10-02T00:00:03.939+0000", "macroEmbedded": false, "path": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent \\005A4BDD\\USER00000000", "createdDate": "2023-10-02T00:00:03.939+0000", "size": 10926, "accessDate": "2023-10-02T00:00:03.939+0000", "nonPEFile": true, "fileType": "Registration Entries", "md5": "dXXfc2071c05828XXX93b2XXX62bbXXX" }, ... { "name": "Dynamic One", "uuid": "6aXXfeaX-4XXe-4XX9-82XX-46XX132dXXX6" }, { "name": "DynamicTag", "uuid": "XXX788fX-fXX4-XX3b-abXX-XX2d85X08XX8" } ] }, "uniqueId": "-6530935410104234747" }, { "dateTime": "2023-10-02T00:00:12.799+0000", "score": "0", "scoreSource": "REVERSING_LAB", .. }, "uniqueId": "-8065662183459215061" }, { "dateTime": "2023-10-02T00:00:12.361+0000", "eventProcessedTime": "2023-10-01T23:58:07.467+0000", "file": { "fullPath": "C:\\$WINDOWS.~BT\\Work\\MachineIndependent\\Working\\agentmgr\\CCSIAgent \\005A4BDD\\USER00000001\\S-1-5-21-3853312163-935010464-3409451040-500- CTF.reg", "extension": "reg", "fileName": "S-1-5-21-3853312163-935010464-3409451040-500- CTF.reg", .. [ { "name": "Cloud Agent", "uuid": "XXe676XX-XX78-4fXX-XX5f-6XXX0bc2XX1b" }, { "name": "Dynamic One", "uuid": "6aXXfeaX-4XXe-4XX9-82XX-46XX132dXXX6" }, { "name": "DynamicTag", "uuid": "XXX788fX-fXX4-XX3b-abXX-XX2d85X08XX8" } ] }, "uniqueId": "2520718635903176326" } ]
```
Sample - Follow-up Request
Next API Request
```shell
curl -X GET "<qualys_base_url>/ioc/v1/events/searchAfter?searchAfterValues=1696204830256,RTF_XX87dc71-bXXX-3XXX-8940-c297XXXf3c57_2-10-2023" --header "accept: */*" --header "Authorization: Bearer <token>"
```
Response
```json
{ "data":count:55279 }
```
Response Field Descriptions
Dataset Name | Field Name | Data Type | Description |
---|---|---|---|
Event | count | Integer | Count of events. |
Response Codes
The response codes for this API are as follows:
HTTP Status Code | Status | Description |
---|---|---|
200 | OK: Get data | The request was successful, and the data was returned. |
204 | No Content: All data received | The request was successful, but there is no data to return. |
400 | Bad Request: Data not found | The request was invalid or malformed (e.g., missing parameters, invalid syntax). |
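The two-step flow described above for both the non-versioned and the v1 path (initial request, then follow-up requests that pass the searchAfterValue header back as searchAfterValues until the API answers 204), as an added client example that is not Qualys' own code. It assumes the header is named searchAfterValue as the parameter table states, that a 200 body is a JSON array of events carrying uniqueId as in the sample, and that 204 ends the scan; the fake transport, cursor format and event records are constructed for the demonstration.

```python
import json
from typing import List


def fetch_all_events(base_url, token, transport, flt=None, page_size=100, max_pages=1000):
    """Initial request, then follow-ups carrying searchAfterValues, until 204."""
    url = f"{base_url}/ioc/v1/events/searchAfter"
    headers = {"accept": "*/*", "Authorization": f"Bearer {token}"}
    params = {"pageSize": str(page_size)}
    if flt:
        params["filter"] = flt
    events, seen, cursor = [], set(), None
    for _ in range(max_pages):                 # hard bound: never loop forever
        if cursor:
            params["searchAfterValues"] = cursor
        # transport(url, params, headers) -> (status, response_headers, body);
        # production code wraps requests.get, the fake below stands in here.
        status, resp_headers, body = transport(url, dict(params), headers)
        if status == 204:
            break                              # "No Content: All data received"
        if status != 200:
            raise RuntimeError(f"searchAfter returned HTTP {status}")
        for ev in json.loads(body):
            if ev["uniqueId"] not in seen:     # tolerate an overlapping page
                seen.add(ev["uniqueId"])
                events.append(ev)
        # Header names are case-insensitive, so normalise before looking up.
        nxt = {k.lower(): v for k, v in resp_headers.items()}.get("searchaftervalue")
        if not nxt or nxt == cursor:           # missing or stale cursor: stop
            break
        cursor = nxt
    return events


# Constructed sample pages (trimmed to the fields the loop needs).
SAMPLE_PAGES = [[{"dateTime": "2023-10-02T00:00:12.299+0000", "uniqueId": "-3516754699100620536"},
                 {"dateTime": "2023-10-02T00:00:12.627+0000", "uniqueId": "-6530935410104234747"}],
                [{"dateTime": "2023-10-02T00:00:12.799+0000", "uniqueId": "-8065662183459215061"}]]


def make_fake_transport(pages: List[List[dict]]):
    """Constructed stand-in for the platform: serves pages in order, returns the
    next cursor in the searchAfterValue header and 204 once every page is served."""
    cursors = {f"{1696204830256 + i},{p[-1]['uniqueId']}": i + 1 for i, p in enumerate(pages)}

    def transport(url, params, headers):
        if headers.get("Authorization") != "Bearer demo-token":
            return 400, {}, ""                 # rejected request; 400 as in the code table
        idx = cursors.get(params.get("searchAfterValues"), 0)
        if idx >= len(pages):
            return 204, {}, ""
        nxt = f"{1696204830256 + idx},{pages[idx][-1]['uniqueId']}"
        return 200, {"SearchAfterValue": nxt}, json.dumps(pages[idx])
    return transport
```

Against a real deployment, replace the fake with a function that issues the GET and returns the status, headers and body text from the response.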
API Version History
The following table lists the different versions of this API along with their status:
API Version | API Status | Release Date |
---|---|---|
/ioc/events/searchAfter | Active | |
/ioc/v1/events/searchAfter | Active | May 2025 |