Get a list of CDR-related Findings
Specify filters such as the cloud provider, severity and a time window to retrieve the security threat findings.
Permissions required:
To access CDR threat findings via the API, users must have the following minimum permission level:
- Read permission for the connector and regional inventory information.
Input Parameters
| Parameter Name | Mandatory/Optional | Data Type | Description |
|---|---|---|---|
| query | Mandatory | String | Specify the QQL query token to filter the CDR findings. Example: tc.findings.cloudProvider: AWS |
| startAt | Mandatory | String | Specify the start of the time window (ISO 8601 timestamp or date) for the findings you wish to retrieve. Example: 2025-01-27T08:54:41.396Z |
| endAt | Mandatory | String | Specify the end of the time window (ISO 8601 timestamp or date) for the findings you wish to retrieve. Example: 2025-05-28T23:59:59.999Z |
| offSet | Optional | String | Specify the number of findings to skip before the first one returned (pagination offset). Example: 20 |
| limit | Optional | String | Specify the maximum number of findings to return in one response. Example: 100 |
| cloudProvider | Optional | String | Specify the cloud provider name. Accepted values: "AWS", "AZURE", "GCP". |
| cloudAccount | Optional | Integer | Specify the cloud account number. Example: 123456789012. |
| severity | Optional | String | Specify the finding severity. Accepted values: "LOW", "MEDIUM", "HIGH", "CRITICAL". |
| time | Optional | Integer | Specify either an exact date and time, or a date/time range, for the threat findings. Accepted format: MM:DD:YYYY::HH:MM for an exact time, or MM:DD:YYYY::HH:MM - MM:DD:YYYY::HH:MM for a range. Example: [05-13-2025 15:20:00] or [05-12-2025 15:20 - 05-13-2025 15:20] |
| alertClass | Optional | String | Specify the alert class of the threat findings. Example: API Activity, Network Activity etc. |
| category | Optional | String | Specify the category of the threat findings. Example: Data Protection etc. |
| cloudIdentifier | Optional | String | Specify the account, subscription, or project identifier to view threat findings for that identifier. Example: 123456789012. |
| affectedResource | Optional | String | Specify the IP address or cloud resource ID of the affected resource to view its threat findings. Example: my-bucket-name. |
| remoteResource | Optional | String | Specify the remote IP address to view threat findings involving that remote resource. Example: 19X.XXX.X.X00. |
| resourceType | Optional | String | Specify the resource type to view only threat findings for that kind of resource. Example: BUCKET. |
| hash | Optional | String | Specify the specific threat finding hash. Example: a1b2c3d4e5f6. |
| region | Optional | String | Specify the cloud region to view only threat findings from that region. Example: us-east-1 |
| remote.country | Optional | String | Specify the country name to filter the threat findings by location. Example: United States |
| remote.city | Optional | String | Specify the city name to filter the threat findings by specific locations. Example: San Ramon |
API Request
```bash
curl --location '<qualys_base_url>/cdr-api/rest/v1/findings?query=tc.findings.affectedResource%3AOktaSSO_Compute%20and%20tc.findings.cloudProvider%3AAWS%20&startAt=2025-05-06T05%3A02%3A09.207Z&endAt=2025-05-13T23%3A59%3A59.999Z&limit=100' \
  --header 'Authorization: Bearer <JWT Token>' \
  --header 'Accept: application/json'
```
API Response
```json
{
  "content": [
    {
      "customerUuid": "exxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx63e",
      "cloudType": "AWS",
      "collectorType": "cspSignal",
      "resourceType": "IAM_USER",
      "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxfa6",
      "resourceId": "OktaSSO_Compute",
      "threatClass": "api_activity",
      "threatType": null,
      "threatCategory": "Recon_MaliciousIPCaller.Custom",
      "cspAccount": "9xxxxxxxxxx5",
      "cspRegion": "us-west-2",
      "deploymentName": null,
      "triggeredResource": "7x.xxx.xxx.xx6",
      "affectedResource": "OktaSSO_Compute",
      "severity": 3,
      "eventMessage": "The reconnaissance API DescribeInstances was invoked from an IP address on a custom threat list.",
      "timestamp": "2025-05-09T20:00:42.000+00:00",
      "triggeredResourceGeoLocation": "37.7558,-121.9527",
      "triggeredResourceCity": "San Ramon",
      "triggeredResourceCountry": "United States",
      "hash": null,
      "vpcId": null,
      "protocol": null,
      "affectedResourcePort": null,
      "responseTime": null,
      "remoteIpDetails": {
        "geoLocation": "3x.xxxx,-xxx.x178",
        "city": "Oakland",
        "country": "United States",
        "ipAddress": "7x.xxx.xxx.xx6"
      },
      "networkInformation": null,
      "correlationId": null,
      "qlp": null,
      "pod": null,
      "podLabels": null,
      "containerName": null,
      "processName": null
    },
    {
      "customerUuid": "exxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx63e",
      "cloudType": "AWS",
      "collectorType": "cspSignal",
      "resourceType": "IAM_USER",
      "uuid": "cxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxea",
      "resourceId": "OktaSSO_Compute",
      "threatClass": "api_activity",
      "threatType": null,
      "threatCategory": "Recon_MaliciousIPCaller.Custom",
      "cspAccount": "9xxxxxxxxxx5",
      "cspRegion": "us-west-2",
      "deploymentName": null,
      "triggeredResource": "7x.xxx.xxx.xx6",
      "affectedResource": "OktaSSO_Compute",
      "severity": 3,
      "eventMessage": "The reconnaissance API DescribeAutoScalingGroups was invoked from an IP address on a custom threat list.",
      "timestamp": "2025-05-09T20:00:42.000+00:00",
      "triggeredResourceGeoLocation": "37.7558,-121.9527",
      "triggeredResourceCity": "San Ramon",
      "triggeredResourceCountry": "United States",
      "hash": null,
      "vpcId": null,
      "protocol": null,
      "affectedResourcePort": null,
      "responseTime": null,
      "remoteIpDetails": {
        "geoLocation": "3x.xxxx,-xxx.x178",
        "city": "Oakland",
        "country": "United States",
        "ipAddress": "7x.xxx.xxx.xx6"
      },
      "networkInformation": null,
      "correlationId": null,
      "qlp": null,
      "pod": null,
      "podLabels": null,
      "containerName": null,
      "processName": null
    }
  ],
  "pageable": {
    "pageNumber": 0,
    "pageSize": 2,
    "sort": {
      "sorted": false,
      "empty": true,
      "unsorted": true
    },
    "offset": 0,
    "paged": true,
    "unpaged": false
  },
  "totalPages": 23,
  "totalElements": 45,
  "last": false,
  "number": 0,
  "size": 2,
  "numberOfElements": 2,
  "sort": {
    "sorted": false,
    "empty": true,
    "unsorted": true
  },
  "first": true,
  "empty": false
}
```
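The request and response above describe a paged API: you narrow the window with `query`, `startAt` and `endAt`, then walk the result set with `offSet` and `limit`, stopping when the envelope reports `last: true`. The following Python client is an added example, not Qualys code. It assumes only what this page documents (the `findings` endpoint, its parameters, the bearer JWT header and the page envelope shown in the sample response); the sample findings it runs on are constructed from the shape of that response, with documentation-range IP addresses. It also shows one triage step a practitioner wants: the two sample findings differ only in the API name inside `eventMessage`, so grouping by account, affected resource, threat category and remote IP collapses them into a single row. Note that the response carries `severity` as a number (3 in the sample) while the `severity` filter takes LOW/MEDIUM/HIGH/CRITICAL; the page gives no mapping between the two, so the example keeps the numeric value as returned.

```python
"""Page through CDR findings and collapse repeated alerts from one remote IP.

Added example, not Qualys code. It relies only on what the page documents:
GET <qualys_base_url>/cdr-api/rest/v1/findings with query/startAt/endAt/offSet/limit,
a bearer JWT, and the page envelope of the sample response (content, last).
SAMPLE_FINDINGS below is constructed to match the shape of that response.
"""
import json
import urllib.request
from urllib.parse import urlencode

FINDINGS_PATH = "/cdr-api/rest/v1/findings"


def build_findings_url(base_url, query, start_at, end_at, limit=100, offset=0, **filters):
    """Build the GET URL. urlencode percent-encodes the QQL ':' and spaces, so
    'tc.findings.cloudProvider:AWS' becomes 'tc.findings.cloudProvider%3AAWS'."""
    params = {"query": query, "startAt": start_at, "endAt": end_at,
              "limit": limit, "offSet": offset}
    params.update(filters)  # e.g. severity="HIGH", region="us-east-1"
    return f"{base_url.rstrip('/')}{FINDINGS_PATH}?{urlencode(params)}"


def make_http_fetcher(base_url, jwt, query, start_at, end_at, timeout=30):
    """Return fetch_page(offset, limit) that performs the real request (needs network,
    not exercised here). The JWT travels only in the Authorization header, never in the URL."""
    def fetch_page(offset, limit):
        url = build_findings_url(base_url, query, start_at, end_at, limit, offset)
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {jwt}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return fetch_page


def iter_findings(fetch_page, limit=100, max_pages=1000):
    """Yield every finding in the window, advancing offSet by the number of items actually
    returned rather than by `limit`. Stops on last=true or an empty page; max_pages bounds
    the loop in case a server never sets last."""
    offset = 0
    for _ in range(max_pages):
        page = fetch_page(offset, limit)
        content = page.get("content") or []
        yield from content
        if page.get("last", True) or not content:
            return
        offset += len(content)


def summarize_by_source(findings):
    """Group by (account, affected resource, threat category, remote IP). Severity is kept
    numeric as the API returns it. Timestamps are compared as strings, which is safe because
    the API emits them in one fixed ISO 8601 layout with a +00:00 offset."""
    groups = {}
    for f in findings:
        remote = f.get("remoteIpDetails") or {}
        key = (f.get("cspAccount"), f.get("affectedResource"),
               f.get("threatCategory"), remote.get("ipAddress"))
        g = groups.setdefault(key, {"count": 0, "max_severity": None,
                                    "first_seen": None, "last_seen": None, "messages": []})
        g["count"] += 1
        sev = f.get("severity")
        if sev is not None and (g["max_severity"] is None or sev > g["max_severity"]):
            g["max_severity"] = sev
        ts = f.get("timestamp")
        if ts:
            g["first_seen"] = ts if g["first_seen"] is None else min(g["first_seen"], ts)
            g["last_seen"] = ts if g["last_seen"] is None else max(g["last_seen"], ts)
        msg = f.get("eventMessage")
        if msg and msg not in g["messages"]:
            g["messages"].append(msg)
    return groups


# Constructed sample findings shaped like the page's response (RFC 5737 documentation IPs).
_RECON = "Recon_MaliciousIPCaller.Custom"
SAMPLE_FINDINGS = [
    {"cspAccount": "912345678905", "resourceType": "IAM_USER", "affectedResource": "OktaSSO_Compute",
     "threatClass": "api_activity", "threatCategory": _RECON, "severity": 3,
     "timestamp": "2025-05-09T20:00:42.000+00:00",
     "eventMessage": "The reconnaissance API DescribeInstances was invoked from an IP address on a custom threat list.",
     "remoteIpDetails": {"ipAddress": "203.0.113.6", "city": "Oakland", "country": "United States"}},
    {"cspAccount": "912345678905", "resourceType": "IAM_USER", "affectedResource": "OktaSSO_Compute",
     "threatClass": "api_activity", "threatCategory": _RECON, "severity": 3,
     "timestamp": "2025-05-09T20:01:10.000+00:00",
     "eventMessage": "The reconnaissance API DescribeAutoScalingGroups was invoked from an IP address on a custom threat list.",
     "remoteIpDetails": {"ipAddress": "203.0.113.6", "city": "Oakland", "country": "United States"}},
    {"cspAccount": "912345678905", "resourceType": "IAM_USER", "affectedResource": "ci-runner",
     "threatClass": "api_activity", "threatCategory": _RECON, "severity": 2,
     "timestamp": "2025-05-10T03:15:00.000+00:00",
     "eventMessage": "The reconnaissance API DescribeInstances was invoked from an IP address on a custom threat list.",
     "remoteIpDetails": {"ipAddress": "198.51.100.7", "city": "Dublin", "country": "Ireland"}},
]


def fake_fetch_page(offset, limit):
    """Offline stand-in for make_http_fetcher: serves SAMPLE_FINDINGS in the page envelope."""
    content = SAMPLE_FINDINGS[offset:offset + limit]
    return {"content": content, "numberOfElements": len(content),
            "last": offset + len(content) >= len(SAMPLE_FINDINGS)}


def demo(limit=2):
    """Walk the sample in pages of `limit` and return what a triage script would keep."""
    calls = []

    def counting_fetch(offset, page_limit):
        calls.append((offset, page_limit))
        return fake_fetch_page(offset, page_limit)

    findings = list(iter_findings(counting_fetch, limit=limit))
    return {"findings": len(findings), "page_calls": calls,
            "summary": summarize_by_source(findings)}


if __name__ == "__main__":
    for key, g in demo(limit=2)["summary"].items():
        print(key, g["count"], g["max_severity"], g["first_seen"], g["last_seen"])
```

Swap `fake_fetch_page` for `make_http_fetcher(base_url, jwt, query, start_at, end_at)` to run against a real tenant; the pagination loop and the grouping do not change. Advancing the offset by the number of items actually received, rather than by `limit`, keeps the walk correct if the server caps the page size below what was requested.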
API Request
```bash
curl -X GET --header 'Accept: application/json' --header 'Authorization: Basic <value>' '<qualys_base_url>/cdr-api/rest/v1/findings/help'
```
The successful response to this request will return the list of input parameters for the API.
API Request
```bash
curl -X GET --header 'Accept: application/json' --header 'Authorization: Basic <value>' '<qualys_base_url>/cdr-api/rest/v1/findings'
```
The successful response to this request will return a list of threat findings sorted in descending order of date.
API Request
```bash
curl -X GET --header 'Accept: application/json' --header 'Authorization: Basic <value>' '<qualys_base_url>/cdr-api/rest/v1/findings?cloudProvider=AWS'
```
The successful response to this request will return a list of threat findings for the AWS cloud provider, sorted in descending order of date.