GET DTA Discovery
The GET /dta_discovery method returns flows and rollups between endpoints within a time window. On success it returns HTTP 200 OK with the requested records.
Table 12: GET DTA Discovery Input Parameters
| Name | In | Description |
|---|---|---|
| columns | query | An array of strings naming the columns to return. For example: columns=clientIp&columns=clientName&columns=serverIp&columns=serverName&columns=serviceName&columns=byteVolume&columns=cipherSuite |
| filter | query | A string containing a query expression that limits the results; the default returns all records. For example: clientIp = '10.4.3.10' AND cipherEnc IN ('AES 128 GCM')<br>Or, URL encoded: clientIp%20%3D%20%2710.4.3.10%27%20AND%20cipherEnc%20IN%20%28%27AES%20128%20GCM%27%29<br>Tip: the filter option on the evidence page, when configured with the Discovery API Selector, can be used to test and build filters for use with the API (see Filtering). |
| sorts | query | An array of strings, each naming a sort key followed by the direction, asc (ascending) or desc (descending). The direction is required whenever a sort key is given. For example (URL encoded): sorts=clientIp%20asc&sorts=cipherKex%20desc |
| timeFrame | query | An object giving the time window for which results are returned. Time can be given relative to now, in epoch time, or as a materialized view. The default begin time is 0 and the default end time is now.<br>Materialized view: timeFrame[materializedView]=last30Days<br>Or, URL encoded: timeFrame%5BmaterializedView%5D=last30Days<br>Epoch time: timeFrame[begin]=1758993950&timeFrame[end]=1759166750<br>Or, URL encoded: timeFrame%5Bbegin%5D=1758993950&timeFrame%5Bend%5D=1759166750<br>Relative to now (the window from 48 to 24 hours ago): timeFrame[begin]=now minus 48 hours&timeFrame[end]=now minus 24 hours<br>Or, URL encoded: timeFrame%5Bbegin%5D=now%20minus%2048%20hours&timeFrame%5Bend%5D=now%20minus%2024%20hours<br>Relative to now (the last 24 hours): timeFrame[begin]=now minus 24 hours&timeFrame[end]=now<br>Or, URL encoded: timeFrame%5Bbegin%5D=now%20minus%2024%20hours&timeFrame%5Bend%5D=now<br>Relative to now (all time up to now): timeFrame[begin]=0&timeFrame[end]=now<br>Or, URL encoded: timeFrame%5Bbegin%5D=0&timeFrame%5Bend%5D=now |
| offset | query | An integer giving how many multiples of limit to skip before returning results, for paging. This is a page index rather than a row count: with limit=20, offset=2 skips the first 40 rows. |
| limit | query | An integer giving how many results to return per page. Very large values can lead to long processing times. |
| returnAsStream | query | A Boolean that, when true, sends the response as a single streaming HTTP body (for example, chunked transfer encoding) instead of paging. The client must read the payload progressively rather than loading it all into memory. Use this (or returnAsZipFile) for large result sets to avoid many paged requests with limit/offset. The default is false. |
| returnAsZipFile | query | A Boolean that, when true, returns the response as a ZIP file. The response sets Content-Disposition: attachment; filename="<name>.zip", and the compressed payload is typically much smaller. Use this (or returnAsStream) for large result sets to avoid many paged requests with limit/offset. The default is false. |
| reportFilteredCount | query | A Boolean indicating whether to return the total count of rows after the filter is applied (true) or not (false). The default is false. Note: this parameter is ignored when requesting a text/csv response (see Common Request Headers). |
| reportTotalCount | query | A Boolean indicating whether to return the total count of rows before the filter is applied (true) or not (false). The default is false. Note: this parameter is ignored when requesting a text/csv response (see Common Request Headers). |
Table 13: GET DTA Discovery Response Data
| Name | Description |
|---|---|
| rows | An array of objects containing the requested records. |
| filteredCount | An integer indicating the total count of rows after the filter was applied, if reportFilteredCount was true. |
| totalCount | An integer indicating the total count of rows before the filter was applied, if reportTotalCount was true. |
```bash
API_KEY='<YOUR-API-KEY>'
HUB='https://<YOUR-HUB-SERVER>'
# -G turns the --data-urlencode pairs into a URL-encoded query string on a GET;
# the Content-Type header is harmless here since the request carries no body.
curl -sS -G "$HUB/api/v1/dta_discovery" \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $API_KEY" \
  --data-urlencode 'columns=clientIp' \
  --data-urlencode 'columns=clientName' \
  --data-urlencode 'columns=serverIp' \
  --data-urlencode 'columns=serverName' \
  --data-urlencode 'columns=serviceName' \
  --data-urlencode 'columns=certSubject' \
  --data-urlencode 'columns=byteVolume' \
  --data-urlencode 'columns=latest' \
  --data-urlencode 'sorts=clientIp asc' \
  --data-urlencode 'timeFrame[begin]=now minus 24 hours' \
  --data-urlencode 'timeFrame[end]=now' \
  --data-urlencode 'reportTotalCount=false' \
  --data-urlencode 'reportFilteredCount=false' \
  --data-urlencode 'limit=20'
```

Using curl to query about SSH
The SSH (Secure Shell) protocol provides secure connections between computers. It offers several authentication options, including public key, and protects the communications with strong encryption. The request below adds the sshKex column (the negotiated key-exchange algorithm) and uses the filter sshKex is not null so that only SSH flows are returned. Usage:

```bash
API_KEY='<YOUR-API-KEY>'
HUB='https://<YOUR-HUB-SERVER>'
curl -sS -G "$HUB/api/v1/dta_discovery" \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "x-api-key: $API_KEY" \
  --data-urlencode 'columns=clientIp' \
  --data-urlencode 'columns=clientName' \
  --data-urlencode 'columns=serverIp' \
  --data-urlencode 'columns=serverName' \
  --data-urlencode 'columns=serviceName' \
  --data-urlencode 'columns=sshKex' \
  --data-urlencode 'columns=byteVolume' \
  --data-urlencode 'columns=latest' \
  --data-urlencode 'sorts=clientIp asc' \
  --data-urlencode 'timeFrame[begin]=now minus 24 hours' \
  --data-urlencode 'timeFrame[end]=now' \
  --data-urlencode 'reportTotalCount=false' \
  --data-urlencode 'reportFilteredCount=false' \
  --data-urlencode 'limit=20' \
  --data-urlencode 'filter=sshKex is not null'   # only flows where the SSH key exchange was observed
```
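Each curl request above fetches a single page. As an added example (it is not code from this page or the vendor's own client), the Python module below builds the query string with the same URL encoding the parameter table shows, assembles filter expressions without letting a value break out of the filter grammar, and walks all pages using offset as a page index (multiples of limit) rather than a row count. It assumes the /api/v1/dta_discovery path, the x-api-key header and the {"rows": [...]} response shape shown above; the sample rows and the fake hub are constructed here so the module runs offline.

```python
"""Paging client for GET /api/v1/dta_discovery (added example, not vendor code)."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Sequence

BASE_PATH = "/api/v1/dta_discovery"  # assumption: taken from the curl examples


def quote_filter_value(value: str) -> str:
    """Wrap a literal for the filter grammar, e.g. col = 'value'.

    The page documents no escape syntax for the filter language, so a value
    containing a single quote is refused instead of silently rewriting the
    query (the filter-language equivalent of an injection)."""
    if "'" in value:
        raise ValueError(f"unsafe filter value: {value!r}")
    return f"'{value}'"


def build_filter(eq: Optional[Dict[str, str]] = None,
                 in_: Optional[Dict[str, Sequence[str]]] = None) -> str:
    """Build "col = 'v' AND col2 IN ('a', 'b')"; column names must be trusted."""
    clauses: List[str] = []
    for col, val in (eq or {}).items():
        clauses.append(f"{col} = {quote_filter_value(val)}")
    for col, vals in (in_ or {}).items():
        clauses.append(f"{col} IN ({', '.join(quote_filter_value(v) for v in vals)})")
    return " AND ".join(clauses)


def build_query(columns: Iterable[str], *, filter_: Optional[str] = None,
                sorts: Sequence[str] = (), begin: str = "0", end: str = "now",
                offset: int = 0, limit: int = 100,
                report_filtered_count: bool = False) -> str:
    """Encode parameters as in the page's URL-encoded examples.

    quote (not urlencode's default quote_plus) gives %20 for spaces and
    %5B/%5D for the timeFrame[...] keys."""
    params: List[tuple] = [("columns", c) for c in columns]
    if filter_:
        params.append(("filter", filter_))
    params += [("sorts", s) for s in sorts]
    params += [("timeFrame[begin]", begin), ("timeFrame[end]", end),
               ("offset", str(offset)), ("limit", str(limit)),
               ("reportFilteredCount", "true" if report_filtered_count else "false")]
    return urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def fetch_rows(get_json: Callable[[str], dict], columns: Sequence[str], *,
               limit: int = 20, **query_kw) -> Iterator[dict]:
    """Yield every row across pages. offset counts pages, so page N is offset=N."""
    page = 0
    while True:
        qs = build_query(columns, offset=page, limit=limit, **query_kw)
        rows = get_json(f"{BASE_PATH}?{qs}").get("rows", [])
        yield from rows
        if len(rows) < limit:  # a short page means the result set is exhausted
            return
        page += 1


def http_transport(hub: str, api_key: str) -> Callable[[str], dict]:
    """Real transport against a hub; not exercised offline."""
    def get_json(path_and_query: str) -> dict:
        req = urllib.request.Request(hub + path_and_query, headers={
            "Accept": "application/json", "x-api-key": api_key})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return get_json


# Constructed sample rows, not output from a real hub.
SAMPLE_ROWS = [
    {"clientIp": "10.4.3.10", "serverIp": "10.0.0.5", "serviceName": "https", "sshKex": None},
    {"clientIp": "10.4.3.11", "serverIp": "10.0.0.6", "serviceName": "ssh", "sshKex": "curve25519-sha256"},
    {"clientIp": "10.4.3.12", "serverIp": "10.0.0.6", "serviceName": "ssh", "sshKex": "diffie-hellman-group14-sha1"},
    {"clientIp": "10.4.3.13", "serverIp": "10.0.0.7", "serviceName": "https", "sshKex": None},
    {"clientIp": "10.4.3.14", "serverIp": "10.0.0.6", "serviceName": "ssh", "sshKex": "curve25519-sha256"},
]


def fake_transport(rows: List[dict]):
    """Offline stand-in for the hub: honours offset as a page index, ignores filters."""
    calls: List[str] = []
    def get_json(path_and_query: str) -> dict:
        calls.append(path_and_query)
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(path_and_query).query)
        offset, limit = int(q["offset"][0]), int(q["limit"][0])
        return {"rows": rows[offset * limit: offset * limit + limit]}
    return get_json, calls


def demo():
    """Page through the constructed data two rows at a time: 5 rows, 3 requests."""
    get_json, calls = fake_transport(SAMPLE_ROWS)
    rows = list(fetch_rows(get_json, ["clientIp", "serverIp", "serviceName", "sshKex"],
                           limit=2, sorts=["clientIp asc"],
                           begin="now minus 24 hours", end="now"))
    return rows, calls


if __name__ == "__main__":
    rows, calls = demo()
    print(f"{len(rows)} rows over {len(calls)} requests; last: {calls[-1]}")
```

Against a real hub, replace the fake with http_transport(HUB, API_KEY) and pass filter_="sshKex is not null" (or a build_filter() result) to fetch_rows. The loop stops on the first short page, so a result set that is an exact multiple of limit costs one extra, empty request; setting reportFilteredCount=true and reading filteredCount from the first page would avoid it at the cost of a count query on the server.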