Search & Query API
DRAFT — Internal Developer Use Only
This API reference is for internal development teams.
Overview
What it is: The search and query API provides flexible access to Discovery's identity data through three mechanisms: named report execution, SSRM (Server-Side Row Model) queries with filtering and sorting, and filter value lookups. It also supports CSV export, flyout panel data, and event approval workflows.
Why it matters: This is the primary data retrieval interface for downstream products. Hydden Control's bulk data synchronization, KPI calculation, and custom dashboard widgets all depend on these endpoints to pull account, owner, group, and threat data from Discovery.
Endpoints
| Method | Path | Description | Auth |
|---|---|---|---|
GET | /api/v1/global/search | List all available report definitions | JWT |
POST | /api/v1/global/search/{id} | Execute a named report | JWT |
POST | /api/v1/global/ssrmquery/{id} | Execute SSRM query with filters/sorting | JWT |
POST | /api/v1/global/ssrmquery | Execute default SSRM query (GlobalSearchOwner) | JWT |
POST | /api/v1/global/filters/{id} | Get unique filter values for a report | JWT |
POST | /api/v1/global/export/{id} | Export report results as CSV | JWT |
POST | /api/v1/global/ssrmexport/{id} | Export SSRM query results as CSV | JWT |
POST | /api/v1/global/upload/{id} | Upload data for validation | JWT |
POST | /api/v1/global/flyout/{mode} | Get flyout panel data by risk level | JWT |
POST | /api/v1/global/approveevent/{id} | Approve a workflow event | JWT |
POST | /api/v1/global/denyevent/{id} | Deny a workflow event | JWT |
GET /api/v1/global/search
List all available report definitions. Returns the catalog of saved searches and reports that can be executed via the other endpoints.
Request:
http
GET /api/v1/global/search
Authorization: Bearer <token>Response (200): Array of available report definitions with their IDs and metadata.
POST /api/v1/global/ssrmquery/{id}
Execute a server-side row model query by its pre-configured ID. This is the primary endpoint for paginated, filtered, sorted data retrieval.
Path parameters:
| Parameter | Type | Description |
|---|---|---|
id | string | Pre-configured query/report identifier (see Saved Search Catalog) |
Request body (ReportRequest):
http
POST /api/v1/global/ssrmquery/0000CaOuQ1VIhqJGvtje3vbefsg
Authorization: Bearer <token>
Content-Type: application/json
{
"id": "0000CaOuQ1VIhqJGvtje3vbefsg",
"args": {},
"limit": 500,
"offset": 0,
"filterModelBytes": "eyJwcmluY2lwYWwudHlwZSI6eyJ2YWx1ZXMiOlsiVXNlciBBY2NvdW50Il0sImZpbHRlclR5cGUiOiJzZXQifX0=",
"sortModelBytes": "W3siY29sSWQiOiJwcmluY2lwYWwubmFtZSIsInNvcnQiOiJhc2MifV0=",
"rowGroupColsBytes": "",
"groupKeys": [],
"quickFilterText": "",
"ignoreSorting": false
}ReportRequest fields
| Field | Type | Description |
|---|---|---|
id | string | Report/query identifier |
args | map<string, string> | Query parameters (e.g., actoremail, actorid) |
limit | int64 | Maximum rows to return |
offset | int64 | Starting row offset for pagination |
filterModelBytes | bytes | Base64-encoded JSON filter model (see Filter Model) |
sortModelBytes | bytes | Base64-encoded JSON sort model (see Sort Model) |
rowGroupColsBytes | bytes | Base64-encoded JSON row group columns |
groupKeys | string[] | Group hierarchy keys for drill-down |
quickFilterText | string | Free-text search across all columns |
ignoreSorting | bool | Skip sorting for faster results |
Response (200):
json
{
"totalCount": 15420,
"viewTime": 1707696000000,
"columns": [
{
"field": "principal.name",
"displayName": "Account Name",
"columnType": "string",
"filterType": "text",
"defaultColumn": true
},
{
"field": "principal.type",
"displayName": "Account Type",
"columnType": "string",
"filterType": "set"
},
{
"field": "principal.status",
"displayName": "Status",
"columnType": "string",
"filterType": "set"
}
],
"rows": [
{
"id": "acc-uuid-001",
"principal.name": "jdoe",
"principal.type": "User Account",
"principal.status": "Enabled",
"__childCount": 0
}
]
}QueryResult fields
| Field | Type | Description |
|---|---|---|
totalCount | int64 | Total matching rows (for pagination math) |
viewTime | int64 | Data snapshot timestamp (ms since epoch) |
columns | QueryColumn[] | Column definitions with metadata |
rows | map<string, any>[] | Row data as key-value objects |
params | QueryParamDefinition[] | Parameter definitions (if the report accepts arguments) |
QueryColumn fields
| Field | Type | Description |
|---|---|---|
field | string | Column identifier (used in filter/sort models) |
displayName | string | Human-readable column name |
columnType | string | Data type (string, number, date) |
filterType | string | Filter UI type: set, text, number, date |
defaultColumn | bool | Whether this column is shown by default |
hide | bool | Whether this column is hidden |
sortdirection | string | Default sort direction (asc / desc) |
subReport | string | Sub-report ID for drill-down |
isDate | bool | Whether this is a date column |
isEdge | bool | Whether this is a relationship edge |
groupBy | string | Group-by field for aggregation |
Pagination pattern: Iterate by incrementing offset by limit until offset >= totalCount.
Filter Model
The filter model is a JSON object where keys are column field names and values define the filter criteria. It is sent as base64-encoded bytes in filterModelBytes.
Set filter (multi-select)
Select rows where the field value matches one of the given values:
json
{
"principal.type": {
"values": ["User Account", "Service Account"],
"filterType": "set"
}
}Text filter
| Operator | SQL equivalent |
|---|---|
contains | LIKE '%value%' |
notContains | NOT LIKE '%value%' |
equals | = value |
notEqual | != value |
startsWith | LIKE 'value%' |
endsWith | LIKE '%value' |
blank | IS NULL OR = '' |
notBlank | IS NOT NULL AND != '' |
json
{
"principal.name": {
"filterType": "text",
"type": "contains",
"filter": "admin"
}
}Number filter
| Operator | SQL equivalent |
|---|---|
equals | CAST(field AS FLOAT) = value |
notEqual | CAST(field AS FLOAT) != value |
greaterThan | CAST(field AS FLOAT) > value |
greaterThanOrEqual | CAST(field AS FLOAT) >= value |
lessThan | CAST(field AS FLOAT) < value |
lessThanOrEqual | CAST(field AS FLOAT) <= value |
inRange | BETWEEN value AND valueTo |
blank | = 0 OR IS NULL |
notBlank | != 0 AND IS NOT NULL |
json
{
"event.eventage": {
"filterType": "number",
"type": "lessThanOrEqual",
"filter": 31
}
}Combined filters
Multiple field filters are ANDed together:
json
{
"principal.type": {
"values": ["User Account"],
"filterType": "set"
},
"principal.status": {
"values": ["Enabled"],
"filterType": "set"
},
"event.eventage": {
"filterType": "number",
"type": "lessThanOrEqual",
"filter": 31
}
}Sort Model
The sort model is a JSON array sent as base64-encoded bytes in sortModelBytes. Each entry specifies a column and direction:
json
[
{
"colId": "principal.name",
"sort": "asc",
"sortIndex": 0
},
{
"colId": "principalsystem.platform",
"sort": "desc",
"sortIndex": 1
}
]| Field | Type | Description |
|---|---|---|
colId | string | Column field identifier |
sort | string | Direction: asc or desc |
sortIndex | number | Sort priority (0 = primary) |
POST /api/v1/global/filters/{id}
Get unique values for filter dropdowns. Returns the distinct values available for set-type filters on a given report.
Request:
http
POST /api/v1/global/filters/0000CaOuQ1VIhqJGvtje3vbefsg
Authorization: Bearer <token>
Content-Type: application/json
{
"id": "0000CaOuQ1VIhqJGvtje3vbefsg",
"limit": 1000,
"offset": 0
}POST /api/v1/global/search/{id}
Execute a named report/search by ID with pagination.
Request:
http
POST /api/v1/global/search/5giWu96fvwE0N3LVgm60eKfI6X6
Authorization: Bearer <token>
Content-Type: application/json
{
"offset": 0,
"limit": 100
}Response: Same QueryResult format as the SSRM endpoint.
POST /api/v1/global/flyout/{mode}
Get flyout panel data grouped by risk severity. Returns multiple query results for different data categories.
Path parameters:
| Parameter | Type | Description |
|---|---|---|
mode | string | Risk level: critical (score ≥ 75), moderate (25–75), or any other value for low (score ≤ 25) |
Request:
http
POST /api/v1/global/flyout/critical
Authorization: Bearer <token>
Content-Type: application/json
{
"limit": 5,
"offset": 0
}Response (200):
json
{
"top 5": {
"totalCount": 5,
"columns": [ "..." ],
"rows": [ "..." ]
},
"threat": {
"totalCount": 12,
"columns": [ "..." ],
"rows": [ "..." ]
},
"platform": {
"totalCount": 3,
"columns": [ "..." ],
"rows": [ "..." ]
},
"service account": {
"totalCount": 8,
"columns": [ "..." ],
"rows": [ "..." ]
},
"distribution": {
"totalCount": 4,
"columns": [ "..." ],
"rows": [ "..." ]
}
}| Response key | Internal search | Description |
|---|---|---|
top 5 | FlyoutData | Top risky accounts at this severity |
threat | FlyoutDataThreat | Threat score details |
platform | FlyoutDataPlatform | Platform distribution |
service account | FlyoutDataService | Service account breakdown |
distribution | FlyoutDistribution | Risk distribution data |
POST /api/v1/global/export/{id}
Export report results as CSV file download.
http
POST /api/v1/global/export/0000CaOuQ1VIhqJGvtje3vbefsg
Authorization: Bearer <token>
Content-Type: application/json
{
"id": "0000CaOuQ1VIhqJGvtje3vbefsg",
"limit": 10000,
"offset": 0
}POST /api/v1/global/ssrmexport/{id}
Export SSRM query results as CSV, with full filter/sort support.
http
POST /api/v1/global/ssrmexport/0000CaOuQ1VIhqJGvtje3vbefsg
Authorization: Bearer <token>
Content-Type: application/json
{
"id": "0000CaOuQ1VIhqJGvtje3vbefsg",
"filterModelBytes": "...",
"sortModelBytes": "...",
"limit": 50000,
"offset": 0
}Saved Search Catalog
Discovery includes 60+ built-in saved searches. Each has a unique ID used in the SSRM and report endpoints.
SavedSearch structure
| Field | Type | Description |
|---|---|---|
id | string | Unique identifier (used as path parameter) |
name | string | Display name |
report | string | Underlying report engine ID |
filterModel | string | Default JSON filter configuration |
columnState | string | Default column visibility/ordering |
search | string | Default quick search text |
favorite | bool | Marked as favorite |
builtIn | bool | System-provided (not user-created) |
library | bool | Part of the search library |
identity | bool | Targets identity/owner data |
group | bool | Targets group data |
principal | bool | Targets account/principal data |
Account & principal searches
| ID | Name | Category | Fields |
|---|---|---|---|
0000CaOuQ1VIhqJGvtje3vbefsg | General Account Query | Accounts | view |
0000CZNzRfoREvBuaNZ9CwSAvws | Vaulted Accounts | Accounts | view |
0000CbuesIiBcSJlsPk6jzuIcrm | Vaulted Account Management | Accounts | view |
0000IrdpnFudkVXDaoLGubUBIbe | Account Vault Status | Accounts | view |
E2SVTGeGpWjnxmj1Y5pYJlZE2YR | Account Z Score | Accounts | view |
794IndeqvqzIqrjzy5CgCfBtwxx | Account Z Score Threats | Accounts | view |
DYhMbWB3zsTqwK6CvcSmobhAXEw | Account Status | Accounts | view |
RbhOuwKIQL4aJtFm1j8SVYQ29yL | Password Secret Age | Accounts | view |
N0Ta8FDwqzBURecu551neptjE7q | Stale Accounts | Accounts | view |
Qo5kWAQD7nuQQQZeqIoMAsK7qyM | Password Secret Never Set | Accounts | view |
Ge30SKv50HEhUA5O448tDjCmgOM | Account Changes By Date | Accounts | view |
YsSAjcNRh6x8V0zGBlQp1BmlMzp | Login Activity | Accounts | view |
73L8y7WdXW63AA98rKYVSMl45p8 | Failed Logins | Accounts | view |
a5k2RS1OHV0iwKq0BPxi9CErUMk | Session Activity | Accounts | view |
AIlACtQBw19GgDHYH8qsrhbYnsY | Accounts Created | Accounts | view |
B5wzD0WU4ggdhAo7BNiXpLdZjBG | Account Threat Scores | Accounts | view |
Ah5pa2KZuMZho0wnmLrLonor6mU | Compromised Accounts | Accounts | view |
4LVYPMbrR6LSouqXafAU8tZp6kA | Login Audit | Accounts | view |
MfNMq5Z7a3ftAO1IjOGpehoPoNN | Account Login Audit | Accounts | view |
APa4DUQNWCiXqU6JMWLZaYxxzZG | Account Groups | Accounts | view |
EPFi08RwfU6yV1VrhZ4OsYfc3iz | Account Classification | Accounts | view |
MGiNLIsVvc2UQEdeBIyv4bSBGSN | Account Scores | Accounts | view |
1gbrYrq61lu5dymofZGYu8ACOTT | Account Role Membership | Accounts | view |
Group searches
| ID | Name | Category | Fields |
|---|---|---|---|
Od1oCfsGRnV77zCWNvi6YFg9E2d | General Group Query | Groups | view |
US6oSTzOLxZ9LyK2shh5nMysTk5 | Expanded Group Membership | Groups | view |
6dIqKgxTygmSilzBx4kNSNzJR5Q | Direct Group Membership | Groups | view |
TUdfgfRUd5ZFVDlgi5Ix5tf1Lmb | Groups By Date | Groups | view |
Da90sRZm6VkElZh5tpwhPm7Ihtd | Group Changes By Date | Groups | view |
AKXH3V3MPiHZD5xfmqaveYlZUnx | Groups By Member Count | Groups | view |
2rkv9qq7HWNwiEuk97chCdnAO8B | Privileged Groups | Groups | view |
WkjkxGR0LE99gvzmTcYdQt9VJyF | Group Login Audit | Groups | view |
0qwQBiyYucYSQbvfkdSQi4U84m7 | Group Membership | Groups | view |
Owner & identity searches
| ID | Name | Category | Fields |
|---|---|---|---|
VkAGnFi7Yjdy14x9x4WZT0DtcS2 | Owner Threat Scores | Owners | view |
K5Wb75il7Or3lxfFdmr4gfwsbkn | Owner Account Data | Owners | view |
4rAqYWwpS7R7ev4qvomlzaxW8b4 | Owner Login Audit | Owners | view |
Qe2RsFtZUMDkIRkpnky8xxHe5UY | Owner Account MFA | Owners | view |
4W3yZV5j7Joi0lFvuwz48I5kT0t | Owner Account Risk | Owners | view |
XheILctS3gRnDWLhbRBnSCmVZpa | Owner Group Membership | Owners | view |
VixlNXPx92So7lQ8b6nwpDlT7vg | Owner Group Membership (Bulk) | Owners | view |
T2MBuk8ZhWZ2zSAJMvwf8dR1GRg | Mapped Owners | Owners | view |
GcN0B8yAZVqXi3SvOjLVeL581I8 | Owner Role Membership | Owners | view |
Global search (cross-entity)
| ID | Name | Entity | Fields |
|---|---|---|---|
GjJXh07y2K3xrTOwohZjde4SkLU | Global Search | Accounts | view |
NFZg0Ss2HDfKd8VIsY0RMJwTDzF | Global Search | Owners | view |
3QJOML6Yg7Hem6MtAsar9lleE6A | Global Search | Groups | view |
Compliance & insights
| ID | Name | Fields |
|---|---|---|
EUo14Qdnd04fogoYMKGv8JjOTFj | Insights And Recommendations NIST CSF V2.0 | view |
LC9DrZsZWuAtK2VbcvQwsElgodt | Insights And Recommendations CIS V8 | view |
7CPLbSf0cZHim76HO8j2a7HJNWE | Insights And Recommendations CRITIER4 V2 | view |
O2IMv9WseU6NVITC3gPw8Vto4wE | Permissions | view |
Cs9H6go9QfNKGuNuUaiUuGbmnQY | Entitlements | view |
LEtIh62OjUxex7u2iJU9cQQAD0M | Privileged Roles | view |
Scoring & classification
| ID | Name | Fields |
|---|---|---|
Hz0YvM5S8FCRjXmnoKSkYtSsEyp | Scores | view |
Z8ANF0znZTCuoW3hWazJZrL3GaO | Scores Testing | view |
Sh8AOdOMlTD4SyzmLbzgEOVJUlL | Score Edges | view |
ZaWWoHqOrOBPZU6v3kwQINT2KWm | Classification Edges | view |
Flyout searches
| ID | Name | Fields |
|---|---|---|
J4sUtdVNIXJZBgEtHZqYpfFQXXy | Flyout Data | view |
UGWfuXAU0s77MuWYbxVwtQKh2JI | Flyout Data Threat | view |
UYxpUZMKDRTazl2CPsTlVfWMD3U | Flyout Data Platform | view |
QLzXWkDyPj1fydf3fBRnCIkYBr1 | Flyout Data Service | view |
EDYoMksgyE4CYlFs0cphqM7pYQA | Flyout Distribution | view |
Mapping & export
| ID | Name | Fields |
|---|---|---|
WJk4TU9UZ7fNmIWZtvHaSjyxZkL | Mapped Accounts | view |
6opzOoSgU9NYwW9WLR9uuLLGiVE | Mapped Accounts Bulk | view |
FHddWu8ylCTNmncivqiThqriqF1 | General Resource Query | view |
YOmamp53l581Tw6YJAAHP55qJVd | Users Export | view |
2duji0UlFRUKO3iGjfPrCtkJOvp | Groups Export | view |
OBXNfYIw71ZiwfwQ297xZAkMfxE | CyberArk Onboarding | view |
HxM4qza1UFtGdLpVFEQWRljN746 | Approvals | view |
WG2mnQ36yVa30jAeWJ0jwEPC5bR | Stub Report | view |
Vault-related
| ID | Name | Fields |
|---|---|---|
7J3TaqEtCgXB7sDwWhwZcT1YgM8 | Account Key Vault Objects | view |
7Dt6XcnjJOzpexYxZlz7kIN1zCF | Group Key Vault Objects | view |
a62mQQOqiTzBN8F2sFMNJyiY0F0 | Group User Key Vault Objects | view |
Control Integration — Data Sync
Control uses specific saved search IDs to synchronize identity data from Discovery into its local cache. This cached data feeds the KPI calculation engine that powers Control's custom dashboards.
Primary sync queries
| Purpose | Method | Query ID | Fields |
|---|---|---|---|
| Sync all accounts | POST /global/ssrmquery/{id} | ASpnJ4bLpFRGBZxEwAEPullOFx5 | view |
| Sync account owners | POST /global/ssrmquery/{id} | UVYaMSAx8evNujhC75QELLRej2T | view |
| Bulk owner accounts | POST /global/ssrmquery/{id} | DUrG0M5i1MYn0H99KwSpezBqLtt | view |
| Bulk group memberships | POST /global/ssrmquery/{id} | W8fSFbTri7TqbXWgdZVpBjLZMNn | view |
| List groups | POST /global/search/{id} | 5giWu96fvwE0N3LVgm60eKfI6X6 | view |
| List owner accounts | POST /global/search/{id} | MG4VCGoPBLa1aHtSHRziTeHvb34 | view |
| List owner groups | POST /global/search/{id} | GlLjXWQNzXixQCqikR3K9mJMoTa | view |
| Get group members | GET /global/search/{id}?groupId={gid} | 8XYzi8x3XmVmA47OehS6q1K8Jia | view |
Pagination pattern
Control iterates through all pages using offset-based pagination:
offset = 0
while offset < totalCount:
response = POST /global/ssrmquery/{id} { offset, limit: 500 }
process(response.rows)
offset += limitKPI data flow
Discovery data flows through Control's dashboard system as follows:
Diagram description: A left-to-right flow diagram showing the KPI data flow. The Discovery API sends SSRM queries and dashboard endpoint data to the Control Cache. The cache feeds entity data to the KPI Calculator, which applies filters and aggregation to produce KPI Results. These results are delivered as time series or data points to Dashboard Widgets.
Control's KPI calculator supports these aggregation functions over cached Discovery data:
| Function | Description |
|---|---|
COUNT | Count matching records |
DISTINCT_COUNT | Count unique values |
SUM | Sum a numeric field |
AVG | Average a numeric field |
MIN | Minimum value |
MAX | Maximum value |
And these filter operators:
| Operator | Description |
|---|---|
EQUALS | Exact match |
NOT_EQUALS | Exclude value |
IN | Comma-separated value list |
CONTAINS | Substring match |
GREATER_THAN | Numeric greater than |
LESS_THAN | Numeric less than |
GREATER_THAN_OR_EQUAL | Numeric greater than or equal |
LESS_THAN_OR_EQUAL | Numeric less than or equal |
IS_NULL | Field is null |
IS_NOT_NULL | Field is not null |