REST API Detections

List of detections

HTTP request: GET api/v1/detections

URL query:

Pagination:

- $top—system query option that requests the number of items in the queried collection to be included in the result

- $skip—system query option that requests the number of items in the queried collection that are to be skipped and not included in the result

- $count—system query option that allows clients to request a count of the matching resources, included with the resources in the response. If set to $count=1, the number of detections is returned.

Sorting:

- $orderBy—system query option that allows clients to request resources in either ascending order using asc or descending order using desc. If not specified, the order is ascending.

Filtering:

- $filter—system query option that allows clients to filter a collection of resources that are addressed by a request URL. The query supports the following operators: eq, ne, gt, ge, lt, le, and, or, and (). Operators can be combined with values to filter data. For instance, “resolved eq 0” will report only unresolved detections.

Example: GET api/v1/detections?$skip=100&$orderBy=creationTime desc

For other examples, see System Query Options.
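The following is an added example (it is not ESET's code) showing how a client assembles the query options above into a request URL and how it pages through the whole collection with $top and $skip. The base host is a placeholder, the in-memory fetch_page stub replaces the real HTTP call, and the name "count" for the property that carries the $count result is an assumption; only the query option names come from the documentation.

```python
"""Query-string construction and $top/$skip paging for GET api/v1/detections.

Added example, not ESET's code. The base host is a placeholder; the fetch_page
stub and the "count" property name are constructed for illustration.
"""
from urllib.parse import urlencode, quote

BASE_URL = "https://eei.example.invalid"  # placeholder, not a real host


def build_detections_url(base=BASE_URL, top=None, skip=None, count=False,
                         order_by=None, filter_expr=None):
    """Assemble api/v1/detections with the documented system query options.

    Values are percent-encoded so the space in "creationTime desc" or inside a
    $filter expression reaches the server intact; "$" and ":" stay readable.
    """
    params = []
    if top is not None:
        params.append(("$top", int(top)))
    if skip is not None:
        params.append(("$skip", int(skip)))
    if count:
        params.append(("$count", 1))
    if order_by:
        params.append(("$orderBy", order_by))
    if filter_expr:
        params.append(("$filter", filter_expr))
    url = base.rstrip("/") + "/api/v1/detections"
    if params:
        url += "?" + urlencode(params, quote_via=quote, safe="$:")
    return url


# Constructed stand-in for the server: seven detections so paging runs offline.
_FAKE_DETECTIONS = [{"id": i, "resolved": i % 2 == 0} for i in range(1, 8)]


def fetch_page(top, skip):
    """Stub for GET ...?$top=<top>&$skip=<skip>&$count=1 (no network here).

    A real client would perform the GET with the Authorization header and
    return the decoded JSON; "count" is the assumed name of the $count result.
    """
    return {"count": len(_FAKE_DETECTIONS),
            "value": _FAKE_DETECTIONS[skip:skip + top]}


def iter_all_detections(page_size=3, fetch=fetch_page):
    """Walk the whole collection in $top-sized windows, advancing $skip.

    The loop stops on the reported total or on an empty page, so a collection
    that shrinks while being read (another operator resolving detections that a
    filter then excludes) cannot keep the client looping.
    """
    skip = 0
    while True:
        page = fetch(page_size, skip)
        for item in page["value"]:
            yield item
        skip += page_size
        if not page["value"] or skip >= page["count"]:
            break


def all_detection_ids(page_size=3):
    """Collect every id across all pages."""
    return [d["id"] for d in iter_all_detections(page_size)]


if __name__ == "__main__":
    print(build_detections_url(skip=100, order_by="creationTime desc"))
    print(all_detection_ids())
```

Percent-encoding matters here because a $filter expression contains spaces and colons; the safe set is chosen so that the URL still reads like the documented examples while the space becomes %20.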

Request header: Authorization token

Request body: none

Response: JSON object with the following properties:

value — an array of detections:

computerId—unique identifier of a computer in EEI database

computerName—shows the name of a computer that raised the detection

computerUuid—unique identifier of a computer in EEI database

creationTime—the time of the detection

id—unique identifier of detection in EEI database

moduleId—unique identifier of the executable in EEI database

moduleLgAge—number of days visible in the LiveGrid®

moduleLgPopularity—how many computers reported an executable to LiveGrid®

moduleLgReputation—LiveGrid® reputation is a number from 1 to 9 indicating how safe the file is: 1-2 (Red) is malicious, 3-7 (Yellow) is suspicious, 8-9 (Green) is safe

moduleName—the executable that triggered the detection

moduleSha1—SHA-1 hash of the executable that triggered the detection

moduleSignatureType—information on whether the file is signed and how it is signed, encoded as one of the following values:

- 90 = Trusted

- 80 = Valid

- 75 = AdHoc

- 70 = None

- 60 = Invalid

moduleSigner—if the file is signed, here you can see the signer of the file

note—if available a note is shown

priority—the priority of the detection (default 0, otherwise set by the EEI Administrator)

processCommandLine—the command-line arguments the process was started with

processId—unique identifier of a process in EEI database

processUser—the user account that was logged on to the computer at the time the detection was triggered

resolved—true/false, depending on whether the user marked the detection as resolved

ruleName—the name of the rule that triggered the detection

ruleId—the integer id of a rule

ruleUuid—the UUID of a rule

severity—shows the severity of the detection

severityScore—a more precise definition of severity: 1-39 = Info, 40-69 = Warning, 70-100 = Threat

threatName—the name of the threat, as listed in http://www.virusradar.com/en/threat_encyclopaedia

threatUri—the URI (uniform resource identifier) that caused this detection to trigger

type—ESET detection type:

- UnknownAlarm = 0

- RuleActivated = 1—rule-based detection

- MalwareFoundOnDisk = 2—malware found on disk by Endpoint

- MalwareFoundInMemory = 3—malware found in memory by Endpoint

- ExploitDetected = 4—exploit detected by Endpoint

- FirewallDetection = 5

- BlockedAddress = 7—URL blocked by the firewall

- CryptoBlockerDetection = 8—CryptoBlocker detection

uuid—unique identifier of a detection
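Several properties of a detection record are numeric codes or bands (moduleSignatureType, type, severityScore, moduleLgReputation). The following added example, which is not ESET's code, turns one record into readable labels using exactly the tables and thresholds documented above and then orders unresolved detections for review. The sample records and the triage ordering rule are constructed for illustration.

```python
"""Decode the coded fields of a detection record from GET api/v1/detections.

Added example, not ESET's code. The code tables and the score/reputation bands
are those stated in the documentation; the sample records and the triage
ordering rule are constructed for illustration.
"""
SIGNATURE_TYPE = {90: "Trusted", 80: "Valid", 75: "AdHoc", 70: "None", 60: "Invalid"}

DETECTION_TYPE = {
    0: "UnknownAlarm", 1: "RuleActivated", 2: "MalwareFoundOnDisk",
    3: "MalwareFoundInMemory", 4: "ExploitDetected", 5: "FirewallDetection",
    7: "BlockedAddress", 8: "CryptoBlockerDetection",
}


def severity_band(score):
    """severityScore: 1-39 Info, 40-69 Warning, 70-100 Threat."""
    if not 1 <= score <= 100:
        raise ValueError(f"severityScore out of range: {score}")
    if score <= 39:
        return "Info"
    if score <= 69:
        return "Warning"
    return "Threat"


def reputation_band(rep):
    """moduleLgReputation: 1-2 Red (malicious), 3-7 Yellow (suspicious), 8-9 Green (safe)."""
    if not 1 <= rep <= 9:
        raise ValueError(f"moduleLgReputation out of range: {rep}")
    if rep <= 2:
        return "Red"
    if rep <= 7:
        return "Yellow"
    return "Green"


def describe_detection(d):
    """Flatten one detection dict into readable labels; unknown codes stay visible."""
    sig = d["moduleSignatureType"]
    return {
        "id": d["id"],
        "computer": d["computerName"],
        "type": DETECTION_TYPE.get(d["type"], f"Unknown({d['type']})"),
        "severity": severity_band(d["severityScore"]),
        "reputation": reputation_band(d["moduleLgReputation"]),
        "signature": SIGNATURE_TYPE.get(sig, f"Unknown({sig})"),
        "module": f"{d['moduleName']} sha1={d['moduleSha1']}",
        "resolved": bool(d["resolved"]),
    }


def triage_order(detections):
    """Ids of unresolved detections, highest severityScore first, then lowest
    LiveGrid reputation first. This ordering is our choice, not a documented rule."""
    pending = [d for d in detections if not d["resolved"]]
    pending.sort(key=lambda d: (-d["severityScore"], d["moduleLgReputation"]))
    return [d["id"] for d in pending]


# Constructed sample records carrying only the fields used above (dummy SHA-1s).
SAMPLE = [
    {"id": 101, "computerName": "WS-01", "type": 1, "severityScore": 55,
     "moduleLgReputation": 5, "moduleSignatureType": 80,
     "moduleName": "tool.exe", "moduleSha1": "0" * 40, "resolved": False},
    {"id": 102, "computerName": "WS-02", "type": 3, "severityScore": 92,
     "moduleLgReputation": 1, "moduleSignatureType": 70,
     "moduleName": "x.exe", "moduleSha1": "1" * 40, "resolved": False},
    {"id": 103, "computerName": "WS-03", "type": 7, "severityScore": 20,
     "moduleLgReputation": 9, "moduleSignatureType": 90,
     "moduleName": "browser.exe", "moduleSha1": "2" * 40, "resolved": True},
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(describe_detection(record))
    print("triage order:", triage_order(SAMPLE))
```

Keeping unknown codes visible (rather than mapping them to a default) is deliberate: a new type or signature value introduced by a product update should show up in reports instead of being silently relabelled.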


List of detections - filtering

The $filter parameter allows the user to filter detections using an expression built out of:

Fields: id, resolved, creationTime

Operators: eq, ne, gt, ge, lt, le, and, or, and ()


Example:
GET api/v1/detections?$filter=resolved eq false and creationTime ge 2020-01-20T20:11:00Z
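To see what the filter grammar above accepts, here is an added example (not ESET's code) that validates a $filter expression against the documented fields and operators and evaluates it locally against sample records, which is handy for checking an expression before sending it. It treats "and" as binding tighter than "or", as OData does; the server's own parser may differ in such details, and the sample detections are constructed.

```python
"""Validate and locally evaluate a $filter expression for api/v1/detections.

Added example, not ESET's code. Accepts exactly the documented fields
(id, resolved, creationTime) and operators (eq, ne, gt, ge, lt, le, and, or,
parentheses); "and" binds tighter than "or" (an OData convention, assumed here).
"""
import operator
import re
from datetime import datetime, timezone

ALLOWED_FIELDS = {"id", "resolved", "creationTime"}
_OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
        "ge": operator.ge, "lt": operator.lt, "le": operator.le}
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


class FilterError(ValueError):
    """Unknown field, operator or value, or unbalanced parentheses."""


def _parse_value(raw):
    """Literals: true/false, integers (so "resolved eq 0" works), or ISO-8601 UTC."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.isdigit():
        return int(raw)
    try:
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        raise FilterError(f"unsupported value {raw!r}") from None


def _coerce(field_value):
    """creationTime arrives as a string in JSON; make it comparable to a literal."""
    if isinstance(field_value, str):
        try:
            return _parse_value(field_value)
        except FilterError:
            return field_value
    return field_value


def parse_filter(expr):
    """Check the expression and return a predicate over one detection dict."""
    tokens = _TOKEN.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise FilterError("unexpected end of expression")
        pos += 1
        return tok

    def parse_or():  # or_expr := and_expr ('or' and_expr)*
        left = parse_and()
        while peek() == "or":
            take()
            left = (lambda l, r: lambda d: l(d) or r(d))(left, parse_and())
        return left

    def parse_and():  # and_expr := term ('and' term)*
        left = parse_term()
        while peek() == "and":
            take()
            left = (lambda l, r: lambda d: l(d) and r(d))(left, parse_term())
        return left

    def parse_term():  # term := '(' or_expr ')' | field op value
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise FilterError("missing ')'")
            return inner
        if tok not in ALLOWED_FIELDS:
            raise FilterError(f"field {tok!r} is not filterable")
        op = take()
        if op not in _OPS:
            raise FilterError(f"unknown operator {op!r}")
        value = _parse_value(take())
        return lambda d, f=tok, o=op, v=value: _OPS[o](_coerce(d[f]), v)

    pred = parse_or()
    if peek() is not None:
        raise FilterError(f"unexpected token {peek()!r}")
    return pred


def is_valid_filter(expr):
    try:
        parse_filter(expr)
        return True
    except FilterError:
        return False


# Constructed sample records, shaped like the list endpoint's "value" entries.
SAMPLE_DETECTIONS = [
    {"id": 1, "resolved": False, "creationTime": "2020-01-19T09:00:00Z"},
    {"id": 2, "resolved": False, "creationTime": "2020-01-21T08:30:00Z"},
    {"id": 3, "resolved": True, "creationTime": "2020-01-22T11:15:00Z"},
]


def apply_filter(expr, detections=SAMPLE_DETECTIONS):
    """Ids of the records matching expr, in input order."""
    pred = parse_filter(expr)
    return [d["id"] for d in detections if pred(d)]
```

Rejecting unknown fields client-side keeps a typo such as "severtiy eq 1" from turning into a server-side error or, worse, an unfiltered result set being treated as filtered.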


Get detection details

HTTP request: GET api/v1/detections/{id}

URL query:

$idType—if $idType=sha1, the {id} in the URL is interpreted as the SHA-1 of a module

Request header: Authorization token

Request body: none

Response: JSON object with detection data:

computerId—unique identifier of a computer in EEI database

computerName—shows the name of a computer that raised the detection

computerUuid—unique identifier of a computer in EEI database

creationTime—the time of the detection

handled—shows whether an action was taken against this detection

id—unique identifier of detection in EEI database

moduleFirstSeenLocally—when an executable was first seen on any computer

moduleId—unique identifier of the executable in EEI database

moduleLastExecutedLocally—when the executable was last executed on any computer

moduleLgAge—number of days visible in the LiveGrid®

moduleLgPopularity—how many computers reported an executable to LiveGrid®

moduleLgReputation—LiveGrid® reputation is a number from 1 to 9 indicating how safe the file is: 1-2 (Red) is malicious, 3-7 (Yellow) is suspicious, 8-9 (Green) is safe

moduleName—the executable that triggered the detection

moduleSha1—SHA-1 hash of the executable that triggered the detection

moduleSignatureType—information whether the file is signed or not and how it is signed (Trusted/Valid/None/Invalid/Unknown)

moduleSigner—if the file is signed, here you can see the signer of the file

note—if available a comment is shown

priority—the priority of the detection (default 0, otherwise set by the EEI Administrator)

processCommandLine—the command-line arguments the process was started with

processId—unique identifier of a process in EEI database

processPath—path on the disk where the executable is located

processUser—the user account that was logged on to the computer at the time the detection was triggered

resolved—true/false, depending on whether the user marked the detection as resolved

ruleName—the name of the rule that triggered the detection

ruleId—the integer id of a rule

ruleUuid—the UUID of a rule

severity—shows the severity of the detection

severityScore—a more precise definition of severity: 1-39 = Info, 40-69 = Warning, 70-100 = Threat

threatName—the name of the threat, as listed in http://www.virusradar.com/en/threat_encyclopaedia

threatUri—the URI (uniform resource identifier) that caused this detection to trigger

type—ESET detection type:

- UnknownAlarm = 0

- RuleActivated

- MalwareFoundOnDisk

- MalwareFoundInMemory

- ExploitDetected

- FirewallDetection

- BlockedAddress

- CryptoBlockerDetection

uuid—unique identifier of a detection

Update detection

HTTP request: PATCH api/v1/detections/{id}

URL query:

$idType—if $idType=sha1, the {id} in the URL is interpreted as the SHA-1 of a module

Request header: Authorization token

Request body: JSON object with the following properties:

resolved—when set to true, the detection is marked as resolved

priority—sets the priority of the detection

note—adds a note to the detection
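The following added example (not ESET's code) builds the GET detail request and the PATCH update request described in the two sections above without sending them, so the URL, method, header and JSON body can be inspected first. Assumptions: the host is a placeholder, the token is placed verbatim in the Authorization header (the documentation only says "Authorization token"), and the 40-hex-digit check applied when $idType=sha1 is ours.

```python
"""Build the GET detail and PATCH update requests for api/v1/detections/{id}.

Added example, not ESET's code. The host is a placeholder, the token is sent
verbatim in the Authorization header (assumed), and the SHA-1 format check for
$idType=sha1 is ours. Requests are constructed here, never sent.
"""
import json
import re
import urllib.request

BASE_URL = "https://eei.example.invalid"  # placeholder host
_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")


def detection_url(detection_id, by_sha1=False, base=BASE_URL):
    """api/v1/detections/{id}; with $idType=sha1 the {id} is a module's SHA-1."""
    ident = str(detection_id)
    if by_sha1:
        if not _SHA1.match(ident):
            raise ValueError("with $idType=sha1 the id must be a 40-digit hex SHA-1")
        return f"{base}/api/v1/detections/{ident.lower()}?$idType=sha1"
    if not ident.isdigit():
        raise ValueError("detection id must be an integer unless $idType=sha1 is used")
    return f"{base}/api/v1/detections/{ident}"


def update_body(resolved=None, priority=None, note=None):
    """Only the documented properties are sent; omitted ones are left untouched."""
    body = {}
    if resolved is not None:
        body["resolved"] = bool(resolved)
    if priority is not None:
        if isinstance(priority, bool) or not isinstance(priority, int):
            raise ValueError("priority must be an integer")
        body["priority"] = priority
    if note is not None:
        body["note"] = str(note)
    if not body:
        raise ValueError("nothing to update")
    return body


def build_detail_request(detection_id, token, by_sha1=False):
    """GET api/v1/detections/{id}[?$idType=sha1] with the Authorization header."""
    return urllib.request.Request(
        detection_url(detection_id, by_sha1),
        method="GET", headers={"Authorization": token})


def build_update_request(detection_id, token, by_sha1=False, **changes):
    """PATCH api/v1/detections/{id} with a JSON body of resolved/priority/note."""
    payload = json.dumps(update_body(**changes)).encode("utf-8")
    return urllib.request.Request(
        detection_url(detection_id, by_sha1), data=payload, method="PATCH",
        headers={"Authorization": token, "Content-Type": "application/json"})


def request_summary(req):
    """Flatten a Request for review or audit logging before it is sent."""
    return {
        "method": req.get_method(),
        "url": req.full_url,
        "authorization": req.get_header("Authorization"),
        "body": json.loads(req.data.decode("utf-8")) if req.data else None,
    }


def is_valid_update(**changes):
    """True if the changes form a valid PATCH body."""
    try:
        update_body(**changes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    req = build_update_request(42, "TOKEN_PLACEHOLDER", resolved=True, note="handled")
    print(request_summary(req))
```

Sending only the properties that were actually supplied is the point of the PATCH body builder: a client that always sends all three fields would reset priority or note on every resolve.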