REST API Detections
List of detections
HTTP request:
GET api/v1/detections
URL query:
Pagination:
$top | The system query option requests the number of items in the queried collection to be included in the result.
$skip | The system query option requests the number of items in the queried collection to be skipped and not included in the result.
$count | The system query option enables clients to request a count of the matching resources included with the resources in the response. If set to $count=1, the number of detections is returned.
Sorting:
$orderBy | The system query option enables clients to request resources in ascending order using $orderBy=asc or descending order using $orderBy=desc. If not specified, the order is ascending.
Filtering:
$filter | The system query option enables clients to filter a collection of resources addressed by a request URL. The query supports the operators eq, ne, gt, ge, lt, le, and, or, and (). Operators can be combined with values to filter data. For instance, resolved eq 0 reports only unresolved detections.
Example: GET api/v1/detections?$skip=100&$orderBy=creationTime desc
For other examples, see System Query Options.
Request header: Authorization token
Request body: none
Response: JSON object with the following properties:
value | list of detections; each item has the following properties:
computerId | unique identifier of the computer in the ESET Inspect database
computerName | name of the computer that raised the detection
computerUuid | UUID of the computer in the ESET Inspect database
creationTime | time of the detection
id | unique identifier of the detection in the ESET Inspect database
moduleId | unique identifier of the executable in the ESET Inspect database
moduleLgAge | number of days the executable has been visible in LiveGrid®
moduleLgPopularity | how many computers reported the executable to LiveGrid®
moduleLgReputation | LiveGrid® reputation, a number from 1 to 9 indicating how safe the file is: 1-2 (red) malicious, 3-7 (yellow) suspicious, 8-9 (green) safe
moduleName | the executable that triggered the detection
moduleSha1 | SHA-1 hash of the executable that triggered the detection
moduleSignatureType | whether the file is signed and how it is signed; return values: 90 = Trusted, 80 = Valid, 75 = AdHoc, 70 = None, 60 = Invalid
moduleSigner | if the file is signed, the signer of the file
note | the note attached to the detection, if any
priority | priority of the detection (default 0, otherwise set by the ESET Inspect administrator)
processCommandLine | the command-line arguments the process was started with
processId | unique identifier of the process in the ESET Inspect database
processUser | the user account that was logged on to the computer when the detection was triggered
resolved | true/false depending on whether the user marked the detection as resolved
ruleName | name of the rule that triggered the detection
ruleId | integer id of the rule
ruleUuid | UUID of the rule
severity | severity of the detection
severityScore | a more precise definition of severity: 1-39 Info, 40-69 Warning, 70-100 Threat
threatName | name of the threat; threats are listed at http://www.virusradar.com/en/threat_encyclopaedia
threatUri | the URI (uniform resource identifier) that caused this detection to trigger
type | ESET detection type: UnknownAlarm = 0; RuleActivated = 1 (rule-based detection); MalwareFoundOnDisk = 2 (malware found on disk by Endpoint); MalwareFoundInMemory = 3 (malware found in memory by Endpoint); ExploitDetected = 4 (exploit detected by Endpoint); FirewallDetection = 5; BlockedAddress = 7 (URL blocked by firewall); CryptoBlockerDetection = 8 (CryptoBlocker detection)
uuid | unique identifier of the detection
List of detections - filtering
URL query:
$filter | enables the user to filter detections using an expression built from the fields id, resolved and creationTime and the operators eq, ne, gt, ge, lt, le, and, or, and ()
Example: GET api/v1/detections?$filter=resolved eq false and creationTime ge 2020-01-20T20:11:00Z
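The query options above ($top, $skip, $count, $orderBy, $filter) and the filter grammar of this section (fields id, resolved, creationTime; operators eq, ne, gt, ge, lt, le, and, or, parentheses) can be assembled by a small helper rather than by string concatenation, so that only documented fields and operators reach the URL. The following is an added example, not ESET's own client code; the base URL, the token value and the helper names are placeholders chosen for this example.

```python
"""Build GET api/v1/detections URLs from the documented system query options.

Added example, not ESET code. Assumed: base URL and token are placeholders;
the filter grammar is the one the page documents.
"""
from datetime import datetime, timezone
from urllib.parse import quote
import urllib.request

# Filter fields and comparison operators documented on the page.
_FILTER_FIELDS = {"id", "resolved", "creationTime"}
_COMPARISONS = {"eq", "ne", "gt", "ge", "lt", "le"}


def filter_term(field, op, value):
    """Return one 'field op value' comparison, rejecting anything outside the
    documented grammar so arbitrary text cannot end up in $filter."""
    if field not in _FILTER_FIELDS:
        raise ValueError(f"unsupported filter field: {field}")
    if op not in _COMPARISONS:
        raise ValueError(f"unsupported operator: {op}")
    if isinstance(value, bool):            # checked before int: bool is an int subclass
        literal = "true" if value else "false"
    elif isinstance(value, int):           # the page also shows 'resolved eq 0'
        literal = str(value)
    elif isinstance(value, datetime):      # page example uses ISO-8601 UTC with 'Z'
        literal = value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    else:
        raise TypeError(f"unsupported filter value type: {type(value).__name__}")
    return f"{field} {op} {literal}"


def combine(*terms, conjunction="and"):
    """Join terms with 'and' / 'or'; a term that already contains a
    conjunction is parenthesised so precedence stays explicit."""
    if conjunction not in ("and", "or"):
        raise ValueError(f"unsupported conjunction: {conjunction}")

    def wrap(term):
        return f"({term})" if (" and " in term or " or " in term) else term

    return f" {conjunction} ".join(wrap(t) for t in terms)


def build_detections_url(base_url, top=None, skip=None, count=False,
                         order_by=None, filter_expr=None):
    """Assemble the list URL; option values are percent-encoded, the
    $-prefixed option names stay literal as shown on the page."""
    params = []
    if top is not None:
        params.append(("$top", str(int(top))))
    if skip is not None:
        params.append(("$skip", str(int(skip))))
    if count:
        params.append(("$count", "1"))
    if order_by:
        params.append(("$orderBy", order_by))
    if filter_expr:
        params.append(("$filter", filter_expr))
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params)
    url = base_url.rstrip("/") + "/api/v1/detections"
    return f"{url}?{query}" if query else url


def detections_request(base_url, token, **options):
    """urllib Request for the list call carrying the Authorization header
    the page requires; it is built here but not sent."""
    url = build_detections_url(base_url, **options)
    return urllib.request.Request(url, headers={"Authorization": token}, method="GET")


def page_example_filter():
    """The page's own example filter, rebuilt from validated terms."""
    since = datetime(2020, 1, 20, 20, 11, tzinfo=timezone.utc)
    return combine(filter_term("resolved", "eq", False),
                   filter_term("creationTime", "ge", since))


if __name__ == "__main__":
    print(build_detections_url("https://inspect.example", skip=100,
                               order_by="creationTime desc",
                               filter_expr=page_example_filter()))
```

Sending the request is a plain urllib.request.urlopen(detections_request(...)) once a real base URL and token are supplied; the point of the helper is that field and operator names are checked against the documented set before they become part of the URL.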
Get detection details
HTTP request:
GET api/v1/detections/{id}
URL query:
$idType | if $idType=sha1, {id} in the URL is interpreted as the SHA-1 of a module
Request header: Authorization token
Request body: none
Response: JSON object with detection data:
computerId | unique identifier of the computer in the ESET Inspect database
computerName | name of the computer that raised the detection
computerUuid | UUID of the computer in the ESET Inspect database
creationTime | time of the detection
handled | whether an action was taken against this detection
id | unique identifier of the detection in the ESET Inspect database
moduleFirstSeenLocally | when the executable was first seen on any computer
moduleId | unique identifier of the executable in the ESET Inspect database
moduleLastExecutedLocally | when the executable was last executed on any computer
moduleLgAge | number of days the executable has been visible in LiveGrid®
moduleLgPopularity | how many computers reported the executable to LiveGrid®
moduleLgReputation | LiveGrid® reputation, a number from 1 to 9 indicating how safe the file is: 1-2 (red) malicious, 3-7 (yellow) suspicious, 8-9 (green) safe
moduleName | the executable that triggered the detection
moduleSha1 | SHA-1 hash of the executable that triggered the detection
moduleSignatureType | whether the file is signed and how it is signed (Trusted/Valid/None/Invalid/Unknown)
moduleSigner | if the file is signed, the signer of the file
note | the comment attached to the detection, if any
priority | priority of the detection (default 0, otherwise set by the ESET Inspect administrator)
processCommandLine | the command-line arguments the process was started with
processId | unique identifier of the process in the ESET Inspect database
processPath | path on disk where the executable is located
processUser | the user account that was logged on to the computer when the detection was triggered
resolved | true/false depending on whether the user marked the detection as resolved
ruleName | name of the rule that triggered the detection
ruleId | integer id of the rule
ruleUuid | UUID of the rule
severity | severity of the detection
severityScore | a more precise definition of severity: 1-39 Info, 40-69 Warning, 70-100 Threat
threatName | name of the threat; threats are listed at http://www.virusradar.com/en/threat_encyclopaedia
threatUri | the URI (uniform resource identifier) that caused this detection to trigger
type | ESET detection type: UnknownAlarm = 0; RuleActivated = 1 (rule-based detection); MalwareFoundOnDisk = 2 (malware found on disk by Endpoint); MalwareFoundInMemory = 3 (malware found in memory by Endpoint); ExploitDetected = 4 (exploit detected by Endpoint); FirewallDetection = 5; BlockedAddress = 7 (URL blocked by firewall); CryptoBlockerDetection = 8 (CryptoBlocker detection)
uuid | unique identifier of the detection
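Several of the response fields above are numeric codes (moduleLgReputation, moduleSignatureType, severityScore, type) whose meaning is only given in the descriptions. The following added example, which is not ESET code, turns those codes into labels using exactly the bands and enum values documented on this page and then applies a simple triage rule to a constructed sample response. The triage rule (unresolved detections in the Threat band, or with a weakly signed module of non-safe reputation) and the sample data are this example's own assumptions; the page also does not list a type value 6, so the decoder reports it as undocumented.

```python
"""Decode the numeric fields of an ESET Inspect detection into labels.

Added example, not ESET code. Band boundaries and enum values are taken from
the page; SAMPLE_RESPONSE and the triage rule are constructed for this example.
"""
import json

# 'type' enumeration exactly as listed on the page (6 is not documented there).
DETECTION_TYPES = {
    0: "UnknownAlarm",
    1: "RuleActivated",
    2: "MalwareFoundOnDisk",
    3: "MalwareFoundInMemory",
    4: "ExploitDetected",
    5: "FirewallDetection",
    7: "BlockedAddress",
    8: "CryptoBlockerDetection",
}

# moduleSignatureType codes as listed for the list endpoint.
SIGNATURE_TYPES = {90: "Trusted", 80: "Valid", 75: "AdHoc", 70: "None", 60: "Invalid"}


def reputation_label(score):
    """LiveGrid reputation 1-9: 1-2 malicious, 3-7 suspicious, 8-9 safe."""
    if not 1 <= score <= 9:
        raise ValueError(f"reputation out of range: {score}")
    if score <= 2:
        return "malicious"
    if score <= 7:
        return "suspicious"
    return "safe"


def severity_band(score):
    """severityScore: 1-39 Info, 40-69 Warning, 70-100 Threat."""
    if not 1 <= score <= 100:
        raise ValueError(f"severityScore out of range: {score}")
    if score < 40:
        return "Info"
    if score < 70:
        return "Warning"
    return "Threat"


def signature_label(code):
    return SIGNATURE_TYPES.get(code, f"Unknown({code})")


def type_label(code):
    return DETECTION_TYPES.get(code, f"Undocumented({code})")


def summarize(detection):
    """Decode one detection object and add a needs_attention flag
    (this example's rule, not an ESET definition)."""
    rep = reputation_label(detection["moduleLgReputation"])
    sig = signature_label(detection["moduleSignatureType"])
    band = severity_band(detection["severityScore"])
    weak_signature = sig not in ("Trusted", "Valid")
    needs_attention = (not detection["resolved"]) and (
        band == "Threat" or (weak_signature and rep != "safe"))
    return {
        "id": detection["id"],
        "computerName": detection["computerName"],
        "type": type_label(detection["type"]),
        "severity": band,
        "reputation": rep,
        "signature": sig,
        "needs_attention": needs_attention,
    }


# Constructed sample of a list-endpoint response body (not real ESET Inspect output).
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"id": 101, "computerName": "ws-01", "resolved": False, "type": 1,
         "severityScore": 55, "moduleLgReputation": 3, "moduleSignatureType": 70,
         "moduleName": "updater.exe", "moduleSha1": "<sample-hash>"},
        {"id": 102, "computerName": "ws-02", "resolved": True, "type": 2,
         "severityScore": 85, "moduleLgReputation": 1, "moduleSignatureType": 60},
        {"id": 103, "computerName": "ws-03", "resolved": False, "type": 5,
         "severityScore": 20, "moduleLgReputation": 9, "moduleSignatureType": 90},
    ]
})


def triage(body):
    """Parse a list-endpoint response and return the summaries that need attention."""
    items = json.loads(body)["value"]
    return [s for s in map(summarize, items) if s["needs_attention"]]


if __name__ == "__main__":
    for item in triage(SAMPLE_RESPONSE):
        print(item)
```

Of the three constructed detections only id 101 is flagged: it is unresolved, its module is unsigned (code 70) and has a suspicious reputation; id 102 scores in the Threat band but is already resolved, and id 103 is a trusted, safe-reputation module in the Info band.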
Update detection
HTTP request:
PATCH api/v1/detections/{id}
URL query:
$idType | if $idType=sha1, {id} in the URL is interpreted as the SHA-1 of a module
Request header: Authorization token
Request body: JSON object with the following properties:
resolved | when set to true, the detection is marked as resolved
priority | sets the priority of the detection
note | adds a note to the detection
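The update call above takes only the three documented body properties (resolved, priority, note) and the same $idType=sha1 option as the detail call. The following added example, not ESET code, builds that PATCH request and validates the body before sending; the base URL and token are placeholders, and the validation rules (priority must be a non-negative integer, note a string, a sha1 identifier must be 40 hex digits) are this example's assumptions beyond what the page states.

```python
"""Build the PATCH api/v1/detections/{id} request from the documented body
properties. Added example, not ESET code; base URL and token are placeholders.
"""
import json
import re
import urllib.request

_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")


def update_body(resolved=None, priority=None, note=None):
    """Return a JSON-serialisable body containing only the properties being changed."""
    body = {}
    if resolved is not None:
        if not isinstance(resolved, bool):
            raise TypeError("resolved must be a bool")
        body["resolved"] = resolved
    if priority is not None:
        # bool is an int subclass, so exclude it explicitly (assumed rule: non-negative int).
        if isinstance(priority, bool) or not isinstance(priority, int) or priority < 0:
            raise ValueError("priority must be a non-negative integer")
        body["priority"] = priority
    if note is not None:
        if not isinstance(note, str):
            raise TypeError("note must be a string")
        body["note"] = note
    if not body:
        raise ValueError("nothing to update")
    return body


def detection_path(identifier, id_type=None):
    """Path for the detail/update endpoints. Without id_type the identifier is
    the numeric detection id; with id_type='sha1' it must look like a SHA-1
    and $idType=sha1 is appended as documented."""
    if id_type is None:
        return f"/api/v1/detections/{int(identifier)}"
    if id_type == "sha1":
        if not _SHA1.match(str(identifier)):
            raise ValueError("identifier is not a 40-hex-digit SHA-1")
        return f"/api/v1/detections/{identifier.lower()}?$idType=sha1"
    raise ValueError(f"unsupported $idType: {id_type}")


def update_request(base_url, token, identifier, id_type=None, **fields):
    """urllib Request for PATCH with the Authorization header; built, not sent."""
    body = json.dumps(update_body(**fields)).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + detection_path(identifier, id_type),
        data=body,
        method="PATCH",
        headers={"Authorization": token, "Content-Type": "application/json"},
    )


def send(request):
    """Send a prepared request and return (status, parsed JSON or None).
    This performs network I/O and is not exercised offline."""
    with urllib.request.urlopen(request) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    req = update_request("https://inspect.example", "<token>", 42,
                         resolved=True, priority=3, note="triaged")
    print(req.get_method(), req.full_url, req.data)
```

Marking a detection resolved and changing its priority in the same call is just a matter of passing both keyword arguments; a body with no recognised property is rejected before any request is built.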