ESET Online Help

REST API Detections

List of detections

HTTP request:

GET api/v1/detections

URL query:

Pagination:

$top

Requests that only the given number of items from the queried collection be included.

$skip

Requests that the given number of items from the start of the queried collection be skipped and not included.

$count

Enables clients to request a count of the matching resources included with the resources in the response. If set to $count=1, the number of detections is returned.

Sorting:

$orderBy

Enables clients to request resources in ascending order using $orderBy=asc or descending order using $orderBy=desc. The default order is ascending.

Filtering:

$filter

Enables clients to filter the resources addressed by a request URL. The query supports the following operators: eq, ne, gt, ge, lt, le, and, or, and (). Operators are combined with field names and values to build the filter expression. For instance, resolved eq 0 will report only unresolved detections.

Example:

GET api/v1/detections?$skip=100&$orderBy=creationTime desc

For other examples, see System Query Options.

Request header: Authorization token

Request body: None

Response: JSON object with the following properties:

Value

Description

computerId

A computer's unique identifier in the ESET Inspect Database

computerName

The computer's name that raised the detection

computerUuid

A computer's unique identifier in the ESET Inspect Database

creationTime

Time of the detection

id

Unique detection identifier in the ESET Inspect Database

moduleId

Unique executable identifier in the ESET Inspect Database

moduleLgAge

Number of days visible in the LiveGrid®

moduleLgPopularity

How many computers reported an executable to LiveGrid®

moduleLgReputation

A number from 1 to 9, indicating how safe the file is: 1–2 (red) is malicious, 3–7 (yellow) is suspicious, 8–9 (green) is safe

moduleName

The executable that triggered the detection

moduleSha1

The executable's hash that triggered the detection

moduleSignatureType

Information on whether and how the file is signed. Possible values:

90 = Trusted

80 = Valid

75 = AdHoc

70 = None

60 = Invalid

moduleSigner

The file signer's name, if available

note

Shows a note

priority

The detection's priority (default 0, otherwise set by ESET Inspect Administrator)

processCommandLine

Shows the argument used with the command

processId

Unique process identifier in the ESET Inspect Database

processUser

The user account logged on to the computer at the time of a detection trigger

resolved

True/false; if user marked the detection as resolved

ruleName

The rule's name that triggered the detection

ruleId

A rule's integer ID

ruleUuid

A rule's Uuid ID

severity

Shows the detection severity

severityScore

A precise severity definition: 1–39 = Info, 40–69 = Warning, 70–100 = Threat

threatName

The threat's name, which can be found in this list: http://www.virusradar.com/en/threat_encyclopaedia

threatUri

The URI (uniform resource identifier) that caused the detection to trigger

type

The ESET detection type:

UnknownAlarm = 0

RuleActivated = 1: rule-based detection

MalwareFoundOnDisk = 2: malware found on disk by Endpoint

MalwareFoundInMemory = 3: malware found in memory by Endpoint

ExploitDetected = 4: exploit detected by Endpoint

FirewallDetection = 5

BlockedAddress = 7: URL blocked by firewall

CryptoBlockerDetection = 8: cryptoBlocker detection

uuid

A detection's unique identifier.

List of detections - filtering

URL query:

$filter

Allows the user to filter detections with an expression built from:

Fields: id, resolved, creationTime

Operators: eq, ne, gt, ge, lt, le, and, or, and ()

Example:

GET api/v1/detections?$filter=resolved eq false and creationTime ge 2020-01-20T20:11:00Z
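The following is an added example client for the listing endpoint described above; it is not ESET's code. It builds the query string from the $top, $skip, $count, $orderBy and $filter options, pages through the collection, and decodes the numeric fields (severityScore, moduleSignatureType, moduleLgReputation, type) into the labels the documentation assigns them. The base URL, the exact format of the Authorization header value, and the response layout with the detections under a "value" list are assumptions; the sample records are constructed, not real telemetry.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, Optional

# Code tables transcribed from the documentation.
SIGNATURE_TYPES = {90: "Trusted", 80: "Valid", 75: "AdHoc", 70: "None", 60: "Invalid"}
DETECTION_TYPES = {
    0: "UnknownAlarm", 1: "RuleActivated", 2: "MalwareFoundOnDisk",
    3: "MalwareFoundInMemory", 4: "ExploitDetected", 5: "FirewallDetection",
    7: "BlockedAddress", 8: "CryptoBlockerDetection",
}


def severity_band(score: int) -> str:
    """severityScore bands from the documentation: 1-39 Info, 40-69 Warning, 70-100 Threat."""
    if not 1 <= score <= 100:
        raise ValueError(f"severityScore out of range: {score}")
    return "Threat" if score >= 70 else "Warning" if score >= 40 else "Info"


def reputation_label(rep: Optional[int]) -> str:
    """moduleLgReputation bands: 1-2 malicious (red), 3-7 suspicious (yellow), 8-9 safe (green)."""
    if rep is None:
        return "unknown"
    if 1 <= rep <= 2:
        return "malicious"
    if 3 <= rep <= 7:
        return "suspicious"
    if 8 <= rep <= 9:
        return "safe"
    raise ValueError(f"moduleLgReputation out of range: {rep}")


def build_detections_url(base_url: str, *, top: Optional[int] = None, skip: Optional[int] = None,
                         count: bool = False, order_by: Optional[str] = None,
                         filter_expr: Optional[str] = None) -> str:
    """Assemble GET api/v1/detections with the documented system query options."""
    params = {}
    if top is not None:
        params["$top"] = top
    if skip is not None:
        params["$skip"] = skip
    if count:
        params["$count"] = 1
    if order_by:
        params["$orderBy"] = order_by
    if filter_expr:
        params["$filter"] = filter_expr
    # quote (not quote_plus) encodes spaces as %20; '$' is kept readable in the option names.
    query = urllib.parse.urlencode(params, safe="$", quote_via=urllib.parse.quote)
    return f"{base_url.rstrip('/')}/api/v1/detections" + (f"?{query}" if query else "")


def http_fetch_json(url: str, token: str) -> dict:
    """Real transport: GET with the Authorization header (header value format is an assumption)."""
    req = urllib.request.Request(url, headers={"Authorization": token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_detections(fetch_json: Callable[[str], dict], base_url: str, *, page_size: int = 100,
                    order_by: Optional[str] = None, filter_expr: Optional[str] = None) -> Iterator[dict]:
    """Walk the whole collection with $top/$skip; the 'value' list key is an assumed response layout."""
    skip = 0
    while True:
        page = fetch_json(build_detections_url(base_url, top=page_size, skip=skip,
                                               order_by=order_by, filter_expr=filter_expr))
        items = page.get("value", [])
        yield from items
        if len(items) < page_size:  # short page means the collection is exhausted
            return
        skip += page_size


def summarize(d: dict) -> dict:
    """Decode the numeric fields of one detection into the documented labels."""
    return {
        "id": d["id"],
        "computer": d["computerName"],
        "type": DETECTION_TYPES.get(d["type"], f"Unknown({d['type']})"),
        "severity": severity_band(d["severityScore"]),
        "signature": SIGNATURE_TYPES.get(d.get("moduleSignatureType"), "Unknown"),
        "reputation": reputation_label(d.get("moduleLgReputation")),
        "resolved": bool(d["resolved"]),
    }


# Constructed sample records (not real telemetry) using the documented field names.
SAMPLE_DETECTIONS = [
    {"id": 101, "computerName": "WS-01", "type": 1, "severityScore": 85, "moduleSignatureType": 60,
     "moduleLgReputation": 2, "resolved": False, "creationTime": "2020-01-21T08:00:00Z"},
    {"id": 102, "computerName": "WS-02", "type": 4, "severityScore": 55, "moduleSignatureType": 90,
     "moduleLgReputation": 9, "resolved": False, "creationTime": "2020-01-21T09:00:00Z"},
    {"id": 103, "computerName": "SRV-01", "type": 7, "severityScore": 20, "moduleSignatureType": 70,
     "moduleLgReputation": 5, "resolved": True, "creationTime": "2020-01-21T10:00:00Z"},
]


def fake_fetch_json(url: str) -> dict:
    """Offline stand-in for http_fetch_json: serves SAMPLE_DETECTIONS honouring $top, $skip and one filter."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    rows = SAMPLE_DETECTIONS
    if qs.get("$filter", [""])[0] == "resolved eq false":
        rows = [d for d in rows if not d["resolved"]]
    top = int(qs.get("$top", ["100"])[0])
    skip = int(qs.get("$skip", ["0"])[0])
    return {"value": rows[skip:skip + top], "count": len(rows)}


def unresolved_threats(fetch_json: Callable[[str], dict], base_url: str) -> list:
    """Pull unresolved detections newest first and keep only those in the Threat band."""
    rows = iter_detections(fetch_json, base_url, page_size=2, order_by="creationTime desc",
                           filter_expr="resolved eq false")
    return [summarize(d) for d in rows if severity_band(d["severityScore"]) == "Threat"]


if __name__ == "__main__":
    for row in unresolved_threats(fake_fetch_json, "https://inspect.example.invalid"):
        print(row)
```

Against a live server, pass a closure over http_fetch_json (for example `lambda u: http_fetch_json(u, token)`) in place of fake_fetch_json; the paging loop stops on the first short page, so it also terminates cleanly when the server returns an empty list.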

Get detection details

HTTP request:

GET api/v1/detections/{id}

URL query:

$idType

If $idType=sha1 is given, the {id} in the URL is interpreted as the SHA-1 hash of a module.

Request header: Authorization token

Request body: None

Response: JSON object with detection data:

computerId

A computer's unique identifier in the ESET Inspect Database

computerName

The computer's name that raised the detection

computerUuid

A computer's unique identifier in the ESET Inspect Database

creationTime

The time of the detection

handled

Shows whether an action was taken on this detection

id

Unique detection identifier in the ESET Inspect Database

moduleFirstSeenLocally

When an executable was first seen on any computer

moduleId

An executable's unique identifier in the ESET Inspect Database

moduleLastExecutedLocally

When the executable was last executed on any computer

moduleLgAge

Number of days visible in the LiveGrid®

moduleLgPopularity

How many computers reported an executable to LiveGrid®

moduleLgReputation

A number from 1 to 9, indicating how safe the file is: 1–2 (red) is malicious, 3–7 (yellow) is suspicious, 8–9 (green) is safe

moduleName

The executable that triggered the detection.

moduleSha1

The executable’s hash that triggered the detection

moduleSignatureType

Information on if and how the file is signed

moduleSigner

The file signer, if applicable

note

A comment

priority

The detection's priority (default 0, otherwise set by the ESET Inspect Administrator)

processCommandLine

Shows the argument used with the command

processId

A process's unique identifier in the ESET Inspect Database

processPath

The disk path where the executable is located

processUser

The name of the logged-on user at the time the detection triggered

resolved

True/false; if user marked the detection as resolved

ruleName

The rule's name that triggered the detection

ruleId

A rule's integer id

ruleUuid

A rule's Uuid id

severity

The detection's severity

severityScore

A precise severity definition: 1–39 = Info, 40–69 = Warning, 70–100 = Threat

threatName

The threat's name, which can be found in this list: http://www.virusradar.com/en/threat_encyclopaedia

threatUri

The URI (uniform resource identifier) that caused the detection to trigger

type

The ESET detection type:

UnknownAlarm = 0

RuleActivated = 1: rule based detection

MalwareFoundOnDisk = 2: malware found on disk by Endpoint

MalwareFoundInMemory = 3: malware found in memory by Endpoint

ExploitDetected = 4: exploit detected by Endpoint

FirewallDetection = 5

BlockedAddress = 7: URL blocked by firewall

CryptoBlockerDetection = 8: cryptoBlocker detection

uuid

A detection's unique identifier

Update detection

HTTP request:

PATCH api/v1/detections/{id}

URL query:

$idType

If $idType=sha1 is given, the {id} in the URL is interpreted as the SHA-1 hash of a module.

Request header: Authorization token

Request body: JSON object with the following properties:

resolved

When set to true, the detection is marked as resolved

priority

 

note

Sets a note on the detection
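The following is an added example for the Update detection request above; it is not ESET's code. It validates the three documented body properties before serialising them, builds the PATCH request with the Authorization header, and switches the {id} to a module SHA-1 when $idType=sha1 is used. The base URL, the Authorization header value format, and the value types assumed for resolved (boolean), priority (integer) and note (string) are assumptions; the identifiers and note text are constructed placeholders.

```python
import json
import re
import urllib.parse
import urllib.request

# Body properties documented for PATCH api/v1/detections/{id}; the value types are an assumption.
UPDATE_FIELDS = {"resolved": bool, "priority": int, "note": str}
SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")


def build_update_body(**fields) -> bytes:
    """Validate the update properties and serialise them as the JSON request body."""
    unknown = sorted(set(fields) - set(UPDATE_FIELDS))
    if unknown:
        raise ValueError(f"unsupported update field(s): {unknown}")
    if not fields:
        raise ValueError("nothing to update")
    for name, value in fields.items():
        expected = UPDATE_FIELDS[name]
        # bool is a subclass of int, so reject True/False where an integer priority is expected.
        if isinstance(value, bool) and expected is not bool:
            raise TypeError(f"{name} must be {expected.__name__}")
        if not isinstance(value, expected):
            raise TypeError(f"{name} must be {expected.__name__}")
    return json.dumps(fields).encode("utf-8")


def build_update_request(base_url: str, detection_id, token: str, *, by_sha1: bool = False,
                         **fields) -> urllib.request.Request:
    """Assemble the PATCH request; with by_sha1 the {id} is a module SHA-1 and $idType=sha1 is appended."""
    detection_id = str(detection_id)
    if by_sha1 and not SHA1_RE.fullmatch(detection_id):
        raise ValueError("by_sha1 requires a 40-hex-digit SHA-1")
    # Quote the path segment so an unexpected id value cannot alter the request path.
    url = f"{base_url.rstrip('/')}/api/v1/detections/{urllib.parse.quote(detection_id, safe='')}"
    if by_sha1:
        url += "?$idType=sha1"
    return urllib.request.Request(
        url, data=build_update_body(**fields), method="PATCH",
        headers={"Authorization": token, "Content-Type": "application/json"},
    )


def resolve_with_note(base_url: str, token: str, detection_id, note: str,
                      priority: int = None) -> urllib.request.Request:
    """Typical triage update: mark resolved, record why, optionally adjust priority."""
    fields = {"resolved": True, "note": note}
    if priority is not None:
        fields["priority"] = priority
    return build_update_request(base_url, detection_id, token, **fields)


def send(req: urllib.request.Request) -> int:
    """Send the request and return the HTTP status (network call; not exercised offline)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    req = resolve_with_note("https://inspect.example.invalid", "<TOKEN placeholder>", 42,
                            "constructed example: triaged as a known admin tool")
    print(req.get_method(), req.full_url, req.data.decode())
```

The validation step matters because a PATCH with a misspelled property or a wrong type is silently ignored or rejected by some servers; checking the body client-side keeps the audit trail of notes and resolutions consistent.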