REST API Detections
List of detections
HTTP request:

GET api/v1/detections

URL query:

Pagination:

| Parameter | Description |
|---|---|
| $top | Requests the number of items to include from the queried collection. |
| $skip | Requests the number of items to skip and not include from the queried collection. |
| $count | Enables clients to request a count of the matching resources, returned together with the resources in the response. If set to $count=1, the number of detections is returned. |

Sorting:

| Parameter | Description |
|---|---|
| $orderBy | Enables clients to request resources in ascending order using $orderBy=asc or descending order using $orderBy=desc. The default order is ascending. |

Filtering:

| Parameter | Description |
|---|---|
| $filter | Enables clients to filter the resources addressed by a request URL. The query supports the operators eq, ne, gt, ge, lt, le, and, or, and (). Operators combine with values to filter data; for instance, resolved eq 0 reports only unresolved detections. |

Example:

GET api/v1/detections?$skip=100&$orderBy=creationTime desc

For other examples, see System Query Options.
Request header: Authorization token
Request body: None
Response: JSON object with the following properties:

| Value | Description |
|---|---|
| computerId | A computer's unique identifier in the ESET Inspect Database |
| computerName | The name of the computer that raised the detection |
| computerUuid | A computer's unique identifier in the ESET Inspect Database |
| creationTime | Time of the detection |
| id | Unique detection identifier in the ESET Inspect Database |
| moduleId | Unique executable identifier in the ESET Inspect Database |
| moduleLgAge | Number of days visible in LiveGrid® |
| moduleLgPopularity | How many computers reported the executable to LiveGrid® |
| moduleLgReputation | A number from 1 to 9 indicating how safe the file is: 1–2 (red) is malicious, 3–7 (yellow) is suspicious, 8–9 (green) is safe |
| moduleName | The executable that triggered the detection |
| moduleSha1 | The hash of the executable that triggered the detection |
| moduleSignatureType | Information on if and how the file is signed, based on its return value: 90 = Trusted, 80 = Valid, 75 = AdHoc, 70 = None, 60 = Invalid |
| moduleSigner | The file signer's name, if available |
| note | Shows a note |
| priority | The detection's priority (default 0, otherwise set by the ESET Inspect Administrator) |
| processCommandLine | Shows the arguments used with the command |
| processId | Unique process identifier in the ESET Inspect Database |
| processUser | The user account logged on to the computer at the time of the detection trigger |
| resolved | True/false; whether the user marked the detection as resolved |
| ruleName | The name of the rule that triggered the detection |
| ruleId | A rule's integer ID |
| ruleUuid | A rule's UUID |
| severity | Shows the detection severity |
| severityScore | A precise severity definition: 1–39 = Info, 40–69 = Warning, 70–100 = Threat |
| threatName | The threat's name, which can be found in this list: http://www.virusradar.com/en/threat_encyclopaedia |
| threatUri | The URI (uniform resource identifier) that caused the detection to trigger |
| type | ESET type of the detection: UnknownAlarm = 0; RuleActivated = 1 (rule-based detection); MalwareFoundOnDisk = 2 (malware found on disk by Endpoint); MalwareFoundInMemory = 3 (malware found in memory by Endpoint); ExploitDetected = 4 (exploit detected by Endpoint); FirewallDetection = 5; BlockedAddress = 7 (URL blocked by firewall); CryptoBlockerDetection = 8 (CryptoBlocker detection) |
| uuid | A detection's unique identifier |
List of detections - filtering
URL query:

| Parameter | Description |
|---|---|
| $filter | Allows the user to filter detections with an expression built from the fields id, resolved and creationTime and the operators eq, ne, gt, ge, lt, le, and, or, and () |

Example:

GET api/v1/detections?$filter=resolved eq false and creationTime ge 2020-01-20T20:11:00Z
Get detection details
HTTP request:

GET api/v1/detections/{id}

URL query:

| Parameter | Description |
|---|---|
| $idType | If $idType=sha1, the {id} in the URL is interpreted as the SHA-1 hash of a module |
Request header: Authorization token
Request body: None
Response: JSON object with detection data:

| Value | Description |
|---|---|
| computerId | A computer's unique identifier in the ESET Inspect Database |
| computerName | The name of the computer that raised the detection |
| computerUuid | A computer's unique identifier in the ESET Inspect Database |
| creationTime | The time of the detection |
| handled | Shows whether action was taken against this detection |
| id | Unique detection identifier in the ESET Inspect Database |
| moduleFirstSeenLocally | When the executable was first seen on any computer |
| moduleId | An executable's unique identifier in the ESET Inspect Database |
| moduleLastExecutedLocally | When the executable was last executed on any computer |
| moduleLgAge | Number of days visible in LiveGrid® |
| moduleLgPopularity | How many computers reported the executable to LiveGrid® |
| moduleLgReputation | A number from 1 to 9 indicating how safe the file is: 1–2 (red) is malicious, 3–7 (yellow) is suspicious, 8–9 (green) is safe |
| moduleName | The executable that triggered the detection |
| moduleSha1 | The hash of the executable that triggered the detection |
| moduleSignatureType | Information on if and how the file is signed |
| moduleSigner | The file signer, if applicable |
| note | A comment |
| priority | The detection's priority (default 0, otherwise set by the ESET Inspect Administrator) |
| processCommandLine | Shows the arguments used with the command |
| processId | A process's unique identifier in the ESET Inspect Database |
| processPath | The disk path where the executable is located |
| processUser | The name of the logged-on user when the detection triggered |
| resolved | True/false; whether the user marked the detection as resolved |
| ruleName | The name of the rule that triggered the detection |
| ruleId | A rule's integer ID |
| ruleUuid | A rule's UUID |
| severity | The detection's severity |
| severityScore | A precise severity definition: 1–39 = Info, 40–69 = Warning, 70–100 = Threat |
| threatName | The threat's name, which can be found in this list: http://www.virusradar.com/en/threat_encyclopaedia |
| threatUri | The URI (uniform resource identifier) that caused the detection to trigger |
| type | ESET type of the detection: UnknownAlarm = 0; RuleActivated = 1 (rule-based detection); MalwareFoundOnDisk = 2 (malware found on disk by Endpoint); MalwareFoundInMemory = 3 (malware found in memory by Endpoint); ExploitDetected = 4 (exploit detected by Endpoint); FirewallDetection = 5; BlockedAddress = 7 (URL blocked by firewall); CryptoBlockerDetection = 8 (CryptoBlocker detection) |
| uuid | A detection's unique identifier |
Update detection
HTTP request:

PATCH api/v1/detections/{id}

URL query:

| Parameter | Description |
|---|---|
| $idType | If $idType=sha1, the {id} in the URL is interpreted as the SHA-1 hash of a module |

Request header: Authorization token

Request body: JSON object with the following properties:

| Value | Description |
|---|---|
| resolved | When set to true, the detection is marked as resolved |
| priority | Sets the detection's priority |
| note | Adds a note to the detection |
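An added example (not ESET's code) tying the three endpoints above together: it builds the list query with the documented $skip/$top/$count/$orderBy/$filter options, pages through the collection, picks out unresolved detections by severityScore band and LiveGrid reputation, and marks one resolved with the documented PATCH body. The server address, the token being sent as-is in the Authorization header and the list response being a JSON array are assumptions; the sample pages are constructed.

```python
import json
import urllib.parse
import urllib.request

# Assumptions (not from the page): server address, the token sent as-is in the
# Authorization header, and the list endpoint returning a JSON array of detections.
BASE_URL = "https://inspect.example.internal"
TOKEN = "REPLACE_WITH_TOKEN"

def list_url(skip=0, top=100, filter_expr="resolved eq false", base=BASE_URL):
    """GET api/v1/detections with the documented $skip/$top/$count/$orderBy/$filter."""
    params = {"$skip": skip, "$top": top, "$count": 1,
              "$orderBy": "creationTime desc", "$filter": filter_expr}
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return f"{base}/api/v1/detections?{query}"

def fetch_all(get, top=100, filter_expr="resolved eq false"):
    """Page with $skip until a short page; `get` does the authenticated GET and returns the JSON list."""
    items, skip = [], 0
    while True:
        page = get(list_url(skip, top, filter_expr))
        items.extend(page)
        if len(page) < top:
            return items
        skip += top

def severity_band(score):
    """severityScore bands from the table: 1-39 Info, 40-69 Warning, 70-100 Threat."""
    return "Threat" if score >= 70 else "Warning" if score >= 40 else "Info"

def needs_review(det):
    """Unresolved, and either in the Threat band or run from a file LiveGrid rates malicious (1-2)."""
    return not det.get("resolved") and (severity_band(det.get("severityScore", 0)) == "Threat"
                                        or det.get("moduleLgReputation", 9) <= 2)

def resolve(det_id, note, base=BASE_URL, token=TOKEN):
    """PATCH api/v1/detections/{id} with the documented body: mark resolved and add a note."""
    req = urllib.request.Request(f"{base}/api/v1/detections/{det_id}", method="PATCH",
                                 data=json.dumps({"resolved": True, "note": note}).encode(),
                                 headers={"Authorization": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

# Constructed sample pages shaped like the documented response (not real data).
SAMPLE_PAGES = [[{"id": 101, "resolved": False, "severityScore": 85, "moduleLgReputation": 7},
                 {"id": 102, "resolved": False, "severityScore": 30, "moduleLgReputation": 1}],
                [{"id": 103, "resolved": False, "severityScore": 55, "moduleLgReputation": 8}]]

def demo():
    """Walk the constructed pages with top=2 and return the ids needing analyst review."""
    pages = iter(SAMPLE_PAGES)
    return [d["id"] for d in fetch_all(get=lambda url: next(pages), top=2) if needs_review(d)]
```

Against a live server, pass a function that performs the GET with the Authorization header to fetch_all, then call resolve(det_id, "triaged: ...") for each id you have handled.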