Get detection
Relative path: /v1/detections/{detectionUuid}
Parameters in path
Name |
Type |
Required |
Description |
|---|---|---|---|
detectionUuid |
string |
Yes |
[Detection] reference. type: Detection |
Responses
Display Schema instead of an Example or vice-versa
Code |
Description |
Example |
Schema |
|---|---|---|---|
200 |
Successful response. |
{
"detection": {
"category": "DETECTION_CATEGORY_UNSPECIFIED",
"context": {
"circumstances": "string",
"deviceUuid": "string",
"process": {
"path": "string"
},
"userName": "string"
},
"displayName": "string",
"networkCommunication": {
"direction": "NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED",
"localIpAddress": "string",
"localPort": 0,
"protocolName": "string",
"remoteIpAddress": "string",
"remotePort": 0
},
"objectHashSha1": "string",
"objectName": "string",
"objectTypeName": "string",
"objectUrl": "string",
"occurTime": "string",
"responses": [
{
"description": "string",
"deviceRestartRequired": true,
"displayName": "string",
"protectionName": "string"
}
],
"severityLevel": "SEVERITY_LEVEL_UNSPECIFIED",
"typeName": "string",
"uuid": "string"
}
} |
{
"$ref": "incident_managementv1GetDetectionResponse",
"detection": {
"$ref": "incident_managementv1Detection",
"description": "Detection descriptor. Detections occurs in some [DetectionContext] and is followed by [DetectionResponse]s. [Detection] can be resolved what means it no longer pose security risk.",
"category": {
"$ref": "incident_managementv1DetectionCategory",
"type": "string",
"description": "Category of detection. Deprecated because offers incorrect classification of detections (based on implementation details we want to hide from users). DETECTION_CATEGORY_UNSPECIFIED: fallback DETECTION_CATEGORY_CORRELATION_RULE: When hit of correlation rule is detected. https://help.eset.com/tools/ei/ei_rules_guide_1.7.pdf - DETECTION_CATEGORY_FIREWALL_RULE: When hit of firewall rule is detected. - DETECTION_CATEGORY_ANTIVIRUS: For ThreatSense detections. - DETECTION_CATEGORY_HIPS: When host intrusion is detected. - DETECTION_CATEGORY_NETWORK_INTRUSION: When network intrusion is detected. - DETECTION_CATEGORY_HIPS_RULE: When hit of HIPS rule is detected. - DETECTION_CATEGORY_WEB_ACCESS: When access to web is detected. - DETECTION_CATEGORY_VULNERABILITY: When application vulnerability is detected. - DETECTION_CATEGORY_APPLICATION_PATCH: When application patch is detected.",
"default": "DETECTION_CATEGORY_UNSPECIFIED",
"enum": [
"DETECTION_CATEGORY_UNSPECIFIED",
"DETECTION_CATEGORY_CORRELATION_RULE",
"DETECTION_CATEGORY_FIREWALL_RULE",
"DETECTION_CATEGORY_ANTIVIRUS",
"DETECTION_CATEGORY_HIPS",
"DETECTION_CATEGORY_NETWORK_INTRUSION",
"DETECTION_CATEGORY_HIPS_RULE",
"DETECTION_CATEGORY_WEB_ACCESS",
"DETECTION_CATEGORY_VULNERABILITY",
"DETECTION_CATEGORY_APPLICATION_PATCH"
]
},
"context": {
"$ref": "v1DetectionContext",
"description": "Context of a [detection].",
"circumstances": {
"type": "string",
"description": "Human-friendly description of [detection]'s circumstances."
},
"deviceUuid": {
"title": "Reference to [device]",
"type": "string",
"description": "info: This field leads to former - Computer Name - Computer Description - Computer Tags - Group Name - IP Address type: device_management.v1.Device"
},
"process": {
"$ref": "incident_managementv1Process",
"description": "Process descriptor.",
"path": {
"type": "string",
"description": "Disk path to the executable."
}
},
"userName": {
"type": "string",
"description": "User name in whose context detection occurred. It is arbitrary string, for example on windows: https://docs.microsoft.com/en-us/windows/win32/secauthn/user-name-formats"
}
},
"displayName": {
"type": "string",
"description": "Human-friendly name of the detection. This value can be used to look up details at https://www.threatminer.org/. Examples: 'Win32/Kingsoft.B' 'Rule_name_100663' '(Blocked by )PUA blacklist'"
},
"networkCommunication": {
"$ref": "v1NetworkCommunication",
"description": "Descriptor of network communication.",
"direction": {
"$ref": "v1NetworkCommunicationDirection",
"type": "string",
"description": "Direction of network communication. NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED: fallback NETWORK_COMMUNICATION_DIRECTION_INBOUND: The direction from remote host towards local host (the device where detection occurred). NETWORK_COMMUNICATION_DIRECTION_OUTBOUND: The direction from local host (the device where detection occurred) towards remote host.",
"default": "NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED",
"enum": [
"NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED",
"NETWORK_COMMUNICATION_DIRECTION_INBOUND",
"NETWORK_COMMUNICATION_DIRECTION_OUTBOUND"
]
},
"localIpAddress": {
"type": "string",
"description": "IPv4 or IPv6 address of the device (i.e. the device where detection occurred). From device's point of view, the local side is always the device's side. The remote side is not on the device. That is irrespective of communication direction."
},
"localPort": {
"type": "integer",
"description": "TCP or UDP port on the device (i.e. the device where detection occurred). From device's point of view, the local side is always the device's side. The remote side is not on the device. That is irrespective of communication direction.",
"format": "int64"
},
"protocolName": {
"type": "string",
"description": "Human readable name of the protocol used to communicate between local and remote hosts."
},
"remoteIpAddress": {
"type": "string",
"description": "IPv4 or IPv6 address of the remote host (i.e. not the device where detection occurred). From device's point of view, the local side is always the device's side. The remote side is not on the device. That is irrespective of communication direction."
},
"remotePort": {
"type": "integer",
"description": "TCP or UDP port on the remote host (i.e. not the device where detection occurred). From device's point of view, the local side is always the device's side. The remote side is not on the device. That is irrespective of communication direction.",
"format": "int64"
}
},
"objectHashSha1": {
"type": "string",
"description": "SHA1 hash of content of scanned object."
},
"objectName": {
"type": "string",
"description": "Name/path of scanned object. Examples: 'http://roxlock.com' 'eicar.com'"
},
"objectTypeName": {
"title": "Human-friendly type name of scanned object",
"type": "string",
"description": "Examples: 'File' 'Memory'"
},
"objectUrl": {
"type": "string",
"description": "URL (uniform resource locator) of scanned object."
},
"occurTime": {
"type": "string",
"description": "Timestamp of detection occurrence. info: Named by using google naming convention: https://cloud.google.com/apis/design/naming_convention#time_and_duration",
"format": "date-time"
},
"responses": [
{
"$ref": "incident_managementv1DetectionResponse",
"description": {
"type": "string",
"description": "Human-readable description of the response."
},
"deviceRestartRequired": {
"type": "boolean",
"description": "Response needs restart of the device to be completed."
},
"displayName": {
"type": "string",
"description": "Human-friendly name of the response."
},
"protectionName": {
"type": "string",
"description": "Human-readable name of the protection that performed the response."
}
}
],
"severityLevel": {
"$ref": "dotnodincident_managementv1SeverityLevel",
"type": "string",
"description": "Severity levels abstracted to cover all the possible GUIs. Vocabulary is leaving interpretation of severity level completely to API client. info: This approach is inevitable on the SIEM level as many contributing sources exist. Keeping the local names for severity levels never fits all the GUIs. SEVERITY_LEVEL_UNSPECIFIED: fallback SEVERITY_LEVEL_DIAGNOSTIC: In some GUIs known Debug SEVERITY_LEVEL_INFORMATIONAL: In some GUIs known as Info or Information SEVERITY_LEVEL_LOW: In some GUIs known Warning SEVERITY_LEVEL_MEDIUM: In some GUIs known as Error or Threat SEVERITY_LEVEL_HIGH: In some GUIs known as Critical",
"default": "SEVERITY_LEVEL_UNSPECIFIED",
"enum": [
"SEVERITY_LEVEL_UNSPECIFIED",
"SEVERITY_LEVEL_DIAGNOSTIC",
"SEVERITY_LEVEL_INFORMATIONAL",
"SEVERITY_LEVEL_LOW",
"SEVERITY_LEVEL_MEDIUM",
"SEVERITY_LEVEL_HIGH"
]
},
"typeName": {
"type": "string",
"description": "Human-friendly type of detection. Examples: 'Potentially unwanted application' 'Trojan' 'Test file' 'TCP Port scanning attack' Deprecated in favor of enumerated type."
},
"uuid": {
"type": "string",
"description": "Universally Unique Identifier References use this identifier so it must be filled in all the cases except resource creation. Compliant with RFC 4122: A Universally Unique IDentifier (UUID) URN Namespace Formatted according to template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on wikipedia. For example: '123e4567-e89b-12d3-a456-426614174000'"
}
}
} |
202 |
Response took too long; request cached. Response can be retrieved later using the response-id header. |
null |
[] |
400 |
One of the errors: 1. Bad or missing authorization. 2. Validation error. Invalid argument provided. |
null |
[] |
401 |
Token has expired or is invalid. |
null |
[] |
403 |
Access denied. Check permissions. |
null |
[] |
404 |
Requested resource not found. |
null |
[] |
429 |
Rate limit reached. Try again later. |
null |
[] |
500 |
Internal server failure. Try again later. |
null |
[] |
502 |
Internal server failure. Try again later. |
null |
[] |
503 |
Environment under maintenance. Try again later. |
null |
[] |
504 |
Action took too long; timeout reached |
null |
[] |