Get detection
Relative path: /v1/detections/{detectionUuid}
Parameters in path

Name | Type | Required | Description |
---|---|---|---|
detectionUuid | string | Yes | Reference to a [detection]. Type: Detection. Treat the value as an opaque identifier (see `detection.uuid` in the response schema). |
Responses
Code | Description |
---|---|
200 | Successful response. |
202 | Response took too long; the request was cached. The response can be retrieved later using the `response-id` header. |
400 | One of the errors: 1. Bad or missing authorization. 2. Validation error (invalid argument provided). |
401 | Token has expired or is invalid. |
403 | Access denied. Check permissions. |
404 | Requested resource not found. |
429 | Rate limit reached. Try again later. |
500 | Internal server failure. Try again later. |
502 | Internal server failure. Try again later. |
503 | Environment under maintenance. Try again later. |
504 | Action took too long; timeout reached. |

Only the 200 response carries a body; the other codes return no example and no schema.

Example response (200):

```json
{
  "detection": {
    "category": "DETECTION_CATEGORY_UNSPECIFIED",
    "context": {
      "circumstances": "string",
      "deviceUuid": "string",
      "process": { "path": "string" },
      "userName": "string"
    },
    "displayName": "string",
    "networkCommunication": {
      "direction": "NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED",
      "localIpAddress": "string",
      "localPort": 0,
      "protocolName": "string",
      "remoteIpAddress": "string",
      "remotePort": 0
    },
    "objectHashSha1": "string",
    "objectName": "string",
    "objectTypeName": "string",
    "objectUrl": "string",
    "occurTime": "string",
    "responses": [
      {
        "description": "string",
        "deviceRestartRequired": true,
        "displayName": "string",
        "protectionName": "string"
      }
    ],
    "severityLevel": "SEVERITY_LEVEL_UNSPECIFIED",
    "typeName": "string",
    "uuid": "string"
  }
}
```

Response schema (200): incident_management.v1.GetDetectionResponse, with the single field `detection`.

Field | Type | Description |
---|---|---|
detection | Detection | Descriptor of one specific detection occurrence. A detection occurs in some [DetectionContext] and is followed by [DetectionResponse]s. A [Detection] can be resolved, which means it no longer poses a security risk. |
detection.category | DetectionCategory (string enum, default DETECTION_CATEGORY_UNSPECIFIED) | Deprecated. Category of the detection: DETECTION_CATEGORY_UNSPECIFIED (fallback); DETECTION_CATEGORY_CORRELATION_RULE (hit of an EDR rule; see the ESET Inspect On-Prem Rules guide); DETECTION_CATEGORY_FIREWALL_RULE (hit of a firewall rule); DETECTION_CATEGORY_ANTIVIRUS (ThreatSense detections); DETECTION_CATEGORY_HIPS (host intrusion detected); DETECTION_CATEGORY_NETWORK_INTRUSION (network intrusion detected); DETECTION_CATEGORY_HIPS_RULE (hit of a HIPS rule); DETECTION_CATEGORY_WEB_ACCESS (access to the web detected); DETECTION_CATEGORY_VULNERABILITY (application vulnerability detected); DETECTION_CATEGORY_APPLICATION_PATCH (application patch detected); DETECTION_CATEGORY_SUSPICIOUS_ACTIVITY (suspicious activity detected). |
detection.context | DetectionContext | Context of the [detection]. |
detection.context.circumstances | string | Human-friendly description of the detection's circumstances. |
detection.context.deviceUuid | string | Reference to the [device] (type: device_management.v1.Device) on which the detection occurred. Device details must be fetched from device management; this reference leads to the former Computer Name, Computer Description, Computer Tags, Group Name and IP Address fields. |
detection.context.process | Process | Process descriptor. |
detection.context.process.path | string | Disk path to the executable. |
detection.context.userName | string | User name in whose context the detection occurred. It is an arbitrary string; on Windows, see User Name Formats in the Windows App Development documentation. |
detection.displayName | string | Human-friendly name of the detection. This value can be used to look up details at Threatminer. Examples: 'Win32/Kingsoft.B', 'Rule_name_100663', '(Blocked by) PUA blacklist'. |
detection.networkCommunication | NetworkCommunication | Descriptor of network communication. In every field below, the local side is the device where the detection occurred and the remote side is the other host, irrespective of communication direction. |
detection.networkCommunication.direction | NetworkCommunicationDirection (string enum, default NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED) | NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED (fallback); NETWORK_COMMUNICATION_DIRECTION_INBOUND (from the remote host towards the local host); NETWORK_COMMUNICATION_DIRECTION_OUTBOUND (from the local host towards the remote host). |
detection.networkCommunication.localIpAddress | string | IPv4 or IPv6 address of the device. |
detection.networkCommunication.localPort | integer (int64) | TCP or UDP port on the device. |
detection.networkCommunication.protocolName | string | Human-readable name of the protocol used to communicate between the local and remote hosts. |
detection.networkCommunication.remoteIpAddress | string | IPv4 or IPv6 address of the remote host. |
detection.networkCommunication.remotePort | integer (int64) | TCP or UDP port on the remote host. |
detection.objectHashSha1 | string | SHA-1 hash of the content of the scanned object. |
detection.objectName | string | Name/path of the scanned object. Examples: 'http://roxlock.com', 'eicar.com'. |
detection.objectTypeName | string | Human-friendly type name of the scanned object. Examples: 'File', 'Memory'. |
detection.objectUrl | string | URL (uniform resource locator) of the scanned object. |
detection.occurTime | string (date-time) | Timestamp of detection occurrence. Named using the Google naming convention for Time and Duration. |
detection.responses | array of DetectionResponse | Responses that followed the detection. |
detection.responses[].description | string | Human-readable description of the response. |
detection.responses[].deviceRestartRequired | boolean | The response needs a restart of the device to be completed. |
detection.responses[].displayName | string | Human-friendly name of the response. |
detection.responses[].protectionName | string | Human-readable name of the protection that performed the response. |
detection.severityLevel | SeverityLevel (string enum, default SEVERITY_LEVEL_UNSPECIFIED) | Severity levels abstracted to cover all possible GUIs; the vocabulary leaves interpretation of the severity level entirely to the API client. This is inevitable at the SIEM level, where many contributing sources exist and keeping local severity names never fits all GUIs. SEVERITY_LEVEL_UNSPECIFIED: fallback; SEVERITY_LEVEL_DIAGNOSTIC: known as Debug in some GUIs; SEVERITY_LEVEL_INFORMATIONAL: Info or Information; SEVERITY_LEVEL_LOW: Warning; SEVERITY_LEVEL_MEDIUM: Error or Threat; SEVERITY_LEVEL_HIGH: Critical. |
detection.typeName | string | Deprecated in favor of an enumerated type. Human-friendly type of the detection. Examples: 'Potentially unwanted application', 'Trojan', 'Test file', 'TCP Port scanning attack'. |
detection.uuid | string | Unique identifier of the entity. Must be collision-free: two identifiers created anywhere in the world must not collide within the entity's parent scope; unless the entity is a member of an aggregate, its scope is always global. Although most of the time compliant with RFC 4122 (A Universally Unique IDentifier (UUID) URN Namespace), do not rely on it being an RFC UUID; treat it as an opaque identifier. An RFC UUID can be recognized by the template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on Wikipedia. The UUID is used for referencing an entity, even across domains. Example: '123e4567-e89b-12d3-a456-426614174000'. |
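The following client is an added example for this endpoint and is not ESET's own code. It shows the handling a SIEM integration needs around `GET /v1/detections/{detectionUuid}`: the identifier is percent-encoded as a single path segment because the schema declares it opaque, the GUI-neutral `severityLevel` vocabulary is ranked by the client (the API leaves interpretation to the caller), a 202 is surfaced as a deferred result carrying the `response-id` header rather than treated as failure, and the documented error codes are split into retryable and non-retryable. Assumptions not stated on this page: the base URL, a bearer token in the `Authorization` header, and the endpoint for retrieving a cached 202 response (not modelled here). The sample detection and the `fake_transport` routing are constructed so the code runs offline; swap in a real HTTP call with the same `(method, url, headers)` signature for production.

```python
"""Client for GET /v1/detections/{detectionUuid}: added example, not ESET's own code."""
from __future__ import annotations

import json
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Mapping

# Ranks for the GUI-neutral severity vocabulary so a SIEM can sort and threshold.
# The API leaves interpretation to the client; this ordering is the client's choice.
SEVERITY_RANK = {
    "SEVERITY_LEVEL_UNSPECIFIED": 0, "SEVERITY_LEVEL_DIAGNOSTIC": 1,
    "SEVERITY_LEVEL_INFORMATIONAL": 2, "SEVERITY_LEVEL_LOW": 3,
    "SEVERITY_LEVEL_MEDIUM": 4, "SEVERITY_LEVEL_HIGH": 5,
}
# Error descriptions as documented for this endpoint; anything else is unexpected.
STATUS_TEXT = {
    400: "bad or missing authorization, or validation error",
    401: "token has expired or is invalid", 403: "access denied, check permissions",
    404: "requested resource not found", 429: "rate limit reached, try again later",
    500: "internal server failure", 502: "internal server failure",
    503: "environment under maintenance", 504: "action took too long, timeout reached",
}
RETRYABLE = {429, 500, 502, 503, 504}


@dataclass
class HttpResponse:
    status: int
    headers: Mapping[str, str]
    body: bytes


# (method, url, request headers) -> HttpResponse; injected so the example runs offline.
Transport = Callable[[str, str, Mapping[str, str]], HttpResponse]


class ApiError(Exception):
    def __init__(self, status: int, message: str, retryable: bool):
        super().__init__(f"HTTP {status}: {message}")
        self.status, self.retryable = status, retryable


@dataclass
class Deferred:
    """202: the server cached the request; retrieve it later with this response-id."""
    response_id: str


@dataclass
class DetectionSummary:
    uuid: str
    display_name: str
    severity: str
    severity_rank: int
    device_uuid: str          # resolve via device management, not carried here
    occur_time: str
    object_name: str
    object_sha1: str
    remote_endpoint: str | None
    restart_required: bool


def detection_url(base_url: str, detection_uuid: str) -> str:
    """The uuid is opaque per the schema, so it is encoded as exactly one path
    segment: a value containing '/' or '..' cannot reach a different path."""
    if not detection_uuid:
        raise ValueError("detectionUuid must not be empty")
    return f"{base_url.rstrip('/')}/v1/detections/{urllib.parse.quote(detection_uuid, safe='')}"


def summarize(d: dict) -> DetectionSummary:
    """Flatten the Detection object into the fields a SIEM record needs."""
    severity = d.get("severityLevel", "SEVERITY_LEVEL_UNSPECIFIED")
    net = d.get("networkCommunication") or {}
    remote = f"{net['remoteIpAddress']}:{net.get('remotePort', 0)}" if net.get("remoteIpAddress") else None
    return DetectionSummary(
        uuid=d["uuid"], display_name=d.get("displayName", ""), severity=severity,
        severity_rank=SEVERITY_RANK.get(severity, 0),  # unknown enum values rank as unspecified
        device_uuid=d.get("context", {}).get("deviceUuid", ""),
        occur_time=d.get("occurTime", ""), object_name=d.get("objectName", ""),
        object_sha1=d.get("objectHashSha1", "").lower(), remote_endpoint=remote,
        restart_required=any(r.get("deviceRestartRequired") for r in d.get("responses", [])),
    )


def get_detection(base_url: str, token: str, detection_uuid: str,
                  send: Transport) -> DetectionSummary | Deferred:
    # Assumption: the API takes a bearer token; the page does not name the header.
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    resp = send("GET", detection_url(base_url, detection_uuid), headers)
    if resp.status == 200:
        return summarize(json.loads(resp.body)["detection"])
    if resp.status == 202:
        rid = next((v for k, v in resp.headers.items() if k.lower() == "response-id"), None)
        if not rid:
            raise ApiError(202, "accepted but no response-id header to retrieve it with", False)
        return Deferred(rid)
    raise ApiError(resp.status, STATUS_TEXT.get(resp.status, "unexpected status"),
                   resp.status in RETRYABLE)


# Constructed sample data (not from a real tenant) and a fake transport for offline runs.
SAMPLE_UUID = "d9c1f0b2-6b7e-4f0a-8c3d-2e1f0a9b8c7d"
SAMPLE_DETECTION = {"detection": {
    "category": "DETECTION_CATEGORY_ANTIVIRUS",
    "context": {"circumstances": "Event occurred on a newly created file.",
                "deviceUuid": "a6a1c7e2-3f5b-4c1a-9b0e-1d2f3a4b5c6d",
                "process": {"path": "C:\\Windows\\explorer.exe"}, "userName": "CORP\\jdoe"},
    "displayName": "Eicar", "networkCommunication": {},
    "objectHashSha1": "3395856CE81F2B7382DEE72602F798B642F14140",
    "objectName": "C:\\Users\\jdoe\\Downloads\\eicar.com", "objectTypeName": "File",
    "objectUrl": "", "occurTime": "2024-05-01T10:15:30Z",
    "responses": [{"description": "cleaned by deleting", "deviceRestartRequired": False,
                   "displayName": "Cleaned by deleting",
                   "protectionName": "Real-time file system protection"}],
    "severityLevel": "SEVERITY_LEVEL_MEDIUM", "typeName": "Test file", "uuid": SAMPLE_UUID,
}}


def fake_transport(method: str, url: str, headers: Mapping[str, str]) -> HttpResponse:
    """Stand-in for the network; routes on the last path segment."""
    if "Authorization" not in headers:
        return HttpResponse(400, {}, b"")
    segment = url.rsplit("/", 1)[-1]
    if segment == SAMPLE_UUID:
        return HttpResponse(200, {"Content-Type": "application/json"},
                            json.dumps(SAMPLE_DETECTION).encode())
    if segment == "slow":
        return HttpResponse(202, {"Response-Id": "resp-42"}, b"")
    if segment == "busy":
        return HttpResponse(429, {}, b"")
    return HttpResponse(404, {}, b"")


if __name__ == "__main__":
    print(get_detection("https://api.example", "tok", SAMPLE_UUID, fake_transport))
    print(get_detection("https://api.example", "tok", "slow", fake_transport))
```

`ApiError.retryable` is what a poller should key on: 429 and the 5xx codes are documented as "try again later", while 400, 401, 403 and 404 will not change on retry and should be logged as configuration or authorization problems instead.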