ESET Online Help

Search
Select the category
Select the topic

GET Get detection

Relative path: /v1/detections/{detectionUuid}

Parameters in path

Name

Type

Required

Description

detectionUuid

string

Yes

[Detection] reference.

type: Detection



Responses

Display Schema instead of an Example or vice-versa

Code

Description

Example

Schema

200

Successful response.

{
  "detection": {
    "category": "DETECTION_CATEGORY_UNSPECIFIED",
    "context": {
      "circumstances": "string",
      "deviceUuid": "string",
      "process": {
        "path": "string"
      },
      "userName": "string"
    },
    "displayName": "string",
    "networkCommunication": {
      "direction": "NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED",
      "localIpAddress": "string",
      "localPort": 0,
      "protocolName": "string",
      "remoteIpAddress": "string",
      "remotePort": 0
    },
    "objectHashSha1": "string",
    "objectName": "string",
    "objectTypeName": "string",
    "objectUrl": "string",
    "occurTime": "string",
    "responses": [
      {
        "description": "string",
        "deviceRestartRequired": true,
        "displayName": "string",
        "protectionName": "string"
      }
    ],
    "severityLevel": "SEVERITY_LEVEL_UNSPECIFIED",
    "typeName": "string",
    "uuid": "string"
  }
}
{
  "$ref": "incident_managementv1GetDetectionResponse",
  "detection": {
    "$ref": "incident_managementv1Detection",
    "description": "Descriptor of one particular detection occurrence. Detections occurs in some [DetectionContext] and is followed by [DetectionResponse]s. [Detection] can be resolved what means it no longer pose security risk.",
    "category": {
      "$ref": "incident_managementv1DetectionCategory",
      "type": "string",
      "description": "Category of detection. Deprecated. DETECTION_CATEGORY_UNSPECIFIED: fallback DETECTION_CATEGORY_CORRELATION_RULE: When hit of EDR rule is detected. https://help.eset.com/ei_rules/latest/en-US/ - DETECTION_CATEGORY_FIREWALL_RULE: When hit of firewall rule is detected. - DETECTION_CATEGORY_ANTIVIRUS: For ThreatSense detections. - DETECTION_CATEGORY_HIPS: When host intrusion is detected. - DETECTION_CATEGORY_NETWORK_INTRUSION: When network intrusion is detected. - DETECTION_CATEGORY_HIPS_RULE: When hit of HIPS rule is detected. - DETECTION_CATEGORY_WEB_ACCESS: When access to web is detected. - DETECTION_CATEGORY_VULNERABILITY: When application vulnerability is detected. - DETECTION_CATEGORY_APPLICATION_PATCH: When application patch is detected. - DETECTION_CATEGORY_SUSPICIOUS_ACTIVITY: When suspicious activity is detected.",
      "default": "DETECTION_CATEGORY_UNSPECIFIED",
      "enum": [
        "DETECTION_CATEGORY_UNSPECIFIED",
        "DETECTION_CATEGORY_CORRELATION_RULE",
        "DETECTION_CATEGORY_FIREWALL_RULE",
        "DETECTION_CATEGORY_ANTIVIRUS",
        "DETECTION_CATEGORY_HIPS",
        "DETECTION_CATEGORY_NETWORK_INTRUSION",
        "DETECTION_CATEGORY_HIPS_RULE",
        "DETECTION_CATEGORY_WEB_ACCESS",
        "DETECTION_CATEGORY_VULNERABILITY",
        "DETECTION_CATEGORY_APPLICATION_PATCH",
        "DETECTION_CATEGORY_SUSPICIOUS_ACTIVITY"
      ]
    },
    "context": {
      "$ref": "v1DetectionContext",
      "description": "Context of a [detection].",
      "circumstances": {
        "type": "string",
        "description": "Human-friendly description of [detection]'s circumstances."
      },
      "deviceUuid": {
        "type": "string",
        "description": "Reference to a [device] with detection. Device details must be fetched from device management. Info: This field leads to former - Computer Name - Computer Description - Computer Tags - Group Name - IP Address type: device_management.v1.Device"
      },
      "process": {
        "$ref": "incident_managementv1Process",
        "description": "Process descriptor.",
        "path": {
          "type": "string",
          "description": "Disk path to the executable."
        }
      },
      "userName": {
        "type": "string",
        "description": "User name in whose context detection occurred. It is an arbitrary string, for example on windows: https://docs.microsoft.com/en-us/windows/win32/secauthn/user-name-formats"
      }
    },
    "displayName": {
      "type": "string",
      "description": "Human-friendly name of the detection. This value can be used to look up details at https://www.threatminer.org/. Examples: 'Win32/Kingsoft.B' 'Rule_name_100663' '(Blocked by )PUA blacklist'"
    },
    "networkCommunication": {
      "$ref": "v1NetworkCommunication",
      "description": "Descriptor of network communication.",
      "direction": {
        "$ref": "v1NetworkCommunicationDirection",
        "type": "string",
        "description": "Direction of network communication. NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED: fallback NETWORK_COMMUNICATION_DIRECTION_INBOUND: The direction from remote host towards local host (the device where detection occurred). NETWORK_COMMUNICATION_DIRECTION_OUTBOUND: The direction from local host (the device where detection occurred) towards remote host.",
        "default": "NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED",
        "enum": [
          "NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED",
          "NETWORK_COMMUNICATION_DIRECTION_INBOUND",
          "NETWORK_COMMUNICATION_DIRECTION_OUTBOUND"
        ]
      },
      "localIpAddress": {
        "type": "string",
        "description": "IPv4 or IPv6 address of the device (i.e. the device where detection occurred). From device's point of view, the local side is always the device's side. The remote side is not on the device. That is irrespective of communication direction."
      },
      "localPort": {
        "type": "integer",
        "description": "TCP or UDP port on the device (i.e. the device where detection occurred). From device's point of view, the local side is always the device's side. The remote side is not on the device. That is irrespective of communication direction.",
        "format": "int64"
      },
      "protocolName": {
        "type": "string",
        "description": "Human readable name of the protocol used to communicate between local and remote hosts."
      },
      "remoteIpAddress": {
        "type": "string",
        "description": "IPv4 or IPv6 address of the remote host (i.e. not the device where detection occurred). From device's point of view, the local side is always the device's side. The remote side is not on the device. That is irrespective of communication direction."
      },
      "remotePort": {
        "type": "integer",
        "description": "TCP or UDP port on the remote host (i.e. not the device where detection occurred). From device's point of view, the local side is always the device's side. The remote side is not on the device. That is irrespective of communication direction.",
        "format": "int64"
      }
    },
    "objectHashSha1": {
      "type": "string",
      "description": "SHA1 hash of content of scanned object."
    },
    "objectName": {
      "type": "string",
      "description": "Name/path of scanned object. Examples: 'http://roxlock.com' 'eicar.com'"
    },
    "objectTypeName": {
      "title": "Human-friendly type name of scanned object",
      "type": "string",
      "description": "Examples: 'File' 'Memory'"
    },
    "objectUrl": {
      "type": "string",
      "description": "URL (uniform resource locator) of scanned object."
    },
    "occurTime": {
      "type": "string",
      "description": "Timestamp of detection occurrence. Info: Named by using google naming convention: https://cloud.google.com/apis/design/naming_convention#time_and_duration",
      "format": "date-time"
    },
    "responses": [
      {
        "$ref": "incident_managementv1DetectionResponse",
        "description": {
          "type": "string",
          "description": "Human-readable description of the response."
        },
        "deviceRestartRequired": {
          "type": "boolean",
          "description": "Response needs restart of the device to be completed."
        },
        "displayName": {
          "type": "string",
          "description": "Human-friendly name of the response."
        },
        "protectionName": {
          "type": "string",
          "description": "Human-readable name of the protection that performed the response."
        }
      }
    ],
    "severityLevel": {
      "$ref": "dotnodincident_managementv1SeverityLevel",
      "type": "string",
      "description": "Severity levels abstracted to cover all the possible GUIs. Vocabulary is leaving interpretation of severity level completely to API client. info: This approach is inevitable on the SIEM level as many contributing sources exist. Keeping the local names for severity levels never fits all the GUIs. SEVERITY_LEVEL_UNSPECIFIED: fallback SEVERITY_LEVEL_DIAGNOSTIC: In some GUIs known Debug SEVERITY_LEVEL_INFORMATIONAL: In some GUIs known as Info or Information SEVERITY_LEVEL_LOW: In some GUIs known Warning SEVERITY_LEVEL_MEDIUM: In some GUIs known as Error or Threat SEVERITY_LEVEL_HIGH: In some GUIs known as Critical",
      "default": "SEVERITY_LEVEL_UNSPECIFIED",
      "enum": [
        "SEVERITY_LEVEL_UNSPECIFIED",
        "SEVERITY_LEVEL_DIAGNOSTIC",
        "SEVERITY_LEVEL_INFORMATIONAL",
        "SEVERITY_LEVEL_LOW",
        "SEVERITY_LEVEL_MEDIUM",
        "SEVERITY_LEVEL_HIGH"
      ]
    },
    "typeName": {
      "type": "string",
      "description": "Human-friendly type of detection. Examples: 'Potentially unwanted application' 'Trojan' 'Test file' 'TCP Port scanning attack' Deprecated in favor of enumerated type."
    },
    "uuid": {
      "type": "string",
      "description": "Unique identifier of the entity. Must be collision free - two identifiers created anywhere in the world must not collide within entity parent scope. Unless a member of aggregate, the entity scope is always global. Although most of the times compliant with RFC 4122: A Universally Unique IDentifier (UUID) URN Namespace, do not rely on it being a RFC UUID. Treat it as an opaque identifier. RFC UUID can be recognized by being formatted according to template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on wikipedia. UUID is used for referencing an entity, even across domains. Example: '123e4567-e89b-12d3-a456-426614174000'"
    }
  }
}

202

Response took too long; request cached. Response can be retrieved later using the response-id header.

null
[]

400

One of the errors: 1. Bad or missing authorization. 2. Validation error. Invalid argument provided.

null
[]

401

Token has expired or is invalid.

null
[]

403

Access denied. Check permissions.

null
[]

404

Requested resource not found.

null
[]

429

Rate limit reached. Try again later.

null
[]

500

Internal server failure. Try again later.

null
[]

502

Internal server failure. Try again later.

null
[]

503

Environment under maintenance. Try again later.

null
[]

504

Action took too long; timeout reached

null
[]