ESET Online Help


GET Get list of detections

Relative path: /v1/detections

Returns the list of all [detection]s matching the given criteria.

Query parameters

deviceUuid (string)
Include only [detections] that occurred on the referenced [device].
type: device_management.v1.Device

endTime (string)
Include only incidents whose detections occurred before end_time (exclusive): detection.occur_time < end_time
info: https://cloud.google.com/apis/design/design_patterns#representing_ranges

startTime (string)
Include only incidents whose detections occurred after start_time (inclusive): detection.occur_time >= start_time
info: https://cloud.google.com/apis/design/design_patterns#representing_ranges

pageSize (integer)
Limit for pagination purposes.
info: For more information, refer to Paginating Requests in APIs or https://cloud.google.com/apis/design/design_patterns#list_pagination

pageToken (string)
Page token of the current page.
info: For more information, refer to Paginating Requests in APIs or https://cloud.google.com/apis/design/design_patterns#list_pagination



Responses

200: Successful response.

Example:
{
  "detections": [
    {
      "category": "DETECTION_CATEGORY_UNSPECIFIED",
      "context": {
        "circumstances": "string",
        "deviceUuid": "string",
        "process": {
          "path": "string"
        },
        "userName": "string"
      },
      "displayName": "string",
      "networkCommunication": {
        "direction": "NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED",
        "localIpAddress": "string",
        "localPort": 0,
        "protocolName": "string",
        "remoteIpAddress": "string",
        "remotePort": 0
      },
      "objectHashSha1": "string",
      "objectName": "string",
      "objectTypeName": "string",
      "objectUrl": "string",
      "occurTime": "string",
      "responses": [
        {
          "description": "string",
          "deviceRestartRequired": true,
          "displayName": "string",
          "protectionName": "string"
        }
      ],
      "severityLevel": "SEVERITY_LEVEL_UNSPECIFIED",
      "typeName": "string",
      "uuid": "string"
    }
  ],
  "nextPageToken": "string",
  "totalSize": 0
}

Schema:
{
  "$ref": "incident_managementv1ListDetectionsResponse",
  "detections": [
    {
      "$ref": "incident_managementv1Detection",
      "description": "Detection descriptor. Detections occurs in some [DetectionContext] and is followed by [DetectionResponse]s. [Detection] can be resolved what means it no longer pose security risk.",
      "category": {
        "$ref": "incident_managementv1DetectionCategory",
        "type": "string",
        "description": "Category of detection. Deprecated because offers incorrect classification of detections (based on implementation details we want to hide from users). DETECTION_CATEGORY_UNSPECIFIED: fallback DETECTION_CATEGORY_CORRELATION_RULE: When hit of correlation rule is detected. https://help.eset.com/tools/ei/ei_rules_guide_1.7.pdf - DETECTION_CATEGORY_FIREWALL_RULE: When hit of firewall rule is detected. - DETECTION_CATEGORY_ANTIVIRUS: For ThreatSense detections. - DETECTION_CATEGORY_HIPS: When host intrusion is detected. - DETECTION_CATEGORY_NETWORK_INTRUSION: When network intrusion is detected. - DETECTION_CATEGORY_HIPS_RULE: When hit of HIPS rule is detected. - DETECTION_CATEGORY_WEB_ACCESS: When access to web is detected. - DETECTION_CATEGORY_VULNERABILITY: When application vulnerability is detected. - DETECTION_CATEGORY_APPLICATION_PATCH: When application patch is detected.",
        "default": "DETECTION_CATEGORY_UNSPECIFIED",
        "enum": [
          "DETECTION_CATEGORY_UNSPECIFIED",
          "DETECTION_CATEGORY_CORRELATION_RULE",
          "DETECTION_CATEGORY_FIREWALL_RULE",
          "DETECTION_CATEGORY_ANTIVIRUS",
          "DETECTION_CATEGORY_HIPS",
          "DETECTION_CATEGORY_NETWORK_INTRUSION",
          "DETECTION_CATEGORY_HIPS_RULE",
          "DETECTION_CATEGORY_WEB_ACCESS",
          "DETECTION_CATEGORY_VULNERABILITY",
          "DETECTION_CATEGORY_APPLICATION_PATCH"
        ]
      },
      "context": {
        "$ref": "v1DetectionContext",
        "description": "Context of a [detection].",
        "circumstances": {
          "type": "string",
          "description": "Human-friendly description of [detection]'s circumstances."
        },
        "deviceUuid": {
          "title": "Reference to [device]",
          "type": "string",
          "description": "info: This field leads to former - Computer Name - Computer Description - Computer Tags - Group Name - IP Address type: device_management.v1.Device"
        },
        "process": {
          "$ref": "incident_managementv1Process",
          "description": "Process descriptor.",
          "path": {
            "type": "string",
            "description": "Disk path to the executable."
          }
        },
        "userName": {
          "type": "string",
          "description": "User name in whose context detection occurred. It is arbitrary string, for example on windows: https://docs.microsoft.com/en-us/windows/win32/secauthn/user-name-formats"
        }
      },
      "displayName": {
        "type": "string",
        "description": "Human-friendly name of the detection. This value can be used to look up details at https://www.threatminer.org/. Examples: 'Win32/Kingsoft.B' 'Rule_name_100663' '(Blocked by )PUA blacklist'"
      },
      "networkCommunication": {
        "$ref": "v1NetworkCommunication",
        "description": "Descriptor of network communication.",
        "direction": {
          "$ref": "v1NetworkCommunicationDirection",
          "type": "string",
          "description": "Direction of network communication. NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED: fallback NETWORK_COMMUNICATION_DIRECTION_INBOUND: The direction from remote host towards local host (the device where detection occurred). NETWORK_COMMUNICATION_DIRECTION_OUTBOUND: The direction from local host (the device where detection occurred) towards remote host.",
          "default": "NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED",
          "enum": [
            "NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED",
            "NETWORK_COMMUNICATION_DIRECTION_INBOUND",
            "NETWORK_COMMUNICATION_DIRECTION_OUTBOUND"
          ]
        },
        "localIpAddress": {
          "type": "string",
          "description": "IPv4 or IPv6 address of the device (i.e. the device where detection occurred). From device's point of view, the local side is always the device's side. The remote side is not on the device. That is irrespective of communication direction."
        },
        "localPort": {
          "type": "integer",
          "description": "TCP or UDP port on the device (i.e. the device where detection occurred). From device's point of view, the local side is always the device's side. The remote side is not on the device. That is irrespective of communication direction.",
          "format": "int64"
        },
        "protocolName": {
          "type": "string",
          "description": "Human readable name of the protocol used to communicate between local and remote hosts."
        },
        "remoteIpAddress": {
          "type": "string",
          "description": "IPv4 or IPv6 address of the remote host (i.e. not the device where detection occurred). From device's point of view, the local side is always the device's side. The remote side is not on the device. That is irrespective of communication direction."
        },
        "remotePort": {
          "type": "integer",
          "description": "TCP or UDP port on the remote host (i.e. not the device where detection occurred). From device's point of view, the local side is always the device's side. The remote side is not on the device. That is irrespective of communication direction.",
          "format": "int64"
        }
      },
      "objectHashSha1": {
        "type": "string",
        "description": "SHA1 hash of content of scanned object."
      },
      "objectName": {
        "type": "string",
        "description": "Name/path of scanned object. Examples: 'http://roxlock.com' 'eicar.com'"
      },
      "objectTypeName": {
        "title": "Human-friendly type name of scanned object",
        "type": "string",
        "description": "Examples: 'File' 'Memory'"
      },
      "objectUrl": {
        "type": "string",
        "description": "URL (uniform resource locator) of scanned object."
      },
      "occurTime": {
        "type": "string",
        "description": "Timestamp of detection occurrence. info: Named by using google naming convention: https://cloud.google.com/apis/design/naming_convention#time_and_duration",
        "format": "date-time"
      },
      "responses": [
        {
          "$ref": "incident_managementv1DetectionResponse",
          "description": {
            "type": "string",
            "description": "Human-readable description of the response."
          },
          "deviceRestartRequired": {
            "type": "boolean",
            "description": "Response needs restart of the device to be completed."
          },
          "displayName": {
            "type": "string",
            "description": "Human-friendly name of the response."
          },
          "protectionName": {
            "type": "string",
            "description": "Human-readable name of the protection that performed the response."
          }
        }
      ],
      "severityLevel": {
        "$ref": "dotnodincident_managementv1SeverityLevel",
        "type": "string",
        "description": "Severity levels abstracted to cover all the possible GUIs. Vocabulary is leaving interpretation of severity level completely to API client. info: This approach is inevitable on the SIEM level as many contributing sources exist. Keeping the local names for severity levels never fits all the GUIs. SEVERITY_LEVEL_UNSPECIFIED: fallback SEVERITY_LEVEL_DIAGNOSTIC: In some GUIs known Debug SEVERITY_LEVEL_INFORMATIONAL: In some GUIs known as Info or Information SEVERITY_LEVEL_LOW: In some GUIs known Warning SEVERITY_LEVEL_MEDIUM: In some GUIs known as Error or Threat SEVERITY_LEVEL_HIGH: In some GUIs known as Critical",
        "default": "SEVERITY_LEVEL_UNSPECIFIED",
        "enum": [
          "SEVERITY_LEVEL_UNSPECIFIED",
          "SEVERITY_LEVEL_DIAGNOSTIC",
          "SEVERITY_LEVEL_INFORMATIONAL",
          "SEVERITY_LEVEL_LOW",
          "SEVERITY_LEVEL_MEDIUM",
          "SEVERITY_LEVEL_HIGH"
        ]
      },
      "typeName": {
        "type": "string",
        "description": "Human-friendly type of detection. Examples: 'Potentially unwanted application' 'Trojan' 'Test file' 'TCP Port scanning attack' Deprecated in favor of enumerated type."
      },
      "uuid": {
        "type": "string",
        "description": "Universally Unique Identifier References use this identifier so it must be filled in all the cases except resource creation. Compliant with RFC 4122: A Universally Unique IDentifier (UUID) URN Namespace Formatted according to template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on wikipedia. For example: '123e4567-e89b-12d3-a456-426614174000'"
      }
    }
  ],
  "nextPageToken": {
    "type": "string",
    "description": "Page token of next page. info: For more information, refer to Paginating Requests in APIs or https://cloud.google.com/apis/design/design_patterns#list_pagination"
  },
  "totalSize": {
    "type": "integer",
    "description": "The total count of items in the list irrespective of pagination. info: One of the standard fields Page_size might differ for every call (it is an input parameter), so the calculation of the total number of pages is the caller's responsibility.",
    "format": "int64"
  }
}

202: Response took too long; request cached. Response can be retrieved later using the response-id header.

400: One of the errors: 1. Bad or missing authorization. 2. Validation error. Invalid argument provided.

401: Token has expired or is invalid.

403: Access denied. Check permissions.

404: Requested resource not found.

429: Rate limit reached. Try again later.

500: Internal server failure. Try again later.

502: Internal server failure. Try again later.

503: Environment under maintenance. Try again later.

504: Action took too long; timeout reached.
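As an added example (not ESET's code or part of this reference), the following client walks every page of GET /v1/detections for a time window by following nextPageToken, then keeps only detections at or above a chosen severityLevel. It assumes a caller-supplied fetch(path) returning (status, parsed JSON); the HTTP call is replaced by an offline stub serving constructed sample pages.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Severity vocabulary in the order the SeverityLevel enum above lists it (low to high).
SEVERITY_ORDER = ["SEVERITY_LEVEL_UNSPECIFIED", "SEVERITY_LEVEL_DIAGNOSTIC",
                  "SEVERITY_LEVEL_INFORMATIONAL", "SEVERITY_LEVEL_LOW",
                  "SEVERITY_LEVEL_MEDIUM", "SEVERITY_LEVEL_HIGH"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

def build_path(start_time, end_time, page_size=100, page_token=None, device_uuid=None):
    """Path for GET /v1/detections with the documented query parameters (RFC 3339 times)."""
    params = {"startTime": start_time, "endTime": end_time, "pageSize": page_size}
    if page_token:
        params["pageToken"] = page_token
    if device_uuid:
        params["deviceUuid"] = device_uuid
    return "/v1/detections?" + urlencode(params)

def iter_detections(fetch, start_time, end_time, page_size=100, device_uuid=None):
    """Yield every detection in the window, following nextPageToken until it is empty."""
    token = None  # fetch(path) -> (http_status, parsed_json_body); only 200 carries a page
    while True:
        status, body = fetch(build_path(start_time, end_time, page_size, token, device_uuid))
        if status != 200:
            raise RuntimeError(f"GET /v1/detections returned {status}")
        yield from body.get("detections", [])
        token = body.get("nextPageToken")
        if not token:  # empty or missing token: this was the last page
            return

def at_least(detections, minimum="SEVERITY_LEVEL_MEDIUM"):
    """Keep detections whose severityLevel is at or above `minimum`."""
    return [d for d in detections if RANK.get(d.get("severityLevel"), 0) >= RANK[minimum]]

# Constructed sample pages (not real API output), keyed by pageToken; "" is the first page.
PAGES = {
    "": {"detections": [{"uuid": "d1", "severityLevel": "SEVERITY_LEVEL_MEDIUM"},
                        {"uuid": "d2", "severityLevel": "SEVERITY_LEVEL_LOW"}],
         "nextPageToken": "page2", "totalSize": 3},
    "page2": {"detections": [{"uuid": "d3", "severityLevel": "SEVERITY_LEVEL_HIGH"}],
              "nextPageToken": "", "totalSize": 3},
}

def fake_fetch(path):
    """Offline stand-in for the HTTP call: serves PAGES by the pageToken in the query string."""
    qs = parse_qs(urlsplit(path).query)
    return 200, PAGES[qs.get("pageToken", [""])[0]]

def demo():
    """UUIDs of medium-or-higher detections across all pages of a one-day window."""
    found = iter_detections(fake_fetch, "2024-01-01T00:00:00Z", "2024-01-02T00:00:00Z", page_size=2)
    return [d["uuid"] for d in at_least(found)]
```

Because pageSize may change between calls and totalSize is reported irrespective of pagination, the client relies only on nextPageToken to know when to stop.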