Get batch of detections
Relative path: /v2/detections:batchGet
The operation is atomic: it either fails for all resources or succeeds for all resources (no partial success).
If the operation covers multiple locations and at least one location is down, the operation fails.
Info: Modeled after https://google.aip.dev/231
Request body
Type |
Required |
Example |
Schema |
---|---|---|---|
application/json |
No |
{ "detectionUuids": [ "string" ] } |
{ "$ref": "v2BatchGetDetectionsRequest", "detectionUuids": [ { "type": "string" } ] } |
Responses
Code |
Description |
Example |
Schema |
---|---|---|---|
200 |
A successful response. |
{ "detections": [ { "category": "DETECTION_CATEGORY_UNSPECIFIED", "circumstances": "string", "cloudOfficeTenantUuid": "string", "device": { "displayName": "string", "uuid": "string" }, "displayName": "string", "edrRuleUuid": "string", "email": { "attachments": [ { "containedFiles": [ null ], "hashSha1": "string", "hashSha2256": "string", "isReadOnly": true, "lastEditor": { "email": "string", "userUuid": "string", "userName": "string" }, "origin": "OBJECT_ORIGIN_UNSPECIFIED", "path": "string", "reference": "string", "sizeBytes": "string", "storages": [ { "displayName": "string", "msSharepointRootSiteUuid": "string", "archiveReference": "string", "cloudDriveUserUuid": "string", "emailReference": "string", "msSharepointSiteUuid": "string", "msTeamsTeamUuid": "string" } ] } ], "bodyParts": [ { "containedFiles": [ null ], "hashSha1": "string", "hashSha2256": "string", "isReadOnly": true, "lastEditor": { "email": "string", "userUuid": "string", "userName": "string" }, "origin": "OBJECT_ORIGIN_UNSPECIFIED", "path": "string", "reference": "string", "sizeBytes": "string", "storages": [ { "displayName": "string", "msSharepointRootSiteUuid": "string", "archiveReference": "string", "cloudDriveUserUuid": "string", "emailReference": "string", "msSharepointSiteUuid": "string", "msTeamsTeamUuid": "string" } ] } ], "cc": "string", "containedUrls": [ "string" ], "from": "string", "headers": [ "string" ], "internetMessageId": "string", "isReadOnly": true, "mailboxUserUuid": "string", "origin": "OBJECT_ORIGIN_UNSPECIFIED", "reference": "string", "senderIpAddress": "string", "subject": "string", "to": "string" }, "file": { "containedFiles": [ null ], "hashSha1": "string", "hashSha2256": "string", "isReadOnly": true, "lastEditor": { "email": "string", "userUuid": "string", "userName": "string" }, "origin": "OBJECT_ORIGIN_UNSPECIFIED", "path": "string", "reference": "string", "sizeBytes": "string", "storages": [ { "displayName": "string", "msSharepointRootSiteUuid": "string", 
"archiveReference": "string", "cloudDriveUserUuid": "string", "emailReference": "string", "msSharepointSiteUuid": "string", "msTeamsTeamUuid": "string" } ] }, "networkTraffic": { "direction": "NETWORK_TRAFFIC_DIRECTION_UNSPECIFIED", "localIpAddress": "string", "localMacAddress": "string", "localPort": 0, "protocolKeyword": "string", "remoteIpAddress": "string", "remoteMacAddress": "string", "remotePort": 0 }, "note": "string", "objectHashSha1": "string", "objectName": "string", "objectSizeBytes": "string", "objectTypeName": "string", "objectUrl": "string", "occurTime": "string", "process": { "commandLine": "string", "path": "string", "uuid": "string" }, "resolved": true, "responses": [ { "actionType": "OBJECT_ACTION_TYPE_UNSPECIFIED", "description": "string", "deviceRestartRequired": true, "displayName": "string", "protectionName": "string", "emailReference": "string", "fileReference": "string" } ], "scanUuid": "string", "severityLevel": "SEVERITY_LEVEL_UNSPECIFIED", "severityScore": 0, "triggeringEvent": { "type": "UNSPECIFIED", "data": {} }, "typeName": "string", "userName": "string", "uuid": "string" } ] } |
{ "$ref": "v2BatchGetDetectionsResponse", "detections": [ { "$ref": "incident_managementv2Detection", "description": "Descriptor of one particular detection occurrence. Detections occurs in some [DetectionContext] and is followed by [DetectionResponse]s. [Detection] can be resolved what means it no longer pose security risk.", "category": { "$ref": "incident_managementv2DetectionCategory", "type": "string", "description": "Category of detection. Deprecated because offers incorrect classification of detections (based on implementation details we want to hide from users). DETECTION_CATEGORY_UNSPECIFIED: fallback DETECTION_CATEGORY_EDR_RULE: When hit of EDR rule is detected. For more on rules see https://help.eset.com/ei_rules/latest/en-US/. - DETECTION_CATEGORY_FIREWALL_RULE: When hit of firewall rule is detected. - DETECTION_CATEGORY_ANTIVIRUS: For ThreatSense detections. - DETECTION_CATEGORY_HIPS: When host intrusion is detected. - DETECTION_CATEGORY_NETWORK_INTRUSION: When network intrusion is detected. - DETECTION_CATEGORY_HIPS_RULE: When hit of HIPS rule is detected. - DETECTION_CATEGORY_WEB_ACCESS: When access to web is detected. - DETECTION_CATEGORY_VULNERABILITY: When application vulnerability is detected. - DETECTION_CATEGORY_APPLICATION_PATCH: When application patch is detected. - DETECTION_CATEGORY_SUSPICIOUS_ACTIVITY: When suspicious activity is detected.", "default": "DETECTION_CATEGORY_UNSPECIFIED", "enum": [ "DETECTION_CATEGORY_UNSPECIFIED", "DETECTION_CATEGORY_EDR_RULE", "DETECTION_CATEGORY_FIREWALL_RULE", "DETECTION_CATEGORY_ANTIVIRUS", "DETECTION_CATEGORY_HIPS", "DETECTION_CATEGORY_NETWORK_INTRUSION", "DETECTION_CATEGORY_HIPS_RULE", "DETECTION_CATEGORY_WEB_ACCESS", "DETECTION_CATEGORY_VULNERABILITY", "DETECTION_CATEGORY_APPLICATION_PATCH", "DETECTION_CATEGORY_SUSPICIOUS_ACTIVITY" ] }, "circumstances": { "type": "string", "description": "Human-friendly and plain English description of [detection]'s circumstances. 
For example: 'Event occurred during an attempt to access the web by the application: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (8BD6BEB1AF61231295A22145AA0251FA24FE5622).'" }, "cloudOfficeTenantUuid": { "type": "string", "description": "Reference to [cloud office tenant]. If empty or null, the detection occurred outside any cloud office tenant scope. type: cloud_office_protection.v1.CloudOfficeTenant" }, "device": { "$ref": "v2Device", "description": "Descriptor of the [device] with detection. Full device details must be fetched from device management.", "displayName": { "type": "string", "description": "Human friendly name of the device with detection." }, "uuid": { "type": "string", "description": "Unique identifier of the entity. Must be collision free - two identifiers created anywhere in the world must not collide within entity parent scope. Unless a member of aggregate, the entity scope is always global. Although most of the times compliant with RFC 4122: A Universally Unique IDentifier (UUID) URN Namespace, do not rely on it being a RFC UUID. Treat it as an opaque identifier. RFC UUID can be recognized by being formatted according to template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on wikipedia. UUID is used for referencing an entity, even across domains. Example: '123e4567-e89b-12d3-a456-426614174000'", "readOnly": true } }, "displayName": { "type": "string", "description": "Human-friendly name of the detection. This value can be used to look up details at https://www.threatminer.org/. Examples: 'Win32/Kingsoft.B' 'Rule_name_100663' '(Blocked by )PUA blacklist'" }, "edrRuleUuid": { "title": "Alert", "type": "string", "description": "EI Rules are mixture of Alerts and Actions https://help.eset.com/ei_rules/latest/en-US/. This breaks barrier between Detection and Response. Our competitors respect this barrier and provide strictly DETECTION rules (called correlation rules). 
https://www.exabeam.com/siem/siem-threat-detection-rules-or-models/ https://www.ibm.com/docs/en/qsip/7.4?topic=siem-rule Snort https://www.howtoforge.com/writing-snort-rules-on-engarde Actions are: - alert - log - pass NIPS: https://www.ibm.com/docs/en/snips/4.6.0?topic=rules-configuring-snort - reaction is configured separately Detection rules: https://docs.datadoghq.com/security_platform/detection_rules/ Incident rules: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud/Endpoint-Detection-and-Response/Incident-Rules.html type: EdrRule" }, "email": { "$ref": "v1Email", "attachments": [ { "$ref": "v1File", "description": "Describes file. File can be contained within other structures, such as email (attachment), archive or Miscrosoft Sharepoint Site. Those structures form parents of the file.", "containedFiles": [ { "$ref": "v1File" } ], "hashSha1": { "type": "string", "description": "SHA-1 (Secure Hash Algorithm 1) digest of file's content." }, "hashSha2256": { "type": "string", "description": "SHA-2 256 (Secure Hash Algorithm 2) 256 digest of file's content." }, "isReadOnly": { "type": "boolean", "description": "True if the scanned object was read-only and cannot be modified/cleaned/deleted." }, "lastEditor": { "$ref": "v1ObjectEditor", "description": "Details of user who edited an object.", "email": { "type": "string", "description": "Email of the user." }, "userUuid": { "type": "string", "description": "Reference to [user]. type: _draft.User" }, "userName": { "type": "string", "description": "Name of the user (e.g. login)." } }, "origin": { "$ref": "v1ObjectOrigin", "type": "string", "description": "Object origin denotes a system managing object's life-cycle. This is necessary to be known for actions that manipulate with object, such as delete, quarantine, move and so on. OBJECT_ORIGIN_UNSPECIFIED: fallback OBJECT_ORIGIN_MS_OFFICE365: Object originates in Microsoft Office 365. 
OBJECT_ORIGIN_GOOGLE_WORKSPACE: Object originates in Google Workspace. OBJECT_ORIGIN_DEVICE: Object originates from a device.", "default": "OBJECT_ORIGIN_UNSPECIFIED", "enum": [ "OBJECT_ORIGIN_UNSPECIFIED", "OBJECT_ORIGIN_MS_OFFICE365", "OBJECT_ORIGIN_GOOGLE_WORKSPACE", "OBJECT_ORIGIN_DEVICE" ] }, "path": { "type": "string", "description": "File path. Absolute path is absolute within storage. For example: /documents/trip.xml might be absolute within Microsoft Sharepoint Site." }, "reference": { "type": "string", "description": "How the file is referred to. Files can be hosted in various systems with different types of indexing (e.g. URI, UUID, etc.). Object reference must be unique within one parent object (e,g, email or archive) to ensure referential integrity. Optimally, the reference should be universally unique identifier. That prevents from ambiguities during pairing of the object with scan results with actions." }, "sizeBytes": { "type": "string", "description": "File size in bytes.", "format": "uint64" }, "storages": [ { "$ref": "v1FileStorage", "description": "File storage represents a different storage location. This could include email, archive, Microsoft Sharepoint Site, Hyper-V Volume, etc. File path is relative to this storage.", "displayName": { "type": "string", "description": "Human readable name of the storage. For example, a name of Microsoft Teams Team or name the archive file." }, "msSharepointRootSiteUuid": { "type": "string", "description": "Reference to [Microsoft Sharepoint root site]. Only valid if the object originates in Sharepoint site. type: quarantine_management.v1-alpha.MicrosoftSharepointSite" }, "archiveReference": { "type": "string", "description": "Reference to the archive containing the file. Can be an URL or path to the parent archive." 
}, "cloudDriveUserUuid": { "type": "string", "description": "If the file resides in the cloud on a cloud drive (for example, Google Drive or Microsoft OneDrive), this attribute references the user who owns that drive. type: user_management.v1.User" }, "emailReference": { "type": "string", "description": "Reference to the email containing the file. The file itself can be part of the email body, an email attachment, or part of an attached archive." }, "msSharepointSiteUuid": { "type": "string", "description": "Reference to [Microsoft Sharepoint site]. type: quarantine_management.v1-alpha.MicrosoftSharepointSite" }, "msTeamsTeamUuid": { "type": "string", "description": "Reference to [Microsoft Teams team]. type: quarantine_management.v1-alpha.MicrosoftTeamsTeam" } } ] } ], "bodyParts": [ { "$ref": "v1File", "description": "Describes file. File can be contained within other structures, such as email (attachment), archive or Miscrosoft Sharepoint Site. Those structures form parents of the file.", "containedFiles": [ { "$ref": "v1File" } ], "hashSha1": { "type": "string", "description": "SHA-1 (Secure Hash Algorithm 1) digest of file's content." }, "hashSha2256": { "type": "string", "description": "SHA-2 256 (Secure Hash Algorithm 2) 256 digest of file's content." }, "isReadOnly": { "type": "boolean", "description": "True if the scanned object was read-only and cannot be modified/cleaned/deleted." }, "lastEditor": { "$ref": "v1ObjectEditor", "description": "Details of user who edited an object.", "email": { "type": "string", "description": "Email of the user." }, "userUuid": { "type": "string", "description": "Reference to [user]. type: _draft.User" }, "userName": { "type": "string", "description": "Name of the user (e.g. login)." } }, "origin": { "$ref": "v1ObjectOrigin", "type": "string", "description": "Object origin denotes a system managing object's life-cycle. 
This is necessary to be known for actions that manipulate with object, such as delete, quarantine, move and so on. OBJECT_ORIGIN_UNSPECIFIED: fallback OBJECT_ORIGIN_MS_OFFICE365: Object originates in Microsoft Office 365. OBJECT_ORIGIN_GOOGLE_WORKSPACE: Object originates in Google Workspace. OBJECT_ORIGIN_DEVICE: Object originates from a device.", "default": "OBJECT_ORIGIN_UNSPECIFIED", "enum": [ "OBJECT_ORIGIN_UNSPECIFIED", "OBJECT_ORIGIN_MS_OFFICE365", "OBJECT_ORIGIN_GOOGLE_WORKSPACE", "OBJECT_ORIGIN_DEVICE" ] }, "path": { "type": "string", "description": "File path. Absolute path is absolute within storage. For example: /documents/trip.xml might be absolute within Microsoft Sharepoint Site." }, "reference": { "type": "string", "description": "How the file is referred to. Files can be hosted in various systems with different types of indexing (e.g. URI, UUID, etc.). Object reference must be unique within one parent object (e,g, email or archive) to ensure referential integrity. Optimally, the reference should be universally unique identifier. That prevents from ambiguities during pairing of the object with scan results with actions." }, "sizeBytes": { "type": "string", "description": "File size in bytes.", "format": "uint64" }, "storages": [ { "$ref": "v1FileStorage", "description": "File storage represents a different storage location. This could include email, archive, Microsoft Sharepoint Site, Hyper-V Volume, etc. File path is relative to this storage.", "displayName": { "type": "string", "description": "Human readable name of the storage. For example, a name of Microsoft Teams Team or name the archive file." }, "msSharepointRootSiteUuid": { "type": "string", "description": "Reference to [Microsoft Sharepoint root site]. Only valid if the object originates in Sharepoint site. type: quarantine_management.v1-alpha.MicrosoftSharepointSite" }, "archiveReference": { "type": "string", "description": "Reference to the archive containing the file. 
Can be an URL or path to the parent archive." }, "cloudDriveUserUuid": { "type": "string", "description": "If the file resides in the cloud on a cloud drive (for example, Google Drive or Microsoft OneDrive), this attribute references the user who owns that drive. type: user_management.v1.User" }, "emailReference": { "type": "string", "description": "Reference to the email containing the file. The file itself can be part of the email body, an email attachment, or part of an attached archive." }, "msSharepointSiteUuid": { "type": "string", "description": "Reference to [Microsoft Sharepoint site]. type: quarantine_management.v1-alpha.MicrosoftSharepointSite" }, "msTeamsTeamUuid": { "type": "string", "description": "Reference to [Microsoft Teams team]. type: quarantine_management.v1-alpha.MicrosoftTeamsTeam" } } ] } ], "cc": { "type": "string", "description": "Carbon copy recipient(s) of the email." }, "containedUrls": [ { "type": "string" } ], "from": { "type": "string", "description": "Sender(s) of the email." }, "headers": [ { "type": "string" } ], "internetMessageId": { "title": "Unique identifier of the message according to https://en.wikipedia.org/wiki/Message-ID", "type": "string" }, "isReadOnly": { "type": "boolean", "description": "True if the scanned object was read-only and cannot be modified/cleaned/deleted." }, "mailboxUserUuid": { "type": "string", "description": "Reference to the user who owns the mailbox, if the email can be associated with a mailbox. If the email cannot be associated with a mailbox, this will be empty. type: user_management.v1.User" }, "origin": { "$ref": "v1ObjectOrigin", "type": "string", "description": "Object origin denotes a system managing object's life-cycle. This is necessary to be known for actions that manipulate with object, such as delete, quarantine, move and so on. OBJECT_ORIGIN_UNSPECIFIED: fallback OBJECT_ORIGIN_MS_OFFICE365: Object originates in Microsoft Office 365. 
OBJECT_ORIGIN_GOOGLE_WORKSPACE: Object originates in Google Workspace. OBJECT_ORIGIN_DEVICE: Object originates from a device.", "default": "OBJECT_ORIGIN_UNSPECIFIED", "enum": [ "OBJECT_ORIGIN_UNSPECIFIED", "OBJECT_ORIGIN_MS_OFFICE365", "OBJECT_ORIGIN_GOOGLE_WORKSPACE", "OBJECT_ORIGIN_DEVICE" ] }, "reference": { "type": "string", "description": "How the email is referred to. Emails can be sourced in various systems with different types of indexing (e.g. URI, UUID, etc.). Object reference must be unique within one parent object (e,g, email or archive) to ensure referential integrity or the scope of protection (e.g. one account). For example: - Outlook email can be referenced by EntryID (or SearchKey) - Exchange email can be referenced by combination of Timestamp | Subject | Sender fields. Info: Optimally, the reference should be universally unique identifier. That prevents from ambiguities during pairing of the object with scan results with actions. This might, however, be substantially difficult to achieve in distributed email-system, where the id-issuing authority is out of our reach and might be spoofed by e.g. spammers." }, "senderIpAddress": { "type": "string", "description": "IP address of the sender. Might be IPv4 or IPv6." }, "subject": { "type": "string", "description": "Subject of the email." }, "to": { "type": "string", "description": "Recipient(s) of the email." } }, "file": { "$ref": "v1File", "description": "Describes file. File can be contained within other structures, such as email (attachment), archive or Miscrosoft Sharepoint Site. Those structures form parents of the file.", "containedFiles": [ { "$ref": "v1File" } ], "hashSha1": { "type": "string", "description": "SHA-1 (Secure Hash Algorithm 1) digest of file's content." }, "hashSha2256": { "type": "string", "description": "SHA-2 256 (Secure Hash Algorithm 2) 256 digest of file's content." 
}, "isReadOnly": { "type": "boolean", "description": "True if the scanned object was read-only and cannot be modified/cleaned/deleted." }, "lastEditor": { "$ref": "v1ObjectEditor", "description": "Details of user who edited an object.", "email": { "type": "string", "description": "Email of the user." }, "userUuid": { "type": "string", "description": "Reference to [user]. type: _draft.User" }, "userName": { "type": "string", "description": "Name of the user (e.g. login)." } }, "origin": { "$ref": "v1ObjectOrigin", "type": "string", "description": "Object origin denotes a system managing object's life-cycle. This is necessary to be known for actions that manipulate with object, such as delete, quarantine, move and so on. OBJECT_ORIGIN_UNSPECIFIED: fallback OBJECT_ORIGIN_MS_OFFICE365: Object originates in Microsoft Office 365. OBJECT_ORIGIN_GOOGLE_WORKSPACE: Object originates in Google Workspace. OBJECT_ORIGIN_DEVICE: Object originates from a device.", "default": "OBJECT_ORIGIN_UNSPECIFIED", "enum": [ "OBJECT_ORIGIN_UNSPECIFIED", "OBJECT_ORIGIN_MS_OFFICE365", "OBJECT_ORIGIN_GOOGLE_WORKSPACE", "OBJECT_ORIGIN_DEVICE" ] }, "path": { "type": "string", "description": "File path. Absolute path is absolute within storage. For example: /documents/trip.xml might be absolute within Microsoft Sharepoint Site." }, "reference": { "type": "string", "description": "How the file is referred to. Files can be hosted in various systems with different types of indexing (e.g. URI, UUID, etc.). Object reference must be unique within one parent object (e,g, email or archive) to ensure referential integrity. Optimally, the reference should be universally unique identifier. That prevents from ambiguities during pairing of the object with scan results with actions." }, "sizeBytes": { "type": "string", "description": "File size in bytes.", "format": "uint64" }, "storages": [ { "$ref": "v1FileStorage", "description": "File storage represents a different storage location. 
This could include email, archive, Microsoft Sharepoint Site, Hyper-V Volume, etc. File path is relative to this storage.", "displayName": { "type": "string", "description": "Human readable name of the storage. For example, a name of Microsoft Teams Team or name the archive file." }, "msSharepointRootSiteUuid": { "type": "string", "description": "Reference to [Microsoft Sharepoint root site]. Only valid if the object originates in Sharepoint site. type: quarantine_management.v1-alpha.MicrosoftSharepointSite" }, "archiveReference": { "type": "string", "description": "Reference to the archive containing the file. Can be an URL or path to the parent archive." }, "cloudDriveUserUuid": { "type": "string", "description": "If the file resides in the cloud on a cloud drive (for example, Google Drive or Microsoft OneDrive), this attribute references the user who owns that drive. type: user_management.v1.User" }, "emailReference": { "type": "string", "description": "Reference to the email containing the file. The file itself can be part of the email body, an email attachment, or part of an attached archive." }, "msSharepointSiteUuid": { "type": "string", "description": "Reference to [Microsoft Sharepoint site]. type: quarantine_management.v1-alpha.MicrosoftSharepointSite" }, "msTeamsTeamUuid": { "type": "string", "description": "Reference to [Microsoft Teams team]. type: quarantine_management.v1-alpha.MicrosoftTeamsTeam" } } ] }, "networkTraffic": { "$ref": "v2EndpointNetworkTraffic", "description": "Descriptor of a endpoint network communication involved into (indicated) incident. For endpoint scenarios it is useful to identify the endpoint side as local, while the other end of network communication as remote.", "direction": { "$ref": "v2NetworkTrafficDirection", "type": "string", "description": "Direction of network communication. 
NETWORK_TRAFFIC_DIRECTION_UNSPECIFIED: fallback NETWORK_TRAFFIC_DIRECTION_INBOUND: The direction from remote host towards local host (the device where detection occurred). NETWORK_TRAFFIC_DIRECTION_OUTBOUND: The direction from local host (the device where detection occurred) towards remote host.", "default": "NETWORK_TRAFFIC_DIRECTION_UNSPECIFIED", "enum": [ "NETWORK_TRAFFIC_DIRECTION_UNSPECIFIED", "NETWORK_TRAFFIC_DIRECTION_INBOUND", "NETWORK_TRAFFIC_DIRECTION_OUTBOUND" ] }, "localIpAddress": { "type": "string", "description": "The IP address of endpoint-local network interface." }, "localMacAddress": { "type": "string", "description": "The MAC (L2) address of endpoint-local network interface." }, "localPort": { "type": "integer", "description": "The port on endpoint-side of the communication.", "format": "int64" }, "protocolKeyword": { "type": "string", "description": "Network protocol used in the communication. Name must be from keyword column of IANA list" }, "remoteIpAddress": { "type": "string", "description": "The IP address of network interface of remote host." }, "remoteMacAddress": { "type": "string", "description": "The MAC (L2) address of remote network interface (possibly the MAC address of gateway)." }, "remotePort": { "type": "integer", "description": "The port on remote-side of the communication.", "format": "int64" } }, "note": { "type": "string", "description": "Arbitrary text." }, "objectHashSha1": { "type": "string", "description": "SHA1 hash of content of scanned object." }, "objectName": { "type": "string", "description": "Name/path of scanned object. Examples: 'http://roxlock.com' 'eicar.com'" }, "objectSizeBytes": { "type": "string", "description": "Object's size in bytes.", "format": "uint64" }, "objectTypeName": { "title": "Human-friendly type name of scanned object", "type": "string", "description": "Examples: 'File' 'Memory'" }, "objectUrl": { "type": "string", "description": "URL (uniform resource locator) of scanned object." 
}, "occurTime": { "type": "string", "description": "Timestamp of detection occurrence. Info: Named by using google naming convention: https://cloud.google.com/apis/design/naming_convention#time_and_duration", "format": "date-time" }, "process": { "$ref": "incident_managementv2Process", "description": "Descriptor of process related to the detection.", "commandLine": { "title": "Argument used with the command", "type": "string" }, "path": { "type": "string", "description": "Disk path to the executable." }, "uuid": { "type": "string", "description": "Universally Unique Identifier References use this identifier so it must be filled in all the cases except resource creation. Compliant with RFC 4122: A Universally Unique IDentifier (UUID) URN Namespace Formatted according to template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on wikipedia. For example: '123e4567-e89b-12d3-a456-426614174000'", "readOnly": true } }, "resolved": { "type": "boolean", "description": "If true, detection is resolved and pose threat no more." }, "responses": [ { "$ref": "incident_managementv2DetectionResponse", "description": { "type": "string", "description": "Human-readable description of the response." }, "actionType": { "$ref": "v2ObjectActionType", "type": "string", "description": "Categories of operations that can be performed on objects. OBJECT_ACTION_TYPE_UNSPECIFIED: fallback OBJECT_ACTION_TYPE_NO_ACTION: No action was done. OBJECT_ACTION_TYPE_ERROR: Action was not performed because of error. OBJECT_ACTION_TYPE_QUARANTINE: Class of quarantining actions. For example: - attachment quarantined - email quarantined - OBJECT_ACTION_TYPE_CLEAN: Class of cleaning actions. For example when an malware is removed from zip archive. - OBJECT_ACTION_TYPE_DELETE: Class of deleting actions. For example: - email deleted - file deleted - OBJECT_ACTION_TYPE_REPLACE: Class of replacing actions. - OBJECT_ACTION_TYPE_MOVE_TO_FOLDER: Actions where object is moved to certain folder. 
- OBJECT_ACTION_TYPE_MOVE_TO_TRASH: Actions where object us moved to trash folder. - OBJECT_ACTION_TYPE_MOVE_TO_JUNK: Actions where object is moved to junk folder. - OBJECT_ACTION_TYPE_TERMINATE: Actions where some process is terminated. For example: - download terminated - connection terminated - process terminated (killed).", "default": "OBJECT_ACTION_TYPE_UNSPECIFIED", "enum": [ "OBJECT_ACTION_TYPE_UNSPECIFIED", "OBJECT_ACTION_TYPE_NO_ACTION", "OBJECT_ACTION_TYPE_ERROR", "OBJECT_ACTION_TYPE_QUARANTINE", "OBJECT_ACTION_TYPE_CLEAN", "OBJECT_ACTION_TYPE_DELETE", "OBJECT_ACTION_TYPE_REPLACE", "OBJECT_ACTION_TYPE_MOVE_TO_FOLDER", "OBJECT_ACTION_TYPE_MOVE_TO_TRASH", "OBJECT_ACTION_TYPE_MOVE_TO_JUNK", "OBJECT_ACTION_TYPE_TERMINATE" ] }, "deviceRestartRequired": { "type": "boolean", "description": "Response needs restart of the device to be completed." }, "displayName": { "type": "string", "description": "Human-friendly name of the response." }, "protectionName": { "type": "string", "description": "Human-readable name of the protection that performed the response." }, "emailReference": { "type": "string", "description": "Reference to the affected email. Emails can be sourced in various systems with different types of indexing (e.g. URI, UUID, etc.). Object reference must be unique within one parent object (e,g, email or archive) to ensure referential integrity or the scope of protection (e.g. one account). For example: - Outlook email can be referenced by EntryID (or SearchKey) - Exchange email can be referenced by combination of Timestamp | Subject | Sender fields. Info: Optimally, the reference should be universally unique identifier. That prevents from ambiguities during pairing of the object with scan results with actions. This might, however, be substantially difficult to achieve in distributed email-system, where the id-issuing authority is out of our reach and might be spoofed by e.g. spammers." 
}, "fileReference": { "type": "string", "description": "Reference to the file affected by the response. Files can be hosted in various systems with different types of indexing (e.g. URI, UUID, etc.). Object reference must be unique within one parent object (e,g, email or archive) to ensure referential integrity. Optimally, the reference should be universally unique identifier. That prevents from ambiguities during pairing of the object with scan results with actions. Info: There might be multiple responses linked to some of troublesome files. For example an email with infected attachment might get that attachment quarantined." } } ], "scanUuid": { "type": "string", "description": "Reference to on-demand [scan] during which the detection occurred. Empty for real-time scans. type: scan_management.v1.Scan" }, "severityLevel": { "$ref": "dotnodwell_known_typesv1SeverityLevel", "type": "string", "description": "Severity levels abstracted to cover all the possible GUIs. Vocabulary is leaving interpretation of severity level completely to API client. This approach is inevitable on SIEM level as there are many contributing sources. Keeping the local names for severity levels never fits all the GUIs. SEVERITY_LEVEL_UNSPECIFIED: fallback SEVERITY_LEVEL_DIAGNOSTIC: In some GUIs known Debug SEVERITY_LEVEL_INFORMATIONAL: In some GUIs known as Info or Information SEVERITY_LEVEL_LOW: In some GUIs known Warning SEVERITY_LEVEL_MEDIUM: In some GUIs known as Error or Threat SEVERITY_LEVEL_HIGH: In some GUIs known as Critical", "default": "SEVERITY_LEVEL_UNSPECIFIED", "enum": [ "SEVERITY_LEVEL_UNSPECIFIED", "SEVERITY_LEVEL_DIAGNOSTIC", "SEVERITY_LEVEL_INFORMATIONAL", "SEVERITY_LEVEL_LOW", "SEVERITY_LEVEL_MEDIUM", "SEVERITY_LEVEL_HIGH" ] }, "severityScore": { "type": "integer", "description": "Integer representation of severity level to be comparable in queries. For example 'severity_score > 10'. 
Severity score is a number from 1 to 100 mapped to severity level as follows: 1 - 49 = LOW 50 - 59 = MEDIUM (a.k.a. Warning) 60 - 100 = HIGH (a.k.a Threat)", "format": "int64" }, "triggeringEvent": { "$ref": "v2TriggeringEvent", "description": "Event that triggered the detection.", "type": { "$ref": "v2TriggeringEventType", "title": "Event that triggered the detection", "type": "string", "description": "UNSPECIFIED: Fallback PROCESS_STARTED: Process was started PROCESS_TERMINATED: Process was terminated PROCESS_STARTED_BEFORE_DATA_COLLECTION: Process started, before data collection started PROCESS_ENDED_BEFORE_DATA_COLLECTION: Process ended, before data collection started PROCESS_EXECUTED: Process executed with exec system call CODE_INJECTED: Some code was injected into the process PROCESS_OPENED: Existing process was opened, in order to read its memory. > For more info: > https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess FILE_DELETED: File was deleted FILE_RENAMED: File was renamed FILE_REWRITTEN: Some data were written to the file UNSAVED_FILE_DELETED_ON_CLOSE: Some process is creating a file, but when closed, the file is deleted as it was not requested to save it FILE_TRUNCATED: Some process is opening a file with some data, but it is requested to delete the data TCP_IP_CONNECTED: TCP/IP connection established TCP_IP_DISCONNECTED: TCP/IP connection was closed TCP_IP_CONNECTION_ACCEPTED: TCP/IP connection was accepted REGISTRY_KEY_CREATED: New registry key was created REGISTRY_KEY_DELETED: Existing registry key was deleted REGISTRY_KEY_VALUE_SET: New registry key value added/modified REGISTRY_KEY_VALUE_DELETED: Existing registry key value deleted HTTP_REQUEST_SENT: Some HTTP request is sent, which can mean that a browser is opening some website. 
REGISTRY_KEY_RENAMED: Existing registry key renamed EXECUTABLE_FILE_DROPPED: Executable file was written to the disk SHARED_LIBRARY_LOADED_BEFORE_DATA_COLLECTION: Some shared library was loaded before data collection started DYNAMIC_SHARED_LIBRARY_LOADED: Some process loaded a shared library DNS_RESOLVED: DNS resolution USER_LOGGED_IN: User logged in USER_LOGGED_OUT: User logged out USER_ACTIVATED: Disabled user was activated USER_DISABLED: Active user was disabled USER_CREATED: New user was created USER_DELETED: User was deleted USER_ADDED_TO_GROUP: User was added to a specific group USER_REMOVED_FROM_GROUP: User was removed from a specific group AMSI_TRIGGERED: AMSI (Antimalware Scan Interface) was executed WMI_AUTO_EXECUTED_PERSISTENCE: WMI (Windows Management Instrumentation) persistence on execution, which means that a specific piece of code or a script continues to execute or re-executes even after a system reboot. WMI_EXECUTED_PROCESS: WMI executed some process WMI_QUERY_DISPLAYED: A WMI query has been executed. This might occur in a system monitoring tool, a script, or a log where the output of a WMI query is shown to the user or recorded for review. MONITORED_FILE_OPENED: Triggered when a monitored file was opened for reading. Monitored files refer to those which contain either sensitive information or stored credentials. For example, stored browser passwords, stored FTP client passwords, the AD database and so on. PROCESS_COMMUNICATION_USED_NAMED_PIPE: Some process is trying to communicate with another process using named pipes TCP_IP_NETWORK_PROTOCOL_IDENTIFIED: Info received from the Firewall about the network protocols of the identified TCP connection. For example: IMAP, POP3, RDP, RMI. 
DRIVER_LOADED: Driver was loaded DRIVER_UNLOADED: Driver was unloaded FILE_MARKED_EXECUTABLE: File was marked as executable SYSTEM_CALLED_API: Monitoring API calls commonly used by malware MULTIPLE_FILES_CHANGED: Information from RansomWare Shield, that something changed multiple files in short time range WINDOWS_SERVICE_INSTALLED: Windows service has been installed WINDOWS_SERVICE_STARTED: Windows service started WINDOWS_SERVICE_MODIFIED: Windows service has been changed or modified WINDOWS_SERVICE_STOPPED: Windows service stopped WINDOWS_SERVICE_REMOVED: Windows service has been removed or uninstalled SCHEDULED_TASK_ADDED: Scheduled task has been added SCHEDULED_TASK_STARTED: Scheduled task started SCHEDULED_TASK_MODIFIED: Scheduled task has been changed or modified SCHEDULED_TASK_REMOVED: Scheduled task has been removed CHILD_PROCESS_STARTED: Child process was created CHILD_PROCESS_STARTED_BEFORE_DATA_COLLECTION: Child process was started, before data collection started", "default": "UNSPECIFIED", "enum": [ "UNSPECIFIED", "PROCESS_STARTED", "PROCESS_TERMINATED", "PROCESS_STARTED_BEFORE_DATA_COLLECTION", "PROCESS_ENDED_BEFORE_DATA_COLLECTION", "PROCESS_EXECUTED", "CODE_INJECTED", "PROCESS_OPENED", "FILE_DELETED", "FILE_RENAMED", "FILE_REWRITTEN", "UNSAVED_FILE_DELETED_ON_CLOSE", "FILE_TRUNCATED", "TCP_IP_CONNECTED", "TCP_IP_DISCONNECTED", "TCP_IP_CONNECTION_ACCEPTED", "REGISTRY_KEY_CREATED", "REGISTRY_KEY_DELETED", "REGISTRY_KEY_VALUE_SET", "REGISTRY_KEY_VALUE_DELETED", "HTTP_REQUEST_SENT", "REGISTRY_KEY_RENAMED", "EXECUTABLE_FILE_DROPPED", "SHARED_LIBRARY_LOADED_BEFORE_DATA_COLLECTION", "DYNAMIC_SHARED_LIBRARY_LOADED", "DNS_RESOLVED", "USER_LOGGED_IN", "USER_LOGGED_OUT", "USER_ACTIVATED", "USER_DISABLED", "USER_CREATED", "USER_DELETED", "USER_ADDED_TO_GROUP", "USER_REMOVED_FROM_GROUP", "AMSI_TRIGGERED", "WMI_AUTO_EXECUTED_PERSISTENCE", "WMI_EXECUTED_PROCESS", "WMI_QUERY_DISPLAYED", "MONITORED_FILE_OPENED", "PROCESS_COMMUNICATION_USED_NAMED_PIPE", 
"TCP_IP_NETWORK_PROTOCOL_IDENTIFIED", "DRIVER_LOADED", "DRIVER_UNLOADED", "FILE_MARKED_EXECUTABLE", "SYSTEM_CALLED_API", "MULTIPLE_FILES_CHANGED", "WINDOWS_SERVICE_INSTALLED", "WINDOWS_SERVICE_STARTED", "WINDOWS_SERVICE_MODIFIED", "WINDOWS_SERVICE_STOPPED", "WINDOWS_SERVICE_REMOVED", "SCHEDULED_TASK_ADDED", "SCHEDULED_TASK_STARTED", "SCHEDULED_TASK_MODIFIED", "SCHEDULED_TASK_REMOVED", "CHILD_PROCESS_STARTED", "CHILD_PROCESS_STARTED_BEFORE_DATA_COLLECTION" ] }, "data": [] }, "typeName": { "type": "string", "description": "Human-friendly type of detection. Examples: 'Potentially unwanted application' 'Trojan' 'Test file' 'TCP Port scanning attack' Deprecated in favor of the enumerated type." }, "userName": { "type": "string", "description": "User name in whose context the detection occurred. It is an arbitrary string, for example on Windows: https://docs.microsoft.com/en-us/windows/win32/secauthn/user-name-formats" }, "uuid": { "type": "string", "description": "Unique identifier of the entity. Must be collision free - two identifiers created anywhere in the world must not collide within the entity's parent scope. Unless a member of an aggregate, the entity scope is always global. Although most of the time compliant with RFC 4122: A Universally Unique IDentifier (UUID) URN Namespace, do not rely on it being an RFC UUID. Treat it as an opaque identifier. An RFC UUID can be recognized by being formatted according to the template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on Wikipedia. The UUID is used for referencing an entity, even across domains. Example: '123e4567-e89b-12d3-a456-426614174000'" } } ] } |
default |
An unexpected error response. |
{ "code": 0, "message": "string", "details": [ { "@type": "string" } ] } |
{ "$ref": "rpcStatus", "code": { "type": "integer", "format": "int32" }, "message": { "type": "string" }, "details": [ { "$ref": "protobufAny", "@type": { "type": "string" } } ] } |
202 |
Response took too long and the request was cached. |
null |
[] |