
GET Get detection

Relative path: /v2/detections/{detectionUuid}

Get detection.

Parameters in path

Name

Type

Required

Description

detectionUuid

string

Yes

[Detection] reference.

type: Detection



Responses


Code

Description

Example

Schema

200

Successful response.

{
  "detection": {
    "category": "DETECTION_CATEGORY_UNSPECIFIED",
    "circumstances": "string",
    "cloudOfficeTenantUuid": "string",
    "device": {
      "displayName": "string",
      "uuid": "string"
    },
    "displayName": "string",
    "edrRuleUuid": "string",
    "email": {
      "attachments": [
        {
          "containedFiles": [
            null
          ],
          "hashSha1": "string",
          "hashSha2256": "string",
          "isReadOnly": true,
          "lastEditor": {
            "email": "string",
            "userUuid": "string",
            "userName": "string"
          },
          "origin": "OBJECT_ORIGIN_UNSPECIFIED",
          "path": "string",
          "reference": "string",
          "sizeBytes": "string",
          "storages": [
            {
              "displayName": "string",
              "msSharepointRootSiteUuid": "string",
              "archiveReference": "string",
              "cloudDriveUserUuid": "string",
              "emailReference": "string",
              "msSharepointSiteUuid": "string",
              "msTeamsTeamUuid": "string"
            }
          ]
        }
      ],
      "bodyParts": [
        {
          "containedFiles": [
            null
          ],
          "hashSha1": "string",
          "hashSha2256": "string",
          "isReadOnly": true,
          "lastEditor": {
            "email": "string",
            "userUuid": "string",
            "userName": "string"
          },
          "origin": "OBJECT_ORIGIN_UNSPECIFIED",
          "path": "string",
          "reference": "string",
          "sizeBytes": "string",
          "storages": [
            {
              "displayName": "string",
              "msSharepointRootSiteUuid": "string",
              "archiveReference": "string",
              "cloudDriveUserUuid": "string",
              "emailReference": "string",
              "msSharepointSiteUuid": "string",
              "msTeamsTeamUuid": "string"
            }
          ]
        }
      ],
      "cc": "string",
      "containedUrls": [
        "string"
      ],
      "from": "string",
      "headers": [
        "string"
      ],
      "internetMessageId": "string",
      "isReadOnly": true,
      "mailboxUserUuid": "string",
      "mtaSmtpDetails": {
        "hello": "string",
        "recipients": [
          "string"
        ],
        "sender": "string",
        "senderIpAddress": "string"
      },
      "origin": "OBJECT_ORIGIN_UNSPECIFIED",
      "reference": "string",
      "senderIpAddress": "string",
      "subject": "string",
      "to": "string"
    },
    "file": {
      "containedFiles": [
        null
      ],
      "hashSha1": "string",
      "hashSha2256": "string",
      "isReadOnly": true,
      "lastEditor": {
        "email": "string",
        "userUuid": "string",
        "userName": "string"
      },
      "origin": "OBJECT_ORIGIN_UNSPECIFIED",
      "path": "string",
      "reference": "string",
      "sizeBytes": "string",
      "storages": [
        {
          "displayName": "string",
          "msSharepointRootSiteUuid": "string",
          "archiveReference": "string",
          "cloudDriveUserUuid": "string",
          "emailReference": "string",
          "msSharepointSiteUuid": "string",
          "msTeamsTeamUuid": "string"
        }
      ]
    },
    "networkTraffic": {
      "direction": "NETWORK_TRAFFIC_DIRECTION_UNSPECIFIED",
      "localIpAddress": "string",
      "localMacAddress": "string",
      "localPort": 0,
      "protocolKeyword": "string",
      "remoteIpAddress": "string",
      "remoteMacAddress": "string",
      "remotePort": 0
    },
    "note": "string",
    "objectHashSha1": "string",
    "objectName": "string",
    "objectSizeBytes": "string",
    "objectTypeName": "string",
    "objectUrl": "string",
    "occurTime": "string",
    "process": {
      "commandLine": "string",
      "path": "string",
      "uuid": "string"
    },
    "resolved": true,
    "responses": [
      {
        "actionType": "OBJECT_ACTION_TYPE_UNSPECIFIED",
        "description": "string",
        "deviceRestartRequired": true,
        "displayName": "string",
        "protectionName": "string",
        "emailReference": "string",
        "fileReference": "string"
      }
    ],
    "scanUuid": "string",
    "severityLevel": "SEVERITY_LEVEL_UNSPECIFIED",
    "severityScore": 0,
    "triggeringEvent": {
      "type": "UNSPECIFIED",
      "data": {}
    },
    "typeName": "string",
    "userName": "string",
    "uuid": "string"
  }
}
{
  "$ref": "incident_managementv2GetDetectionResponse",
  "detection": {
    "$ref": "incident_managementv2Detection",
    "description": "Descriptor of one particular detection occurrence. A detection occurs in some [DetectionContext] and is followed by [DetectionResponse]s. A [Detection] can be resolved, which means it no longer poses a security risk.",
    "category": {
      "$ref": "incident_managementv2DetectionCategory",
      "type": "string",
      "description": "Category of detection. Deprecated because it offers an incorrect classification of detections (based on implementation details we want to hide from users). - DETECTION_CATEGORY_UNSPECIFIED: fallback. - DETECTION_CATEGORY_EDR_RULE: When a hit of an EDR rule is detected. For more on rules see https://help.eset.com/ei_rules/latest/en-US/. - DETECTION_CATEGORY_FIREWALL_RULE: When a hit of a firewall rule is detected. - DETECTION_CATEGORY_ANTIVIRUS: For ThreatSense detections. - DETECTION_CATEGORY_HIPS: When a host intrusion is detected. - DETECTION_CATEGORY_NETWORK_INTRUSION: When a network intrusion is detected. - DETECTION_CATEGORY_HIPS_RULE: When a hit of a HIPS rule is detected. - DETECTION_CATEGORY_WEB_ACCESS: When access to the web is detected. - DETECTION_CATEGORY_VULNERABILITY: When an application vulnerability is detected. - DETECTION_CATEGORY_APPLICATION_PATCH: When an application patch is detected. - DETECTION_CATEGORY_SUSPICIOUS_ACTIVITY: When suspicious activity is detected.",
      "default": "DETECTION_CATEGORY_UNSPECIFIED",
      "enum": [
        "DETECTION_CATEGORY_UNSPECIFIED",
        "DETECTION_CATEGORY_EDR_RULE",
        "DETECTION_CATEGORY_FIREWALL_RULE",
        "DETECTION_CATEGORY_ANTIVIRUS",
        "DETECTION_CATEGORY_HIPS",
        "DETECTION_CATEGORY_NETWORK_INTRUSION",
        "DETECTION_CATEGORY_HIPS_RULE",
        "DETECTION_CATEGORY_WEB_ACCESS",
        "DETECTION_CATEGORY_VULNERABILITY",
        "DETECTION_CATEGORY_APPLICATION_PATCH",
        "DETECTION_CATEGORY_SUSPICIOUS_ACTIVITY"
      ]
    },
    "circumstances": {
      "type": "string",
      "description": "Human-friendly, plain-English description of the [detection]'s circumstances. For example: 'Event occurred during an attempt to access the web by the application: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (8BD6BEB1AF61231295A22145AA0251FA24FE5622).'"
    },
    "cloudOfficeTenantUuid": {
      "type": "string",
      "description": "Reference to [cloud office tenant]. If empty or null, the detection occurred outside any cloud office tenant scope. type: cloud_office_protection.v1.CloudOfficeTenant"
    },
    "device": {
      "$ref": "v2Device",
      "description": "Descriptor of the [device] with the detection. Full device details must be fetched from device management.",
      "displayName": {
        "type": "string",
        "description": "Human friendly name of the device with detection."
      },
      "uuid": {
        "type": "string",
        "description": "Unique identifier of the entity. Must be collision free - two identifiers created anywhere in the world must not collide within the entity's parent scope. Unless a member of an aggregate, the entity scope is always global. Although most of the time compliant with RFC 4122 (A Universally Unique IDentifier (UUID) URN Namespace), do not rely on it being an RFC UUID. Treat it as an opaque identifier. An RFC UUID can be recognized by its formatting according to the template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on Wikipedia. The UUID is used for referencing an entity, even across domains. Example: '123e4567-e89b-12d3-a456-426614174000'",
        "readOnly": true
      }
    },
    "displayName": {
      "type": "string",
      "description": "Human-friendly name of the detection. This value can be used to look up details at https://www.threatminer.org/. Examples: 'Win32/Kingsoft.B' 'Rule_name_100663' '(Blocked by )PUA blacklist'"
    },
    "edrRuleUuid": {
      "type": "string",
      "description": "Reference to EDR rule which triggered the detection. type: EdrRule"
    },
    "email": {
      "$ref": "v1Email",
      "attachments": [
        {
          "$ref": "v1File",
          "description": "Describes a file. A file can be contained within other structures, such as an email (attachment), an archive or a Microsoft Sharepoint Site. Those structures form the parents of the file.",
          "containedFiles": [
            {
              "$ref": "v1File"
            }
          ],
          "hashSha1": {
            "type": "string",
            "description": "SHA-1 (Secure Hash Algorithm 1) digest of the file's content."
          },
          "hashSha2256": {
            "type": "string",
            "description": "SHA-256 (Secure Hash Algorithm 2, 256-bit) digest of the file's content."
          },
          "isReadOnly": {
            "type": "boolean",
            "description": "True if the scanned object was read-only and cannot be modified/cleaned/deleted."
          },
          "lastEditor": {
            "$ref": "v1ObjectEditor",
            "description": "Details of user who edited an object.",
            "email": {
              "type": "string",
              "description": "Email of the user."
            },
            "userUuid": {
              "type": "string",
              "description": "Reference to [user]. type: _draft.User"
            },
            "userName": {
              "type": "string",
              "description": "Name of the user (e.g. login)."
            }
          },
          "origin": {
            "$ref": "v1ObjectOrigin",
            "type": "string",
            "description": "Object origin denotes the system managing the object's life-cycle. This must be known for actions that manipulate the object, such as delete, quarantine, move and so on. - OBJECT_ORIGIN_UNSPECIFIED: fallback. - OBJECT_ORIGIN_MS_OFFICE365: Object originates in Microsoft Office 365. - OBJECT_ORIGIN_GOOGLE_WORKSPACE: Object originates in Google Workspace. - OBJECT_ORIGIN_DEVICE: Object originates from a device.",
            "default": "OBJECT_ORIGIN_UNSPECIFIED",
            "enum": [
              "OBJECT_ORIGIN_UNSPECIFIED",
              "OBJECT_ORIGIN_MS_OFFICE365",
              "OBJECT_ORIGIN_GOOGLE_WORKSPACE",
              "OBJECT_ORIGIN_DEVICE"
            ]
          },
          "path": {
            "type": "string",
            "description": "File path. An absolute path is absolute within the storage. For example: /documents/trip.xml might be absolute within a Microsoft Sharepoint Site."
          },
          "reference": {
            "type": "string",
            "description": "How the file is referred to. Files can be hosted in various systems with different types of indexing (e.g. URI, UUID, etc.). The object reference must be unique within one parent object (e.g. email or archive) to ensure referential integrity. Optimally, the reference should be a universally unique identifier. That prevents ambiguities when pairing the object with scan results and actions."
          },
          "sizeBytes": {
            "type": "string",
            "description": "File size in bytes.",
            "format": "uint64"
          },
          "storages": [
            {
              "$ref": "v1FileStorage",
              "description": "File storage represents a storage location. This could include an email, an archive, a Microsoft Sharepoint Site, a Hyper-V Volume, etc. The file path is relative to this storage.",
              "displayName": {
                "type": "string",
                "description": "Human-readable name of the storage. For example, the name of a Microsoft Teams team or the name of the archive file."
              },
              "msSharepointRootSiteUuid": {
                "type": "string",
                "description": "Reference to the [Microsoft Sharepoint root site]. Only valid if the object originates in a Sharepoint site. type: quarantine_management.v1-alpha.MicrosoftSharepointSite"
              },
              "archiveReference": {
                "type": "string",
                "description": "Reference to the archive containing the file. Can be a URL or a path to the parent archive."
              },
              "cloudDriveUserUuid": {
                "type": "string",
                "description": "If the file resides in the cloud on a cloud drive (for example, Google Drive or Microsoft OneDrive), this attribute references the user who owns that drive. type: user_management.v1.User"
              },
              "emailReference": {
                "type": "string",
                "description": "Reference to the email containing the file. The file itself can be part of the email body, an email attachment, or part of an attached archive."
              },
              "msSharepointSiteUuid": {
                "type": "string",
                "description": "Reference to [Microsoft Sharepoint site]. type: quarantine_management.v1-alpha.MicrosoftSharepointSite"
              },
              "msTeamsTeamUuid": {
                "type": "string",
                "description": "Reference to [Microsoft Teams team]. type: quarantine_management.v1-alpha.MicrosoftTeamsTeam"
              }
            }
          ]
        }
      ],
      "bodyParts": [
        {
          "$ref": "v1File",
          "description": "Describes a file. A file can be contained within other structures, such as an email (attachment), an archive or a Microsoft Sharepoint Site. Those structures form the parents of the file.",
          "containedFiles": [
            {
              "$ref": "v1File"
            }
          ],
          "hashSha1": {
            "type": "string",
            "description": "SHA-1 (Secure Hash Algorithm 1) digest of the file's content."
          },
          "hashSha2256": {
            "type": "string",
            "description": "SHA-256 (Secure Hash Algorithm 2, 256-bit) digest of the file's content."
          },
          "isReadOnly": {
            "type": "boolean",
            "description": "True if the scanned object was read-only and cannot be modified/cleaned/deleted."
          },
          "lastEditor": {
            "$ref": "v1ObjectEditor",
            "description": "Details of user who edited an object.",
            "email": {
              "type": "string",
              "description": "Email of the user."
            },
            "userUuid": {
              "type": "string",
              "description": "Reference to [user]. type: _draft.User"
            },
            "userName": {
              "type": "string",
              "description": "Name of the user (e.g. login)."
            }
          },
          "origin": {
            "$ref": "v1ObjectOrigin",
            "type": "string",
            "description": "Object origin denotes the system managing the object's life-cycle. This must be known for actions that manipulate the object, such as delete, quarantine, move and so on. - OBJECT_ORIGIN_UNSPECIFIED: fallback. - OBJECT_ORIGIN_MS_OFFICE365: Object originates in Microsoft Office 365. - OBJECT_ORIGIN_GOOGLE_WORKSPACE: Object originates in Google Workspace. - OBJECT_ORIGIN_DEVICE: Object originates from a device.",
            "default": "OBJECT_ORIGIN_UNSPECIFIED",
            "enum": [
              "OBJECT_ORIGIN_UNSPECIFIED",
              "OBJECT_ORIGIN_MS_OFFICE365",
              "OBJECT_ORIGIN_GOOGLE_WORKSPACE",
              "OBJECT_ORIGIN_DEVICE"
            ]
          },
          "path": {
            "type": "string",
            "description": "File path. An absolute path is absolute within the storage. For example: /documents/trip.xml might be absolute within a Microsoft Sharepoint Site."
          },
          "reference": {
            "type": "string",
            "description": "How the file is referred to. Files can be hosted in various systems with different types of indexing (e.g. URI, UUID, etc.). The object reference must be unique within one parent object (e.g. email or archive) to ensure referential integrity. Optimally, the reference should be a universally unique identifier. That prevents ambiguities when pairing the object with scan results and actions."
          },
          "sizeBytes": {
            "type": "string",
            "description": "File size in bytes.",
            "format": "uint64"
          },
          "storages": [
            {
              "$ref": "v1FileStorage",
              "description": "File storage represents a storage location. This could include an email, an archive, a Microsoft Sharepoint Site, a Hyper-V Volume, etc. The file path is relative to this storage.",
              "displayName": {
                "type": "string",
                "description": "Human-readable name of the storage. For example, the name of a Microsoft Teams team or the name of the archive file."
              },
              "msSharepointRootSiteUuid": {
                "type": "string",
                "description": "Reference to the [Microsoft Sharepoint root site]. Only valid if the object originates in a Sharepoint site. type: quarantine_management.v1-alpha.MicrosoftSharepointSite"
              },
              "archiveReference": {
                "type": "string",
                "description": "Reference to the archive containing the file. Can be a URL or a path to the parent archive."
              },
              "cloudDriveUserUuid": {
                "type": "string",
                "description": "If the file resides in the cloud on a cloud drive (for example, Google Drive or Microsoft OneDrive), this attribute references the user who owns that drive. type: user_management.v1.User"
              },
              "emailReference": {
                "type": "string",
                "description": "Reference to the email containing the file. The file itself can be part of the email body, an email attachment, or part of an attached archive."
              },
              "msSharepointSiteUuid": {
                "type": "string",
                "description": "Reference to [Microsoft Sharepoint site]. type: quarantine_management.v1-alpha.MicrosoftSharepointSite"
              },
              "msTeamsTeamUuid": {
                "type": "string",
                "description": "Reference to [Microsoft Teams team]. type: quarantine_management.v1-alpha.MicrosoftTeamsTeam"
              }
            }
          ]
        }
      ],
      "cc": {
        "type": "string",
        "description": "Carbon copy recipient(s) of the email."
      },
      "containedUrls": [
        {
          "type": "string"
        }
      ],
      "from": {
        "type": "string",
        "description": "Sender(s) of the email."
      },
      "headers": [
        {
          "type": "string"
        }
      ],
      "internetMessageId": {
        "title": "Unique identifier of the message according to https://en.wikipedia.org/wiki/Message-ID",
        "type": "string"
      },
      "isReadOnly": {
        "type": "boolean",
        "description": "True if the scanned object was read-only and cannot be modified/cleaned/deleted."
      },
      "mailboxUserUuid": {
        "type": "string",
        "description": "Reference to the user who owns the mailbox, if the email can be associated with a mailbox. If the email cannot be associated with a mailbox, this will be empty. type: user_management.v1.User"
      },
      "mtaSmtpDetails": {
        "$ref": "v1MailTransferAgentSmtpDetails",
        "description": "Details of SMTP activity at the Mail Transfer Agent (MTA). Info: For the MTA specification see: https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.3",
        "hello": {
          "type": "string",
          "description": "Parameter of extended HELLO (EHLO) or HELLO (HELO) command. Info: For details of the command see: https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.1.1"
        },
        "recipients": [
          {
            "type": "string"
          }
        ],
        "sender": {
          "type": "string",
          "description": "Parameter (reverse-path) of MAIL (MAIL FROM) command. A sender of the email. Info: For details of the command see: https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.1.2"
        },
        "senderIpAddress": {
          "type": "string",
          "description": "IP address of the sender. Might be IPv4 or IPv6."
        }
      },
      "origin": {
        "$ref": "v1ObjectOrigin",
        "type": "string",
        "description": "Object origin denotes the system managing the object's life-cycle. This must be known for actions that manipulate the object, such as delete, quarantine, move and so on. - OBJECT_ORIGIN_UNSPECIFIED: fallback. - OBJECT_ORIGIN_MS_OFFICE365: Object originates in Microsoft Office 365. - OBJECT_ORIGIN_GOOGLE_WORKSPACE: Object originates in Google Workspace. - OBJECT_ORIGIN_DEVICE: Object originates from a device.",
        "default": "OBJECT_ORIGIN_UNSPECIFIED",
        "enum": [
          "OBJECT_ORIGIN_UNSPECIFIED",
          "OBJECT_ORIGIN_MS_OFFICE365",
          "OBJECT_ORIGIN_GOOGLE_WORKSPACE",
          "OBJECT_ORIGIN_DEVICE"
        ]
      },
      "reference": {
        "type": "string",
        "description": "How the email is referred to. Emails can be sourced from various systems with different types of indexing (e.g. URI, UUID, etc.). The object reference must be unique within one parent object (e.g. email or archive) or within the scope of protection (e.g. one account) to ensure referential integrity. For example: - An Outlook email can be referenced by EntryID (or SearchKey). - An Exchange email can be referenced by a combination of the Timestamp | Subject | Sender fields. Info: Optimally, the reference should be a universally unique identifier. That prevents ambiguities when pairing the object with scan results and actions. This might, however, be substantially difficult to achieve in a distributed email system, where the id-issuing authority is out of our reach and might be spoofed by, e.g., spammers."
      },
      "senderIpAddress": {
        "type": "string",
        "description": "IP address of the sender. Might be IPv4 or IPv6."
      },
      "subject": {
        "type": "string",
        "description": "Subject of the email."
      },
      "to": {
        "type": "string",
        "description": "Recipient(s) of the email."
      }
    },
    "file": {
      "$ref": "v1File",
      "description": "Describes a file. A file can be contained within other structures, such as an email (attachment), an archive or a Microsoft Sharepoint Site. Those structures form the parents of the file.",
      "containedFiles": [
        {
          "$ref": "v1File"
        }
      ],
      "hashSha1": {
        "type": "string",
        "description": "SHA-1 (Secure Hash Algorithm 1) digest of the file's content."
      },
      "hashSha2256": {
        "type": "string",
        "description": "SHA-256 (Secure Hash Algorithm 2, 256-bit) digest of the file's content."
      },
      "isReadOnly": {
        "type": "boolean",
        "description": "True if the scanned object was read-only and cannot be modified/cleaned/deleted."
      },
      "lastEditor": {
        "$ref": "v1ObjectEditor",
        "description": "Details of user who edited an object.",
        "email": {
          "type": "string",
          "description": "Email of the user."
        },
        "userUuid": {
          "type": "string",
          "description": "Reference to [user]. type: _draft.User"
        },
        "userName": {
          "type": "string",
          "description": "Name of the user (e.g. login)."
        }
      },
      "origin": {
        "$ref": "v1ObjectOrigin",
        "type": "string",
        "description": "Object origin denotes the system managing the object's life-cycle. This must be known for actions that manipulate the object, such as delete, quarantine, move and so on. - OBJECT_ORIGIN_UNSPECIFIED: fallback. - OBJECT_ORIGIN_MS_OFFICE365: Object originates in Microsoft Office 365. - OBJECT_ORIGIN_GOOGLE_WORKSPACE: Object originates in Google Workspace. - OBJECT_ORIGIN_DEVICE: Object originates from a device.",
        "default": "OBJECT_ORIGIN_UNSPECIFIED",
        "enum": [
          "OBJECT_ORIGIN_UNSPECIFIED",
          "OBJECT_ORIGIN_MS_OFFICE365",
          "OBJECT_ORIGIN_GOOGLE_WORKSPACE",
          "OBJECT_ORIGIN_DEVICE"
        ]
      },
      "path": {
        "type": "string",
        "description": "File path. An absolute path is absolute within the storage. For example: /documents/trip.xml might be absolute within a Microsoft Sharepoint Site."
      },
      "reference": {
        "type": "string",
        "description": "How the file is referred to. Files can be hosted in various systems with different types of indexing (e.g. URI, UUID, etc.). The object reference must be unique within one parent object (e.g. email or archive) to ensure referential integrity. Optimally, the reference should be a universally unique identifier. That prevents ambiguities when pairing the object with scan results and actions."
      },
      "sizeBytes": {
        "type": "string",
        "description": "File size in bytes.",
        "format": "uint64"
      },
      "storages": [
        {
          "$ref": "v1FileStorage",
          "description": "File storage represents a storage location. This could include an email, an archive, a Microsoft Sharepoint Site, a Hyper-V Volume, etc. The file path is relative to this storage.",
          "displayName": {
            "type": "string",
            "description": "Human-readable name of the storage. For example, the name of a Microsoft Teams team or the name of the archive file."
          },
          "msSharepointRootSiteUuid": {
            "type": "string",
            "description": "Reference to the [Microsoft Sharepoint root site]. Only valid if the object originates in a Sharepoint site. type: quarantine_management.v1-alpha.MicrosoftSharepointSite"
          },
          "archiveReference": {
            "type": "string",
            "description": "Reference to the archive containing the file. Can be a URL or a path to the parent archive."
          },
          "cloudDriveUserUuid": {
            "type": "string",
            "description": "If the file resides in the cloud on a cloud drive (for example, Google Drive or Microsoft OneDrive), this attribute references the user who owns that drive. type: user_management.v1.User"
          },
          "emailReference": {
            "type": "string",
            "description": "Reference to the email containing the file. The file itself can be part of the email body, an email attachment, or part of an attached archive."
          },
          "msSharepointSiteUuid": {
            "type": "string",
            "description": "Reference to [Microsoft Sharepoint site]. type: quarantine_management.v1-alpha.MicrosoftSharepointSite"
          },
          "msTeamsTeamUuid": {
            "type": "string",
            "description": "Reference to [Microsoft Teams team]. type: quarantine_management.v1-alpha.MicrosoftTeamsTeam"
          }
        }
      ]
    },
    "networkTraffic": {
      "$ref": "v2EndpointNetworkTraffic",
      "description": "Descriptor of an endpoint network communication involved in the (indicated) incident. For endpoint scenarios it is useful to identify the endpoint side as local and the other end of the network communication as remote.",
      "direction": {
        "$ref": "v2NetworkTrafficDirection",
        "type": "string",
        "description": "Direction of network communication. - NETWORK_TRAFFIC_DIRECTION_UNSPECIFIED: fallback. - NETWORK_TRAFFIC_DIRECTION_INBOUND: The direction from the remote host towards the local host (the device where the detection occurred). - NETWORK_TRAFFIC_DIRECTION_OUTBOUND: The direction from the local host (the device where the detection occurred) towards the remote host.",
        "default": "NETWORK_TRAFFIC_DIRECTION_UNSPECIFIED",
        "enum": [
          "NETWORK_TRAFFIC_DIRECTION_UNSPECIFIED",
          "NETWORK_TRAFFIC_DIRECTION_INBOUND",
          "NETWORK_TRAFFIC_DIRECTION_OUTBOUND"
        ]
      },
      "localIpAddress": {
        "type": "string",
        "description": "The IP address of the endpoint-local network interface."
      },
      "localMacAddress": {
        "type": "string",
        "description": "The MAC (L2) address of the endpoint-local network interface."
      },
      "localPort": {
        "type": "integer",
        "description": "The port on the endpoint side of the communication.",
        "format": "int64"
      },
      "protocolKeyword": {
        "type": "string",
        "description": "Network protocol used in the communication. The name must be from the keyword column of the IANA list."
      },
      "remoteIpAddress": {
        "type": "string",
        "description": "The IP address of network interface of remote host."
      },
      "remoteMacAddress": {
        "type": "string",
        "description": "The MAC (L2) address of the remote network interface (possibly the MAC address of the gateway)."
      },
      "remotePort": {
        "type": "integer",
        "description": "The port on the remote side of the communication.",
        "format": "int64"
      }
    },
    "note": {
      "type": "string",
      "description": "Arbitrary text."
    },
    "objectHashSha1": {
      "type": "string",
      "description": "SHA-1 hash of the content of the scanned object."
    },
    "objectName": {
      "type": "string",
      "description": "Name/path of scanned object. Examples: 'http://roxlock.com' 'eicar.com'"
    },
    "objectSizeBytes": {
      "type": "string",
      "description": "Object's size in bytes.",
      "format": "uint64"
    },
    "objectTypeName": {
      "title": "Human-friendly type name of scanned object",
      "type": "string",
      "description": "Examples: 'File' 'Memory'"
    },
    "objectUrl": {
      "type": "string",
      "description": "URL (uniform resource locator) of scanned object."
    },
    "occurTime": {
      "type": "string",
      "description": "Timestamp of the detection occurrence. Info: Named according to the Google naming convention: https://cloud.google.com/apis/design/naming_convention#time_and_duration",
      "format": "date-time"
    },
    "process": {
      "$ref": "incident_managementv2Process",
      "description": "Descriptor of process related to the detection.",
      "commandLine": {
        "title": "Argument used with the command",
        "type": "string"
      },
      "path": {
        "type": "string",
        "description": "Disk path to the executable."
      },
      "uuid": {
        "type": "string",
        "description": "Universally Unique Identifier. References use this identifier, so it must be filled in all cases except resource creation. Compliant with RFC 4122 (A Universally Unique IDentifier (UUID) URN Namespace). Formatted according to the template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on Wikipedia. For example: '123e4567-e89b-12d3-a456-426614174000'",
        "readOnly": true
      }
    },
    "resolved": {
      "type": "boolean",
      "description": "If true, the detection is resolved and no longer poses a threat."
    },
    "responses": [
      {
        "$ref": "incident_managementv2DetectionResponse",
        "description": {
          "type": "string",
          "description": "Human-readable description of the response."
        },
        "actionType": {
          "$ref": "v2ObjectActionType",
          "type": "string",
          "description": "Categories of operations that can be performed on objects. OBJECT_ACTION_TYPE_UNSPECIFIED: fallback. OBJECT_ACTION_TYPE_NO_ACTION: no action was done. OBJECT_ACTION_TYPE_ERROR: the action was not performed because of an error. OBJECT_ACTION_TYPE_QUARANTINE: class of quarantining actions, for example an attachment quarantined or an email quarantined. OBJECT_ACTION_TYPE_CLEAN: class of cleaning actions, for example when malware is removed from a zip archive. OBJECT_ACTION_TYPE_DELETE: class of deleting actions, for example an email deleted or a file deleted. OBJECT_ACTION_TYPE_REPLACE: class of replacing actions. OBJECT_ACTION_TYPE_MOVE_TO_FOLDER: actions where the object is moved to a certain folder. OBJECT_ACTION_TYPE_MOVE_TO_TRASH: actions where the object is moved to the trash folder. OBJECT_ACTION_TYPE_MOVE_TO_JUNK: actions where the object is moved to the junk folder. OBJECT_ACTION_TYPE_TERMINATE: actions where some process is terminated, for example a download terminated, a connection terminated or a process terminated (killed).",
          "default": "OBJECT_ACTION_TYPE_UNSPECIFIED",
          "enum": [
            "OBJECT_ACTION_TYPE_UNSPECIFIED",
            "OBJECT_ACTION_TYPE_NO_ACTION",
            "OBJECT_ACTION_TYPE_ERROR",
            "OBJECT_ACTION_TYPE_QUARANTINE",
            "OBJECT_ACTION_TYPE_CLEAN",
            "OBJECT_ACTION_TYPE_DELETE",
            "OBJECT_ACTION_TYPE_REPLACE",
            "OBJECT_ACTION_TYPE_MOVE_TO_FOLDER",
            "OBJECT_ACTION_TYPE_MOVE_TO_TRASH",
            "OBJECT_ACTION_TYPE_MOVE_TO_JUNK",
            "OBJECT_ACTION_TYPE_TERMINATE"
          ]
        },
        "deviceRestartRequired": {
          "type": "boolean",
          "description": "The response requires a restart of the device to be completed."
        },
        "displayName": {
          "type": "string",
          "description": "Human-friendly name of the response."
        },
        "protectionName": {
          "type": "string",
          "description": "Human-readable name of the protection that performed the response."
        },
        "emailReference": {
          "type": "string",
          "description": "Reference to the affected email. Emails can be sourced in various systems with different types of indexing (e.g. URI, UUID, etc.). An object reference must be unique within one parent object (e.g. email or archive) to ensure referential integrity, or within the scope of protection (e.g. one account). For example: an Outlook email can be referenced by EntryID (or SearchKey); an Exchange email can be referenced by the combination of the Timestamp | Subject | Sender fields. Info: optimally, the reference should be a universally unique identifier. That prevents ambiguities when pairing the object with scan results and actions. This might, however, be substantially difficult to achieve in a distributed email system, where the id-issuing authority is out of our reach and might be spoofed by e.g. spammers."
        },
        "fileReference": {
          "type": "string",
          "description": "Reference to the file affected by the response. Files can be hosted in various systems with different types of indexing (e.g. URI, UUID, etc.). An object reference must be unique within one parent object (e.g. email or archive) to ensure referential integrity. Optimally, the reference should be a universally unique identifier. That prevents ambiguities when pairing the object with scan results and actions. Info: there might be multiple responses linked to some of the troublesome files. For example, an email with an infected attachment might get that attachment quarantined."
        }
      }
    ],
    "scanUuid": {
      "type": "string",
      "description": "Reference to on-demand [scan] during which the detection occurred. Empty for real-time scans. type: scan_management.v1.Scan"
    },
    "severityLevel": {
      "$ref": "dotnodwell_known_typesv1SeverityLevel",
      "type": "string",
      "description": "Severity levels abstracted to cover all possible GUIs. The vocabulary leaves the interpretation of the severity level entirely to the API client. This approach is inevitable at the SIEM level, as there are many contributing sources; keeping the local names for severity levels never fits all GUIs. SEVERITY_LEVEL_UNSPECIFIED: fallback. SEVERITY_LEVEL_DIAGNOSTIC: in some GUIs known as Debug. SEVERITY_LEVEL_INFORMATIONAL: in some GUIs known as Info or Information. SEVERITY_LEVEL_LOW: in some GUIs known as Warning. SEVERITY_LEVEL_MEDIUM: in some GUIs known as Error or Threat. SEVERITY_LEVEL_HIGH: in some GUIs known as Critical.",
      "default": "SEVERITY_LEVEL_UNSPECIFIED",
      "enum": [
        "SEVERITY_LEVEL_UNSPECIFIED",
        "SEVERITY_LEVEL_DIAGNOSTIC",
        "SEVERITY_LEVEL_INFORMATIONAL",
        "SEVERITY_LEVEL_LOW",
        "SEVERITY_LEVEL_MEDIUM",
        "SEVERITY_LEVEL_HIGH"
      ]
    },
    "severityScore": {
      "type": "integer",
      "description": "Integer representation of the severity level, so that it is comparable in queries. For example: 'severity_score > 10'. The severity score is a number from 1 to 100, mapped to severity level as follows: 1-49 = LOW; 50-59 = MEDIUM (a.k.a. Warning); 60-100 = HIGH (a.k.a. Threat).",
      "format": "int64"
    },
    "triggeringEvent": {
      "$ref": "v2TriggeringEvent",
      "description": "Event that triggered the detection.",
      "type": {
        "$ref": "v2TriggeringEventType",
        "title": "Event that triggered the detection",
        "type": "string",
        "description": "UNSPECIFIED: fallback. PROCESS_STARTED: process was started. PROCESS_TERMINATED: process was terminated. PROCESS_STARTED_BEFORE_DATA_COLLECTION: process started before data collection. PROCESS_ENDED_BEFORE_DATA_COLLECTION: process ended before data collection. PROCESS_EXECUTED: process executed with the exec system call. CODE_INJECTED: some code was injected into the process. PROCESS_OPENED: an existing process was opened in order to have its memory read. Info: https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess. FILE_DELETED: file was deleted. FILE_RENAMED: file was renamed. FILE_REWRITTEN: some data were written to the file. UNSAVED_FILE_DELETED_ON_CLOSE: some process is creating a file, but when it is closed the file is deleted, as it was not requested to be saved. FILE_TRUNCATED: some process is opening a file with some data, but it is requested to delete the data. TCP_IP_CONNECTED: TCP/IP connection established. TCP_IP_DISCONNECTED: TCP/IP connection was closed. TCP_IP_CONNECTION_ACCEPTED: TCP/IP connection was accepted. REGISTRY_KEY_CREATED: new registry key was created. REGISTRY_KEY_DELETED: existing registry key was deleted. REGISTRY_KEY_VALUE_SET: new registry key value added/modified. REGISTRY_KEY_VALUE_DELETED: existing registry key value deleted. HTTP_REQUEST_SENT: some HTTP request is sent, which can mean that a browser is opening some website. REGISTRY_KEY_RENAMED: existing registry key renamed. EXECUTABLE_FILE_DROPPED: executable file was written to the disk. SHARED_LIBRARY_LOADED_BEFORE_DATA_COLLECTION: some shared DLL was loaded before data collection started; DEPRECATED in favor of LIBRARY_LOADED_BEFORE_DATA_COLLECTION. LIBRARY_LOADED_BEFORE_DATA_COLLECTION: some DLL was loaded before data collection started. DYNAMIC_SHARED_LIBRARY_LOADED: some process loaded a DLL. DNS_RESOLVED: DNS resolution. USER_LOGGED_IN: user logged in. USER_LOGGED_OUT: user logged out. USER_ACTIVATED: disabled user was activated. USER_DISABLED: active user was disabled. USER_CREATED: new user was created. USER_DELETED: user was deleted. USER_ADDED_TO_GROUP: user added to a specific group. USER_REMOVED_FROM_GROUP: user was removed from a specific group. AMSI_TRIGGERED: AMSI (Antimalware Scan Interface) was executed. WMI_AUTO_EXECUTED_PERSISTENCE: WMI (Windows Management Instrumentation) persistence on execution, which means that a specific piece of code or a script continues to execute or re-executes even after a system reboot. WMI_EXECUTED_PROCESS: process was started or triggered by Windows Management Instrumentation (WMI). WMI_QUERY_DISPLAYED: WMI query has been executed; this might occur in a system monitoring tool, a script, or a log where the output of a WMI query is shown to the user or recorded for review. MONITORED_FILE_OPENED: opening a file for reading; triggered when a monitored file was read. Monitored files are those which contain either sensitive information or stored credentials, for example stored browser passwords, stored FTP client passwords, the AD database and so on. PROCESS_COMMUNICATION_USED_NAMED_PIPE: some process is trying to communicate with another process using named pipes. TCP_IP_NETWORK_PROTOCOL_IDENTIFIED: info received from the Firewall about the network protocols of the identified TCP connection, for example IMAP, POP3, RDP, RMI. DRIVER_LOADED: driver was loaded. DRIVER_UNLOADED: driver was unloaded. FILE_MARKED_EXECUTABLE: file was marked as executable. SYSTEM_CALLED_API: monitoring of API calls commonly used by malware. MULTIPLE_FILES_CHANGED: information from Ransomware Shield that something changed multiple files in a short time range. WINDOWS_SERVICE_INSTALLED: Windows service has been installed. WINDOWS_SERVICE_STARTED: Windows service started. WINDOWS_SERVICE_MODIFIED: Windows service has been changed or modified. WINDOWS_SERVICE_STOPPED: Windows service stopped. WINDOWS_SERVICE_REMOVED: Windows service has been removed or uninstalled. SCHEDULED_TASK_ADDED: scheduled task has been added. SCHEDULED_TASK_STARTED: scheduled task started. SCHEDULED_TASK_MODIFIED: scheduled task has been changed or modified. SCHEDULED_TASK_REMOVED: scheduled task has been removed. CHILD_PROCESS_STARTED: child process was created. CHILD_PROCESS_STARTED_BEFORE_DATA_COLLECTION: child process was started before data collection started.",
        "default": "UNSPECIFIED",
        "enum": [
          "UNSPECIFIED",
          "PROCESS_STARTED",
          "PROCESS_TERMINATED",
          "PROCESS_STARTED_BEFORE_DATA_COLLECTION",
          "PROCESS_ENDED_BEFORE_DATA_COLLECTION",
          "PROCESS_EXECUTED",
          "CODE_INJECTED",
          "PROCESS_OPENED",
          "FILE_DELETED",
          "FILE_RENAMED",
          "FILE_REWRITTEN",
          "UNSAVED_FILE_DELETED_ON_CLOSE",
          "FILE_TRUNCATED",
          "TCP_IP_CONNECTED",
          "TCP_IP_DISCONNECTED",
          "TCP_IP_CONNECTION_ACCEPTED",
          "REGISTRY_KEY_CREATED",
          "REGISTRY_KEY_DELETED",
          "REGISTRY_KEY_VALUE_SET",
          "REGISTRY_KEY_VALUE_DELETED",
          "HTTP_REQUEST_SENT",
          "REGISTRY_KEY_RENAMED",
          "EXECUTABLE_FILE_DROPPED",
          "SHARED_LIBRARY_LOADED_BEFORE_DATA_COLLECTION",
          "LIBRARY_LOADED_BEFORE_DATA_COLLECTION",
          "DYNAMIC_SHARED_LIBRARY_LOADED",
          "DNS_RESOLVED",
          "USER_LOGGED_IN",
          "USER_LOGGED_OUT",
          "USER_ACTIVATED",
          "USER_DISABLED",
          "USER_CREATED",
          "USER_DELETED",
          "USER_ADDED_TO_GROUP",
          "USER_REMOVED_FROM_GROUP",
          "AMSI_TRIGGERED",
          "WMI_AUTO_EXECUTED_PERSISTENCE",
          "WMI_EXECUTED_PROCESS",
          "WMI_QUERY_DISPLAYED",
          "MONITORED_FILE_OPENED",
          "PROCESS_COMMUNICATION_USED_NAMED_PIPE",
          "TCP_IP_NETWORK_PROTOCOL_IDENTIFIED",
          "DRIVER_LOADED",
          "DRIVER_UNLOADED",
          "FILE_MARKED_EXECUTABLE",
          "SYSTEM_CALLED_API",
          "MULTIPLE_FILES_CHANGED",
          "WINDOWS_SERVICE_INSTALLED",
          "WINDOWS_SERVICE_STARTED",
          "WINDOWS_SERVICE_MODIFIED",
          "WINDOWS_SERVICE_STOPPED",
          "WINDOWS_SERVICE_REMOVED",
          "SCHEDULED_TASK_ADDED",
          "SCHEDULED_TASK_STARTED",
          "SCHEDULED_TASK_MODIFIED",
          "SCHEDULED_TASK_REMOVED",
          "CHILD_PROCESS_STARTED",
          "CHILD_PROCESS_STARTED_BEFORE_DATA_COLLECTION"
        ]
      },
      "data": []
    },
    "typeName": {
      "type": "string",
      "description": "Human-friendly type of the detection. Examples: 'Potentially unwanted application', 'Trojan', 'Test file', 'TCP Port scanning attack'. Deprecated in favor of the enumerated type."
    },
    "userName": {
      "type": "string",
      "description": "User name in whose context the detection occurred. It is an arbitrary string; for example, on Windows: https://docs.microsoft.com/en-us/windows/win32/secauthn/user-name-formats"
    },
    "uuid": {
      "type": "string",
      "description": "Unique identifier of the entity. Must be collision-free: two identifiers created anywhere in the world must not collide within the entity's parent scope. Unless a member of an aggregate, the entity scope is always global. Although most of the time compliant with RFC 4122 (A Universally Unique IDentifier (UUID) URN Namespace), do not rely on it being an RFC UUID; treat it as an opaque identifier. An RFC UUID can be recognized by being formatted according to the template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on Wikipedia. The UUID is used for referencing an entity, even across domains. Example: '123e4567-e89b-12d3-a456-426614174000'"
    }
  }
}

202

Response took too long; request cached. Response can be retrieved later using the response-id header.

null
[]

400

One of the errors: 1. Bad or missing authorization. 2. Validation error. Invalid argument provided.

null
[]

401

Token has expired or is invalid.

null
[]

403

Access denied. Check permissions.

null
[]

404

Requested resource not found.

null
[]

429

Rate limit reached. Try again later.

null
[]

500

Internal server failure. Try again later.

null
[]

502

Internal server failure. Try again later.

null
[]

503

Environment under maintenance. Try again later.

null
[]

504

Action took too long; timeout reached.

null
[]