GET Get EDR rule

Relative path: /v2/edr-rules/{ruleUuid}

Get [EDR rule] details.

Base URL for Europe, Germany, United States, Canada and Japan regions:






Parameters in path

Name: ruleUuid
Type: string
Required: Yes
Description: Reference to the rule. type: EdrRule



Responses

200

Successful response.


Response example

{
  "rule": {
    "displayName": "string",
    "enabled": true,
    "scopes": [
      {
        "deviceUuid": "string",
        "deviceGroupUuid": "string"
      }
    ],
    "severityLevel": "SEVERITY_LEVEL_UNSPECIFIED",
    "severityScore": 0,
    "xmlDefinition": "string",
    "uuid": "string",
    "authorUuid": "string",
    "editorUuid": "string"
  }
}


Response schema

{
  "$ref": "v2GetEdrRuleResponse",
  "rule": {
    "$ref": "v2EdrRule",
    "description": "[EDR rule] where actions are executed based on the criteria. [EDR rule] defines one or more actions executed as a result of suspicious activity.",
    "displayName": {
      "type": "string",
      "description": "User-friendly name of the [rule]. The value is derived from the description/name value in xml_definition.",
      "readOnly": true
    },
    "enabled": {
      "type": "boolean",
      "description": "If enabled, the rule is used for matching."
    },
    "scopes": [
      {
        "$ref": "v2EdrRuleScope",
        "description": "Scope for which the rule (exclusion) is applicable.",
        "deviceUuid": {
          "type": "string",
          "description": "Reference to the device for which the rule is applicable. type: device_management.v1.Device"
        },
        "deviceGroupUuid": {
          "type": "string",
          "description": "Reference to the device_group for which the rule is applicable. type: device_management.v1.DeviceGroup"
        }
      }
    ],
    "severityLevel": {
      "$ref": "dotnodwell_known_typesv1SeverityLevel",
      "type": "string",
      "description": "Severity levels abstracted to cover all the possible GUIs. Vocabulary is leaving interpretation of severity level completely to API client. This approach is inevitable on SIEM level as there are many contributing sources. Keeping the local names for severity levels never fits all the GUIs. SEVERITY_LEVEL_UNSPECIFIED: fallback SEVERITY_LEVEL_DIAGNOSTIC: In some GUIs known Debug SEVERITY_LEVEL_INFORMATIONAL: In some GUIs known as Info or Information SEVERITY_LEVEL_LOW: In some GUIs known Warning SEVERITY_LEVEL_MEDIUM: In some GUIs known as Error or Threat SEVERITY_LEVEL_HIGH: In some GUIs known as Critical",
      "default": "SEVERITY_LEVEL_UNSPECIFIED",
      "enum": [
        "SEVERITY_LEVEL_UNSPECIFIED",
        "SEVERITY_LEVEL_DIAGNOSTIC",
        "SEVERITY_LEVEL_INFORMATIONAL",
        "SEVERITY_LEVEL_LOW",
        "SEVERITY_LEVEL_MEDIUM",
        "SEVERITY_LEVEL_HIGH"
      ]
    },
    "severityScore": {
      "type": "integer",
      "description": "The integer representation of the severity level to be comparable in queries. For example, 'severity_score > 10'. The value is derived from the severity_score value in xml_definition. The severity score is a number from 1 to 100 mapped to the severity level as follows: 1 - 49 = LOW 50 - 59 = MEDIUM (also known as Warning) 60 - 100 = HIGH (also known as Threat)",
      "format": "int64",
      "readOnly": true
    },
    "xmlDefinition": {
      "type": "string",
      "description": "Definition of the rule in XML language. Specification of the format is in ESET Inspect On-Prem: Rules guide. XML definition must be valid according to this specification for the [EDR rule] to be valid."
    },
    "uuid": {
      "type": "string",
      "description": "Unique identifier of the entity. Must be collision-free - two identifiers created anywhere in the world must not collide within entity parent scope. Unless a member of aggregate, the entity scope is always global. Although most of the times compliant with RFC 4122: A Universally Unique IDentifier (UUID) URN Namespace, do not rely on it being a RFC UUID. Treat it as an opaque identifier. RFC UUID can be recognized by being formatted according to the template xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx, as explained on Wikipedia. UUID is used for referencing an entity, even across domains. Example: '123e4567-e89b-12d3-a456-426614174000'",
      "readOnly": true
    },
    "authorUuid": {
      "type": "string",
      "description": "Principal responsible for the first revision of the entity. It might be the identification of the user.",
      "readOnly": true
    },
    "editorUuid": {
      "type": "string",
      "description": "Principal responsible for the revision of the entity. It might be the identification of the user. Every revision might have a different editor. For non-revisioned entities, the editor denotes the author of the last revision. For just-created entities, author and editor are the same.",
      "readOnly": true
    }
  }
}


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

202

Response took too long; request cached. Response can be retrieved later using the response-id header.


Response schema

[]


Headers

{
  "response-id": {
    "description": "Unique ID of a pending request. Used to retrieve cached result.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  },
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

400

One of the errors: 1. Bad or missing authorization. 2. Validation error. Invalid argument provided.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

401

Token has expired or is invalid.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

403

Access denied. Check permissions.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

404

Requested resource not found.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

429

Rate limit reached. Try again later.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

500

Internal server failure. Try again later.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

502

Internal server failure. Try again later.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

503

Environment under maintenance. Try again later.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}

504

Action took too long; timeout reached.


Response schema

[]


Headers

{
  "request-id": {
    "description": "Unique ID of the request. Include in support requests.",
    "style": "simple",
    "explode": false,
    "schema": {
      "type": "string",
      "format": "uuid"
    }
  }
}
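
Added example (not ESET's code and not part of the original reference): one way a client could triage the status codes listed above and check the returned rule against the documented severityScore bands. The action names, helper names and sample values are assumptions made for illustration, as is the mapping of the LOW/MEDIUM/HIGH bands to the SEVERITY_LEVEL_* enum values. How a cached 202 result is fetched with response-id is not described on this page, so the code only returns the id.

```python
import json

# Score bands from the severityScore description; enum mapping is assumed.
SCORE_BANDS = [(1, 49, "SEVERITY_LEVEL_LOW"), (50, 59, "SEVERITY_LEVEL_MEDIUM"),
               (60, 100, "SEVERITY_LEVEL_HIGH")]
# Only the codes the page marks "Try again later"; 504 is not one of them.
RETRY_LATER = {429, 500, 502, 503}

def level_for_score(score):
    # Returns None for scores outside the documented 1-100 range.
    for low, high, level in SCORE_BANDS:
        if low <= score <= high:
            return level
    return None

def triage(status, headers, body):
    """Return (action, detail) for one GET /v2/edr-rules/{ruleUuid} reply."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return "ok", json.loads(body)["rule"]
    if status == 202:  # cached: keep response-id to fetch the result later
        return "pending", hdrs.get("response-id")
    if status == 401:  # token expired or invalid
        return "reauthenticate", hdrs.get("request-id")
    if status in RETRY_LATER:
        return "retry", hdrs.get("request-id")
    return "fail", hdrs.get("request-id")  # 400, 403, 404, 504, unknown

def audit_rule(rule, requested_uuid):
    """List findings a detection engineer would want surfaced."""
    findings = []
    if rule.get("uuid") != requested_uuid:  # opaque string compare only
        findings.append("uuid differs from the requested ruleUuid")
    if not rule.get("enabled", False):
        findings.append("rule is disabled and is not used for matching")
    score = rule.get("severityScore", 0)
    expected = level_for_score(score)
    if expected is None:
        findings.append(f"severityScore {score} is outside 1-100")
    elif rule.get("severityLevel") != expected:
        findings.append(f"severityLevel does not match score {score} ({expected})")
    return findings

# Constructed sample reply (not real tenant data).
SAMPLE_BODY = json.dumps({"rule": {
    "enabled": False, "uuid": "rule-placeholder",
    "severityLevel": "SEVERITY_LEVEL_HIGH", "severityScore": 55}})
if __name__ == "__main__":
    action, rule = triage(200, {"Request-Id": "req-placeholder"}, SAMPLE_BODY)
    print(action, audit_rule(rule, "rule-placeholder"))
```

For every non-200 outcome the detail value is the request-id (or response-id for 202), so it can be logged and quoted in a support request.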