Download quarantined objects

Relative path: /v1/quarantined-objects:download

Download quarantined objects matching criteria in the filter.

The response is ZIP archive of quarantined objects.

Info: modeled after https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/grpc_json_transcoder_filter#sending-arbitrary-content and https://github.com/googleapis/googleapis/blob/master/google/api/httpbody.proto

Request body

Display Schema instead of an Example or vice-versa

Type	Required	Example	Schema
application/json	No	{ "excludedObjectUuids": [ "string" ], "filter": { "cloudOfficeTenantUuid": "string", "emailInternetMessageId": "string", "emailRecipient": "string", "emailSender": "string", "emailSubject": "string", "fileName": "string", "msSharepointRootSiteUuid": "string", "msTeamsTeamUuid": "string", "objectOrigin": "OBJECT_ORIGIN_UNSPECIFIED", "objectType": "QUARANTINED_OBJECT_TYPE_UNSPECIFIED", "quarantineReason": "QUARANTINE_REASON_UNSPECIFIED", "quarantineTime": { "startTime": "string", "endTime": "string" }, "userUuid": "string" } }	{ "$ref": "v1DownloadQuarantinedObjectsRequest", "excludedObjectUuids": [ { "type": "string" } ], "filter": { "$ref": "v1QuarantineFilter", "description": "Quarantine filter. Every entry can be seen as a condition. If multiple conditions are filled, they are used in filtering expression with AND operator (i.e. they must be fulfilled simultaneously).", "cloudOfficeTenantUuid": { "type": "string", "description": "Reference to [cloud office tenant]. If filled, only objects of referred tenant are returned. If empty or null, objects of any tenant are returned. type: cloud_office_protection.v1.CloudOfficeTenant" }, "emailInternetMessageId": { "type": "string", "description": "If filled, only messages with this Message-ID would be returned. If empty or '', messages with any Message-ID would be returned." }, "emailRecipient": { "type": "string", "description": "If given, only emails with given email address in recipients would be returned. If empty or '', emails for all the recipients would be included in the response. 0..100 characters" }, "emailSender": { "type": "string", "description": "If given, only emails from given email address would be returned. If empty or '', all the senders would be included in the response. 0..100 characters" }, "emailSubject": { "type": "string", "description": "If given, only emails subject containing this string would be returned. If empty or '', emails with any subject would be included in the response. 0..100 characters" }, "fileName": { "type": "string", "description": "If given, only quarantined files with path terminated with this string would be returned. If empty or '', files of all the names would be returned." }, "msSharepointRootSiteUuid": { "type": "string", "description": "Reference to [Microsoft Sharepoint root site]. If filled, only objects belonging to given site or its child-sites are returned. If empty or '', objects of all the sites are returned. type: eset.dotnod.quarantine_management.v1-alpha.MicrosoftSharepointSite" }, "msTeamsTeamUuid": { "type": "string", "description": "Reference to [Microsoft Teams team]. type: eset.dotnod.quarantine_management.v1-alpha.MicrosoftTeamsTeam" }, "objectOrigin": { "$ref": "v1ObjectOrigin", "type": "string", "description": "Object origin denotes a system managing object's life-cycle. This is necessary to be known for actions that manipulate with object, such as delete, quarantine, move and so on. OBJECT_ORIGIN_UNSPECIFIED: fallback OBJECT_ORIGIN_MS_OFFICE365: Object originates in Microsoft Office 365. OBJECT_ORIGIN_GOOGLE_WORKSPACE: Object originates in Google Workspace. OBJECT_ORIGIN_DEVICE: Object originates from a device.", "default": "OBJECT_ORIGIN_UNSPECIFIED", "enum": [ "OBJECT_ORIGIN_UNSPECIFIED", "OBJECT_ORIGIN_MS_OFFICE365", "OBJECT_ORIGIN_GOOGLE_WORKSPACE", "OBJECT_ORIGIN_DEVICE" ] }, "objectType": { "$ref": "v1QuarantinedObjectType", "type": "string", "description": "Possible types of object. QUARANTINED_OBJECT_TYPE_UNSPECIFIED: fallback QUARANTINED_OBJECT_TYPE_EMAIL_MESSAGE: Object is email message. QUARANTINED_OBJECT_TYPE_EMAIL_ATTACHMENT: Object is email attachment. QUARANTINED_OBJECT_TYPE_FILE_ON_DRIVE: Object is a file on drive.", "default": "QUARANTINED_OBJECT_TYPE_UNSPECIFIED", "enum": [ "QUARANTINED_OBJECT_TYPE_UNSPECIFIED", "QUARANTINED_OBJECT_TYPE_EMAIL_MESSAGE", "QUARANTINED_OBJECT_TYPE_EMAIL_ATTACHMENT", "QUARANTINED_OBJECT_TYPE_FILE_ON_DRIVE" ] }, "quarantineReason": { "$ref": "v1QuarantineReason", "type": "string", "description": "Reasons for object being quarantined. QUARANTINE_REASON_UNSPECIFIED: fallback QUARANTINE_REASON_MALWARE: Object was identified as malware or as containing malware. QUARANTINE_REASON_GRAYWARE: The object was identified as grayware, or as containing grayware. Grayware refers to potentially unwanted programs or files that, while not explicitly malicious, can negatively impact system performance or user experience. QUARANTINE_REASON_PHISHING: Object (mostly email) was identified as phishing. QUARANTINE_REASON_SPAM: Object (mostly email) was identified as unsolicited or spam .", "default": "QUARANTINE_REASON_UNSPECIFIED", "enum": [ "QUARANTINE_REASON_UNSPECIFIED", "QUARANTINE_REASON_MALWARE", "QUARANTINE_REASON_GRAYWARE", "QUARANTINE_REASON_PHISHING", "QUARANTINE_REASON_SPAM" ] }, "quarantineTime": { "$ref": "typeInterval", "description": "Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time.", "startTime": { "type": "string", "description": "Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.", "format": "date-time" }, "endTime": { "type": "string", "description": "Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.", "format": "date-time" } }, "userUuid": { "type": "string", "description": "This is a reference to the user associated with the quarantined object through ownership of its storage. If filled for a file, only the files on a cloud drive owned by the given user are included in the response. If filled for a mail, only the files in a mailbox owned by the given user are included in the response. If null or empty, quarantined objects associated with any user and accessible to the caller will be included in the response. type: user_management.v1.User" } } }

Type

Required

Example

Schema

application/json

{
  "excludedObjectUuids": [
    "string"
  ],
  "filter": {
    "cloudOfficeTenantUuid": "string",
    "emailInternetMessageId": "string",
    "emailRecipient": "string",
    "emailSender": "string",
    "emailSubject": "string",
    "fileName": "string",
    "msSharepointRootSiteUuid": "string",
    "msTeamsTeamUuid": "string",
    "objectOrigin": "OBJECT_ORIGIN_UNSPECIFIED",
    "objectType": "QUARANTINED_OBJECT_TYPE_UNSPECIFIED",
    "quarantineReason": "QUARANTINE_REASON_UNSPECIFIED",
    "quarantineTime": {
      "startTime": "string",
      "endTime": "string"
    },
    "userUuid": "string"
  }
}

{
  "$ref": "v1DownloadQuarantinedObjectsRequest",
  "excludedObjectUuids": [
    {
      "type": "string"
    }
  ],
  "filter": {
    "$ref": "v1QuarantineFilter",
    "description": "Quarantine filter. Every entry can be seen as a condition. If multiple conditions are filled, they are used in filtering expression with AND operator (i.e. they must be fulfilled simultaneously).",
    "cloudOfficeTenantUuid": {
      "type": "string",
      "description": "Reference to [cloud office tenant]. If filled, only objects of referred tenant are returned. If empty or null, objects of any tenant are returned. type: cloud_office_protection.v1.CloudOfficeTenant"
    },
    "emailInternetMessageId": {
      "type": "string",
      "description": "If filled, only messages with this Message-ID would be returned. If empty or '', messages with any Message-ID would be returned."
    },
    "emailRecipient": {
      "type": "string",
      "description": "If given, only emails with given email address in recipients would be returned. If empty or '', emails for all the recipients would be included in the response. 0..100 characters"
    },
    "emailSender": {
      "type": "string",
      "description": "If given, only emails from given email address would be returned. If empty or '', all the senders would be included in the response. 0..100 characters"
    },
    "emailSubject": {
      "type": "string",
      "description": "If given, only emails subject containing this string would be returned. If empty or '', emails with any subject would be included in the response. 0..100 characters"
    },
    "fileName": {
      "type": "string",
      "description": "If given, only quarantined files with path terminated with this string would be returned. If empty or '', files of all the names would be returned."
    },
    "msSharepointRootSiteUuid": {
      "type": "string",
      "description": "Reference to [Microsoft Sharepoint root site]. If filled, only objects belonging to given site or its child-sites are returned. If empty or '', objects of all the sites are returned. type: eset.dotnod.quarantine_management.v1-alpha.MicrosoftSharepointSite"
    },
    "msTeamsTeamUuid": {
      "type": "string",
      "description": "Reference to [Microsoft Teams team]. type: eset.dotnod.quarantine_management.v1-alpha.MicrosoftTeamsTeam"
    },
    "objectOrigin": {
      "$ref": "v1ObjectOrigin",
      "type": "string",
      "description": "Object origin denotes a system managing object's life-cycle. This is necessary to be known for actions that manipulate with object, such as delete, quarantine, move and so on. OBJECT_ORIGIN_UNSPECIFIED: fallback OBJECT_ORIGIN_MS_OFFICE365: Object originates in Microsoft Office 365. OBJECT_ORIGIN_GOOGLE_WORKSPACE: Object originates in Google Workspace. OBJECT_ORIGIN_DEVICE: Object originates from a device.",
      "default": "OBJECT_ORIGIN_UNSPECIFIED",
      "enum": [
        "OBJECT_ORIGIN_UNSPECIFIED",
        "OBJECT_ORIGIN_MS_OFFICE365",
        "OBJECT_ORIGIN_GOOGLE_WORKSPACE",
        "OBJECT_ORIGIN_DEVICE"
      ]
    },
    "objectType": {
      "$ref": "v1QuarantinedObjectType",
      "type": "string",
      "description": "Possible types of object. QUARANTINED_OBJECT_TYPE_UNSPECIFIED: fallback QUARANTINED_OBJECT_TYPE_EMAIL_MESSAGE: Object is email message. QUARANTINED_OBJECT_TYPE_EMAIL_ATTACHMENT: Object is email attachment. QUARANTINED_OBJECT_TYPE_FILE_ON_DRIVE: Object is a file on drive.",
      "default": "QUARANTINED_OBJECT_TYPE_UNSPECIFIED",
      "enum": [
        "QUARANTINED_OBJECT_TYPE_UNSPECIFIED",
        "QUARANTINED_OBJECT_TYPE_EMAIL_MESSAGE",
        "QUARANTINED_OBJECT_TYPE_EMAIL_ATTACHMENT",
        "QUARANTINED_OBJECT_TYPE_FILE_ON_DRIVE"
      ]
    },
    "quarantineReason": {
      "$ref": "v1QuarantineReason",
      "type": "string",
      "description": "Reasons for object being quarantined. QUARANTINE_REASON_UNSPECIFIED: fallback QUARANTINE_REASON_MALWARE: Object was identified as malware or as containing malware. QUARANTINE_REASON_GRAYWARE: The object was identified as grayware, or as containing grayware. Grayware refers to potentially unwanted programs or files that, while not explicitly malicious, can negatively impact system performance or user experience. QUARANTINE_REASON_PHISHING: Object (mostly email) was identified as phishing. QUARANTINE_REASON_SPAM: Object (mostly email) was identified as unsolicited or spam .",
      "default": "QUARANTINE_REASON_UNSPECIFIED",
      "enum": [
        "QUARANTINE_REASON_UNSPECIFIED",
        "QUARANTINE_REASON_MALWARE",
        "QUARANTINE_REASON_GRAYWARE",
        "QUARANTINE_REASON_PHISHING",
        "QUARANTINE_REASON_SPAM"
      ]
    },
    "quarantineTime": {
      "$ref": "typeInterval",
      "description": "Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time.",
      "startTime": {
        "type": "string",
        "description": "Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.",
        "format": "date-time"
      },
      "endTime": {
        "type": "string",
        "description": "Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.",
        "format": "date-time"
      }
    },
    "userUuid": {
      "type": "string",
      "description": "This is a reference to the user associated with the quarantined object through ownership of its storage. If filled for a file, only the files on a cloud drive owned by the given user are included in the response. If filled for a mail, only the files in a mailbox owned by the given user are included in the response. If null or empty, quarantined objects associated with any user and accessible to the caller will be included in the response. type: user_management.v1.User"
    }
  }
}

Responses

Display Schema instead of an Example or vice-versa

Code	Description	Example	Schema
200	A successful response.(streaming responses)	"string"	{ "title": "Free form byte stream", "type": "string", "format": "binary" }
default	An unexpected error response.	{ "code": 0, "message": "string", "details": [ { "@type": "string" } ] }	{ "$ref": "rpcStatus", "code": { "type": "integer", "format": "int32" }, "message": { "type": "string" }, "details": [ { "$ref": "protobufAny", "description": "Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message. Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type. Example 1: Pack and unpack a message in C++. Foo foo = ...; Any any; any.PackFrom(foo); ... if (any.UnpackTo(&foo)) { ... } Example 2: Pack and unpack a message in Java. Foo foo = ...; Any any = Any.pack(foo); ... if (any.is(Foo.class)) { foo = any.unpack(Foo.class); } // or ... if (any.isSameTypeAs(Foo.getDefaultInstance())) { foo = any.unpack(Foo.getDefaultInstance()); } Example 3: Pack and unpack a message in Python. foo = Foo(...) any = Any() any.Pack(foo) ... if any.Is(Foo.DESCRIPTOR): any.Unpack(foo) ... Example 4: Pack and unpack a message in Go foo := &pb.Foo{...} any, err := anypb.New(foo) if err != nil { ... } ... foo := &pb.Foo{} if err := any.UnmarshalTo(foo); err != nil { ... } The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example 'foo.bar.com/x/y.z' will yield type name 'y.z'. JSON The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: package google.profile; message Person { string first_name = 1; string last_name = 2; } { '@type': 'type.googleapis.com/google.profile.Person', 'firstName': <string>, 'lastName': <string> } If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): { '@type': 'type.googleapis.com/google.protobuf.Duration', 'value': '1.212s' }", "@type": { "type": "string", "description": "A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one '/' character. The last segment of the URL's path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading '.' is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: If no scheme is provided, https is assumed. An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics." } } ] }
202	Response took too long and the request was cached.	null	[]

Code

Description

Example

Schema

200

A successful response.(streaming responses)

"string"

{
  "title": "Free form byte stream",
  "type": "string",
  "format": "binary"
}

default

An unexpected error response.

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

{
  "$ref": "rpcStatus",
  "code": {
    "type": "integer",
    "format": "int32"
  },
  "message": {
    "type": "string"
  },
  "details": [
    {
      "$ref": "protobufAny",
      "description": "Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message. Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type. Example 1: Pack and unpack a message in C++. Foo foo = ...; Any any; any.PackFrom(foo); ... if (any.UnpackTo(&foo)) { ... } Example 2: Pack and unpack a message in Java. Foo foo = ...; Any any = Any.pack(foo); ... if (any.is(Foo.class)) { foo = any.unpack(Foo.class); } // or ... if (any.isSameTypeAs(Foo.getDefaultInstance())) { foo = any.unpack(Foo.getDefaultInstance()); } Example 3: Pack and unpack a message in Python. foo = Foo(...) any = Any() any.Pack(foo) ... if any.Is(Foo.DESCRIPTOR): any.Unpack(foo) ... Example 4: Pack and unpack a message in Go foo := &pb.Foo{...} any, err := anypb.New(foo) if err != nil { ... } ... foo := &pb.Foo{} if err := any.UnmarshalTo(foo); err != nil { ... } The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example 'foo.bar.com/x/y.z' will yield type name 'y.z'. JSON The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: package google.profile; message Person { string first_name = 1; string last_name = 2; } { '@type': 'type.googleapis.com/google.profile.Person', 'firstName': <string>, 'lastName': <string> } If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): { '@type': 'type.googleapis.com/google.protobuf.Duration', 'value': '1.212s' }",
      "@type": {
        "type": "string",
        "description": "A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one '/' character. The last segment of the URL's path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading '.' is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: If no scheme is provided, https is assumed. An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics."
      }
    }
  ]
}

202

Response took too long and the request was cached.

null

[]

˄˅