EDR API Documentation v0.0.2
Scroll down for code samples, example requests and responses. Select a language for code samples from the tabs above or the mobile navigation menu.
EDR Investigation API
Base URLs:
Authentication
- HTTP Authentication, scheme: bearer
Default
Get Processes
Code samples
# You can also use wget
curl -X GET https://api.cwatchedr.com/process \
-H 'Accept: application/json' \
-H 'Authorization: Bearer {access-token}'
GET /process
This API returns list of processes doing filtering on the process properties or their events
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| process_hash | query | string(sha1) | false | Filters processes with specified SHA1 hash |
| process_user | query | string | false | Filters processes with specified owner user |
| process_name | query | string | false | Filters processes with specified name |
| pid | query | number(int32) | false | Filters processes which has specified PID |
| file_hash | query | string(sha1) | false | Filters processes which created/modified a file with specified SHA1 Hash |
| file_name | query | string | false | Filters processes which created/modified a file with specified name |
| destination_ip | query | string(ipv4) | false | Filters processes which communicated with specified IP address |
| device_name | query | string | false | Filters processes which ran in specified device |
Example responses
200 Response
[
{
"id": "string",
"pid": 0,
"process_name": "string",
"process_path": "string",
"device_name": "string",
"process_user": "string",
"process_hash": "string"
}
]
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of matched processes | Inline |
Response Schema
Status Code 200
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » id | string | false | none | none |
| » pid | number(int32) | false | none | none |
| » process_name | string | false | none | none |
| » process_path | string | false | none | none |
| » device_name | string | false | none | none |
| » process_user | string | false | none | none |
| » process_hash | string | false | none | none |
Get Endpoints
Code samples
# You can also use wget
curl -X GET https://api.cwatchedr.com/endpoint \
-H 'Accept: application/json' \
-H 'Authorization: Bearer {access-token}'
GET /endpoint
Returns a list of endpoints that match the user defined criteria.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| device_name | query | string | false | Filters endpoints with specified name |
| endpointIDs | query | array[integer] | false | Filters endpoints with integer endpoint ids. |
| status | query | string | false | Filters endpoints with specified status |
Enumerated Values
| Parameter | Value |
|---|---|
| status | online |
| status | offline |
| status | disconnected |
Example responses
200 Response
{
"endpoints": [
{
"endpointID": "string",
"device_name": "string",
"version": "string",
"operating_system": "string",
"logged_on_user": "string",
"status": "string"
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of endpoints | Inline |
Response Schema
Status Code 200
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » endpoints | [object] | false | none | none |
| »» endpointID | string | false | none | none |
| »» device_name | string | false | none | none |
| »» version | string | false | none | none |
| »» operating_system | string | false | none | none |
| »» logged_on_user | string | false | none | none |
| »» status | string | false | none | none |
Get Verdict
Code samples
# You can also use wget
curl -X GET https://api.cwatchedr.com/hash/verdict?hash=string \
-H 'Accept: application/json' \
-H 'Authorization: Bearer {access-token}'
GET /hash/verdict
Returns the Comodo verdict of the given hash. 0-Unknown, 1-Safe, 2-Malware, 3-Unknown
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| hash | query | string(sha1) | true | SHA1 hash |
Example responses
200 Response
{
"hash": "string",
"verdict": 0
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON object of the verdict with SHA1 hash | Inline |
Response Schema
Status Code 200
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » hash | string | false | none | none |
| » verdict | number | false | none | none |
Get File Names
Code samples
# You can also use wget
curl -X GET https://api.cwatchedr.com/hash/name?hash=string \
-H 'Accept: application/json' \
-H 'Authorization: Bearer {access-token}'
GET /hash/name
Returns the observed file names for the given hash
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| hash | query | string(sha1) | true | SHA1 hash |
Example responses
200 Response
[
"string"
]
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of the file names of SHA1 hash | Inline |
Response Schema
Get Seen On Devices
Code samples
# You can also use wget
curl -X GET https://api.cwatchedr.com/hash/seenon?hash=string \
-H 'Accept: application/json' \
-H 'Authorization: Bearer {access-token}'
GET /hash/seenon
Returns the list of seen on devices for the given hash
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| hash | query | string(sha1) | true | SHA1 hash |
Example responses
200 Response
[
0
]
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of the endpointIDs | Inline |
Response Schema
Get Alerts
Code samples
# You can also use wget
curl -X GET https://api.cwatchedr.com/alert?alertTime=0&scoreMin=0&scoreMax=0 \
-H 'Accept: application/json' \
-H 'Authorization: Bearer {access-token}'
GET /alert
Returns the list of alerts with given parameters
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| alertTime | query | integer | true | Filters alerts from given alert time |
| scoreMin | query | integer | true | number |
| scoreMax | query | integer | true | number |
| endpointID | query | integer | false | endpointID |
| search | query | string | false | Filters alerts with specified search value |
| processPath | query | string | false | Filters alerts with specified process path |
| user | query | string | false | Filters alerts with specified owner user |
| dismissed | query | boolean | false | boolean |
| status | query | integer | false | Filters alerts with specified alert status |
| policyID | query | integer | false | Filters alerts with specified policy id |
Enumerated Values
| Parameter | Value |
|---|---|
| dismissed | true |
| dismissed | false |
| dismissed | null |
Example responses
200 Response
{
"items": [
{
"customerID": 0,
"timestamp": 0,
"endpointID": 0,
"data": {},
"expirationDate": 0,
"isActive": true
}
]
}
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of the alerts | Inline |
Response Schema
Status Code 200
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » items | [object] | false | none | none |
| »» customerID | integer | false | none | none |
| »» timestamp | integer | false | none | none |
| »» endpointID | integer | false | none | none |
| »» data | object | false | none | none |
| »» expirationDate | integer | false | none | none |
| »» isActive | boolean | false | none | none |
Post Alerts
Code samples
# You can also use wget
curl -X POST https://api.cwatchedr.com/alert \
-H 'Content-Type: application/json' \
-H 'edr-customerid: 0' \
-H 'Authorization: Bearer {access-token}'
POST /alert
Creates new alerts with given parameters
Body parameter
{
"alerts": [
{
"timestamp": 0,
"endpointID": 0,
"expirationDate": 0,
"isActive": true,
"alertName": "string",
"status": 0,
"userVerdict": true,
"type": 0,
"processHash": "string",
"processPath": "string",
"device": "string",
"user": "string",
"data": {
"childProcess": "string",
"score": 0,
"policyID": 0,
"policyName": "string",
"processInstanceID": "string",
"event": {
"process": {
"prcsInstanceID": "string",
"prcsPID": 0,
"prcsCreationTime": "string",
"prcsUserName": "string",
"prcsUserDomain": "string",
"prcsPath": "string",
"prcsHash": "string",
"prcsVerdict": 0,
"prcsDeviceName": "string",
"prcsLoggedOnUser": "string",
"prcsParentTree": [
{}
]
},
"eventTime": "string",
"eventGroup": 0,
"baseEventType": 0,
"adaptiveEventType": "string",
"endpointID": 0,
"customerID": 0,
"childPrcsInstanceID": "string",
"childPrcsPID": 0,
"childPrcsPath": "string",
"childPrcsElevationType": 0,
"childPrcsCmdLine": "string",
"childPrcsHash": "string",
"childPrcsVerdict": 0,
"childPrcsIsSigned": true,
"childPrcsIsPacked": true
}
}
}
]
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| body | body | object | false | none |
| » alerts | body | [object] | false | none |
| »» timestamp | body | integer | false | none |
| »» endpointID | body | integer | false | none |
| »» expirationDate | body | integer | false | none |
| »» isActive | body | boolean | false | none |
| »» alertName | body | string | false | none |
| »» status | body | integer | false | none |
| »» userVerdict | body | boolean | false | none |
| »» type | body | integer | false | none |
| »» processHash | body | string | false | none |
| »» processPath | body | string | false | none |
| »» device | body | string | false | none |
| »» user | body | string | false | none |
| »» data | body | object | false | none |
| »»» childProcess | body | string | false | none |
| »»» score | body | integer | false | none |
| »»» policyID | body | integer | false | none |
| »»» policyName | body | string | false | none |
| »»» processInstanceID | body | string | false | none |
| »»» event | body | object | false | none |
| »»»» process | body | object | false | none |
| »»»»» prcsInstanceID | body | string | false | none |
| »»»»» prcsPID | body | integer | false | none |
| »»»»» prcsCreationTime | body | string | false | none |
| »»»»» prcsUserName | body | string | false | none |
| »»»»» prcsUserDomain | body | string | false | none |
| »»»»» prcsPath | body | string | false | none |
| »»»»» prcsHash | body | string | false | none |
| »»»»» prcsVerdict | body | integer | false | none |
| »»»»» prcsDeviceName | body | string | false | none |
| »»»»» prcsLoggedOnUser | body | string | false | none |
| »»»»» prcsParentTree | body | [object] | false | none |
| »»»» eventTime | body | string | false | none |
| »»»» eventGroup | body | integer | false | none |
| »»»» baseEventType | body | integer | false | none |
| »»»» adaptiveEventType | body | string | false | none |
| »»»» endpointID | body | integer | false | none |
| »»»» customerID | body | integer | false | none |
| »»»» childPrcsInstanceID | body | string | false | none |
| »»»» childPrcsPID | body | integer | false | none |
| »»»» childPrcsPath | body | string | false | none |
| »»»» childPrcsElevationType | body | integer | false | none |
| »»»» childPrcsCmdLine | body | string | false | none |
| »»»» childPrcsHash | body | string | false | none |
| »»»» childPrcsVerdict | body | integer | false | none |
| »»»» childPrcsIsSigned | body | boolean | false | none |
| »»»» childPrcsIsPacked | body | boolean | false | none |
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | created | None |
Update Alerts
Code samples
# You can also use wget
curl -X PUT https://api.cwatchedr.com/alert \
-H 'Content-Type: application/json' \
-H 'edr-customerid: 0' \
-H 'Authorization: Bearer {access-token}'
PUT /alert
Updates alerts userVerdict and status values
Body parameter
{
"userVerdict": true,
"status": 0
}
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| body | body | object | false | none |
| » userVerdict | body | boolean | false | none |
| » status | body | integer | false | none |
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | updated | None |
Dismiss Alerts
Code samples
# You can also use wget
curl -X PUT https://api.cwatchedr.com/alert/dismiss/{alertID} \
-H 'edr-customerid: 0' \
-H 'Authorization: Bearer {access-token}'
PUT /alert/dismiss/{alertID}
Dismiss alerts for given alertID
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| alertID | path | string | true | none |
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | dismisses alert | None |
Report False Positive
Code samples
# You can also use wget
curl -X PUT https://api.cwatchedr.com/alert/{alertID}/report-false-positive \
-H 'edr-customerid: 0' \
-H 'Authorization: Bearer {access-token}'
PUT /alert/{alertID}/report-false-positive
To report alert as false /report-false-positive
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| alertID | path | string | true | none |
| userVerdict | query | boolean | false | none |
| feedback | query | string | false | none |
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | succesfully reports alert as false positive | None |
Close Positive
Code samples
# You can also use wget
curl -X PUT https://api.cwatchedr.com/alert/{alertID}/close \
-H 'edr-customerid: 0' \
-H 'Authorization: Bearer {access-token}'
PUT /alert/{alertID}/close
Close alerts
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| alertID | path | string | true | none |
| userVerdict | query | boolean | false | none |
| feedback | query | string | false | none |
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | succesfully closes alert | None |
Get Events
Code samples
# You can also use wget
curl -X GET https://api.cwatchedr.com/events \
-H 'Accept: application/json' \
-H 'edr-customerid: 0' \
-H 'Authorization: Bearer {access-token}'
GET /events
Returns the list of events with given parameters
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| from_time | query | integer | false | The beginning of the time to search events |
| to_time | query | integer | false | The ending of the time to search events |
| page_size | query | integer | false | The numbers of items to return |
| next_key | query | string | false | The event id to get next batch events |
| prev_key | query | string | false | The event id to get previous batch events |
| is_next | query | boolean | false | Markup next or previous results |
| q | query | string | false | You can use these fields with 'AND' conjunction : |
Detailed descriptions
q: You can use these fields with 'AND' conjunction :
| Field | Operator | Type | Values |
| event_group | =, != | enum | 'PROCESS', 'NETWORK', 'REGISTRY', 'FILE', 'DEFENSEPLUS','BROWSER' |
| adaptive_event_type | =, != | string | |
| id | = | string | |
| base_event_type | =, != | enum | 'Create Process', 'Network Listen', 'Network Connection', 'Delete Registry Key', 'Delete Registry Value', 'Set Registry Value', 'Write File', 'Delete File', 'Browser Download', 'File Copy from hared Folder', 'File Copy from USB Disk', 'Email Download', 'File Copy to Shared Folder', 'File Copy to USB Disk', 'Access Raw Disk', 'Access Keyboard', 'Access Screen', 'Set Windows Hook', Virtual Memory Access', 'Access Microphone', 'Code Injection', 'Open Process' |
| process_pid | =, != | number | |
| process_creation_time | =, !=, >, <, <=, >= | date-time | |
| process_path | =, !=, ~ | string | |
| process_user_name | =, !=, ~ | string | |
| process_user_domain | =, !=, ~ | string | |
| process_hash | =, != | string | |
| process_logged_on_user | =, !=, ~ | string | |
| process_device_name | =, !=, ~ | string | |
| child_process_pid | =, != | integer | |
| child_process_path | =, !=, ~ | string | |
| child_process_elevation_type | =, != | enum | 'TYPE0', 'TYPE1', 'TYPE2', 'TYPE3' |
| child_process_command_line | =, !=, ~ | string | |
| child_process_hash | =, != | string | |
| network_source_ip | =, != | ipv4 | |
| network_destination_ip | =, != | ipv4 | |
| network_source_port | =, != | integer | |
| network_destination_port | =, != | integer | |
| network_transfer_protocol | =, != | enum | 'NONE', 'TCP', 'UDP' |
| registry_value_name | =, != | string | |
| registry_key_path | =, !=, ~ | string | |
| registry_value_data | =, !=, ~ | string | |
| file_hash | =, != | string | |
| file_path | =, !=, ~ | string | |
| file_old_path | =, !=, ~ | string | |
| browser_download_url | =, !=, ~ | string | |
| browser_file_path | =, !=, ~ | string | |
| browser_file_hash | =, != | string | |
| target_name | =, !=, ~ | string |
Example responses
200 Response
[
{
"customer_id": 0,
"timestamp": 0,
"sequence": 0,
"base_event_type": 0,
"process_user_domain": "string",
"process_device_name": "string",
"endpoint_id": 0,
"event_group": 0,
"process_hash": "string",
"process_instance_id": "string",
"process_pid": 0,
"process_path": "string",
"process_parent_tree": [
{
"prcsPID": 0,
"prcsCreationTime": "string",
"prcsUserName": "string",
"prcsUserDomain": "string",
"prcsPath": "string",
"prcsHash": "string",
"prcsVerdict": 0
}
],
"process_creation_time": "string",
"process_logged_on_user": "string",
"process_user_name": "string",
"process_verdict": 0,
"child_process_instance_id": "string",
"child_process_pid": 0,
"child_process_path": "string",
"child_process_command_line": "string",
"child_process_elevation_type": 0,
"child_process_hash": "string",
"child_process_is_packed": true,
"child_process_is_signed": true,
"child_process_verdict": 0,
"event_time": "string",
"id": "string"
}
]
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of the events | Inline |
| 400 | Bad Request | Bad request. Invalid query string. | None |
Response Schema
Status Code 200
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » customer_id | integer | false | none | none |
| » timestamp | integer | false | none | none |
| » sequence | integer | false | none | none |
| » base_event_type | integer | false | none | none |
| » process_user_domain | string | false | none | none |
| » process_device_name | string | false | none | none |
| » endpoint_id | integer | false | none | none |
| » event_group | integer | false | none | none |
| » process_hash | string | false | none | none |
| » process_instance_id | string | false | none | none |
| » process_pid | integer | false | none | none |
| » process_path | string | false | none | none |
| » process_parent_tree | [object] | false | none | none |
| »» prcsPID | integer | false | none | none |
| »» prcsCreationTime | string | false | none | none |
| »» prcsUserName | string | false | none | none |
| »» prcsUserDomain | string | false | none | none |
| »» prcsPath | string | false | none | none |
| »» prcsHash | string | false | none | none |
| »» prcsVerdict | integer | false | none | none |
| » process_creation_time | string | false | none | none |
| » process_logged_on_user | string | false | none | none |
| » process_user_name | string | false | none | none |
| » process_verdict | integer | false | none | none |
| » child_process_instance_id | string | false | none | none |
| » child_process_pid | integer | false | none | none |
| » child_process_path | string | false | none | none |
| » child_process_command_line | string | false | none | none |
| » child_process_elevation_type | integer | false | none | none |
| » child_process_hash | string | false | none | none |
| » child_process_is_packed | boolean | false | none | none |
| » child_process_is_signed | boolean | false | none | none |
| » child_process_verdict | integer | false | none | none |
| » event_time | string | false | none | none |
| » id | string | false | none | none |
Get Events Detail
Code samples
# You can also use wget
curl -X GET https://api.cwatchedr.com/events/detail?ids=id1%2C%20id2 \
-H 'Accept: application/json' \
-H 'edr-customerid: 0' \
-H 'Authorization: Bearer {access-token}'
GET /events/detail
Returns the events detail with given parameters
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| ids | query | string | true | Numeric ID of the event to get. If you want to send multiple event id, should be seperated with comma |
Example responses
200 Response
[
{
"customer_id": 0,
"timestamp": 0,
"sequence": 0,
"base_event_type": 0,
"process_user_domain": "string",
"process_device_name": "string",
"endpoint_id": 0,
"event_group": 0,
"process_hash": "string",
"process_instance_id": "string",
"process_pid": 0,
"process_path": "string",
"process_parent_tree": [
{
"prcsPID": 0,
"prcsCreationTime": "string",
"prcsUserName": "string",
"prcsUserDomain": "string",
"prcsPath": "string",
"prcsHash": "string",
"prcsVerdict": 0
}
],
"process_creation_time": "string",
"process_logged_on_user": "string",
"process_user_name": "string",
"process_verdict": 0,
"child_process_instance_id": "string",
"child_process_pid": 0,
"child_process_path": "string",
"child_process_command_line": "string",
"child_process_elevation_type": 0,
"child_process_hash": "string",
"child_process_is_packed": true,
"child_process_is_signed": true,
"child_process_verdict": 0,
"event_time": "string",
"id": "string"
}
]
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of the events | Inline |
| 400 | Bad Request | Bad request. Invalid query string. | None |
Response Schema
Status Code 200
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » customer_id | integer | false | none | none |
| » timestamp | integer | false | none | none |
| » sequence | integer | false | none | none |
| » base_event_type | integer | false | none | none |
| » process_user_domain | string | false | none | none |
| » process_device_name | string | false | none | none |
| » endpoint_id | integer | false | none | none |
| » event_group | integer | false | none | none |
| » process_hash | string | false | none | none |
| » process_instance_id | string | false | none | none |
| » process_pid | integer | false | none | none |
| » process_path | string | false | none | none |
| » process_parent_tree | [object] | false | none | none |
| »» prcsPID | integer | false | none | none |
| »» prcsCreationTime | string | false | none | none |
| »» prcsUserName | string | false | none | none |
| »» prcsUserDomain | string | false | none | none |
| »» prcsPath | string | false | none | none |
| »» prcsHash | string | false | none | none |
| »» prcsVerdict | integer | false | none | none |
| » process_creation_time | string | false | none | none |
| » process_logged_on_user | string | false | none | none |
| » process_user_name | string | false | none | none |
| » process_verdict | integer | false | none | none |
| » child_process_instance_id | string | false | none | none |
| » child_process_pid | integer | false | none | none |
| » child_process_path | string | false | none | none |
| » child_process_command_line | string | false | none | none |
| » child_process_elevation_type | integer | false | none | none |
| » child_process_hash | string | false | none | none |
| » child_process_is_packed | boolean | false | none | none |
| » child_process_is_signed | boolean | false | none | none |
| » child_process_verdict | integer | false | none | none |
| » event_time | string | false | none | none |
| » id | string | false | none | none |
Get Count Of Events
Code samples
# You can also use wget
curl -X GET https://api.cwatchedr.com/events/aggregations?field=PROCESS_USER_NAME \
-H 'Accept: application/json' \
-H 'edr-customerid: 0' \
-H 'Authorization: Bearer {access-token}'
GET /events/aggregations
Returns count of events with given parameters
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| from_time | query | integer | false | The beginning of the time to search events |
| to_time | query | integer | false | The ending of the time to search events |
| field | query | string | true | Indicates which field to aggregate |
| next_key | query | string | false | The event id to get next batch events |
| prev_key | query | string | false | The event id to get previous batch events |
| is_next | query | boolean | false | Markup next or previous results |
| q | query | string | false | You can use these fields with 'AND' conjunction : |
Detailed descriptions
q: You can use these fields with 'AND' conjunction :
| Field | Operator | Type | Values |
| event_group | =, != | enum | 'PROCESS', 'NETWORK', 'REGISTRY', 'FILE', 'DEFENSEPLUS','BROWSER' |
| adaptive_event_type | =, != | string | |
| id | = | string | |
| base_event_type | =, != | enum | 'Create Process', 'Network Listen', 'Network Connection', 'Delete Registry Key', 'Delete Registry Value', 'Set Registry Value', 'Write File', 'Delete File', 'Browser Download', 'File Copy from hared Folder', 'File Copy from USB Disk', 'Email Download', 'File Copy to Shared Folder', 'File Copy to USB Disk', 'Access Raw Disk', 'Access Keyboard', 'Access Screen', 'Set Windows Hook', Virtual Memory Access', 'Access Microphone', 'Code Injection', 'Open Process' |
| process_pid | =, != | number | |
| process_creation_time | =, !=, >, <, <=, >= | date-time | |
| process_path | =, !=, ~ | string | |
| process_user_name | =, !=, ~ | string | |
| process_user_domain | =, !=, ~ | string | |
| process_hash | =, != | string | |
| process_logged_on_user | =, !=, ~ | string | |
| process_device_name | =, !=, ~ | string | |
| child_process_pid | =, != | integer | |
| child_process_path | =, !=, ~ | string | |
| child_process_elevation_type | =, != | enum | 'TYPE0', 'TYPE1', 'TYPE2', 'TYPE3' |
| child_process_command_line | =, !=, ~ | string | |
| child_process_hash | =, != | string | |
| network_source_ip | =, != | ipv4 | |
| network_destination_ip | =, != | ipv4 | |
| network_source_port | =, != | integer | |
| network_destination_port | =, != | integer | |
| network_transfer_protocol | =, != | enum | 'NONE', 'TCP', 'UDP' |
| registry_value_name | =, != | string | |
| registry_key_path | =, !=, ~ | string | |
| registry_value_data | =, !=, ~ | string | |
| file_hash | =, != | string | |
| file_path | =, !=, ~ | string | |
| file_old_path | =, !=, ~ | string | |
| browser_download_url | =, !=, ~ | string | |
| browser_file_path | =, !=, ~ | string | |
| browser_file_hash | =, != | string | |
| target_name | =, !=, ~ | string |
Enumerated Values
| Parameter | Value |
|---|---|
| field | PROCESS_USER_NAME |
| field | PROCESS_PATH |
| field | PROCESS_DEVICE_NAME |
| field | BASE_EVENT_TYPE |
| field | ADAPTIVE_EVENT_TYPE |
Example responses
200 Response
[
{
"count": 0,
"value": "string"
}
]
Responses
| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of the events count. Response body properties can change by query parameters. For example:\If search with field equal PROCESS_USER_NAME, response body will have count and process_user_name properties. | Inline |
| 400 | Bad Request | Bad request. Invalid query string. | None |
Response Schema
Status Code 200
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » count | integer | false | none | none |
| » value | string | false | none | It depends on which field you request |