EDR API Documentation v0.0.2

EDR Investigation API

Base URLs:

Authentication

Default

Get Processes

Code samples

# You can also use wget
curl -X GET https://api.cwatchedr.com/process \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer {access-token}'

GET /process

Returns the list of processes that match filters on process properties or on the events the processes generated.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| process_hash | query | string(sha1) | false | Filters processes with the specified SHA1 hash |
| process_user | query | string | false | Filters processes with the specified owner user |
| process_name | query | string | false | Filters processes with the specified name |
| pid | query | number(int32) | false | Filters processes with the specified PID |
| file_hash | query | string(sha1) | false | Filters processes that created or modified a file with the specified SHA1 hash |
| file_name | query | string | false | Filters processes that created or modified a file with the specified name |
| destination_ip | query | string(ipv4) | false | Filters processes that communicated with the specified IP address |
| device_name | query | string | false | Filters processes that ran on the specified device |

Example responses

200 Response

[
  {
    "id": "string",
    "pid": 0,
    "process_name": "string",
    "process_path": "string",
    "device_name": "string",
    "process_user": "string",
    "process_hash": "string"
  }
]

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of matched processes | Inline |

Response Schema

Status Code 200

| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » id | string | false | none | none |
| » pid | number(int32) | false | none | none |
| » process_name | string | false | none | none |
| » process_path | string | false | none | none |
| » device_name | string | false | none | none |
| » process_user | string | false | none | none |
| » process_hash | string | false | none | none |
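
The filters in the parameter table above are typed (string(sha1), number(int32), string(ipv4)), and a malformed value typically yields an empty result rather than an error. The following Python helper, an added example that is not part of this documentation, validates each filter against its documented type and builds the GET /process URL and headers from the curl sample. The environment-variable name EDR_TOKEN and the helper names are assumptions; the base URL and parameter names come from the page.

```python
"""Build a validated GET /process URL for the EDR Investigation API.

Added example, not code from the EDR API documentation. Filter names and
types come from the documented parameter table; EDR_TOKEN is an assumed
environment-variable name for the bearer token.
"""
import ipaddress
import os
import re
from typing import Optional
from urllib.parse import urlencode

BASE_URL = "https://api.cwatchedr.com"  # from the documented curl samples

SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")
INT32_MAX = 2**31 - 1


def _check_sha1(value: str) -> str:
    """string(sha1): exactly 40 hex characters, normalised to lower case."""
    if not isinstance(value, str) or not SHA1_RE.fullmatch(value):
        raise ValueError(f"not a SHA1 hex digest: {value!r}")
    return value.lower()


def _check_int32(value) -> str:
    """number(int32): a non-negative integer that fits in 32 bits (bool excluded)."""
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= INT32_MAX:
        raise ValueError(f"pid must be a non-negative int32, got {value!r}")
    return str(value)


def _check_ipv4(value: str) -> str:
    """string(ipv4): IPv4Address raises ValueError on anything else (including IPv6)."""
    return str(ipaddress.IPv4Address(value))


def _check_str(value) -> str:
    if not isinstance(value, str) or not value:
        raise ValueError(f"expected a non-empty string, got {value!r}")
    return value


# Documented /process filters mapped to the validator for their declared type.
PROCESS_FILTERS = {
    "process_hash": _check_sha1,
    "process_user": _check_str,
    "process_name": _check_str,
    "pid": _check_int32,
    "file_hash": _check_sha1,
    "file_name": _check_str,
    "destination_ip": _check_ipv4,
    "device_name": _check_str,
}


def build_process_url(**filters) -> str:
    """Return the full GET /process URL for the given filters, or raise ValueError."""
    params = {}
    for name, value in filters.items():
        if name not in PROCESS_FILTERS:
            raise ValueError(f"unknown /process filter: {name}")
        params[name] = PROCESS_FILTERS[name](value)
    query = urlencode(sorted(params.items()))  # sorted so the URL is deterministic
    return f"{BASE_URL}/process" + (f"?{query}" if query else "")


def auth_headers(token: Optional[str] = None) -> dict:
    """Headers from the curl sample; the token is read from EDR_TOKEN (assumed name)."""
    token = token or os.environ.get("EDR_TOKEN")
    if not token:
        raise RuntimeError("no bearer token: set EDR_TOKEN or pass token=")
    return {"Accept": "application/json", "Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    # Constructed sample values, not real observations.
    print(build_process_url(destination_ip="198.51.100.7", pid=4312))
```

Rejecting bad input locally matters because the API reports no error for an unmatched filter: a SHA1 with a stray character would silently return an empty list and look like a clean result.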

Get Endpoints

Code samples

# You can also use wget
curl -X GET https://api.cwatchedr.com/endpoint \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer {access-token}'

GET /endpoint

Returns a list of endpoints that match the user defined criteria.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| device_name | query | string | false | Filters endpoints with the specified name |
| endpointIDs | query | array[integer] | false | Filters endpoints by the given integer endpoint ids |
| status | query | string | false | Filters endpoints with the specified status |

Enumerated Values

| Parameter | Value |
|---|---|
| status | online |
| status | offline |
| status | disconnected |

Example responses

200 Response

{
  "endpoints": [
    {
      "endpointID": "string",
      "device_name": "string",
      "version": "string",
      "operating_system": "string",
      "logged_on_user": "string",
      "status": "string"
    }
  ]
}

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of endpoints | Inline |

Response Schema

Status Code 200

| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » endpoints | [object] | false | none | none |
| »» endpointID | string | false | none | none |
| »» device_name | string | false | none | none |
| »» version | string | false | none | none |
| »» operating_system | string | false | none | none |
| »» logged_on_user | string | false | none | none |
| »» status | string | false | none | none |

Get Verdict

Code samples

# You can also use wget
curl -X GET https://api.cwatchedr.com/hash/verdict?hash=string \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer {access-token}'

GET /hash/verdict

Returns the Comodo verdict for the given hash. Verdict codes: 0 - Unknown, 1 - Safe, 2 - Malware, 3 - Unknown.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| hash | query | string(sha1) | true | SHA1 hash |

Example responses

200 Response

{
  "hash": "string",
  "verdict": 0
}

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON object with the verdict for the SHA1 hash | Inline |

Response Schema

Status Code 200

| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » hash | string | false | none | none |
| » verdict | number | false | none | none |

Get File Names

Code samples

# You can also use wget
curl -X GET https://api.cwatchedr.com/hash/name?hash=string \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer {access-token}'

GET /hash/name

Returns the observed file names for the given hash

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| hash | query | string(sha1) | true | SHA1 hash |

Example responses

200 Response

[
  "string"
]

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of the file names observed for the SHA1 hash | Inline |

Response Schema

Get Seen On Devices

Code samples

# You can also use wget
curl -X GET https://api.cwatchedr.com/hash/seenon?hash=string \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer {access-token}'

GET /hash/seenon

Returns the list of devices (endpointIDs) on which the given hash has been seen.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| hash | query | string(sha1) | true | SHA1 hash |

Example responses

200 Response

[
  0
]

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of the endpointIDs | Inline |
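
The three hash endpoints (/hash/verdict, /hash/name, /hash/seenon) are typically used together when a hash turns up in an alert: decide whether it is malicious, then learn what it was called and where it ran. The following Python function, an added example that is not part of this documentation, performs that pivot with an injected transport so it can run offline. The endpoints, the query parameter and the verdict codes (0 Unknown, 1 Safe, 2 Malware, 3 Unknown) are from the page; the transport signature, the FakeTransport class, the sample hash and its responses are constructed here.

```python
"""Pivot on a SHA1 hash across GET /hash/verdict, /hash/name and /hash/seenon.

Added example, not code from the EDR API documentation. Endpoints and verdict
codes are from the page; the transport callable and FakeTransport (with its
sample hash and responses) are constructed so the pivot runs offline.
"""
import json
import re
import urllib.request
from typing import Any, Callable, Dict
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "https://api.cwatchedr.com"
VERDICT_LABELS = {0: "Unknown", 1: "Safe", 2: "Malware", 3: "Unknown"}  # documented codes
MALWARE = 2
SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")

# A transport takes (method, url, headers) and returns the parsed JSON body.
Transport = Callable[[str, str, Dict[str, str]], Any]


def http_transport(method: str, url: str, headers: Dict[str, str]) -> Any:
    """Real transport over urllib; not exercised by the offline run below."""
    req = urllib.request.Request(url, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def pivot_hash(sha1: str, token: str, transport: Transport) -> dict:
    """Collect verdict, observed file names and endpointIDs for one hash."""
    if not isinstance(sha1, str) or not SHA1_RE.fullmatch(sha1):
        raise ValueError(f"not a SHA1 hex digest: {sha1!r}")
    sha1 = sha1.lower()
    headers = {"Accept": "application/json", "Authorization": f"Bearer {token}"}
    query = urlencode({"hash": sha1})

    verdict = transport("GET", f"{BASE_URL}/hash/verdict?{query}", headers)
    # Defensive check: the answer must be about the hash we asked for.
    if str(verdict.get("hash", sha1)).lower() != sha1:
        raise RuntimeError("verdict response refers to a different hash")
    code = verdict.get("verdict")

    names = transport("GET", f"{BASE_URL}/hash/name?{query}", headers)
    devices = transport("GET", f"{BASE_URL}/hash/seenon?{query}", headers)
    return {
        "hash": sha1,
        "verdict": code,
        "verdict_label": VERDICT_LABELS.get(code, f"undocumented code {code!r}"),
        "file_names": sorted(set(names)),       # de-duplicated, stable order
        "endpoint_ids": sorted(set(devices)),
        "malware": code == MALWARE,
    }


# Constructed sample hash; it does not refer to any real file.
SAMPLE_HASH = "0123456789abcdef0123456789abcdef01234567"


class FakeTransport:
    """Offline stand-in for the API that answers from a fixed table."""

    def __init__(self) -> None:
        self.calls = 0
        self.table = {  # constructed responses in the documented shapes
            "/hash/verdict": {"hash": SAMPLE_HASH, "verdict": MALWARE},
            "/hash/name": ["update.exe", "invoice.exe", "update.exe"],
            "/hash/seenon": [1077, 1042, 1077],
        }

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Any:
        self.calls += 1
        parts = urlsplit(url)
        asked = parse_qs(parts.query).get("hash", [""])[0]
        if asked != SAMPLE_HASH:
            # Any other hash: Unknown verdict, no names, no devices.
            return {"hash": asked, "verdict": 0} if parts.path == "/hash/verdict" else []
        return self.table[parts.path]


if __name__ == "__main__":
    print(json.dumps(pivot_hash(SAMPLE_HASH, "example-token", FakeTransport()), indent=2))
```

Swapping FakeTransport for http_transport runs the same pivot against the live API; keeping the transport injectable is also what makes the triage logic unit-testable without credentials.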

Response Schema

Get Alerts

Code samples

# You can also use wget
curl -X GET https://api.cwatchedr.com/alert?alertTime=0&scoreMin=0&scoreMax=0 \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer {access-token}'

GET /alert

Returns the list of alerts matching the given parameters.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| alertTime | query | integer | true | Filters alerts from the given alert time |
| scoreMin | query | integer | true | number |
| scoreMax | query | integer | true | number |
| endpointID | query | integer | false | endpointID |
| search | query | string | false | Filters alerts with the specified search value |
| processPath | query | string | false | Filters alerts with the specified process path |
| user | query | string | false | Filters alerts with the specified owner user |
| dismissed | query | boolean | false | boolean |
| status | query | integer | false | Filters alerts with the specified alert status |
| policyID | query | integer | false | Filters alerts with the specified policy id |

Enumerated Values

| Parameter | Value |
|---|---|
| dismissed | true |
| dismissed | false |
| dismissed | null |

Example responses

200 Response

{
  "items": [
    {
      "customerID": 0,
      "timestamp": 0,
      "endpointID": 0,
      "data": {},
      "expirationDate": 0,
      "isActive": true
    }
  ]
}

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of the alerts | Inline |

Response Schema

Status Code 200

| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » items | [object] | false | none | none |
| »» customerID | integer | false | none | none |
| »» timestamp | integer | false | none | none |
| »» endpointID | integer | false | none | none |
| »» data | object | false | none | none |
| »» expirationDate | integer | false | none | none |
| »» isActive | boolean | false | none | none |

Post Alerts

Code samples

# You can also use wget
curl -X POST https://api.cwatchedr.com/alert \
  -H 'Content-Type: application/json' \
  -H 'edr-customerid: 0' \
  -H 'Authorization: Bearer {access-token}'

POST /alert

Creates new alerts from the given body.

Body parameter

{
  "alerts": [
    {
      "timestamp": 0,
      "endpointID": 0,
      "expirationDate": 0,
      "isActive": true,
      "alertName": "string",
      "status": 0,
      "userVerdict": true,
      "type": 0,
      "processHash": "string",
      "processPath": "string",
      "device": "string",
      "user": "string",
      "data": {
        "childProcess": "string",
        "score": 0,
        "policyID": 0,
        "policyName": "string",
        "processInstanceID": "string",
        "event": {
          "process": {
            "prcsInstanceID": "string",
            "prcsPID": 0,
            "prcsCreationTime": "string",
            "prcsUserName": "string",
            "prcsUserDomain": "string",
            "prcsPath": "string",
            "prcsHash": "string",
            "prcsVerdict": 0,
            "prcsDeviceName": "string",
            "prcsLoggedOnUser": "string",
            "prcsParentTree": [
              {}
            ]
          },
          "eventTime": "string",
          "eventGroup": 0,
          "baseEventType": 0,
          "adaptiveEventType": "string",
          "endpointID": 0,
          "customerID": 0,
          "childPrcsInstanceID": "string",
          "childPrcsPID": 0,
          "childPrcsPath": "string",
          "childPrcsElevationType": 0,
          "childPrcsCmdLine": "string",
          "childPrcsHash": "string",
          "childPrcsVerdict": 0,
          "childPrcsIsSigned": true,
          "childPrcsIsPacked": true
        }
      }
    }
  ]
}

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| body | body | object | false | none |
| » alerts | body | [object] | false | none |
| »» timestamp | body | integer | false | none |
| »» endpointID | body | integer | false | none |
| »» expirationDate | body | integer | false | none |
| »» isActive | body | boolean | false | none |
| »» alertName | body | string | false | none |
| »» status | body | integer | false | none |
| »» userVerdict | body | boolean | false | none |
| »» type | body | integer | false | none |
| »» processHash | body | string | false | none |
| »» processPath | body | string | false | none |
| »» device | body | string | false | none |
| »» user | body | string | false | none |
| »» data | body | object | false | none |
| »»» childProcess | body | string | false | none |
| »»» score | body | integer | false | none |
| »»» policyID | body | integer | false | none |
| »»» policyName | body | string | false | none |
| »»» processInstanceID | body | string | false | none |
| »»» event | body | object | false | none |
| »»»» process | body | object | false | none |
| »»»»» prcsInstanceID | body | string | false | none |
| »»»»» prcsPID | body | integer | false | none |
| »»»»» prcsCreationTime | body | string | false | none |
| »»»»» prcsUserName | body | string | false | none |
| »»»»» prcsUserDomain | body | string | false | none |
| »»»»» prcsPath | body | string | false | none |
| »»»»» prcsHash | body | string | false | none |
| »»»»» prcsVerdict | body | integer | false | none |
| »»»»» prcsDeviceName | body | string | false | none |
| »»»»» prcsLoggedOnUser | body | string | false | none |
| »»»»» prcsParentTree | body | [object] | false | none |
| »»»» eventTime | body | string | false | none |
| »»»» eventGroup | body | integer | false | none |
| »»»» baseEventType | body | integer | false | none |
| »»»» adaptiveEventType | body | string | false | none |
| »»»» endpointID | body | integer | false | none |
| »»»» customerID | body | integer | false | none |
| »»»» childPrcsInstanceID | body | string | false | none |
| »»»» childPrcsPID | body | integer | false | none |
| »»»» childPrcsPath | body | string | false | none |
| »»»» childPrcsElevationType | body | integer | false | none |
| »»»» childPrcsCmdLine | body | string | false | none |
| »»»» childPrcsHash | body | string | false | none |
| »»»» childPrcsVerdict | body | integer | false | none |
| »»»» childPrcsIsSigned | body | boolean | false | none |
| »»»» childPrcsIsPacked | body | boolean | false | none |

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | created | None |

Update Alerts

Code samples

# You can also use wget
curl -X PUT https://api.cwatchedr.com/alert \
  -H 'Content-Type: application/json' \
  -H 'edr-customerid: 0' \
  -H 'Authorization: Bearer {access-token}'

PUT /alert

Updates the userVerdict and status values of alerts.

Body parameter

{
  "userVerdict": true,
  "status": 0
}

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| body | body | object | false | none |
| » userVerdict | body | boolean | false | none |
| » status | body | integer | false | none |

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | updated | None |

Dismiss Alerts

Code samples

# You can also use wget
curl -X PUT https://api.cwatchedr.com/alert/dismiss/{alertID} \
  -H 'edr-customerid: 0' \
  -H 'Authorization: Bearer {access-token}'

PUT /alert/dismiss/{alertID}

Dismisses the alert with the given alertID.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| alertID | path | string | true | none |

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | dismisses alert | None |

Report False Positive

Code samples

# You can also use wget
curl -X PUT https://api.cwatchedr.com/alert/{alertID}/report-false-positive \
  -H 'edr-customerid: 0' \
  -H 'Authorization: Bearer {access-token}'

PUT /alert/{alertID}/report-false-positive

Reports the alert with the given alertID as a false positive.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| alertID | path | string | true | none |
| userVerdict | query | boolean | false | none |
| feedback | query | string | false | none |

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | successfully reports alert as false positive | None |

Close Positive

Code samples

# You can also use wget
curl -X PUT https://api.cwatchedr.com/alert/{alertID}/close \
  -H 'edr-customerid: 0' \
  -H 'Authorization: Bearer {access-token}'

PUT /alert/{alertID}/close

Closes the alert with the given alertID.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| alertID | path | string | true | none |
| userVerdict | query | boolean | false | none |
| feedback | query | string | false | none |

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | successfully closes alert | None |

Get Events

Code samples

# You can also use wget
curl -X GET https://api.cwatchedr.com/events \
  -H 'Accept: application/json' \
  -H 'edr-customerid: 0' \
  -H 'Authorization: Bearer {access-token}'

GET /events

Returns the list of events matching the given parameters.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| from_time | query | integer | false | The beginning of the time range to search events in |
| to_time | query | integer | false | The end of the time range to search events in |
| page_size | query | integer | false | The number of items to return |
| next_key | query | string | false | The event id from which to get the next batch of events |
| prev_key | query | string | false | The event id from which to get the previous batch of events |
| is_next | query | boolean | false | Indicates whether to return the next or the previous batch of results |
| q | query | string | false | Query filter; the fields listed below can be combined with the 'AND' conjunction |

Detailed descriptions

q: The following fields can be combined with the 'AND' conjunction:

| Field | Operator | Type | Values |
|---|---|---|---|
| event_group | =, != | enum | 'PROCESS', 'NETWORK', 'REGISTRY', 'FILE', 'DEFENSEPLUS', 'BROWSER' |
| adaptive_event_type | =, != | string | |
| id | = | string | |
| base_event_type | =, != | enum | 'Create Process', 'Network Listen', 'Network Connection', 'Delete Registry Key', 'Delete Registry Value', 'Set Registry Value', 'Write File', 'Delete File', 'Browser Download', 'File Copy from Shared Folder', 'File Copy from USB Disk', 'Email Download', 'File Copy to Shared Folder', 'File Copy to USB Disk', 'Access Raw Disk', 'Access Keyboard', 'Access Screen', 'Set Windows Hook', 'Virtual Memory Access', 'Access Microphone', 'Code Injection', 'Open Process' |
| process_pid | =, != | number | |
| process_creation_time | =, !=, >, <, <=, >= | date-time | |
| process_path | =, !=, ~ | string | |
| process_user_name | =, !=, ~ | string | |
| process_user_domain | =, !=, ~ | string | |
| process_hash | =, != | string | |
| process_logged_on_user | =, !=, ~ | string | |
| process_device_name | =, !=, ~ | string | |
| child_process_pid | =, != | integer | |
| child_process_path | =, !=, ~ | string | |
| child_process_elevation_type | =, != | enum | 'TYPE0', 'TYPE1', 'TYPE2', 'TYPE3' |
| child_process_command_line | =, !=, ~ | string | |
| child_process_hash | =, != | string | |
| network_source_ip | =, != | ipv4 | |
| network_destination_ip | =, != | ipv4 | |
| network_source_port | =, != | integer | |
| network_destination_port | =, != | integer | |
| network_transfer_protocol | =, != | enum | 'NONE', 'TCP', 'UDP' |
| registry_value_name | =, != | string | |
| registry_key_path | =, !=, ~ | string | |
| registry_value_data | =, !=, ~ | string | |
| file_hash | =, != | string | |
| file_path | =, !=, ~ | string | |
| file_old_path | =, !=, ~ | string | |
| browser_download_url | =, !=, ~ | string | |
| browser_file_path | =, !=, ~ | string | |
| browser_file_hash | =, != | string | |
| target_name | =, !=, ~ | string | |

Example responses

200 Response

[
  {
    "customer_id": 0,
    "timestamp": 0,
    "sequence": 0,
    "base_event_type": 0,
    "process_user_domain": "string",
    "process_device_name": "string",
    "endpoint_id": 0,
    "event_group": 0,
    "process_hash": "string",
    "process_instance_id": "string",
    "process_pid": 0,
    "process_path": "string",
    "process_parent_tree": [
      {
        "prcsPID": 0,
        "prcsCreationTime": "string",
        "prcsUserName": "string",
        "prcsUserDomain": "string",
        "prcsPath": "string",
        "prcsHash": "string",
        "prcsVerdict": 0
      }
    ],
    "process_creation_time": "string",
    "process_logged_on_user": "string",
    "process_user_name": "string",
    "process_verdict": 0,
    "child_process_instance_id": "string",
    "child_process_pid": 0,
    "child_process_path": "string",
    "child_process_command_line": "string",
    "child_process_elevation_type": 0,
    "child_process_hash": "string",
    "child_process_is_packed": true,
    "child_process_is_signed": true,
    "child_process_verdict": 0,
    "event_time": "string",
    "id": "string"
  }
]

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of the events | Inline |
| 400 | Bad Request | Bad request. Invalid query string. | None |

Response Schema

Status Code 200

| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » customer_id | integer | false | none | none |
| » timestamp | integer | false | none | none |
| » sequence | integer | false | none | none |
| » base_event_type | integer | false | none | none |
| » process_user_domain | string | false | none | none |
| » process_device_name | string | false | none | none |
| » endpoint_id | integer | false | none | none |
| » event_group | integer | false | none | none |
| » process_hash | string | false | none | none |
| » process_instance_id | string | false | none | none |
| » process_pid | integer | false | none | none |
| » process_path | string | false | none | none |
| » process_parent_tree | [object] | false | none | none |
| »» prcsPID | integer | false | none | none |
| »» prcsCreationTime | string | false | none | none |
| »» prcsUserName | string | false | none | none |
| »» prcsUserDomain | string | false | none | none |
| »» prcsPath | string | false | none | none |
| »» prcsHash | string | false | none | none |
| »» prcsVerdict | integer | false | none | none |
| » process_creation_time | string | false | none | none |
| » process_logged_on_user | string | false | none | none |
| » process_user_name | string | false | none | none |
| » process_verdict | integer | false | none | none |
| » child_process_instance_id | string | false | none | none |
| » child_process_pid | integer | false | none | none |
| » child_process_path | string | false | none | none |
| » child_process_command_line | string | false | none | none |
| » child_process_elevation_type | integer | false | none | none |
| » child_process_hash | string | false | none | none |
| » child_process_is_packed | boolean | false | none | none |
| » child_process_is_signed | boolean | false | none | none |
| » child_process_verdict | integer | false | none | none |
| » event_time | string | false | none | none |
| » id | string | false | none | none |
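
The event record above carries the fields an analyst needs for a first pass: the verdicts of the process and of its child, whether the child is signed or packed, and the parent tree for lineage. The following Python triage routine, an added example that is not part of this documentation, applies those checks to a batch of /events results and renders the lineage of each hit. Field names follow the documented response schema and the Malware code (2) follows the documented /hash/verdict codes; the ordering of process_parent_tree from oldest ancestor downward is an assumption, and the sample events are constructed.

```python
"""Triage GET /events results: flag risky child-process events and show lineage.

Added example, not code from the EDR API documentation. Field names follow
the documented 200 response schema; MALWARE is the documented verdict code.
Assumed: process_parent_tree lists ancestors from the oldest downward.
"""
from typing import Dict, List

MALWARE = 2  # documented /hash/verdict code


def render_lineage(event: Dict) -> str:
    """Ancestors > process > child, each rendered as path(pid)."""
    chain = [f"{p.get('prcsPath')}({p.get('prcsPID')})" for p in event.get("process_parent_tree", [])]
    chain.append(f"{event.get('process_path')}({event.get('process_pid')})")
    if event.get("child_process_path"):
        chain.append(f"{event['child_process_path']}({event.get('child_process_pid')})")
    return " > ".join(chain)


def triage_event(event: Dict) -> Dict:
    """Return the event id, its endpoint and the reasons (if any) it needs attention."""
    flags: List[str] = []
    if event.get("process_verdict") == MALWARE:
        flags.append("process verdict is Malware")
    if event.get("child_process_verdict") == MALWARE:
        flags.append("child process verdict is Malware")
    # Explicit False/True comparisons: a missing field must never count as a hit.
    if event.get("child_process_is_signed") is False and event.get("child_process_is_packed") is True:
        flags.append("child process is unsigned and packed")
    return {
        "id": event.get("id"),
        "endpoint_id": event.get("endpoint_id"),
        "flags": flags,
        "lineage": render_lineage(event),
    }


def triage(events: List[Dict]) -> List[Dict]:
    """Flagged events only, the ones with most reasons first."""
    hits = [t for t in map(triage_event, events) if t["flags"]]
    return sorted(hits, key=lambda t: (-len(t["flags"]), str(t["id"])))


# Constructed sample events in the shape of the documented 200 response.
SAMPLE_EVENTS = [
    {
        "id": "evt-001", "endpoint_id": 1042, "process_pid": 5120,
        "process_path": "C:\\Program Files\\Mail\\mail.exe", "process_verdict": 1,
        "process_parent_tree": [{"prcsPath": "C:\\Windows\\explorer.exe", "prcsPID": 4012, "prcsVerdict": 1}],
        "child_process_pid": 6004, "child_process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\inv.exe",
        "child_process_is_signed": False, "child_process_is_packed": True, "child_process_verdict": MALWARE,
    },
    {
        "id": "evt-002", "endpoint_id": 1042, "process_pid": 4012,
        "process_path": "C:\\Windows\\explorer.exe", "process_verdict": 1, "process_parent_tree": [],
        "child_process_pid": 7001, "child_process_path": "C:\\Windows\\System32\\notepad.exe",
        "child_process_is_signed": True, "child_process_is_packed": False, "child_process_verdict": 1,
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["id"], hit["flags"])
        print("   ", hit["lineage"])
```

The verdict fields in the event are integers and the page documents only the /hash/verdict mapping, so the routine compares against that code rather than against a label; anything that is not 2 is treated as not-yet-malicious and left for the other checks.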

Get Events Detail

Code samples

# You can also use wget
curl -X GET https://api.cwatchedr.com/events/detail?ids=id1%2C%20id2 \
  -H 'Accept: application/json' \
  -H 'edr-customerid: 0' \
  -H 'Authorization: Bearer {access-token}'

GET /events/detail

Returns the details of the events with the given ids.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| ids | query | string | true | Numeric ID of the event to get. Multiple event ids must be separated with commas. |

Example responses

200 Response

[
  {
    "customer_id": 0,
    "timestamp": 0,
    "sequence": 0,
    "base_event_type": 0,
    "process_user_domain": "string",
    "process_device_name": "string",
    "endpoint_id": 0,
    "event_group": 0,
    "process_hash": "string",
    "process_instance_id": "string",
    "process_pid": 0,
    "process_path": "string",
    "process_parent_tree": [
      {
        "prcsPID": 0,
        "prcsCreationTime": "string",
        "prcsUserName": "string",
        "prcsUserDomain": "string",
        "prcsPath": "string",
        "prcsHash": "string",
        "prcsVerdict": 0
      }
    ],
    "process_creation_time": "string",
    "process_logged_on_user": "string",
    "process_user_name": "string",
    "process_verdict": 0,
    "child_process_instance_id": "string",
    "child_process_pid": 0,
    "child_process_path": "string",
    "child_process_command_line": "string",
    "child_process_elevation_type": 0,
    "child_process_hash": "string",
    "child_process_is_packed": true,
    "child_process_is_signed": true,
    "child_process_verdict": 0,
    "event_time": "string",
    "id": "string"
  }
]

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of the events | Inline |
| 400 | Bad Request | Bad request. Invalid query string. | None |

Response Schema

Status Code 200

| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » customer_id | integer | false | none | none |
| » timestamp | integer | false | none | none |
| » sequence | integer | false | none | none |
| » base_event_type | integer | false | none | none |
| » process_user_domain | string | false | none | none |
| » process_device_name | string | false | none | none |
| » endpoint_id | integer | false | none | none |
| » event_group | integer | false | none | none |
| » process_hash | string | false | none | none |
| » process_instance_id | string | false | none | none |
| » process_pid | integer | false | none | none |
| » process_path | string | false | none | none |
| » process_parent_tree | [object] | false | none | none |
| »» prcsPID | integer | false | none | none |
| »» prcsCreationTime | string | false | none | none |
| »» prcsUserName | string | false | none | none |
| »» prcsUserDomain | string | false | none | none |
| »» prcsPath | string | false | none | none |
| »» prcsHash | string | false | none | none |
| »» prcsVerdict | integer | false | none | none |
| » process_creation_time | string | false | none | none |
| » process_logged_on_user | string | false | none | none |
| » process_user_name | string | false | none | none |
| » process_verdict | integer | false | none | none |
| » child_process_instance_id | string | false | none | none |
| » child_process_pid | integer | false | none | none |
| » child_process_path | string | false | none | none |
| » child_process_command_line | string | false | none | none |
| » child_process_elevation_type | integer | false | none | none |
| » child_process_hash | string | false | none | none |
| » child_process_is_packed | boolean | false | none | none |
| » child_process_is_signed | boolean | false | none | none |
| » child_process_verdict | integer | false | none | none |
| » event_time | string | false | none | none |
| » id | string | false | none | none |

Get Count Of Events

Code samples

# You can also use wget
curl -X GET https://api.cwatchedr.com/events/aggregations?field=PROCESS_USER_NAME \
  -H 'Accept: application/json' \
  -H 'edr-customerid: 0' \
  -H 'Authorization: Bearer {access-token}'

GET /events/aggregations

Returns the count of events matching the given parameters, aggregated by the given field.

Parameters

| Name | In | Type | Required | Description |
|---|---|---|---|---|
| edr-customerid | header | integer | false | none |
| from_time | query | integer | false | The beginning of the time range to search events in |
| to_time | query | integer | false | The end of the time range to search events in |
| field | query | string | true | Indicates which field to aggregate on |
| next_key | query | string | false | The event id from which to get the next batch of events |
| prev_key | query | string | false | The event id from which to get the previous batch of events |
| is_next | query | boolean | false | Indicates whether to return the next or the previous batch of results |
| q | query | string | false | Query filter; the fields listed below can be combined with the 'AND' conjunction |

Detailed descriptions

q: The following fields can be combined with the 'AND' conjunction:

| Field | Operator | Type | Values |
|---|---|---|---|
| event_group | =, != | enum | 'PROCESS', 'NETWORK', 'REGISTRY', 'FILE', 'DEFENSEPLUS', 'BROWSER' |
| adaptive_event_type | =, != | string | |
| id | = | string | |
| base_event_type | =, != | enum | 'Create Process', 'Network Listen', 'Network Connection', 'Delete Registry Key', 'Delete Registry Value', 'Set Registry Value', 'Write File', 'Delete File', 'Browser Download', 'File Copy from Shared Folder', 'File Copy from USB Disk', 'Email Download', 'File Copy to Shared Folder', 'File Copy to USB Disk', 'Access Raw Disk', 'Access Keyboard', 'Access Screen', 'Set Windows Hook', 'Virtual Memory Access', 'Access Microphone', 'Code Injection', 'Open Process' |
| process_pid | =, != | number | |
| process_creation_time | =, !=, >, <, <=, >= | date-time | |
| process_path | =, !=, ~ | string | |
| process_user_name | =, !=, ~ | string | |
| process_user_domain | =, !=, ~ | string | |
| process_hash | =, != | string | |
| process_logged_on_user | =, !=, ~ | string | |
| process_device_name | =, !=, ~ | string | |
| child_process_pid | =, != | integer | |
| child_process_path | =, !=, ~ | string | |
| child_process_elevation_type | =, != | enum | 'TYPE0', 'TYPE1', 'TYPE2', 'TYPE3' |
| child_process_command_line | =, !=, ~ | string | |
| child_process_hash | =, != | string | |
| network_source_ip | =, != | ipv4 | |
| network_destination_ip | =, != | ipv4 | |
| network_source_port | =, != | integer | |
| network_destination_port | =, != | integer | |
| network_transfer_protocol | =, != | enum | 'NONE', 'TCP', 'UDP' |
| registry_value_name | =, != | string | |
| registry_key_path | =, !=, ~ | string | |
| registry_value_data | =, !=, ~ | string | |
| file_hash | =, != | string | |
| file_path | =, !=, ~ | string | |
| file_old_path | =, !=, ~ | string | |
| browser_download_url | =, !=, ~ | string | |
| browser_file_path | =, !=, ~ | string | |
| browser_file_hash | =, != | string | |
| target_name | =, !=, ~ | string | |
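
The `q` filter is shared by GET /events and GET /events/aggregations, and both descriptions list which operators each field accepts but only say that terms are joined with 'AND'. The following Python builder, an added example that is not part of this documentation, checks every term against that field/operator/type table and refuses values that would be interpreted as part of the filter itself, which matters when an analyst's search box feeds straight into `q`. The literal term syntax (`field op 'value'`, integers unquoted), the base URL and the rejection of single quotes inside values are assumptions, since the page does not specify the grammar; the field list, operators, enum values and aggregation fields are from the page.

```python
"""Validated `q` filters for GET /events and GET /events/aggregations.

Added example, not code from the EDR API documentation. The field table is
from the page; the term syntax `field op 'value'` (integers unquoted), the
base URL and the quote rejection are assumptions about an undocumented grammar.
"""
import ipaddress
from datetime import datetime
from typing import Any, Tuple
from urllib.parse import urlencode

BASE_URL = "https://api.cwatchedr.com"

EQ = ("=", "!=")
LIKE = EQ + ("~",)
CMP = EQ + (">", "<", "<=", ">=")
EVENT_GROUPS = {"PROCESS", "NETWORK", "REGISTRY", "FILE", "DEFENSEPLUS", "BROWSER"}
BASE_EVENT_TYPES = {
    "Create Process", "Network Listen", "Network Connection", "Delete Registry Key",
    "Delete Registry Value", "Set Registry Value", "Write File", "Delete File",
    "Browser Download", "File Copy from Shared Folder", "File Copy from USB Disk",
    "Email Download", "File Copy to Shared Folder", "File Copy to USB Disk",
    "Access Raw Disk", "Access Keyboard", "Access Screen", "Set Windows Hook",
    "Virtual Memory Access", "Access Microphone", "Code Injection", "Open Process",
}
# field -> (allowed operators, documented type, allowed values for enums)
Q_FIELDS = {
    "event_group": (EQ, "enum", EVENT_GROUPS),
    "adaptive_event_type": (EQ, "string", None),
    "id": (("=",), "string", None),
    "base_event_type": (EQ, "enum", BASE_EVENT_TYPES),
    "process_pid": (EQ, "number", None),
    "process_creation_time": (CMP, "date-time", None),
    "process_path": (LIKE, "string", None),
    "process_user_name": (LIKE, "string", None),
    "process_user_domain": (LIKE, "string", None),
    "process_hash": (EQ, "string", None),
    "process_logged_on_user": (LIKE, "string", None),
    "process_device_name": (LIKE, "string", None),
    "child_process_pid": (EQ, "integer", None),
    "child_process_path": (LIKE, "string", None),
    "child_process_elevation_type": (EQ, "enum", {"TYPE0", "TYPE1", "TYPE2", "TYPE3"}),
    "child_process_command_line": (LIKE, "string", None),
    "child_process_hash": (EQ, "string", None),
    "network_source_ip": (EQ, "ipv4", None),
    "network_destination_ip": (EQ, "ipv4", None),
    "network_source_port": (EQ, "integer", None),
    "network_destination_port": (EQ, "integer", None),
    "network_transfer_protocol": (EQ, "enum", {"NONE", "TCP", "UDP"}),
    "registry_value_name": (EQ, "string", None),
    "registry_key_path": (LIKE, "string", None),
    "registry_value_data": (LIKE, "string", None),
    "file_hash": (EQ, "string", None),
    "file_path": (LIKE, "string", None),
    "file_old_path": (LIKE, "string", None),
    "browser_download_url": (LIKE, "string", None),
    "browser_file_path": (LIKE, "string", None),
    "browser_file_hash": (EQ, "string", None),
    "target_name": (LIKE, "string", None),
}
AGGREGATION_FIELDS = {"PROCESS_USER_NAME", "PROCESS_PATH", "PROCESS_DEVICE_NAME",
                      "BASE_EVENT_TYPE", "ADAPTIVE_EVENT_TYPE"}


def q_term(field: str, op: str, value: Any) -> str:
    """One `field op value` term, checked against the documented table."""
    if field not in Q_FIELDS:
        raise ValueError(f"unknown q field: {field}")
    ops, typ, allowed = Q_FIELDS[field]
    if op not in ops:
        raise ValueError(f"operator {op!r} not allowed on {field}; allowed: {', '.join(ops)}")
    if typ in ("number", "integer"):
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{field} expects an integer, got {value!r}")
        return f"{field} {op} {value}"
    if typ == "enum" and value not in allowed:
        raise ValueError(f"{value!r} is not a documented value for {field}")
    if typ == "ipv4":
        ipaddress.IPv4Address(value)  # ValueError on anything that is not IPv4
    if typ == "date-time":
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))  # must parse as ISO 8601
    text = str(value)
    if "'" in text:
        # Escaping inside quoted values is undocumented: refuse rather than let
        # a quote in user input rewrite the rest of the filter.
        raise ValueError("single quotes are not allowed inside q values")
    return f"{field} {op} '{text}'"


def build_q(*terms: Tuple[str, str, Any]) -> str:
    """AND-join validated terms into the value of the q parameter."""
    return " AND ".join(q_term(*t) for t in terms)


def events_url(endpoint: str, q: str = "", **params: Any) -> str:
    """URL for GET /events or GET /events/aggregations with q and other filters."""
    if endpoint not in ("events", "events/aggregations"):
        raise ValueError(f"unsupported endpoint: {endpoint}")
    if endpoint == "events/aggregations" and params.get("field") not in AGGREGATION_FIELDS:
        raise ValueError("aggregations need field= one of " + ", ".join(sorted(AGGREGATION_FIELDS)))
    if q:
        params["q"] = q
    return f"{BASE_URL}/{endpoint}?" + urlencode(sorted(params.items()))
```

A typical call is `events_url("events", build_q(("event_group", "=", "PROCESS"), ("child_process_path", "~", "powershell")), page_size=100)`; the same `build_q` output goes into the `q` parameter of /events/aggregations together with a `field` from the enumerated list below.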

Enumerated Values

| Parameter | Value |
|---|---|
| field | PROCESS_USER_NAME |
| field | PROCESS_PATH |
| field | PROCESS_DEVICE_NAME |
| field | BASE_EVENT_TYPE |
| field | ADAPTIVE_EVENT_TYPE |

Example responses

200 Response

[
  {
    "count": 0,
    "value": "string"
  }
]

Responses

| Status | Meaning | Description | Schema |
|---|---|---|---|
| 200 | OK | A JSON array of event counts. The response body properties depend on the query parameters; for example, a search with field equal to PROCESS_USER_NAME returns objects with count and process_user_name properties. | Inline |
| 400 | Bad Request | Bad request. Invalid query string. | None |

Response Schema

Status Code 200

| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| » count | integer | false | none | none |
| » value | string | false | none | Depends on the requested field |