# ESET Connect

ESET Connect integrates ESET's security intelligence with third-party platforms to enhance threat detection and response. ESET is a global leader in cybersecurity, providing comprehensive protection for businesses and consumers. The ESET Connect connector allows Swimlane Turbine users to integrate with ESET's security solutions, enabling automated retrieval and management of device and Cloud Office Security detections. This integration enhances security operations by providing real-time insights and streamlined workflows, allowing users to efficiently manage threats and incidents within their environment.

## Prerequisites

Before you can use the ESET Connect connector for Turbine, you need access to the ESET Business Account IAM service. The connector authenticates with the OAuth 2.0 password grant flow, which requires the following parameters:

- Base URL: the base endpoint for accessing ESET services
- Token URL: the URL used to obtain the OAuth token
- Username: your ESET Business Account username
- Password: your ESET Business Account password

## Capabilities

This connector provides the following capabilities:

- Retrieve ESET device detections (List Detections v1)
- Retrieve ESET Cloud Office Security detections (List Detections v2)
- Optionally normalize detections into Turbine schema alerts and extract observables (IOCs) from them, with domain, CIDR, regex and field-path ignore rules

## Limitations

- List Detections v2 is not available in the Japan region.
- The API user must have logged in to the ESET Cloud Office Security instance at least once before the connector can use it.
- `pageSize` is capped at 1000; larger values are coerced to 1000, and an unset or 0 value means the default of 50.

## Asset Setup

Create an asset with the URL and Token URL for your region (use the same region for both; the per-region values are listed under Configurations), the ESET Business Account username (email address) and its password. Enable Verify SSL unless you are deliberately going through an intercepting proxy, and set HTTP Proxy if requests must be routed through one. If authentication fails for a user that has never signed in, log that user in to the ESET Cloud Office Security instance once and test the connection again.

## Task Setup

The `ioc types` input is an enum selection; the allowed values are `ipv4 public`, `ipv4 private`, `ipv6 public`, `ipv6 private`, `domain`, `url`, `email`, `sha1`, `sha256` and `md5`. Leaving it empty extracts all types. The remaining inputs need no special setup.

## Notes

Any other notes not fitting other sections go here, including reference URLs to external docs or other resources.

## Configurations

### ESET Connect OAuth 2.0 Password Grant

Authenticates against the ESET Business Account IAM service using the OAuth 2.0 password grant flow.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | Base URL of the ESET Incident Management API for your region. Europe: `https://eu.incident-management.eset.systems`; Germany: `https://de.incident-management.eset.systems`; United States: `https://us.incident-management.eset.systems`; Canada: `https://ca.incident-management.eset.systems`; Japan: `https://jpn.incident-management.eset.systems` | string | required |
| Token URL | OAuth 2.0 token endpoint for your region. Europe: `https://eu.business-account.iam.eset.systems/oauth/token`; Germany: `https://de.business-account.iam.eset.systems/oauth/token`; United States: `https://us.business-account.iam.eset.systems/oauth/token`; Canada: `https://ca.business-account.iam.eset.systems/oauth/token`; Japan: `https://jpn.business-account.iam.eset.systems/oauth/token` | string | required |
| OAuth2 Username | The ESET Business Account username (email address) used for authentication. Ensure this API user has logged in to the ESET Cloud Office Security instance at least once before use. | string | required |
| OAuth2 Password | The password for the ESET Business Account user | string | required |
| Verify SSL | Verify the SSL certificate on requests | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### List Detections v1

Retrieve paginated ESET device detections from the v1 API, filtering by device, time range and page. Optionally return the results as normalized Turbine schema alerts.

Endpoint URL: `/v1/detections`

Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.deviceUuid | string | optional | Include only detections that occurred on the referenced device |
| parameters.startTime | string | optional | Include only incidents whose detections occurred at or after the start time (inclusive): detection occur time >= start time. Use a timestamp in UTC or offset format, e.g. `2024-10-30T12:00Z` or `2024-10-30T10:00+02:00` |
| parameters.endTime | string | optional | Include only incidents whose detections occurred before the end time (exclusive): detection occur time < end time. Use a timestamp in UTC or offset format, e.g. `2024-10-30T12:00Z` or `2024-10-30T10:00+02:00` |
| parameters.pageSize | integer | optional | Limit for pagination purposes. If unspecified or 0, the default value is 50. The maximum value is 1000; values above 1000 are coerced to 1000 |
| parameters.pageToken | string | optional | Page token of the current page. If not given or an empty string, the first page is returned |
| parameters.return as turbine schema | boolean | optional | When true, detections are mapped to normalized Turbine schema alert objects and returned in the `alerts` field. When false, raw ESET detections are returned in the `detections` field |
| parameters.alert organization | string | optional | Optional organization name to include in the Turbine schema alert. Used only when `return as turbine schema` is true |
| parameters.ioc types | array | optional | List of observable types to extract. Supported: `ipv4 public`, `ipv4 private`, `ipv6 public`, `ipv6 private`, `domain`, `url`, `email`, `sha1`, `sha256`, `md5`. If omitted or empty, all types are extracted |
| parameters.domains ignore list | string | optional | Comma-separated domain values to exclude from observable extraction |
| parameters.ip cidr ignore list | string | optional | Comma-separated CIDR ranges to exclude from observable extraction |
| parameters.regex ignore | string | optional | Regex pattern; any observable value matching this pattern is excluded |
| parameters.ioc ignore paths | array | optional | Array of slash-separated field paths to strip from each alert before extracting observables. Supports wildcards (`*`) and nested paths. Example: `["processCommandLine", "context/*/ipAddress"]` |

Input example:

```json
{
  "parameters": {
    "deviceUuid": "string",
    "startTime": "string",
    "endTime": "string",
    "pageSize": 123,
    "pageToken": "string",
    "return as turbine schema": true,
    "alert organization": "string",
    "ioc types": ["string"],
    "domains ignore list": "string",
    "ip cidr ignore list": "string",
    "regex ignore": "string",
    "ioc ignore paths": ["string"]
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | integer | HTTP status code of the response |
| detections | array | Raw ESET detections; populated when `return as turbine schema` is false |
| detections.uuid | string | Unique identifier of the detection |
| detections.displayName | string | Display name of the detection |
| detections.typeName | string | Type name of the detection |
| detections.category | string | Detection category |
| detections.severityLevel | string | Detection severity level |
| detections.occurTime | string | Time the detection occurred |
| detections.objectName | string | Name of the detected object |
| detections.objectHashSha1 | string | SHA-1 hash of the detected object |
| detections.objectTypeName | string | Type name of the detected object |
| detections.objectUrl | string | URL of the detected object |
| detections.context | object | Detection context |
| detections.context.circumstances | string | Circumstances of the detection |
| detections.context.deviceUuid | string | Unique identifier of the device |
| detections.context.username | string | User name associated with the detection |
| detections.context.process | object | Process associated with the detection |
| detections.context.process.path | string | Path of the process |
| detections.networkCommunication | object | Network communication associated with the detection |
| detections.networkCommunication.direction | string | Direction of the communication |
| detections.networkCommunication.localIpAddress | string | Local IP address |
| detections.networkCommunication.localPort | integer | Local port |
| detections.networkCommunication.remoteIpAddress | string | Remote IP address |
| detections.networkCommunication.remotePort | integer | Remote port |
| detections.networkCommunication.protocolName | string | Protocol name |

Output example:

```json
{"detections": [{"uuid": "12345678-1234-1234-1234-123456789abc", "displayName": "example name", "typeName": "example name", "category": "string", "severityLevel": "string", "occurTime": "string", "objectName": "example name", "objectHashSha1": "string", "objectTypeName": "example name", "objectUrl": "string", "context": {}, "networkCommunication": {}, "responses": []}], "alerts": [{"alert uid": "string", "alert title": "string", "alert description": "string", "alert severity": "string", "alert created timestamp": "string", "alert st
```

### List Detections v2

Retrieve paginated ESET Cloud Office Security detections from the v2 API, filtering by tenant, time range and page. Optionally return the results as normalized Turbine schema alerts. Not available in Japan.

Endpoint URL: `/v2/detections`

Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.cloudOfficeTenantUuid | string | optional | Reference to the Cloud Office tenant whose detections should appear in the response. If empty or null, detections of any Cloud Office tenant are returned. For device detections, it should be null or empty |
| parameters.startTime | string | optional | Include only incidents whose detections occurred at or after the start time (inclusive): detection occur time >= start time. Use a timestamp in UTC or offset format, e.g. `2024-10-30T12:00Z` or `2024-10-30T10:00+02:00` |
| parameters.endTime | string | optional | Include only incidents whose detections occurred before the end time (exclusive): detection occur time < end time. Use a timestamp in UTC or offset format, e.g. `2024-10-30T12:00Z` or `2024-10-30T10:00+02:00` |
| parameters.pageSize | integer | optional | Limit for pagination purposes. If unspecified or 0, the default value is 50. The maximum value is 1000; values above 1000 are coerced to 1000 |
| parameters.pageToken | string | optional | Page token of the current page. If not given or an empty string, the first page is returned |
| parameters.return as turbine schema | boolean | optional | When true, detections are mapped to normalized Turbine schema alert objects and returned in the `alerts` field. When false, raw ESET detections are returned in the `detections` field |
| parameters.alert organization | string | optional | Optional organization name to include in the Turbine schema alert. Used only when `return as turbine schema` is true |
| parameters.ioc types | array | optional | List of observable types to extract. Supported: `ipv4 public`, `ipv4 private`, `ipv6 public`, `ipv6 private`, `domain`, `url`, `email`, `sha1`, `sha256`, `md5`. If omitted or empty, all types are extracted |
| parameters.domains ignore list | string | optional | Comma-separated domain values to exclude from observable extraction |
| parameters.ip cidr ignore list | string | optional | Comma-separated CIDR ranges to exclude from observable extraction |
| parameters.regex ignore | string | optional | Regex pattern; any observable value matching this pattern is excluded |
| parameters.ioc ignore paths | array | optional | Array of slash-separated field paths to strip from each alert before extracting observables. Supports wildcards (`*`) and nested paths. Example: `["processCommandLine", "context/*/ipAddress"]` |

Input example:

```json
{
  "parameters": {
    "cloudOfficeTenantUuid": "string",
    "startTime": "string",
    "endTime": "string",
    "pageSize": 123,
    "pageToken": "string",
    "return as turbine schema": true,
    "alert organization": "string",
    "ioc types": ["string"],
    "domains ignore list": "string",
    "ip cidr ignore list": "string",
    "regex ignore": "string",
    "ioc ignore paths": ["string"]
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | integer | HTTP status code of the response |
| detections | array | Raw ESET detections; populated when `return as turbine schema` is false |
| detections.uuid | string | Unique identifier of the detection |
| detections.displayName | string | Display name of the detection |
| detections.typeName | string | Type name of the detection |
| detections.category | string | Detection category |
| detections.severityLevel | string | Detection severity level |
| detections.severityScore | number | Detection severity score |
| detections.occurTime | string | Time the detection occurred |
| detections.resolved | boolean | Whether the detection has been resolved |
| detections.username | string | User name associated with the detection |
| detections.objectName | string | Name of the detected object |
| detections.objectHashSha1 | string | SHA-1 hash of the detected object |
| detections.objectSizeBytes | string | Size of the detected object in bytes |
| detections.objectTypeName | string | Type name of the detected object |
| detections.objectUrl | string | URL of the detected object |
| detections.circumstances | string | Circumstances of the detection |
| detections.note | string | Note attached to the detection |
| detections.scanUuid | string | Unique identifier of the scan |
| detections.edrRuleUuid | string | Unique identifier of the EDR rule |
| detections.cloudOfficeTenantUuid | string | Unique identifier of the Cloud Office tenant |
| detections.device | object | Device associated with the detection |
| detections.device.uuid | string | Unique identifier of the device |
| detections.device.displayName | string | Display name of the device |
| detections.process | object | Process associated with the detection |

Output example:

```json
{"detections": [{"uuid": "12345678-1234-1234-1234-123456789abc", "displayName": "example name", "typeName": "example name", "category": "string", "severityLevel": "string", "severityScore": 123, "occurTime": "string", "resolved": true, "username": "example name", "objectName": "example name", "objectHashSha1": "string", "objectSizeBytes": "string", "objectTypeName": "example name", "objectUrl": "string", "circumstances": "string"}], "alerts": [{"alert uid": "string", "alert title": "string", "alert description": "string", "alert sev
```

#### Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
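The authentication and paging behaviour the Configurations and List Detections sections above describe, as an added example that is not code from the ESET Connect connector or from ESET. It assumes things the page does not state: that the token endpoint accepts the standard RFC 6749 section 4.3 form body (`grant_type=password`, `username`, `password`) and returns JSON with `access_token`, and that the detections endpoints return JSON with `detections` and `nextPageToken`, an empty token meaning the last page. The HTTP transport is injectable so the inclusive `startTime` / exclusive `endTime` window, the `pageSize` cap and the `pageToken` loop can be exercised offline against a constructed stand-in server; the sample detections are constructed, not real ESET data.

```python
"""Added example: OAuth 2.0 password-grant client for the ESET Connect detections
endpoints, with an offline stand-in server.  Not connector or ESET code; the token
and page response shapes below are assumptions."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional

# transport(method, url, headers, body) -> decoded JSON object
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], dict]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> dict:
    """Real transport for production use; the demo below never touches the network."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_ts(value: str) -> datetime:
    """Parse the documented forms (2024-10-30T12:00Z, 2024-10-30T10:00+02:00) to UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


class EsetConnectClient:
    def __init__(self, base_url: str, token_url: str, username: str, password: str,
                 transport: Transport = urllib_transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.token_url = token_url
        self.username = username
        self.password = password  # in real use load this from a secret store, never from code
        self._transport = transport
        self._token: Optional[str] = None

    def _access_token(self) -> str:
        """Password grant (RFC 6749 section 4.3); the token is cached for the client's lifetime."""
        if self._token is None:
            form = urllib.parse.urlencode({"grant_type": "password", "username": self.username,
                                           "password": self.password}).encode()
            resp = self._transport("POST", self.token_url,
                                   {"Content-Type": "application/x-www-form-urlencoded"}, form)
            self._token = resp["access_token"]
        return self._token

    def iter_detections(self, version: int = 1, start_time: Optional[str] = None,
                        end_time: Optional[str] = None, page_size: int = 0,
                        device_uuid: Optional[str] = None,
                        tenant_uuid: Optional[str] = None) -> Iterator[dict]:
        """Yield every detection in the window, following pageToken until none is issued."""
        if version == 2 and self.base_url.startswith("https://jpn."):
            raise ValueError("List Detections v2 is not available in the Japan region")
        # the server caps pageSize at 1000 and treats 0 as the default of 50; cap client-side too
        query: Dict[str, str] = {"pageSize": str(min(page_size, 1000))}
        if start_time:
            query["startTime"] = start_time  # inclusive: occurTime >= startTime
        if end_time:
            query["endTime"] = end_time      # exclusive: occurTime < endTime
        if version == 1 and device_uuid:
            query["deviceUuid"] = device_uuid
        if version == 2 and tenant_uuid:
            query["cloudOfficeTenantUuid"] = tenant_uuid
        page_token = ""
        while True:
            query["pageToken"] = page_token  # empty string requests the first page
            url = f"{self.base_url}/v{version}/detections?{urllib.parse.urlencode(query)}"
            page = self._transport("GET", url, {"Authorization": f"Bearer {self._access_token()}"}, None)
            yield from page.get("detections", [])
            page_token = page.get("nextPageToken") or ""
            if not page_token:
                break


# Constructed sample detections for the offline demo (not real ESET data).
SAMPLE = [
    {"uuid": "d1", "occurTime": "2024-10-30T09:00Z", "displayName": "Eicar test file"},
    {"uuid": "d2", "occurTime": "2024-10-30T12:00Z", "displayName": "Win32/Agent trojan"},
    {"uuid": "d3", "occurTime": "2024-10-30T13:30Z", "displayName": "Suspicious PowerShell"},
    {"uuid": "d4", "occurTime": "2024-10-30T15:00Z", "displayName": "Blocked URL"},
]


def fake_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> dict:
    """Stand-in server: issues a token, then pages SAMPLE with the documented window rules."""
    if method == "POST":
        if urllib.parse.parse_qs(body.decode()).get("grant_type") != ["password"]:
            raise ValueError("expected a password grant")
        return {"access_token": "tok-123", "token_type": "Bearer"}
    if headers.get("Authorization") != "Bearer tok-123":
        raise PermissionError("missing or wrong bearer token")
    q = {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}
    rows = [d for d in SAMPLE
            if (not q.get("startTime") or parse_ts(d["occurTime"]) >= parse_ts(q["startTime"]))
            and (not q.get("endTime") or parse_ts(d["occurTime"]) < parse_ts(q["endTime"]))]
    size = min(int(q.get("pageSize", "0")) or 50, 1000)
    start = int(q.get("pageToken") or 0)
    nxt = str(start + size) if start + size < len(rows) else ""
    return {"detections": rows[start:start + size], "nextPageToken": nxt}


def demo(start: Optional[str] = "2024-10-30T12:00Z", end: Optional[str] = "2024-10-30T16:00+02:00",
         page_size: int = 1) -> List[str]:
    """Pull the window [12:00Z, 14:00Z) one detection per page; returns the uuids in order."""
    client = EsetConnectClient("https://eu.incident-management.eset.systems",
                               "https://eu.business-account.iam.eset.systems/oauth/token",
                               "soc-automation@example.com", "not-a-real-password",
                               transport=fake_transport)
    return [d["uuid"] for d in client.iter_detections(start_time=start, end_time=end, page_size=page_size)]
```

`demo()` returns `["d2", "d3"]`: `d2` sits exactly on the inclusive start, `d4` is excluded because the `+02:00` end converts to 14:00Z and the bound is exclusive, and the page loop makes two GET requests because `pageSize` is 1. Swap `fake_transport` for the default `urllib_transport` and the same client talks to the real regional endpoints.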
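The observable extraction that both List Detections actions above parameterise (`ioc types`, `domains ignore list`, `ip cidr ignore list`, `regex ignore`, `ioc ignore paths`), as an added example that is not the connector's or ESET's own code. The page only names the options, so the matching rules here are assumptions: the regexes, `*` in an ignore path matching every key or list item at that level, the domain ignore list also covering URL hosts and mailbox domains, and public/private classification by `ipaddress.is_global`. The detection it runs over is constructed to resemble the v1 output fields, not real ESET data.

```python
"""Added example: IOC extraction with the ignore rules the List Detections actions
expose.  Not connector or ESET code; regexes and wildcard semantics are assumptions."""
import copy
import ipaddress
import re
import urllib.parse

ALL_TYPES = ("ipv4 public", "ipv4 private", "ipv6 public", "ipv6 private",
             "domain", "url", "email", "sha1", "sha256", "md5")
RX = {
    "email": re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I),
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"),
    "ipv6": re.compile(r"(?<![\w:])(?:[0-9a-f]{0,4}:){2,7}[0-9a-f]{0,4}(?![\w:])", re.I),
    "sha256": re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])", re.I),
    "sha1": re.compile(r"(?<![0-9a-f])[0-9a-f]{40}(?![0-9a-f])", re.I),
    "md5": re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])", re.I),
    "domain": re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w.-])", re.I),
}


def _strip(node, segs):
    """Delete the slash path segs from node in place; '*' fans out over every key or item."""
    head, rest = segs[0], segs[1:]
    if isinstance(node, list):
        items = list(enumerate(node)) if head == "*" else []
    elif isinstance(node, dict):
        items = list(node.items()) if head == "*" else [(head, node[head])] if head in node else []
    else:
        return
    for key, child in reversed(items):  # reversed so list deletions keep earlier indices valid
        if rest:
            _strip(child, rest)
        else:
            del node[key]


def strip_paths(alert, paths):
    """Deep copy of alert with every ignore path removed; the original is untouched."""
    out = copy.deepcopy(alert)
    for p in paths:
        _strip(out, p.split("/"))
    return out


def _strings(node):
    """Every string value anywhere inside a nested dict/list."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from _strings(v)


def extract_observables(alert, ioc_types=(), domains_ignore="", cidr_ignore="",
                        regex_ignore="", ignore_paths=()):
    """Return {ioc type: sorted values} after applying every ignore rule the action exposes."""
    wanted = set(ioc_types) or set(ALL_TYPES)  # empty ioc types means all types
    ign_domains = [d.strip().lower() for d in domains_ignore.split(",") if d.strip()]
    ign_nets = [ipaddress.ip_network(c.strip(), strict=False) for c in cidr_ignore.split(",") if c.strip()]
    ign_rx = re.compile(regex_ignore) if regex_ignore else None
    found = {t: set() for t in wanted}

    def keep(kind, value):
        if kind not in wanted or (ign_rx and ign_rx.search(value)):
            return
        host = {"domain": value, "url": urllib.parse.urlsplit(value).hostname or "",
                "email": value.rsplit("@", 1)[-1]}.get(kind, "").lower()
        if host and any(host == d or host.endswith("." + d) for d in ign_domains):
            return
        if kind.startswith("ip") and any(ipaddress.ip_address(value) in n for n in ign_nets):
            return
        found[kind].add(value)

    for text in _strings(strip_paths(alert, ignore_paths)):
        for m in RX["email"].findall(text):
            keep("email", m)
        text = RX["email"].sub(" ", text)  # so mailbox domains are not re-read as bare domains
        for m in RX["url"].findall(text):
            keep("url", m)
        for fam in ("ipv4", "ipv6"):
            for m in RX[fam].findall(text):
                try:
                    ip = ipaddress.ip_address(m)
                except ValueError:
                    continue  # e.g. 999.1.1.1 or a clock time such as 00:00:00
                keep(f"{fam} {'public' if ip.is_global else 'private'}", m)
        for h in ("sha256", "sha1", "md5"):
            for m in RX[h].findall(text):
                keep(h, m.lower())
        for m in RX["domain"].findall(text):
            keep("domain", m.lower())
    return {k: sorted(v) for k, v in found.items() if v}


# Constructed detection shaped like the v1 output fields (not real ESET data).
SAMPLE_DETECTION = {
    "uuid": "12345678-1234-1234-1234-123456789abc",
    "displayName": "Eicar test file",
    "objectName": "C:\\Users\\bob\\Downloads\\invoice.exe",
    "objectHashSha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "objectUrl": "http://dl.bad-cdn.example.net/get?id=7",
    "context": {"username": "CORP\\bob",
                "process": {"path": "C:\\Windows\\explorer.exe", "commandLine": "explorer.exe /e,C:\\"},
                "network": {"ipAddress": "10.20.30.40"}},
    "networkCommunication": {"localIpAddress": "192.168.1.25", "remoteIpAddress": "1.2.3.4", "remotePort": 443},
    "note": "reported by bob@corp.example.com, see https://intranet.corp.example.com/ticket/42",
}


def demo():
    """All types, with the noise a SOC would typically suppress."""
    return extract_observables(SAMPLE_DETECTION, domains_ignore="corp.example.com",
                               cidr_ignore="10.0.0.0/8,192.168.0.0/16", regex_ignore=r"\.(exe|dll)$",
                               ignore_paths=["context/*/ipAddress", "context/process/commandLine"])
```

`demo()` keeps only the remote public address, the download URL and its host, and the SHA-1: the file names `invoice.exe` and `explorer.exe` would otherwise surface as bogus domains (the reason `regex ignore` exists), the internal ticket URL and reporter mailbox fall to the domain ignore list, the RFC 1918 addresses to the CIDR list, and `context/*/ipAddress` never reaches the extractor at all. Run the same call without the ignore arguments to see how much of that noise a raw extraction would hand to an enrichment step.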