# ESET Inspect OnPrem v3

ESET Inspect On-Prem v3 is an endpoint detection and response solution that provides advanced threat detection and investigation capabilities.

## Overview

ESET Inspect On-Prem is a robust endpoint detection and response (EDR) solution designed to provide deep visibility into endpoint activities and potential threats. This connector allows Swimlane Turbine users to seamlessly integrate with ESET Inspect On-Prem, enabling the retrieval and management of security detections. By leveraging this integration, users can automate the extraction and normalization of threat data, enhancing their security operations with precise and actionable insights.

## Prerequisites

Before you can use the ESET Inspect On-Prem v3 connector for Turbine, you'll need access to the ESET Inspect API. This requires HTTP Bearer authentication using the following parameters:

- URL: the endpoint URL for accessing the ESET Inspect API
- Username: your ESET Inspect account username
- Password: the password associated with your ESET Inspect account

## Capabilities

This connector provides the following capabilities:

Capabilities go here, e.g. "Manage firewall policies", instead of listing each individual task.

## Limitations

Include information about known limitations here, including supported or minimum versions, especially known unsupported versions.

## Asset Setup

The content here should discuss asset setup in a conversational manner. Be sure to include any known login and test-connection errors.

## Tasks Setup

Special task setup as needed depending on the plugin; exclude if empty. Known available/allowed input options from enum type selection.

## Notes

Any other notes not fitting other sections go here, along with any reference URLs to external docs or other resources.

## Configurations

### ESET Inspect On-Prem Authentication

Authenticates against the ESET Inspect On-Prem REST API using username and password to obtain a bearer token.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | Base URL of the ESET Inspect On-Prem server (e.g. https://your-eset-server) | string | required |
| username | ESET Inspect On-Prem username | string | required |
| password | ESET Inspect On-Prem password | string | required |
| domain | Whether the user account belongs to a domain. Set to true for domain accounts, false for local accounts. | boolean | optional |
| verify_ssl | Verify the SSL certificate of the ESET server | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### List Detections

Retrieve a paginated, filterable list of ESET Inspect On-Prem detections with options for sorting and filtering. Optionally returns results as normalized Turbine Schema alerts.

Endpoint URL: `/api/v1/detections`

Method: `GET`

#### Input

| Argument | Name | Type | Required | Description |
| --- | --- | --- | --- | --- |
| parameters | $top | integer | optional | Maximum number of detections to return in a single response |
| parameters | $skip | integer | optional | Number of detections to skip (for pagination) |
| parameters | $count | integer | optional | If set to 1, returns only the total count of matching detections instead of their full detail |
| parameters | $orderby | string | optional | Sort detections by a field and direction. Example: `creationTime desc` or `severity asc` |
| parameters | $filter | string | optional | OData filter expression using the fields `id`, `resolved`, `creationTime` and the operators `eq`, `ne`, `gt`, `ge`, `lt`, `le`, `and`, `or`, `()`. Example: `resolved eq false and creationTime ge 2024-01-01T00:00:00Z` |
| parameters | return_as_turbine_schema | boolean | optional | If true, maps each detection to a normalized Turbine Schema alert instead of returning the raw API response |
| parameters | alert_organization | string | optional | Optional organization name to embed in Turbine Schema alerts. Only used when `return_as_turbine_schema` is true |
| parameters | ioc_types | array | optional | List of observable types to extract from each detection. Supported: IPv4 public, IPv4 private, IPv6 public, IPv6 private, domain, URL, email, SHA1, SHA256, MD5. Omit or leave empty to extract all types |
| parameters | domains_ignore_list | string | optional | Comma-separated domain values to exclude from observable extraction |
| parameters | ip_cidr_ignore_list | string | optional | Comma-separated CIDR ranges to exclude from observable extraction |
| parameters | regex_ignore | string | optional | Regex pattern; any observable value matching this pattern is excluded from extraction |
| parameters | ioc_ignore_paths | array | optional | Array of slash-separated field paths to strip from each detection before extracting observables. Supports wildcards (`*`) and nested paths. Example: `["processCommandLine", "context/*/ipAddress"]` |

Input example:

```json
{"parameters": {"$top": 123, "$skip": 123, "$count": 123, "$orderby": "string", "$filter": "string", "return_as_turbine_schema": true, "alert_organization": "string", "ioc_types": ["string"], "domains_ignore_list": "string", "ip_cidr_ignore_list": "string", "regex_ignore": "string", "ioc_ignore_paths": ["string"]}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | integer | HTTP status code of the API response |
| count | integer | Total number of detections matching the query |
| value | array | Raw list of detection objects (when `return_as_turbine_schema` is false) |
| value.uuid | string | Unique detection identifier |
| value.id | integer | Unique detection identifier in the ESET Inspect database |
| value.creationTime | string | Time of the detection (ISO 8601) |
| value.computerId | integer | Computer's unique identifier in the ESET Inspect database |
| value.computerName | string | Name of the computer that raised the detection |
| value.computerUuid | string | Computer's UUID in the ESET Inspect database |
| value.ruleName | string | Name of the rule that triggered the detection |
| value.ruleId | integer | Integer ID of the rule |
| value.ruleUuid | string | UUID of the rule |
| value.severity | string | Detection severity label |
| value.severityScore | integer | Precise severity score: 1-39 = Info, 40-69 = Warning, 70-100 = Threat |
| value.type | integer | ESET detection type: 0 = UnknownAlarm, 1 = RuleActivated, 2 = MalwareFoundOnDisk, 3 = MalwareFoundInMemory, 4 = ExploitDetected, 5 = FirewallDetection, 7 = BlockedAddress, 8 = CryptoBlockerDetection |
| value.resolved | boolean | Whether the detection has been marked resolved |
| value.threatName | string | Name of the threat |
| value.threatUri | string | URI that caused the detection to trigger |
| value.processId | integer | Unique process identifier in the ESET Inspect database |
| value.processUser | string | User account logged on at the time of the detection trigger |
| value.processCommandLine | string | Command line arguments used with the process |
| value.moduleName | string | Executable that triggered the detection |
| value.moduleId | integer | Unique executable identifier in the ESET Inspect database |
| value.moduleSha1 | string | SHA1 hash of the executable that triggered the detection |
| value.moduleLgAge | integer | Number of days visible in LiveGrid |

Output example (truncated as in the source):

```json
{"count": 123, "value": [{"uuid": "12345678-1234-1234-1234-123456789abc", "id": 123, "creationTime": "string", "computerId": 123, "computerName": "example name", "computerUuid": "string", "ruleName": "example name", "ruleId": 123, "ruleUuid": "string", "severity": "string", "severityScore": 123, "type": 123, "resolved": true, "threatName": "example name", "threatUri": "string"}], "alerts": [{"alert_uid": "string", "alert_title": "string", "alert_description": "string", "alert_severity": "string", "alert_risk_score": 123, "alert_created_ti
```

#### Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
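The `$top`, `$skip`, `$count`, `$orderby` and `$filter` parameters of List Detections are meant to be used together: `$count=1` sizes the result set, and `$skip` advances through it in `$top`-sized pages. The following added example (not the connector's or ESET's own code) shows a query builder and a paging loop; the HTTP call is replaced by `fake_server`, a constructed in-memory stand-in that honours the documented parameters, so it runs offline. The function names, the sample records and the restriction of the stand-in to `and`-joined comparisons (no `or`, no parentheses) are this example's own assumptions.

```python
"""Query construction and $top/$skip paging for GET /api/v1/detections.

Added example: `fake_server` is a constructed stand-in for ESET Inspect On-Prem so
the paging logic runs offline. Only the documented filter fields and operators are
accepted, and only clauses joined by 'and' are evaluated by the stand-in.
"""
import operator
import urllib.parse

FILTER_FIELDS = {"id", "resolved", "creationTime"}
OPERATORS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
             "ge": operator.ge, "lt": operator.lt, "le": operator.le}

# Constructed sample records (not real ESET data).
SAMPLE_DETECTIONS = [
    {"id": 1, "resolved": False, "creationTime": "2024-01-02T10:00:00Z", "severityScore": 85},
    {"id": 2, "resolved": True, "creationTime": "2024-01-03T10:00:00Z", "severityScore": 20},
    {"id": 3, "resolved": False, "creationTime": "2024-01-04T10:00:00Z", "severityScore": 55},
    {"id": 4, "resolved": False, "creationTime": "2024-01-05T10:00:00Z", "severityScore": 90},
    {"id": 5, "resolved": False, "creationTime": "2024-01-06T10:00:00Z", "severityScore": 10},
]


def build_query(top=None, skip=None, count=None, orderby=None, filter_=None):
    """Assemble the OData query parameters the action documents, omitting unset ones."""
    params = {}
    if top is not None:
        params["$top"] = str(top)
    if skip is not None:
        params["$skip"] = str(skip)
    if count is not None:
        params["$count"] = str(count)
    if orderby:
        params["$orderby"] = orderby
    if filter_:
        params["$filter"] = filter_
    return params


def detections_url(base_url, params):
    """Full request URL; '$' is kept literal because the OData parameter names start with it."""
    return base_url.rstrip("/") + "/api/v1/detections?" + urllib.parse.urlencode(params, safe="$")


def _literal(token):
    if token in ("true", "false"):
        return token == "true"
    try:
        return int(token)
    except ValueError:
        return token  # ISO 8601 UTC timestamps compare correctly as plain strings


def matches_filter(detection, filter_expr):
    """Evaluate 'field op value [and field op value ...]' against one record."""
    if not filter_expr:
        return True
    for clause in filter_expr.split(" and "):
        field, op, value = clause.split(" ", 2)
        if field not in FILTER_FIELDS or op not in OPERATORS:
            raise ValueError(f"unsupported $filter clause: {clause!r}")
        if not OPERATORS[op](detection[field], _literal(value)):
            return False
    return True


def fake_server(params):
    """Apply $filter, $orderby, $count, $skip and $top as the action documents them."""
    rows = [d for d in SAMPLE_DETECTIONS if matches_filter(d, params.get("$filter"))]
    if "$orderby" in params:
        field, _, direction = params["$orderby"].partition(" ")
        rows.sort(key=lambda d: d[field], reverse=(direction.lower() == "desc"))
    total = len(rows)
    if params.get("$count") == "1":
        return {"count": total, "value": []}
    skip = int(params.get("$skip", 0))
    top = int(params.get("$top", total))
    return {"count": total, "value": rows[skip:skip + top]}


def iter_detections(fetch, page_size=2, filter_=None, orderby=None):
    """Walk every page; stop on an empty page or once $skip reaches the reported count."""
    skip = 0
    while True:
        page = fetch(build_query(top=page_size, skip=skip, orderby=orderby, filter_=filter_))
        items = page.get("value", [])
        yield from items
        skip += len(items)
        if not items or skip >= page.get("count", 0):
            break


if __name__ == "__main__":
    query = build_query(top=2, filter_="resolved eq false and creationTime ge 2024-01-04T00:00:00Z")
    print(detections_url("https://your-eset-server", query))
    for det in iter_detections(fake_server, page_size=2, filter_=query["$filter"], orderby="creationTime desc"):
        print(det["id"], det["creationTime"])
```

Against a real server, `fetch` would be the function that performs the authenticated `GET` and returns the parsed JSON body; the loop stops on the reported `count` rather than on an empty page alone so a transient empty response cannot be mistaken for the end of the data. Restricting `$filter` to the documented fields and operators before sending it is also a cheap guard against a playbook passing an arbitrary string through to the API.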
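The observable-extraction inputs (`ioc_types`, `domains_ignore_list`, `ip_cidr_ignore_list`, `regex_ignore`, `ioc_ignore_paths`) and the `severityScore` bands of the output table are exercised together in this added example, which is not the connector's own code. It strips ignored paths (including the `context/*/ipAddress` wildcard form from the input table) from a copy of the detection, extracts observables from the remaining string fields, applies the three ignore controls, and maps the score to a label. The sample detection, the hyphenated type labels such as `ipv4-public`, the treatment of `*` as "every key or element", and the rule that a `domains_ignore_list` entry also excludes its subdomains are all this example's own assumptions.

```python
"""Observable extraction from one detection with the List Detections ignore controls.
Added example, not connector code: the sample detection (with invented "context" and
"notes" fields), the type labels, the '*' wildcard semantics and the suffix rule for
domains_ignore_list are this example's own assumptions."""
import copy
import ipaddress
import re

SAMPLE_DETECTION = {
    "uuid": "12345678-1234-1234-1234-123456789abc",
    "ruleName": "Example rule",
    "severityScore": 85,
    "threatUri": "http://malicious.example/payload.exe",
    "moduleName": "payload.exe",
    "moduleSha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "processCommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "context": {"outbound": {"ipAddress": "1.1.1.1", "host": "cdn.example.net"},
                "inbound": {"ipAddress": "10.0.0.5"}},
    "notes": "reported by soc@corp.example; resolver 8.8.8.8; connection to update.corp.example",
}

# Applied in order; each match is blanked before the next pattern runs, so a URL's host
# is not reported a second time as a bare domain.
PATTERNS = [
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("sha1", re.compile(r"\b[0-9a-f]{40}\b", re.I)),
    ("md5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b(?:[0-9a-f]{0,4}:){2,7}[0-9a-f]{0,4}\b", re.I)),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]

def strip_paths(obj, parts):
    """Delete the field at a slash-separated path in place; '*' matches every dict key or list element."""
    head, rest = parts[0], parts[1:]
    if isinstance(obj, dict):
        for key in [k for k in obj if head == "*" or k == head]:
            if rest:
                strip_paths(obj[key], rest)
            else:
                del obj[key]
    elif isinstance(obj, list) and head == "*":
        if not rest:
            obj.clear()
        else:
            for item in obj:
                strip_paths(item, rest)

def _string_leaves(obj):
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from _string_leaves(v)

def _classify_ip(value):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None  # loose regex hit that is not an address, e.g. a time like "12:30:00"
    return f"ipv{addr.version}-{'private' if addr.is_private else 'public'}"

def extract_observables(detection, ioc_types=None, domains_ignore_list="",
                        ip_cidr_ignore_list="", regex_ignore=None, ioc_ignore_paths=()):
    det = copy.deepcopy(detection)  # paths are stripped from a copy, not the caller's record
    for path in ioc_ignore_paths:
        strip_paths(det, path.strip("/").split("/"))
    ignored_domains = {d.strip().lower() for d in domains_ignore_list.split(",") if d.strip()}
    ignored_nets = [ipaddress.ip_network(c.strip(), strict=False)
                    for c in ip_cidr_ignore_list.split(",") if c.strip()]
    ignore_rx = re.compile(regex_ignore) if regex_ignore else None
    wanted = set(ioc_types or [])  # empty means every type, as the action documents
    found = {}
    for text in _string_leaves(det):
        for kind, pattern in PATTERNS:
            for value in pattern.findall(text):
                label = _classify_ip(value) if kind == "ip" else kind
                if label is None or (wanted and label not in wanted):
                    continue
                if ignore_rx and ignore_rx.search(value):
                    continue
                if label == "domain" and any(value.lower() == d or value.lower().endswith("." + d)
                                             for d in ignored_domains):
                    continue
                if label.startswith("ip") and any(ipaddress.ip_address(value) in n for n in ignored_nets):
                    continue
                found.setdefault(label, set()).add(value)
            text = pattern.sub(" ", text)
    return {k: sorted(v) for k, v in sorted(found.items())}

def severity_label(score):
    """Label bands documented for severityScore: 1-39 Info, 40-69 Warning, 70-100 Threat."""
    return "Threat" if score >= 70 else "Warning" if score >= 40 else "Info"

def to_turbine_alert(detection, **extract_kwargs):
    """Normalized alert; the alert_* names mirror the output example, 'observables' is added here."""
    return {
        "alert_uid": detection.get("uuid"),
        "alert_title": detection.get("ruleName") or detection.get("threatName"),
        "alert_severity": severity_label(detection.get("severityScore", 0)),
        "alert_risk_score": detection.get("severityScore"),
        "observables": extract_observables(detection, **extract_kwargs),
    }
```

Two behaviours worth noticing: a file name such as `payload.exe` satisfies the domain pattern, which is exactly the kind of false positive `regex_ignore` (for instance `\.(exe|dll)$`) exists for; and because `ioc_ignore_paths` is applied before extraction, values under `context/*/ipAddress` never reach the CIDR check at all, so the two controls are complementary rather than redundant.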