HarfangLab
The HarfangLab connector facilitates seamless integration with the HarfangLab EDR platform, enabling automated security monitoring and response actions.

HarfangLab is a cutting-edge endpoint security solution that provides comprehensive telemetry and actionable insights for threat detection and response. This connector enables Swimlane Turbine users to integrate HarfangLab's advanced endpoint isolation and incident management capabilities directly into their security workflows. By leveraging this integration, security teams can automate the containment of threats, streamline incident analysis, and enhance their overall security posture with minimal manual intervention.

## Prerequisites

To effectively utilize the HarfangLab connector within the Swimlane Turbine platform, ensure you have the following:

- HTTP bearer token authentication with these parameters:
  - URL: the base URL for the HarfangLab API endpoint.
  - Token: a valid bearer token to authenticate API requests.

The HarfangLab connector integrates with Swimlane Turbine to retrieve incidents and endpoint info, and to isolate and deisolate endpoints.

## Capabilities

This connector provides the following capabilities:

- Deisolate Endpoint
- Endpoint Search
- Fetch Incidents
- Get Endpoint Info
- Isolate Endpoint

## Asset Setup

This connector requires the below parameters for authentication:

- URL
- Token

## Configurations

### HTTP Bearer Authentication

Authenticates using a bearer token such as a JWT, etc.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| token | Token | string | Required |
| verify ssl | Verify SSL certificate | boolean | Optional |
| http proxy | A proxy to route requests through | string | Optional |

## Actions

### Deisolate Endpoint

Reconnect a previously isolated endpoint to the network in HarfangLab by specifying the endpoint's ID.

Endpoint URL: `/api/data/endpoint/agent/{{id}}/deisolate/`

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path parameters id | string | Required | Parameters for the deisolate endpoint action |
| additional info | object | Optional | Parameter for deisolate endpoint |
| additional info additional info1 | string | Optional | Parameter for deisolate endpoint |
| additional info additional info2 | string | Optional | Parameter for deisolate endpoint |
| additional info additional info3 | string | Optional | Parameter for deisolate endpoint |
| additional info additional info4 | string | Optional | Parameter for deisolate endpoint |
| description | string | Optional | Parameter for deisolate endpoint |
| group count | number | Optional | Count value |
| id | string | Optional | Unique identifier |
| policy | object | Optional | Parameter for deisolate endpoint |
| policy agent auto forget | boolean | Optional | Parameter for deisolate endpoint |
| policy agent auto forget max days | number | Optional | agent auto forget max days: minimum value is 1 |
| policy agent auto update | boolean | Optional | Date value |
| policy agent ui admin message | string | Optional | Response message |
| policy agent ui enabled | boolean | Optional | Parameter for deisolate endpoint |
| policy agent ui notification level | number | Optional | agent ui notification level: maximum value is 2147483647 and minimum value is -2147483648 |
| policy agent ui notification scope | number | Optional | agent ui notification scope: maximum value is 2147483647 and minimum value is -2147483648 |
| policy agent upgrade strategy | string | Optional | Parameter for deisolate endpoint |
| policy audit killswitch | boolean | Optional | Parameter for deisolate endpoint |
| policy binary download enabled | boolean | Optional | Parameter for deisolate endpoint |
| policy description | string | Optional | Parameter for deisolate endpoint |
| policy driverblock mode | number | Optional | driverblock mode: maximum is 3 and minimum is 0 |
| policy feature callback tampering | boolean | Optional | Parameter for deisolate endpoint |
| policy feature dse tampering mode | number | Optional | feature dse tampering mode: maximum value is 2147483647 and minimum value is -2147483648 |
| policy feature event stacktrace | boolean | Optional | Parameter for deisolate endpoint |

#### Input example

{"json body" {"additional info" {"additional info1" "","additional
info2" "","additional info3" "","additional info4" ""},"description" "","group count" 0,"id" "3fa85f64 5717 4562 b3fc 2c963f66afa6","policy" {"agent auto forget"\ false,"agent auto forget max days" 1,"agent auto update"\ false,"agent ui admin message" "","agent ui enabled"\ true,"agent ui notification level" 2147483647,"agent ui notification scope" 2147483647,"agent upgrade strategy" "latest","audit killswitch"\ true,"binary download enabled"\ true,"description" "","driverblock mode" 3,"feature callback tampering"\ true,"feature dse tampering mode" 2147483647,"feature event stacktrace"\ true,"feature live process heuristics"\ true,"feature ppl antimalware"\ true,"feature process tampering"\ true,"feature windows filesystem events"\ true,"fim policy" "3fa85f64 5717 4562 b3fc 2c963f66afa6","hibou minimum level" "","hibou mode" 3,"hibou skip signed ms"\ true,"hibou skip signed others"\ true,"hlai minimum level" "","hlai mode" 3,"hlai pdf"\ true,"hlai scan libraries"\ true,"hlai scripts minimum level" "","hlai scripts mode" 3,"hlai skip signed ms"\ true,"hlai skip signed others"\ true,"hlai written executable"\ true,"ioc mode" 3,"ioc ruleset" 0,"ioc scan libraries"\ true,"ioc scan written executable"\ true,"isolation exclusions revision" 2147483647,"library download enabled"\ true,"linux paths other watched globs" \["/dev/shm/ ","/home/ / ","/tmp/ "],"linux self protection"\ true,"linux self protection feature hosts"\ true,"linux startup block"\ true,"linux use isolation"\ true,"local endpoint cache size" 10240,"loglevel" "","macos paths muted exact" \["/library/bluetooth/com apple mobilebluetooth ledevices paired db wal","/private/var/root/library/logs/bluetooth/bluetoothd hci latest pklg"],"macos paths muted globs" \[],"macos paths muted prefixes" \["/system/volumes/data/ spotlight v100/","/usr/sbin/"],"macos paths other watched exact" \["/ ssh/authorized keys","/etc/resolv conf","/private/var/at/cron deny","/var/run/utmpx"],"macos paths other watched globs" 
\["/users/ / ","/etc/ssl/ "],"macos paths other watched prefixes" \["/library/launchagents/","/private/var/at/tabs/"],"macos paths read watched exact" \["/ ssh/authorized keys","/var/run/utmpx"],"macos paths read watched globs" \["/users/ / ","/etc/ssl/ "],"macos paths read watched prefixes" \["/library/launchagents/","/private/var/at/tabs/"],"macos paths write watched exact" \["/private/var/at/cron allow","/var/run/utmpx"],"macos paths write watched globs" \["/users/ / ","/etc/ssl/ "],"macos paths write watched prefixes" \["/library/launchagents/","/private/var/at/tabs/"],"name" "","origin stack" {"id" "","is current"\ true,"is supervisor"\ true,"is tenant"\ true,"name" ""},"ransomguard heuristic mode" 2147483647,"ransomguard mode" 3,"self protection"\ true,"self protection feature hosts"\ true,"self protection feature safe mode"\ true,"self protection firewall"\ true,"sidewatch mode" 3,"sigma mode" 3,"sigma ruleset" 0,"sleepjitter" 2147483647,"sleeptime" 2147483647,"synchronization status" "3fa85f64 5717 4562 b3fc 2c963f66afa6","telemetry alerts limit"\ true,"telemetry alerts limit value" 2147483647,"telemetry amsi dynamic scripts limit"\ true,"telemetry amsi dynamic scripts limit value" 2147483647,"telemetry amsi dynamic scripts state" "disabled","telemetry amsi other scans limit"\ true,"telemetry amsi other scans limit value" 2147483647,"telemetry amsi other scans state" "disabled","telemetry authentication"\ true,"telemetry authentication limit"\ true,"telemetry authentication limit value" 2147483647,"telemetry authentication state" "disabled","telemetry dns resolution"\ true,"telemetry dns resolution limit"\ true,"telemetry dns resolution limit value" 2147483647,"telemetry dns resolution state" "disabled","telemetry dotnet library state" "disabled","telemetry driverload"\ true,"telemetry driverload limit"\ true,"telemetry driverload limit value" 2147483647,"telemetry driverload state" "disabled","telemetry file download limit"\ true,"telemetry file download 
limit value" 2147483647,"telemetry file download state" "disabled","telemetry file limit"\ true,"telemetry file limit value" 2147483647,"telemetry file state" "disabled","telemetry library load limit"\ true,"telemetry library load limit value" 2147483647,"telemetry library load state" "disabled","telemetry log"\ true,"telemetry log limit"\ true,"telemetry log limit value" 2147483647,"telemetry log state" "disabled","telemetry named pipe limit"\ true,"telemetry named pipe limit value" 2147483647,"telemetry named pipe state" "disabled","telemetry network"\ true,"telemetry network limit"\ true,"telemetry network limit value" 2147483647,"telemetry network listen limit"\ true,"telemetry network listen limit value" 2147483647,"telemetry network listen state" "disabled","telemetry network state" "disabled","telemetry on alert enabled"\ true,"telemetry on alert post alert max duration secs" 2147483647,"telemetry on alert post alert max event count" 2147483647,"telemetry on alert pre alert event count" 2147483647,"telemetry powershell"\ true,"telemetry powershell limit"\ true,"telemetry powershell limit value" 2147483647,"telemetry powershell state" "disabled","telemetry process"\ true,"telemetry process access limit"\ true,"telemetry process access limit value" 2147483647,"telemetry process access state" "disabled","telemetry process limit"\ true,"telemetry process limit value" 2147483647,"telemetry process state" "disabled","telemetry process tamper limit"\ true,"telemetry process tamper limit value" 2147483647,"telemetry process tamper state" "disabled","telemetry raw device access limit"\ true,"telemetry raw device access limit value" 2147483647,"telemetry raw device access state" "disabled","telemetry raw socket creation limit"\ true,"telemetry raw socket creation limit value" 2147483647,"telemetry raw socket creation state" "disabled","telemetry registry limit"\ true,"telemetry registry limit value" 2147483647,"telemetry registry state" "disabled","telemetry 
remotethread"\ true,"telemetry remotethread limit"\ true,"telemetry remotethread limit value" 2147483647,"telemetry remotethread state" "disabled","telemetry service limit"\ true,"telemetry service limit value" 2147483647,"telemetry service state" "disabled","telemetry url request limit"\ true,"telemetry url request limit value" 2147483647,"telemetry url request state" "disabled","telemetry usb activity limit"\ true,"telemetry usb activity limit value" 2147483647,"telemetry usb activity state" "disabled","telemetry user group limit"\ true,"telemetry user group limit value" 2147483647,"telemetry user group state" "disabled","telemetry wmi event limit"\ true,"telemetry wmi event limit value" 2147483647,"telemetry wmi event state" "disabled","thread download enabled"\ true,"use isolation"\ true,"vulnerability policy" "3fa85f64 5717 4562 b3fc 2c963f66afa6","windows eventlog config" {"detection events" {},"telemetry events" {}},"windows read watched paths" \[" \\\program files "," \\\\\\\users\\\\ "],"windows registry read blacklist" \[],"windows registry read whitelist" \["hklm\\\sam\\\sam\\\domains\\\account\\\users\\\\ \\\\ ","hklm\\\security\\\cache\\\\ ","hku\\\\ \\\software\\\simontatham\\\\ "],"windows self protection"\ true,"windows self protection feature firewall"\ true,"windows self protection feature hosts"\ true,"windows self protection feature safe mode"\ true,"windows write watched paths" \[" \\\program files "," \\\windows\\\system32\\\tasks\\\\ "],"yara mode" 3,"yara ruleset" 0,"yara scan libraries load"\ true,"yara scan written executable"\ true,"yara skip signed ms"\ true,"yara skip signed others"\ true},"subnet" {}},"path parameters" {"id" "3fa85f64 5717 4562 b3fc 2c963f66afa6"}}

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| policy not allowed | array | Output field policy not allowed |
| policy not allowed hostname | string | Name of the resource |
| policy not allowed id | string | Unique identifier |
| requested | array | Output field requested |
| requested hostname | string | Name of the resource |
| requested id | string | Unique identifier |
| unrequested | array | Output field unrequested |
| unrequested hostname | string | Name of the resource |
| unrequested id | string | Unique identifier |
| unsupported | array | Output field unsupported |
| unsupported hostname | string | Name of the resource |
| unsupported id | string | Unique identifier |

#### Output example

```json
{
  "status code": 200,
  "response headers": {
    "content type": "text/html; charset=utf-8",
    "x hsci cache time": "2024-12-18T12:01:22.328Z"
  },
  "reason": "OK",
  "json body": {
    "policy not allowed": [{}],
    "requested": [{}],
    "unrequested": [{}],
    "unsupported": [{}]
  }
}
```

### Endpoint Search

Retrieve endpoint information from HarfangLab by conducting a targeted search.

Endpoint URL: `/api/data/endpoint/agent`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters search | string | Optional | Parameters for the endpoint search action |
| parameters ordering | string | Optional | Parameters for the endpoint search action |
| parameters id | string | Optional | Parameters for the endpoint search action |
| parameters domainname | string | Optional | Parameters for the endpoint search action |
| parameters dnsdomainname | string | Optional | Parameters for the endpoint search action |
| parameters hostname | string | Optional | Parameters for the endpoint search action |
| parameters osmajor | number | Optional | Parameters for the endpoint search action |
| parameters osminor | number | Optional | Parameters for the endpoint search action |
| parameters osproducttype | string | Optional | Parameters for the endpoint search action |
| parameters firstseen | string | Optional | Parameters for the endpoint search action |
| parameters lastseen | string | Optional | Parameters for the endpoint search action |
| parameters version | string | Optional | Parameters for the endpoint search action |
| parameters bitness | string | Optional | Parameters for the endpoint search action |
| parameters domain | string | Optional | Parameters for the endpoint search action |
| parameters installdate | string | Optional | Parameters for the endpoint search action |
| parameters ipaddress | string | Optional | Parameters for the endpoint search action |
| parameters external ipaddress | string | Optional | Parameters for the endpoint search action |
| parameters osbuild | number | Optional | Parameters for the endpoint search action |
| parameters osid | string | Optional | Parameters for the endpoint search action |
| parameters osversion | string | Optional | Parameters for the endpoint search action |
| parameters producttype | string | Optional | Parameters for the endpoint search action |
| parameters servicepack | string | Optional | Parameters for the endpoint search action |
| parameters total memory | number | Optional | Parameters for the endpoint search action |
| parameters cpu count | number | Optional | Parameters for the endpoint search action |
| parameters cpu frequency | number | Optional | Parameters for the endpoint search action |

#### Input example

```json
{
  "parameters": {
    "search": "string",
    "ordering": "string",
    "id": "12345678-1234-1234-1234-123456789abc",
    "domainname": "example name",
    "dnsdomainname": "example name",
    "hostname": "example name",
    "osmajor": 123,
    "osminor": 123,
    "osproducttype": "string",
    "firstseen": "string",
    "lastseen": "string",
    "version": "string",
    "bitness": "string",
    "domain": "string",
    "installdate": "string",
    "ipaddress": "string",
    "external ipaddress": "string",
    "osbuild": 123,
    "osid": "string",
    "osversion": "string",
    "producttype": "string",
    "servicepack": "string",
    "total memory": 123,
    "cpu count": 123,
    "cpu frequency": 123,
    "avg cpu": 123,
    "avg memory": 123,
    "avg system cpu": 123,
    "avg system memory": 123,
    "starttime": "string",
    "machine boottime": "string",
    "subnet gateway ipaddress": "string",
    "subnet gateway macaddress": "string",
    "subnet name": "example name",
    "isolation state": "string",
    "antivirus name": "example name",
    "antivirus version": "string",
    "antivirus rules version": "string",
    "antivirus last update date": "string",
    "antivirus rules last update date": "string",
    "additional info": "string",
    "additional info additional info1": "string",
    "additional info additional info2": "string",
    "additional info additional info3": "string"
  }
}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| next | string | Output field next |
| previous | string | Output field previous |
| results | array | Result of the operation |
| results additional info | object | Result of the operation |
| results additional info additional info1 | string | Result of the operation |
| results antivirus last update date | string | Result of the operation |
| results antivirus name | string | Name of the resource |
| results antivirus profile | object | Result of the operation |
| results antivirus profile agent count | number | Result of the operation |
| results antivirus profile antivirus object | object | Result of the operation |
| results antivirus profile antivirus slug | string | Result of the operation |
| results antivirus profile creation date | string | Result of the operation |
| results antivirus profile description | string | Result of the operation |
| results antivirus profile id | string | Unique identifier |
| results antivirus profile last modifier | object | Result of the operation |
| results antivirus profile last modifier id | number | Unique identifier |
| results antivirus profile last modifier username | string | Name of the resource |
| results antivirus profile last update | string | Result of the operation |
| results antivirus profile name | string | Name of the resource |
| results antivirus profile revision | number | Result of the operation |
| results antivirus profile status | string | Status value |
| results antivirus rules last update date | string | Result of the operation |

#### Output example

```json
{
  "count": 123,
  "next": "string",
  "previous": "string",
  "results": [
    {
      "additional info": {},
      "antivirus last update date": "string",
      "antivirus name": "example name",
      "antivirus profile": {},
      "antivirus profile status": "active",
      "antivirus rules last update date": "string",
      "antivirus rules version": "string",
      "antivirus version": "string",
      "application count": 123,
      "avg cpu": 123,
      "avg memory": 123,
      "avg system cpu": 123,
      "avg system memory": 123,
      "bitness": "string",
      "cpu count": 123
    }
  ]
}
```

### Fetch Incidents

Fetches a list of incidents from HarfangLab, providing an overview of security alerts and breaches.

Endpoint URL: `/api/data/alert/alert/alert`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters limit | number | Optional | Parameters for the fetch incidents action |
| parameters offset | number | Optional | Parameters for the fetch incidents action |

#### Input example

```json
{"parameters": {"limit": 3, "offset": 1}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Count value |
| next | string | Output field next |
| previous | string | Output field previous |
| results | array | Result of the operation |
| filters | object | Output field filters |
| filters wildcard | array | Output field filters wildcard |

#### Output example

```json
{
  "status code": 200,
  "response headers": {},
  "reason": "OK",
  "json body": {
    "count": 0,
    "next": "",
    "previous": "/api/data/alert/alert/alert/?limit=3",
    "results": [""],
    "filters": {"wildcard": []}
  }
}
```

### Get Endpoint Info

Retrieve detailed information for a specific agent in HarfangLab using the provided unique identifier (ID).

Endpoint URL: `/api/data/endpoint/agent/{{id}}`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path parameters id | string | Required | Parameters for the get endpoint info action |

#### Input example

```json
{"path parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| additional info | object | Output field additional info |
| additional info additional info1 | string | Output field additional info additional info1 |
| additional info additional info2 | string | Output field additional info additional info2 |
| additional info additional info3 | string | Output field additional info additional info3 |
| additional info additional info4 | string | Output field additional info additional info4 |
| antivirus last update date | string | Date value |
| antivirus name | string | Name of the resource |
| antivirus profile | object | Output field antivirus profile |
| antivirus profile agent count | number | Count value |
| antivirus profile antivirus object | object | Output field antivirus profile antivirus object |
| antivirus profile antivirus slug | string | Output field antivirus profile antivirus slug |
| antivirus profile creation date | string | Date value |
| antivirus profile description | string | Output field antivirus profile description |
| antivirus profile id | string | Unique identifier |
| antivirus profile last modifier | object | Output field antivirus profile last modifier |
| antivirus profile last modifier id | number | Unique identifier |
| antivirus profile last modifier username | string | Name of the resource |
| antivirus profile last update | string | Date value |
| antivirus profile name | string | Name of the resource |
| antivirus profile revision | number | Output field antivirus profile revision |
| antivirus profile status | string | Status value |
| antivirus rules last update date | string | Date value |
| antivirus rules version | string | Output field antivirus rules version |

#### Output example

```
{"additional info": {"additional info1": "string", "additional info2": "string", "additional info3": "string", "additional info4": "string"},
 "antivirus last update date": "string",
 "antivirus name": "example name",
 "antivirus profile": {"agent count": 123, "antivirus object": {}, "antivirus slug": "string", "creation date": "string", "description": "string", "id": "12345678-1234-1234-1234-123456789abc", "last modifier": {"id": 123, "username": "example name"}, "last update": "string", "name": "example name", "revision": 123},
 "ant
```

### Isolate Endpoint

Initiates network isolation on a specified agent using its ID in HarfangLab, to contain potential threats.

Endpoint URL: `/api/data/endpoint/agent/{{id}}/isolate/`

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path parameters id | string | Required | Parameters for the isolate endpoint action |
| additional info | object | Optional | Parameter for isolate endpoint |
| additional info additional info1 | string | Optional | Parameter for isolate endpoint |
| additional info additional info2 | string | Optional | Parameter for isolate endpoint |
| additional info additional info3 | string | Optional | Parameter for isolate endpoint |
| additional info additional info4 | string | Optional | Parameter for isolate endpoint |
| description | string | Optional | Parameter for isolate endpoint |
| group count | number | Optional | Count value |
| id | string | Optional | Unique identifier |
| policy | object | Optional | Parameter for isolate endpoint |
| policy agent auto forget | boolean | Optional | Parameter for isolate endpoint |
| policy agent auto forget max days | number | Optional | agent auto forget max days: minimum value is 1 |
| policy agent auto update | boolean | Optional | Date value |
| policy agent ui admin message | string | Optional | Response message |
| policy agent ui enabled | boolean | Optional | Parameter for isolate endpoint |
| policy agent ui notification level | number | Optional | agent ui notification level: maximum value is 2147483647 and minimum value is -2147483648 |
| policy agent ui notification scope | number | Optional | agent ui notification scope: maximum value is 2147483647 and minimum value is -2147483648 |
| policy agent upgrade strategy | string | Optional | Parameter for isolate endpoint |
| policy audit killswitch | boolean | Optional | Parameter for isolate endpoint |
| policy binary download enabled | boolean | Optional | Parameter for isolate endpoint |
| policy description | string | Optional | Parameter for isolate endpoint |
| policy driverblock mode | number | Optional | driverblock mode: maximum is 3 and minimum is 0 |
| policy feature callback tampering | boolean | Optional | Parameter for isolate endpoint |
| policy feature dse tampering mode | number | Optional | feature dse tampering mode: maximum value is 2147483647 and minimum value is -2147483648 |
| policy feature event stacktrace | boolean | Optional | Parameter for isolate endpoint |

#### Input example

{"json body" {"additional info" {"additional info1" "","additional info2" "","additional info3" "","additional info4" ""},"description" "","group count" 0,"id" "3fa85f64 5717 4562 b3fc 2c963f66afa6","policy" {"agent auto forget"\ false,"agent auto forget max days" 1,"agent auto update"\ false,"agent ui admin message" "","agent ui
enabled"\ true,"agent ui notification level" 2147483647,"agent ui notification scope" 2147483647,"agent upgrade strategy" "latest","audit killswitch"\ true,"binary download enabled"\ true,"description" "","driverblock mode" 3,"feature callback tampering"\ true,"feature dse tampering mode" 2147483647,"feature event stacktrace"\ true,"feature live process heuristics"\ true,"feature ppl antimalware"\ true,"feature process tampering"\ true,"feature windows filesystem events"\ true,"fim policy" "3fa85f64 5717 4562 b3fc 2c963f66afa6","hibou minimum level" "","hibou mode" 3,"hibou skip signed ms"\ true,"hibou skip signed others"\ true,"hlai minimum level" "","hlai mode" 3,"hlai pdf"\ true,"hlai scan libraries"\ true,"hlai scripts minimum level" "","hlai scripts mode" 3,"hlai skip signed ms"\ true,"hlai skip signed others"\ true,"hlai written executable"\ true,"ioc mode" 3,"ioc ruleset" 0,"ioc scan libraries"\ true,"ioc scan written executable"\ true,"isolation exclusions revision" 2147483647,"library download enabled"\ true,"linux paths other watched globs" \["/dev/shm/ ","/home/ / ","/tmp/ "],"linux self protection"\ true,"linux self protection feature hosts"\ true,"linux startup block"\ true,"linux use isolation"\ true,"local endpoint cache size" 10240,"loglevel" "","macos paths muted exact" \["/library/bluetooth/com apple mobilebluetooth ledevices paired db wal","/private/var/root/library/logs/bluetooth/bluetoothd hci latest pklg"],"macos paths muted globs" \[],"macos paths muted prefixes" \["/system/volumes/data/ spotlight v100/","/usr/sbin/"],"macos paths other watched exact" \["/ ssh/authorized keys","/etc/resolv conf","/private/var/at/cron deny","/var/run/utmpx"],"macos paths other watched globs" \["/users/ / ","/etc/ssl/ "],"macos paths other watched prefixes" \["/library/launchagents/","/private/var/at/tabs/"],"macos paths read watched exact" \["/ ssh/authorized keys","/var/run/utmpx"],"macos paths read watched globs" \["/users/ / ","/etc/ssl/ "],"macos paths 
read watched prefixes" \["/library/launchagents/","/private/var/at/tabs/"],"macos paths write watched exact" \["/private/var/at/cron allow","/var/run/utmpx"],"macos paths write watched globs" \["/users/ / ","/etc/ssl/ "],"macos paths write watched prefixes" \["/library/launchagents/","/private/var/at/tabs/"],"name" "","origin stack" {"id" "","is current"\ true,"is supervisor"\ true,"is tenant"\ true,"name" ""},"ransomguard heuristic mode" 2147483647,"ransomguard mode" 3,"self protection"\ true,"self protection feature hosts"\ true,"self protection feature safe mode"\ true,"self protection firewall"\ true,"sidewatch mode" 3,"sigma mode" 3,"sigma ruleset" 0,"sleepjitter" 2147483647,"sleeptime" 2147483647,"synchronization status" "3fa85f64 5717 4562 b3fc 2c963f66afa6","telemetry alerts limit"\ true,"telemetry alerts limit value" 2147483647,"telemetry amsi dynamic scripts limit"\ true,"telemetry amsi dynamic scripts limit value" 2147483647,"telemetry amsi dynamic scripts state" "disabled","telemetry amsi other scans limit"\ true,"telemetry amsi other scans limit value" 2147483647,"telemetry amsi other scans state" "disabled","telemetry authentication"\ true,"telemetry authentication limit"\ true,"telemetry authentication limit value" 2147483647,"telemetry authentication state" "disabled","telemetry dns resolution"\ true,"telemetry dns resolution limit"\ true,"telemetry dns resolution limit value" 2147483647,"telemetry dns resolution state" "disabled","telemetry dotnet library state" "disabled","telemetry driverload"\ true,"telemetry driverload limit"\ true,"telemetry driverload limit value" 2147483647,"telemetry driverload state" "disabled","telemetry file download limit"\ true,"telemetry file download limit value" 2147483647,"telemetry file download state" "disabled","telemetry file limit"\ true,"telemetry file limit value" 2147483647,"telemetry file state" "disabled","telemetry library load limit"\ true,"telemetry library load limit value" 2147483647,"telemetry 
library load state" "disabled","telemetry log"\ true,"telemetry log limit"\ true,"telemetry log limit value" 2147483647,"telemetry log state" "disabled","telemetry named pipe limit"\ true,"telemetry named pipe limit value" 2147483647,"telemetry named pipe state" "disabled","telemetry network"\ true,"telemetry network limit"\ true,"telemetry network limit value" 2147483647,"telemetry network listen limit"\ true,"telemetry network listen limit value" 2147483647,"telemetry network listen state" "disabled","telemetry network state" "disabled","telemetry on alert enabled"\ true,"telemetry on alert post alert max duration secs" 2147483647,"telemetry on alert post alert max event count" 2147483647,"telemetry on alert pre alert event count" 2147483647,"telemetry powershell"\ true,"telemetry powershell limit"\ true,"telemetry powershell limit value" 2147483647,"telemetry powershell state" "disabled","telemetry process"\ true,"telemetry process access limit"\ true,"telemetry process access limit value" 2147483647,"telemetry process access state" "disabled","telemetry process limit"\ true,"telemetry process limit value" 2147483647,"telemetry process state" "disabled","telemetry process tamper limit"\ true,"telemetry process tamper limit value" 2147483647,"telemetry process tamper state" "disabled","telemetry raw device access limit"\ true,"telemetry raw device access limit value" 2147483647,"telemetry raw device access state" "disabled","telemetry raw socket creation limit"\ true,"telemetry raw socket creation limit value" 2147483647,"telemetry raw socket creation state" "disabled","telemetry registry limit"\ true,"telemetry registry limit value" 2147483647,"telemetry registry state" "disabled","telemetry remotethread"\ true,"telemetry remotethread limit"\ true,"telemetry remotethread limit value" 2147483647,"telemetry remotethread state" "disabled","telemetry service limit"\ true,"telemetry service limit value" 2147483647,"telemetry service state" "disabled","telemetry url 
request limit"\ true,"telemetry url request limit value" 2147483647,"telemetry url request state" "disabled","telemetry usb activity limit"\ true,"telemetry usb activity limit value" 2147483647,"telemetry usb activity state" "disabled","telemetry user group limit"\ true,"telemetry user group limit value" 2147483647,"telemetry user group state" "disabled","telemetry wmi event limit"\ true,"telemetry wmi event limit value" 2147483647,"telemetry wmi event state" "disabled","thread download enabled"\ true,"use isolation"\ true,"vulnerability policy" "3fa85f64 5717 4562 b3fc 2c963f66afa6","windows eventlog config" {"detection events" {},"telemetry events" {}},"windows read watched paths" \[" \\\program files "," \\\\\\\users\\\\ "],"windows registry read blacklist" \[],"windows registry read whitelist" \["hklm\\\sam\\\sam\\\domains\\\account\\\users\\\\ \\\\ ","hklm\\\security\\\cache\\\\ ","hku\\\\ \\\software\\\simontatham\\\\ "],"windows self protection"\ true,"windows self protection feature firewall"\ true,"windows self protection feature hosts"\ true,"windows self protection feature safe mode"\ true,"windows write watched paths" \[" \\\program files "," \\\windows\\\system32\\\tasks\\\\ "],"yara mode" 3,"yara ruleset" 0,"yara scan libraries load"\ true,"yara scan written executable"\ true,"yara skip signed ms"\ true,"yara skip signed others"\ true},"subnet" {}},"path parameters" {"id" "3fa85f64 5717 4562 b3fc 2c963f66afa6"}}

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| policy not allowed | array | Output field policy not allowed |
| policy not allowed hostname | string | Name of the resource |
| policy not allowed id | string | Unique identifier |
| requested | array | Output field requested |
| requested hostname | string | Name of the resource |
| requested id | string | Unique identifier |
| unrequested | array | Output field unrequested |
| unrequested hostname | string | Name of the resource |
| unrequested id | string | Unique identifier |
| unsupported | array | Output field unsupported |
| unsupported hostname | string | Name of the resource |
| unsupported id | string | Unique identifier |

#### Output example

```json
{
  "status code": 200,
  "response headers": {
    "content type": "text/html; charset=utf-8",
    "x hsci cache time": "2024-12-18T12:01:22.328Z"
  },
  "reason": "OK",
  "json body": {
    "policy not allowed": [{}],
    "requested": [{}],
    "unrequested": [{}],
    "unsupported": [{}]
  }
}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| content type | The media type of the resource | text/html; charset=utf-8 |
| date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| x hsci cache time | HTTP response header x hsci cache time | 2024-12-18T12:01:22.328Z |
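
The isolate and deisolate actions return four arrays next to the status code, so a playbook should confirm which array each agent landed in before it records a host as contained. The following is an added example, not code from Swimlane or HarfangLab: it builds the POST request for the documented paths and triages a constructed response. Assumptions: field names are written with underscores (`status_code`, `json_body`, `policy_not_allowed`) where the page's text shows spaces, the token is sent with the standard `Authorization: Bearer` scheme, only the `requested` array is treated as success, and the host `edr.example.invalid` and the sample response are constructed.

```python
"""Added example: build and triage HarfangLab isolate/deisolate calls offline."""
import re
import urllib.request

# Agent ids on the page are UUID-shaped. Rejecting anything else keeps
# caller-supplied input from changing the request path.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)
ACTIONS = ("isolate", "deisolate")
# Output arrays listed in the connector's output table (names assumed to
# use underscores; the page's text shows them with spaces).
BUCKETS = ("requested", "unrequested", "policy_not_allowed", "unsupported")


def build_request(base_url, token, agent_id, action):
    """Return an unsent POST request for the documented isolate/deisolate path."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    if not UUID_RE.fullmatch(agent_id):
        raise ValueError("agent id is not a UUID")
    if not base_url.lower().startswith("https://"):
        raise ValueError("bearer tokens must only be sent over https")
    url = f"{base_url.rstrip('/')}/api/data/endpoint/agent/{agent_id}/{action}/"
    return urllib.request.Request(
        url,
        data=b"{}",  # assumption: an empty JSON body, since every body field is optional
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def triage(response, agent_ids):
    """Map each agent id to the output array it was reported in."""
    if response.get("status_code") != 200:
        return {agent: "http_error" for agent in agent_ids}
    body = response.get("json_body") or {}
    seen = {}
    for bucket in BUCKETS:
        for entry in body.get(bucket) or []:
            # The page's own output example contains empty objects ([{}]),
            # so entries without an id are skipped rather than trusted.
            if isinstance(entry, dict) and "id" in entry:
                seen.setdefault(entry["id"], bucket)
    return {agent: seen.get(agent, "missing") for agent in agent_ids}


def needs_followup(outcome):
    """Agents a playbook must not mark as handled (assumption: only
    'requested' means the order was accepted)."""
    return sorted(a for a, bucket in outcome.items() if bucket != "requested")


# Constructed sample data: two ids reuse the page's example UUIDs, the
# third id and all hostnames are made up.
AGENT_A = "3fa85f64-5717-4562-b3fc-2c963f66afa6"
AGENT_B = "12345678-1234-1234-1234-123456789abc"
AGENT_C = "00000000-0000-4000-8000-000000000001"
SAMPLE_RESPONSE = {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
        "policy_not_allowed": [{"id": AGENT_B, "hostname": "srv-db-01"}],
        "requested": [{"id": AGENT_A, "hostname": "ws-001"}],
        "unrequested": [{}],
        "unsupported": [],
    },
}

if __name__ == "__main__":
    req = build_request("https://edr.example.invalid", "REDACTED", AGENT_A, "isolate")
    print(req.get_method(), req.full_url)
    outcome = triage(SAMPLE_RESPONSE, [AGENT_A, AGENT_B, AGENT_C])
    for agent, bucket in outcome.items():
        print(f"{agent}: {bucket}")
    print("follow up:", needs_followup(outcome))
```
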