# Symantec Endpoint Security
The Swimlane Symantec Endpoint Security connector integrates Symantec Endpoint Security with Swimlane to command devices.

## Prerequisites

To obtain your client ID and client secret, required by the asset, log in to https://sep.securitycloud.symantec.com/v2/home/dashboard. Then, under the Integration tab in the main menu, click Client Applications.

## Capabilities

This connector provides the following capabilities:

- Add blacklist
- Apply policy
- Delete blacklist
- Get devices information
- Get file finger print list by name
- Get file finger print list
- Get policies
- Get policy by ID
- Get policy versions
- Get policy target rules
- Get device group policies
- Update blacklist
- Make a custom scan
- Make a full scan
- Make a quick scan
- And so on

## Action setup

Some actions need one or more device IDs to run. The Get Devices action helps to get additional information about your devices; for example, you can use the `name` input to get information about that specific device.

### Relative time format

The following actions accept relative time formats for the start date and end date inputs:

- Get Incidents
- Get Incident Events

You can use any standard datetime format supported by pendulum, or a relative datetime:

- For the current time: `now`
- Any other time: `now (+/-)(integer) (milliseconds|seconds|minutes|days|weeks|months|years)`, for example `now -1 months +3 days -123 seconds`

### Queries

The following actions use queries to filter output data:

- Get Incidents
- Get Commands

You can use the `query` input to filter the results. When creating a search query string, consider the following:

- You can search supported fields by specifying the field name followed by a colon (`:`) and then the term you are looking for.
- You can also escape special characters that are part of the query syntax. To escape a special character, use `\` before the character. Here is the current list of special characters: `+ - && || ! ( ) { } [ ] ^ " ~ * ? : \`
- The date value should follow the ISO 8601 date stamp standard format (`yyyy-MM-dd'T'HH:mm:ss.SSSZ`).
- Supported boolean operators for a complex query are `AND`, `OR`, `+`, `-`, `NOT`. Note: boolean operators must be all caps.
- Multiple terms can be combined together with boolean operators to form a more complex query.
- In the query clause, use parentheses to group clauses to form sub-queries.
- Defaults to all incidents updated between the start time and end time specified in the query.
- The maximum length of the query string is 1024 characters.
- Supported fields for query include: `state_id`, `incident_uid`, `created`, `modified`, `reference_incident_uid`, `priority_id`, `severity_id`, `remediation`, `suspected_breach`, `detection_type`, `conclusion`, `resolution_id`.

## Notes

- https://sep.securitycloud.symantec.com/v2/home/dashboard
- https://apidocs.securitycloud.symantec.com/#/doc?id=edr_incidents

## Product version tested against

- v1

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| custom_client_id | Client ID | string | required |
| custom_client_secret | Client secret | string | required |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add blacklist

Adds a blacklist as a file fingerprint list to Symantec Endpoint Protection Manager. A system administrator account is required for this action.

- Endpoint URL: `api/v1/policy-objects/fingerprints`
- Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | optional | Name of the resource |
| domainId | string | optional | Unique identifier |
| hashType | string | optional | Type of the resource |
| description | string | optional | Parameter for Add blacklist |
| data | array | optional | Response data |

Input example:

```json
{"name": "example name", "domainId": "string", "hashType": "string", "description": "string", "data": ["string"]}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{}
```

### Apply policy

This API lets you apply a policy to device groups.

- Endpoint URL: `/v1/policies/{{policy_uid}}/versions/{{version}}/device-groups`
- Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.policy_uid | string | required | Parameters for the Apply policy action |
| path_parameters.version | string | required | Parameters for the Apply policy action |
| target_rules | array | optional | Parameter for Apply policy |
| override | boolean | optional | Unique identifier |
| device_group_ids | array | optional | Unique identifier |

Input example:

```json
{
  "json_body": {"target_rules": ["quarantine"], "override": true, "device_group_ids": ["wa1jpjdfrmsfbvohsbuk7g"]},
  "path_parameters": {"policy_uid": "string", "version": "string"}
}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 204, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Cancel command

This API lets you cancel the endpoint search command.

- Endpoint URL: `v1/commands/endpoint-search/{{command_id}}/cancel`
- Method: PUT

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.command_id | string | required | Parameters for the Cancel command action |

Input example:

```json
{"path_parameters": {"command_id": "edrc-722eb5fa-9ce7-4770-9948-a18f92f62fad"}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |

Output example:

```json
{
  "status_code": 404,
  "response_headers": {
    "date": "Thu, 22 Dec 2022 19:23:52 GMT",
    "content-type": "application/json",
    "content-length": "99",
    "connection": "keep-alive",
    "server": "envoy",
    "x-envoy-upstream-service-time": "23",
    "via": "1.1 google",
    "alt-svc": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"
  },
  "reason": "Not Found",
  "json_body": {"message": "Search history object not found for command: edrc-722eb5fa-9ce7-4770-9948-a18f92f"}
}
```

### Custom scan

Runs a custom scan.

- Endpoint URL: `v1/commands/scans/custom`
- Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| device_ids | array | optional | Unique identifier |
| org_unit_ids | array | optional | Unique identifier |
| is_recursive | boolean | optional | Parameter for Custom scan |

Input example:

```json
{
  "json_body": {
    "device_ids": ["40pfciogqtmj3-eijlg5sa", "ehh-9sdfteoh-vg5g6mqo2"],
    "org_unit_ids": ["jc9gvca-qi2jxn6ubdllew", "jc9gvca-qi2jxn6ubdllez"],
    "is_recursive": false
  }
}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |
| status_text | string | Status value |
| results | object | Result of the operation |
| results.data | array | Response data |
| results.data.command_state_ref | string | Response data |
| results.data.device_id | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"status": 200, "status_text": "200 OK", "results": {"data": []}}}
```

### Delete blacklist

Deletes an existing blacklist, and removes it from a group to which it applies. A system administrator account is required for this action.

- Endpoint URL: `api/v1/policy-objects/fingerprints/{{id}}`
- Method: DELETE

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Delete blacklist action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{}
```

### Delete command

This API lets you delete the endpoint search command.

- Endpoint URL: `v1/commands/endpoint-search/{{command_id}}`
- Method: DELETE

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.command_id | string | required | Parameters for the Delete command action |

Input example:

```json
{"path_parameters": {"command_id": "edrc-722eb5fa-9ce7-4770-9948-a18f92f62fad"}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "date": "Thu, 22 Dec 2022 19:26:36 GMT",
    "content-length": "0",
    "connection": "keep-alive",
    "server": "envoy",
    "cache-control": "no-cache, no-store, max-age=0, must-revalidate",
    "pragma": "no-cache",
    "expires": "0",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "x-envoy-upstream-service-time": "12",
    "via": "1.1 google",
    "alt-svc": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"
  },
  "reason": "OK",
  "response_text": ""
}
```

### Full dump command

This API lets you send the full dump command to the device.

- Endpoint URL: `v1/commands/endpoint-search/fulldump`
- Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| device_id | string | optional | Unique identifier |
| description | string | optional | Parameter for Full dump command |

Input example:

```json
{"json_body": {"device_id": "4u-t38vbrrcg8lh2soxhwg", "description": "test"}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |
| status_text | string | Status value |
| results | object | Result of the operation |
| results.data | array | Response data |
| results.data.command_state_ref | string | Response data |
| results.data.command_type | string | Response data |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "date": "Fri, 23 Dec 2022 15:26:43 GMT",
    "content-type": "application/json",
    "content-length": "206",
    "connection": "keep-alive",
    "server": "envoy",
    "x-envoy-upstream-service-time": "1052",
    "via": "1.1 google",
    "alt-svc": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"
  },
  "reason": "OK",
  "json_body": {"status": 200, "status_text": "200 OK", "results": {"data": []}}
}
```

### Full scan

Runs a full scan.

- Endpoint URL: `v1/commands/scans/full`
- Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| device_ids | array | optional | Unique identifier |
| org_unit_ids | array | optional | Unique identifier |
| is_recursive | boolean | optional | Parameter for Full scan |

Input example:

```json
{
  "json_body": {
    "device_ids": ["40pfciogqtmj3-eijlg5sa", "ehh-9sdfteoh-vg5g6mqo2"],
    "org_unit_ids": ["jc9gvca-qi2jxn6ubdllew", "jc9gvca-qi2jxn6ubdllez"],
    "is_recursive": false
  }
}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | number | Status value |
| status_text | string | Status value |
| results | object | Result of the operation |
| results.data | array | Response data |
| results.data.command_state_ref | string | Response data |
| results.data.device_id | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"status": 200, "status_text": "200 OK", "results": {"data": []}}}
```

### Get command by ID

This API lets you get the details of an endpoint search command.

- Endpoint URL: `v1/commands/endpoint-search/{{command_id}}`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.command_id | string | required | Parameters for the Get command by ID action |

Input example:

```json
{"path_parameters": {"command_id": "edrc-6648f9af-db51-4d86-8ff4-4c66c901a879"}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| command_id | string | Unique identifier |
| user_name | string | Name of the resource |
| create_time | string | Time value |
| command_status | string | Status value |
| command_type | string | Type of the resource |
| total_endpoints | number | Output field total_endpoints |
| completed_endpoints | number | Output field completed_endpoints |
| endpoint_status_count | object | Status value |
| endpoint_status_count.found | number | Status value |

Output example (the example is cut off on the page):

```json
{
  "status_code": 404,
  "response_headers": {
    "date": "Fri, 23 Dec 2022 15:14:44 GMT",
    "content-type": "application/json",
    "content-length": "99",
    "connection": "keep-alive",
    "server": "envoy",
    "x-envoy-upstream-service-time": "19",
    "via": "1.1 google",
    "alt-svc": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"
  },
  "reason": "Not Found",
  "json_body": {
    "name": "public api full dump",
    "command_id": "edrc-6648f9af-db51-4d86-8ff4-4c66c901a879",
    "user_name": "edrcust-gcp-dev861871",
    "create_time": "2021-12-28T10:15:16.507Z",
    "co
```

### Get commands

This API lets you get the list of endpoint search commands.

- Endpoint URL: `v1/commands/endpoint-search`
- Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | optional | Parameter for Get commands |

Input example:

```json
{"json_body": {"query": "command_status:error"}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| commands | array | Output field commands |
| commands.file_name | string | Name of the resource |
| commands.file | string | Output field commands.file |
| total | number | Output field total |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "date": "Thu, 22 Dec 2022 18:56:21 GMT",
    "content-type": "application/json",
    "content-length": "25",
    "connection": "keep-alive",
    "server": "envoy",
    "x-envoy-upstream-service-time": "18",
    "via": "1.1 google",
    "alt-svc": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"
  },
  "reason": "OK",
  "json_body": {"commands": [], "total": 0}
}
```

### Get device group policies

This API lets you retrieve a list of policies that are targeted on a device group.

- Endpoint URL: `/v1/device-groups/{{group_id}}/policies`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.group_id | string | required | Parameters for the Get device group policies action |

Input example:

```json
{"path_parameters": {"group_id": "u6gnvuc3qyurlf4ilnxldg"}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| policies | array | Output field policies |
| policies.name | string | Name of the resource |
| policies.policy_type | string | Type of the resource |
| policies.policy_uid | string | Unique identifier |
| policies.policy_version | number | Output field policies.policy_version |
| policies.target_apply_level | string | Output field policies.target_apply_level |
| policies.target_rules | array | Output field policies.target_rules |
| policies.target_rules.version | number | Output field policies.target_rules.version |
| policies.target_rules.enabled | boolean | Output field policies.target_rules.enabled |
| policies.target_rules.sort_order | number | Output field policies.target_rules.sort_order |
| policies.targeted_date | string | Date value |

Output example (the example is cut off on the page):

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "total": 10,
    "policies": [
      {
        "name": "Default Intrusion Prevention Policy",
        "policy_type": "network-ips",
        "policy_uid": "9a2d5a12-4a4a-49d1-a55c-67012cdbd221",
        "policy_version": 1,
        "target_apply_level": "direct",
        "target_rules": [{"version": 1, "enabled": false, "sort_order": 999999}],
        "targeted_date": "2021-05-20T00:00:00.000Z"
      },
      {
        "name": "Default Device Control Policy",
        "policy_type": "device-control",
        "policy_uid": "d30aed4a-dff0-4270-8107-3297d15fe03c",
```

### Get devices

Retrieve the list of devices.

- Endpoint URL: `v1/devices`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.client_version | array | optional | Parameters for the Get devices action |
| parameters.device_status | array | optional | Parameters for the Get devices action |
| parameters.device_type | string | optional | Parameters for the Get devices action |
| parameters.edr_enabled | boolean | optional | Parameters for the Get devices action |
| parameters.is_cloud | boolean | optional | Parameters for the Get devices action |
| parameters.is_online | boolean | optional | Parameters for the Get devices action |
| parameters.is_virtual | boolean | optional | Parameters for the Get devices action |
| parameters.name | array | optional | Parameters for the Get devices action |
| parameters.os | array | optional | Parameters for the Get devices action |

Input example:

```json
{
  "parameters": {
    "client_version": ["14.3.202.3000", "14.3.4615.2000"],
    "device_status": ["at_risk", "compromised", "not_computed"],
    "device_type": "workstation",
    "edr_enabled": false,
    "is_cloud": false,
    "is_online": true,
    "is_virtual": true,
    "name": ["desktop-lqj2ouu", "swim-mitm"],
    "os": ["windows", "linux", "ios", "mac"]
  }
}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| devices | array | Output field devices |
| devices.id | string | Unique identifier |
| devices.name | string | Name of the resource |
| devices.host | string | Output field devices.host |
| devices.domain | string | Output field devices.domain |
| devices.created | string | Output field devices.created |
| devices.modified | string | Output field devices.modified |
| devices.os | object | Output field devices.os |
| devices.os.ver | string | Output field devices.os.ver |
| devices.os.name | string | Name of the resource |
| devices.os.type | string | Type of the resource |
| devices.os.64_bit | boolean | Output field devices.os.64_bit |
| devices.os.lang | string | Output field devices.os.lang |
| devices.os.major_ver | number | Output field devices.os.major_ver |
| devices.os.minor_ver | number | Output field devices.os.minor_ver |
| devices.os.sp | number | Output field devices.os.sp |
| devices.os.tz_offset | number | Output field devices.os.tz_offset |
| devices.os.user | string | Output field devices.os.user |
| devices.os.user_domain | string | Output field devices.os.user_domain |
| devices.os.vol_avail_mb | number | Output field devices.os.vol_avail_mb |
| devices.os.vol_cap_mb | number | Output field devices.os.vol_cap_mb |
| devices.hw | object | Output field devices.hw |

Output example (the example is cut off on the page):

```json
{
  "status_code": 200,
  "response_headers": {
    "date": "Thu, 22 Dec 2022 16:16:58 GMT",
    "content-type": "application/json",
    "content-length": "4427",
    "connection": "keep-alive",
    "server": "envoy",
    "x-envoy-upstream-service-time": "38",
    "via": "1.1 google",
    "alt-svc": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"
  },
  "reason": "OK",
  "json_body": {
    "total": 4,
    "devices": [
      {
        "id": "4u-t38vbrrcg8lh2soxhwg",
        "name": "desktop-qsi525c",
        "host": "desktop-qsi525c",
        "domain": "",
        "created": "2022-12-12T18:47:18.450Z",
        "modified": "2022-12-22T
```

### Get file finger print list

Gets the file fingerprint list for a specified ID as a set of hash values. A system administrator account is required for this action.

- Endpoint URL: `api/v1/policy-objects/fingerprints/{{id}}`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Get file finger print list action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| hashType | string | Type of the resource |
| source | string | Output field source |
| description | string | Output field description |
| data | array | Response data |
| groupIds | array | Unique identifier |

Output example:

```json
{
  "id": "12345678-1234-1234-1234-123456789abc",
  "name": "example name",
  "hashType": "string",
  "source": "string",
  "description": "string",
  "data": ["string"],
  "groupIds": ["string"]
}
```

### Get file finger print list by name

Gets the file fingerprint list for a specified name as a set of hash values. A system administrator account is required for this action.

- Endpoint URL: `api/v1/policy-objects/fingerprints`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.name | string | required | Parameters for the Get file finger print list by name action |
| parameters.domainId | string | optional | Parameters for the Get file finger print list by name action |

Input example:

```json
{"parameters": {"name": "example name", "domainId": "string"}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| hashType | string | Type of the resource |
| source | string | Output field source |
| description | string | Output field description |
| data | array | Response data |
| groupIds | array | Unique identifier |

Output example:

```json
{
  "id": "12345678-1234-1234-1234-123456789abc",
  "name": "example name",
  "hashType": "string",
  "source": "string",
  "description": "string",
  "data": ["string"],
  "groupIds": ["string"]
}
```

### Get incident associate events

This task lets you retrieve incident-associated events based on a time range filter.

- Endpoint URL: `v1/incidents/events`
- Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| incident_associate | boolean | optional | Unique identifier |
| limit | number | optional | Parameter for Get incident associate events |

Input example:

```json
{"json_body": {"incident_associate": true, "limit": 100}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| events | array | Output field events |
| events.file_name | string | Name of the resource |
| events.file | string | Output field events.file |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "date": "Mon, 26 Dec 2022 17:27:08 GMT",
    "content-type": "application/json",
    "content-length": "23",
    "connection": "keep-alive",
    "server": "envoy",
    "x-envoy-upstream-service-time": "128",
    "via": "1.1 google",
    "alt-svc": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"
  },
  "reason": "OK",
  "json_body": {"total": 0, "events": []}
}
```

### Get incident by ID

This task lets you retrieve details for a specific incident.

- Endpoint URL: `v1/incidents/{{id}}`
- Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Get incident by ID action |

Input example:

```json
{"path_parameters": {"id": "700559b9-c260-4c76-b441-f5fc5bd08e6d"}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |

Output example:

```json
{
  "status_code": 404,
  "response_headers": {
    "date": "Fri, 23 Dec 2022 19:38:01 GMT",
    "content-type": "application/json",
    "content-length": "95",
    "connection": "keep-alive",
    "server": "envoy",
    "x-envoy-upstream-service-time": "111",
    "via": "1.1 google",
    "alt-svc": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"
  },
  "reason": "Not Found",
  "json_body": {"message": "Incident summary is missing for incident id 700559b9-c260-4c76-b441-f5fc5bd08e6"}
}
```

### Get incidents

This API lets you retrieve incidents and incident events. You can specify search criteria to filter results.

- Endpoint URL: `v1/incidents`
- Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| start_date | string | optional | Date value |
| end_date | string | optional | Date value |
| next | number | optional | Parameter for Get incidents |
| limit | number | optional | Parameter for Get incidents |
| include_events | boolean | optional | Parameter for Get incidents |
| query | string | optional | Parameter for Get incidents |

Input example:

```json
{
  "json_body": {
    "start_date": "2022-11-25T22:46:09.230+0000",
    "end_date": "2023-05-21T22:46:09.230+0000",
    "next": 0,
    "limit": 10,
    "include_events": true,
    "query": "state_id:[0 TO 5] AND remediation:memory"
  }
}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| incidents | array | Unique identifier |
| incidents.customer_uid | string | Unique identifier |
| incidents.incident_uid | string | Unique identifier |
| incidents.type | string | Unique identifier |
| incidents.conclusion | string | Unique identifier |
| incidents.remediation | string | Unique identifier |
| incidents.priority_id | number | Unique identifier |
| incidents.category_id | number | Unique identifier |
| incidents.modified | string | Unique identifier |
| incidents.state_id | number | Unique identifier |
| incidents.id | number | Unique identifier |
| incidents.product_uid | string | Unique identifier |
| incidents.events | array | Unique identifier |
| incidents.events.activity_id | number | Unique identifier |
| incidents.events.actor | object | Unique identifier |
| incidents.events.actor.cmd_line | string | Unique identifier |
| incidents.events.actor.file | object | Unique identifier |
| incidents.events.actor.file.company_name | string | Unique identifier |
| incidents.events.actor.file.created | number | Unique identifier |
| incidents.events.actor.file.folder | string | Unique identifier |
| incidents.events.actor.file.md5 | string | Unique identifier |
| incidents.events.actor.file.name | string | Unique identifier |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "date": "Thu, 22 Dec 2022 19:07:21 GMT",
    "content-type": "application/json",
    "content-length": "26",
    "connection": "keep-alive",
    "server": "envoy",
    "x-envoy-upstream-service-time": "186",
    "via": "1.1 google",
    "alt-svc": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"
  },
  "reason": "OK",
  "json_body": {"total": 1, "incidents": [{}]}
}
```

### Get lineage events by incident ID

This task lets you retrieve process lineage events for a specific incident.

- Endpoint URL: `v1/incidents/{{incident_id}}/lineage`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.incident_id | string | required | Parameters for the Get lineage events by incident ID action |

Input example:

```json
{"path_parameters": {"incident_id": "700559b9-c260-4c76-b441-f5fc5bd08e6d"}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| message | string | Response message |

Output example:

```json
{
  "status_code": 404,
  "response_headers": {
    "date": "Mon, 26 Dec 2022 17:36:20 GMT",
    "content-type": "application/json",
    "content-length": "89",
    "connection": "keep-alive",
    "server": "envoy",
    "x-envoy-upstream-service-time": "29",
    "via": "1.1 google",
    "alt-svc": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"
  },
  "reason": "Not Found",
  "json_body": {"message": "There is no event uid for incident id 700559b9-c260-4c76-b441-f5fc5bd08e6d"}
}
```

### Get policies

This API lets you retrieve a list of your policies.

- Endpoint URL: `/v1/policies`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Parameters for the Get policies action |
| parameters.offset | number | optional | Parameters for the Get policies action |
| parameters.name | string | optional | Parameters for the Get policies action |
| parameters.type | string | optional | Parameters for the Get policies action |

Input example:

```json
{"parameters": {"limit": 100, "offset": 1, "name": "test", "type": "test"}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| policies | array | Output field policies |
| policies.name | string | Name of the resource |
| policies.author | string | Output field policies.author |
| policies.policy_uid | string | Unique identifier |
| policies.policy_version | number | Output field policies.policy_version |
| policies.policy_type | string | Type of the resource |
| policies.is_imported | boolean | Output field policies.is_imported |
| policies.created | string | Output field policies.created |
| policies.modified | string | Output field policies.modified |

Output example (the example is cut off on the page):

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "total": 22,
    "policies": [
      {
        "name": "Default Adaptive Protection Policy",
        "author": "system",
        "policy_uid": "fb52866d-18d8-46af-9c3b-c071afc5041e",
        "policy_version": 1,
        "policy_type": "behavioral-analysis",
        "is_imported": false,
        "created": "2021-05-16T08:36:34.000Z",
        "modified": "2021-05-16T08:36:34.000Z"
      },
      {
        "name": "Default Allow List Policy",
        "author": "system",
        "policy_uid": "d6c51743-6aa2-4c46-b95d-72da1d31e686",
        "policy_version": 1,
        "policy_type": "exc
```

### Get policy by ID

This API lets you retrieve the details for a policy by using its UID and version.

- Endpoint URL: `/v1/policies/{{policy_uid}}/versions/{{version}}`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.policy_uid | string | required | Parameters for the Get policy by ID action |
| path_parameters.version | string | required | Parameters for the Get policy by ID action |
| headers | object | optional | HTTP headers for the request |
| headers.Accept | string | optional | HTTP headers for the request |

Input example:

```json
{
  "path_parameters": {"policy_uid": "915ab1a5-3e50-41c7-b054-244ceb5cbccf", "version": "1"},
  "headers": {"Accept": "application/zip"}
}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| attributes | object | Output field attributes |
| attributes.id | string | Unique identifier |
| attributes.version | number | Output field attributes.version |
| attributes.schemaVersion | number | Output field attributes.schemaVersion |
| attributes.type | number | Type of the resource |
| features | array | Output field features |
| features.configuration | object | Output field features.configuration |
| features.configuration.suspicious_behavior_enhancements | string | Output field features.configuration.suspicious_behavior_enhancements |
| features.configuration.suspicious_behavior_enhancement_rules | array | Output field features.configuration.suspicious_behavior_enhancement_rules |
| features.configuration.suspicious_behavior_enhancement_rules.name | string | Name of the resource |
| features.configuration.suspicious_behavior_enhancement_rules.desc | string | Output field features.configuration.suspicious_behavior_enhancement_rules.desc |
| features.configuration.suspicious_behavior_enhancement_rules.action | string | Output field features.configuration.suspicious_behavior_enhancement_rules.action |
| features.properties | object | Output field features.properties |
| features.properties.id | string | Unique identifier |
| features.properties.name | string | Name of the resource |
| features.properties.policy | string | Output field features.properties.policy |
| features.properties.policy_name | string | Name of the resource |
| features.properties.version | number | Output field features.properties.version |
| features.properties.policy_subtype | string | Type of the resource |
| locations | array | Output field locations |
| locations.file_name | string | Name of the resource |
| locations.file | string | Output field locations.file |

Output example:

```json
{
  "attributes": {"id": "12345678-1234-1234-1234-123456789abc", "version": 123, "schemaVersion": 123, "type": 123},
  "features": [{"configuration": {}, "properties": {}}],
  "locations": [{"file_name": "example name", "file": "string"}]
}
```

### Get policy target rules

This API lets you retrieve a list of target rules.

- Endpoint URL: `/v1/policies/target-rules`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Parameters for the Get policy target rules action |
| parameters.offset | number | optional | Parameters for the Get policy target rules action |

Input example:

```json
{"parameters": {"limit": 100, "offset": 10}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| target_rules | array | Output field target_rules |
| target_rules.name | string | Name of the resource |
| target_rules.enabled | boolean | Output field target_rules.enabled |
| target_rules.description | string | Output field target_rules.description |
| target_rules.author | string | Output field target_rules.author |
| target_rules.sort_order | number | Output field target_rules.sort_order |
| target_rules.created | string | Output field target_rules.created |
| target_rules.modified | string | Output field target_rules.modified |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"total": 2, "target_rules": [{}, {}]}}
```

### Get policy versions

This API lets you retrieve the versions of a policy.

- Endpoint URL: `/v1/policies/{{policy_uid}}/versions`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.policy_uid | string | required | Parameters for the Get policy versions action |

Input example:

```json
{"path_parameters": {"policy_uid": "string"}}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| policy_versions | array | Output field policy_versions |
| policy_versions.policy_version | number | Output field policy_versions.policy_version |
| policy_versions.device_group_count | number | Count value |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"total": 1, "policy_versions": [{}]}}
```

### Patch deny list policy

This API lets you perform a partial update of a deny list policy.

- Endpoint URL: `/v1/policies/deny-list/{{policy_uid}}/versions/{{version}}`
- Method: PATCH

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.policy_uid | string | required | Parameters for the Patch deny list policy action |
| path_parameters.version | string | required | Parameters for the Patch deny list policy action |
| add | object | optional | Parameter for Patch deny list policy |
| add.blacklistrules | array | optional | Parameter for Patch deny list policy |
| add.blacklistrules.processfile | object | optional | Parameter for Patch deny list policy |
| add.blacklistrules.processfile.md5 | string | optional | Parameter for Patch deny list policy |
| add.blacklistrules.processfile.name | string | optional | Name of the resource |
| add.nonperules | array | optional | Parameter for Patch deny list policy |
| remove | object | optional | Parameter for Patch deny list policy |
| remove.blacklistrules | array | optional | Parameter for Patch deny list policy |
| remove.blacklistrules.processfile | object | optional | Parameter for Patch deny list policy |
| remove.blacklistrules.processfile.md5 | string | optional | Parameter for Patch deny list policy |
| remove.nonperules | array | optional | Parameter for Patch deny list policy |

Input example:

```json
{
  "json_body": {
    "add": {
      "blacklistrules": [
        {"processfile": {"sha2": "cc58a84bad103041396af249a16a1d16cbf698868d5388d8951f14d1403559bd", "name": "my sha256"}},
        {"processfile": {"sha2": "1287a84bad103041396af249a16a1d16cbf698868d5388d8951f14d1403559bd"}},
        {"processfile": {"md5": "b8eea75b4224d8079bb86312528ef095", "name": "my md5"}},
        {"processfile": {"md5": "ef22af4e07f0457fdd0cdaf68f712df7", "name": "ef22af4e07f0457fdd0cdaf68f712df7"}}
      ],
      "nonperules": [
        {"file": {"name": "", "sha2": "cc58a84bad103041396af249a16a1d16cbf698868d5388d8951f14d1403559bd", "size": 900}, "actor": {}},
        {"file": {"name": "non-ex md5 with app access file", "md5": "787eaf4e07f0457fdd0cdaf68f712df7"}, "actor": {"directory": "c:\\testloc\\test124\\ttemdj.exe"}},
        {"file": {"name": "non-ex md5 with app access fingerprint", "md5": "123eaf4e07f0457fdd0cdaf68f712dab"}, "actor": {"md5": "a23baf4e07f0457fdd0cdaf68f712dcd"}},
        {"file": {"name": "non-ex md5 with file path", "md5": "2f305d3e26033d128f3741a18150cf2e", "directory": "c:/testmylocation/testloc2/thisfile.doc"}, "actor": {}},
        {"file": {"name": "non-ex md5 with file size", "md5": "e27f35b2d30423cd3a281375585e22f9", "size": 500}, "actor": {}},
        {"file": {"name": "non-ex sha256 with app access file", "sha2": "4afa016a9dbc2f1da43f4a71c62e4653afe0f2e2a6b4722698525086f496fbd2"}, "actor": {"directory": "c:/gest/myfle.exe"}},
        {"file": {"name": "non-ex sha256 with app access fingerprint", "sha2": "3ffa016a9dbc2f1da43f4a71c62e4653afe0f2e2a6b4722698525086f496f123"}, "actor": {"sha2": "123abf6a9dbc2f1da43f4a71c62e4653afe0f2e2a6b4722698525086f496fbd2"}},
        {"file": {"name": "non-ex sha256 with file path", "sha2": "7afcc2c38ac334047f0cc957708e5b32cfcb15f72f4c22c9ec53ff48339922b9", "directory": "c:\\testloc\\myfile.txt"}, "actor": {}},
        {"file": {"name": "non-ex sha256 with file size", "sha2": "bf9c02ea1745be0a3227fd0841ea53ed6d361006f13dd62677aeb4eed00e0bc5", "size": 200}, "actor": {}}
      ]
    },
    "remove": {
      "blacklistrules": [
        {"processfile": {"sha2": "6666a84bad103041396af249a16a1d16cbf698868d5388d8951f14d1403559bd"}},
        {"processfile": {"md5": "ef22af4e07f0457fdd0cdaf68f712df7"}}
      ],
      "nonperules": [
        {"file": {"sha2": "9998a84bad103041396af249a16a1d16cbf698868d5388d8951f14d1403559bd", "size": 900}},
        {"file": {"md5": "555eaf4e07f0457fdd0cdaf68f712df7"}, "actor": {"directory": "c:\\testloc\\test124\\ttemdj.exe"}},
        {"file": {"md5": "1333af4e07f0457fdd0cdaf68f712dab"}, "actor": {"md5": "a23baf4e07f0457fdd0cdaf68f712dcd"}},
        {"file": {"md5": "20878d3e26033d128f3741a18150cf2e", "directory": "c:/testmylocation/testloc2/thisfile.doc"}}
      ]
    }
  },
  "path_parameters": {"policy_uid": "string", "version": "string"}
}
```

Output parameter:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| author | string | Output field author |
| policy_uid | string | Unique identifier |
| policy_version | number | Output field policy_version |
| policy_type | string | Type of the resource |
| is_imported | boolean | Output field is_imported |
| locked | boolean | Output field locked |
| created | string | Output field created |
| modified | string | Output field modified |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "name": "deny list policy update name",
    "author": "client application\\my client11",
    "policy_uid": "ebe8835f-a84d-4538-85f6-5f3ed450a2d2",
    "policy_version": 3,
    "policy_type": "deny-list",
    "is_imported": false,
    "locked": true,
    "created": "2022-08-29T11:14:45.000Z",
    "modified": "2022-08-30T09:54:51.000Z"
  }
}
```

### Process dump command

This task lets you send the process dump command to the device.

- Endpoint URL: `v1/commands/endpoint-search/processdump`
- Method: POST

Input argument (the table is cut off on the page):

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| device_id | string | optional | Unique identifier |
| hash | string | optional | Parameter for Process dump command |
| description | string | optional | Parameter for
process dump command input example {"json body" {"device id" "4u t38vbrrcg8lh2soxhwg","hash" "c4e078607db2784be7761c86048dffa6f3ef04b551354a32fcdec3b6a3450905","description" "test"}} output parameter type description status code number http status code of the response reason string response reason phrase status number status value status text string status value results object result of the operation results data array response data results data command state ref string response data results data command type string response data output example {"status code" 200,"response headers" {"date" "fri, 23 dec 2022 20 46 05 gmt","content type" "application/json","content length" "209","connection" "keep alive","server" "envoy","x envoy upstream service time" "1059","via" "1 1 google","alt svc" "h3=\\" 443\\"; ma=2592000,h3 29=\\" 443\\"; ma=2592000"},"reason" "ok","json body" {"status" 200,"status text" "200 ok","results" {"data" \[]}}} quarantine device this api lets you quarantine devices managed by your integrate cyber defense manager endpoint url v1/commands/contain method post input argument name type required description device ids array optional unique identifier org unit ids array optional unique identifier payload object optional parameter for quarantine device payload quarantine host group name string optional name of the resource is recursive boolean optional parameter for quarantine device input example {"json body" {"device ids" \["40pfciogqtmj3 eijlg5sa","ehh 9sdfteoh vg5g6mqo2"],"org unit ids" \["jc9gvca qi2jxn6ubdllew","jc9gvca qi2jxn6ubdllez"],"payload" {"quarantine host group name" "test group name"},"is recursive"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase status number status value status text string status value results object result of the operation results data array response data results data command state ref string response data results data device id string 
response data output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"status" 200,"status text" "200 ok","results" {"data" \[]}}} quick scan runs a quick scan endpoint url v1/commands/scans/quick method post input argument name type required description device ids array optional unique identifier org unit ids array optional unique identifier is recursive boolean optional parameter for quick scan input example {"json body" {"device ids" \["40pfciogqtmj3 eijlg5sa","ehh 9sdfteoh vg5g6mqo2"],"org unit ids" \["jc9gvca qi2jxn6ubdllew","jc9gvca qi2jxn6ubdllez"],"is recursive"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase status number status value status text string status value results object result of the operation results data array response data results data command state ref string response data results data device id string response data output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"status" 200,"status text" "200 ok","results" {"data" \[]}}} restart device this api lets you reboot devices that are managed by your integrated cyber defense manager defense manager endpoint url v1/commands/restart method post input argument name type required description device ids array optional unique identifier payload object optional parameter for restart device payload prompt type string optional type of the resource payload schedule type string optional type of the resource payload reason type string optional type of the resource payload message string optional response message input example {"json body" {"device ids" \["40pfciogqtmj3 eijlg5sa","ehh 9sdfteoh vg5g6mqo2"],"payload" {"prompt type" "prompt","schedule type" "later","reason type" "remediation","message" "this is a restart test"}}} output parameter type description status code number http status code of the response reason string response reason phrase status number 
status value status text string status value results object result of the operation results data array response data results data command state ref string response data results data device id string response data output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"status" 200,"status text" "200 ok","results" {"data" \[]}}} unquarantine device unquarantine devices managed by your integrated cyber defense manager endpoint url v1/commands/allow method post input argument name type required description device ids array optional unique identifier input example {"json body" {"device ids" \["40pfciogqtmj3 eijlg5sa","ehh 9sdfteoh vg5g6mqo2"]}} output parameter type description status code number http status code of the response reason string response reason phrase status number status value status text string status value results object result of the operation results data array response data results data command state ref string response data results data device id string response data output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"status" 200,"status text" "200 ok","results" {"data" \[]}}} update blacklist updates an existing blacklist a system administrator account is required for this action endpoint url api/v1/policy objects/fingerprints/{{id}} method post input argument name type required description path parameters id string required parameters for the update blacklist action name string optional name of the resource domainid string optional unique identifier hashtype string optional type of the resource description string optional parameter for update blacklist data array optional response data input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"},"name" "example name","domainid" "string","hashtype" "string","description" "string","data" \["string"]} output parameter type description status code number http status code of the response reason string response reason phrase 
output example {} update content this api lets you update security definitions and content of devices managed by your integrated cyber defense manager endpoint url v1/commands/update content method post input argument name type required description device ids array optional unique identifier org unit ids array optional unique identifier is recursive boolean optional parameter for update content input example {"json body" {"device ids" \["40pfciogqtmj3 eijlg5sa","ehh 9sdfteoh vg5g6mqo2"],"org unit ids" \["jc9gvca qi2jxn6ubdllew","jc9gvca qi2jxn6ubdllez"],"is recursive"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase status number status value status text string status value results object result of the operation results data array response data results data command state ref string response data results data device id string response data output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"status" 200,"status text" "200 ok","results" {"data" \[]}}} update deny list policy this api lets you perform update of deny list policy endpoint url /v1/policies/deny list/{{policy uid}}/versions/{{version}} method put input argument name type required description path parameters policy uid string required parameters for the update deny list policy action path parameters version string required parameters for the update deny list policy action features array optional parameter for update deny list policy features configuration object optional parameter for update deny list policy features configuration blacklistrules array optional parameter for update deny list policy features configuration blacklistrules processfile object optional parameter for update deny list policy features configuration blacklistrules processfile md5 string optional parameter for update deny list policy features configuration blacklistrules processfile name string optional name of the 
resource features configuration nonperules array optional parameter for update deny list policy features properties object optional parameter for update deny list policy features properties policy name string optional name of the resource features state object optional parameter for update deny list policy features state locked boolean optional parameter for update deny list policy input example {"json body" {"features" \[{"configuration" {"blacklistrules" \[{"processfile" {"sha2" "cc58a84bad103041396af249a16a1d16cbf698868d5388d8951f14d1403559bd","name" "my sha256"}},{"processfile" {"sha2" "1287a84bad103041396af249a16a1d16cbf698868d5388d8951f14d1403559bd"}},{"processfile" {"md5" "b8eea75b4224d8079bb86312528ef095","name" "my md5 "}},{"processfile" {"md5" "ef22af4e07f0457fdd0cdaf68f712df7","name" "ef22af4e07f0457fdd0cdaf68f712df7"}}],"nonperules" \[{"file" {"name" " ","sha2" "cc58a84bad103041396af249a16a1d16cbf698868d5388d8951f14d1403559bd","size" 900},"actor" {}},{"file" {"name" "non ex md5 with app access file","md5" "787eaf4e07f0457fdd0cdaf68f712df7"},"actor" {"directory" "c \\\testloc\\\test124\\\ttemdj exe"}},{"file" {"name" "non ex md5 with app access fingerprint","md5" "123eaf4e07f0457fdd0cdaf68f712dab"},"actor" {"md5" "a23baf4e07f0457fdd0cdaf68f712dcd"}},{"file" {"name" "non ex md5 with file path","md5" "2f305d3e26033d128f3741a18150cf2e","directory" "c /testmylocation/testloc2/thisfile doc"},"actor" {}},{"file" {"name" "non ex md5 with file size","md5" "e27f35b2d30423cd3a281375585e22f9","size" 500},"actor" {}},{"file" {"name" "non ex sha256 with app access file","sha2" "4afa016a9dbc2f1da43f4a71c62e4653afe0f2e2a6b4722698525086f496fbd2"},"actor" {"directory" "c /gest/myfle exe"}},{"file" {"name" "non ex sha256 with app access fingerprint","sha2" "3ffa016a9dbc2f1da43f4a71c62e4653afe0f2e2a6b4722698525086f496f123"},"actor" {"sha2" "123abf6a9dbc2f1da43f4a71c62e4653afe0f2e2a6b4722698525086f496fbd2"}},{"file" {"name" "non ex sha256 with file path","sha2" 
"7afcc2c38ac334047f0cc957708e5b32cfcb15f72f4c22c9ec53ff48339922b9","directory" "c \\\testloc\\\myfile txt"},"actor" {}},{"file" {"name" "non ex sha256 with file size","sha2" "bf9c02ea1745be0a3227fd0841ea53ed6d361006f13dd62677aeb4eed00e0bc5","size" 200},"actor" {}}]},"properties" {"policy name" "deny list policy update name"},"state" {"locked"\ false}}]},"path parameters" {"policy uid" "string","version" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase name string name of the resource author string output field author policy uid string unique identifier policy version number output field policy version policy type string type of the resource is imported boolean output field is imported locked boolean output field locked created string output field created modified string output field modified output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"name" "deny list 30 aug","author" "client application\\\my client11","policy uid" "55dd0dbe 4ce9 4184 b601 4b6ec984bca2","policy version" 3,"policy type" "deny list","is imported"\ false,"locked"\ true,"created" "2022 08 29t11 14 45 000z","modified" "2022 08 30t09 54 51 000z"}} update policy this api lets you update policy with new configurations endpoint url /v1/policies method put input argument name type required description attributes object optional parameter for update policy attributes id string optional unique identifier attributes version number optional parameter for update policy attributes schemaversion number optional parameter for update policy attributes type number optional type of the resource features array optional parameter for update policy features configuration object optional parameter for update policy features configuration rule sets array optional parameter for update policy features configuration rule sets name string optional name of the resource features configuration rule sets 
description string optional parameter for update policy features configuration rule sets enabled boolean optional parameter for update policy features configuration rule sets mode string optional parameter for update policy features configuration rule sets version number optional parameter for update policy features configuration rule sets log action number optional parameter for update policy features configuration rule sets control rules array optional parameter for update policy features configuration rule sets control rules name string optional name of the resource features configuration rule sets control rules description string optional parameter for update policy features configuration rule sets control rules enabled boolean optional parameter for update policy features configuration rule sets control rules child process boolean optional parameter for update policy features configuration rule sets control rules processes array optional parameter for update policy features configuration rule sets control rules exclude processes array optional parameter for update policy features configuration rule sets control rules condition list array optional parameter for update policy features properties object optional parameter for update policy features properties id string optional unique identifier features properties name string optional name of the resource input example {"json body" {"attributes" {"id" "string","version" 100,"schemaversion" 100,"type" 100},"features" \[{"configuration" {"rule sets" \[{"name" "block programs from running from removable drives \[ac2]","description" "this rule will block any program from running from any removable media, including floppies, usb flash drives, cd/dvd drives and other drives, such as zip and jazz drives ","enabled"\ false,"mode" "production","version" 0,"log action" 1,"control rules" \[{"name" "block running applications from removable media","description" " ","enabled"\ true,"child process"\ false,"processes" 
\[{"file" {"enable checksum"\ false,"enable name"\ true,"name" " ","regex"\ false,"enable drive types"\ false,"enable device instance"\ false}}],"exclude processes" \[],"condition list" \[{"name" "block programs from running from removable drives \[ac2]","description" "this rule will block any program from running from any removable media, including floppies, usb flash drives, cd/dvd drives and other drives, such as zip and jazz drives ","enabled" 1,"launch process condition" {"action" {"action" "block","severity" 3,"log action" 1},"processes" \[{"file" {"enable checksum"\ false,"enable name"\ true,"name" " ","regex"\ false,"enable drive types"\ true,"drive types" \["removable","cd dvd"],"enable device instance"\ false}},{"file" {"enable checksum"\ false,"enable name"\ true,"name" " ","regex"\ false,"enable drive types"\ false,"enable device instance"\ true,"device instance id" "usbstor "}}],"exclude processes" \[]}}]}]}]},"properties" {"id" "{25dfb16f a981 476c 8d1e d6ab79fe97ac}","name" "app control lite","policy" "0f311289 bf45 4c97 b7eb 3db508827c87","policy name" "default custom application behaviors policy","version" 1,"policy subtype" "eg"},"state" {"locked"\ true}}],"locations" \[],"type" "app control lite"}} output parameter type description status code number http status code of the response reason string response reason phrase name string name of the resource author string output field author policy uid string unique identifier policy version number output field policy version policy type string type of the resource is imported boolean output field is imported locked boolean output field locked created string output field created modified string output field modified output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"name" "broadcom policy name","author" "client application\\\my client11","policy uid" "1d3fd28f 4d10 4089 8c01 b3604dfbc564","policy version" 1,"policy type" "custom application behavior","is imported"\ 
false,"locked"\ true,"created" "2022 08 29t10 32 47 000z","modified" "2022 08 30t09 49 54 000z"}} response headers header description example alt svc http response header alt svc h3=" 443 "; ma=2592000,h3 29=" 443 "; ma=2592000 cache control directives for caching mechanisms no cache, no store, max age=0, must revalidate connection http response header connection keep alive content length the length of the response body in bytes 209 content type the media type of the resource application/json date the date and time at which the message was originated mon, 26 dec 2022 17 36 20 gmt expires the date/time after which the response is considered stale 0 pragma http response header pragma no cache server information about the software used by the origin server envoy via http response header via 1 1 google x content type options http response header x content type options nosniff x envoy upstream service time http response header x envoy upstream service time 1052 x frame options http response header x frame options deny x xss protection http response header x xss protection 1; mode=block
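The Patch Deny List Policy and Update Deny List Policy actions above both carry `blacklistrules` and `nonperules` entries that identify a file by a single `md5` or `sha2` digest. As an added example (not part of the connector or of Symantec's API; the function names are hypothetical), the Python helper below builds an add/remove `json_body` in that shape from plain digest lists and checks a body for the mistakes a deny-list push most often fails on: a digest of the wrong length, an entry with both or neither digest kind, and the same hash listed for addition and removal at once. The digests used are the sample values from the page.

```python
import re

# A deny-list rule identifies a file by exactly one digest; these are the
# two digest kinds the documented blacklistrules/nonperules entries carry.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def classify_hash(value: str) -> str:
    """Return 'md5' or 'sha2' for a hex digest; raise ValueError otherwise."""
    digest = value.strip().lower()
    if MD5_RE.match(digest):
        return "md5"
    if SHA256_RE.match(digest):
        return "sha2"
    raise ValueError(f"not an MD5 or SHA-256 hex digest: {value!r}")


def processfile_rule(digest: str, name: str = "") -> dict:
    """Build one blacklistrules entry: {"processfile": {"md5"|"sha2": ..., "name": ...}}."""
    rule = {classify_hash(digest): digest.strip().lower()}
    if name:
        rule["name"] = name
    return {"processfile": rule}


def build_deny_list_patch(add: dict, remove: list) -> dict:
    """add maps digest -> display name; remove lists digests to drop.
    Digests are lower-cased so one hash in mixed case collapses to one rule,
    and a digest present in both add and remove is rejected up front."""
    add_rules = {d.strip().lower(): processfile_rule(d, n) for d, n in add.items()}
    remove_rules = {d.strip().lower(): processfile_rule(d) for d in remove}
    clash = sorted(set(add_rules) & set(remove_rules))
    if clash:
        raise ValueError(f"digests listed in both add and remove: {clash}")
    return {
        "add": {"blacklistrules": list(add_rules.values()), "nonperules": []},
        "remove": {"blacklistrules": list(remove_rules.values()), "nonperules": []},
    }


def _check_digest_fields(obj: dict, label: str, problems: list) -> None:
    """Require exactly one of md5/sha2 in obj, with a value of the matching length."""
    present = [k for k in ("md5", "sha2") if k in obj]
    if len(present) != 1:
        problems.append(f"{label}: needs exactly one of md5/sha2, found {present}")
        return
    kind = present[0]
    try:
        if classify_hash(obj[kind]) != kind:
            problems.append(f"{label}: value under {kind!r} is not a {kind} digest")
    except ValueError as exc:
        problems.append(f"{label}: {exc}")


def validate_deny_list_patch(body: dict) -> list:
    """Return the problems found in an add/remove patch body (empty list means OK)."""
    problems: list = []
    for op in ("add", "remove"):
        section = body.get(op, {})
        for i, rule in enumerate(section.get("blacklistrules", [])):
            _check_digest_fields(rule.get("processfile", {}), f"{op}.blacklistrules[{i}].processfile", problems)
        for i, rule in enumerate(section.get("nonperules", [])):
            _check_digest_fields(rule.get("file", {}), f"{op}.nonperules[{i}].file", problems)
    return problems
```

The returned dict is the value to place under `json_body`; `path_parameters` (`policy_uid`, `version`) are supplied separately, as in the examples above.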