Endpoint Security Management API

Version: 1.5.2

Version History

Download the API specification

Introduction

The Endpoint Security Management API is a RESTful API that you can use to remotely monitor and manage devices that run these WatchGuard Endpoint Security products:

  • Advanced EPDR
  • Endpoint Protection Detection and Response (EPDR)
  • Endpoint Detection and Response (EDR)
  • Endpoint Detection and Response Core (EDR Core)
  • Endpoint Protection Platform (EPP)

The availability of each API endpoint and the information it returns depends on the features your WatchGuard Endpoint Security product supports. See Supported Features by Product and WatchGuard EDR Core Features in WatchGuard Help Center.

This API documentation explains how to access the Endpoint Security Management API and includes examples to help you get started.

To monitor and manage devices that run Panda Aether platform endpoint security software, use the Aether Endpoint Security Management API. Both APIs include the same API endpoints, but the URLs are different.

Get Started

This section describes how to submit requests to the Endpoint Security Management API.

The Endpoint Security Management API URL is:

https://{base API URL}/rest/endpoint-security/management/

The base URL for WatchGuard public APIs varies by region. The base API URL for your account appears on the Managed Access page in WatchGuard Cloud.

Endpoint Path Parameters

Each WatchGuard public API has a version, expressed as <major>.<minor>.<patch>. You specify the major API version, such as v1, as part of the endpoint URI path.

All Endpoint Security Management API endpoint URIs must include your WatchGuard Cloud account ID in the {accountid} path parameter.

Many endpoints return complex data structures, some of which consist of enumerations. Within each major version of the API, WatchGuard does not delete or change the meaning of enumeration values. However, we might add new values. Consider this when you develop integrations that use information provided by the API.

Authentication

WatchGuard public APIs use the Open Authorization (OAuth) 2.0 authorization framework for token-based authentication. To use the Endpoint Security Management API, you must first enable API access in your WatchGuard Cloud account and make an API request to generate an access token.

You must include the access token and your API Key in the header of each request you make to the Endpoint Security Management API.

For more information, see Authentication.

Request Headers

You must include this information in the header of each request you make to the Endpoint Security Management API:

Content-Type

application/json

Accept

application/json

Authorization

The access token that you generate with the WatchGuard Authentication API. For more information, see Authentication.

WatchGuard-API-Key

The API key associated with your WatchGuard Cloud account (shown on the Managed Access page in WatchGuard Cloud).

Retrieve Account License Information

/api/{v1}/accounts/{accountId}/licenses

Retrieves license information for WatchGuard Endpoint Security products associated with your WatchGuard Cloud account.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Example Request

This request retrieves license information for the specified account:

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/licenses
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

This response contains license data and a count of how many licenses are associated with the specified account:


{
  "product_license_counter": [
    {
      "product_id": 12345,
      "license_type": 1,
      "product_name": "Endpoint Protection Detection and Response",
      "assigned_licenses": 3,
      "unassigned_licenses": 7,
      "without_license_devices": 2,
      "expiration_date": "2020-01-14T00:00:00",
      "license_items": [
       {
          "product_id": 4,
          "license_type": 1,
          "amount": 3,
          "expiration_date": "2022-01-14T00:00:00"
        }
      ]
    }
  ]
}

This table lists and describes the data returned in the response:

product_license_counter
array

Array of license objects.

product_id
integer

Product internal ID.

Example: 12345

license_type
integer

Type of license. This can be one of these values:

  • 1 — Release
  • 2 — Trial
  • 3 — Beta
  • 4 — Not for resale

Example: 1

product_name
string

Name of the licensed product.

Example: Endpoint Protection Detection and Response

assigned_licenses
integer

Number of licenses assigned to devices.

Example: 3

unassigned_licenses
integer

Number of licenses that are not assigned to devices.

Example: 7

without_license_devices
integer

Number of devices that do not have a license assigned.

Example: 2

expiration_date
string

Date when all licenses in the license contract expire and the devices are no longer protected.

Example: 2022-01-14T00:00:00

license_items
array

Array of license items.

product_id
integer

Identification number for the product.

Example: 4

license_type
integer

Type of license. This can be one of these values:

  • 1 — Release
  • 2 — Trial
  • 3 — Beta
  • 4 — Not for resale

Example: 1

amount
integer

Maximum number of license installations allowed. If the number of installations exceeds this number, the administrator will receive an alert.

Example: 3

expiration_date
string

Date when the license expires.

Example: 2022-01-14T00:00:00

Retrieve a List of Devices

/api/{v1}/accounts/{accountId}/devices

Retrieves a list of devices, and additional information, such as the device IP address and operating system. The response to this request is limited to 3,000 records.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$search
string

Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username."

The supported search fields depend on the endpoint:

  • Devices: Host name, description, IP address, logged on user
  • DeviceProtectionStatus: Host name
  • ManagedConfigurations: Name, description

Example: name

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$orderby
string

Specifies how to order results. You can order by any parameter in the response and sort results in ascending or descending order.

Specify a parameter name with any underscores removed, followed by a + (plus sign) and either asc (ascending) or desc (descending).

For example, to order results by the host_name parameter in descending order, specify hostname+desc. If you do not specify a field to order by, the API will use the order in the database.

Example: hostname+desc

$config
boolean

Indicates whether the security configuration name and ID are returned. The default value is true.

Example: true

Example Request

This request returns a list of devices for the specified account, sorted by the host_name parameter, and also returns a count of the devices:

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/devices?$count=true&$orderby=hostname&$config=true
		-H 'accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response includes an array of device data that matches your request.


{
"data": [
  	{
            "device_id": "af39deee-4db0-4409-9dca-fcb22c62d9d2",
            "account_id": "f674161e-78b4-4945-bc3b-f7d61fde6344",
            "site_id": "1f6ef943-c314-41cc-8484-27980d0d11f3",
            "site_name": "WGC-1-6463e9ab95114a848b9d",
            "host_name": "LINUX_DESKTOP_1",
            "type": 1,
            "description": null,
            "domain": "WORKGROUP",
            "platform_id": 2,
            "ip_address": "192.168.0.212",
            "mac_addresses": [
                "2C:0A:E5:C2:DE:0F",
                "00:0E:A6:F8:FE:FF",
                "00:0E:A6:F9:1B:6D",
                "00:15:AF:0A:C3:12",
                "08:00:27:00:60:D5",
                "20:41:53:59:4E:FF"
            ],
            "operating_system": "Debian (10.10)",
            "license_status": 0,
            "isolation_state": 0,
            "encryption": 6,
            "reinstall_protection_requested": false,
            "reinstall_agent_requested": false,
            "reboot_requested": false,
            "agent_version": "1.10.10.0001",
            "last_connection": "2021-12-07T01:04:08.644Z",
            "security_configuration_name": null,
            "security_configuration_id": "ac6b4f17-bd6e-467f-9083-aa7d90a8fee2",
            "logged_on_users_list": [
                "user1",
                "user2"
            ],
            "custom_group_folder_path": "All\ServersFolderName\GroupName1",
            "active_directory_canonical_name": "ROOTDOMAIN.local\Computers\Servers\Division\DEVICE_5"					
        }
  ],
"total_items": 1
}

This table lists and describes the data returned in the response:

data
array

Array of device data.

 

device_id
string

Identifier for the device.

Example: 287324d8-194f-4f5a-a7ad-e2480d5ad1b2

account_id
string

Identifier for the account.

Example: cd6c6dd6-r97o-453d-ld8o-a5976dc0596c

site_id
string

Identifier for the site.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

site_name
string

Name of the site the device belongs to.

Example: AD360

host_name
string

Host name of the device.

Example: WIN_SERVER_6

type
integer

Type of device. This can be one of these values:

  • 1 — Workstation
  • 2 — Laptop
  • 3 — Server
  • 4 — Mobile device

Example: 3

description
string

Description of the device.

Example: Marketing server

domain
string

Domain where your devices belong on Microsoft networks.

Example: WORKGROUP

platform_id
integer

Device platform. This can be one of these values:

  • 1 — Windows
  • 2 — Linux
  • 3 — macOS
  • 4 — Android
  • 5 — iOS

Example: 1

ip_address
string

IP address of the device.

Example: 192.0.2.1

mac_addresses
array

List of MAC addresses of the device.

Example: 00:0E:A6:F8:FE:FF

operating_system
string

Name of the operating system installed on the device.

Example: Microsoft Windows 10

license_status
integer

Status of the device license. This can be one of these values:

  • 0 — Assigned
  • 1 — Not assigned
  • 2 — Manual deallocation
  • 3 — Auto deallocation

Example: 0

isolation_state
integer

Isolation status of the device. This can be one of these values:

  • 0 — Not isolated
  • 1 — Isolated
  • 2 — Applying isolation
  • 3 — Removing isolation

Example: 1

encryption
integer

Device encryption status. This can be one of these values:

  • 0 — Without protection/without information
  • 1 — Activated
  • 2 — Deactivated
  • 3 — Error
  • 4 — Error installing
  • 5 — Without license
  • 6 — Not available

Example: 6

reinstall_protection_requested
boolean

Indicates whether reinstallation of protection is requested.

Example: true

reinstall_agent_requested
boolean

Indicates whether reinstallation of the agent is requested.

Example: true

reboot_requested
boolean

Indicates whether device reboot is requested.

Example: true

agent_version
string

Version of the agent installed on the endpoint.

Example: 1.17.00.0000

last_connection
string

Date and time of the last connection of the device.

Example: 2020-11-06T20:08:43.128Z

security_configuration_name
boolean

Name of the security configuration.

If the config request parameter is true, security_configuration_name displays the security configuration name. If config is false, then null is displayed.

Example: Virtual machines

security_configuration_id
boolean

Unique identifier of the security configuration.

If the config request parameter is true, security_configuration_id displays the unique identifier. If config is false, then null is displayed.

Example: 287324d8-194f-4f5a-a7ad-e2480d5ad1b2

logged_on_users_list
array

List of last logged on users.

custom_group_folder_path
string

Full path to the group the device is assigned to.

Example: All\ServersFolderName\GroupName1

active_directory_canonical_name
string

Full canonical path to the device in Active Directory.

Example: ROOTDOMAIN.local\Computers\Servers\Division\DEVICE_5

total_items
integer

Total number of devices.

If the count request parameter is true, total_items displays the total number of devices. If count is false, then total_items displays null.

Example: 42

Retrieve a List of Managed Configurations

/api/{v1}/accounts/{accountId}/managedconfigurations/{type}

Retrieves a list of the specified type of managed configurations associated with your WatchGuard Cloud account.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

type
integer
REQUIRED

Type of configuration to return. Specify one of these values:

  • 1 — Deployment settings
  • 2 — Workstations and servers
  • 3 — Android
  • 12 — iOS

Example: 2

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$search
string

Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username."

The supported search fields depend on the endpoint:

  • Devices: Host name, description, IP address, logged on user
  • DeviceProtectionStatus: Host name
  • ManagedConfigurations: Name, description

Example: name

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$orderby
string

Specifies how to order results. You can order by any parameter in the response and sort results in ascending or descending order.

Specify a parameter name with any underscores removed, followed by a + (plus sign) and either asc (ascending) or desc (descending).

For example, to order results by the host_name parameter in descending order, specify hostname+desc. If you do not specify a field to order by, the API will use the order in the database.

Example: hostname+desc

Example Request

This request retrieves managed configurations for workstations and servers for the specified account:

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/managedconfigurations/2
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response includes an array of managed configurations for workstations and servers for the specified account.

{
"data": [
	{
  	"id": "f6c469cf-d2b3-4e53-b2f3-08bb917e4d43",
  	"name": "WorkstationAndServer Settings",
  	"description": "Workstation and server configuration pre-patch installation",
  	"is_default": true
  	},
	{
	"id": "e9798e72-8893-41d8-fa6b-c712aab4969a",
	"name": "Security Settings",
	"description": "Security Settings for workstations and servers",
	"is_default": false
	}
],
"total_items": null
}

This table lists and describes the data returned in the response:

data
array

List of managed configurations.

id
string

Unique identifier of the managed configuration.

Example: f6c469cf-d2b3-4e53-b2f3-08bb917e4d43

name
string

Name of the managed configuration.

Example: WorkstationAndServer Settings

description
string

Description of the managed configuration.

Example: Workstation and server configuration pre-patch installation

is_default
boolean

Indicates whether this is the default managed configuration.

Example: false

total_items
integer

Total number of managed configurations of this type.

If the count request parameter is true, total_items displays the number of managed configurations of this type. If count is false, then total_items displays null.

Example: 3

Retrieve an Installation Package URL

/api/{v1}/accounts/{accountId}/installers

Retrieves the URL to download an installation package that installs endpoint security software with the specified managed configuration settings on a device.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Parameters

platformId
integer
REQUIRED

Identifier of the platform you want to retrieve the installation package URL for. Specify one of these values:

  • 1 — Windows
  • 2 — Linux
  • 3 — macOS
  • 4 — Android
  • 5 — iOS

Example: 1

managedConfigurationId
string
REQUIRED

Identifier of the managed configuration you want to retrieve the installation package URL for.

Example: f6c469cf-d2b3-4e53-b2f3-08bb917e4d43

useActiveDirectory
boolean
REQUIRED

Indicates whether to integrate the device into Active Directory.

Example: true

Example Request

This request returns the URL to download an installation package for the specified managed configuration:

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/installers?platformId=1&managedConfigurationId=f6c469cf-d2b3-4e53-b2f3-08bb917e4d43&useActiveDirectory=false
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response includes the URL to download the installation package.

{
  "installer_download_url": "https://example.com/api/v1/accounts/5a5246d8-21f1-465c-83d2-b0316dd047a8/sites/279b5ffd-fa95-45c9-b7b4-7be51ff6e3e8/installers?installerType=2&platform=1&managedConfigurationId=f6c469cf-d2b3-4e53-b2f3-08bb917e4d43&customGroupId=c81fb727-69aa-45a1-8cc0-8e1e18ecc6ae&integrationGroupType=0"
}

This table lists and describes the data returned in the response:

installer_download_url
string

URL to download the installation package.

Example: https://example.com/api/v1/accounts/5a5246d8-21f1-465c-83d2-b0316dd047a8/sites/279b5ffd-fa95-45c9-b7b4-7be51ff6e3e8/installers?installerType=2&platform=1&managedConfigurationId=f6c469cf-d2b3-4e53-b2f3-08bb917e4d43&customGroupId=c81fb727-69aa-45a1-8cc0-8e1e18ecc6ae&integrationGroupType=0

Link Devices to Managed Configurations

/api/{v1}/accounts/{accountId}/managedconfigurations/{type}/{configId}

Links devices to a specified configuration.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

type
integer
REQUIRED

Type of configuration. Currently, only option 2 is supported.

    2 — Workstations and servers

Example: 2

configId
string
REQUIRED

Identifier of the managed configuration to associate with the devices.

Example: dab50d3d-cbda-4d36-8c79-2df0b0789b49

Request Body

device_ids
array
REQUIRED

List of IDs of devices to link to the specified managed configuration.

Example: "00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"

Example Request

This request links two devices to the specified managed configuration:

curl -X PATCH https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/managedconfigurations/2/dab50d3d-cbda-4d36-8c79-2df0b0789b49
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		-d '{
		"device_ids":[
		"00ab3e54-7bb7-4bd3-bd39-237a9d191a44","287324d8-194f-4f5a-a7ad-e2480d5ad1b2"
		]
		}'

Example Response

A successful request returns the 200 OK status code.

Retrieve Device Protection Status

/api/{v1}/accounts/{accountId}/devicesprotectionstatus

Retrieves a list of devices with their protection status and other device information. The response to this request is limited to 3,000 records.

Path Parameters

When you send a request to this endpoint, you must include this path parameter:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$search
string

Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username."

The supported search fields depend on the endpoint:

  • Devices: Host name, description, IP address, logged on user
  • DeviceProtectionStatus: Host name
  • ManagedConfigurations: Name, description

Example: name

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$orderby
string

Specifies how to order results. You can order by any parameter in the response and sort results in ascending or descending order.

Specify a parameter name with any underscores removed, followed by a + (plus sign) and either asc (ascending) or desc (descending).

For example, to order results by the host_name parameter in descending order, specify hostname+desc. If you do not specify a field to order by, the API will use the order in the database.

Example: hostname+desc

Example Request

This request retrieves the protection status of the first two devices and the total count of devices with protection:

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/devicesprotectionstatus?$top=2&$count=true
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response includes an array of data about your devices and their protection status.

{
  "data": [
    {
      "host_name": "WIN_SERVER_6",
      "device_id": "287324d8-194f-4f5a-a7ad-e2480d5ad1b2",
      "platform_id": 1,
      "device_type": 3,
      "accumulated_protection_status": 1,
      "adaptive_defense_status": 2,
      "file_antivirus_status": 1,
      "firewall_status": 6,
      "isolation_state": 0,
      "protection_engine_update_status": 1,
      "protection_engine_version": "8.00.17.0001",
      "knowledge_catalog_update_status": 2,
      "knowledge_catalog_date": "2020-10-23T17:36:04.401Z",
      "last_connection_date": "2020-10-23T17:36:04.401Z",
      "reboot_requested": true,
      "reinstall_protection_requested": true,
      "reinstall_agent_requested": true,
      "license_status": 0
    },
    {
      "host_name": "WIN_WORKSTATION_12",
      "device_id": "123456d8-910f-4f5a-a7ad-e2480d5ad1b2",
      "platform_id": 1,
      "device_type": 1,
      "accumulated_protection_status": 1,
      "adaptive_defense_status": 1,
      "file_antivirus_status": 1,
      "firewall_status": 3,
      "isolation_state": 3,
      "protection_engine_update_status": 2,
      "protection_engine_version": "8.00.18.0002",
      "knowledge_catalog_update_status": 2,
      "knowledge_catalog_date": "2021-01-15T13:00:01Z",
      "last_connection_date": "2021-01-15T16:08:24.253Z",
      "reboot_requested": false,
      "reinstall_protection_requested": true,
      "reinstall_agent_requested": true,
      "license_status": 0
      "reinstall_agent_error": 2
      "reinstall_protection_error": 8
    }																						
  ],
  "total_items": 10
}

This table lists and describes the data returned in the response:

data
string

Array of device data.

host_name
string

Host name of the device.

Example: WIN_SERVER_6

device_id
string

Identification number of the device.

Example: 287324d8-194f-4f5a-a7ad-e2480d5ad1b2

platform_id
integer

Device platform. This can be one of these values:

  • 1 — Windows
  • 2 — Linux
  • 3 — macOS
  • 4 — Android
  • 5 — iOS

Example: 1

device_type
integer

Type of device. This can be one of these values:

  • 1 — Workstation
  • 2 — Laptop
  • 3 — Server
  • 4 — Mobile device

Example: 1

accumulated_protection_status
integer

General protection status. This can be one of these values:

  • 0 — Without protection/without information
  • 1 — Enabled
  • 2 — Disabled
  • 3 — Error
  • 4 — Error installing
  • 5 — Without license
  • 6 — Not available

Example: 2

adaptive_defense_status
integer

Adaptive Defense status. This can be one of these values:

  • 0 — Without protection/without information
  • 1 — Enabled
  • 2 — Disabled
  • 3 — Error
  • 4 — Error installing
  • 5 — Without license
  • 6 — Not available

Example: 2

file_antivirus_status
integer

Antivirus status. This can be one of these values:

  • 0 — Without protection/without information
  • 1 — Enabled
  • 2 — Disabled
  • 3 — Error
  • 4 — Error installing
  • 5 — Without license
  • 6 — Not available

Example: 2

firewall_status
integer

Firewall status. This can be one of these values:

  • 0 — Without protection/without information
  • 1 — Enabled
  • 2 — Disabled
  • 3 — Error
  • 4 — Error installing
  • 5 — Without license
  • 6 — Not available

Example: 6

isolation_state
integer

Isolation state of the device. This can be one of these values:

  • 0 — Not isolated
  • 1 — Isolated
  • 2 — Applying isolation
  • 3 — Removing isolation

Example: 1

protection_engine_update_status
integer

Protection engine update status. This can be one of these values:

  • 0 — Undefined
  • 1 — Outdated
  • 2 — Updated
  • 3 — Waiting for reboot

Example: 1

protection_engine_version
string

Protection engine version.

Example: 8.00.17.0001

knowledge_catalog_update_status
integer

Update status of the catalog. This can be one of these values:

  • 1 — Outdated
  • 2 — Updated

Example: 2

knowledge_catalog_date
string

Date and time when the knowledge catalog installed on the device.

Example: 2020-09-28T06:13:01.695Z

last_connection_date
string

Date and time when the device last connected.

Example: 2020-09-28T06:13:01.883Z

reboot_requested
boolean

Indicates whether device reboot is requested.

Example: true

reinstall_protection_requested
boolean

Indicates whether reinstallation of the protection is requested.

Example: true

reinstall_agent_requested
boolean

Indicates whether reinstallation of the agent is requested.

Example: true

license_status
integer

Status of the license. This can be one of these values:

  • 0 — Assigned
  • 1 — No Assigned
  • 2 — Manual Deallocation
  • 3 — Auto Deallocation

Example: 0

reinstall_agent_error
string

Additional information in the event of a reinstall agent error in JSON format. The step parameter can be one of these values:

  • 0 — AgentInstallNotStarted
  • 1 — AgentInstallConnection
  • 2 — AgentInstallDetermineOs
  • 3 — AgentInstallGetInstaller
  • 4 — AgentInstallCopy
  • 5 — AgentInstallInstallation
  • 6 — AgentInstallIntegration

Example: {"error":58,"code":2020,"date_time":"2020-11-20T20:27:18.725Z","step":2}

reinstall_protection_error
string

Additional information in the event of a reinstall protection error in JSON format. The step parameter can be one of these values:

  • 8 — ProtectionInstallInstallation
  • 9 — ProtectionInstallSoftwareUpdate
  • 10 — ProtectionInstallThirdPartyUninstall
  • 11 — ProtectionInstallThirdPartyUninstaller

Example: {"error":36,"code":4001,"date_time":"2020-11-20T20:27:18.725Z","step":8}

total_items
integer

Total number of devices.

If the count request parameter is true, total_items displays the total number of devices. If count is false, then total_items displays null.

Example: 5

Retrieve Counts of Security Events

/api/{v1}/accounts/{accountId}/securityeventcounters/{type}

Retrieves counts of detected security events for the specified types.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

type
integer
REQUIRED

Types of security event counters to retrieve. This parameter is a mask. Add the values of the security event counter types you want to retrieve.

For example, if you want to retrieve only programs blocked, specify 8. If you want to retrieve both PUPs and programs blocked, specify 10 because 8 (programs blocked) + 2 (PUPs) = 10.

  • 1 — Malware
  • 2 — PUPs (Potentially Unwanted Programs)
  • 4 — Exploits
  • 8 — Programs blocked
  • 16 — Threats detected by AV
  • 32 — Network attack
  • 255 — All counters

Example: 10

Request Parameters

When you send a request to this endpoint, you can include this request parameter:

filter
string

Filters the security event counters by date.

Specify the type of security event:

  • 33001 — Antivirus
  • 32001 — Other types

Specify the length of the time period in the format [x, y] where x is the number of units and y is the unit of time:

  • 1 — Years
  • 2 — Months
  • 3 — Days
  • 4 — Hours

For example, this retrieves threats detected by AV for the last 7 days: filter=33001%20AmongTheLast%20[7,3].

This retrieves security event counters for the other types for the last 3 months: filter=32001%20AmongTheLast%20[3,2].

If you do not specify a filter, the API returns all of the security events for the last 30 days.

Example: 33001%20AmongTheLast%20[7,3]

 

Example Request

This request retrieves all security event counters for the specified account:

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/securityeventcounters/255
	-H 'Accept: application/json'
	-H 'Content-Type: application/json'
	-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
	-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'

Example Response

This response contains counts of detected security events.

{
  "malware_counters": {
    "total_alerts": 0,
    "total_executed": 0,
    "total_data_access": 0,
    "total_external_communications": 0,
    "total_affected_devices": 0
  },
  "pups_counters": {
    "total_alerts": 0,
    "total_executed": 0,
    "total_data_access": 0,
    "total_external_communications": 0,
    "total_affected_devices": 0
  },
  "exploit_counters": {
    "total_alerts": 0,
    "total_executed": 0,
    "total_data_access": 0,
    "total_external_communications": 0,
    "total_affected_devices": 0
  },
  "program_blocked_counters": {
    "total_programs_blocked": 0
  },
  "threats_by_av_counters": {
    "total_phishing_detected_by_av": 0,
    "total_tracking_cookies_detected_by_av": 0,
    "total_devices_blocked_by_av": 0,
    "total_malware_urls_blocked_by_av": 0,
    "total_intrusion_attempted_blocked_by_av": 0,
    "total_dangerous_actions_blocked_by_av": 0
  },
  "network_attack_counters": {
    "total_alerts": 0,
    "total_affected_devices": 0
}

This table lists and describes the data returned in the response:

malware_counters
array

Array of data about malware.

total_alerts
integer

Number of malware alerts.

Example: 4

total_executed
integer

Number of executed malware instances.

Example: 2

total_data_access
integer

Number of times malware accessed data.

Example: 1

total_external_communications
integer

Number of external communications by malware.

Example: 0

total_affected_devices
integer

Number of devices affected by malware.

Example: 3

pups_counters
array

Array of data about potentially unwanted programs (PUPs).

total_alerts
integer

Number of PUP alerts.

Example: 3

total_executed
integer

Number of PUPs that ran successfully.

Example: 0

total_data_access
integer

Number of times PUPs accessed data.

Example: 1

total_external_communications
integer

Number of external communications by PUPs.

Example: 2

total_affected_devices
integer

Number of affected devices.

Example: 5

exploit_counters
array

Array of data about vulnerability exploit attacks.

total_alerts
integer

Number of exploit alerts.

Example: 2

total_executed
integer

Number of exploits executed.

Example: 1

total_data_access
integer

Number of times exploits accessed data.

Example: 0

total_external_communications
integer

Number of external communications by exploits.

Example: 1

total_affected_devices
integer

Number of devices affected by exploits.

Example: 2

program_blocked_counters
array

Array of data about programs blocked.

total_programs_blocked
integer

Number of blocked programs.

Example: 0

threats_by_av_counters
array

Array of data about threats detected by antivirus.

total_phishing_detected_by_av
integer

Number of phishing attempts detected by antivirus.

Example: 1

total_tracking_cookies_detected_by_av
integer

Number of tracking cookies detected by antivirus.

Example: 1

total_devices_blocked_by_av
integer

Number of devices blocked by antivirus.

Example: 1

total_malware_urls_blocked_by_av
integer

Number of malware URLs blocked by antivirus.

Example: 2

total_intrusion_attempted_blocked_by_av
integer

Number of intrusion attempts blocked by antivirus.

Example: 2

total_dangerous_actions_blocked_by_av
integer

Number of dangerous actions blocked by antivirus.

Example: 3

network_attack_counters
array

Array of data about network attacks blocked.

total_alerts
integer

Number of alerts.

Example: 2

total_affected_devices
integer

Number of affected devices.

Example: 20

Retrieve a Security Overview

/api/{v1}/accounts/{accountId}/securityoverview/{period}

Retrieves a security overview that includes security event counters for a specified time period.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId

string

REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

period
integer
REQUIRED

Period of time to retrieve security event counters for. Specify one of these values:

  • 1 — Previous 24 hours
  • 7 — Previous 7 days
  • 30 — Previous 30 days

Example: 7

Example Request

This request retrieves security event counters for the specified account for the previous 24 hours:

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/securityoverview/1
	-H 'Accept: application/json'
	-H 'Content-Type: application/json'
	-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
	-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'

Example Response

This response contains counts of detected security events.

{
  "total_devices": 4,
  "total_unmanaged_devices": 6,				
  "malware": {
    "total_alerts": 0,
    "total_executed": 0,
    "total_data_access": 0,
    "total_external_communications": 0,
    "total_affected_devices": 0
  },
  "pups": {
    "total_alerts": 0,
    "total_executed": 0,
    "total_data_access": 0,
    "total_external_communications": 0,
    "total_affected_devices": 0
  },
  "exploits": {
    "total_alerts": 0,
    "total_executed": 0,
    "total_data_access": 0,
    "total_external_communications": 0,
    "total_affected_devices": 0
  },
  "programs_blocked": {
    "total_programs_blocked": 0
  },
  "threats_by_av_counters": {
    "total_phishing_detected_by_av": 0,
    "total_tracking_cookies_detected_by_av": 0,
    "total_devices_blocked_by_av": 0,
    "total_malware_urls_blocked_by_av": 0,
    "total_intrusion_attempted_blocked_by_av": 0,
    "total_dangerous_actions_blocked_by_av": 0,
   "total_hacking_tools_by_av": 0,
    "total_spyware_by_av": 0,
    "total_virus_by_av": 0
  },
  "indicators_of_attack_counters": {
    "total_indicators_of_attack": 0
  }
}

This table lists and describes the data returned in the response:

total_devices
integer

Number of devices.

total_unmanaged_devices
integer

Number of unmanaged devices.

malware
array

Array of data about malware.

total_alerts

integer



Number of malware alerts.

Example: 4

total_executed

integer



Number of executed malware instances.

Example: 2

total_data_access

integer



Number of times malware accessed data.

Example: 1

total_external_communications

integer



Number of external communications by malware.

Example: 0

total_affected_devices

integer



Number of devices affected by malware.

Example: 3

pups
array

Array of data about potentially unwanted programs (PUPs).

total_alerts

integer



Number of PUP alerts.

Example: 3

total_executed

integer



Number of PUPs that ran successfully.

Example: 0

total_data_access

integer



Number of times PUPs accessed data.

Example: 1

total_external_communications

integer



Number of external communications by PUPs.

Example: 2

total_affected_devices

integer



Number of affected devices.

Example: 5

exploits
array

Array of data about vulnerability exploit attacks.

total_alerts

integer



Number of exploit alerts.

Example: 2

total_executed

integer



Number of exploits executed.

Example: 1

total_data_access

integer



Number of times exploits accessed data.

Example: 0

total_external_communications

integer



Number of external communications by exploits.

Example: 1

total_affected_devices

integer



Number of devices affected by exploits.

Example: 2

programs_blocked
array

Array of data about programs blocked.

total_programs_blocked

integer



Number of blocked programs.

Example: 0

threats_by_av_counters

array



Array of data about threats detected by antivirus.

total_phishing_detected_by_av

integer



Number of phishing attempts detected by antivirus.

Example: 1

total_tracking_cookies_detected_by_av

integer



Number of tracking cookies detected by antivirus.

Example: 1

total_devices_blocked_by_av

integer



Number of devices blocked by antivirus.

Example: 1

total_malware_urls_blocked_by_av

integer



Number of malware URLs blocked by antivirus.

Example: 2

total_intrusion_attempted_blocked_by_av

integer



Number of intrusion attempts blocked by antivirus.

Example: 2

total_dangerous_actions_blocked_by_av

integer



Number of dangerous actions blocked by antivirus.

Example: 3

total_hacking_tools_by_av

integer



Number of hacking tools detected by antivirus.

Example: 3

total_spyware_by_av

integer



Number of spyware detected by antivirus.

Example: 2

total_virus_by_av

integer



Number of viruses detected by antivirus.

Example: 2

indicators_of_attack_counters

array



Array of data about indicators of attack.

total_indicators_of_attack

integer



Number of indicators of attack.

Example: 3

Retrieve Security Events for Devices

/api/{v1}/accounts/{accountId}/securityevents/{type}/export/{period}

Retrieves a list of security events of the specified type for the specified device for a specific time period. The response to this request is limited to 3,000 records.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId

string

REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

type
integer
REQUIRED

Type of security event. Specify one of these values:

  • 1 — Malware
  • 2 — PUPs (Potentially Unwanted Programs)
  • 3 — Blocked Programs
  • 4 — Exploits
  • 5 — Blocked by Advanced Security Policies
  • 6 — Virus
  • 7 — Spyware
  • 8 — Hacking Tools and PUPs Detected by Antivirus
  • 9 — Phishing
  • 10 — Suspicious
  • 11 — Dangerous Actions
  • 12 — Tracking Cookies
  • 13 — Malware URLs
  • 14 — Other Security Event Detected by Antivirus
  • 15 — Intrusion Attempts
  • 16 — Blocked Connections
  • 17 — Blocked Devices
  • 18 — Indicators of Attack
  • 19 — Network Attack Protection

Example: 13

period
integer
REQUIRED

Period of time to retrieve security events for. Specify one of these values:

  • 1 — Previous 24 hours
  • 7 — Previous 7 days

Example: 7

Request Parameters

When you send a request to this endpoint, you can include this request parameter:

hostname
string

Host name (base-64 encoded) of the device you want to retrieve security events for.

 

Example Request

This request retrieves malware URL security events for the previous 7 days:

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/securityevents/13/export/7
	-H 'Accept: application/json'
	-H 'Content-Type: application/json'
	-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
	-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'

Example Response

The response indicates whether data has been accessed by a security threat, and indicates the action performed by Aether Endpoint Security.

{
  "data": [
    "accessed_data": true,
    "action": 10,
    "date": "2020-11-20T20:27:18.725Z",
    "device_id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
    "site_id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
    "event_id": 69608597,
    "event_type": -86726288.19318274,
    "dwell_time": 51373899,
    "is_excluded": true,
    "hash": "009a9b4ff00946f9a5a5659dfe9086da",
    "host_name": "WIN_SERVER_6",
    "item_name": "NameMalware",
    "made_external_connections": true,
    "path": "ThreatPath",
    "protection_mode": 5799409.122032538,
    "reclassified_to_type": -88047622.99579449,
    "like_lihood_of_being_malicious": -18274273.348011777,
    "discard_motive": -77046516.51787202,
    "lock_plus_rule_id": -22540451.640785083,
    "user_name": "Username",
    "was_run": true,
    "source_ip": "SourceIPName",
    "source_machine_name": "SourceDeviceName",
    "source_user": "SourceUsername",
    "detection_technology": "DetectionTechnologyName",
    "exploit_technique": "ExploitTechnique",
    "risk": true,
    "description": "DeviceDescriptionName",
    "domain": "DeviceDomain",
    "detected_by": 68864810.84915292,
    "device_type": -73108038.14936246,
    "platform_id": -70290399.75311546,
    "excluded": true,
    "file_info_discard": "FileIndentifierHash",
    "id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
    "ip_address": "192.168.1.10",
    "malware_name": "MalwareName",
    "malware_category": -85107213.72887051,
    "malware_type": -62357590.74048821,
    "number_of_occurrences": 20674256,
    "security_event_date": "2021-07-20T20:27:18.725Z",
    "site_name": "SiteName",
    "network_activity_type": -85774927.58794248,
    "direction": 50845497.54724711,
    "protocol": -86318449.566446,
    "local_endpoint": {},
    "remote_endpoint": {},
    "firewall_rule_definition": {},
    "rule_id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
    "rule_name": "RuleName",
    "rule_configuration_id": "9b7205bc-60e0-45a0-9956-b17b6a8673f6",
    "rule_obsolete": false,
    "alias": "AliasName",
    "instance_id": "9b7205bc-60e0-45a0-9956-b17b6a8673f6",
    "type": -51429435.96722382,
    "rule_risk": -54492359.89028178,
    "rule_mitre": "tactic: TA0006, technique: T1003",
    "status": 31156035.444223955,
    "endpoint_event_date": "2021-07-20T20:27:18.725Z",
    "filed_date": "2021-07-20T20:27:18.725Z",
    "since_until_filed": "8.07:06:05",
    "count": -10808344,
    "custom_group_folder_id": "1b7205bc-60e0-45a0-9956-b17b6a8673f6",
    "custom_group_folder_info": [
      {
        "name": "Root",
        "is_translatable": true,
        "type": 1
      }, 
      {
        "name": "Windows",
        "type": 2
      },
      {
        "name": "Server",
        "type": 2
      }
    ],
    "network_attack": null,
    "local_ip_address": 192.168.1.1,
    "remote_ip_address": 192.168.10.1
  ],
  "total_items": null  
}

This table lists and describes the data returned in the response:

data
array

Array of security event data.

accessed_data
boolean

Indicates if the data has been accessed.

Example: true

action
integer

Indicates the action performed.

For indicators of attack, this can be one of these values:

  • 0 — Undefined
  • 1 — Reported
  • 2 — Attack Blocked

For other detections, this can be one of these values:

  • 0 — Allowed
  • 1 — Quarantined
  • 2 — Blocked
  • 3 — Killed
  • 4 — Ignored
  • 5 — Cleaned
  • 6 — Deleted
  • 7 — Restored
  • 8 — Allowed By Whitelist
  • 9 — Write Blocked
  • 10 — Pending User Action
  • 11 — Uninstalled
  • 13 — After Process Blocked
  • 14 — Immediately Blocked
  • 15 — Allowed By User
  • 16 — Detected Restart Pending
  • 17 — Allowed By Administrator
  • 18 — Allowed on GW Installer
  • 21 — Suspend Process
  • 1009 — Reported
  • 1010 — Unquarantine
  • 1011 — Rename
  • 1012 — Block URL

date
string

Date and time of detection.

Example: "2020-11-20T20:27:18.725Z"

device_id
string

Identifier of the device.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

site_id
string

Identifier of the site.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

event_id
integer

Identifier of the event.

Example: 69608597

event_type
integer

Indicates the event type. This can be one of these values:

  • 0 — Malware
  • 1 — Exploit
  • 2 — PUPs
  • 3 — Blocked Item
  • 6 — Lock Plus Advanced Security
  • 7 — Lock Plus Application Control
  • 8 — Application Control
  • 10 — Network Attack Activity

dwell_time
integer

Indicates the number of seconds that the threat was on the device without classification.

Example: 60

is_excluded
boolean

Indicates if data has been excluded.

Example: true

hash
string

Hash of an element.

Example: 009a9b4ff00946f9a5a5659dfe9086da

host_name
string

Name of the host.

Example: WIN_SERVER_6

item_name
string

Name of the threat.

Example: MalwareName

made_external_connections
boolean

Indicates if malware made external connections.

Example: true

path
string

Name of the threat path.

Example: ThreatPathName

protection_mode
integer

Indicates the protection mode. This can be one of these values:

  • 0 — Undefined
  • 1 — Audit
  • 2 — Hardening
  • 3 — Lock

reclassified_to_type
integer

Indicates the type to which it has been reclassified. This can be one of these values:

  • 0 — Blocked
  • 1 — Malware
  • 3 — PUP
  • 6 — Goodware
  • 11 — Removed From List

like_lihood_of_being_malicious
integer

Indicates the likelihood of being malicious. This can be one of these values:

  • 0 — Low
  • 1 — Medium
  • 2 — High
  • 3 — Very High

discard_motive
integer

Reason for discarding the knowledge sample. This can be one of these values:

  • 0 — Unknown
  • 1 — Other Reason
  • 2 — File Max Size

lock_plus_rule_id
integer

LockPlus Rule ID. This can be one of these values:

  • 1 — Obfuscated Params PowerShell
  • 2 — User Executed PowerShell
  • 4 — Unknown Scripts
  • 5 — Locally Built Programs
  • 6 — Documents With Macros
  • 7 — Windows Boot Registry
  • 101 — Forbidden MD5
  • 102 — Forbidden Program Name

user_name
string

Username.

Example: Name

was_run
boolean

Indicates if the item has been executed.

Example: true

source_ip
string

Name of the source IP.

Example: SourceIPName

source_machine_name
string

Name of the source device.

Example: SourceDeviceName

source_user
string

Source username.

Example: SourceUserName

detection_technology
string

Name of detection technology in exploit detections.

Example: DetectionTechnologyName

exploit_technique
string

Exploit technique.

Example: ExploitTechnique

risk
boolean

Indicates whether it is a risk exploit.

Example: true

description
string

Device description in antivirus detections.

Example: DeviceDescription

domain
string

Domain of device in antivirus detections.

Example: DeviceDomain

detected_by
integer

Protection or technology in antivirus detections. This can be one of these values:

  • 1 — On-Demand Scan
  • 2 — File Resident
  • 3 — Mail Resident
  • 4 — Firewall
  • 5 — Device Control
  • 6 — Exchange Mailbox
  • 7 — Exchange Transport
  • 8 — Exchange Antispam
  • 9 — Web Protection
  • 10 — Exchange Content
  • 11 — Minerva
  • 12 — Web Access Control
  • 13 — Anti-theft
  • 14 — Anti-tampering
  • 15 — Personal Information Tracking
  • 16 — Isolation
  • 17 — Data Search Control
  • 18 — Patch Management
  • 19 — Personal Information Inventory
  • 20 — Application Control
  • 21 — Encryption USB
  • 22 — Authorized Software

device_type
integer

Device type in antivirus and firewall detections. This can be one of these values:

  • 0 — Undefined
  • 1 — Workstation
  • 2 — Laptop
  • 3 — Server
  • 4 — Mobile

platform_id
integer

Platform of the affected device. This can be one of these values:

  • 0 — Undefined
  • 1 — Windows
  • 2 — Linux
  • 3 — Mac
  • 4 — Android
  • 5 — iOS

excluded
boolean

Indicates if the element has been excluded in antivirus detection.

Example: true

file_info_discard
string

Hash to identify the file in antivirus detections.

Example: 009a9b4ff00946f9a5a5659dfe9086da

id
string

Identifier in antivirus detections.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

ip_address
string

IP address of the device in antivirus and firewall detections.

Example: 192.168.1.10

malware_name
string

Malware name in antivirus detections.

Example: MalwareName

malware_category
integer

Malware category in antivirus detections. This can be one of these values:

  • 1 — Virus
  • 2 — Spyware
  • 3 — HackingPpnd
  • 4 — Phishing
  • 5 — Suspicious
  • 6 — Blocked Operations
  • 7 — Tracking Cookies
  • 8 — Malware URL
  • 9 — Other

malware_type
integer

Malware type in antivirus detections. This can be one of these values:

  • 21 — Nereus Heuritic
  • 22 — Beta Trace Heuritic
  • 23 — Smart Clean Heuritic
  • 24 — Cloud Heuritic
  • 25 — 1N
  • 26 — Behavioral
  • 31 — Confirmed Goodware
  • 32 — Not Confirmed Goodware
  • 33 — Unwanted Goodware
  • 34 — Ranked
  • 35 — Digital Signature
  • 101 — Virus
  • 102 — Worm
  • 103 — Trojan
  • 104 — TrojanPwdeal
  • 105 — Dialer
  • 106 — Joke
  • 107 — Security Risk
  • 108 — Spyware
  • 109 — Adware
  • 110 — Worm Fake Worm
  • 111 — Tracking Cookie
  • 112 — PUP
  • 113 — Hacking Tool
  • 114 — Vulnerability
  • 115 — Max Size
  • 116 — Zip of Death
  • 117 — Packer of Death
  • 118 — Hoax
  • 119 — Phis Fraud
  • 120 — Rootkit
  • 121 — Backdoor
  • 122 — Virus Constructor
  • 123 — Malicious URL
  • 201 — Advertising
  • 202 — Toolbar
  • 203 — Net Tool
  • 204 — Advert Popup
  • 219 — Illegal
  • 223 — Internet Tools
  • 227 — Offensive
  • 236 — Society Education
  • 241 — Content Filter

number_of_occurrences
integer

Number of occurrences in antivirus detections.

Example: 3

security_event_date
string

Security event date and time for antivirus, firewall, and device control detections.

Example: "2021-07-20T20:27:18.725Z"

site_name
string

Site name in antivirus and firewall detections.

Example: SiteName

network_activity_type
integer

Network activity type in firewall detections. This can be one of these values:

  • 1 — IcmpAttack
  • 2 — UdpPortScan
  • 3 — HeaderLengths
  • 4 — UdpFlood
  • 5 — TcpFlagsCheck
  • 6 — SmartWins
  • 7 — IpExplicitPath
  • 8 — LandAttack
  • 9 — SmartDns
  • 10 — IcmpFilterEchoRequest
  • 11 — OsDetection
  • 12 — SmartDhcp
  • 13 — SynFlood
  • 14 — SmartArp
  • 15 — TcpPortScan

direction
integer

Direction of firewall blocked connections. This can be one of these values:

  • 1 — Incoming
  • 2 — Outgoing
  • 3 — Incoming and Outgoing
  • 4 — Internal

protocol
integer

Protocol of firewall blocked connections. This can be one of these values:

  • 1 — TCP
  • 2 — UDP
  • 3 — TCPUDP
  • 4 — ICMP
  • 5 — IP
  • 6 — All

local_endpoint
string

Firewall blocked connections for a local endpoint, in JSON format: Mac Address, IP Address, Port, and IP Type. IP type can be one of these values:

  • 0 — Unknown
  • 1 — IPV4
  • 2 — IPV6

Example: {"mac_address": "34:0A:E5:C2:DE:0C","ip_address": "192.168.0.173","port": 58550,"ip_type": 1}

remote_endpoint
string

Firewall blocked connections for a remote endpoint, in JSON format: Mac Address, IP Address, Port, and IP Type. IP type can be one of these values:

  • 0 — Unknown
  • 1 — IPV4
  • 2 — IPV6

Example: {"mac_address": "47:0A:E5:C2:DE:2F","ip_address": "192.168.0.75","port": 58550,"ip_type": 1}

rule_id
string

Identifier of a rule in firewall blocked connections and in indicators of attack detections.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

rule_name
string

Rule name for firewall blocked connections and for indicators of attack detections.

Example: MyRule

rule_configuration_id
string

Identifier of rule configuration in firewall blocked connections.

Example: 9b7205bc-60e0-45a0-9956-b17b6a8673f6

rule_obsolete
boolean

Indicates if the rule is obsolete in firewall blocked connections.

Example: false

alias
string

Alias name for device control detections.

Example: AliasName

instance_id
string

Instance identifier for device control detections.

Example: 9b7205bc-60e0-45a0-9956-b17b6a8673f6

type
integer

Type of device for device control detections. This can beone of these values:

  • 0 — Undefined
  • 1 — Removable Storage
  • 2 — Image Capture
  • 3 — Optical Storage
  • 4 — Bluetooth
  • 5 — Modem
  • 6 — Mobile

rule_risk
integer

Indicates the rule risk for indicators of attack detections. This can be one of these values:

  • 0 — Undefined
  • 1 — Critical
  • 2 — High
  • 3 — Medium
  • 4 — Low
  • 1000 — Unknown

rule_mitre
string

Array with JSON pairs of the MITRE attack tactic and technique in indicators of attack detections.

Example: [{tactic: "TA0006", technique: "T1003"}]

status
integer

Indicates the status in indicators of attack detections. This can be one of these values:

  • 0 — Undefined
  • 1 — Pending
  • 2 — Filed

endpoint_event_date
string

Endpoint event date in indicators of attack detections.

Example: "2021-07-20T20:27:18.725Z"

filed_date
string

Filed date in indicators of attack detections.

Example: "2021-07-20T20:27:18.725Z"

since_until_filed
string

Time since the filed date in indicators of attack detections.

Example: 8.07:06:05 specifies 8 days, 7 hours, 6 minutes, and 5 seconds

count
integer

Number of occurrences in indicators of attack detections.

Example: 3

custom_group_folder_id
string

Identifier of the assigned custom group folder.

Example: 1b7205bc-60e0-45a0-9956-b17b6a8673f6

custom_group_folder_info
array

Array of folders that represents the path where the device is located in the management UI.

name
string

Name of the folder.

Example: Windows

type
integer

Type of folder. This can be one of these values:

  • 1 — Root folder
  • 2 — Custom folder
  • 3 — Active Directory root folder
  • 4 — Site folder
  • 5 — Domain controller folder
  • 6 — Active Directory folder
  • 7 — IP address range folder

is_translatable
boolean

Indicates whether you can rename the folder. This can be one of these values:

  • True — The system assigns the folder name automatically. The name depends on the selected language.
  • False — The administrator assigns and can change the folder name.

network_attack
string

Network attack name.

Example: Denial of Service attack (DoS)

local_ip_address
string

Local IP address in network attack detections.

Example: 192.168.1.1

remote_ip_address
string

Remote IP address in network attack detections.

Example: 192.168.10.1

total_items
integer

Count is not supported. Currently, null is always displayed in this field.

Example: null

Uninstall Protection from Devices

/api/{v1}/accounts/{accountId}/devices/uninstall

Uninstalls protection from the specified devices.

Path Parameters

When you send a request to this endpoint, you must include this path parameter:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Body

device_ids
array
REQUIRED

List of IDs of devices to uninstall protection from.

Example: "00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"

Example Request

This request uninstalls protection from two devices.

curl -X POST https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/devices/uninstall
	-H 'Accept: application/json'
	-H 'Content-Type: application/json'
	-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
	-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'
	-d '{
	"device_ids": ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]
	}'

Example Response

A successful request returns the 200 OK status code.

Isolate Devices

/api/{v1}/accounts/{accountId}/devices/isolation

Isolates the specified devices. When you isolate a device, communication to and from the device is denied.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Body

device_ids
array
REQUIRED

List of IDs of devices to isolate.

Example: "00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"

exclusion_programs
array

List of programs to exclude from isolation and allow to communicate normally.

Example: "Chrome.exe"

customized_message
string

Text to show in an alert message on the isolated devices.

Example: This computer has been isolated by an administrator.

hide_customized_alert
boolean

Indicates whether to hide the customized alert message on isolated devices.

Example: true

Example Request

This request isolates two devices, displays a custom alert message on the devices, and allows the Chrome.exe program to continue to communicate normally:

curl -X POST https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/devices/isolation
	-H 'Accept: application/json'
	-H 'Content-Type: application/json'
	-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
	-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'
	-d '{
	"device_ids": ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]
	"exclusion_programs": ["Chrome.exe"],
	"customized_message": "This computer has been isolated by an administrator",
	"hide_customized_alert": false			
	}'

Example Response

The response contains IDs of the isolated devices.

{
  "processed_device_ids": ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]
}

This table lists and describes the data returned in the response:

processed_device_ids
string

List of IDs of the isolated devices.

Example: [ "00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2" ]

Stop Device Isolation

/api/{v1}/accounts/{accountId}/devices/noisolation

Stops isolation on the specified devices.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Body

device_ids
string
REQUIRED

List of IDs of isolated devices to remove from isolation.

Example: ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]

Example Request

This request stops isolation for two isolated devices:

curl -X POST https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/devices/noisolation
	-H 'Accept: application/json'
	-H 'Content-Type: application/json'
	-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
	-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'
	-d '{
	"device_ids": ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]
	}'

Example Response

The response includes the IDs of devices that are no longer isolated.

{
     "processed_device_ids": ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]
}

This table lists and describes the data returned in the response:

processed_device_ids
string

List of IDs of devices removed from isolation.

Example: ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]

Send Device Action

/api/{v1}/accounts/{accountId}/devices/action

Initiates an action on the specified devices. For example, sends an action to reboot a device.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Body

device_ids
string
REQUIRED

List of IDs of the devices to initiate an action on.

Example: ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]

action_type
integer
REQUIRED

Type of action to initiate on the device. Specify one of these values:

  • 1 — Reboot

count_down_type
integer
REQUIRED

Amount of time to count down to the action. Specify one of these values:

  • 1 — Immediate
  • 2 — Fifteen minutes
  • 3 — Thirty minutes
  • 4 — One hour
  • 5 — Two hours
  • 6 — Four hours
  • 7 — Eight hours

Example Request

This request reboots two devices:

curl -X POST https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/devices/action
	-H 'Accept: application/json'
	-H 'Content-Type: application/json'
	-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
	-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'
	-d '{
	"device_ids": ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"],
	"action_type": 1, 
	"count_down_type": 5

Example Response

The response includes the IDs of the rebooted devices.

{
     "processed_device_ids": ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]
}

This table lists and describes the data returned in the response:

processed_device_ids
string

List of IDs of rebooted devices.

Example: ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]

Scan Devices Immediately

/api/{v1}/accounts/{accountId}/immediatescan

Starts a task to scan the specified devices immediately.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Body

device_ids
string
REQUIRED

List of IDs of devices to scan.

Example: "00ab3e54-7bb7-4bd3-r0lo-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"

task_name
string
REQUIRED

Name of the scan task.

Example: Routine scan.

task_description
string

Description of the scan task.

Example: Windows 8 machines only.

scan_scope
integer

Scope of the scan task. Specify one of these values:

  • 0 — Entire computer
  • 1 — Critical areas
  • 2 — Specified items

Example: 0

specified_items_to_scan
string

List of specific locations or items to scan. All folders and files in the specified locations are scanned.

Works only when scan_scope is 2.

Example: "C:\Downloads", "C:\Documents"

detect_hacking_tools
boolean

Indicates whether to detect hacking tools. This detects potentially unwanted programs, as well as programs used by hackers.

Example: false

detect_suspicious_files
boolean

Indicates whether to detect suspicious files. In scheduled scans, the tool scans computer software but does not run it. Some types of threats have a lower chance of detection. Set this option to true to scan with heuristic algorithms and improve detection rates.

Example: true

scan_compressed_files
boolean

Indicates whether to scan compressed files. This decompresses compressed files and scans their contents.

Example: true

apply_exclusions_on_scan
boolean

Indicates whether to exclude items from the scan, such as specific files, files with a specific extension, or a specific directory.

Example: true

extensions_to_exclude
string

List of file extensions to exclude from the scan.

Works only when apply_exclusions_on_scan is true.

Example: "exe", "pdf"

files_to_exclude
string

List of file names (with their extensions) to exclude from the scan.

Works only when apply_exclusions_on_scan is true.

Example: "Chrome.exe", "Explorer.exe"

folders_to_exclude
string

List of folders to exclude from the scan. You must include the full path.

Works only when apply_exclusions_on_scan is true.

Example: "D:/shared_drive/documents"

execution_window_expiration
string

Time period in which the scan must run before it times out. The default is 7 days.

Example: 8.07:06:05 specifies 8 days, 7 hours, 6 minutes, and 5 seconds

Example Request

This request immediately scans critical areas on two devices:

curl -X POST https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/immediatescan
	-H 'Accept: application/json'
	-H 'Content-Type: application/json'
	-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
	-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'
	-d '{
	"device_ids": ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"],
	"task_name": "Scan laptops", 
	"task_description": "Scan Marketing laptops",
	"scan_scope": 1, 
	"specified_items_to_scan": [""],
	"detect_hacking_tools": true, 
	"detect_suspicious_files": true, 
	"scan_compressed_files": true, 
	"apply_exclusions_on_scan": false, 
	"extensions_to_exclude": [""], 
	"files_to_exclude": [""], 
	"folders_to_exclude": [""],
	"execution_window_expiration": "10.00:00:00"
	}'

Example Response

The response contains a task ID.

{
    "task_id": "12a345a6-a789-0123-a4aa-56a7890a12a3"
}

This table lists and describes the data returned in the response:

task_id
string

ID of the completed scan task.

Example: 12a345a6-a789-0123-a4aa-56a7890a12a3

Retrieve a List of Unmanaged Devices

/api/{v1}/accounts/{accountId}/unmanageddevices

Retrieves a list of unmanaged devices discovered on the network. The response to this request is limited to 3,000 records.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$search
string

Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username."

The supported search fields depend on the endpoint:

  • Devices: Host name, description, IP address, logged on user
  • DeviceProtectionStatus: Host name
  • ManagedConfigurations: Name, description

Example: name

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$orderby
string

Specifies how to order results. You can order by any parameter in the response and sort results in ascending or descending order.

Specify a parameter name with any underscores removed, followed by a + (plus sign) and either asc (ascending) or desc (descending).

For example, to order results by the host_name parameter in descending order, specify hostname+desc. If you do not specify a field to order by, the API will use the order in the database.

Example: hostname+desc

Example Request

This request retrieves a list of unmanaged devices associated with the specified account ID:

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/unmanageddevices"
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response contains a list of unmanaged devices as well as information about each unmanaged device.

{
"data": [
	{  
	  "device_id": "287324d8-194f-4f5a-a7ad-e2480d5ad1b2",
	  "account_id": "cd6c6dd6-b97f-453d-ad81-a5976dc0596c",
	  "site_id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
	  "host_name": "WIN_SERVER_6",
	  "ip_address": "192.0.2.1",
	  "mac_address": "00:0a:95:9d:68:16",
	  "probe_name": "Probe computer 7",
	  "last_seen_datetime": "2020-11-18T22:25:22.641Z",
	  "network_interface_controller_vendor": "Intel",
	  "visible": true,
	  "description": "Finance mac01",
	  "status": "0_Undefined",
	  "installation_error": 200000
	}
	],
"total_items": null
}

This table lists and describes the data returned in the response:

data
string

Array of device data.

device_id
string

Identifier for the device.

Example: 287324d8-194f-4f5a-a7ad-e2480d5ad1b2

account_id
string

Identifier of the account.

Example: cd6c6dd6-b97f-453d-ad81-a5976dc0596c

site_id
string

Identifier of the site.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

host_name
string

Name of the host.

Example: WIN_SERVER_6

ip_address
string

IP address of the device.

Example: 192.0.2.1

mac_address
string

MAC address of the device.

Example: 00:0a:95:9d:68:16

probe_name
string

Name of the device that discovered the unmanaged device.

Example: Probe computer 7

last_seen_datetime
string

Date and time the unmanaged device was found.

Example: 2020-11-20T20:27:18.725Z

network_interface_controller_vendor
string

Manufacturer of the network card in the device.

Example: Intel

description
string

Description of the device.

Example: Finance mac01

status
integer

Status of the device. This can be one of these values:

  • 0 — Undefined
  • 1 — Discovered
  • 2 — Installing
  • 3 — Error

Example: 1

installation_error
integer

Unmanaged device installation error. This can be one of these values:

  • 200000 — Unable to connect to the computer. Make sure the computer is turned on and meets the remote installation requirements.
  • 200053 — Unable to connect to the computer. Make sure the computer is turned on and meets the remote installation requirements.
  • 201312 — Wrong credentials. Launch the installation again using credentials with sufficient privileges to perform the installation.
  • 201326 — Wrong credentials. Launch the installation again using credentials with sufficient privileges to perform the installation.
  • 299999 — Discovery computer not available.
  • 300000 — Operating system not supported. Make sure the computer is turned on and meets the remote installation requirements.
  • 301077 — Operating system not supported. Make sure the computer is turned on and meets the remote installation requirements.
  • 400000 — Unable to download the agent installer. Make sure the computer is turned on and meets the remote installation requirements.
  • 400002 — Unable to download the agent installer. Make sure the computer is turned on and meets the remote installation requirements.
  • 400112 — Unable to download the agent installer. Make sure the computer is turned on and meets the remote installation requirements.
  • 500000 — Unable to copy the agent installer. Make sure the computer is turned on and meets the remote installation requirements.
  • 500112 — Unable to copy the agent installer. Make sure the computer is turned on and meets the remote installation requirements.
  • 600000 — Unable to install the agent. Make sure the computer is turned on and meets the remote installation requirements.
  • 601603 — Unable to install the agent. Make sure the computer is turned on and meets the remote installation requirements.
  • 700000 — Unable to register the agent. Make sure the computer is turned on and meets the remote installation requirements.
  • 701603 — Unable to register the agent. Make sure the computer is turned on and meets the remote installation requirements.
  • 900000 — Unable to install the protection.
  • 900112 — Not enough disk space.
  • 901601 — Windows installer is not operational.
  • 901602 — Removal of the third-party protection installed was canceled by the user.
  • 901603 — Unable to install the protection.
  • 901618 — Another installation is in progress.
  • 999999 — Unhandled error during installation.
  • 1000000 — Unable to download the protection.
  • 1100000 — Error automatically uninstalling a third-party protection application.
  • 1200000 — No uninstaller available to remove a third-party protection application.

Example: 200000

total_items
integer

Total number of unmanaged devices.

If the count request parameter is true, total_items displays the total number of unmanaged devices. If count is false, then total_items displays null.

Example: 2

Retrieve Company Risk Information

/api/{v1}/accounts/{accountId}/riskassessment/companyrisksummary

Retrieves a summary of the company risk status.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Example Request

This request retrieves a count of devices associated with each risk level:

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/riskassessment/companyrisksummary"
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response contains a count of devices associated with each risk level:

{
    "without_risk": 25,
    "medium_risk": 43,
    "high_risk": 14,
    "critical_risk": 0
}

This table lists and describes the data returned in the response:

without_risk
integer

Total number of devices with no risk.

Example: 25

medium_risk
integer

Total number of devices with medium risk.

Example: 43

high_risk
integer

Total number of devices with high risk.

Example: 14

critical_risk
integer

Total number of devices with critical risk.

Example: 0

Retrieve Detected Risks

/api/{v1}/accounts/{accountId}/riskassessment/detectedrisks

Retrieves a count of detected devices for each type of risk.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Parameters

When you send a request to this endpoint, you can include this request parameter:

$filter
string

Specifies the device or type of device to retrieve risk information from. You can combine two or more values with the boolean operators %20And%20 and %20Or%20:

  • 4005%20Eq%20 — Type of device. 1=Workstation, 2=Laptop, 3=Server, 4=Mobile.
  • 4004%20Eq%20 — Type of operating system installed on the device. 1=Windows, 2=Linux, 3=Mac, 4=Android, 5=iOS.
  • 101%20Eq%20 — Identifier for the device.

Example Request

This request returns a count of the Linux laptops where each type of risk was detected.

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/riskassessment/detectedrisks?$filter=4005%20Eq%202%20And%204004%20Eq%202
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response contains information about each type of risk and a count of devices where the risk was detected.


{
  "data": [
    {
      "risk_factor": 70,
      "risk_severity": 40,
      "total_active_devices_counter": 1",
      "total_without_risk": 2,
      "total_not_applicable_by_platform": 0,
      "total_not_evaluated_on_device": 0
    }
  ]
  "total_items": 1
}

This table lists and describes the data returned in the response:

data
array

Array of risk data.

risk_factor
integer

Identifier of the risk. This can be one of these values:

  • 10 — No protection
  • 20 — Out-of-date protection
  • 30 — Out-of-date knowledge (more than 30 days)
  • 40 — No connectivity to knowledge servers
  • 50 — No uninstallation protection
  • 60 — Anti-tamper protection disabled
  • 70 — File antivirus disabled
  • 80 — Advanced protection for Windows disabled or in ‘Audit’ mode
  • 90 — Advanced protection for Windows in ‘Hardening’ mode
  • 100 — Advanced protection for Linux disabled or in 'Do not detect’ or ‘Audit’ mode
  • 110 — Anti-exploit protection disabled or in 'Audit' mode
  • 120 — Anti-phishing protection disabled
  • 130 — Web browsing antivirus disabled
  • 140 — Folder, file, and extension exclusions
  • 150 — Recent indicators of attack
  • 160 — Critical patches pending installation
  • 170 — Audit mode enabled
  • 180 — Network attack protection disabled or in Audit mode

Example: 70 (File antivirus disabled)

risk_severity
integer

Assigned risk level. This can be one of these values:

  • 0 — Undefined
  • 20 — Medium risk
  • 30 — High risk
  • 40 — Critical risk
  • 50 — Based on the risk of the indicators of attack

Example: 40 (Critical risk)

total_active_devices_counter
integer

Number of devices where the risk was detected.

Example: 1

total_without_risk
integer

Number of devices where the risk was not detected.

Example: 2

total_not_applicable_by_platform
integer

Number of devices where the risk was not evaluated because it is not compatible with the type of device.

Example: 0

total_not_evaluated_on_device
integer

Number of devices where the risk was not evaluated because you did not enable it for detection.

Example: 0

total_items
integer

Total number of retrieved risks.

If the count request parameter is true, total_items displays the total number of retrieved risks. If count is false, then total_items displays null.

Example: 1

Retrieve Risks Detected for Devices

/api/{v1}/accounts/{accountId}/riskassessment/devicesrisk

Retrieves a count of risks detected on each device by risk level. The response to this request is limited to 3,000 records.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$search
string

Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username".

The supported search field is the device host name.

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$filter
string

Specifies a filter to retrieve devices. You can combine two or more values with the boolean operators %20And%20 and %20Or%20:

  • 4005%20Eq%20 — Type of device. 1=Workstation, 2=Laptop, 3=Server, 4=Mobile.
  • 4004%20Eq%20 — Type of operating system installed on the device. 1=Windows, 2=Linux, 3=Mac, 4=Android, 5=iOS
  • 72001%20Eq%20 — Risk level. 5=No risk, 20=Medium, 30=High, 40=Critical
  • 72002%20Eq%20 — Risk detected. 10=No protection, 20=Out-of-date protection, 30=Out-of-date knowledge (more than 30 days), 40=No connectivity to knowledge servers, 50=No uninstallation protection, 60=Anti-tamper protection disabled, 70=File antivirus disabled, 80=Advanced protection for Windows disabled or in Audit mode, 90=Advanced protection for Windows in Hardening mode, 100=Advanced protection for Linux disabled or in Do not detect or Audit mode, 110=Anti-exploit protection disabled or in Audit mode, 120=Anti-phishing protection disabled, 130=Web browsing antivirus disabled, 140=Folder, file, and extension exclusions, 150=Recent indicators of attack, 160=Critical patches pending installation, 170=Audit mode enabled, 180=Network attack protection disabled or in Audit mode
  • 101%20Eq%20 — Identifier for the device.
  • 9001%20AmongTheLast%20[x,y]— Retrieves devices where risks were detected within the specified time period.
  • 9001%20NotAmongTheLast%20[x,y]— Retrieves devices where risks were detected outside the specified time period.

Specify the length of the time period in the format [x, y] where x is the number of units and y is the unit of time:

  • 1 — Years
  • 2 — Months
  • 3 — Days
  • 4 — Hours

Example: Retrieves devices for the last 7 days: filter=9001%20AmongTheLast%20[7,3].

Example: Retrieves devices outside the last 3 months. filter=9001%20NotAmongTheLast%20[3,2].

Example Request

This request retrieves risk information for Windows servers.

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/riskassessment/devicesrisk?$filter=4005%20Eq%202%20And%204004%20Eq%202
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response returns risk information for each Windows server:


{
  "data": [
    {
      "device_id": 18421fc0-285a-41e6-8a67-a8cb400bedd0,
      "host_name": "WIN-SERVER-1",
      "last_connection_date": 2022-12-20T00:39:21.574Z",
      "device_risk_severity": 40,
      "risk_status_counters": {
          "total_critical_risk": 1,
          "total_high_risk": 0,
          "total_medium_risk": 0,
          "total_without_risk": 4,
          "total_not_applicable_by_platform": 9,
          "total_not_evaluated_on_device": 2
	   }
    }
  ]
  "total_items": 1
}

This table lists and describes the data returned in the response:

data
array

Array of risk data.

device_id
string

Identifier for the device.

Example: 18421fc0-285a-41e6-8a67-a8cb400bedd0

host_name
string

Host name of the device.

Example: WIN-SERVER-1

last_connection_date
string

Date and time of the last connection of the device.

Example: 2022-12-20T00:39:21.574Z

device_risk_severity
integer

Risk level associated with the device. This can be one of these values:

  • 0 — Undefined
  • 5 — No risk
  • 20 — Medium risk
  • 30 — High risk
  • 40 — Critical risk

Example: 40

risk_status_counters
object

Number of risks found on the device by risk level.

total_critical_risk
integer

Number of critical-level risks found on the device.

Example: 1

total_high_risk
integer

Number of high-level risks found on the device.

Example: 0

total_medium_risk
integer

Number of medium-level risks found on the device.

Example: 0

total_without_risk
integer

Number of risks not found on the device.

Example: 4

total_not_applicable_by_platform
integer

Number of risks not compatible with the operating system or type of device.

Example: 9

total_not_evaluated_on_device
integer

Number of risks not evaluated on the device because they were not enabled for detection.

Example: 2

total_items
integer

Total number of retrieved devices.

If the count request parameter is true, total_items displays the total number of devices. If count is false, then total_items displays null.

Example: 1

Retrieve a Risk Detection Overview

/api/{v1}/accounts/{accountId}/riskassessment/statisticsbydate/{period}

Retrieves an overview of the number and types of risks detected over time.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId

string

REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

period
string

Period of time to retrieve risk detection counters for. Specify one of these values:

  • 7 — Previous 7 days
  • 30 — Previous 30 days (by default)

Example Request

This request retrieves risk detection counters for the specified account for the previous 7 days:

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/riskassessment/statisticsbydate/7
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

This response contains counts of devices associated with each risk level for the previous 7 days:


[
  {
    "key": {
      "date": "2022-12-07T23:59:59.999Z",
      "device_risk_severity": 5
    },
    "value": 10
  }
]

This table lists and describes the data returned in the response:

key
array

Array with the date key and risk level assigned.

date
string

Date and time of the overview.

Example: 2022-11-21T23:59:59.999Z

device_risk_severity
integer

Risk level associated with the device. This can be one of these values:

  • 0 — Undefined
  • 5 — No risk
  • 20 — Medium risk
  • 30 — High risk
  • 40 — Critical risk

value
integer

Number of devices found for the specified key.

Example: 14

Retrieve Risk Configuration

/api/{v1}/accounts/{accountId}/riskassessment/configuration

Retrieves the risk configuration.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId

string

REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Example Request

This request retrieves the list of risks and the configured risk levels.

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/riskassessment/configuration
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response contains the list of risks and the level assigned to each risk.


[
  {
    "recommended_severity": 40,
    "factor": 10,
    "enable": true,
    "severity": 40,
    "edited_by_user": false,
    "supported": true,
    "threshold": null
  }
]

This table lists and describes the data returned in the response:

recommended_severity
integer

Risk level recommended by default by WatchGuard Technologies Inc.. This can be one of these values:

  • 0 — Undefined
  • 20 — Medium risk
  • 30 — High risk
  • 40 — Critical risk
  • 50 — Based on the risk of the indicators of attack

Example: 40

factor
integer

Risk type. This can be one of these values:

  • 10 — No protection
  • 20 — Out-of-date protection
  • 30 — Out-of-date knowledge (more than 30 days)
  • 40 — No connectivity to knowledge servers
  • 50 — No uninstallation protection
  • 60 — Anti-tamper protection disabled
  • 70 — File antivirus disabled
  • 80 — Advanced protection for Windows disabled or in ‘Audit’ mode
  • 90 — Advanced protection for Windows in ‘Hardening’ mode
  • 100 — Advanced protection for Linux disabled or in 'Do not detect’ or ‘Audit’ mode
  • 110 — Anti-exploit protection disabled or in 'Audit' mode
  • 120 — Anti-phishing protection disabled
  • 130 — Web browsing antivirus disabled
  • 140 — Folder, file, and extension exclusions
  • 150 — Recent indicators of attack
  • 160 — Critical patches pending installation
  • 170 — Audit mode enabled
  • 180 — Network attack protection disabled or in Audit mode

Example: 10

enable
boolean

Indicates whether the risk is enabled for detection in the settings.

Example: true

severity
integer

Risk level. This can be one of these values:

  • 0 — Undefined
  • 20 — Medium risk
  • 30 — High risk
  • 40 — Critical risk
  • 50 — Based on the risk of the indicators of attack

Example: 40

edited_by_user
boolean

Indicates whether the risk level is the recommended value or it was modified by you.

Example: false

supported
boolean

Indicates whether the risk is compatible with the type of product assigned to the account.

Example: false

threshold
integer

The value is null for all risks, except for these risks:

  • 150 — Number of days that the solution checks for IOAs. The default value is 30 days. This value is not shown in the Web UI.
  • 160 — Maximum number of days that can pass before a published patch must be applied. After that period, the risk is detected.

Update Risk Configuration

/api/{v1}/accounts/{accountId}/riskassessment/updateconfiguration

Modifies the risk configuration.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId

string

REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Body

risk_settings_list
array
REQUIRED

List of types of risks to configure.

recommended_severity
integer

Risk level recommended by WatchGuard Technologies Inc.. This value has no effect, but you must include it. This can be one of these values:

  • 0 — Undefined
  • 20 — Medium risk
  • 30 — High risk
  • 40 — Critical risk
  • 50 — Based on the risk of the indicators of attack

factor
integer

Risk type. This can be one of these values:

  • 10 — No protection
  • 20 — Out-of-date protection
  • 30 — Out-of-date knowledge (more than 30 days)
  • 40 — No connectivity to knowledge servers
  • 50 — No uninstallation protection
  • 60 — Anti-tamper protection disabled
  • 70 — File antivirus disabled
  • 80 — Advanced protection for Windows disabled or in ‘Audit’ mode
  • 90 — Advanced protection for Windows in ‘Hardening’ mode
  • 100 — Advanced protection for Linux disabled or in 'Do not detect’ or ‘Audit’ mode
  • 110 — Anti-exploit protection disabled or in 'Audit' mode
  • 120 — Anti-phishing protection disabled
  • 130 — Web browsing antivirus disabled
  • 140 — Folder, file, and extension exclusions
  • 150 — Recent indicators of attack
  • 160 — Critical patches pending installation
  • 170 — Audit mode enabled
  • 180 — Network attack protection disabled or in Audit mode

Example: 10

enable
boolean

Indicates whether the risk is enabled for detection in the settings.

Example: true

severity
integer

Risk level. This can be one of these values:

  • 0 — Undefined
  • 20 — Medium risk
  • 30 — High risk
  • 40 — Critical risk
  • 50 — Based on the risk of the indicators of attack

Example: 40.

edited_by_user
boolean

Indicates whether the risk level is the recommended value or it was modified by you. This value has no effect, but you must include it.

Example: true

supported
boolean

Indicates whether the risk is compatible with the type of product assigned to the account. This value has no effect, but you must include it.

Example:true

threshold
integer

This value has no effect for all risks, except for these risks:

  • 150 — Number of days that the solution checks for IOAs. The default value is 30 days. This value is not shown in the Web UI.
  • 160 — Maximum number of days that can pass before a published patch must be applied. After that period, the risk is detected.

Example Request

This request sets the risk configuration:

curl -X PATCH https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/riskassessment/updateconfiguration
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		-d '{
		"risk_settings_list": [{
			"recommended_severity":40,
			"factor":10,
			"enable": true,
			"severity": 40,
			"edited_by_user": false,
			"supported": true,
			"threshold": null
		},  {
			"recommended_severity": 30,
			"factor": 20,
			"enable": true,
			"severity": 20,
			"edited_by_user": false,
			"supported": true,
			"threshold": null
		}
		]
		}'
		

Example Response

This response contains the result of applying the risk configuration:


{
  "processed_ok": true
}

This table lists and describes the data returned in the response:

processed_ok
boolean

Result of applying the risk configuration.

Example: true

Retrieve Missing Patches

/api/v1/accounts/{accountId}/patchavailability

Retrieves published patches not installed on the devices on the network.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$filter
string

Specifies a filter to retrieve patches. You can combine two or more values with the boolean operators %20And%20 and %20Or%20:

  • 26018%20Eq%20{patchTypeEnum} — Type of patch. 0=Non-operating system patch,1=Operating system patch.
  • 4001%20Eq%20%22{Hostname}%22 — Name of the host.
  • 26004%20Contains%20%22{ProgramName}%22 — Name of the program.
  • 26006%20Contains%20%22{PatchName}%22 — Name of the patch.
  • 26003%20Eq%20{CriticalityEnum} — Severity of the patch. 101=Other patches (non-security-related), 201=Critical, 202=Important, 203=Moderate, 204=Low, 205=Unspecified, 301=Service Pack
  • 26008%20Eq%20{CVE} — Common Vulnerabilities and Exposures (CVE) code assigned to the patch.

Example: Retrieves missing patches of the Operating System type and Critical severity: filter=26018%20Eq%201%20And%2026003%20Eq%20201.

Example Request

This request retrieves information about missing patches of the Operating System type and Critical severity.

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/patchavailability?$count=true&$filter=26018%20Eq%201%20And%2026003%20Eq%20201
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response contains information about each patch found:

{
  "data": [
    {
      "account_id": "cd6c6dd6-r97o-453d-ld8o-a5976dc0596c",
      "site_id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
      "site_name": "AD360",
      "device_id": "18421fc0-285a-41e6-8a67-a8cb400bedd0",
      "host_name": "WIN-SERVER-1",
      "device_type": 1,
      "platform_id": 1,
      "patch_management_status": 0,
      "custom_group_folder_id": "225b2d1d-3115-428f-951d-1e58992ccd64",
      "isolation_state": 1,
      "license_status": 0,
      "patch_id": "00012594-0000-0000-0000-000000000000",
      "patch_name": "Microsoft security advisory: Update for vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge: October 19, 2015",
      "program_name": "Windows 10 (x64)",
      "program_version": "6.4",
      "patch_release_date": "2015-10-19T00:00:00Z",
      "patch_criticality": 301,
      "patch_type": 1,
      "is_downloadable": true,
      "is_allowed_manual_installation": true,
      "automatic_reboot": false,
      "download_url": "https://download.microsoft.com/download/1/6/D/16DB3B7D-57D0-4E1A-BF24-22BBC4EDBC6A/WSUS-KB2938066-amd64.exe",
      "local_filename": "WSUS-KB2938066-amd64.exe",
      "patch_installation_availability": 1,
      "patch_cve_ids": [
        "CVE-2010-3190"
      ],
      "vendor_id": 1,
      "family_id": 165,
      "version_id": 1166,
      "vendor_name": "Microsoft",
      "family_name": "Windows"
	  }
    ],
    "total_items": 1
}

This table lists and describes the data returned in the response:

data
array

Array of patch data.

account_id
string

Identifier for the account.

Example: cd6c6dd6-r97o-453d-ld8o-a5976dc0596c

site_id
string

Identifier for the site.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

site_name
string

Name of the site the device belongs to.

Example: AD360

device_id
string

Identifier for the device.

Example: 18421fc0-285a-41e6-8a67-a8cb400bedd0

host_name
string

Host name of the device.

Example: WIN-SERVER-1

device_type
integer

Type of device. This can be one of these values:

  • 1 — Workstation
  • 2 — Laptop
  • 3 — Server

Example: 1

platform_id
integer

Device platform. This can be one of these values:

  • 1 — Windows
  • 2 — Linux
  • 3 — macOS

Example: 1

patch_management_status
integer

Status of the Patch Management module. This can be one of these values:

  • 0 — No protection or No information
  • 1 — Enabled
  • 2 — Disabled
  • 3 — Error
  • 4 — Error installing
  • 5 — No license
  • 6 — Not available

Example: 0

custom_group_folder_id
string

Identifier of the assigned custom group folder.

Example: 225b2d1d-3115-428f-951d-1e58992ccd64

isolation_state
integer

Isolation status of the device. This can be one of these values:

  • 0 — Not isolated
  • 1 — Isolated
  • 2 — Applying isolation
  • 3 — Removing isolation

Example: 1

license_status
integer

Status of the device license. This can be one of these values:

  • 0 — Assigned
  • 1 — Not assigned
  • 2 — Manual deallocation
  • 3 — Auto deallocation

Example: 0

patch_id
string

Identifier of the patch.

Example: 00012594-0000-0000-0000-000000000000

patch_name
string

Name of the patch.

Example: Microsoft security advisory: Update for vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge: October 19, 2015

program_name
string

Name of the program associated with the patch.

Example: Windows 10 (x64)

program_version
string

Version of the program associated with the patch.

Example: 6.4

patch_release_date
string

Patch release date.

patch_criticality
integer

Patch severity. This can be one of these values:

  • 101 — Other patches (non-security-related)
  • 201 — Critical (security-related)
  • 202 — Important (security-related)
  • 203 — Moderate (security-related)
  • 204 — Low (security-related)
  • 205 — Unspecified (security-related)
  • 301 — Service Pack

Example: 301

patch_type
integer

Patch type. This can be one of these values:

  • 0 — Non-operating system patch
  • 1 — Operating system patch

Example: 1

is_downloadable
boolean

Indicates whether the patch is downloadable. This can be one of these values:

  • True — Patch Management can download the patch automatically.
  • False — You must install the patch manually (either add it to a repository or manually install it on the target device).

Example: true

is_allowed_manual_installation
boolean

Indicates whether manual patch installation is allowed. This can be one of these values:

  • True — Patch Management cannot download the patch automatically, but enables you to add it to a repository.
  • False — Patch Management does not enable you to add the patch to a repository. You must install the patch manually on the target device.

Example: true

automatic_reboot
boolean

Indicates whether the patch can perform an automatic reboot.

Example: false

download_url
string

Manual patch download URL (if available).

Example: https://download.microsoft.com/download/1/6/D/16DB3B7D-57D0-4E1A-BF24-22BBC4EDBC6A/WSUS-KB2938066-amd64.exe

local_filename
string

Name of the local patch file (if available).

Example: WSUS-KB2938066-amd64.exe

patch_installation_availability
integer

Indicates the patch availability for installation. This can be one of these values:

  • 1 — Pending installation
  • 2 — Pending installation (you must add the patch manually to the patch repository)
  • 3 — Pending installation (the patch has already been added to the patch repository)
  • 4 — Pending restart to complete installation

Example: 1

patch_cve_ids
array

List of CVEs associated with the patch (if available).

Example: [ "CVE-2010-3190" ]

vendor_id
integer

Numeric identifier of the vendor associated with the patch (if available).

Example:1

family_id
integer

Numeric identifier of the program family associated with the patch (if available).

Example: 165

version_id
integer

Numeric identifier of the program version associated with the patch (if available).

Example: 1166

vendor_name
string

Name of the vendor associated with the patch.

Example: Microsoft

family_name
string

Name of the program family associated with the patch.

Example: Windows

total_items
integer

Total number of retrieved patches.

If the count request parameter is true, total_items displays the total number of retrieved patches. If count is false, then total_items displays null.

Example: 1

Retrieve Installed Software

/api/{v1}/accounts/{accountId}/softwareinventory

Retrieves the software installed on the computers on the network.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$filter
string

Specifies a filter to retrieve the software inventory:

  • 4001%20Eq%20%22{HostName}%22 — Name of the device in URL encoded format.

Example: Retrieves the software installed on a device named WIN-DESKTOP-3: filter=4001%20Eq%20%22WIN-DESKTOP-3%22.

Example Request

This request retrieves the software installed on a device named WIN-DESKTOP-3.

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/softwareinventory?$count=true&$filter=4001%20Eq%20%22WIN-DESKTOP-3%22
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response contains information about each program found on the device:

{
  "data": [
    {
      "site_id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
      "site_name": "AD360",
      "device_id": "18421fc0-285a-41e6-8a67-a8cb400bedd0",
      "host_name": "WIN-DESKTOP-3",
      "description": null,
      "device_type": 1,
      "platform_id": 1,
      "ip_address": "192.168.0.66",
      "domain": "WORKGROUP",
      "operating_system": "Windows 10 Pro (Version: 21H1) (Build: 14393.693)",
      "custom_group_folder_id": "225b2d1d-3115-428f-951d-1e58992ccd64",
      "name": "Mozilla Firefox 36.0.1 (x86 en-GB)",
      "publisher": "Mozilla",
      "version": "36.0.1",
      "size": 85687,
      "installation_date": "2022-03-03T15:24:52.202Z",
      "is_patch": false
	  }
    ],
    "total_items": 1
}

This table lists and describes the data returned in the response:

data
array

Array with information about the software installed on the device.

site_id
string

Identifier for the site.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

site_name
string

Name of the site the device belongs to.

Example: AD360

device_id
string

Identifier for the device.

Example: 18421fc0-285a-41e6-8a67-a8cb400bedd0

host_name
string

Host name of the device.

Example: WIN-DESKTOP-3

description
string

Description of the device.

device_type
integer

Type of device. This can be one of these values:

  • 1 — Workstation
  • 2 — Laptop
  • 3 — Server
  • 4 — Mobile device

Example: 1

platform_id
integer

Device platform. This can be one of these values:

  • 1 — Windows
  • 2 — Linux
  • 3 — macOS
  • 4 — Android
  • 5 — iOS

Example: 1

ip_address
string

IP address of the device.

Example: 192.168.0.66

domain
string

Domain where your devices belong on Microsoft networks.

Example: WORKGROUP

operating_system
string

Name of the operating system installed on the device.

Example: Windows 10 Pro (Version: 21H1) (Build: 14393.693)

custom_group_folder_id
string

Identifier of the assigned custom group folder.

Example: 225b2d1d-3115-428f-951d-1e58992ccd64

name
string

Name of the software installed on the device.

Example: Mozilla Firefox 36.0.1 (x86 en-GB)

publisher
string

Software vendor name.

Example: Mozilla

version
string

Version of the software installed on the device.

Example: 36.0.1

size
integer

Size in bytes of the software installed on the device (if available).

Example: 85687

installation_date
string

Software installation date (if available).

Example: 2022-03-03T15:24:52.202Z

is_patch
boolean

Indicates whether the software is a patch.

Example: false

total_items
integer

Total number of retrieved software programs.

If the count request parameter is true, total_items displays the total retrieved software programsof devices. If count is false, then total_items displays null.

Example: 1

Retrieve BIOS Information

/api/{v1}/accounts/{accountId}/devices/{deviceId}/hardwareinventory

Retrieves the characteristics of a device BIOS.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

deviceId
string
REQUIRED

Identifier of the device.

Example: 287324d8-194f-4f5a-a7ad-e2480d5ad1b3

Example Request

This request retrieves information about a device BIOS.

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/devices/287324d8-194f-4f5a-a7ad-e2480d5ad1b3/hardwareinventory
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response returns information about the device BIOS vendor, release date, and version:

{
  "bios": [
    {
      "name": "L01 v02.33",
      "manufacturer": "Hewlett-Packard",
      "version": "HPQOEM - 20140715); L01 v02.33); American Megatrends - 4028E);",
      "serial_number": "CZC4462KD8",
      "release_date": "2015-05-22T07:11:20.994Z"
	  }
    ]
}

This table lists and describes the data returned in the response:

bios
array

Array with the BIOS data.

name
string

BIOS name.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

manufacturer
string

BIOS vendor name.

Example: AD360

version
string

BIOS software version.

Example: 18421fc0-285a-41e6-8a67-a8cb400bedd0

serial_number
string

BIOS serial number.

Example: WIN-DESKTOP-3

release_date
string

BIOS release date (if available).

Example: 2015-05-22T07:11:20.994Z

Retrieve Tasks

/api/v1/accounts/{accountId}/tasks

Retrieves a list of all tasks created.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$filter
string

Specifies a filter to retrieve the task list. You can combine two or more values with the boolean operators %20And%20 and %20Or%20:

  • 41003%20Eq%20{taskTypeEnum} — Task type. 1=Antimalware scan, 2=Malware disinfection, 6=Patch installation, 7=Patch uninstallation,10=IOC search
  • 41004%20Eq%20{scheduleTypeEnum} — Task start type. 1=Immediate,2=One-time,3=Scheduled
  • 41006%20Eq%20{stateTypeEnum} — Task status. 0=No recipients, 1=Unpublished, 2=In progress, 3=Canceled, 4=Finished

Example: Retrieves all immediate tasks: filter=41004%20Eq%201.

Example Request

This request retrieves information about immediate tasks.

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/tasks?$count=true&$filter=41004%20Eq%201
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response returns information about each task found:

{
  "data": [
    {
      "account_id": "cd6c6dd6-r97o-453d-ld8o-a5976dc0596c",
      "id": "1530df10-0a9a-46bb-b8ab-aec2d0d8b9a3",
      "name": "Test API 01",
      "description": "Scan task created from API",
      "type": 1,
      "status": {
          "enabled": true,
          "delivery_state": 2,
          "last_job_date": null
      },
      "schedule": {
          "type": 1,
          "start_date": "12a345a6-a789-0123-a4aa-56a7890a12a3",
          "is_local_time": false,
          "recurrence": { 
              "Type": 2,
              "Frequency": 1,
              "DaysOfWeek": [1, 2, 3, 4, 5]
           },
          "execution_timeout": null,
          "execution_window": 1,
          "execution_window_expiration": "600.00:00:00",
          "publish_date": "2015-10-19T00:00:00Z"
      },
      "can_be_deleted": false,
      "can_be_copied": true,
      "can_access_to_detailed_view": true,
      "scope_type": 1
    }
  ],
  "total_items": 1
}

This table lists and describes the data returned in the response:

data
array

Array of task data.

account_id
string

Identifier for the account.

Example: cd6c6dd6-r97o-453d-ld8o-a5976dc0596c

id
string

Identifier of the task.

Example: 1530df10-0a9a-46bb-b8ab-aec2d0d8b9a3

name
string

Name of the task.

Example: Test API 01

description
string

Description of the task.

Example: Scan task created from API

type
integer

Type of task. This can be one of these values:

  • 1 — Antimalware scan task
  • 2 — Malware disinfection task
  • 6 — Patch installation task
  • 7 — Patch uninstallation task
  • 10 — IOC search task

Example: 1

status
array

Status of the task.

enabled
boolean

Indicates whether the task is enabled or not.

Example: true

delivery_state
integer

Delivery status of the task. This can be one of these values:

  • 0 — Pending
  • 1 — Ready for delivery
  • 2 — Published
  • 3 — Canceled
  • 4 — Finished

Example: 1

last_job_date
string

Date of the last update of a job associated with the task.

Example: 2023-06-11T12:00:00Z

schedule
array

Task schedule details.

type
integer

Type of schedule. This can be one of these values:

  • 1 — Now
  • 2 — One-time
  • 3 — Recurring

Example: 1

start_date
string

Start date of the schedule.

Example: 2023-06-11T12:00:00Z

is_local_time
boolean

Indicates whether the date is local.

Example: false

recurrence
array

Task recurrence pattern.

type
integer

Type of recurrence. This can be one of these values:

  • 1 — Daily
  • 2 — Weekly
  • 3 — Monthly
  • 4 — Yearly
  • 5 — Hourly

Example: 1

frequency
integer

Number of executions of the scheduled task.

Example: 3

days_of_week
array

List of days of the week the task is scheduled for. 0=Sunday, 1=Monday, 2=Tuesday, 3=Wednesday, 4=Thursday, 5=Friday, 6=Saturday.

Example: [3,6]

week_of_month
integer

Week in the month the task is scheduled for (optional). This can be one of these values:

  • 1 — First
  • 2 — Second
  • 3 — Third
  • 4 — Fourth
  • 5 — Last

Example: 1

date_of_month
array

Days of the month the task is scheduled for. 1=Day one, 2=Day two..., 30=Day thirty, 31=Day thirty one.

Example: [23,25]

month_of_year
array

Months of the year the task is scheduled for. 0=Every month,1=January...,12=December.

Example: 1

execution_timeout
string

Specifies how long the task can run from the time it starts.

Example: 1.07:06:05 indicates 1 day, 7 hours, 6 minutes, and 5 seconds.

execution_window
integer

Execution window for the scheduled task. This can be one of these values:

  • 0 — Only at specified time
  • 1 — As soon as possible

Example: 1

execution_window_expiration
string

Maximum wait time for the task to start if the target device is not available.

Example: 3.07:06:05 indicates 3 days, 7 hours, 6 minutes, and 5 seconds.

publish_date
string

Publication date for the scheduled task.

Example: 2023-06-21T11:00:00Z

can_be_deleted
boolean

Indicates whether the task can be deleted.

Example: false

can_be_copied
boolean

Indicates whether the task can be copied.

Example: true

can_access_to_detailed_view
boolean

Indicates whether the task can access a detailed view.

Example: true

scope_type
integer

Indicates the scope of the task. This can be one of these values:

  • 0 — Invalid
  • 1 — Customer
  • 2 — Partner

Example: 1

total_items
integer

Total number of retrieved tasks.

If the count request parameter is true, total_items displays the total number of retrieved tasks. If count is false, then total_items displays null.

Example: 1

Retrieve Task Repetitions

/api/v1/accounts/{accountId}/tasks/{type}/{taskId}/jobs

Retrieves task repetitions for a specific task.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

type
integer
REQUIRED

Type of task. This can be one of these values:

  • 1 — Antimalware scan task
  • 2 — Malware disinfection task
  • 6 — Patch installation task
  • 7 — Patch uninstallation task
  • 10 — IOC search task

Example: 1

taskId
string
REQUIRED

Task unique identifier.

Example: 287324d8-194f-4f5a-a7ad-e2480d5ad1b

Example Request

This request retrieves information about antimalware task repetitions for a specific task.

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/tasks/1/68ce953a-b590-44d0-a9fa-34d224c9b5e7/jobs
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response includes details of the task repetitions:

[
  {
    "id": "20230517153644",
    "date": "2023-05-17T15:36:44Z",
    "affected_items": 0,
    "is_local_time": false
  }
]

This table lists and describes the data returned in the response:

array

Array of task repetition data.

id
string

Identifier of the task repetition.

Example: 20230517153644

date
string

Task repetition date.

Example: 2023-05-17T15:36:44Z

affected_items
integer

Number of items affected by the repeated task.

Example: 0

is_local_time
boolean

Indicates whether the repetition date is local.

Example: Scan task created from API

Retrieve Task Status

/api/v1/accounts/{accountId}/tasks/{type}/{taskId}/jobs/{jobId}/status

Retrieves the status of task repetitions for a specific task.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

type
integer
REQUIRED

Type of task. This can be one of these values:

  • 1 — Antimalware scan task
  • 2 — Malware disinfection task
  • 6 — Patch installation task
  • 7 — Patch uninstallation task
  • 10 — IOC search task

Example: 1

taskId
string
REQUIRED

Unique identifier of the task.

Example: 287324d8-194f-4f5a-a7ad-e2480d5ad1b

jobId
string
REQUIRED

Identifier of the task specific repetition.

Example : 20230615000000

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$filter
string

Specifies a filter to retrieve the status of task repetitions for a specific task. You can combine two or more values with the boolean operators %20And%20 and %20Or%20:

  • 40002%20Eq%20{statusEnum} — Status of the task: 0=Pending, 1=In progress, 2=Succeeded, 3=Failed, 4=Expired, 5=Canceled, 6=Canceling, 7=Timeout
  • 40001%20Gt%200 — Repetition with detections
  • 40001%20Eq%200 — Repetition with no detections

Example: Retrieves repetitions in Pending status: filter=40002%20Eq%200.

Example Request

This request retrieves information about repetitions in Pending status for a specific task.

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/tasks/1/68ce953a-b590-44d0-a9fa-34d224c9b5e7/jobs/20230227000000/status?$count=true
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response returns information about each repetition found:

{
  "data": [
    {
      "site_id": "8b7205bc-60e0-45a0-9956-b17b6a8673f6",
      "site_name": "AD360",
      "device_id": "18421fc0-285a-41e6-8a67-a8cb400bedd0",
      "host_name": "WIN-DESKTOP-3",
      "device_type": 3,
      "ip_address": "192.168.0.66",
      "status": 2,
      "affected_items": 3,
      "start_time": "2023-02-27T00:03:06Z",
      "finish_time": "2023-02-27T00:05:11Z"	  }
    ],
    "total_items": 1
}

This table lists and describes the data returned in the response:

data
array

Array of repetition data.

site_id
string

Identifier for the site.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

site_name
string

Name of the site the device belongs to.

Example: AD360

device_id
string

Identifier for the device.

Example: 18421fc0-285a-41e6-8a67-a8cb400bedd0

host_name
string

Host name of the device.

Example: WIN-DESKTOP-3

device_type
integer

Type of device. This can be one of these values:

  • 1 — Workstation
  • 2 — Laptop
  • 3 — Server
  • 4 — Mobile device

Example: 1

ip_address
string

IP address of the device.

Example: 192.168.0.66

status
integer

Status of the task repetition. This can be one of these values.

  • 0 — Pending
  • 1 — In progress
  • 2 — Succeeded
  • 3 — Failed
  • 4 — Expired
  • 5 — Canceled
  • 6 — Canceling
  • 7 — Timeout

Example: 2

affected_items
integer

Number of items affected by the repeated task.

Example: 3

start_time
string

Start date for the repeated task.

Example: 2023-06-15T12:00:00Z

finish_time
string

End date for the repeated task.

Example: 2023-06-16T18:00:00Z

total_items
integer

Total number of retrieved repetitions.

If the count request parameter is true, total_items displays the total number of retrieved repetitions. If count is false, then total_items displays null.

Example: 1

   

Retrieve Task Results

/api/v1/accounts/{accountId}/tasks/{type}/{taskId}/jobs/{jobId}/results

Retrieves the results of a specific task repetition.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

type
integer
REQUIRED

Type of task. This can be one of these values:

  • 1 — Antimalware scan task
  • 2 — Malware disinfection task
  • 6 — Patch installation task
  • 7 — Patch uninstallation task
  • 10 — IOC search task

Example: 1

taskId
string
REQUIRED

Unique identifier of the task.

Example: 287324d8-194f-4f5a-a7ad-e2480d5ad1b

jobId
string
REQUIRED

Identifier of the specific task repetition.

Example : 20230615000000

Request Parameters

When you send a request to this endpoint, you can include these request parameters:

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

Example Request

This request retrieves the results of a specific task repetition.

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/tasks/1/68ce953a-b590-44d0-a9fa-34d224c9b5e7/jobs/20230227000000/results
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response returns information about the task repetition:

{
  "data": [
    {
      "device_id": "18421fc0-285a-41e6-8a67-a8cb400bedd0",
      "host_name": "WIN-DESKTOP-3",
      "device_type": 3,
      "ip_address": "192.168.0.66",
      "date": "2023-06-25T12:00:00Z",
      "malware_info": {
          "malware_category": 2,
          "path": "C:\\Documents\\AAABC_dc9354c9H.zip",
          "number_of_occurrences": 1
      }
      "patch_info": null,
      "ioc_info": null	  
     }
  ],
    "total_items": 1
}

This table lists and describes the data returned in the response:

data
array

Array with information about the repeated task.

device_id
string

Identifier for the device.

Example: 18421fc0-285a-41e6-8a67-a8cb400bedd0

host_name
string

Host name of the device.

Example: WIN-DESKTOP-3

device_type
integer

Type of device. This can be one of these values:

  • 1 — Workstation
  • 2 — Laptop
  • 3 — Server
  • 4 — Mobile device

Example: 1

ip_address
string

IP address of the device.

Example: 192.168.0.66

date
string

Task results date.

Example: 2023-06-25T12:00:00Z

malware_info
array

Additional information for antimalware scan tasks and malware disinfection tasks.

malware_category
integer

Malware category in antivirus detections. This can be one of these values:

  • 1 — Virus
  • 2 — Spyware
  • 3 — HackingPpnd
  • 4 — Phishing
  • 5 — Suspicious
  • 6 — Blocked Operations
  • 7 — Tracking Cookies
  • 8 — Malware URL
  • 9 — Other

Example: 4

path
string

Path where the malware was detected.

Example: C:\\Documents\\AAABC_dc9354c9H.zip

number_of_occurrences
integer

Number of occurrences in antivirus detections.

Example: 1

patch_info
array

Additional information for patch installation tasks and patch uninstallation tasks.

patch_name
string

Name of the patch.

Example: Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2

product_name
string

Name of the product associated with the patch.

Example: .NET Framework 4.7 (x64)

product_version
string

Version of the product associated with the patch

Example: 4.7

criticality
integer

Patch severity. This can be one of these values:

  • 101 — Other patches (non-security-related)
  • 201 — Critical (security-related)
  • 202 — Important (security-related)
  • 203 — Moderate (security-related)
  • 204 — Low (security-related)
  • 205 — Unspecified (security-related)
  • 301 — Service Pack

Example: 301

installation_date
string

Date when the patch was installed.

Example: 2023-06-25T12:00:00Z

result
integer

Result of the patch operation performed. This can be one of these values:

  • 1— Installed
  • 2 — Waiting for reboot
  • 3 — Download error
  • 4 — Installation error
  • 5 — Already installed
  • 6 — Uninstalled
  • 7 — Uninstallation error
  • 8 — Manual download error

Example: 1

ioc_info
array

Additional information for IOC search tasks.

ioc_name
string

Name of the IOC associated with the result of the task.

Example: Search based on domain

ioc_description
string

Description of the IOC associated with the result of the task.

Example: Approved: Domain rule description

total_items
integer

Count is not supported. Currently, null is always displayed in this field.

Example: null

Retrieve Task Details

/api/v1/accounts/{accountId}/taskdetails/{type}/{taskId}

Retrieves the details of a specific task.

Path Parameters

When you send a request to this endpoint, you must include these path parameters:

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

type
integer
REQUIRED

Type of task. This can be one of these values:

  • 1 — Antimalware scan task
  • 2 — Malware disinfection task
  • 6 — Patch installation task
  • 7 — Patch uninstallation task
  • 10 — IOC search task

Example: 1

taskId
string
REQUIRED

Unique identifier of the task.

Example: 287324d8-194f-4f5a-a7ad-e2480d5ad1b

Example Request

This request retrieves information about a specific task.

curl -X GET https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1/accounts/WGC-1-123abc456/taskdetails/1/75541a26-729b-4d54-ab80-262339ffbaa7
		-H 'Accept: application/json'
		-H 'Content-Type: application/json'
		-H 'WatchGuard-API-Key: s9t7El6RZFg8UcmRhYKdwXqBhyuioiWER83Nqd0tL'
		-H 'Authorization: Bearer eyJraWQiOiJNWnpabklNK2V6Q3BXUE5mM2FXTHhoSmEza0ltcEFMbnluT05DcFdIT2tZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJjNDQyMTJlMi05MmI1LTRiOTYtYTRmNS1lYWRlODA4OTM1YjIiLCJjdXN0b206YXBpX2tleXMiOiJwMHM1UmQzUkF2NlR2d0VuWEx5YUphR2x0ZWtieEFVUzcwVGVzOXlGIiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tXC91cy13ZXN0LTJfa3hXeFdrTFZ5IiwiY29nbml0bzp1c2VybmFtZSI6IjAyNjk0OWM1OWI2NzIxOGNfcndfaWQiLCJhdWQiOiIzb3AybDBqazkxN3FudXFoZnVoanRvcXRzZyIsImV2ZW50X2lkIjoiODczM2ZmMjktOGNhMC00ODMyLTg0NzgtMDNiNWIxMDI3NmQ3IiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1NjkzNTM0NDEsIm5hbWUiOiIwMjY5NDljNTliNjcyMThjX3J3X2lkIiwiY3VzdG9tOmFjY291bnRfaWQiOiJBQ0MtMTIzNTA2OCIsImV4cCI6MTU2OTM1NzA0MSwiY3VzdG9tOnJvbGUiOiIxIiwiaWF0IjoxNTY5MzUzNDQxfQ.MUAeG6QyM7Zog8mM--WK2uJVevLRwz8z2KPpGhQbUnHK04Hy_JdO4F4wH6IV0WVENGsBrcjp5boxcBZgdJE46123MGnB0HvghN5IoAZUOkfFPm7SAN68posHqYLoo14YNedc5GtvOzCxTmi9YepvE5LhsoC6Tgyc0e3ABn18gEZsyxmJFcMBHXOMei7AssYSWAdDyoI7j6jZslxmhXj7_h6T9PyqjLxLjFEq5S6oK9u4IVDVBlRxbURaRVAGb7ywfHiZEPDgceV-Wnv0AIhDzj5dL28AmiGIkWtWinF0UD-NSMKN4vtszK2sUWUSl8ZfVNGU650heiAaUAy7XmiqbA'	 
		

Example Response

The response contains the task details.

{
  "account_id": "cd6c6dd6-r97o-453d-ld8o-a5976dc0596c",
  "id": "1530df10-0a9a-46bb-b8ab-aec2d0d8b9a3",
  "name": "Test API 01",
  "description": "Scan task created from API",
  "type": 6,
  "status": {
      "enabled": true,
      "delivery_state": 2,
      "last_job_date": "2023-02-27T00:08:28.184Z"
  },
  "schedule": {
      "type": 2,
      "start_date": "2023-06-11T12:00:00Z",
      "is_local_time": true,
      "recurrence": { 
          "Type": 2,
          "Frequency": 1,
          "DaysOfWeek": [1, 2, 3, 4, 5]
       },
       "execution_timeout": "02:00:00",
       "execution_window": 1,
       "execution_window_expiration": "02:00:00",
       "publish_date": "2015-10-19T00:00:00Z"
  },
  "scope_type": 1,
  "can_be_deleted": true,
  "can_be_copied": true,
  "can_access_to_detailed_view": true,
  "antimalware_scan_task_action": {
      "targets": {
          "type": 2,
          "items": [
              "c:\\mw"
          ],
          "compressed_files": true
      },
      "malware_to_detect": {
          "viruses": true,
          "hacking_tools_and_pups": true,
          "suspicious": false
      },
      "exclusions": {
          "apply_exclusions_of_resident_protection": true,
          "extensions": [
              ".xls"
          ],
          "folders": [],
          "files": []
      }
  },
  "patch_installation_task_action": null,
  "patch_uninstallation_task_action": null,
  "ioc_definition_scan_task_action": null,
  "recipients": {
    "devices": [
      {
      "device_id": "9b86334c-57ca-4440-9d71-0fb967bf873f"
      },
      {
      "device_id": "95a6d34c-5585-415c-9603-891576e0bfaa"
      }
    ],
    "custom_group_folders": ["287324d8-194f-4f5a-a7ad-e2480d5ad1b2"] 
    "device_types": [
      1,
      2,
      3,
      4
    ]
  }				
}

This table lists and describes the data returned in the response:

account_id
string

Identifier for the account.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

id
string

Identifier of the task.

Example: 1530df10-0a9a-46bb-b8ab-aec2d0d8b9a3

name
string

Name of the task.

Example: Test API 01

description
string

Description of the task.

Example: WIN-DESKTOP-3

type
integer

Type of task. This can be one of these values:

  • 1 — Antimalware scan task
  • 2 — Malware disinfection task
  • 6 — Patch installation task
  • 7 — Patch uninstallation task
  • 10 — IOC search task

Example: 1

status
array

Status of the task.

enabled
boolean

Indicates whether the task is enabled or not.

Example: true

delivery_state
integer

Delivery status of the task. This can be one of these values:

  • 0 — Pending
  • 1 — Ready for delivery
  • 2 —Published
  • 3 —Cancelled
  • 4 — Finished

last_job_date
string

Date of the last update of a repetition associated with the task.

Example: 2023-06-11T12:00:00Z

schedule
array

Task schedule details.

type
integer

Type of schedule. This can be one of these values:

  • 1 — Now
  • 2 — One-time
  • 3 — Recurring

Example: 3

start_date
string

Start date of the schedule.

Example: 2023-06-11T12:00:00Z

is_local_time
boolean

Indicates whether the date is local.

Example: false

recurrence
array

Task recurrence pattern.

type
integer

Type of recurrence. This can be one of these values:

  • 1 — Daily
  • 2 — Weekly
  • 3 — Monthly
  • 4 — Yearly
  • 5 — Hourly

Example: 1

frequency
integer

Number of executions of the scheduled task.

Example: 3

days_of_week
array

List of days of the week the task is scheduled for. 0=Sunday, 1=Monday, 2=Tuesday, 3=Wednesday, 4=Thursday, 5=Friday, 6=Saturday.

Example: [3,6]

week_of_month
integer

Week in the month the task is scheduled for (optional). This can be one of these values:

  • 1 — First
  • 2 — Second
  • 3 — Third
  • 4 — Fourth
  • 5 — Last

Example: 3

date_of_month
array

Days of the month the task is scheduled for. 1=Day one, 2=Day two..., 30=Day thirty, 31=Day thirty one.

Example: [1,11, 15, 16]

month_of_year
array

Months of the year the task is scheduled for. 0=Every month,1=January...,12=December.

Example: [1, 4, 11]

execution_timeout
string

Specifies how long the task can run from the time it starts.

Example: 1.07:06:05 (indicates 1 day, 7 hours, 6 minutes, and 5 seconds).

execution_window
integer

Execution window for the scheduled task. This can be one of these values:

  • 0 — Only at specified time
  • 1 — As soon as possible

Example: 1

execution_window_expiration
string

Maximum wait time for the task to start if the target device is not available.

Example: 3.07:06:05 (indicates 3 days, 7 hours, 6 minutes, and 5 seconds).

publish_date
string

Publication date for the scheduled task.

Example: 2023-06-21T11:00:00Z

scope_type
integer

Indicates the scope of the task. This can be one of these values:

  • 0 — Invalid
  • 1 — Customer
  • 2 — Partner

Example: 1

can_be_deleted
boolean

Indicates whether the task can be deleted.

Example: false

can_be_copied
boolean

Indicates whether the task can be copied.

Example: true

can_access_to_detailed_view
boolean

Indicates whether the task can access a detailed view.

Example: true

antimalware_scan_task_action
array

Additional information for antimalware scan tasks.

targets
array

Specifies the items to scan on the device.

type
integer

Scope of the scan task. This can be one of these values:

  • 0 — Entire computer
  • 1 — Critical areas
  • 2 — Specified items

Example: 0

items
array

List of specific locations or items to scan. All folders and files in the specified locations are scanned. Works only when scan_scope is 2.

Example: ['c:\downloads','c:\program files']

compressed_files
boolean

Indicates whether to scan compressed files. When set to true, this decompresses compressed files and scans their contents.

Example: true

malware_to_detect
array

Indicates the type of threat to scan for.

viruses
boolean

Indicates whether to scan for viruses.

Example: true

hacking_tools_and_pups
boolean

Indicates whether to scan for hacking tools and PUPs.

Example: true

suspicious
Boolean

Indicates whether to scan for suspicious items.

Example: true

exclusions
array

Indicates the items to exclude from the scan.

apply_exclusions_of_resident_protection
boolean

Indicates whether the permanent protection excludes items from the scan.

Example: true

extensions
array

List of file extensions to exclude from the scan.

Example: ['.bat','.pif']

folders
array

List of folders to exclude from the scan.

Example: ['c:\downloads','c:\program files']

files
array

List of file names to exclude from the scan.

Example: ['virus.exe','spam.exe']

patch_installation_task_action
array

Additional information for patch installation tasks.

platforms
array

List of platforms for patch installation (1=Windows, 2=macOS, 3=Linux)

Example: [1,2]

patch_installation_configuration
array

Patch installation task configuration detailed information.

patches_to_install
array

List of patch identifiers associated with the task.

Example: [00012594-0000-0000-0000-000000000000]

criticality_configuration
array

Specifies the severity of the patches to install on devices.

update_security_patches
array

Specifies the severity of the security patches to install.

critical
boolean

Indicates whether to scan for critical severity patches.

Example: true

important
boolean

Indicates whether to scan for important severity patches.

Example: true

moderate
boolean

Indicates whether to scan for moderate severity patches.

Example: true

low
boolean

Indicates whether to scan for low severity patches.

Example: true

not_classified
boolean

Indicates whether to scan for unspecified severity patches.

Example: true

update_non_security_patches
array

Specifies the severity of the non-security patches to install.

critical
boolean

Indicates whether to scan for critical severity patches.

Example: true

important
boolean

Indicates whether to scan for important severity patches.

Example: true

moderate
boolean

Indicates whether to scan for moderate severity patches.

Example: true

low
boolean

Indicates whether to scan for low severity patches.

Example: true

not_classified
boolean

Indicates whether to scan for unspecified severity patches.

Example: true

update_service_packs
boolean

Indicates whether to scan for Service Packs.

Example: true

vendors_configuration
array

Indicates the software (vendor, family, or product) to patch.

use_selected_vendors_to_apply_patches
boolean

Indicates whether you want to use the vendor/family/product configuration selected for Windows platforms to apply the patches in the task.

Example: true

selected_vendors_ids
array

List of vendor identifiers associated with the task.

Example: [9, 8, 82, 183]

selected_vendor_families_ids
array

List of software family identifiers associated with the task.

Example: [53, 54, 199, 56, 63, 239]

selected_vendor_versions_ids
array

List of software version identifiers associated with the task.

Example: [79, 80, 81, 83, 87, 1174]

vendors_configuration_for_linux
array

Indicates the Linux software (vendor, family, or product) to patch.

use_selected_vendors_to_apply_patches
boolean

Indicates whether you want to use the vendor/family/product configuration selected for Linux platforms to apply the patches in the task.

Example: true

install_patches_requiring_forced_reboot
boolean

Indicates whether you want to install patches that require a forced reboot of the target device. Currently, this parameter applies to macOS computers only.

Example: true

selected_vendor_names
array

List of vendor name identifiers to use in the task.

Example: ["Gimp.org"],

selected_vendor_family_names
array

List of software family name identifiers to use in the task.

Example: ["Gimp.org/Gimp", "Gimp.org/gimp-data-extras", "Gimp.org/gimp-help"]

vendors_configuration_for_mac
array

Indicates the macOS software (vendor, family, or product) to patch.

use_selected_vendors_to_apply_patches
boolean

Indicates whether you want to use the vendor/family/product configuration selected for macOS platforms to apply the patches in the task.

Example: true

install_patches_requiring_forced_reboot
boolean

Indicates whether you want to install patches that require a forced reboot of the target device.

Example: true

selected_vendor_names
array

List of vendor name identifiers to use in the task.

Example: ["Opera"]

selected_vendor_family_names
array

List of software family name identifiers to use in the task.

Example: ["Opera Software ASA/Opera"],

patch_uninstallation_task_action
array

Additional information for patch uninstallation tasks.

patch_uninstallation_configuration
array

Patch uninstallation task configuration detailed information.

patches_to_uninstall
array

List of patch identifiers associated with the task.

Example: [00012594-0000-0000-0000-000000000000]

ioc_definition_scan_task_action
array

Additional information for IOC search tasks.

ioc_definition_scan_task_configuration
array

IOC search task configuration detailed information.

ioc_definition_ids
array

List of IOCs associated with the task.

details
array

Details of the IOC

id
string

Identifier of the IOC.

Example: 6b7205bc-60e0-45a0-9956-b17b6a8673f3

name
string

Name of the IOC.

Example: Search based on domain

stix_bundle
string

STIX content associated with the IOC search task.

Example: <?xml version=\"1.0\"?><bundle><type>bundle</type><id>bundle--5928e8d2-ebac-493d-b912-b24221ecdf28</id><objects></objects></bundle>

recipients
array

Specifies the task recipients.

devices
array

Specifies the task recipients (devices).

device_id
string

Identifier for the device associated with the task.

Example: 5b7205bc-60e0-45a0-9956-b17b6a8673f1

custom_group_folders
array

Specifies task recipients of the custom group type.

device_id
string

Identifier for the custom group folder associated with the task.

Example: 6b7205bc-60e0-45a0-9956-b17b6a8673f2

device_types
array

Specifies task recipients based on the type of device where the task is run.

device_id
string

Identifier for the device type associated with the task.

Example: 7b7205bc-60e0-45a0-9956-b17b6a8673f3