REST API documentation | GuardMode 2022.1

Fetch all alert types

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Responses

200

Returns a collection of all possible alert types

application/json

get

/alerts/types

GET /alerts/types HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

200

Returns a collection of all possible alert types

[
  {
    "id": 1,
    "name": "text"
  }
]

Update password for default user

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Body

newPasswordstring · min: 5 · max: 20000Required

Responses

204

Password updated successfully

400

Will be returned if body is not correct

application/json

500

Will be returned if there was error with parsing configuration file

put

/authentication/password

PUT /authentication/password HTTP/1.1
Host: 
Authorization: Basic username:password
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 22

{
  "newPassword": "text"
}

No content

Get all excluded paths

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Responses

200

Returns array of excluded paths

404

Excluded paths file not found

get

/settings/excluded-paths

GET /settings/excluded-paths HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

{
  "paths": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "path": "text",
      "user": "text"
    }
  ]
}

Create new excluded path

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Body

pathstring · min: 1Required

userstring | nullableOptional

Responses

201

Returns single excluded path

400

Bad request was sent

404

Excluded paths file not found

409

Excluded path already exists

post

/settings/excluded-paths

POST /settings/excluded-paths HTTP/1.1
Host: 
Authorization: Basic username:password
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 29

{
  "path": "text",
  "user": "text"
}

{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "path": "text",
  "user": "text"
}

Get single excluded path

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Responses

200

Returns single excluded path

404

Excluded path not found or excluded paths file not found

get

/settings/excluded-paths/{id}

GET /settings/excluded-paths/{id} HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "path": "text",
  "user": "text"
}

Remove excluded path

delete

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Responses

204

Excluded path was removed

404

Excluded paths file not found

delete

/settings/excluded-paths/{id}

DELETE /settings/excluded-paths/{id} HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

No content

Fetch all file system event types

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Responses

200

Returns a collection of all possible file system event types

application/json

get

/events/types

GET /events/types HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

200

Returns a collection of all possible file system event types

[
  {
    "id": 1,
    "name": "text"
  }
]

Fetch file system events from database

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Query parameters

Startstring · date-timeOptional

Endstring · date-timeOptional

Limitinteger · int32 · min: 1 · max: 5000Optional

CursorstringOptional

incidentstring · uuidOptional

Responses

200

Returns a response object containing the collection of file system events

application/json

400

Will be returned if request is not valid

application/json

404

Incident with provided id was not found

application/json

get

/events

GET /events HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

{
  "events": [
    {
      "filename": "text",
      "oldFilename": "text",
      "occurrenceTimeStamp": "2025-12-14T18:34:11.985Z",
      "insertionTimeStamp": "2025-12-14T18:34:11.985Z",
      "type": {
        "id": 1,
        "name": "text"
      },
      "username": "text",
      "pid": 1,
      "networkUsername": "text"
    }
  ],
  "nextRequestCursor": "text",
  "numberOfItems": 1
}

Get current file system events configuration.

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Responses

200

Returns file system events configuration

application/json

get

/settings/events

GET /settings/events HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

200

Returns file system events configuration

{
  "queryingDelay": "text",
  "savingDelay": "text"
}

Update file system events configuration.

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Body

queryingDelaystring · date-spanOptional

savingDelaystring · date-spanOptional

Responses

200

File system events configuration has been updated

application/json

400

Bad request was sent

application/json

put

/settings/events

PUT /settings/events HTTP/1.1
Host: 
Authorization: Basic username:password
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 45

{
  "queryingDelay": "text",
  "savingDelay": "text"
}

{
  "queryingDelay": "text",
  "savingDelay": "text"
}

Get current honeypot configuration.

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Responses

200

Honeypot configuration has been updated

get

/settings/honeypot

GET /settings/honeypot HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

200

Honeypot configuration has been updated

{
  "sourcePath": "text",
  "placementPaths": [
    "text"
  ]
}

Add placement path to honeypot configuration

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Body

placementPathstring · min: 1Required

Responses

200

Placement path added

400

Bad request was sent

post

/settings/honeypot

POST /settings/honeypot HTTP/1.1
Host: 
Authorization: Basic username:password
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 24

{
  "placementPath": "text"
}

{
  "sourcePath": "text",
  "placementPaths": [
    "text"
  ]
}

Update honeypot configuration.

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Body

placementPathsstring[]Required

Responses

200

Honeypot configuration has been updated

400

Bad request was sent

put

/settings/honeypot

PUT /settings/honeypot HTTP/1.1
Host: 
Authorization: Basic username:password
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 27

{
  "placementPaths": [
    "text"
  ]
}

{
  "sourcePath": "text",
  "placementPaths": [
    "text"
  ]
}

Remove placement path from honeypot configuration

delete

Authorizations

AuthorizationstringRequired

Basic Authorization header

Query parameters

pathstringOptional

Responses

200

Placement path removed

400

Bad request was sent

delete

/settings/honeypot

DELETE /settings/honeypot HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

{
  "sourcePath": "text",
  "placementPaths": [
    "text"
  ]
}

Get current security incident detection configuration

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Responses

200

Returns current configuration

application/json

get

/settings/security-incidents

GET /settings/security-incidents HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

200

Returns current configuration

{
  "enabled": true,
  "inactivityPeriod": "text"
}

Update security incident detection configuration

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Body

Security incident detection configuration update request

enabledbooleanRequired

Indicates if security incident detection is enabled

inactivityPeriodstring · date-spanRequired

A period of inactivity after which incidents will be closed

Responses

200

Returns successfully updated configuration

application/json

400

Bad request was sent

application/json

put

/settings/security-incidents

PUT /settings/security-incidents HTTP/1.1
Host: 
Authorization: Basic username:password
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 42

{
  "enabled": true,
  "inactivityPeriod": "text"
}

{
  "enabled": true,
  "inactivityPeriod": "text"
}

Get all security incidents

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Query parameters

userstringOptional

Responses

200

Returns a list of all detected security incidents

application/json

get

/security-incidents

GET /security-incidents HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

200

Returns a list of all detected security incidents

[
  {
    "id": "123e4567-e89b-12d3-a456-426614174000",
    "user": "text",
    "start": "2025-12-14T18:34:11.985Z",
    "end": "2025-12-14T18:34:11.985Z"
  }
]

Get all alerts linked to a specified incident

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Responses

200

Returns a list of linked alerts

application/json

get

/security-incidents/{id}/alerts

GET /security-incidents/{id}/alerts HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

200

Returns a list of linked alerts

[
  {
    "id": "123e4567-e89b-12d3-a456-426614174000",
    "occurredAt": "2025-12-14T18:34:11.985Z",
    "type": {
      "id": 1,
      "name": "text"
    },
    "userName": "text"
  }
]

Returns block list info

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Responses

200

Returns block list info

404

Block list file not found

get

/settings/block-list

GET /settings/block-list HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

{
  "lastUpdated": "2025-12-14T18:34:11.985Z",
  "patternFilters": [
    {
      "regex": {
        "options": 0,
        "rightToLeft": true,
        "matchTimeout": "text"
      },
      "value": "text"
    }
  ]
}

Update block list patterns

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Body

lastUpdatedstring · date-timeRequired

filtersstring[]Required

Responses

204

Block list patterns were updated

304

Block list was not modified because it is already up to date

400

Bad request was sent

put

/settings/block-list

PUT /settings/block-list HTTP/1.1
Host: 
Authorization: Basic username:password
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 61

{
  "lastUpdated": "2025-12-14T18:34:11.985Z",
  "filters": [
    "text"
  ]
}

No content

Returns skip list info

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Responses

200

Returns skip list info

404

Skip list file not found

get

/settings/block-list/skip

GET /settings/block-list/skip HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

{
  "filters": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "createdDate": "2025-12-14T18:34:11.985Z",
      "pattern": "text"
    }
  ]
}

Add pattern to skip list

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Body

patternstring · min: 1Required

Responses

204

Skip pattern added

400

Bad request was sent

404

Skip list file not found

409

Pattern already exists in skip list

post

/settings/block-list/skip

POST /settings/block-list/skip HTTP/1.1
Host: 
Authorization: Basic username:password
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 18

{
  "pattern": "text"
}

No content

Update skip list patterns

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Body

filtersstring[]Required

Responses

204

Skip list patterns updated

400

Bad request was sent

put

/settings/block-list/skip

PUT /settings/block-list/skip HTTP/1.1
Host: 
Authorization: Basic username:password
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 20

{
  "filters": [
    "text"
  ]
}

No content

Remove pattern from skip list

delete

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Responses

204

Skip pattern removed

400

Bad request was sent

404

Skip list file not found

delete

/settings/block-list/skip/{id}

DELETE /settings/block-list/skip/{id} HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

No content

Returns current SMB monitoring configuration

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Responses

200

Configuration retrieval succeeded

application/json

get

/settings/smb

GET /settings/smb HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

200

Configuration retrieval succeeded

{
  "enabled": true,
  "message": {
    "separator": "text",
    "template": "text"
  },
  "listener": {
    "port": 1,
    "endMarker": "text"
  }
}

Updates SMB monitoring configuration

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Body

enabledbooleanRequired

Responses

200

Configuration update succeeded

application/json

400

Bad request was sent

application/json

put

/settings/smb

PUT /settings/smb HTTP/1.1
Host: 
Authorization: Basic username:password
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 106

{
  "enabled": true,
  "message": {
    "separator": "text",
    "template": "text"
  },
  "listener": {
    "port": 1,
    "endMarker": "text"
  }
}

{
  "enabled": true,
  "message": {
    "separator": "text",
    "template": "text"
  },
  "listener": {
    "port": 1,
    "endMarker": "text"
  }
}

Get current threshold configuration.

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Responses

200

Threshold configuration has been updated

get

/settings/threshold

GET /settings/threshold HTTP/1.1
Host: 
Authorization: Basic username:password
Accept: */*

200

Threshold configuration has been updated

{
  "entropyCheck": {
    "enabled": true,
    "maxCheckAttempts": 1
  },
  "magicNumberCheck": {
    "enabled": true,
    "filesChecked": 1
  },
  "numberOfBuckets": 1,
  "pointsLimit": 1,
  "writesPerSecond": {
    "high": 1,
    "medium": 1,
    "low": 1
  },
  "riskWeights": {
    "high": 1,
    "medium": 1,
    "low": 1
  }
}

Update threshold configuration.

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Body

numberOfBucketsinteger · int32 · max: 1000Required

Number of threshold buckets

pointsLimitinteger · int32 · max: 1000Required

Limit of data points to analyze

Responses

200

Threshold configuration has been updated

400

Bad request was sent

put

/settings/threshold

PUT /settings/threshold HTTP/1.1
Host: 
Authorization: Basic username:password
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 235

{
  "entropyCheck": {
    "enabled": true,
    "maxCheckAttempts": 1
  },
  "magicNumberCheck": {
    "enabled": true,
    "filesChecked": 1
  },
  "numberOfBuckets": 1,
  "pointsLimit": 1,
  "writesPerSecond": {
    "high": 1,
    "medium": 1,
    "low": 1
  },
  "riskWeights": {
    "high": 1,
    "medium": 1,
    "low": 1
  }
}

{
  "entropyCheck": {
    "enabled": true,
    "maxCheckAttempts": 1
  },
  "magicNumberCheck": {
    "enabled": true,
    "filesChecked": 1
  },
  "numberOfBuckets": 1,
  "pointsLimit": 1,
  "writesPerSecond": {
    "high": 1,
    "medium": 1,
    "low": 1
  },
  "riskWeights": {
    "high": 1,
    "medium": 1,
    "low": 1
  }
}