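REST API Documentation
Note: the request samples below show `Authorization: Basic username:password` as a placeholder. With HTTP Basic authentication the header actually carries the Base64 encoding of `username:password`. Base64 is an encoding, not encryption, so requests should only be sent over HTTPS.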
GET /settings/tags HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
A list of all currently added tags
[
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"tag": "text",
"createdAt": "2025-07-06T00:56:58.826Z"
}
]
POST /settings/tags HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 14
{
"tag": "text"
}
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"tag": "text",
"createdAt": "2025-07-06T00:56:58.826Z"
}
PUT /authentication/password HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 22
{
"newPassword": "text"
}
No content
GET /settings/events HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current file system events configuration
{
"queryingDelay": "text",
"savingDelay": "text",
"incidentDetection": {
"enabled": true,
"inactivityPeriod": "text"
}
}
PUT /settings/events HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 45
{
"queryingDelay": "text",
"savingDelay": "text"
}
{
"queryingDelay": "text",
"savingDelay": "text",
"incidentDetection": {
"enabled": true,
"inactivityPeriod": "text"
}
}
GET /settings/excluded-paths HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"paths": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"path": "text",
"user": "text"
}
]
}
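Path to exclude
Username for which the path should be excluded from monitoring. Because excluded paths are not monitored, keep exclusions as narrow as possible and review them regularly.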
POST /settings/excluded-paths HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 29
{
"path": "text",
"user": "text"
}
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"path": "text",
"user": "text"
}
Excluded path identifier
GET /settings/excluded-paths/{id} HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"path": "text",
"user": "text"
}
Excluded path identifier
DELETE /settings/excluded-paths/{id} HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
No content
GET /settings/reports/file-event-report HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Success
{
"enabled": true,
"timeZone": "text",
"scheduledHours": [
"00:56:58"
]
}
PUT /settings/reports/file-event-report HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 34
{
"enabled": true,
"timeZone": "text"
}
{
"enabled": true,
"timeZone": "text",
"scheduledHours": [
"00:56:58"
]
}
POST /settings/reports/file-event-report/hours HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 19
{
"hour": "00:56:58"
}
{
"enabled": true,
"timeZone": "text",
"scheduledHours": [
"00:56:58"
]
}
DELETE /settings/reports/file-event-report/hours HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"enabled": true,
"timeZone": "text",
"scheduledHours": [
"00:56:58"
]
}
GET /settings/reports/file-event-report/excluded-paths HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Success
[
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"path": "text",
"user": "text"
}
]
Path to exclude
Username for which the path should be excluded from monitoring
POST /settings/reports/file-event-report/excluded-paths HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 29
{
"path": "text",
"user": "text"
}
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"prefix": {
"isQualified": true,
"fileName": "text"
},
"username": "text"
}
DELETE /settings/reports/file-event-report/excluded-paths/{id} HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
No content
GET /settings/reports/file-event-report/timezones HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Success
[
{
"id": "text",
"offset": "text"
}
]
GET /settings/file-integrity HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
File integrity configuration
{
"enabled": true,
"paths": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"prefix": "text",
"checkFileContents": true
}
]
}
Request to add a new monitored path to the file integrity configuration
Path prefix to monitor
Indicates whether file contents are checked to reduce the number of false positives
POST /settings/file-integrity HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 42
{
"prefix": "text",
"checkFileContents": true
}
{
"enabled": true,
"paths": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"prefix": "text",
"checkFileContents": true
}
]
}
Updates the file integrity strategy configuration
Indicates whether the file integrity strategy is enabled
PUT /settings/file-integrity HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 16
{
"enabled": true
}
{
"enabled": true,
"paths": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"prefix": "text",
"checkFileContents": true
}
]
}
ID of the path to be removed
DELETE /settings/file-integrity HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"enabled": true,
"paths": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"prefix": "text",
"checkFileContents": true
}
]
}
ID of the path to update
Indicates whether file contents are checked to reduce the number of false positives
PUT /settings/file-integrity/{id} HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 26
{
"checkFileContents": true
}
{
"enabled": true,
"paths": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"prefix": "text",
"checkFileContents": true
}
]
}
GET /events/types HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
A collection of all file system event types
[
{
"id": 1,
"name": "text"
}
]
GET /events HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"events": [
{
"filename": "text",
"oldFilename": "text",
"occurrenceTimeStamp": "2025-07-06T00:56:58.826Z",
"insertionTimeStamp": "2025-07-06T00:56:58.826Z",
"type": {
"id": 1,
"name": "text"
},
"username": "text",
"pid": 1,
"networkUsername": "text"
}
],
"nextRequestCursor": "text",
"numberOfItems": 1
}
GET /settings/honeypot HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current honeypot configuration
{
"sourcePath": "text",
"placementPaths": [
"text"
]
}
POST /settings/honeypot HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 24
{
"placementPath": "text"
}
{
"sourcePath": "text",
"placementPaths": [
"text"
]
}
A set of placement paths
PUT /settings/honeypot HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 27
{
"placementPaths": [
"text"
]
}
{
"sourcePath": "text",
"placementPaths": [
"text"
]
}
Placement path
DELETE /settings/honeypot HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"sourcePath": "text",
"placementPaths": [
"text"
]
}
User name. Only incidents created for the specified user are included
GET /security-incidents HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
A list of all detected security incidents
[
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"user": "text",
"start": "2025-07-06T00:56:58.826Z",
"end": "2025-07-06T00:56:58.826Z"
}
]
Incident identifier
Maximum number of entries to be returned
Cursor to filter out already returned entries
GET /security-incidents/{incidentId}/files HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
[
{
"originalPath": "text",
"mostRecentPath": "text",
"firstModificationTime": "2025-07-06T00:56:58.826Z",
"modification": {
"id": 1,
"name": "text"
}
}
]
Incident identifier
GET /security-incidents/{id}/events HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"events": [
{
"filename": "text",
"oldFilename": "text",
"occurrenceTimeStamp": "2025-07-06T00:56:58.826Z",
"insertionTimeStamp": "2025-07-06T00:56:58.826Z",
"type": {
"id": 1,
"name": "text"
},
"username": "text",
"pid": 1,
"networkUsername": "text"
}
],
"nextRequestCursor": "text",
"numberOfItems": 1
}
GET /security-incidents/modification-types HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
A list of all possible values of affected file modification types
[
{
"id": 1,
"name": "text"
}
]
A request that registers an agent with a management server
Agent instance identifier
The Guard Mode management server address/host
API key identifier
API key secret (a credential; keep it out of logs, scripts and shared request captures)
POST /registrations HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 150
{
"instance_id": "123e4567-e89b-12d3-a456-426614174000",
"server_address": "text",
"key_id": "123e4567-e89b-12d3-a456-426614174000",
"api_key_secret": "text"
}
{
"fqdn": "text",
"operatingSystem": "text"
}
DELETE /registrations HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Registration is removed
No content
GET /settings/block-list HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current block list data
{
"lastUpdated": "2025-07-06T00:56:58.826Z",
"fileGroupCount": 1
}
The timestamp which will be set as the 'last update time' for the block list
Collection of path filters
["*.exe"]
PUT /settings/block-list HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 62
{
"lastUpdated": "2025-07-06T00:56:58.826Z",
"filters": [
"*.exe"
]
}
No content
GET /settings/block-list/skip HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current skip list
{
"filters": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"createdDate": "2025-07-06T00:56:58.826Z",
"pattern": "text"
}
]
}
File path pattern
POST /settings/block-list/skip HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 18
{
"pattern": "text"
}
No content
Collection of path filters
["*.exe"]
PUT /settings/block-list/skip HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 21
{
"filters": [
"*.exe"
]
}
No content
Skip list pattern identifier
DELETE /settings/block-list/skip/{id} HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
No content
Maximum number of entries to be returned
Cursor to filter out already returned entries
GET /scans HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
[
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"startedAt": "2025-07-06T00:56:58.826Z",
"endedAt": "2025-07-06T00:56:58.826Z",
"lastScannedPath": "text",
"scannedFilesCount": 1,
"suspiciousFilesCount": 1,
"state": {
"id": 1,
"name": "text"
},
"pathsToScan": [
{
"value": "text",
"errorMessage": "text"
}
]
}
]
Scan creation request
Paths that will be recursively scanned
Indicates whether file names found during the scan should be analyzed to find files with names often used by ransomware
If true, the Agent will raise an alert when a suspicious file is found
POST /scans HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 66
{
"paths": [
"text"
],
"checkBlockListPatterns": true,
"sendAlerts": true
}
No content
GET /scans/{id} HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"startedAt": "2025-07-06T00:56:58.826Z",
"endedAt": "2025-07-06T00:56:58.826Z",
"lastScannedPath": "text",
"scannedFilesCount": 1,
"suspiciousFilesCount": 1,
"state": {
"id": 1,
"name": "text"
},
"pathsToScan": [
{
"value": "text",
"errorMessage": "text"
}
]
}
Maximum number of entries to be returned
Cursor to filter out already returned entries
GET /scans/{id}/suspicious-files HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"startedAt": "2025-07-06T00:56:58.826Z",
"endedAt": "2025-07-06T00:56:58.826Z",
"lastScannedPath": "text",
"scannedFilesCount": 1,
"suspiciousFilesCount": 1,
"state": {
"id": 1,
"name": "text"
},
"pathsToScan": [
{
"value": "text",
"errorMessage": "text"
}
]
}
POST /scans/{id}/stop HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
No content
GET /settings/smb HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current SMB monitoring configuration
{
"enabled": true,
"message": {
"template": "text"
},
"listener": {
"port": 1,
"endMarker": "text"
}
}
PUT /settings/smb HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 87
{
"enabled": true,
"message": {
"template": "text"
},
"listener": {
"port": 1,
"endMarker": "text"
}
}
{
"enabled": true,
"message": {
"template": "text"
},
"listener": {
"port": 1,
"endMarker": "text"
}
}
GET /settings/threshold HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current threshold configuration
{
"entropyCheck": {
"enabled": true,
"maxCheckAttempts": 1
},
"magicNumberCheck": {
"enabled": true,
"filesChecked": 1
},
"numberOfBuckets": 1,
"pointsLimit": 1,
"writesPerSecond": {
"high": 1,
"medium": 1,
"low": 1
},
"riskWeights": {
"high": 1,
"medium": 1,
"low": 1
}
}
Number of threshold buckets
Limit of data points to analyze
PUT /settings/threshold HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 235
{
"entropyCheck": {
"enabled": true,
"maxCheckAttempts": 1
},
"magicNumberCheck": {
"enabled": true,
"filesChecked": 1
},
"numberOfBuckets": 1,
"pointsLimit": 1,
"writesPerSecond": {
"high": 1,
"medium": 1,
"low": 1
},
"riskWeights": {
"high": 1,
"medium": 1,
"low": 1
}
}
{
"entropyCheck": {
"enabled": true,
"maxCheckAttempts": 1
},
"magicNumberCheck": {
"enabled": true,
"filesChecked": 1
},
"numberOfBuckets": 1,
"pointsLimit": 1,
"writesPerSecond": {
"high": 1,
"medium": 1,
"low": 1
},
"riskWeights": {
"high": 1,
"medium": 1,
"low": 1
}
}