REST API Documentation

See also. To access the Swagger API using HTTPS, see Using TLS.

Returns all agent tags

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

A list of all currently added tags

idstring · uuidRequired

tagstring · min: 1Required

createdAtstring · date-timeRequired

get

/settings/tags

GET /settings/tags HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

A list of all currently added tags

[
  {
    "id": "123e4567-e89b-12d3-a456-426614174000",
    "tag": "text",
    "createdAt": "2026-03-03T16:29:18.924Z"
  }
]

Adds a new agent tag

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

tagstring · min: 1 · max: 250Required

Responses

201

Tag was successfully added

400

Bad request was sent

409

Tag limit was reached

post

/settings/tags

POST /settings/tags HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 14

{
  "tag": "text"
}

{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "tag": "text",
  "createdAt": "2026-03-03T16:29:18.924Z"
}

Removes an agent tag

delete

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Header parameters

api-versionstringRequired

Responses

204

Tag was removed

400

Bad request was sent

delete

/settings/tags/{id}

DELETE /settings/tags/{id} HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

No content

Update password for default user

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

newPasswordstring · min: 5 · max: 20000Required

Responses

204

Password was successfully updated

400

Request validation failed

application/json

500

Configuration file is malformed

put

/authentication/password

PUT /authentication/password HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 22

{
  "newPassword": "text"
}

No content

Deprecated

Update file system events configuration

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

queryingDelaystring · date-spanRequired

savingDelaystring · date-spanRequired

Responses

200

Updated file system events configuration

application/json

queryingDelaystring · date-spanRequired

Controls the frequency of the execution of queries that access file system events, like all detection strategies

savingDelaystring · date-spanRequired

Indicates how often the events are saved to the database

400

Request validation failed

application/json

put

/settings/events

PUT /settings/events HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 45

{
  "queryingDelay": "text",
  "savingDelay": "text"
}

{
  "queryingDelay": "text",
  "savingDelay": "text",
  "incidentDetection": {
    "enabled": true,
    "yaraAnalysisEnabled": true,
    "inactivityPeriod": "text"
  }
}

Get current file system events configuration

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

Current file system events configuration

application/json

queryingDelaystring · date-spanRequired

Controls the frequency of the execution of queries that access file system events, like all detection strategies

savingDelaystring · date-spanRequired

Indicates how often the events are saved to the database

get

/settings/events

GET /settings/events HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

Current file system events configuration

{
  "queryingDelay": "text",
  "savingDelay": "text",
  "incidentDetection": {
    "enabled": true,
    "yaraAnalysisEnabled": true,
    "inactivityPeriod": "text"
  }
}

Get all excluded paths

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

Current listing of excluded paths

A list of paths at which events will be ignored by agent

404

Excluded paths file was not found

get

/settings/excluded-paths

GET /settings/excluded-paths HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

{
  "paths": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "path": "text",
      "user": "text"
    }
  ]
}

Create new excluded path

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

pathstring · min: 1Required

Path to exclude

userstring · nullableOptional

Username for which the path should be excluded from monitoring

Responses

201

An excluded path entry was created

400

Request validation failed

404

Excluded paths file was not found

409

Excluded path already exists in the file

post

/settings/excluded-paths

POST /settings/excluded-paths HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 29

{
  "path": "text",
  "user": "text"
}

{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "path": "text",
  "user": "text"
}

Remove excluded path

delete

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Excluded path identifier

Header parameters

api-versionstringRequired

Responses

204

Excluded path was removed

404

Excluded paths file was not found

delete

/settings/excluded-paths/{id}

DELETE /settings/excluded-paths/{id} HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

No content

Get single excluded path

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Excluded path identifier

Header parameters

api-versionstringRequired

Responses

200

A single excluded path

Represents a path at which file system events will be ignored

idstring · uuidRequired

Excluded path identifier

pathstring · min: 1Required

Path to exclude

userstring · nullableOptional

Username for which the path should be excluded from monitoring

404

Excluded path was not found or excluded paths file was not found

get

/settings/excluded-paths/{id}

GET /settings/excluded-paths/{id} HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "path": "text",
  "user": "text"
}

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

enabledbooleanRequired

scheduledHoursstring · time[]Required

get

/settings/reports/file-event-report

GET /settings/reports/file-event-report HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

{
  "enabled": true,
  "scheduledHours": [
    "16:29:18"
  ]
}

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

enabledbooleanRequired

Responses

200

enabledbooleanRequired

scheduledHoursstring · time[]Required

400

Bad Request

put

/settings/reports/file-event-report

PUT /settings/reports/file-event-report HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 16

{
  "enabled": true
}

{
  "enabled": true,
  "scheduledHours": [
    "16:29:18"
  ]
}

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

hourstring · timeRequired

Responses

200

enabledbooleanRequired

scheduledHoursstring · time[]Required

400

Bad Request

409

Conflict

post

/settings/reports/file-event-report/hours

POST /settings/reports/file-event-report/hours HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 19

{
  "hour": "16:29:18"
}

{
  "enabled": true,
  "scheduledHours": [
    "16:29:18"
  ]
}

delete

Authorizations

AuthorizationstringRequired

Basic Authorization header

Query parameters

hourstring · timeOptional

Header parameters

api-versionstringRequired

Responses

200

enabledbooleanRequired

scheduledHoursstring · time[]Required

400

Bad Request

422

Unprocessable Content

delete

/settings/reports/file-event-report/hours

DELETE /settings/reports/file-event-report/hours HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

{
  "enabled": true,
  "scheduledHours": [
    "16:29:18"
  ]
}

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

Represents a path at which file system events will be ignored

idstring · uuidRequired

Excluded path identifier

pathstring · min: 1Required

Path to exclude

userstring · nullableOptional

Username for which the path should be excluded from monitoring

get

/settings/reports/file-event-report/excluded-paths

GET /settings/reports/file-event-report/excluded-paths HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

[
  {
    "id": "123e4567-e89b-12d3-a456-426614174000",
    "path": "text",
    "user": "text"
  }
]

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

pathstring · min: 1Required

Path to exclude

userstring · nullableOptional

Username for which the path should be excluded from monitoring

Responses

201

Created

400

Bad Request

409

Conflict

post

/settings/reports/file-event-report/excluded-paths

POST /settings/reports/file-event-report/excluded-paths HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 29

{
  "path": "text",
  "user": "text"
}

{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "path": "text",
  "user": "text"
}

delete

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Header parameters

api-versionstringRequired

Responses

204

No Content

400

Bad Request

delete

/settings/reports/file-event-report/excluded-paths/{id}

DELETE /settings/reports/file-event-report/excluded-paths/{id} HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

No content

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

Represents a path at which file system events will be tracked by file event reports

idstring · uuidRequired

Included path identifier

pathstring · min: 1Required

Path to include

userstring · nullableOptional

Username for which the path should be included in file event reports

get

/settings/reports/file-event-report/included-paths

GET /settings/reports/file-event-report/included-paths HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

[
  {
    "id": "123e4567-e89b-12d3-a456-426614174000",
    "path": "text",
    "user": "text"
  }
]

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

pathstring · min: 1Required

Path to include

userstring · nullableOptional

Username for which the path should be included in file event reports

Responses

201

Created

400

Bad Request

409

Conflict

post

/settings/reports/file-event-report/included-paths

POST /settings/reports/file-event-report/included-paths HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 29

{
  "path": "text",
  "user": "text"
}

{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "path": "text",
  "user": "text"
}

delete

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Header parameters

api-versionstringRequired

Responses

204

No Content

400

Bad Request

delete

/settings/reports/file-event-report/included-paths/{id}

DELETE /settings/reports/file-event-report/included-paths/{id} HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

No content

Returns current file integrity configuration

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

File integrity configuration

File integrity strategy configuration

enabledbooleanRequired

Indicates if the file integrity strategy is enabled

get

/settings/file-integrity

GET /settings/file-integrity HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

File integrity configuration

{
  "enabled": true,
  "paths": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "prefix": "text",
      "checkFileContents": true
    }
  ]
}

Adds new monitored path to file integrity configuration

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

Request to add new monitored path to file integrity configuration

prefixstring · min: 1Required

Path prefix to monitor

checkFileContentsbooleanRequired

Indicates if the file contents are checked to reduce number of false positives

Responses

200

File integrity strategy configuration

enabledbooleanRequired

Indicates if the file integrity strategy is enabled

201

New path was successfully added

400

Request validation failed

409

Conflict

post

/settings/file-integrity

POST /settings/file-integrity HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 42

{
  "prefix": "text",
  "checkFileContents": true
}

{
  "enabled": true,
  "paths": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "prefix": "text",
      "checkFileContents": true
    }
  ]
}

Updates file integrity strategy configuration

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

Updates file integrity strategy configuration

enabledbooleanRequired

Indicates if the file integrity strategy is enabled

Responses

200

File integrity strategy configuration

enabledbooleanRequired

Indicates if the file integrity strategy is enabled

400

Request validation failed

put

/settings/file-integrity

PUT /settings/file-integrity HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 16

{
  "enabled": true
}

{
  "enabled": true,
  "paths": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "prefix": "text",
      "checkFileContents": true
    }
  ]
}

Removes path with specified ID from file integrity configuration

delete

Authorizations

AuthorizationstringRequired

Basic Authorization header

Query parameters

idstring · uuidOptional

ID of the path to be removed

Header parameters

api-versionstringRequired

Responses

200

Path was successfully removed

File integrity strategy configuration

enabledbooleanRequired

Indicates if the file integrity strategy is enabled

204

No Content

400

Request validation failed

delete

/settings/file-integrity

DELETE /settings/file-integrity HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

{
  "enabled": true,
  "paths": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "prefix": "text",
      "checkFileContents": true
    }
  ]
}

Updates one of monitored paths

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

ID of path to update

Header parameters

api-versionstringRequired

Body

checkFileContentsbooleanRequired

Indicates if the file contents are checked to reduce number of false positives

Responses

200

File integrity strategy configuration

enabledbooleanRequired

Indicates if the file integrity strategy is enabled

404

Not Found

put

/settings/file-integrity/{id}

PUT /settings/file-integrity/{id} HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 26

{
  "checkFileContents": true
}

{
  "enabled": true,
  "paths": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "prefix": "text",
      "checkFileContents": true
    }
  ]
}

List all file system event types

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

A collection of all file system event types

application/json

Represents enumeration values, defined by ID and name

idinteger · int32Required

ID of returned value

namestring · min: 1Required

Descriptive name of this value

get

/events/types

GET /events/types HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

A collection of all file system event types

[
  {
    "id": 1,
    "name": "text"
  }
]

List file system events

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Query parameters

Startstring · date-timeOptional

Endstring · date-timeOptional

Limitinteger · int32 · min: 1 · max: 5000Optional

CursorstringOptional

incidentstring · uuidOptional

Header parameters

api-versionstringRequired

Responses

200

A collection of file system events

application/json

nextRequestCursorstring · nullableOptional

numberOfItemsinteger · int32Required

400

Request validation failed

application/json

get

/events

GET /events HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

{
  "events": [
    {
      "filename": "text",
      "oldFilename": "text",
      "occurrenceTimeStamp": "2026-03-03T16:29:18.924Z",
      "insertionTimeStamp": "2026-03-03T16:29:18.924Z",
      "type": {
        "id": 1,
        "name": "text"
      },
      "username": "text",
      "pid": 1,
      "networkUsername": "text"
    }
  ],
  "nextRequestCursor": "text",
  "numberOfItems": 1
}

Update honeypot configuration

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

placementPathsstring[]Required

A set of placement paths

sourcePathstring · nullableOptional

Source path honeypot files

Responses

200

Updated honeypot configuration

sourcePathstring · min: 1Required

Honeypot files source path

placementPathsstring[]Required

File placement path collection

400

Request validation failed

put

/settings/honeypot

PUT /settings/honeypot HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 47

{
  "placementPaths": [
    "text"
  ],
  "sourcePath": "text"
}

{
  "sourcePath": "text",
  "placementPaths": [
    "text"
  ]
}

Get current honeypot configuration

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

Current honeypot configuration

sourcePathstring · min: 1Required

Honeypot files source path

placementPathsstring[]Required

File placement path collection

get

/settings/honeypot

GET /settings/honeypot HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

Current honeypot configuration

{
  "sourcePath": "text",
  "placementPaths": [
    "text"
  ]
}

Add placement path to honeypot configuration

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

placementPathstring · min: 1Required

A set of placement paths

Responses

200

An updated honeypot configuration with the new placement path

sourcePathstring · min: 1Required

Honeypot files source path

placementPathsstring[]Required

File placement path collection

400

Request validation failed

post

/settings/honeypot

POST /settings/honeypot HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 24

{
  "placementPath": "text"
}

{
  "sourcePath": "text",
  "placementPaths": [
    "text"
  ]
}

Remove placement path from honeypot configuration

delete

Authorizations

AuthorizationstringRequired

Basic Authorization header

Query parameters

pathstringOptional

Placement path

Header parameters

api-versionstringRequired

Responses

200

An updated honeypot configuration without the selected placement path

sourcePathstring · min: 1Required

Honeypot files source path

placementPathsstring[]Required

File placement path collection

400

Request validation failed

delete

/settings/honeypot

DELETE /settings/honeypot HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

{
  "sourcePath": "text",
  "placementPaths": [
    "text"
  ]
}

List all affected files linked to an incident with provided identifier

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

incidentIdstring · uuidRequired

Incident identifier

Query parameters

Limitinteger · int32 · min: 1 · max: 2000Optional

Maximum number of entries to be returned

CursorstringOptional

Cursor to filter out already returned entries

Header parameters

api-versionstringRequired

Responses

200

A list of affected files connected to an incident with a given identifier

application/json

Affected file response item

originalPathstring · min: 1Required

Path to affected file before the incident started

mostRecentPathstring · min: 1Required

Last registered path to affected file

firstModificationTimestring · date-timeRequired

Time of the first suspicious modification of this affected file

400

Request validation failed

application/json

404

An incident with provided identifier was not found

application/json

get

/security-incidents/{incidentId}/files

GET /security-incidents/{incidentId}/files HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

[
  {
    "originalPath": "text",
    "mostRecentPath": "text",
    "firstModificationTime": "2026-03-03T16:29:18.924Z",
    "modification": {
      "id": 1,
      "name": "text"
    }
  }
]

Get suspicious events connected to an incident with provided identifier

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Incident identifier

Query parameters

Startstring · date-timeOptional

Endstring · date-timeOptional

Limitinteger · int32 · min: 1 · max: 5000Optional

CursorstringOptional

Header parameters

api-versionstringRequired

Responses

200

A collection of events connected to an incident with a given identifier

application/json

nextRequestCursorstring · nullableOptional

numberOfItemsinteger · int32Required

400

Request validation failed

application/json

404

An incident with provided identifier was not found

application/json

get

/security-incidents/{id}/events

GET /security-incidents/{id}/events HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

{
  "events": [
    {
      "filename": "text",
      "oldFilename": "text",
      "occurrenceTimeStamp": "2026-03-03T16:29:18.924Z",
      "insertionTimeStamp": "2026-03-03T16:29:18.924Z",
      "type": {
        "id": 1,
        "name": "text"
      },
      "username": "text",
      "pid": 1,
      "networkUsername": "text"
    }
  ],
  "nextRequestCursor": "text",
  "numberOfItems": 1
}

List all security incidents

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Query parameters

userstringOptional

User name. Only includes the incidents which were created for a specific user

Header parameters

api-versionstringRequired

Responses

200

A list of all detected security incidents

application/json

Security incident response item

idstring · uuidRequired

Identifier of the incident

userstring · min: 1Required

User for whom the incident was opened

startstring · date-timeRequired

Incident start time

endstring · date-time · nullableRequired

Incident end time, or null if it is still ongoing

get

/security-incidents

GET /security-incidents HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

A list of all detected security incidents

[
  {
    "id": "123e4567-e89b-12d3-a456-426614174000",
    "user": "text",
    "start": "2026-03-03T16:29:18.924Z",
    "end": "2026-03-03T16:29:18.924Z"
  }
]

Get all possible values of affected file modification types

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

A list of all possible values of affected file modification types

application/json

Represents enumeration values, defined by ID and name

idinteger · int32Required

ID of returned value

namestring · min: 1Required

Descriptive name of this value

get

/security-incidents/modification-types

GET /security-incidents/modification-types HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

A list of all possible values of affected file modification types

[
  {
    "id": 1,
    "name": "text"
  }
]

Registers the agent's node with a management server

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

A request that registers an agent with a management server

instance_idstring · uuidRequired

Agent instance identifier

server_addressstring · min: 1Required

The Guard Mode management server address/host

key_idstring · uuidRequired

API key identifier

api_key_secretstring · min: 1Required

API key secret

Responses

200

Registration response with an extra data about the node

Successful agent registration response

fqdnstring · min: 1Required

Fully qualified domain name of the registered agent

operatingSystemstring · nullableOptional

Agent's operating system

400

Request validation failed

409

Agent is already registered with a server instance

post

/registrations

POST /registrations HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 150

{
  "instance_id": "123e4567-e89b-12d3-a456-426614174000",
  "server_address": "text",
  "key_id": "123e4567-e89b-12d3-a456-426614174000",
  "api_key_secret": "text"
}

{
  "fqdn": "text",
  "operatingSystem": "text"
}

Removes the current registration from a management server

delete

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

204

Registration is removed

delete

/registrations

DELETE /registrations HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

204

Registration is removed

No content

Returns block list information

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

Current block list data

lastUpdatedstring · date-timeRequired

A timestamp which indicates when the block list was last updated

fileGroupCountinteger · int64Required

Count of pattern/file groups

get

/settings/block-list

GET /settings/block-list HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

Current block list data

{
  "lastUpdated": "2026-03-03T16:29:18.924Z",
  "fileGroupCount": 1
}

Update block list patterns

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

lastUpdatedstring · date-timeRequired

The timestamp which will be set as the 'last update time' for the block list

filtersstring[]Required

Collection of path filters

Example: ["*.exe"]

Responses

204

Block list patterns were updated

304

Block list was not modified because it is already up to date

400

Request validation failed

put

/settings/block-list

PUT /settings/block-list HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 62

{
  "lastUpdated": "2026-03-03T16:29:18.924Z",
  "filters": [
    "*.exe"
  ]
}

No content

Returns skip list information

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

Current skip list

Skip list filters

get

/settings/block-list/skip

GET /settings/block-list/skip HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

Current skip list

{
  "filters": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "createdDate": "2026-03-03T16:29:18.924Z",
      "pattern": "text"
    }
  ]
}

Update skip list patterns

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

filtersstring[]Required

Collection of path filters

Example: ["*.exe"]

Responses

204

Skip list patterns updated

400

Request validation failed

put

/settings/block-list/skip

PUT /settings/block-list/skip HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 21

{
  "filters": [
    "*.exe"
  ]
}

No content

Add a pattern to skip list

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

patternstring · min: 1Required

File path pattern

Responses

204

Skip pattern added

400

Request validation failed

409

Pattern already exists in the skip list

post

/settings/block-list/skip

POST /settings/block-list/skip HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 18

{
  "pattern": "text"
}

No content

Remove a pattern from skip list

delete

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Skip list pattern identifier

Header parameters

api-versionstringRequired

Responses

204

Skip pattern was removed

400

Request validation failed

delete

/settings/block-list/skip/{id}

DELETE /settings/block-list/skip/{id} HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

No content

Get all scans

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Query parameters

Limitinteger · int32 · min: 1 · max: 2000Optional

Maximum number of entries to be returned

CursorstringOptional

Cursor to filter out already returned entries

Header parameters

api-versionstringRequired

Responses

200

Returns a list of all scans, both ended and ongoing

File system scan

idstring · uuidRequired

Identifier of the scan

startedAtstring · date-timeRequired

Scan start time

endedAtstring · date-time · nullableRequired

Scan end time if it has ended, or null otherwise

lastScannedPathstring · nullableRequired

Last file path scanned by this scan, or null if no files were scanned yet

scannedFilesCountinteger · int32Required

Number of files that were scanned

suspiciousFilesCountinteger · int32Required

Number of suspicious files found

400

Bad Request

get

/scans

GET /scans HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

[
  {
    "id": "123e4567-e89b-12d3-a456-426614174000",
    "startedAt": "2026-03-03T16:29:18.924Z",
    "endedAt": "2026-03-03T16:29:18.924Z",
    "lastScannedPath": "text",
    "scannedFilesCount": 1,
    "suspiciousFilesCount": 1,
    "state": {
      "id": 1,
      "name": "text"
    },
    "pathsToScan": [
      {
        "value": "text",
        "errorMessage": "text"
      }
    ]
  }
]

Start new scan

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

Scan creation request

pathsstring[]Required

Paths that will be recursively scanned

checkBlockListPatternsbooleanRequired

Indicates if file names found during scan should be analyzed to find files with names often used by ransomware

checkYaraRulesbooleanOptional

Indicates if files should be scanned using YARA rules

sendAlertsbooleanOptional

If true, Agent will raise alert on suspicious file found

rootMountPointsstring[] · nullableOptional

If present, causes exclusions to work as if filesystem root was at each of provided paths

Responses

200

Returns a newly created scan

No content

202

Accepted

400

Bad request was sent

post

/scans

POST /scans HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 115

{
  "paths": [
    "text"
  ],
  "checkBlockListPatterns": true,
  "checkYaraRules": true,
  "sendAlerts": true,
  "rootMountPoints": [
    "text"
  ]
}

No content

Get a scan with a given ID

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Header parameters

api-versionstringRequired

Responses

200

Returns a scan with provided ID

File system scan

idstring · uuidRequired

Identifier of the scan

startedAtstring · date-timeRequired

Scan start time

endedAtstring · date-time · nullableRequired

Scan end time if it has ended, or null otherwise

lastScannedPathstring · nullableRequired

Last file path scanned by this scan, or null if no files were scanned yet

scannedFilesCountinteger · int32Required

Number of files that were scanned

suspiciousFilesCountinteger · int32Required

Number of suspicious files found

404

There is no scan with a given ID

get

/scans/{id}

GET /scans/{id} HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "startedAt": "2026-03-03T16:29:18.924Z",
  "endedAt": "2026-03-03T16:29:18.924Z",
  "lastScannedPath": "text",
  "scannedFilesCount": 1,
  "suspiciousFilesCount": 1,
  "state": {
    "id": 1,
    "name": "text"
  },
  "pathsToScan": [
    {
      "value": "text",
      "errorMessage": "text"
    }
  ]
}

Get suspicious files' details from a scan with a given ID

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Query parameters

Limitinteger · int32 · min: 1 · max: 1000Optional

Maximum number of entries to be returned

CursorstringOptional

Cursor to filter out already returned entries

Header parameters

api-versionstringRequired

Responses

200

Returns a list of suspicious files found by this scan

File system scan

idstring · uuidRequired

Identifier of the scan

startedAtstring · date-timeRequired

Scan start time

endedAtstring · date-time · nullableRequired

Scan end time if it has ended, or null otherwise

lastScannedPathstring · nullableRequired

Last file path scanned by this scan, or null if no files were scanned yet

scannedFilesCountinteger · int32Required

Number of files that were scanned

suspiciousFilesCountinteger · int32Required

Number of suspicious files found

400

Bad Request

404

There is no scan with a given ID

get

/scans/{id}/suspicious-files

GET /scans/{id}/suspicious-files HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "startedAt": "2026-03-03T16:29:18.924Z",
  "endedAt": "2026-03-03T16:29:18.924Z",
  "lastScannedPath": "text",
  "scannedFilesCount": 1,
  "suspiciousFilesCount": 1,
  "state": {
    "id": 1,
    "name": "text"
  },
  "pathsToScan": [
    {
      "value": "text",
      "errorMessage": "text"
    }
  ]
}

Attempts to stop a scan with given ID

post

Authorizations

AuthorizationstringRequired

Basic Authorization header

Path parameters

idstring · uuidRequired

Header parameters

api-versionstringRequired

Responses

200

Scan was successfully stopped

No content

204

Scan has already finished

404

Scan with provided ID doesn't exist

422

Scan with provided ID cannot be stopped

post

/scans/{id}/stop

POST /scans/{id}/stop HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

No content

Returns current SMB monitoring configuration

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

Current SMB monitoring configuration

application/json

enabledbooleanRequired

Indicates whether the SMB listener is enabled or disabled

get

/settings/smb

GET /settings/smb HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

Current SMB monitoring configuration

{
  "enabled": true,
  "message": {
    "template": "text"
  },
  "listener": {
    "port": 1,
    "endMarker": "text"
  }
}

Updates SMB monitoring configuration

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

enabledbooleanRequired

Responses

200

Updated SMB monitoring configuration

application/json

enabledbooleanRequired

Indicates whether the SMB listener is enabled or disabled

400

Request validation failed

application/json

put

/settings/smb

PUT /settings/smb HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 87

{
  "enabled": true,
  "message": {
    "template": "text"
  },
  "listener": {
    "port": 1,
    "endMarker": "text"
  }
}

{
  "enabled": true,
  "message": {
    "template": "text"
  },
  "listener": {
    "port": 1,
    "endMarker": "text"
  }
}

Update threshold configuration.

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

numberOfBucketsinteger · int32 · max: 1000Required

Number of threshold buckets

pointsLimitinteger · int32 · max: 1000Required

Limit of data points to analyze

Responses

200

Updated threshold configuration

numberOfBucketsinteger · int32Required

Number of threshold buckets

pointsLimitinteger · int32Required

Limit of data points to analyze

400

Request validation failed

put

/settings/threshold

PUT /settings/threshold HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 264

{
  "entropyCheck": {
    "enabled": true,
    "maxCheckAttempts": 1
  },
  "magicNumberCheck": {
    "enabled": true,
    "filesChecked": 1
  },
  "yaraCheck": {
    "enabled": true
  },
  "numberOfBuckets": 1,
  "pointsLimit": 1,
  "writesPerSecond": {
    "high": 1,
    "medium": 1,
    "low": 1
  },
  "riskWeights": {
    "high": 1,
    "medium": 1,
    "low": 1
  }
}

{
  "entropyCheck": {
    "enabled": true,
    "maxCheckAttempts": 1
  },
  "magicNumberCheck": {
    "enabled": true,
    "filesChecked": 1
  },
  "yaraCheck": {
    "isEnabled": true
  },
  "numberOfBuckets": 1,
  "pointsLimit": 1,
  "writesPerSecond": {
    "high": 1,
    "medium": 1,
    "low": 1
  },
  "riskWeights": {
    "high": 1,
    "medium": 1,
    "low": 1
  }
}

Get current threshold configuration.

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

Current threshold configuration

numberOfBucketsinteger · int32Required

Number of threshold buckets

pointsLimitinteger · int32Required

Limit of data points to analyze

get

/settings/threshold

GET /settings/threshold HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

Current threshold configuration

{
  "entropyCheck": {
    "enabled": true,
    "maxCheckAttempts": 1
  },
  "magicNumberCheck": {
    "enabled": true,
    "filesChecked": 1
  },
  "yaraCheck": {
    "isEnabled": true
  },
  "numberOfBuckets": 1,
  "pointsLimit": 1,
  "writesPerSecond": {
    "high": 1,
    "medium": 1,
    "low": 1
  },
  "riskWeights": {
    "high": 1,
    "medium": 1,
    "low": 1
  }
}

Get Agent's healtcheck

get

Authorizations

Responses

200

Success

No content

get

/health

GET /health HTTP/1.1
Accept: */*

200

Success

No content

Get OpenTelemetry metrics of the Agent as a Prometheus log

get

Authorizations

Responses

200

Success

No content

get

/metrics

GET /metrics HTTP/1.1
Accept: */*

200

Success

No content

Update YARA analysis configuration

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

Responses

200

Updated configuration

400

Bad request was sent

put

/settings/yara

PUT /settings/yara HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 225

{
  "scans": {
    "rulesPath": "text",
    "maxFileSizeInBytes": 1
  },
  "threshold": {
    "rulesPath": "text",
    "maxFileSizeInBytes": 1
  },
  "fileIntegrity": {
    "rulesPath": "text",
    "maxFileSizeInBytes": 1
  },
  "incidents": {
    "rulesPath": "text",
    "maxFileSizeInBytes": 1
  }
}

{
  "scans": {
    "rulesPath": "text",
    "maxFileSizeInBytes": 1
  },
  "threshold": {
    "rulesPath": "text",
    "maxFileSizeInBytes": 1
  },
  "fileIntegrity": {
    "rulesPath": "text",
    "maxFileSizeInBytes": 1
  },
  "incidents": {
    "rulesPath": "text",
    "maxFileSizeInBytes": 1
  }
}

Get current YARA analysis configuration

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

Current configuration

get

/settings/yara

GET /settings/yara HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

Current configuration

{
  "scans": {
    "rulesPath": "text",
    "maxFileSizeInBytes": 1
  },
  "threshold": {
    "rulesPath": "text",
    "maxFileSizeInBytes": 1
  },
  "fileIntegrity": {
    "rulesPath": "text",
    "maxFileSizeInBytes": 1
  },
  "incidents": {
    "rulesPath": "text",
    "maxFileSizeInBytes": 1
  }
}

Returns information about all timezones defined in the system that agent is operating on

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

Timezone information

idstring · min: 1Required

Timezone ID that can be used set this timezone in configuration

offsetstring · date-spanRequired

Base UTC offset of this timezone (current offset might be different, depending on daylight saving time, etc.)

204

List of all known timezones

get

/settings/available-timezones

GET /settings/available-timezones HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

[
  {
    "id": "text",
    "offset": "text"
  }
]

Updates timezone configuration

put

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Body

Timezone configuration update request

timeZonestring · min: 1Required

ID of a timezone that will be set

Responses

204

Configuration was successfully updated

400

Bad request was sent

put

/settings/timezone

PUT /settings/timezone HTTP/1.1
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 19

{
  "timeZone": "text"
}

No content

Returns current timezone configuration

get

Authorizations

AuthorizationstringRequired

Basic Authorization header

Header parameters

api-versionstringRequired

Responses

200

Current timezone configuration

Timezone configuration

get

/settings/timezone

GET /settings/timezone HTTP/1.1
Authorization: Basic username:password
api-version: text
Accept: */*

200

Current timezone configuration

{
  "timeZone": {
    "id": "text",
    "offset": "text"
  }
}

PreviousUsing GuardMode Agent Command Line NextOn-demand Scanning

Last updated 1 year ago

hashtagReturns all agent tags

hashtagAdds a new agent tag

hashtagRemoves an agent tag

hashtagUpdate password for default user

hashtagUpdate file system events configuration

hashtagGet current file system events configuration

hashtagGet all excluded paths

hashtagCreate new excluded path

hashtagRemove excluded path

hashtagGet single excluded path

hashtagReturns current file integrity configuration

hashtagAdds new monitored path to file integrity configuration

hashtagUpdates file integrity strategy configuration

hashtagRemoves path with specified ID from file integrity configuration

hashtagUpdates one of monitored paths

hashtagList all file system event types

hashtagList file system events

hashtagUpdate honeypot configuration

hashtagGet current honeypot configuration

hashtagAdd placement path to honeypot configuration

hashtagRemove placement path from honeypot configuration

hashtagList all affected files linked to an incident with provided identifier

hashtagGet suspicious events connected to an incident with provided identifier

hashtagList all security incidents

hashtagGet all possible values of affected file modification types

hashtagRegisters the agent's node with a management server

hashtagRemoves the current registration from a management server

hashtagReturns block list information

hashtagUpdate block list patterns

hashtagReturns skip list information

hashtagUpdate skip list patterns

hashtagAdd a pattern to skip list

hashtagRemove a pattern from skip list

hashtagGet all scans

hashtagStart new scan

hashtagGet a scan with a given ID

hashtagGet suspicious files' details from a scan with a given ID

hashtagAttempts to stop a scan with given ID

hashtagReturns current SMB monitoring configuration

hashtagUpdates SMB monitoring configuration

hashtagUpdate threshold configuration.

hashtagGet current threshold configuration.

hashtagGet Agent's healtcheck

hashtagGet OpenTelemetry metrics of the Agent as a Prometheus log

hashtagUpdate YARA analysis configuration

hashtagGet current YARA analysis configuration

hashtagReturns information about all timezones defined in the system that agent is operating on

hashtagUpdates timezone configuration

hashtagReturns current timezone configuration

Returns all agent tags

Adds a new agent tag

Removes an agent tag

Update password for default user

Update file system events configuration

Get current file system events configuration

Get all excluded paths

Create new excluded path

Remove excluded path

Get single excluded path

Returns current file integrity configuration

Adds new monitored path to file integrity configuration

Updates file integrity strategy configuration

Removes path with specified ID from file integrity configuration

Updates one of monitored paths

List all file system event types

List file system events

Update honeypot configuration

Get current honeypot configuration

Add placement path to honeypot configuration

Remove placement path from honeypot configuration

List all affected files linked to an incident with provided identifier

Get suspicious events connected to an incident with provided identifier

List all security incidents

Get all possible values of affected file modification types

Registers the agent's node with a management server

Removes the current registration from a management server

Returns block list information

Update block list patterns

Returns skip list information

Update skip list patterns

Add a pattern to skip list

Remove a pattern from skip list

Get all scans

Start new scan

Get a scan with a given ID

Get suspicious files' details from a scan with a given ID

Attempts to stop a scan with given ID

Returns current SMB monitoring configuration

Updates SMB monitoring configuration

Update threshold configuration.

Get current threshold configuration.

Get Agent's healtcheck

Get OpenTelemetry metrics of the Agent as a Prometheus log

Update YARA analysis configuration

Get current YARA analysis configuration

Returns information about all timezones defined in the system that agent is operating on

Updates timezone configuration

Returns current timezone configuration