REST API Documentation
GET /settings/tags HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
A list of all currently added tags
[
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"tag": "text",
"createdAt": "2025-07-01T03:38:23.906Z"
}
]
POST /settings/tags HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 14
{
"tag": "text"
}
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"tag": "text",
"createdAt": "2025-07-01T03:38:23.906Z"
}
PUT /authentication/password HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 22
{
"newPassword": "text"
}
No content
PUT /settings/events HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 45
{
"queryingDelay": "text",
"savingDelay": "text"
}
{
"queryingDelay": "text",
"savingDelay": "text",
"incidentDetection": {
"enabled": true,
"yaraAnalysisEnabled": true,
"inactivityPeriod": "text"
}
}
GET /settings/events HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current file system events configuration
{
"queryingDelay": "text",
"savingDelay": "text",
"incidentDetection": {
"enabled": true,
"yaraAnalysisEnabled": true,
"inactivityPeriod": "text"
}
}
GET /settings/excluded-paths HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"paths": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"path": "text",
"user": "text"
}
]
}
Path to exclude
Username for which the path should be excluded from monitoring
POST /settings/excluded-paths HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 29
{
"path": "text",
"user": "text"
}
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"path": "text",
"user": "text"
}
Excluded path identifier
DELETE /settings/excluded-paths/{id} HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
No content
Excluded path identifier
GET /settings/excluded-paths/{id} HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"path": "text",
"user": "text"
}
GET /settings/reports/file-event-report HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
OK
{
"enabled": true,
"scheduledHours": [
"03:38:23"
]
}
PUT /settings/reports/file-event-report HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 16
{
"enabled": true
}
{
"enabled": true,
"scheduledHours": [
"03:38:23"
]
}
POST /settings/reports/file-event-report/hours HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 19
{
"hour": "03:38:23"
}
{
"enabled": true,
"scheduledHours": [
"03:38:23"
]
}
DELETE /settings/reports/file-event-report/hours HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"enabled": true,
"scheduledHours": [
"03:38:23"
]
}
GET /settings/reports/file-event-report/excluded-paths HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
OK
[
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"path": "text",
"user": "text"
}
]
Path to exclude
Username for which the path should be excluded from monitoring
POST /settings/reports/file-event-report/excluded-paths HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 29
{
"path": "text",
"user": "text"
}
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"path": "text",
"user": "text"
}
DELETE /settings/reports/file-event-report/excluded-paths/{id} HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
No content
GET /settings/reports/file-event-report/included-paths HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
OK
[
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"path": "text",
"user": "text"
}
]
Path to include
Username for which the path should be included in file event reports
POST /settings/reports/file-event-report/included-paths HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 29
{
"path": "text",
"user": "text"
}
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"path": "text",
"user": "text"
}
DELETE /settings/reports/file-event-report/included-paths/{id} HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
No content
GET /settings/file-integrity HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
File integrity configuration
{
"enabled": true,
"paths": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"prefix": "text",
"checkFileContents": true
}
]
}
Request to add new monitored path to file integrity configuration
Path prefix to monitor
Indicates if the file contents are checked to reduce number of false positives
POST /settings/file-integrity HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 42
{
"prefix": "text",
"checkFileContents": true
}
{
"enabled": true,
"paths": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"prefix": "text",
"checkFileContents": true
}
]
}
Updates file integrity strategy configuration
Indicates if the file integrity strategy is enabled
PUT /settings/file-integrity HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 16
{
"enabled": true
}
{
"enabled": true,
"paths": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"prefix": "text",
"checkFileContents": true
}
]
}
ID of the path to be removed
DELETE /settings/file-integrity HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"enabled": true,
"paths": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"prefix": "text",
"checkFileContents": true
}
]
}
ID of path to update
Indicates if the file contents are checked to reduce number of false positives
PUT /settings/file-integrity/{id} HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 26
{
"checkFileContents": true
}
{
"enabled": true,
"paths": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"prefix": "text",
"checkFileContents": true
}
]
}
GET /events/types HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
A collection of all file system event types
[
{
"id": 1,
"name": "text"
}
]
GET /events HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"events": [
{
"filename": "text",
"oldFilename": "text",
"occurrenceTimeStamp": "2025-07-01T03:38:23.906Z",
"insertionTimeStamp": "2025-07-01T03:38:23.906Z",
"type": {
"id": 1,
"name": "text"
},
"username": "text",
"pid": 1,
"networkUsername": "text"
}
],
"nextRequestCursor": "text",
"numberOfItems": 1
}
A set of placement paths
Source path honeypot files
PUT /settings/honeypot HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 47
{
"placementPaths": [
"text"
],
"sourcePath": "text"
}
{
"sourcePath": "text",
"placementPaths": [
"text"
]
}
GET /settings/honeypot HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current honeypot configuration
{
"sourcePath": "text",
"placementPaths": [
"text"
]
}
A set of placement paths
POST /settings/honeypot HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 24
{
"placementPath": "text"
}
{
"sourcePath": "text",
"placementPaths": [
"text"
]
}
Placement path
DELETE /settings/honeypot HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"sourcePath": "text",
"placementPaths": [
"text"
]
}
Incident identifier
Maximum number of entries to be returned
Cursor to filter out already returned entries
GET /security-incidents/{incidentId}/files HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
[
{
"originalPath": "text",
"mostRecentPath": "text",
"firstModificationTime": "2025-07-01T03:38:23.906Z",
"modification": {
"id": 1,
"name": "text"
}
}
]
Incident identifier
GET /security-incidents/{id}/events HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"events": [
{
"filename": "text",
"oldFilename": "text",
"occurrenceTimeStamp": "2025-07-01T03:38:23.906Z",
"insertionTimeStamp": "2025-07-01T03:38:23.906Z",
"type": {
"id": 1,
"name": "text"
},
"username": "text",
"pid": 1,
"networkUsername": "text"
}
],
"nextRequestCursor": "text",
"numberOfItems": 1
}
User name. Only includes the incidents which were created for a specific user
GET /security-incidents HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
A list of all detected security incidents
[
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"user": "text",
"start": "2025-07-01T03:38:23.906Z",
"end": "2025-07-01T03:38:23.906Z"
}
]
GET /security-incidents/modification-types HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
A list of all possible values of affected file modification types
[
{
"id": 1,
"name": "text"
}
]
A request that registers an agent with a management server
Agent instance identifier
The Guard Mode management server address/host
API key identifier
API key secret
POST /registrations HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 150
{
"instance_id": "123e4567-e89b-12d3-a456-426614174000",
"server_address": "text",
"key_id": "123e4567-e89b-12d3-a456-426614174000",
"api_key_secret": "text"
}
{
"fqdn": "text",
"operatingSystem": "text"
}
DELETE /registrations HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Registration is removed
No content
GET /settings/block-list HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current block list data
{
"lastUpdated": "2025-07-01T03:38:23.906Z",
"fileGroupCount": 1
}
The timestamp which will be set as the 'last update time' for the block list
Collection of path filters
["*.exe"]
PUT /settings/block-list HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 62
{
"lastUpdated": "2025-07-01T03:38:23.906Z",
"filters": [
"*.exe"
]
}
No content
GET /settings/block-list/skip HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current skip list
{
"filters": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"createdDate": "2025-07-01T03:38:23.906Z",
"pattern": "text"
}
]
}
Collection of path filters
["*.exe"]
PUT /settings/block-list/skip HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 21
{
"filters": [
"*.exe"
]
}
No content
File path pattern
POST /settings/block-list/skip HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 18
{
"pattern": "text"
}
No content
Skip list pattern identifier
DELETE /settings/block-list/skip/{id} HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
No content
Maximum number of entries to be returned
Cursor to filter out already returned entries
GET /scans HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
[
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"startedAt": "2025-07-01T03:38:23.906Z",
"endedAt": "2025-07-01T03:38:23.906Z",
"lastScannedPath": "text",
"scannedFilesCount": 1,
"suspiciousFilesCount": 1,
"state": {
"id": 1,
"name": "text"
},
"pathsToScan": [
{
"value": "text",
"errorMessage": "text"
}
]
}
]
Scan creation request
Paths that will be recursively scanned
Indicates if file names found during scan should be analyzed to find files with names often used by ransomware
Indicates if files should be scanned using YARA rules
If true, Agent will raise alert on suspicious file found
If present, causes exclusions to work as if filesystem root was at each of provided paths
POST /scans HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 115
{
"paths": [
"text"
],
"checkBlockListPatterns": true,
"checkYaraRules": true,
"sendAlerts": true,
"rootMountPoints": [
"text"
]
}
No content
GET /scans/{id} HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"startedAt": "2025-07-01T03:38:23.906Z",
"endedAt": "2025-07-01T03:38:23.906Z",
"lastScannedPath": "text",
"scannedFilesCount": 1,
"suspiciousFilesCount": 1,
"state": {
"id": 1,
"name": "text"
},
"pathsToScan": [
{
"value": "text",
"errorMessage": "text"
}
]
}
Maximum number of entries to be returned
Cursor to filter out already returned entries
GET /scans/{id}/suspicious-files HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"startedAt": "2025-07-01T03:38:23.906Z",
"endedAt": "2025-07-01T03:38:23.906Z",
"lastScannedPath": "text",
"scannedFilesCount": 1,
"suspiciousFilesCount": 1,
"state": {
"id": 1,
"name": "text"
},
"pathsToScan": [
{
"value": "text",
"errorMessage": "text"
}
]
}
POST /scans/{id}/stop HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
No content
GET /settings/smb HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current SMB monitoring configuration
{
"enabled": true,
"message": {
"template": "text"
},
"listener": {
"port": 1,
"endMarker": "text"
}
}
PUT /settings/smb HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 87
{
"enabled": true,
"message": {
"template": "text"
},
"listener": {
"port": 1,
"endMarker": "text"
}
}
{
"enabled": true,
"message": {
"template": "text"
},
"listener": {
"port": 1,
"endMarker": "text"
}
}
Number of threshold buckets
Limit of data points to analyze
PUT /settings/threshold HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 264
{
"entropyCheck": {
"enabled": true,
"maxCheckAttempts": 1
},
"magicNumberCheck": {
"enabled": true,
"filesChecked": 1
},
"yaraCheck": {
"enabled": true
},
"numberOfBuckets": 1,
"pointsLimit": 1,
"writesPerSecond": {
"high": 1,
"medium": 1,
"low": 1
},
"riskWeights": {
"high": 1,
"medium": 1,
"low": 1
}
}
{
"entropyCheck": {
"enabled": true,
"maxCheckAttempts": 1
},
"magicNumberCheck": {
"enabled": true,
"filesChecked": 1
},
"yaraCheck": {
"isEnabled": true
},
"numberOfBuckets": 1,
"pointsLimit": 1,
"writesPerSecond": {
"high": 1,
"medium": 1,
"low": 1
},
"riskWeights": {
"high": 1,
"medium": 1,
"low": 1
}
}
GET /settings/threshold HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current threshold configuration
{
"entropyCheck": {
"enabled": true,
"maxCheckAttempts": 1
},
"magicNumberCheck": {
"enabled": true,
"filesChecked": 1
},
"yaraCheck": {
"isEnabled": true
},
"numberOfBuckets": 1,
"pointsLimit": 1,
"writesPerSecond": {
"high": 1,
"medium": 1,
"low": 1
},
"riskWeights": {
"high": 1,
"medium": 1,
"low": 1
}
}
PUT /settings/yara HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 225
{
"scans": {
"rulesPath": "text",
"maxFileSizeInBytes": 1
},
"threshold": {
"rulesPath": "text",
"maxFileSizeInBytes": 1
},
"fileIntegrity": {
"rulesPath": "text",
"maxFileSizeInBytes": 1
},
"incidents": {
"rulesPath": "text",
"maxFileSizeInBytes": 1
}
}
{
"scans": {
"rulesPath": "text",
"maxFileSizeInBytes": 1
},
"threshold": {
"rulesPath": "text",
"maxFileSizeInBytes": 1
},
"fileIntegrity": {
"rulesPath": "text",
"maxFileSizeInBytes": 1
},
"incidents": {
"rulesPath": "text",
"maxFileSizeInBytes": 1
}
}
GET /settings/yara HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current configuration
{
"scans": {
"rulesPath": "text",
"maxFileSizeInBytes": 1
},
"threshold": {
"rulesPath": "text",
"maxFileSizeInBytes": 1
},
"fileIntegrity": {
"rulesPath": "text",
"maxFileSizeInBytes": 1
},
"incidents": {
"rulesPath": "text",
"maxFileSizeInBytes": 1
}
}
GET /settings/available-timezones HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
[
{
"id": "text",
"offset": "text"
}
]
Timezone configuration update request
ID of a timezone that will be set
PUT /settings/timezone HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 19
{
"timeZone": "text"
}
No content
GET /settings/timezone HTTP/1.1
Host:
Authorization: Basic username:password
api-version: text
Accept: */*
Current timezone configuration
{
"timeZone": {
"id": "text",
"offset": "text"
}
}