Get detection

Request a specific detection resource belonging to a tenant. Use the Get detections request to obtain the unique detection ID.

Service endpoint

/detections/v2/{detection_id}/details

Optional query string parameters

Example

https://protectapi.cylance.com/detections/v2/f2d6c020-53e2-4300-9005-2e006d9a0f57/details

Method

HTTP/1.1 GET

Request headers

  • Accept: application/json
  • Authorization: Bearer JWT token returned by the Auth API with the opticsdetect:read scope encoded

Request

None

Response

Please see the Response status codes for more information.

Response JSON schema

Field Name Description

ActivationTime

This is the time that this particular detection first started to occur.

AppliedExceptions

These are the exceptions that were applied to the detection.

  • Id: This is the unique identifier for the exception.
  • Version: This is the version number for the exception.

ArtifactsOfInterest

This is the artifact associated with the rule that triggered the exception. This is a dynamic object.

  • Artifact:
    • Type: This is the type of artifact.
    • Uid: This is the unique identifier for the artifact.
  • Source: This is the source for the artifact.
  • StateA: This is the name of the artifact of interest.

AssociatedArtifacts

This is the list of artifacts that were involved in this detection. These are dynamic objects.

Comment

This is the comment on the detection.

Context

This is the context of the detection.

DetectionRule

This is the description of the rule from which this detection originated.

  • Category: This is the category of the rule.
  • Description: This is the description of the rule.
  • Id: This is the ID of the rule.
  • Name: This is the name of the rule.
  • Version: This is the version of the rule.

Detector

This is the description of the plugin that originated the detection.

  • Name: This is the name of the detector.
  • Version: This is the version of the detector.

Device

This is a capture of the current state of the device.

  • CylanceId: This is the unique ID for the device.
  • Name: This is the name of the device.

Id

This is the unique identifier for the detection.

InvolvedArtifacts

These are the artifacts involved in this detection.

Name

This is the name of the detection.

ObjectType

This is the object type for the detection.

OccurrenceTime

This is the time at which the detection occurred.

PhoneticId

This is the easy-to-read version of the ID that is probabilistically unique.

Product

This is the description of the Endpoint Defense product that originated the detection.

  • Name: This is the name of the Endpoint Defense product.
  • Version: This is the version of the Endpoint Defense product.

ReceivedTime

This is the time when the detection was received.

Responses

These are the responses to the detection.

  • Status: This is the status of the response.
  • Comment: This is the comment on the response.
  • TenantId: This is the tenant ID to which the response belongs.
  • PhoneticId: This is the easy-to-read version of the ID that is probabilistically unique.
  • DetectionId: This is the ID for the detection event that warranted the response.
  • OccurrenceTime: This is the time at which the response actions were taken.
  • ActionResults:
    • HandlingResponderVersion: This is the version of the responder plugin that performed the response.
    • HandlingResponderName: This is the name of the responder plugin that performed the response.
    • Results:
      • Status: This is the status of the result.
      • Message: This is the message of the result.
      • Code:
        • Ordinal: This is the indicator code for the success of the action.
        • Reason: This is the detailed description explaining the indicator code.
        • Name: This is the friendly name of the status code.
  • AssociatedArtifacts: These are the artifacts upon which the action occurred.
  • ResponseRuleId: This is the ID of the response rule that triggered the response.
  • SchemaVersion: This is the version of the response rule.
  • ResponseRuleVersion: This is the version of the response rule.
  • ReceivedTime: This is the time the response was received.
  • ObjectType: This is the type of the object for the response.

SchemaVersion

This is the version of the schema to which the object conforms.

Severity

This is the criticality of an occurrence of the detection.

SeveritySortLevel

This is the sort level for the severity.

Status

This is the status of the detection in the workflow.

StatusSortLevel

This is the sort level for the status.

Trace

This is the trace information.

  • Event: This is the Aurora Focus Event that triggered the state.
  • StateName: This is the name of a state that was traversed.

TenantId

This is the ID for the tenant.

ZoneIds

This is the list of IDs for the zones associated with the detection.
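As an added example that is not part of the Cylance documentation, the following Python helper builds the request described above and flattens a response that follows the schema into the fields an analyst triages first. The sample detection is constructed, not captured from a tenant, and treating ActionResults as a list (with a single object also accepted) is an assumption, since the page does not state its shape.

```python
import urllib.request

BASE_URL = "https://protectapi.cylance.com"  # host from the example URL above


def build_detection_request(detection_id: str, jwt: str) -> urllib.request.Request:
    """GET /detections/v2/{detection_id}/details with the two required headers; send
    it with urlopen once you hold a JWT from the Auth API carrying opticsdetect:read."""
    url = f"{BASE_URL}/detections/v2/{detection_id}/details"
    headers = {"Accept": "application/json", "Authorization": f"Bearer {jwt}"}
    return urllib.request.Request(url, method="GET", headers=headers)


def summarize_detection(detection: dict) -> dict:
    """Flatten a detection into the fields triaged first, walking
    Responses -> ActionResults -> Results -> Code for every response action."""
    rule = detection.get("DetectionRule") or {}
    device = detection.get("Device") or {}
    actions = []
    for resp in detection.get("Responses") or []:
        action_results = resp.get("ActionResults") or []
        if isinstance(action_results, dict):  # assumption: accept one object or a list
            action_results = [action_results]
        for ar in action_results:
            for res in ar.get("Results") or []:
                code = res.get("Code") or {}
                actions.append({"responder": ar.get("HandlingResponderName"), "status": res.get("Status"),
                                "code": code.get("Name"), "reason": code.get("Reason")})
    return {"id": detection.get("Id"), "rule": rule.get("Name"), "severity": detection.get("Severity"),
            "status": detection.get("Status"), "device": device.get("Name"),
            "artifact_count": len(detection.get("AssociatedArtifacts") or []), "actions": actions}


# Constructed sample (not captured from a tenant) following the field names in the
# schema above; values such as "High", "New" and "Success" are illustrative only.
SAMPLE_DETECTION = {
    "Id": "f2d6c020-53e2-4300-9005-2e006d9a0f57",
    "Severity": "High", "Status": "New",
    "DetectionRule": {"Category": "Example", "Name": "Example Rule", "Id": "r-1", "Version": 1},
    "Device": {"CylanceId": "dev-1", "Name": "WORKSTATION-01"},
    "AssociatedArtifacts": [{"Type": "Process", "Uid": "a-1"}, {"Type": "File", "Uid": "a-2"}],
    "Responses": [{"Status": "Completed", "ActionResults": [{
        "HandlingResponderName": "ExampleResponder", "HandlingResponderVersion": "1.0",
        "Results": [{"Status": "Success", "Message": "done",
                     "Code": {"Ordinal": 0, "Name": "Success", "Reason": "Action completed"}}]}]}],
}
```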