YossiCo, posted October 11

Hi, I've researched the Inspect API for the last couple of weeks. I've found that pulling the detections via the API generally returns more data than Syslog/Notifications, which I can then analyze better inside my other security solutions.

Is there an API method or parameter that allows filtering detections directly by ruleName in the request? My current working approach is to fetch all detections and then search for a ruleName match, but an API-side filter would be more efficient.

I've been trying to ensure I only pull new detections that occur after the last successful fetch. I first used creationTime to track the last detection's creationTime and filter new detections based on that; however, this led to a lot of missing detections that happened after the script ran. I found that switching to $filter=id gt {last_detection_id} tracking worked better, as it helped avoid missing detections that were inserted between polling intervals. However, I still encountered cases where the script stopped pulling detections even though new ones were available.

So, some questions regarding this. What is the recommended approach to avoid missing new detections when polling continuously? Are there rate limits or best practices for how frequently we can query the API? My ideal PAGE_SIZE is 100; however, to get the full detection details, I need to query by detection uuid, because the API returns a limited subset of fields when querying multiple detections together. So 1 request to fetch the batch + 100 requests for details = 101 requests overall.

On a related note, is it possible to disable the Syslog of just the ESET Inspect rules? I found in the documentation that there is an option for "Event type of logs", but I'm missing this option.
j91321 (ESET Staff), posted 19 hours ago (edited)

You can use $filter with ruleName to get only those names, like this:

GET /api/v1/detections?$filter=ruleName eq "File and Directory Discovery [L1114]"

In my experience, the best way to get the additional details and not miss detections is to combine syslog and the API. Get information about new Inspect detections with Syslog, which contains the detection id, and fetch the additional details with the API. This is doable with Logstash, for example.

Edited 19 hours ago by j91321
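Added example (not ESET's code nor the poster's script) that puts the id-checkpoint polling from the question together with the ruleName filter from the reply. It assumes a detail endpoint of the form /api/v1/detections/{uuid}, that $filter clauses can be joined with `and` as in OData, and it injects the HTTP calls so the logic runs offline against constructed sample data.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlencode, urlparse

PAGE_SIZE = 100  # the server is assumed to return at most this many per request


def list_url(base: str, last_id: int, rule_name: Optional[str] = None) -> str:
    """Build the list URL. The $filter expression contains spaces and quotes,
    so it must be URL-encoded; forgetting that is a common reason a filter
    silently matches nothing."""
    expr = f"id gt {last_id}"
    if rule_name:
        # Joining clauses with 'and' is an OData convention; assumed, not confirmed by the thread.
        expr += f' and ruleName eq "{rule_name}"'
    return f"{base}/api/v1/detections?{urlencode({'$filter': expr}, quote_via=quote)}"


def poll_new_detections(fetch: Callable[[str], List[Dict]], fetch_detail: Callable[[str], Dict],
                        base: str, last_id: int, rule_name: Optional[str] = None
                        ) -> Tuple[List[Dict], int]:
    """Drain every detection with id > last_id and return (details, new_checkpoint).
    Keeps requesting until an empty page comes back, so a burst larger than
    PAGE_SIZE is not truncated, and only advances the checkpoint after a whole
    batch's details were fetched, so a crash re-pulls instead of skipping."""
    details, checkpoint = [], last_id
    while True:
        batch = fetch(list_url(base, checkpoint, rule_name))
        if not batch:
            return details, checkpoint
        for summary in sorted(batch, key=lambda d: d["id"]):  # oldest first
            details.append(fetch_detail(f"{base}/api/v1/detections/{summary['uuid']}"))
        checkpoint = max(d["id"] for d in batch)


# Constructed stand-in for the Inspect server: 205 fake detections, two rule names.
_SAMPLE = [{"id": i, "uuid": f"uuid-{i}", "ruleName": "Rule A" if i % 2 else "Rule B"}
           for i in range(1, 206)]


def fake_fetch(url: str) -> List[Dict]:
    """Parse the $filter back out of the URL and answer like a paged list endpoint."""
    expr = parse_qs(urlparse(url).query)["$filter"][0]
    last = int(re.search(r"id gt (\d+)", expr).group(1))
    rule = re.search(r'ruleName eq "([^"]+)"', expr)
    rows = [d for d in _SAMPLE if d["id"] > last and (not rule or d["ruleName"] == rule.group(1))]
    return rows[:PAGE_SIZE]


def fake_detail(url: str) -> Dict:
    """Stand-in for the per-uuid detail call that returns the full field set."""
    return {"uuid": url.rsplit("/", 1)[1], "fullDetails": True}
```

Run with `poll_new_detections(fake_fetch, fake_detail, "https://inspect.example", 3)`; replacing the two fakes with real HTTP calls (and the vendor's authentication) is the only change needed against a live server.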