Hi,

I've researched the Inspect API for the last couple of weeks. I've found that pulling the detection via the API generally returns more data than Syslog/Notifications, that I can then analyze better inside my other security solutions.

Is there an API method or parameter that allows filtering detections directly by ruleName in the request? My current working approach is to fetch all detections and then search for a ruleName match, but an API-side filter would be more efficient.

I've been trying to ensure I only pull new detections that occur after the last successful fetch. I first used creationTime to track the last detection's creationTime and filter new detections based on that; however, this led to a lot of missing detections that happened after the script ran.

I found that switching to $filter=id gt {last_detection_id} tracking worked better, as it helped avoid missing detections that were inserted between polling intervals. However, I still encountered cases where the script stopped pulling detections even though new ones were available.

So, some questions regarding this.

What is the recommended approach to avoid missing new detections when polling continuously?

Are there rate limits or best practices for how frequently we can query the API? My ideal PAGE_SIZE is 100, however to get the full detection details, I need to query by detection uuid, because the API returns a limited subset of fields when querying multiple detections together. So 1 request to fetch the batch + 100 requests for details = 101 requests overall.

On a related note, is it possible to disable the Syslog of just the ESET Inspect rules? I found in the documentation that there is an option for "Event type of logs"; however, I'm missing this option.

  • ESET Staff

You can use $filter with ruleName to get only those names like this:

GET /api/v1/detections?$filter=ruleName eq "File and Directory Discovery [L1114]"

In my experience, the best way to get the additional details and not miss detections is to combine Syslog and the API. Get information about new Inspect detections from Syslog, which contains the detection id, and fetch the additional details with the API. This is doable with Logstash, for example.

Edited by j91321
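The polling pattern from the original question (checkpoint on `$filter=id gt {last_detection_id}`, one list call per batch plus one per-uuid read for full details) combined with the `ruleName` filter from the staff reply, as an added example that is not code from this thread or from ESET. The HTTP transport (authentication, the real response envelope) is left to two client methods so the polling logic runs offline against a constructed fake; the fake's record fields beyond id, uuid and ruleName are made up. Assumed and not confirmed by the thread: a `$top` page-size parameter, `$orderby=id asc`, combining `id gt N` with `ruleName eq "..."` via `and`, and a per-detection read at `/api/v1/detections/{uuid}`; check each against the Inspect API reference before use. One way a checkpointed poller silently stops seeing detections is a page that is truncated and not in id order: the checkpoint jumps to the largest id on the page and the smaller ids it skipped are never requested again, which is why the poller below asks for ascending order and keeps paging until a short page arrives.

```python
"""Checkpointed poller for ESET Inspect detections (added example, not ESET code).

Assumed, not confirmed by the thread: `$top`, `$orderby=id asc`, combining
`id gt N` with `ruleName eq "..."` via `and`, and a per-detection read at
/api/v1/detections/{uuid}. The transport is abstracted behind two client methods.
"""
import re
from dataclasses import dataclass
from typing import Optional

LIST_PATH = "/api/v1/detections"            # shown in the thread
DETAIL_PATH = "/api/v1/detections/{uuid}"   # assumed


def build_filter(last_id: int, rule_name: Optional[str] = None) -> str:
    """$filter value: everything newer than the checkpoint, optionally one rule only."""
    clauses = [f"id gt {int(last_id)}"]
    if rule_name:
        if '"' in rule_name:   # escaping rules of the filter grammar are not documented here
            raise ValueError("rule name must not contain a double quote")
        clauses.append(f'ruleName eq "{rule_name}"')
    return " and ".join(clauses)


@dataclass
class Checkpoint:
    last_id: int = 0   # highest detection id already enriched; persist this between runs


def poll_new_detections(client, state: Checkpoint, page_size: int = 100,
                        rule_name: Optional[str] = None) -> list:
    """Drain every detection with id > state.last_id, enriching each via the per-uuid
    read because the list call returns only a subset of fields. Pages in ascending id
    order until a short page arrives (a backlog larger than page_size is not left
    behind) and advances the checkpoint only after a detail fetch succeeded, so an
    exception leaves it at the last detection actually processed."""
    enriched = []
    while True:
        page = client.list_detections(filter_expr=build_filter(state.last_id, rule_name),
                                      top=page_size, orderby="id asc")
        for summary in sorted(page, key=lambda d: d["id"]):
            if summary["id"] <= state.last_id:
                continue          # defensive: never reprocess across pages
            enriched.append(client.get_detection(summary["uuid"]))
            state.last_id = summary["id"]
        if len(page) < page_size:
            return enriched


class FakeInspectClient:
    """Constructed in-memory stand-in for the API so the example runs offline."""

    def __init__(self, detections):
        self._rows = list(detections)
        self.detail_calls = 0
        self.list_calls = 0

    def add_detection(self, row):
        self._rows.append(row)   # simulates a detection landing between two polls

    def list_detections(self, filter_expr, top, orderby):
        self.list_calls += 1
        last_id = int(re.search(r"id gt (\d+)", filter_expr).group(1))
        rule = re.search(r'ruleName eq "([^"]*)"', filter_expr)
        rows = [d for d in self._rows if d["id"] > last_id
                and (rule is None or d["ruleName"] == rule.group(1))]
        rows.sort(key=lambda d: d["id"], reverse=(orderby != "id asc"))
        return [{k: d[k] for k in ("id", "uuid", "ruleName")} for d in rows[:top]]

    def get_detection(self, uuid):
        self.detail_calls += 1
        return next(d for d in self._rows if d["uuid"] == uuid)


RULE_A = "File and Directory Discovery [L1114]"   # rule name quoted in the thread
RULE_B = "Constructed Rule [X9999]"               # made-up second rule


def make_detection(i):
    """Constructed sample record; only id, uuid and ruleName come from the thread."""
    return {"id": i, "uuid": f"uuid-{i:04d}", "ruleName": RULE_A if i % 2 else RULE_B,
            "computerName": "host-a", "processName": "example.exe"}


SAMPLE = [make_detection(i) for i in (7, 3, 5, 1, 6, 2, 4)]   # deliberately out of order


def run_demo(page_size=3):
    """First poll drains the backlog in three pages; the second picks up only the
    detection that arrived in between."""
    client = FakeInspectClient(SAMPLE)
    state = Checkpoint()
    first = poll_new_detections(client, state, page_size)
    client.add_detection(make_detection(8))
    second = poll_new_detections(client, state, page_size)
    return first, second, state, client


if __name__ == "__main__":
    first, second, state, client = run_demo()
    print([d["id"] for d in first], [d["id"] for d in second], state.last_id)
```

Against a real tenant, replace `FakeInspectClient` with a thin adapter whose `list_detections` issues the GET shown in the reply with the built `$filter` and whose `get_detection` reads one uuid, and store `Checkpoint.last_id` on disk after each run; the per-batch request count then stays at 1 + page_size, as the poster calculated, so lowering the poll frequency rather than the page size is the lever if rate limits apply.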