Endpoint Security Management API

Content-Type

application/json

Accept

application/json

Authorization

The access token that you generate with the WatchGuard Authentication API. For more information, see Authentication.

WatchGuard-API-Key

The API key associated with your WatchGuard Cloud account (shown on the Managed Access page in WatchGuard Cloud).

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

product_license_counter
array

Array of license objects.

product_id
integer

Product internal ID.

Example: 12345

license_type
integer

Type of license. This can be one of these values:

• 1 — Release
• 2 — Trial
• 3 — Beta
• 4 — Not for resale

Example: 1

product_name
string

Name of the licensed product.

Example: Endpoint Protection Detection and Response

assigned_licenses
integer

Number of licenses assigned to devices.

Example: 3

unassigned_licenses
integer

Number of licenses that are not assigned to devices.

Example: 7

without_license_devices
integer

Number of devices that do not have a license assigned.

Example: 2

expiration_date
string

Date when all licenses in the license contract expire and the devices are no longer protected.

Example: 2022-01-14T00:00:00

license_items
array

Array of license items.

product_id
integer

Identification number for the product.

Example: 4

license_type
integer

Type of license. This can be one of these values:

• 1 — Release
• 2 — Trial
• 3 — Beta
• 4 — Not for resale

Example: 1

amount
integer

Maximum number of license installations allowed. If the number of installations exceeds this number, the administrator will receive an alert.

Example: 3

expiration_date
string

Date when the license expires.

Example: 2022-01-14T00:00:00

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$search
string

Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username."

The supported search fields depend on the endpoint:

• Devices: Host name, description, IP address, logged on user
• DeviceProtectionStatus: Host name
• ManagedConfigurations: Name, description

Example: name

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$orderby
string

Specifies how to order results. You can order by any parameter in the response and sort results in ascending or descending order.

Specify a parameter name with any underscores removed, followed by a + (plus sign) and either asc (ascending) or desc (descending).

For example, to order results by the host_name parameter in descending order, specify hostname+desc. If you do not specify a field to order by, the API will use the order in the database.

Example: hostname+desc

$config
boolean

Indicates whether the security configuration name and ID are returned. The default value is true.

Example: true

data
array

Array of device data.

device_id
string

Identifier for the device.

Example: 287324d8-194f-4f5a-a7ad-e2480d5ad1b2

account_id
string

Identifier for the account.

Example: cd6c6dd6-r97o-453d-ld8o-a5976dc0596c

site_id
string

Identifier for the site.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

site_name
string

Name of the site the device belongs to.

Example: AD360

host_name
string

Host name of the device.

Example: WIN_SERVER_6

type
integer

Type of device. This can be one of these values:

• 1 — Workstation
• 2 — Laptop
• 3 — Server
• 4 — Mobile device

Example: 3

description
string

Description of the device.

Example: Marketing server

domain
string

Domain where your devices belong on Microsoft networks.

Example: WORKGROUP

platform_id
integer

Device platform. This can be one of these values:

• 1 — Windows
• 2 — Linux
• 3 — macOS
• 4 — Android
• 5 — iOS

Example: 1

ip_address
string

IP address of the device.

Example: 192.0.2.1

mac_addresses
array

List of MAC addresses of the device.

Example: 00:0E:A6:F8:FE:FF

operating_system
string

Name of the operating system installed on the device.

Example: Microsoft Windows 10

license_status
integer

Status of the device license. This can be one of these values:

• 0 — Assigned
• 1 — Not assigned
• 2 — Manual deallocation
• 3 — Auto deallocation

Example: 0

isolation_state
integer

Isolation status of the device. This can be one of these values:

• 0 — Not isolated
• 1 — Isolated
• 2 — Applying isolation
• 3 — Removing isolation

Example: 1

encryption
integer

Device encryption status. This can be one of these values:

• 0 — Without protection/without information
• 1 — Activated
• 2 — Deactivated
• 3 — Error
• 4 — Error installing
• 5 — Without license
• 6 — Not available

Example: 6

reinstall_protection_requested
boolean

Indicates whether reinstallation of protection is requested.

Example: true

reinstall_agent_requested
boolean

Indicates whether reinstallation of the agent is requested.

Example: true

reboot_requested
boolean

Indicates whether device reboot is requested.

Example: true

agent_version
string

Version of the agent installed on the endpoint.

Example: 1.17.00.0000

last_connection
string

Date and time of the last connection of the device.

Example: 2020-11-06T20:08:43.128Z

security_configuration_name
boolean

Name of the security configuration.

If the config request parameter is true, security_configuration_name displays the security configuration name. If config is false, then null is displayed.

Example: Virtual machines

security_configuration_id
boolean

Unique identifier of the security configuration.

If the config request parameter is true, security_configuration_id displays the unique identifier. If config is false, then null is displayed.

Example: 287324d8-194f-4f5a-a7ad-e2480d5ad1b2

logged_on_users_list
array

List of last logged on users.

custom_group_folder_path
string

Full path to the group the device is assigned to.

Example: All\ServersFolderName\GroupName1

active_directory_canonical_name
string

Full canonical path to the device in Active Directory.

Example: ROOTDOMAIN.local\Computers\Servers\Division\DEVICE_5

total_items
integer

Total number of devices.

If the count request parameter is true, total_items displays the total number of devices. If count is false, then total_items displays null.

Example: 42

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

type
integer
REQUIRED

Type of configuration to return. Specify one of these values:

• 1 — Deployment settings
• 2 — Workstations and servers
• 3 — Android
• 12 — iOS

Example: 2

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$search
string

Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username."

The supported search fields depend on the endpoint:

• Devices: Host name, description, IP address, logged on user
• DeviceProtectionStatus: Host name
• ManagedConfigurations: Name, description

Example: name

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$orderby
string

Specifies how to order results. You can order by any parameter in the response and sort results in ascending or descending order.

Specify a parameter name with any underscores removed, followed by a + (plus sign) and either asc (ascending) or desc (descending).

For example, to order results by the host_name parameter in descending order, specify hostname+desc. If you do not specify a field to order by, the API will use the order in the database.

Example: hostname+desc

data
array

List of managed configurations.

id
string

Unique identifier of the managed configuration.

Example: f6c469cf-d2b3-4e53-b2f3-08bb917e4d43

name
string

Name of the managed configuration.

Example: WorkstationAndServer Settings

description
string

Description of the managed configuration.

Example: Workstation and server configuration pre-patch installation

is_default
boolean

Indicates whether this is the default managed configuration.

Example: false

total_items
integer

Total number of managed configurations of this type.

If the count request parameter is true, total_items displays the number of managed configurations of this type. If count is false, then total_items displays null.

Example: 3

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

platformId
integer
REQUIRED

Identifier of the platform you want to retrieve the installation package URL for. Specify one of these values:

• 1 — Windows
• 2 — Linux
• 3 — macOS
• 4 — Android
• 5 — iOS

Example: 1

managedConfigurationId
string
REQUIRED

Identifier of the managed configuration you want to retrieve the installation package URL for.

Example: f6c469cf-d2b3-4e53-b2f3-08bb917e4d43

useActiveDirectory
boolean
REQUIRED

Indicates whether to integrate the device into Active Directory.

Example: true

installer_download_url
string

URL to download the installation package.

Example: https://example.com/api/v1/accounts/5a5246d8-21f1-465c-83d2-b0316dd047a8/sites/279b5ffd-fa95-45c9-b7b4-7be51ff6e3e8/installers?installerType=2&platform=1&managedConfigurationId=f6c469cf-d2b3-4e53-b2f3-08bb917e4d43&customGroupId=c81fb727-69aa-45a1-8cc0-8e1e18ecc6ae&integrationGroupType=0

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

type
integer
REQUIRED

Type of configuration. Currently, only option 2 is supported.

2 — Workstations and servers

Example: 2

configId
string
REQUIRED

Identifier of the managed configuration to associate with the devices.

Example: dab50d3d-cbda-4d36-8c79-2df0b0789b49

device_ids
array
REQUIRED

List of IDs of devices to link to the specified managed configuration.

Example: "00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$search
string

Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username."

The supported search fields depend on the endpoint:

• Devices: Host name, description, IP address, logged on user
• DeviceProtectionStatus: Host name
• ManagedConfigurations: Name, description

Example: name

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$orderby
string

Specifies how to order results. You can order by any parameter in the response and sort results in ascending or descending order.

Specify a parameter name with any underscores removed, followed by a + (plus sign) and either asc (ascending) or desc (descending).

For example, to order results by the host_name parameter in descending order, specify hostname+desc. If you do not specify a field to order by, the API will use the order in the database.

Example: hostname+desc

data
string

Array of device data.

host_name
string

Host name of the device.

Example: WIN_SERVER_6

device_id
string

Identification number of the device.

Example: 287324d8-194f-4f5a-a7ad-e2480d5ad1b2

platform_id
integer

Device platform. This can be one of these values:

• 1 — Windows
• 2 — Linux
• 3 — macOS
• 4 — Android
• 5 — iOS

Example: 1

device_type
integer

Type of device. This can be one of these values:

• 1 — Workstation
• 2 — Laptop
• 3 — Server
• 4 — Mobile device

Example: 1

accumulated_protection_status
integer

General protection status. This can be one of these values:

• 0 — Without protection/without information
• 1 — Enabled
• 2 — Disabled
• 3 — Error
• 4 — Error installing
• 5 — Without license
• 6 — Not available

Example: 2

adaptive_defense_status
integer

Adaptive Defense status. This can be one of these values:

• 0 — Without protection/without information
• 1 — Enabled
• 2 — Disabled
• 3 — Error
• 4 — Error installing
• 5 — Without license
• 6 — Not available

Example: 2

file_antivirus_status
integer

Antivirus status. This can be one of these values:

• 0 — Without protection/without information
• 1 — Enabled
• 2 — Disabled
• 3 — Error
• 4 — Error installing
• 5 — Without license
• 6 — Not available

Example: 2

firewall_status
integer

Firewall status. This can be one of these values:

• 0 — Without protection/without information
• 1 — Enabled
• 2 — Disabled
• 3 — Error
• 4 — Error installing
• 5 — Without license
• 6 — Not available

Example: 6

isolation_state
integer

Isolation state of the device. This can be one of these values:

• 0 — Not isolated
• 1 — Isolated
• 2 — Applying isolation
• 3 — Removing isolation

Example: 1

protection_engine_update_status
integer

Protection engine update status. This can be one of these values:

• 0 — Undefined
• 1 — Outdated
• 2 — Updated
• 3 — Waiting for reboot

Example: 1

protection_engine_version
string

Protection engine version.

Example: 8.00.17.0001

knowledge_catalog_update_status
integer

Update status of the catalog. This can be one of these values:

• 1 — Outdated
• 2 — Updated

Example: 2

knowledge_catalog_date
string

Date and time when the knowledge catalog installed on the device.

Example: 2020-09-28T06:13:01.695Z

last_connection_date
string

Date and time when the device last connected.

Example: 2020-09-28T06:13:01.883Z

reboot_requested
boolean

Indicates whether device reboot is requested.

Example: true

reinstall_protection_requested
boolean

Indicates whether reinstallation of the protection is requested.

Example: true

reinstall_agent_requested
boolean

Indicates whether reinstallation of the agent is requested.

Example: true

license_status
integer

Status of the license. This can be one of these values:

• 0 — Assigned
• 1 — No Assigned
• 2 — Manual Deallocation
• 3 — Auto Deallocation

Example: 0

reinstall_agent_error
string

Additional information in the event of a reinstall agent error in JSON format. The step parameter can be one of these values:

• 0 — AgentInstallNotStarted
• 1 — AgentInstallConnection
• 2 — AgentInstallDetermineOs
• 3 — AgentInstallGetInstaller
• 4 — AgentInstallCopy
• 5 — AgentInstallInstallation
• 6 — AgentInstallIntegration

Example: {"error":58,"code":2020,"date_time":"2020-11-20T20:27:18.725Z","step":2}

reinstall_protection_error
string

Additional information in the event of a reinstall protection error in JSON format. The step parameter can be one of these values:

• 8 — ProtectionInstallInstallation
• 9 — ProtectionInstallSoftwareUpdate
• 10 — ProtectionInstallThirdPartyUninstall
• 11 — ProtectionInstallThirdPartyUninstaller

Example: {"error":36,"code":4001,"date_time":"2020-11-20T20:27:18.725Z","step":8}

total_items
integer

Total number of devices.

If the count request parameter is true, total_items displays the total number of devices. If count is false, then total_items displays null.

Example: 5

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

type
integer
REQUIRED

Types of security event counters to retrieve. This parameter is a mask. Add the values of the security event counter types you want to retrieve.

For example, if you want to retrieve only programs blocked, specify 8. If you want to retrieve both PUPs and programs blocked, specify 10 because 8 (programs blocked) + 2 (PUPs) = 10.

• 1 — Malware
• 2 — PUPs (Potentially Unwanted Programs)
• 4 — Exploits
• 8 — Programs blocked
• 16 — Threats detected by AV
• 32 — Network attack
• 255 — All counters

Example: 10

filter
string

Filters the security event counters by date.

Specify the type of security event:

• 33001 — Antivirus
• 32001 — Other types

Specify the length of the time period in the format [x, y] where x is the number of units and y is the unit of time:

• 1 — Years
• 2 — Months
• 3 — Days
• 4 — Hours

For example, this retrieves threats detected by AV for the last 7 days: filter=33001%20AmongTheLast%20[7,3].

This retrieves security event counters for the other types for the last 3 months: filter=32001%20AmongTheLast%20[3,2].

If you do not specify a filter, the API returns all of the security events for the last 30 days.

Example: 33001%20AmongTheLast%20[7,3]

malware_counters
array

Array of data about malware.

total_alerts
integer

Number of malware alerts.

Example: 4

total_executed
integer

Number of executed malware instances.

Example: 2

total_data_access
integer

Number of times malware accessed data.

Example: 1

total_external_communications
integer

Number of external communications by malware.

Example: 0

total_affected_devices
integer

Number of devices affected by malware.

Example: 3

pups_counters
array

Array of data about potentially unwanted programs (PUPs).

total_alerts
integer

Number of PUP alerts.

Example: 3

total_executed
integer

Number of PUPs that ran successfully.

Example: 0

total_data_access
integer

Number of times PUPs accessed data.

Example: 1

total_external_communications
integer

Number of external communications by PUPs.

Example: 2

total_affected_devices
integer

Number of affected devices.

Example: 5

exploit_counters
array

Array of data about vulnerability exploit attacks.

total_alerts
integer

Number of exploit alerts.

Example: 2

total_executed
integer

Number of exploits executed.

Example: 1

total_data_access
integer

Number of times exploits accessed data.

Example: 0

total_external_communications
integer

Number of external communications by exploits.

Example: 1

total_affected_devices
integer

Number of devices affected by exploits.

Example: 2

program_blocked_counters
array

Array of data about programs blocked.

total_programs_blocked
integer

Number of blocked programs.

Example: 0

threats_by_av_counters
array

Array of data about threats detected by antivirus.

total_phishing_detected_by_av
integer

Number of phishing attempts detected by antivirus.

Example: 1

total_tracking_cookies_detected_by_av
integer

Number of tracking cookies detected by antivirus.

Example: 1

total_devices_blocked_by_av
integer

Number of devices blocked by antivirus.

Example: 1

total_malware_urls_blocked_by_av
integer

Number of malware URLs blocked by antivirus.

Example: 2

total_intrusion_attempted_blocked_by_av
integer

Number of intrusion attempts blocked by antivirus.

Example: 2

total_dangerous_actions_blocked_by_av
integer

Number of dangerous actions blocked by antivirus.

Example: 3

network_attack_counters
array

Array of data about network attacks blocked.

total_alerts
integer

Number of alerts.

Example: 2

total_affected_devices
integer

Number of affected devices.

Example: 20

accountId

string

REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

period
integer
REQUIRED

Period of time to retrieve security event counters for. Specify one of these values:

• 1 — Previous 24 hours
• 7 — Previous 7 days
• 30 — Previous 30 days

Example: 7

total_devices
integer

Number of devices.

total_unmanaged_devices
integer

Number of unmanaged devices.

malware
array

Array of data about malware.

total_alerts

integer

Number of malware alerts.

Example: 4

total_executed

integer

Number of executed malware instances.

Example: 2

total_data_access

integer

Number of times malware accessed data.

Example: 1

total_external_communications

integer

Number of external communications by malware.

Example: 0

total_affected_devices

integer

Number of devices affected by malware.

Example: 3

pups
array

Array of data about potentially unwanted programs (PUPs).

total_alerts

integer

Number of PUP alerts.

Example: 3

total_executed

integer

Number of PUPs that ran successfully.

Example: 0

total_data_access

integer

Number of times PUPs accessed data.

Example: 1

total_external_communications

integer

Number of external communications by PUPs.

Example: 2

total_affected_devices

integer

Number of affected devices.

Example: 5

exploits
array

Array of data about vulnerability exploit attacks.

total_alerts

integer

Number of exploit alerts.

Example: 2

total_executed

integer

Number of exploits executed.

Example: 1

total_data_access

integer

Number of times exploits accessed data.

Example: 0

total_external_communications

integer

Number of external communications by exploits.

Example: 1

total_affected_devices

integer

Number of devices affected by exploits.

Example: 2

programs_blocked
array

Array of data about programs blocked.

total_programs_blocked

integer

Number of blocked programs.

Example: 0

threats_by_av_counters

array

Array of data about threats detected by antivirus.

total_phishing_detected_by_av

integer

Number of phishing attempts detected by antivirus.

Example: 1

total_tracking_cookies_detected_by_av

integer

Number of tracking cookies detected by antivirus.

Example: 1

total_devices_blocked_by_av

integer

Number of devices blocked by antivirus.

Example: 1

total_malware_urls_blocked_by_av

integer

Number of malware URLs blocked by antivirus.

Example: 2

total_intrusion_attempted_blocked_by_av

integer

Number of intrusion attempts blocked by antivirus.

Example: 2

total_dangerous_actions_blocked_by_av

integer

Number of dangerous actions blocked by antivirus.

Example: 3

total_hacking_tools_by_av

integer

Number of hacking tools detected by antivirus.

Example: 3

total_spyware_by_av

integer

Number of spyware detected by antivirus.

Example: 2

total_virus_by_av

integer

Number of viruses detected by antivirus.

Example: 2

indicators_of_attack_counters

array

Array of data about indicators of attack.

total_indicators_of_attack

integer

Number of indicators of attack.

Example: 3

accountId

string

REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

type
integer
REQUIRED

Type of security event. Specify one of these values:

• 1 — Malware
• 2 — PUPs (Potentially Unwanted Programs)
• 3 — Blocked Programs
• 4 — Exploits
• 5 — Blocked by Advanced Security Policies
• 6 — Virus
• 7 — Spyware
• 8 — Hacking Tools and PUPs Detected by Antivirus
• 9 — Phishing
• 10 — Suspicious
• 11 — Dangerous Actions
• 12 — Tracking Cookies
• 13 — Malware URLs
• 14 — Other Security Event Detected by Antivirus
• 15 — Intrusion Attempts
• 16 — Blocked Connections
• 17 — Blocked Devices
• 18 — Indicators of Attack
• 19 — Network Attack Protection

Example: 13

period
integer
REQUIRED

Period of time to retrieve security events for. Specify one of these values:

• 1 — Previous 24 hours
• 7 — Previous 7 days

Example: 7

hostname
string

Host name (base-64 encoded) of the device you want to retrieve security events for.

data
array

Array of security event data.

accessed_data
boolean

Indicates if the data has been accessed.

Example: true

action
integer

Indicates the action performed.

For indicators of attack, this can be one of these values:

• 0 — Undefined
• 1 — Reported
• 2 — Attack Blocked

For other detections, this can be one of these values:

• 0 — Allowed
• 1 — Quarantined
• 2 — Blocked
• 3 — Killed
• 4 — Ignored
• 5 — Cleaned
• 6 — Deleted
• 7 — Restored
• 8 — Allowed By Whitelist
• 9 — Write Blocked
• 10 — Pending User Action
• 11 — Uninstalled
• 13 — After Process Blocked
• 14 — Immediately Blocked
• 15 — Allowed By User
• 16 — Detected Restart Pending
• 17 — Allowed By Administrator
• 18 — Allowed on GW Installer
• 21 — Suspend Process
• 1009 — Reported
• 1010 — Unquarantine
• 1011 — Rename
• 1012 — Block URL

date
string

Date and time of detection.

Example: "2020-11-20T20:27:18.725Z"

device_id
string

Identifier of the device.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

site_id
string

Identifier of the site.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

event_id
integer

Identifier of the event.

Example: 69608597

event_type
integer

Indicates the event type. This can be one of these values:

• 0 — Malware
• 1 — Exploit
• 2 — PUPs
• 3 — Blocked Item
• 6 — Lock Plus Advanced Security
• 7 — Lock Plus Application Control
• 8 — Application Control
• 10 — Network Attack Activity

dwell_time
integer

Indicates the number of seconds that the threat was on the device without classification.

Example: 60

is_excluded
boolean

Indicates if data has been excluded.

Example: true

hash
string

Hash of an element.

Example: 009a9b4ff00946f9a5a5659dfe9086da

host_name
string

Name of the host.

Example: WIN_SERVER_6

item_name
string

Name of the threat.

Example: MalwareName

made_external_connections
boolean

Indicates if malware made external connections.

Example: true

path
string

Name of the threat path.

Example: ThreatPathName

protection_mode
integer

Indicates the protection mode. This can be one of these values:

• 0 — Undefined
• 1 — Audit
• 2 — Hardening
• 3 — Lock

reclassified_to_type
integer

Indicates the type to which it has been reclassified. This can be one of these values:

• 0 — Blocked
• 1 — Malware
• 3 — PUP
• 6 — Goodware
• 11 — Removed From List

like_lihood_of_being_malicious
integer

Indicates the likelihood of being malicious. This can be one of these values:

• 0 — Low
• 1 — Medium
• 2 — High
• 3 — Very High

discard_motive
integer

Reason for discarding the knowledge sample. This can be one of these values:

• 0 — Unknown
• 1 — Other Reason
• 2 — File Max Size

lock_plus_rule_id
integer

LockPlus Rule ID. This can be one of these values:

• 1 — Obfuscated Params PowerShell
• 2 — User Executed PowerShell
• 4 — Unknown Scripts
• 5 — Locally Built Programs
• 6 — Documents With Macros
• 7 — Windows Boot Registry
• 101 — Forbidden MD5
• 102 — Forbidden Program Name

user_name
string

Username.

Example: Name

was_run
boolean

Indicates if the item has been executed.

Example: true

source_ip
string

Name of the source IP.

Example: SourceIPName

source_machine_name
string

Name of the source device.

Example: SourceDeviceName

source_user
string

Source username.

Example: SourceUserName

detection_technology
string

Name of detection technology in exploit detections.

Example: DetectionTechnologyName

exploit_technique
string

Exploit technique.

Example: ExploitTechnique

risk
boolean

Indicates whether it is a risk exploit.

Example: true

description
string

Device description in antivirus detections.

Example: DeviceDescription

domain
string

Domain of device in antivirus detections.

Example: DeviceDomain

detected_by
integer

Protection or technology in antivirus detections. This can be one of these values:

• 1 — On-Demand Scan
• 2 — File Resident
• 3 — Mail Resident
• 4 — Firewall
• 5 — Device Control
• 6 — Exchange Mailbox
• 7 — Exchange Transport
• 8 — Exchange Antispam
• 9 — Web Protection
• 10 — Exchange Content
• 11 — Minerva
• 12 — Web Access Control
• 13 — Anti-theft
• 14 — Anti-tampering
• 15 — Personal Information Tracking
• 16 — Isolation
• 17 — Data Search Control
• 18 — Patch Management
• 19 — Personal Information Inventory
• 20 — Application Control
• 21 — Encryption USB
• 22 — Authorized Software

device_type
integer

Device type in antivirus and firewall detections. This can be one of these values:

• 0 — Undefined
• 1 — Workstation
• 2 — Laptop
• 3 — Server
• 4 — Mobile

platform_id
integer

Platform of the affected device. This can be one of these values:

• 0 — Undefined
• 1 — Windows
• 2 — Linux
• 3 — Mac
• 4 — Android
• 5 — iOS

excluded
boolean

Indicates if the element has been excluded in antivirus detection.

Example: true

file_info_discard
string

Hash to identify the file in antivirus detections.

Example: 009a9b4ff00946f9a5a5659dfe9086da

id
string

Identifier in antivirus detections.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

ip_address
string

IP address of the device in antivirus and firewall detections.

Example: 192.168.1.10

malware_name
string

Malware name in antivirus detections.

Example: MalwareName

malware_category
integer

Malware category in antivirus detections. This can be one of these values:

• 1 — Virus
• 2 — Spyware
• 3 — HackingPpnd
• 4 — Phishing
• 5 — Suspicious
• 6 — Blocked Operations
• 7 — Tracking Cookies
• 8 — Malware URL
• 9 — Other

malware_type
integer

Malware type in antivirus detections. This can be one of these values:

• 21 — Nereus Heuritic
• 22 — Beta Trace Heuritic
• 23 — Smart Clean Heuritic
• 24 — Cloud Heuritic
• 25 — 1N
• 26 — Behavioral
• 31 — Confirmed Goodware
• 32 — Not Confirmed Goodware
• 33 — Unwanted Goodware
• 34 — Ranked
• 35 — Digital Signature
• 101 — Virus
• 102 — Worm
• 103 — Trojan
• 104 — TrojanPwdeal
• 105 — Dialer
• 106 — Joke
• 107 — Security Risk
• 108 — Spyware
• 109 — Adware
• 110 — Worm Fake Worm
• 111 — Tracking Cookie
• 112 — PUP
• 113 — Hacking Tool
• 114 — Vulnerability
• 115 — Max Size
• 116 — Zip of Death
• 117 — Packer of Death
• 118 — Hoax
• 119 — Phis Fraud
• 120 — Rootkit
• 121 — Backdoor
• 122 — Virus Constructor
• 123 — Malicious URL
• 201 — Advertising
• 202 — Toolbar
• 203 — Net Tool
• 204 — Advert Popup
• 219 — Illegal
• 223 — Internet Tools
• 227 — Offensive
• 236 — Society Education
• 241 — Content Filter

number_of_occurrences
integer

Number of occurrences in antivirus detections.

Example: 3

security_event_date
string

Security event date and time for antivirus, firewall, and device control detections.

Example: "2021-07-20T20:27:18.725Z"

site_name
string

Site name in antivirus and firewall detections.

Example: SiteName

network_activity_type
integer

Network activity type in firewall detections. This can be one of these values:

• 1 — IcmpAttack
• 2 — UdpPortScan
• 3 — HeaderLengths
• 4 — UdpFlood
• 5 — TcpFlagsCheck
• 6 — SmartWins
• 7 — IpExplicitPath
• 8 — LandAttack
• 9 — SmartDns
• 10 — IcmpFilterEchoRequest
• 11 — OsDetection
• 12 — SmartDhcp
• 13 — SynFlood
• 14 — SmartArp
• 15 — TcpPortScan

direction
integer

Direction of firewall blocked connections. This can be one of these values:

• 1 — Incoming
• 2 — Outgoing
• 3 — Incoming and Outgoing
• 4 — Internal

protocol
integer

Protocol of firewall blocked connections. This can be one of these values:

• 1 — TCP
• 2 — UDP
• 3 — TCPUDP
• 4 — ICMP
• 5 — IP
• 6 — All

local_endpoint
string

Firewall blocked connections for a local endpoint, in JSON format: Mac Address, IP Address, Port, and IP Type. IP type can be one of these values:

• 0 — Unknown
• 1 — IPV4
• 2 — IPV6

Example: {"mac_address": "34:0A:E5:C2:DE:0C","ip_address": "192.168.0.173","port": 58550,"ip_type": 1}

remote_endpoint
string

Firewall blocked connections for a remote endpoint, in JSON format: Mac Address, IP Address, Port, and IP Type. IP type can be one of these values:

• 0 — Unknown
• 1 — IPV4
• 2 — IPV6

Example: {"mac_address": "47:0A:E5:C2:DE:2F","ip_address": "192.168.0.75","port": 58550,"ip_type": 1}

rule_id
string

Identifier of a rule in firewall blocked connections and in indicators of attack detections.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

rule_name
string

Rule name for firewall blocked connections and for indicators of attack detections.

Example: MyRule

rule_configuration_id
string

Identifier of rule configuration in firewall blocked connections.

Example: 9b7205bc-60e0-45a0-9956-b17b6a8673f6

rule_obsolete
boolean

Indicates if the rule is obsolete in firewall blocked connections.

Example: false

alias
string

Alias name for device control detections.

Example: AliasName

instance_id
string

Instance identifier for device control detections.

Example: 9b7205bc-60e0-45a0-9956-b17b6a8673f6

type
integer

Type of device for device control detections. This can beone of these values:

• 0 — Undefined
• 1 — Removable Storage
• 2 — Image Capture
• 3 — Optical Storage
• 4 — Bluetooth
• 5 — Modem
• 6 — Mobile

rule_risk
integer

Indicates the rule risk for indicators of attack detections. This can be one of these values:

• 0 — Undefined
• 1 — Critical
• 2 — High
• 3 — Medium
• 4 — Low
• 1000 — Unknown

rule_mitre
string

Array with JSON pairs of the MITRE attack tactic and technique in indicators of attack detections.

Example: [{tactic: "TA0006", technique: "T1003"}]

status
integer

Indicates the status in indicators of attack detections. This can be one of these values:

• 0 — Undefined
• 1 — Pending
• 2 — Filed

endpoint_event_date
string

Endpoint event date in indicators of attack detections.

Example: "2021-07-20T20:27:18.725Z"

filed_date
string

Filed date in indicators of attack detections.

Example: "2021-07-20T20:27:18.725Z"

since_until_filed
string

Time since the filed date in indicators of attack detections.

Example: 8.07:06:05 specifies 8 days, 7 hours, 6 minutes, and 5 seconds

count
integer

Number of occurrences in indicators of attack detections.

Example: 3

custom_group_folder_id
string

Identifier of the assigned custom group folder.

Example: 1b7205bc-60e0-45a0-9956-b17b6a8673f6

custom_group_folder_info
array

Array of folders that represents the path where the device is located in the management UI.

name
string

Name of the folder.

Example: Windows

type
integer

Type of folder. This can be one of these values:

• 1 — Root folder
• 2 — Custom folder
• 3 — Active Directory root folder
• 4 — Site folder
• 5 — Domain controller folder
• 6 — Active Directory folder
• 7 — IP address range folder

is_translatable
boolean

Indicates whether you can rename the folder. This can be one of these values:

• True — The system assigns the folder name automatically. The name depends on the selected language.
• False — The administrator assigns and can change the folder name.

network_attack
string

Network attack name.

Example: Denial of Service attack (DoS)

local_ip_address
string

Local IP address in network attack detections.

Example: 192.168.1.1

remote_ip_address
string

Remote IP address in network attack detections.

Example: 192.168.10.1

total_items
integer

Count is not supported. Currently, null is always displayed in this field.

Example: null

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

device_ids
array
REQUIRED

List of IDs of devices to uninstall protection from.

Example: "00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

device_ids
array
REQUIRED

List of IDs of devices to isolate.

Example: "00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"

exclusion_programs
array

List of programs to exclude from isolation and allow to communicate normally.

Example: "Chrome.exe"

customized_message
string

Text to show in an alert message on the isolated devices.

Example: This computer has been isolated by an administrator.

hide_customized_alert
boolean

Indicates whether to hide the customized alert message on isolated devices.

Example: true

processed_device_ids
string

List of IDs of the isolated devices.

Example: [ "00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2" ]

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

device_ids
string
REQUIRED

List of IDs of isolated devices to remove from isolation.

Example: ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]

processed_device_ids
string

List of IDs of devices removed from isolation.

Example: ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

device_ids
string
REQUIRED

List of IDs of the devices to initiate an action on.

Example: ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]

action_type
integer
REQUIRED

Type of action to initiate on the device. Specify one of these values:

• 1 — Reboot

count_down_type
integer
REQUIRED

Amount of time to count down to the action. Specify one of these values:

• 1 — Immediate
• 2 — Fifteen minutes
• 3 — Thirty minutes
• 4 — One hour
• 5 — Two hours
• 6 — Four hours
• 7 — Eight hours

processed_device_ids
string

List of IDs of rebooted devices.

Example: ["00ab3e54-7bb7-4bd3-bd39-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"]

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

device_ids
string
REQUIRED

List of IDs of devices to scan.

Example: "00ab3e54-7bb7-4bd3-r0lo-237a9d191a44", "287324d8-194f-4f5a-a7ad-e2480d5ad1b2"

task_name
string
REQUIRED

Name of the scan task.

Example: Routine scan.

task_description
string

Description of the scan task.

Example: Windows 8 machines only.

scan_scope
integer

Scope of the scan task. Specify one of these values:

• 0 — Entire computer
• 1 — Critical areas
• 2 — Specified items

Example: 0

specified_items_to_scan
string

List of specific locations or items to scan. All folders and files in the specified locations are scanned.

Works only when scan_scope is 2.

Example: "C:\Downloads", "C:\Documents"

detect_hacking_tools
boolean

Indicates whether to detect hacking tools. This detects potentially unwanted programs, as well as programs used by hackers.

Example: false

detect_suspicious_files
boolean

Indicates whether to detect suspicious files. In scheduled scans, the tool scans computer software but does not run it. Some types of threats have a lower chance of detection. Set this option to true to scan with heuristic algorithms and improve detection rates.

Example: true

scan_compressed_files
boolean

Indicates whether to scan compressed files. This decompresses compressed files and scans their contents.

Example: true

apply_exclusions_on_scan
boolean

Indicates whether to exclude items from the scan, such as specific files, files with a specific extension, or a specific directory.

Example: true

extensions_to_exclude
string

List of file extensions to exclude from the scan.

Works only when apply_exclusions_on_scan is true.

Example: "exe", "pdf"

files_to_exclude
string

List of file names (with their extensions) to exclude from the scan.

Works only when apply_exclusions_on_scan is true.

Example: "Chrome.exe", "Explorer.exe"

folders_to_exclude
string

List of folders to exclude from the scan. You must include the full path.

Works only when apply_exclusions_on_scan is true.

Example: "D:/shared_drive/documents"

execution_window_expiration
string

Time period in which the scan must run before it times out. The default is 7 days.

Example: 8.07:06:05 specifies 8 days, 7 hours, 6 minutes, and 5 seconds

task_id
string

ID of the completed scan task.

Example: 12a345a6-a789-0123-a4aa-56a7890a12a3

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$search
string

Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username."

The supported search fields depend on the endpoint:

• Devices: Host name, description, IP address, logged on user
• DeviceProtectionStatus: Host name
• ManagedConfigurations: Name, description

Example: name

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$orderby
string

Specifies how to order results. You can order by any parameter in the response and sort results in ascending or descending order.

Specify a parameter name with any underscores removed, followed by a + (plus sign) and either asc (ascending) or desc (descending).

For example, to order results by the host_name parameter in descending order, specify hostname+desc. If you do not specify a field to order by, the API will use the order in the database.

Example: hostname+desc

data
string

Array of device data.

device_id
string

Identifier for the device.

Example: 287324d8-194f-4f5a-a7ad-e2480d5ad1b2

account_id
string

Identifier of the account.

Example: cd6c6dd6-b97f-453d-ad81-a5976dc0596c

site_id
string

Identifier of the site.

Example: 8b7205bc-60e0-45a0-9956-b17b6a8673f6

host_name
string

Name of the host.

Example: WIN_SERVER_6

ip_address
string

IP address of the device.

Example: 192.0.2.1

mac_address
string

MAC address of the device.

Example: 00:0a:95:9d:68:16

probe_name
string

Name of the device that discovered the unmanaged device.

Example: Probe computer 7

last_seen_datetime
string

Date and time the unmanaged device was found.

Example: 2020-11-20T20:27:18.725Z

network_interface_controller_vendor
string

Manufacturer of the network card in the device.

Example: Intel

description
string

Description of the device.

Example: Finance mac01

status
integer

Status of the device. This can be one of these values:

• 0 — Undefined
• 1 — Discovered
• 2 — Installing
• 3 — Error

Example: 1

installation_error
integer

Unmanaged device installation error. This can be one of these values:

• 200000 — Unable to connect to the computer. Make sure the computer is turned on and meets the remote installation requirements.
• 200053 — Unable to connect to the computer. Make sure the computer is turned on and meets the remote installation requirements.
• 201312 — Wrong credentials. Launch the installation again using credentials with sufficient privileges to perform the installation.
• 201326 — Wrong credentials. Launch the installation again using credentials with sufficient privileges to perform the installation.
• 299999 — Discovery computer not available.
• 300000 — Operating system not supported. Make sure the computer is turned on and meets the remote installation requirements.
• 301077 — Operating system not supported. Make sure the computer is turned on and meets the remote installation requirements.
• 400000 — Unable to download the agent installer. Make sure the computer is turned on and meets the remote installation requirements.
• 400002 — Unable to download the agent installer. Make sure the computer is turned on and meets the remote installation requirements.
• 400112 — Unable to download the agent installer. Make sure the computer is turned on and meets the remote installation requirements.
• 500000 — Unable to copy the agent installer. Make sure the computer is turned on and meets the remote installation requirements.
• 500112 — Unable to copy the agent installer. Make sure the computer is turned on and meets the remote installation requirements.
• 600000 — Unable to install the agent. Make sure the computer is turned on and meets the remote installation requirements.
• 601603 — Unable to install the agent. Make sure the computer is turned on and meets the remote installation requirements.
• 700000 — Unable to register the agent. Make sure the computer is turned on and meets the remote installation requirements.
• 701603 — Unable to register the agent. Make sure the computer is turned on and meets the remote installation requirements.
• 900000 — Unable to install the protection.
• 900112 — Not enough disk space.
• 901601 — Windows installer is not operational.
• 901602 — Removal of the third-party protection installed was canceled by the user.
• 901603 — Unable to install the protection.
• 901618 — Another installation is in progress.
• 999999 — Unhandled error during installation.
• 1000000 — Unable to download the protection.
• 1100000 — Error automatically uninstalling a third-party protection application.
• 1200000 — No uninstaller available to remove a third-party protection application.

Example: 200000

total_items
integer

Total number of unmanaged devices.

If the count request parameter is true, total_items displays the total number of unmanaged devices. If count is false, then total_items displays null.

Example: 2

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

without_risk
integer

Total number of devices with no risk.

Example: 25

medium_risk
integer

Total number of devices with medium risk.

Example: 43

high_risk
integer

Total number of devices with high risk.

Example: 14

critical_risk
integer

Total number of devices with critical risk.

Example: 0

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

$filter
string

Specifies the device or type of device to retrieve risk information from. You can combine two or more values with the boolean operators %20And%20 and %20Or%20:

• 4005%20Eq%20 — Type of device. 1=Workstation, 2=Laptop, 3=Server, 4=Mobile.
• 4004%20Eq%20 — Type of operating system installed on the device. 1=Windows, 2=Linux, 3=Mac, 4=Android, 5=iOS.
• 101%20Eq%20 — Identifier for the device.

data
array

Array of risk data.

risk_factor
integer

Identifier of the risk. This can be one of these values:

• 10 — No protection
• 20 — Out-of-date protection
• 30 — Out-of-date knowledge (more than 30 days)
• 40 — No connectivity to knowledge servers
• 50 — No uninstallation protection
• 60 — Anti-tamper protection disabled
• 70 — File antivirus disabled
• 80 — Advanced protection for Windows disabled or in ‘Audit’ mode
• 90 — Advanced protection for Windows in ‘Hardening’ mode
• 100 — Advanced protection for Linux disabled or in 'Do not detect’ or ‘Audit’ mode
• 110 — Anti-exploit protection disabled or in 'Audit' mode
• 120 — Anti-phishing protection disabled
• 130 — Web browsing antivirus disabled
• 140 — Folder, file, and extension exclusions
• 150 — Recent indicators of attack
• 160 — Critical patches pending installation
• 170 — Audit mode enabled
• 180 — Network attack protection disabled or in Audit mode

Example: 70 (File antivirus disabled)

risk_severity
integer

Assigned risk level. This can be one of these values:

• 0 — Undefined
• 20 — Medium risk
• 30 — High risk
• 40 — Critical risk
• 50 — Based on the risk of the indicators of attack

Example: 40 (Critical risk)

total_active_devices_counter
integer

Number of devices where the risk was detected.

Example: 1

total_without_risk
integer

Number of devices where the risk was not detected.

Example: 2

total_not_applicable_by_platform
integer

Number of devices where the risk was not evaluated because it is not compatible with the type of device.

Example: 0

total_not_evaluated_on_device
integer

Number of devices where the risk was not evaluated because you did not enable it for detection.

Example: 0

total_items
integer

Total number of retrieved risks.

If the count request parameter is true, total_items displays the total number of retrieved risks. If count is false, then total_items displays null.

Example: 1

accountId
string
REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

$top
integer

Specifies the number of objects to retrieve.

Example: 5

$skip
integer

Bypasses the specified number of objects in the results returned.

For example, if you specify 10, the results start at object 11.

Example: 5

$search
string

Returns only objects that include the specified text string. For example, "name" returns objects that include "hostname" and "username".

The supported search field is the device host name.

$count
boolean

Indicates whether to return a counter that shows the total number of objects in the total_items response parameter.

Example: true

$filter
string

Specifies a filter to retrieve devices. You can combine two or more values with the boolean operators %20And%20 and %20Or%20:

• 4005%20Eq%20 — Type of device. 1=Workstation, 2=Laptop, 3=Server, 4=Mobile.
• 4004%20Eq%20 — Type of operating system installed on the device. 1=Windows, 2=Linux, 3=Mac, 4=Android, 5=iOS
• 72001%20Eq%20 — Risk level. 5=No risk, 20=Medium, 30=High, 40=Critical
• 72002%20Eq%20 — Risk detected. 10=No protection, 20=Out-of-date protection, 30=Out-of-date knowledge (more than 30 days), 40=No connectivity to knowledge servers, 50=No uninstallation protection, 60=Anti-tamper protection disabled, 70=File antivirus disabled, 80=Advanced protection for Windows disabled or in Audit mode, 90=Advanced protection for Windows in Hardening mode, 100=Advanced protection for Linux disabled or in Do not detect or Audit mode, 110=Anti-exploit protection disabled or in Audit mode, 120=Anti-phishing protection disabled, 130=Web browsing antivirus disabled, 140=Folder, file, and extension exclusions, 150=Recent indicators of attack, 160=Critical patches pending installation, 170=Audit mode enabled, 180=Network attack protection disabled or in Audit mode
• 101%20Eq%20 — Identifier for the device.
• 9001%20AmongTheLast%20[x,y]— Retrieves devices where risks were detected within the specified time period.
• 9001%20NotAmongTheLast%20[x,y]— Retrieves devices where risks were detected outside the specified time period.

Specify the length of the time period in the format [x, y] where x is the number of units and y is the unit of time:

• 1 — Years
• 2 — Months
• 3 — Days
• 4 — Hours

Example: Retrieves devices for the last 7 days: filter=9001%20AmongTheLast%20[7,3].

Example: Retrieves devices outside the last 3 months. filter=9001%20NotAmongTheLast%20[3,2].

data
array

Array of risk data.

device_id
string

Identifier for the device.

Example: 18421fc0-285a-41e6-8a67-a8cb400bedd0

host_name
string

Host name of the device.

Example: WIN-SERVER-1

last_connection_date
string

Date and time of the last connection of the device.

Example: 2022-12-20T00:39:21.574Z

device_risk_severity
integer

Risk level associated with the device. This can be one of these values:

• 0 — Undefined
• 5 — No risk
• 20 — Medium risk
• 30 — High risk
• 40 — Critical risk

Example: 40

risk_status_counters
object

Number of risks found on the device by risk level.

total_critical_risk
integer

Number of critical-level risks found on the device.

Example: 1

total_high_risk
integer

Number of high-level risks found on the device.

Example: 0

total_medium_risk
integer

Number of medium-level risks found on the device.

Example: 0

total_without_risk
integer

Number of risks not found on the device.

Example: 4

total_not_applicable_by_platform
integer

Number of risks not compatible with the operating system or type of device.

Example: 9

total_not_evaluated_on_device
integer

Number of risks not evaluated on the device because they were not enabled for detection.

Example: 2

total_items
integer

Total number of retrieved devices.

If the count request parameter is true, total_items displays the total number of devices. If count is false, then total_items displays null.

Example: 1

accountId

string

REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

period
string

Period of time to retrieve risk detection counters for. Specify one of these values:

• 7 — Previous 7 days
• 30 — Previous 30 days (by default)

key
array

Array with the date key and risk level assigned.

date
string

Date and time of the overview.

Example: 2022-11-21T23:59:59.999Z

device_risk_severity
integer

Risk level associated with the device. This can be one of these values:

• 0 — Undefined
• 5 — No risk
• 20 — Medium risk
• 30 — High risk
• 40 — Critical risk

value
integer

Number of devices found for the specified key.

Example: 14

accountId

string

REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

recommended_severity
integer

Risk level recommended by default by WatchGuard Technologies Inc.. This can be one of these values:

• 0 — Undefined
• 20 — Medium risk
• 30 — High risk
• 40 — Critical risk
• 50 — Based on the risk of the indicators of attack

Example: 40

factor
integer

Risk type. This can be one of these values:

• 10 — No protection
• 20 — Out-of-date protection
• 30 — Out-of-date knowledge (more than 30 days)
• 40 — No connectivity to knowledge servers
• 50 — No uninstallation protection
• 60 — Anti-tamper protection disabled
• 70 — File antivirus disabled
• 80 — Advanced protection for Windows disabled or in ‘Audit’ mode
• 90 — Advanced protection for Windows in ‘Hardening’ mode
• 100 — Advanced protection for Linux disabled or in 'Do not detect’ or ‘Audit’ mode
• 110 — Anti-exploit protection disabled or in 'Audit' mode
• 120 — Anti-phishing protection disabled
• 130 — Web browsing antivirus disabled
• 140 — Folder, file, and extension exclusions
• 150 — Recent indicators of attack
• 160 — Critical patches pending installation
• 170 — Audit mode enabled
• 180 — Network attack protection disabled or in Audit mode

Example: 10

enable
boolean

Indicates whether the risk is enabled for detection in the settings.

Example: true

severity
integer

Risk level. This can be one of these values:

• 0 — Undefined
• 20 — Medium risk
• 30 — High risk
• 40 — Critical risk
• 50 — Based on the risk of the indicators of attack

Example: 40

edited_by_user
boolean

Indicates whether the risk level is the recommended value or it was modified by you.

Example: false

supported
boolean

Indicates whether the risk is compatible with the type of product assigned to the account.

Example: false

threshold
integer

The value is null for all risks, except for these risks:

• 150 — Number of days that the solution checks for IOAs. The default value is 30 days. This value is not shown in the Web UI.
• 160 — Maximum number of days that can pass before a published patch must be applied. After that period, the risk is detected.

accountId

string

REQUIRED

Your WatchGuard Cloud account ID, as shown on the My Account page in WatchGuard Cloud.

Example: WGC-1-123abc456 or ACC-1234567

risk_settings_list
array
REQUIRED

List of types of risks to configure.

recommended_severity
integer

Risk level recommended by WatchGuard Technologies Inc.. This value has no effect, but you must include it. This can be one of these values:

• 0 — Undefined
• 20 — Medium risk
• 30 — High risk
• 40 — Critical risk
• 50 — Based on the risk of the indicators of attack

factor
integer

Risk type. This can be one of these values:

• 10 — No protection
• 20 — Out-of-date protection
• 30 — Out-of-date knowledge (more than 30 days)
• 40 — No connectivity to knowledge servers
• 50 — No uninstallation protection
• 60 — Anti-tamper protection disabled
• 70 — File antivirus disabled
• 80 — Advanced protection for Windows disabled or in ‘Audit’ mode
• 90 — Advanced protection for Windows in ‘Hardening’ mode
• 100 — Advanced protection for Linux disabled or in 'Do not detect’ or ‘Audit’ mode
• 110 — Anti-exploit protection disabled or in 'Audit' mode
• 120 — Anti-phishing protection disabled
• 130 — Web browsing antivirus disabled
• 140 — Folder, file, and extension exclusions
• 150 — Recent indicators of attack
• 160 — Critical patches pending installation
• 170 — Audit mode enabled
• 180 — Network attack protection disabled or in Audit mode

Example: 10

enable
boolean

Indicates whether the risk is enabled for detection in the settings.

Example: true

severity
integer

Risk level. This can be one of these values:

• 0 — Undefined
• 20 — Medium risk
• 30 — High risk
• 40 — Critical risk
• 50 — Based on the risk of the indicators of attack

Example: 40.

edited_by_user
boolean

Indicates whether the risk level is the recommended value or it was modified by you. This value has no effect, but you must include it.

Example: true

supported
boolean

Indicates whether the risk is compatible with the type of product assigned to the account. This value has no effect, but you must include it.

Example:true

threshold
integer

This value has no effect for all risks, except for these risks:

• 150 — Number of days that the solution checks for IOAs. The default value is 30 days. This value is not shown in the Web UI.
• 160 — Maximum number of days that can pass before a published patch must be applied. After that period, the risk is detected.

processed_ok
boolean

Result of applying the risk configuration.

Example: true