Fetch Event Details
For API version information, refer to the API Version History section.
Non-Versioned
This API retrieves details for an event.
Input Parameters

| Input Parameters | Mandatory/Optional | Description |
|---|---|---|
| agentId (String) | Mandatory | ID of the agent for which you want to fetch the details. |
| eventId (String) | Mandatory | ID of the event for which you want to fetch the details. |
| Authorization (String) | Mandatory | Authorization token to authenticate to the Qualys Enterprise TruRisk™ Platform. Prepend the token with "Bearer" and one space, for example: Bearer authToken. |
| filter (String) | Optional | Filter the events list by providing a query in Qualys syntax. Refer to the How to Search topic in the online help for assistance with creating your query. For example: event.datetime:["2024-09-15T00:30:00.000Z".."2024-09-22T18:29:59.999Z"] AND action: 'Created'. You can filter events by the time they were generated (event.datetime) or the time they were processed at Qualys (event.eventprocesstime). If you want to fetch events by date AND time, use the "event.datetime" or "event.eventprocesstime" field. |
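The request described by the parameter table above, as an added example that is not part of the Qualys documentation: it builds the same GET that the curl samples on this page send (URL-encoded filter query parameter, Bearer authorization header) and formats an event.datetime range in the documented timestamp form. The base URL, agent ID, event ID and token values are placeholders; the function names are this example's own, and nothing is sent over the network.

```python
# Added example, not Qualys code: build the Fetch Event Details request the
# way the curl samples on this page do (GET, URL-encoded "filter", Bearer header).
# Base URL, IDs and token are placeholders supplied by the caller.
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlparse
from urllib.request import Request


def qualys_timestamp(dt: datetime) -> str:
    """Format a timezone-aware datetime in the Z-suffixed millisecond form used
    by the page's filter example (2024-09-15T00:30:00.000Z). Naive datetimes
    are rejected instead of being silently assumed to be UTC."""
    if dt.tzinfo is None:
        raise ValueError("filter timestamps must be timezone-aware")
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def datetime_filter(start: datetime, end: datetime, field: str = "event.datetime",
                    extra: Optional[str] = None) -> str:
    """Build a Qualys-syntax range filter on event.datetime or
    event.eventprocesstime, optionally ANDed with a further clause."""
    if field not in ("event.datetime", "event.eventprocesstime"):
        raise ValueError("unsupported time field: " + field)
    if end < start:
        raise ValueError("range end precedes range start")
    query = f'{field}:["{qualys_timestamp(start)}".."{qualys_timestamp(end)}"]'
    return f"{query} AND {extra}" if extra else query


def build_event_request(base_url: str, agent_id: str, event_id: str, token: str,
                        filter_query: Optional[str] = None) -> Request:
    """Return a urllib Request for GET /ioc/events/{agentId}/{eventId}.
    The filter goes into the query string exactly as curl -G --data-urlencode
    sends it; path segments are percent-encoded so an unexpected '/' or '?'
    in an ID cannot alter the route."""
    if not token or token.lower().startswith("bearer "):
        raise ValueError("pass the raw token; the Bearer prefix is added here")
    url = (f"{base_url.rstrip('/')}/ioc/events/"
           f"{quote(agent_id, safe='')}/{quote(event_id, safe='')}")
    if filter_query:
        url += "?" + urlencode({"filter": filter_query})
    return Request(url, headers={"Authorization": f"Bearer {token}"}, method="GET")


def filter_of(request: Request) -> Optional[str]:
    """Decode the filter back out of a built request (round-trip check)."""
    values = parse_qs(urlparse(request.full_url).query).get("filter")
    return values[0] if values else None


def demo() -> dict:
    """Reproduce the page's example filter and a request like the curl sample.
    Host, IDs and token are placeholders, not real values."""
    window = datetime_filter(
        datetime(2024, 9, 15, 0, 30, tzinfo=timezone.utc),
        datetime(2024, 9, 22, 18, 29, 59, 999000, tzinfo=timezone.utc),
        extra="action: 'Created'",
    )
    req = build_event_request("https://qualys-base-url.example", "AGENT_ID_PLACEHOLDER",
                              "EVENT_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER", "type:file")
    try:
        qualys_timestamp(datetime(2024, 9, 15))  # naive: must be refused
        naive_rejected = False
    except ValueError:
        naive_rejected = True
    return {"window": window, "url": req.full_url, "auth": req.get_header("Authorization"),
            "filter": filter_of(req), "naive_rejected": naive_rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Passing the built Request to `urllib.request.urlopen` performs the call; the token check refuses a value that already carries the "Bearer " prefix so the header is never doubled.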
Sample - Fetch File Event Details
API request
curl -G --data-urlencode "filter=type:file" \
  "<qualys_base_url>/ioc/events/fxxxx2-222a-xxxx-abcd-28exxxxx11/F_fexxxxx-222a-1111-abcd-2xxxx11-1xxxx505xxxxxx8xxx56" \
  -H "Authorization: Bearer <token>"
Response
[
{
"dateTime": "2025-02-19T13:23:45.175+0000",
"eventSource": "EDR",
"indicator2": [
{
"score": "7",
"sha256": "3247bcfd60f6dd25f34cb74b5889ab10ef1b3ec72b4d4b3d95b5b25b534560b8",
"familyName": "virus",
"verdict": "MALICIOUS",
"threatName": "virus",
"category": "virus"
}
],
"type": "FILE",
"actor": {
"processEventId": "RTP_900a3661-8a3b-3547-82f8-743e68a5ad5f_11-2-2025",
"processUniqueId": "7203985709335574011",
"processId": 2864,
"processName": "MsMpEng.exe",
"imageFullPath": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24090.11-0\\MsMpEng.exe",
"productName": "Microsoft® Windows® Operating System"
},
"score": "7",
"scoreSource": "REVERSING_LAB",
"file": {
"fullPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"extension": "exe",
"product": "Microsoft® Windows® Operating System",
"fileName": "powershell.exe",
"sha256": "3247bcfd60f6dd25f34cb74b5889ab10ef1b3ec72b4d4b3d95b5b25b534560b8",
"writeDate": "2024-08-09T07:22:08.000+0000",
"description": "Windows PowerShell",
"macroEmbedded": false,
"version": "10.0.22621.3085",
"path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
"createdDate": "2024-08-09T07:22:08.000+0000",
"size": 450560,
"accessDate": "2025-01-10T07:10:47.000+0000",
"certificates": [
{
"expiryDate": "2024-11-14T19:20:09.000+0000",
"certificateSigned": true,
"certificateIssuer": "Microsoft Windows Production PCA 2011",
"certificateValid": false,
"certificateIssuedTo": "Microsoft Windows",
"certificateSignedDate": "2023-11-16T19:20:09.000+0000",
"certificateHash": "d8fb0cc66a08061b42d46d03546f0d42cbc49b7c"
}
],
"nonPEFile": false,
"company": "Microsoft Corporation",
"fileType": "exe",
"md5": "9d8e30daf21108092d5980c931876b7e"
},
"action": "READ",
"id": "RTF_55fcc54e-2cbb-3177-81c0-f42e413312d2_19-2-2025",
"category": [
"virus"
],
"asset": {
"fullOSName": "Microsoft Windows 11 Enterprise 10.0.22631 Build 22631",
"hostName": "WIN-AS-IPV6-4-2",
"agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
"interfaces": [
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
},
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
}
],
"netBiosName": "WIN-AS-IPV6-4-2",
"customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
"platform": "Windows",
"tags": [
{
"name": "Maine_District_Court",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
},
{
"name": "Meena",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
},
{
"name": "Cloud Agent",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
}
]
}
}
]
Response Field Descriptions

| Dataset Name | Field Name | Data Type | Description |
|---|---|---|---|
| Event | dateTime | Timestamp | Timestamp of the last reported EDR event (ISO 8601 format). |
| | eventSource | String | The source of the event (Anti-malware or EDR). |
| | type | String | The type of event (e.g., 'FILE' indicates a file-related event). |
| | score | String | The overall threat severity score based on reputation data from Threat Intelligence feeds. |
| | scoreSource | String | The source of the score (e.g. Anti-malware, Behavioral Detection, Qualys Research, Sandbox, Threat Intelligence). |
| | action | String | An action performed on the file (e.g. "READ", "CREATED"). |
| | id | String | A unique identifier assigned to the agent installed on the asset. |
| | category | Array of String | A list of categories associated with the event (e.g., 'virus'). |
| | indicator2 | Array of Object | A list of indicators (detected threats); each object carries detailed information. Dataset: indicator2 |
| | actor | Object | Details about the process that triggered the event. Dataset: actor |
| | file | Object | Details related to the file involved in the event. Dataset: file |
| | file.certificates | Object | A list of certificates associated with the file. Contains certificate information. Dataset: file.certificates |
| | asset | Object | Details about the host system where the event occurred. Dataset: asset |
| | asset.interfaces | Array of Object | A list of network interfaces on the host system, including network-related details such as IP and MAC addresses. Dataset: asset.interfaces |
| | asset.tags | Array of Object | A list of tags associated with the asset. Contains tag details such as name and unique identifier. Dataset: asset.tags |
| indicator2 | score | String | The threat severity score. |
| | sha256 | String | The SHA-256 hash value of the file associated with the indicator. |
| | familyName | String | The family name of the detected malware or threat (e.g., "virus"). |
| | verdict | String | The verdict assigned to the file (e.g., "MALICIOUS"). |
| | threatName | String | The name of the detected threat. |
| | category | String | The category of the detected threat (e.g., "virus"). |
| actor | processEventId | String | The unique identifier for the process event. |
| | processUniqueId | String | The unique identifier for the process. |
| | processId | Integer | The process ID of the actor involved in the event. |
| | processName | String | The name of the process responsible for the event (e.g., "MsMpEng.exe"). |
| | imageFullPath | String | The full file path of the executable that triggered the event. |
| | productName | String | The name of the product associated with the process (e.g., "Microsoft Windows Operating System"). |
| file | fullPath | String | The full file path of the involved file. |
| | extension | String | The file extension of the involved file (e.g., "exe"). |
| | product | String | The product name associated with the file. |
| | numOfPages | Integer | The number of pages in the file (if applicable). |
| | fileName | String | The name of the file involved in the event. |
| | sha256 | String | The SHA-256 hash value of the file. |
| | writeDate | String | The date and time when the file was last written to. |
| | description | String | The description of the file (e.g., "Windows PowerShell"). |
| | macroEmbedded | Boolean | Indicates whether the file contains embedded macros ('false' if no macros are present). |
| | version | String | The version of the file involved. |
| | path | String | The path where the file is located. |
| | createdDate | String | The date and time when the file was created. |
| | size | Integer | The size of the file in bytes. |
| | accessDate | String | The date and time when the file was last accessed. |
| | nonPEFile | Boolean | Indicates whether the file is a non-PE (Portable Executable) file. |
| | company | String | The company that produced the file. |
| | fileType | String | The type of file (e.g. "exe"). |
| | md5 | String | The MD5 hash value of the file. |
| file.certificates | expiryDate | String | The expiry date of the certificate. |
| | certificateSigned | Boolean | Indicates whether the certificate is signed. |
| | certificateIssuer | String | The issuer of the certificate. |
| | certificateValid | Boolean | Indicates whether the certificate is valid. |
| | certificateIssuedTo | String | The entity to which the certificate was issued. |
| | certificateSignedDate | String | The date when the certificate was signed. |
| | certificateHash | String | The hash value of the certificate. |
| asset | fullOSName | String | The full operating system name and version running on the host system. |
| | hostName | String | The hostname of the affected system. |
| | agentId | String | The unique identifier for the agent monitoring the system. |
| | netBiosName | String | The NetBIOS name of the affected system. |
| | customerId | String | The unique identifier for the customer. |
| | platform | String | The platform on which the host is running (e.g., Windows). |
| asset.interfaces | macAddress | String | The MAC address of the network interface. |
| | ipAddress | String | The IP address of the network interface. |
| | interfaceName | String | The name of the network interface. |
| | gatewayAddress | String | The gateway address of the network interface. |
| asset.tags | name | String | The name of the tag. |
| | uuid | String | The unique identifier for the tag. |
Sample - Fetch Network Event Details
API request
curl -G --data-urlencode "filter=type:network" \
  "<qualys_base_url>/ioc/events/fxxxx2-222a-xxxx-abcd-28exxxxx11/F_fexxxxx-222a-1111-abcd-2xxxx11-1xxxx505xxxxxx8xxx56" \
  -H "Authorization: Bearer <token>"
Response
[
{
"dateTime": "2025-02-20T15:36:11.000+0000",
"process": {
"fullPath": "/usr/sbin/chronyd",
"parentProcessName": "systemd",
"processFile": {
"fullPath": "/usr/sbin/chronyd",
"path": "/usr/sbin",
"createdDate": "2019-08-08T11:40:18.000+0000",
"sha256": "5fc9a67facabbe3abc2970db5d3ace95f591cf0d307b83c76a62873410dc652a",
"size": 269392,
"moduleName": "chronyd",
"uniqueImageId": "-2766799832389448102",
"md5": "919aa879e59e4cc4ad2638d2d6271eb9"
},
"processEventId": "RTP_f96ee276-5ba1-3963-b6be-98b58637de9d_24-12-2024",
"parentPid": 1,
"pid": 796,
"userName": "chrony",
"processName": "chronyd",
"currentDirectory": "/",
"elevated": false,
"isCertificateExists": false,
"arguments": "/usr/sbin/chronyd",
"parentEventId": "RTP_d7d691d0-1b84-31b1-8d7e-c6b3f43d0963_24-12-2024"
},
"eventSource": "EDR",
"type": "NETWORK",
"network": {
"protocol": "TCP",
"remoteIP": "2604:a880:400:d0::4ed:f001",
"localPort": "0",
"agentMetaData": "{\"tags\":[\"Unknown\",\"auid_4294967295\"]}",
"remotePort": "123",
"state": "ESTABLISHED"
},
"actor": {
"processEventId": "RTP_f96ee276-5ba1-3963-b6be-98b58637de9d_24-12-2024",
"processUniqueId": "4343915213667668267",
"processId": 796,
"processName": "chronyd",
"arguments": "/usr/sbin/chronyd",
"imageFullPath": "/usr/sbin/chronyd"
},
"score": "9",
"scoreSource": "CTDB",
"action": "ESTABLISHED",
"id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
"category": [
"Phishing",
"Spam Sources",
"Windows Exploits"
],
"asset": {
"fullOSName": "CentOS Linux 7.9.2009",
"hostName": "centos-10.14.28.130",
"agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
"interfaces": [
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "X0.1X.XX1.00",
"interfaceName": "ens192",
"gatewayAddress": "XX.XX.X0X.X"
},
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "ens192",
"gatewayAddress": "XX.XX.X0X.X"
}
],
"customerId": "fd01c4e0-9a06-4198-8362-fa6eb8b2adea",
"platform": "LINUX",
"tags": [
{
"name": "Cloud Agent",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
},
{
"name": "AG1",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
}
]
}
}
]
Response Field Descriptions

| Dataset Name | Field Name | Data Type | Description |
|---|---|---|---|
| Event | dateTime | String | Timestamp of the last reported EDR event (ISO 8601 format). |
| | eventSource | String | The source of the event (e.g., "EDR" for endpoint detection and response). |
| | type | String | The type of event (e.g., "NETWORK" indicates a network-related event). |
| | score | String | The overall threat severity score assigned to the event (e.g., "9" indicates a high risk). |
| | scoreSource | String | The source of the score (e.g., "CTDB"). |
| | action | String | An action taken on the network connection (e.g., "ESTABLISHED"). |
| | category | Array of Strings | The categories associated with the event (e.g., "Phishing", "Spam Sources", "Windows Exploits"). |
| | id | String | The unique identifier for the event. |
| | uniqueId | String | The unique identifier for the event. |
| | process | Object | Information about the process involved in the event. Dataset: process |
| | process.processFile | Object | Information about the process file. Dataset: process.processFile |
| | network | Object | Information related to the network event. Dataset: network |
| | actor | Object | Details about the process that triggered the event. Dataset: actor |
| | asset | Object | Information about the asset (host) involved in the event. Dataset: asset |
| | asset.interfaces | Array of Object | A list of network interfaces on the host system, including network-related details such as IP and MAC addresses. Dataset: asset.interfaces |
| | asset.tags | Array of Object | A list of tags associated with the asset. Contains tag details such as name and unique identifier. Dataset: asset.tags |
| process | fullPath | String | The full path of the process executable. |
| | parentProcessName | String | The name of the parent process. |
| | processEventId | String | The unique identifier for the process event. |
| | parentPid | Integer | The parent process ID (PID) of the process. |
| | pid | Integer | The process ID (PID) of the current process. |
| | userName | String | The username under which the process is running. |
| | processName | String | The name of the process. |
| | currentDirectory | String | The current directory of the process. |
| | elevated | Boolean | Indicates whether the process has elevated privileges (e.g., root, admin). |
| | isCertificateExists | Boolean | Indicates whether the process has an associated certificate. |
| | arguments | String | The arguments passed to the process during execution. |
| | parentEventId | String | The parent event identifier for the process. |
| process.processFile | fullPath | String | The full path of the process file. |
| | path | String | The directory path where the process file is located. |
| | createdDate | String | The date when the process file was created. |
| | sha256 | String | The SHA-256 hash of the process file. |
| | size | Integer | The size of the process file in bytes. |
| | moduleName | String | The name of the module associated with the process file. |
| | uniqueImageId | String | The unique identifier for the process image. |
| | md5 | String | The MD5 hash of the process file. |
| network | protocol | String | The protocol used in the network connection (e.g., "TCP"). |
| | remoteIP | String | The IP address of the remote entity involved in the network connection. |
| | localPort | String | The local port used for the network connection. |
| | remotePort | String | The remote port used for the network connection. |
| | state | String | The state of the network connection (e.g., "ESTABLISHED"). |
| actor | processEventId | String | The unique identifier for the process event. |
| | processUniqueId | String | The unique identifier for the process. |
| | processId | Integer | The process ID of the actor. |
| | processName | String | The name of the process involved. |
| | arguments | String | The arguments passed to the process involved in the event. |
| | imageFullPath | String | The full path of the process executable involved in the event. |
| asset | fullOSName | String | The full operating system name and version running on the asset. |
| | hostName | String | The hostname of the affected asset. |
| | agentId | String | The unique identifier for the agent monitoring the asset. |
| | customerId | String | The unique identifier for the customer. |
| | platform | String | The platform of the asset (e.g., "LINUX"). |
| asset.interfaces | macAddress | String | The MAC address of the network interface. |
| | ipAddress | String | The IP address of the network interface. |
| | interfaceName | String | The name of the network interface. |
| | gatewayAddress | String | The gateway address of the network interface. |
| asset.tags | name | String | The name of the tag. |
| | uuid | String | The unique identifier for the tag. |
Sample - Fetch Process Event Details
API request
curl -G --data-urlencode "filter=type:process" \
  "<qualys_base_url>/ioc/events/fxxxx2-222a-xxxx-abcd-28exxxxx11/F_fexxxxx-222a-1111-abcd-2xxxx11-1xxxx505xxxxxx8xxx56" \
  -H "Authorization: Bearer <token>"
Response
[
{
"dateTime": "2025-02-19T00:03:39.016+0000",
"process": {
"parentProcessName": "services.exe",
"processFile": {
"createdDate": "2025-02-14T18:36:56.000+0000",
"sha256": "6fc3bf1fdfd76860be782554f8d25bd32f108db934d70f4253f1e5f23522e503",
"size": 57528,
"certificates": [
{
"expiryDate": "2025-02-07T19:22:46.000+0000",
"certificateSigned": true,
"certificateIssuer": "Microsoft Windows Production PCA 2011",
"certificateValid": false,
"certificateIssuedTo": "Microsoft Windows Publisher",
"certificateSignedDate": "2024-02-08T19:22:46.000+0000",
"certificateHash": "09a1aa05288e952c901821deaece78d148d2e4d2"
}
],
"moduleName": "svchost.exe",
"uniqueImageId": "6695093065446506235",
"md5": "7469cc568ad6821fd9d925542730a7d8"
},
"processEventId": "RTP_5d946345-7faa-3040-a254-570fe24cb92b_19-2-2025",
"parentPid": 736,
"pid": 4720,
"userName": "NT AUTHORITY\\SYSTEM",
"sid": "S-1-16-16384",
"processName": "svchost.exe",
"elevated": true,
"isCertificateExists": true,
"arguments": "-k netsvcs -p -s wuauserv",
"parentEventId": "RTP_ebe08cb7-a6f6-3fe8-a93d-761f669649ff_12-2-2025",
"integrityLevel": "ML_SYSTEM",
"loadedModules": [
{
"fullPath": "C:\\Windows\\System32\\msxml6.dll",
"fileName": "msxml6.dll",
"createdDate": "2024-05-29T12:12:51.000+0000",
"sha256": "1bb75d1eddd78915238e145aeabdd6ffbc789d6325fb4280dafcf42ca26e7667",
"size": 2474760,
"certificates": [
{
"expiryDate": "2024-11-14T19:20:08.000+0000",
"certificateSigned": true,
"certificateIssuer": "Microsoft Windows Production PCA 2011",
"certificateValid": false,
"certificateIssuedTo": "Microsoft Windows",
"certificateSignedDate": "2023-11-16T19:20:08.000+0000",
"certificateHash": "71f53a26bb1625e466727183409a30d03d7923df"
}
],
"moduleName": "msxml6.dll",
"action": "LOAD",
"productName": "Microsoft XML Core Services",
"md5": "545a0575c1b1caf6b681f4dd9ac75e84"
}
]
},
"eventSource": "EDR",
"type": "PROCESS",
"actor": {
"processEventId": "RTP_ebe08cb7-a6f6-3fe8-a93d-761f669649ff_12-2-2025",
"processId": 736,
"processName": "services.exe",
"imageFullPath": "C:\\Windows\\system32\\services.exe"
},
"score": "3",
"scoreSource": "SIDDHI",
"action": "RUNNING",
"mitreInfoList": [
{
"techniques": [
{
"techniqueName": "Masquerading: Match Legitimate Name or Location",
"techniqueScore": 3,
"techniqueId": "T1036.005"
}
],
"tactics": [
{
"tacticName": "Defense Evasion",
"tacticId": "TA0005"
}
],
"technique": {
"techniqueName": "Masquerading: Match Legitimate Name or Location",
"techniqueScore": 3,
"techniqueId": "T1036.005"
},
"ruleNames": [
"T1036_005_1 Masquerading: Match Legitimate Name or Location"
],
"ruleId": "T1036_005_1"
}
],
"ruleNames": [
"T1036_005_1 Masquerading: Match Legitimate Name or Location"
],
"id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
"asset": {
"fullOSName": "Microsoft Windows 10 Enterprise 10.0.19045 Build 19045",
"hostName": "DESKTOP-F66RP42",
"agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
"netBiosName": "DESKTOP-F66RP42",
"isQuarantineHost": false,
"customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
"platform": "Windows",
"tags": [
{
"name": "Cloud Agent",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
}
]
}
}
]
Response Field Descriptions

| Dataset Name | Field Name | Data Type | Description |
|---|---|---|---|
| Event | dateTime | String (ISO 8601) | The timestamp when the event occurred. |
| | eventSource | String | The source of the event (e.g., EDR). |
| | type | String | The type of event (e.g., PROCESS). |
| | score | String | The overall threat severity score indicating the risk or severity of the event. |
| | scoreSource | String | The source of the score. |
| | action | String | The action associated with the event (e.g., RUNNING). |
| | ruleNames | Array of Strings | The list of rule names triggered by the event (e.g., Masquerading). |
| | id | String | The unique identifier for the event. |
| | process | Object | Information about the process involved in the event. Dataset: process |
| | process.processFile | Object | Information about the process file. Dataset: process.processFile |
| | process.processFile.certificates | Array of Objects | The list of certificates associated with the process file. Dataset: process.processFile.certificates |
| | process.loadedModules | Array of Objects | The list of modules loaded by the process. Dataset: process.loadedModules |
| | process.loadedModules.certificates | Array of Objects | The list of certificates associated with the loaded module. Dataset: process.loadedModules.certificates |
| | actor | Object | Information about the actor that initiated the event. Dataset: actor |
| | mitreInfoList | Array of Objects | The list of MITRE ATT&CK techniques, tactics, and rules related to the event. Dataset: mitreInfoList |
| | mitreInfoList.techniques | Array of Objects | The list of techniques associated with the event (e.g. Masquerading). Dataset: mitreInfoList.techniques |
| | mitreInfoList.tactics | Array of Objects | The list of tactics associated with the event (e.g. Defense Evasion). Dataset: mitreInfoList.tactics |
| | mitreInfoList.technique | Array of Objects | Detailed information about the MITRE technique. Dataset: mitreInfoList.technique |
| | asset | Object | Information about the asset (host) involved in the event. Dataset: asset |
| | asset.tags | Array of Objects | A list of tags associated with the asset. Dataset: asset.tags |
| indicator2 | score | String | The threat severity score. |
| | sha256 | String | The SHA-256 hash value of the file associated with the indicator. |
| | familyName | String | The family name of the detected malware or threat (e.g., "virus"). |
| | verdict | String | The verdict assigned to the file ("MALICIOUS" in this case). |
| | threatName | String | The name of the detected threat. |
| | category | String | The category of the detected threat (e.g., "virus"). |
| actor | processEventId | String | The unique identifier for the process event. |
| | processUniqueId | String | The unique identifier for the process. |
| | processId | Integer | The process ID of the actor involved in the event. |
| | processName | String | The name of the process responsible for the event (e.g., "MsMpEng.exe"). |
| | imageFullPath | String | The full file path of the executable that triggered the event. |
| | productName | String | The name of the product associated with the process (e.g., "Microsoft Windows Operating System"). |
| file | fullPath | String | The full file path of the involved file. |
| | extension | String | The file extension of the involved file (e.g., "exe"). |
| | product | String | The product name associated with the file. |
| | numOfPages | Integer | The number of pages in the file (if applicable). |
| | fileName | String | The name of the file involved in the event. |
| | sha256 | String | The SHA-256 hash value of the file. |
| | writeDate | String | The date and time when the file was last written to. |
| | description | String | The description of the file (e.g., "Windows PowerShell"). |
| | macroEmbedded | Boolean | Indicates whether the file contains embedded macros ('false' if no macros are present). |
| | version | String | The version of the file involved. |
| | path | String | The path where the file is located. |
| | createdDate | String | The date and time when the file was created. |
| | size | Integer | The size of the file in bytes. |
| | accessDate | String | The date and time when the file was last accessed. |
| | nonPEFile | Boolean | Indicates whether the file is a non-PE (Portable Executable) file. |
| | company | String | The company that produced the file. |
| | fileType | String | The type of file (e.g. "exe"). |
| | md5 | String | The MD5 hash value of the file. |
| file.certificates | expiryDate | String | The expiry date of the certificate. |
| | certificateSigned | Boolean | Indicates whether the certificate is signed. |
| | certificateIssuer | String | The issuer of the certificate. |
| | certificateValid | Boolean | Indicates whether the certificate is valid. |
| | certificateIssuedTo | String | The entity to which the certificate was issued. |
| | certificateSignedDate | String | The date when the certificate was signed. |
| | certificateHash | String | The hash value of the certificate. |
| asset | fullOSName | String | The full operating system name and version running on the host system. |
| | hostName | String | The hostname of the affected system. |
| | agentId | String | The unique identifier for the agent monitoring the system. |
| | netBiosName | String | The NetBIOS name of the affected system. |
| | customerId | String | The unique identifier for the customer. |
| | platform | String | The platform on which the host is running (e.g., Windows). |
| asset.interfaces | macAddress | String | The MAC address of the network interface. |
| | ipAddress | String | The IP address of the network interface. |
| | interfaceName | String | The name of the network interface. |
| | gatewayAddress | String | The gateway address of the network interface. |
| asset.tags | name | String | The name of the tag. |
| | uuid | String | The unique identifier for the tag. |
Sample - Fetch Registry Event Details
API request
curl -G --data-urlencode "filter=type:registry" \
  "<qualys_base_url>/ioc/events/fxxxx2-222a-xxxx-abcd-28exxxxx11/F_fexxxxx-222a-1111-abcd-2xxxx11-1xxxx505xxxxxx8xxx56" \
  -H "Authorization: Bearer <token>"
Response
[
{
"dateTime": "2025-02-22T08:22:23.017+0000",
"registry": {
"path": "TamperProtection",
"value": "0x0",
"key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features"
},
"eventSource": "EDR",
"type": "REGISTRY",
"actor": {
"processEventId": "RTP_d15905b7-df0e-3b55-8cb4-f9a7c2ef9d92_21-2-2025",
"processUniqueId": "-553510450883925585",
"processId": 75572,
"processName": "MsMpEng.exe",
"imageFullPath": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25010.6-0\\MsMpEng.exe",
"productName": "Microsoft® Windows® Operating System"
},
"score": "3",
"scoreSource": "SIDDHI",
"action": "WRITE",
"mitreInfoList": [
{
"techniques": [
{
"techniqueName": "Modify Registry",
"techniqueScore": 3,
"techniqueId": "T1112"
},
{
"techniqueName": "Impair Defenses: Disable or Modify Tools",
"techniqueId": "T1562.001"
}
],
"tactics": [
{
"tacticName": "Defense Evasion",
"tacticId": "TA0005"
}
],
"technique": {
"techniqueName": "Modify Registry",
"techniqueScore": 3,
"techniqueId": "T1112"
},
"ruleNames": [
"Tamper Win Defender Protection via Registry"
],
"ruleId": "T1112_61"
}
],
"ruleNames": [
"Tamper Win Defender Protection via Registry"
],
"id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
"asset": {
"fullOSName": "Microsoft Windows Server 2022 Standard 10.0.20348 Build 20348",
"hostName": "WIN-KL5S113723C",
"agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
"interfaces": [
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
},
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
},
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
}
],
"netBiosName": "WIN-KL5S113723C",
"customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
"platform": "Windows",
"tags": [
{
"name": "Cloud Agent",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
}
]
}
}
]
Response Field Descriptions

| Dataset Name | Field Name | Data Type | Description |
|---|---|---|---|
| Event | dateTime | Timestamp | Timestamp when the event occurred on the endpoint (ISO 8601 format). |
| | eventSource | String | The source of the event (e.g., "EDR" for endpoint detection and response). |
| | type | String | The type of the event (e.g., "REGISTRY" indicates a registry-related event). |
| | score | String | The overall threat severity score assigned to the event (e.g., "3" indicates a lower risk). |
| | scoreSource | String | The source of the score (e.g., "SIDDHI"). |
| | action | String | An action taken on the registry key (e.g., "WRITE"). |
| | ruleNames | Array of Strings | A list of rule names associated with the event (e.g., "Tamper Win Defender Protection via Registry"). |
| | id | String | A unique identifier for the event. |
| | uniqueId | String | A unique identifier for the event. |
| | registry | Object | Registry information involved in the event. Dataset: registry |
| | actor | Object | Details about the process that triggered the event. Dataset: actor |
| | mitreInfoList | Array of Object | A list of MITRE ATT&CK techniques, tactics, and rules related to the event. Dataset: mitreInfoList |
| | mitreInfoList.techniques | Array of Object | A list of techniques associated with the event (e.g., Masquerading). Dataset: mitreInfoList.techniques |
| | mitreInfoList.tactics | Array of Object | A list of tactics associated with the event (e.g., Defense Evasion). Dataset: mitreInfoList.tactics |
| | mitreInfoList.technique | Object | Detailed information about the MITRE technique. Dataset: mitreInfoList.technique |
| | asset | Object | Information about the asset (host) involved in the event. Dataset: asset |
| | asset.interfaces | Array of Object | A list of network interfaces on the host system, including network-related details such as IP and MAC addresses. Dataset: asset.interfaces |
| | asset.tags | Array of Object | A list of tags associated with the asset. Contains tag details such as name and unique identifier. Dataset: asset.tags |
| registry | path | String | The path of the registry key. |
| | value | String | The value of the registry key. |
| | key | String | The key of the registry path. |
| actor | processEventId | String | The unique identifier for the process event. |
| | processUniqueId | String | The unique identifier for the process. |
| | processId | Integer | The process ID of the actor. |
| | processName | String | The name of the process involved. |
| | imageFullPath | String | The full path of the process executable involved in the event. |
| | productName | String | The name of the product associated with the process (e.g., "Microsoft Windows Operating System"). |
| mitreInfoList | ruleNames | Array of Strings | A list of rule names triggered by the event. |
| | ruleId | String | The unique rule identifier associated with the event. |
| mitreInfoList.techniques | techniqueName | String | The name of the technique used (e.g. "Modify Registry"). |
| | techniqueScore | Integer | The score of the MITRE technique. |
| | techniqueId | String | The technique ID from MITRE ATT&CK (e.g. "T1112" for Modify Registry). |
| mitreInfoList.tactics | tacticName | String | The name of the tactic used (e.g. "Defense Evasion"). |
| | tacticId | String | The tactic ID from MITRE ATT&CK (e.g. "TA0005" for Defense Evasion). |
| mitreInfoList.technique | techniqueName | String | The name of the technique (e.g. "Modify Registry"). |
| | techniqueScore | Integer | The score of the MITRE technique. |
| | techniqueId | String | The technique ID from MITRE ATT&CK (e.g. "T1112"). |
| asset | fullOSName | String | The full operating system name and version running on the asset. |
| | hostName | String | The hostname of the affected asset. |
| | agentId | String | The unique identifier for the agent monitoring the asset. |
| | netBiosName | String | The NetBIOS name of the affected asset. |
| | isQuarantineHost | Boolean | Indicates whether the asset is in quarantine. |
| | customerId | String | The unique identifier for the customer. |
| | platform | String | The platform of the asset (e.g. "Windows"). |
| asset.interfaces | macAddress | String | The MAC address of the network interface. |
| | ipAddress | String | The IP address of the network interface. |
| | interfaceName | String | The name of the network interface. |
| | gatewayAddress | String | The gateway address of the network interface. |
| asset.tags | name | String | The name of the tag. |
| | uuid | String | The unique identifier for the tag. |
V1.0
This API retrieves details for an event.
Input Parameters

| Input Parameters | Mandatory/Optional | Description |
|---|---|---|
| agentId (String) | Mandatory | ID of the agent for which you want to fetch the details. |
| eventId (String) | Mandatory | ID of the event for which you want to fetch the details. |
| Authorization (String) | Mandatory | Authorization token to authenticate to the Qualys Enterprise TruRisk™ Platform. Prepend the token with "Bearer" and one space. For example: Bearer authToken. |
| filter (String) | Optional | Filter the events list by providing a query using Qualys syntax. Refer to the How to Search topic in the online help for assistance with creating your query. For example: event.datetime:["2024-09-15T00:30:00.000Z".."2024-09-22T18:29:59.999Z"] AND action: 'Created'. You can filter events based on the time they were generated (event.datetime) or the time they were processed at Qualys (event.eventprocesstime). If you want to fetch events by date AND time, use the "event.datetime" or "event.eventprocesstime" field in the query. |
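The same request built in Python, added here as an example (this is not Qualys-provided code). The helper names are hypothetical; qualys.example, the ids and the token are placeholders for your own values, and the path follows the V1.0 URL shown in the samples below. The point it makes beyond the curl line is that the filter must be percent-encoded as one unit (that is what -G --data-urlencode does) and that the agent and event ids are quoted as single path segments before they reach the URL.

```python
# Added example (not Qualys code): build the Fetch Event Details request in Python.
# Helper names are hypothetical; base URL, ids and token are placeholders you supply.
import json
import urllib.error
import urllib.parse
import urllib.request

API_PATH = "/ioc/v1/events/{agent_id}/{event_id}"  # V1.0 path shown in the samples


def datetime_filter(start_utc, end_utc, field="event.datetime"):
    """Range query in the page's syntax; field may also be event.eventprocesstime."""
    return '%s:["%s".."%s"]' % (field, start_utc, end_utc)


def build_event_request(base_url, agent_id, event_id, token, filter_query=None):
    """Equivalent of the page's curl -G --data-urlencode call, as a urllib Request."""
    if not agent_id or not event_id or not token:
        raise ValueError("agentId, eventId and Authorization are mandatory")
    # Quote the path segments so an id can never add extra path components.
    url = base_url.rstrip("/") + API_PATH.format(
        agent_id=urllib.parse.quote(agent_id, safe=""),
        event_id=urllib.parse.quote(event_id, safe=""))
    if filter_query:
        # Percent-encode the whole query, as --data-urlencode does, so the
        # ':' '"' '[' and spaces inside a Qualys query survive the URL.
        url += "?" + urllib.parse.urlencode(
            {"filter": filter_query}, quote_via=urllib.parse.quote)
    headers = {"Authorization": "Bearer " + token,  # "Bearer", one space, then the token
               "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers, method="GET")


def fetch_event_details(request, timeout=30):
    """Send the request and return the decoded JSON list (one event per element)."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as exc:
        # 401/403 normally mean an expired or mis-scoped token; surface it, don't retry.
        raise RuntimeError("event lookup failed: HTTP %d" % exc.code) from exc
    if not isinstance(body, list):
        raise RuntimeError("unexpected response shape: %s" % type(body).__name__)
    return body


if __name__ == "__main__":
    # https://qualys.example is a placeholder for <qualys_base_url>; ids and token likewise.
    req = build_event_request(
        "https://qualys.example", "<agentId>", "<eventId>", "<token>",
        datetime_filter("2024-09-15T00:30:00.000Z", "2024-09-22T18:29:59.999Z")
        + " AND action: 'Created'")
    print(req.full_url)  # shows the encoded query; fetch_event_details(req) would send it
```

Keep the token out of the URL and out of logs: it travels only in the Authorization header, and the HTTPError branch reports the status code rather than echoing the request.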
Sample - Fetch File Event Details
API request
curl -G --data-urlencode "filter=type:file" \
"<qualys_base_url>/ioc/v1/events/fxxxx2-222a-xxxx-abcd-28exxxxx11/F_fexxxxx-222a-1111-abcd-2xxxx11-1xxxx505xxxxxx8xxx56" -H "Authorization: Bearer <token>"
Response
[
{
"dateTime": "2025-02-19T13:23:45.175+0000",
"eventSource": "EDR",
"indicator2": [
{
"score": "7",
"sha256": "3247bcfd60f6dd25f34cb74b5889ab10ef1b3ec72b4d4b3d95b5b25b534560b8",
"familyName": "virus",
"verdict": "MALICIOUS",
"threatName": "virus",
"category": "virus"
}
],
"type": "FILE",
"actor": {
"processEventId": "RTP_900a3661-8a3b-3547-82f8-743e68a5ad5f_11-2-2025",
"processUniqueId": "7203985709335574011",
"processId": 2864,
"processName": "MsMpEng.exe",
"imageFullPath": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24090.11-0\\MsMpEng.exe",
"productName": "Microsoft® Windows® Operating System"
},
"score": "7",
"scoreSource": "REVERSING_LAB",
"file": {
"fullPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"extension": "exe",
"product": "Microsoft® Windows® Operating System",
"fileName": "powershell.exe",
"sha256": "3247bcfd60f6dd25f34cb74b5889ab10ef1b3ec72b4d4b3d95b5b25b534560b8",
"writeDate": "2024-08-09T07:22:08.000+0000",
"description": "Windows PowerShell",
"macroEmbedded": false,
"version": "10.0.22621.3085",
"path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
"createdDate": "2024-08-09T07:22:08.000+0000",
"size": 450560,
"accessDate": "2025-01-10T07:10:47.000+0000",
"certificates": [
{
"expiryDate": "2024-11-14T19:20:09.000+0000",
"certificateSigned": true,
"certificateIssuer": "Microsoft Windows Production PCA 2011",
"certificateValid": false,
"certificateIssuedTo": "Microsoft Windows",
"certificateSignedDate": "2023-11-16T19:20:09.000+0000",
"certificateHash": "d8fb0cc66a08061b42d46d03546f0d42cbc49b7c"
}
],
"nonPEFile": false,
"company": "Microsoft Corporation",
"fileType": "exe",
"md5": "9d8e30daf21108092d5980c931876b7e"
},
"action": "READ",
"id": "RTF_55fcc54e-2cbb-3177-81c0-f42e413312d2_19-2-2025",
"category": [
"virus"
],
"asset": {
"fullOSName": "Microsoft Windows 11 Enterprise 10.0.22631 Build 22631",
"hostName": "WIN-AS-IPV6-4-2",
"agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
"interfaces": [
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
},
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
}
],
"netBiosName": "WIN-AS-IPV6-4-2",
"customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
"platform": "Windows",
"tags": [
{
"name": "Maine_District_Court",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
},
{
"name": "Meena",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
},
{
"name": "Cloud Agent",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
}
]
}
}
]
Response Field Descriptions

| Dataset Name | Field Name | Data Type | Description |
|---|---|---|---|
| Event | dateTime | Timestamp | Timestamp of the last reported EDR event (ISO 8601 format). |
| | eventSource | String | The source of the event (Anti-malware or EDR). |
| | type | String | The type of event (e.g., 'FILE' indicates a file-related event). |
| | score | String | The overall threat severity score based on reputation data from Threat Intelligence feeds. |
| | scoreSource | String | The source of the score (e.g. Anti-malware, Behavioral Detection, Qualys Research, Sandbox, Threat Intelligence). |
| | action | String | An action performed on the file (e.g. "READ", "CREATED", etc.). |
| | id | String | A unique identifier assigned to the agent installed on the asset. |
| | category | Array of String | A list of categories associated with the event (e.g., 'virus'). |
| | indicator2 | Array of Object | A list of indicators (detected threats); each object carries detailed information. Dataset: indicator2 |
| | actor | Object | Details about the process that triggered the event. Dataset: actor |
| | file | Object | Details related to the file involved in the event. Dataset: file |
| | file.certificates | Object | A list of certificates associated with the file. Contains certificate information. Dataset: file.certificates |
| | asset | Object | Details about the host system where the event occurred. Dataset: asset |
| | asset.interfaces | Array of Object | A list of network interfaces on the host system, including network-related details such as IP and MAC addresses. Dataset: asset.interfaces |
| | asset.tags | Array of Object | A list of tags associated with the asset. Contains tag details such as name and unique identifier. Dataset: asset.tags |
| indicator2 | score | String | The threat severity score. |
| | sha256 | String | The SHA-256 hash value of the file associated with the indicator. |
| | familyName | String | The family name of the detected malware or threat (e.g., "virus"). |
| | verdict | String | The verdict assigned to the file (e.g., "MALICIOUS"). |
| | threatName | String | The name of the detected threat. |
| | category | String | The category of the detected threat (e.g., "virus"). |
| actor | processEventId | String | The unique identifier for the process event. |
| | processUniqueId | String | The unique identifier for the process. |
| | processId | Integer | The process ID of the actor involved in the event. |
| | processName | String | The name of the process responsible for the event (e.g., "MsMpEng.exe"). |
| | imageFullPath | String | The full file path of the executable that triggered the event. |
| | productName | String | The name of the product associated with the process (e.g., "Microsoft Windows Operating System"). |
| file | fullPath | String | The full file path of the involved file. |
| | extension | String | The file extension of the involved file (e.g., "exe"). |
| | product | String | The product name associated with the file. |
| | numOfPages | Integer | The number of pages in the file (if applicable). |
| | fileName | String | The name of the file involved in the event. |
| | sha256 | String | The SHA-256 hash value of the file. |
| | writeDate | String | The date and time when the file was last written to. |
| | description | String | The description of the file (e.g., "Windows PowerShell"). |
| | macroEmbedded | Boolean | Indicates whether the file contains embedded macros ('false' if no macros are present). |
| | version | String | The version of the file involved. |
| | path | String | The path where the file is located. |
| | createdDate | String | The date and time when the file was created. |
| | size | Integer | The size of the file in bytes. |
| | accessDate | String | The date and time when the file was last accessed. |
| | nonPEFile | Boolean | Indicates whether the file is a non-PE (Portable Executable) file. |
| | company | String | The company that produced the file. |
| | fileType | String | The type of file (e.g. "exe"). |
| | md5 | String | The MD5 hash value of the file. |
| file.certificates | expiryDate | String | The expiry date of the certificate. |
| | certificateSigned | Boolean | Indicates whether the certificate is signed. |
| | certificateIssuer | String | The issuer of the certificate. |
| | certificateValid | Boolean | Indicates whether the certificate is valid. |
| | certificateIssuedTo | String | The entity to which the certificate was issued. |
| | certificateSignedDate | String | The date when the certificate was signed. |
| | certificateHash | String | The hash value of the certificate. |
| asset | fullOSName | String | The full operating system name and version running on the host system. |
| | hostName | String | The hostname of the affected system. |
| | agentId | String | The unique identifier for the agent monitoring the system. |
| | netBiosName | String | The NetBIOS name of the affected system. |
| | customerId | String | The unique identifier for the customer. |
| | platform | String | The platform on which the host is running (e.g., Windows). |
| asset.interfaces | macAddress | String | The MAC address of the network interface. |
| | ipAddress | String | The IP address of the network interface. |
| | interfaceName | String | The name of the network interface. |
| | gatewayAddress | String | The gateway address of the network interface. |
| asset.tags | name | String | The name of the tag. |
| | uuid | String | The unique identifier for the tag. |
Sample - Fetch Network Event Details
API request
curl -G --data-urlencode "filter=type:network" \
"<qualys_base_url>/ioc/v1/events/fxxxx2-222a-xxxx-abcd-28exxxxx11/F_fexxxxx-222a-1111-abcd-2xxxx11-1xxxx505xxxxxx8xxx56" -H "Authorization: Bearer <token>"
Response
[
{
"dateTime": "2025-02-20T15:36:11.000+0000",
"process": {
"fullPath": "/usr/sbin/chronyd",
"parentProcessName": "systemd",
"processFile": {
"fullPath": "/usr/sbin/chronyd",
"path": "/usr/sbin",
"createdDate": "2019-08-08T11:40:18.000+0000",
"sha256": "5fc9a67facabbe3abc2970db5d3ace95f591cf0d307b83c76a62873410dc652a",
"size": 269392,
"moduleName": "chronyd",
"uniqueImageId": "-2766799832389448102",
"md5": "919aa879e59e4cc4ad2638d2d6271eb9"
},
"processEventId": "RTP_f96ee276-5ba1-3963-b6be-98b58637de9d_24-12-2024",
"parentPid": 1,
"pid": 796,
"userName": "chrony",
"processName": "chronyd",
"currentDirectory": "/",
"elevated": false,
"isCertificateExists": false,
"arguments": "/usr/sbin/chronyd",
"parentEventId": "RTP_d7d691d0-1b84-31b1-8d7e-c6b3f43d0963_24-12-2024"
},
"eventSource": "EDR",
"type": "NETWORK",
"network": {
"protocol": "TCP",
"remoteIP": "2604:a880:400:d0::4ed:f001",
"localPort": "0",
"agentMetaData": "{\"tags\":[\"Unknown\",\"auid_4294967295\"]}",
"remotePort": "123",
"state": "ESTABLISHED"
},
"actor": {
"processEventId": "RTP_f96ee276-5ba1-3963-b6be-98b58637de9d_24-12-2024",
"processUniqueId": "4343915213667668267",
"processId": 796,
"processName": "chronyd",
"arguments": "/usr/sbin/chronyd",
"imageFullPath": "/usr/sbin/chronyd"
},
"score": "9",
"scoreSource": "CTDB",
"action": "ESTABLISHED",
"id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
"category": [
"Phishing",
"Spam Sources",
"Windows Exploits"
],
"asset": {
"fullOSName": "CentOS Linux 7.9.2009",
"hostName": "centos-10.14.28.130",
"agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
"interfaces": [
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "X0.1X.XX1.00",
"interfaceName": "ens192",
"gatewayAddress": "XX.XX.X0X.X"
},
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "ens192",
"gatewayAddress": "XX.XX.X0X.X"
}
],
"customerId": "fd01c4e0-9a06-4198-8362-fa6eb8b2adea",
"platform": "LINUX",
"tags": [
{
"name": "Cloud Agent",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
},
{
"name": "AG1",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
}
]
}
}
]
Response Field Descriptions

| Dataset Name | Field Name | Data Type | Description |
|---|---|---|---|
| Event | dateTime | String | Timestamp of the last reported EDR event (ISO 8601 format). |
| | eventSource | String | The source of the event (e.g., "EDR" for endpoint detection and response). |
| | type | String | The type of event (e.g., "NETWORK" indicates a network-related event). |
| | score | String | The overall threat severity score assigned to the event (e.g., "9" indicates a high risk). |
| | scoreSource | String | The source of the score (e.g., "CTDB"). |
| | action | String | An action taken on the network connection (e.g., "ESTABLISHED"). |
| | id | String | The unique identifier for the event. |
| | uniqueId | String | The unique identifier for the event. |
| | process | Object | Information about the process involved in the event. Dataset: process |
| | process.processFile | Object | Information about the process file. Dataset: process.processFile |
| | network | Object | Information related to the network event. Dataset: network |
| | actor | Object | Details about the process that triggered the event. Dataset: actor |
| | asset | Object | Information about the asset (host) involved in the event. Dataset: asset |
| | asset.interfaces | Array of Object | A list of network interfaces on the host system, including network-related details such as IP and MAC addresses. Dataset: asset.interfaces |
| | asset.tags | Array of Object | A list of tags associated with the asset. Contains tag details such as name and unique identifier. Dataset: asset.tags |
| process | fullPath | String | The full path of the process executable. |
| | parentProcessName | String | The name of the parent process. |
| | processEventId | String | The unique identifier for the process event. |
| | parentPid | Integer | The parent process ID (PID) of the process. |
| | pid | Integer | The process ID (PID) of the current process. |
| | userName | String | The username under which the process is running. |
| | processName | String | The name of the process. |
| | currentDirectory | String | The current directory of the process. |
| | elevated | Boolean | Indicates whether the process has elevated privileges (e.g., root, admin). |
| | isCertificateExists | Boolean | Indicates whether the process has an associated certificate. |
| | arguments | String | The arguments passed to the process during execution. |
| | parentEventId | String | The parent event identifier for the process. |
| process.processFile | fullPath | String | The full path of the process file. |
| | path | String | The directory path where the process file is located. |
| | createdDate | String | The date when the process file was created. |
| | sha256 | String | The SHA-256 hash of the process file. |
| | size | Integer | The size of the process file in bytes. |
| | moduleName | String | The name of the module associated with the process file. |
| | uniqueImageId | String | The unique identifier for the process image. |
| | md5 | String | The MD5 hash of the process file. |
| network | protocol | String | The protocol used in the network connection (e.g., "TCP"). |
| | remoteIP | String | The IP address of the remote entity involved in the network connection. |
| | localPort | String | The local port used for the network connection. |
| | remotePort | String | The remote port used for the network connection. |
| | state | String | Indicates the state of the network connection (e.g., "ESTABLISHED"). |
| actor | processEventId | String | The unique identifier for the process event. |
| | processUniqueId | String | The unique identifier for the process. |
| | processId | Integer | The process ID of the actor. |
| | processName | String | The name of the process involved. |
| | arguments | String | The arguments passed to the process involved in the event. |
| | imageFullPath | String | The full path of the process executable involved in the event. |
| | category | Array of Strings | The categories associated with the event (e.g., "Phishing", "Spam Sources", "Windows Exploits"). |
| asset | fullOSName | String | The full operating system name and version running on the asset. |
| | hostName | String | The hostname of the affected asset. |
| | agentId | String | The unique identifier for the agent monitoring the asset. |
| | customerId | String | The unique identifier for the customer. |
| | platform | String | The platform of the asset (e.g., "LINUX"). |
| asset.interfaces | macAddress | String | The MAC address of the network interface. |
| | ipAddress | String | The IP address of the network interface. |
| | interfaceName | String | The name of the network interface. |
| | gatewayAddress | String | The gateway address of the network interface. |
| asset.tags | name | String | The name of the tag. |
| | uuid | String | The unique identifier for the tag. |
Sample - Fetch Process Event Details
API request
curl -G --data-urlencode "filter=type:process" \
"<qualys_base_url>/ioc/v1/events/fxxxx2-222a-xxxx-abcd-28exxxxx11/F_fexxxxx-222a-1111-abcd-2xxxx11-1xxxx505xxxxxx8xxx56" -H "Authorization: Bearer <token>"
Response
[
{
"dateTime": "2025-02-19T00:03:39.016+0000",
"process": {
"parentProcessName": "services.exe",
"processFile": {
"createdDate": "2025-02-14T18:36:56.000+0000",
"sha256": "6fc3bf1fdfd76860be782554f8d25bd32f108db934d70f4253f1e5f23522e503",
"size": 57528,
"certificates": [
{
"expiryDate": "2025-02-07T19:22:46.000+0000",
"certificateSigned": true,
"certificateIssuer": "Microsoft Windows Production PCA 2011",
"certificateValid": false,
"certificateIssuedTo": "Microsoft Windows Publisher",
"certificateSignedDate": "2024-02-08T19:22:46.000+0000",
"certificateHash": "09a1aa05288e952c901821deaece78d148d2e4d2"
}
],
"moduleName": "svchost.exe",
"uniqueImageId": "6695093065446506235",
"md5": "7469cc568ad6821fd9d925542730a7d8"
},
"processEventId": "RTP_5d946345-7faa-3040-a254-570fe24cb92b_19-2-2025",
"parentPid": 736,
"pid": 4720,
"userName": "NT AUTHORITY\\SYSTEM",
"sid": "S-1-16-16384",
"processName": "svchost.exe",
"elevated": true,
"isCertificateExists": true,
"arguments": "-k netsvcs -p -s wuauserv",
"parentEventId": "RTP_ebe08cb7-a6f6-3fe8-a93d-761f669649ff_12-2-2025",
"integrityLevel": "ML_SYSTEM",
"loadedModules": [
{
"fullPath": "C:\\Windows\\System32\\msxml6.dll",
"fileName": "msxml6.dll",
"createdDate": "2024-05-29T12:12:51.000+0000",
"sha256": "1bb75d1eddd78915238e145aeabdd6ffbc789d6325fb4280dafcf42ca26e7667",
"size": 2474760,
"certificates": [
{
"expiryDate": "2024-11-14T19:20:08.000+0000",
"certificateSigned": true,
"certificateIssuer": "Microsoft Windows Production PCA 2011",
"certificateValid": false,
"certificateIssuedTo": "Microsoft Windows",
"certificateSignedDate": "2023-11-16T19:20:08.000+0000",
"certificateHash": "71f53a26bb1625e466727183409a30d03d7923df"
}
],
"moduleName": "msxml6.dll",
"action": "LOAD",
"productName": "Microsoft XML Core Services",
"md5": "545a0575c1b1caf6b681f4dd9ac75e84"
}
]
},
"eventSource": "EDR",
"type": "PROCESS",
"actor": {
"processEventId": "RTP_ebe08cb7-a6f6-3fe8-a93d-761f669649ff_12-2-2025",
"processId": 736,
"processName": "services.exe",
"imageFullPath": "C:\\Windows\\system32\\services.exe"
},
"score": "3",
"scoreSource": "SIDDHI",
"action": "RUNNING",
"mitreInfoList": [
{
"techniques": [
{
"techniqueName": "Masquerading: Match Legitimate Name or Location",
"techniqueScore": 3,
"techniqueId": "T1036.005"
}
],
"tactics": [
{
"tacticName": "Defense Evasion",
"tacticId": "TA0005"
}
],
"technique": {
"techniqueName": "Masquerading: Match Legitimate Name or Location",
"techniqueScore": 3,
"techniqueId": "T1036.005"
},
"ruleNames": [
"T1036_005_1 Masquerading: Match Legitimate Name or Location"
],
"ruleId": "T1036_005_1"
}
],
"ruleNames": [
"T1036_005_1 Masquerading: Match Legitimate Name or Location"
],
"id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
"asset": {
"fullOSName": "Microsoft Windows 10 Enterprise 10.0.19045 Build 19045",
"hostName": "DESKTOP-F66RP42",
"agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
"netBiosName": "DESKTOP-F66RP42",
"isQuarantineHost": false,
"customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
"platform": "Windows",
"tags": [
{
"name": "Cloud Agent",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
}
]
}
}
]
Response Field Descriptions

| Dataset Name | Field Name | Data Type | Description |
|---|---|---|---|
| Event | dateTime | String (ISO 8601) | The timestamp when the event occurred. |
| | eventSource | String | The source of the event (e.g., EDR). |
| | type | String | The type of event (e.g., PROCESS). |
| | score | String | The overall threat severity score indicating the risk or severity of the event. |
| | scoreSource | String | The source of the score. |
| | action | String | The action associated with the event (e.g., RUNNING). |
| | ruleNames | Array of Strings | The list of rule names triggered by the event (e.g., Masquerading). |
| | id | String | The unique identifier for the event. |
| | process | Object | Information about the process involved in the event. Dataset: process |
| | process.processFile | Object | Information about the process file. Dataset: process.processFile |
| | process.processFile.certificates | Array of Objects | The list of certificates associated with the process file. Dataset: process.processFile.certificates |
| | process.loadedModules | Array of Objects | The list of modules loaded by the process. Dataset: process.loadedModules |
| | process.loadedModules.certificates | Array of Objects | The list of certificates associated with the process file. Dataset: process.loadedModules.certificates |
| | actor | Object | Information about the actor that initiated the event. Dataset: actor |
| | mitreInfoList | Array of Objects | The list of MITRE ATT&CK techniques, tactics, and rules related to the event. Dataset: mitreInfoList |
| | mitreInfoList.techniques | Array of Objects | The list of techniques associated with the event (e.g. Masquerading). Dataset: mitreInfoList.techniques |
| | mitreInfoList.tactics | Array of Objects | The list of tactics associated with the event (e.g. Defense Evasion). Dataset: mitreInfoList.tactics |
| | mitreInfoList.technique | Array of Objects | Detailed information about the MITRE technique. Dataset: mitreInfoList.technique |
| | asset | Object | Information about the asset (host) involved in the event. Dataset: asset |
| | asset.tags | Array of Objects | A list of tags associated with the asset. Dataset: asset.tags |
| indicator2 | score | String | The threat severity score. |
| | sha256 | String | The SHA-256 hash value of the file associated with the indicator. |
| | familyName | String | The family name of the detected malware or threat (e.g., "virus"). |
| | verdict | String | The verdict assigned to the file ("MALICIOUS" in this case). |
| | threatName | String | The name of the detected threat. |
| | category | String | The category of the detected threat (e.g., "virus"). |
| actor | processEventId | String | The unique identifier for the process event. |
| | processUniqueId | String | The unique identifier for the process. |
| | processId | Integer | The process ID of the actor involved in the event. |
| | processName | String | The name of the process responsible for the event (e.g., "MsMpEng.exe"). |
| | imageFullPath | String | The full file path of the executable that triggered the event. |
| | productName | String | The name of the product associated with the process (e.g., "Microsoft Windows Operating System"). |
| file | fullPath | String | The full file path of the involved file. |
| | extension | String | The file extension of the involved file (e.g., "exe"). |
| | product | String | The product name associated with the file. |
| | numOfPages | Integer | The number of pages in the file (if applicable). |
| | fileName | String | The name of the file involved in the event. |
| | sha256 | String | The SHA-256 hash value of the file. |
| | writeDate | String | The date and time when the file was last written to. |
| | description | String | The description of the file (e.g., "Windows PowerShell"). |
| | macroEmbedded | Boolean | Indicates whether the file contains embedded macros ('false' if no macros are present). |
| | version | String | The version of the file involved. |
| | path | String | The path where the file is located. |
| | createdDate | String | The date and time when the file was created. |
| | size | Integer | The size of the file in bytes. |
| | accessDate | String | The date and time when the file was last accessed. |
| | nonPEFile | Boolean | Indicates whether the file is a non-PE (Portable Executable) file. |
| | company | String | The company that produced the file. |
| | fileType | String | The type of file (e.g. "exe"). |
| | md5 | String | The MD5 hash value of the file. |
| file.certificates | expiryDate | String | The expiry date of the certificate. |
| | certificateSigned | Boolean | Indicates whether the certificate is signed. |
| | certificateIssuer | String | The issuer of the certificate. |
| | certificateValid | Boolean | Indicates whether the certificate is valid. |
| | certificateIssuedTo | String | The entity to which the certificate was issued. |
| | certificateSignedDate | String | The date when the certificate was signed. |
| | certificateHash | String | The hash value of the certificate. |
| asset | fullOSName | String | The full operating system name and version running on the host system. |
| | hostName | String | The hostname of the affected system. |
| | agentId | String | The unique identifier for the agent monitoring the system. |
| | netBiosName | String | The NetBIOS name of the affected system. |
| | customerId | String | The unique identifier for the customer. |
| | platform | String | The platform on which the host is running (e.g., Windows). |
| asset.interfaces | macAddress | String | The MAC address of the network interface. |
| | ipAddress | String | The IP address of the network interface. |
| | interfaceName | String | The name of the network interface. |
| | gatewayAddress | String | The gateway address of the network interface. |
| asset.tags | name | String | The name of the tag. |
| | uuid | String | The unique identifier for the tag. |
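The file, network, process and registry responses share the top-level score, actor and asset fields but keep their evidence in different sub-objects (file, process.processFile, process.loadedModules, indicator2, mitreInfoList), so a consumer has to walk all of them. The triage helper below is an added example and not Qualys code: the two sample events are constructed, trimmed from the page's FILE and REGISTRY responses; the function names are hypothetical; and the defense-evasion technique list is taken from the techniqueId values that appear in the page's samples. It also handles the case the FILE sample shows, a certificateValid of false on a Microsoft-signed binary whose certificate has simply expired, by reporting "expired" rather than treating it as a forged signature.

```python
# Added example (not Qualys code): triage helpers for Fetch Event Details responses.
# The two events below are constructed, trimmed from the page's REGISTRY and FILE
# samples; the function names are hypothetical.
from datetime import datetime

SAMPLE_EVENTS = [  # constructed; shapes and values follow the page's samples
    {
        "dateTime": "2025-02-22T08:22:23.017+0000", "type": "REGISTRY", "action": "WRITE",
        "score": "3", "scoreSource": "SIDDHI",
        "registry": {"path": "TamperProtection", "value": "0x0",
                     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features"},
        "actor": {"processId": 75572, "processName": "MsMpEng.exe"},
        "mitreInfoList": [{
            "techniques": [{"techniqueName": "Modify Registry", "techniqueId": "T1112"},
                           {"techniqueName": "Impair Defenses: Disable or Modify Tools",
                            "techniqueId": "T1562.001"}],
            "tactics": [{"tacticName": "Defense Evasion", "tacticId": "TA0005"}],
            "technique": {"techniqueName": "Modify Registry", "techniqueId": "T1112"},
            "ruleId": "T1112_61"}],
        "asset": {"hostName": "WIN-KL5S113723C", "platform": "Windows"},
    },
    {
        "dateTime": "2025-02-19T13:23:45.175+0000", "type": "FILE", "action": "READ",
        "score": "7", "scoreSource": "REVERSING_LAB",
        "indicator2": [{"verdict": "MALICIOUS",
                        "sha256": "3247bcfd60f6dd25f34cb74b5889ab10ef1b3ec72b4d4b3d95b5b25b534560b8"}],
        "actor": {"processId": 2864, "processName": "MsMpEng.exe"},
        "file": {"fullPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "sha256": "3247bcfd60f6dd25f34cb74b5889ab10ef1b3ec72b4d4b3d95b5b25b534560b8",
                 "certificates": [{"certificateSigned": True, "certificateValid": False,
                                   "certificateIssuedTo": "Microsoft Windows",
                                   "expiryDate": "2024-11-14T19:20:09.000+0000"}]},
        "asset": {"hostName": "WIN-AS-IPV6-4-2", "platform": "Windows"},
    },
]
# Technique IDs the page's samples map to the Defense Evasion tactic; drives the flag below.
DEFENSE_EVASION = ("T1112", "T1562.001", "T1036.005")


def _parse_ts(value):
    """Parse the response timestamp format, e.g. 2025-02-22T08:22:23.017+0000."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")
    except (TypeError, ValueError):
        return None


def technique_ids(event):
    """Ordered, de-duplicated technique IDs from techniques[] plus the primary technique."""
    ids = []
    for info in event.get("mitreInfoList") or []:
        ids += [t.get("techniqueId") for t in info.get("techniques") or []]
        ids.append((info.get("technique") or {}).get("techniqueId"))
    return list(dict.fromkeys(i for i in ids if i))


def _file_objects(event):
    """(label, object) pairs that can carry sha256/certificates: file, process image, modules."""
    process = event.get("process") or {}
    pairs = [("file", event.get("file")), ("processFile", process.get("processFile"))]
    pairs += [("module:%s" % m.get("moduleName"), m) for m in process.get("loadedModules") or []]
    return [(label, obj) for label, obj in pairs if obj]


def file_hashes(event):
    """SHA-256 values worth a threat-intel lookup, lower-cased and sorted."""
    hashes = {o["sha256"].lower() for _, o in _file_objects(event) if o.get("sha256")}
    hashes |= {i["sha256"].lower() for i in event.get("indicator2") or [] if i.get("sha256")}
    return sorted(hashes)


def untrusted_certificates(event):
    """(where, issuedTo, reason) for each unsigned or invalid certificate on the event.
    certificateValid=false with an expiry before the event time is reported as "expired":
    the signature may be genuine even though the certificate has lapsed."""
    event_time = _parse_ts(event.get("dateTime"))
    found = []
    for where, obj in _file_objects(event):
        for cert in obj.get("certificates") or []:
            if not cert.get("certificateSigned"):
                reason = "unsigned"
            elif cert.get("certificateValid"):
                continue
            else:
                expiry = _parse_ts(cert.get("expiryDate"))
                reason = "expired" if expiry and event_time and expiry < event_time else "invalid"
            found.append((where, cert.get("certificateIssuedTo"), reason))
    return found


def triage(event, high_score=7):
    """Summary dict per event; flagged when the score is high or a defense-evasion technique fired."""
    score = int(event.get("score") or 0)  # score is a string in the response
    ids = technique_ids(event)
    net = event.get("network") or {}
    return {
        "host": (event.get("asset") or {}).get("hostName"),
        "type": event.get("type"), "action": event.get("action"), "score": score,
        "actor": (event.get("actor") or {}).get("processName"),
        "remote": "%s:%s" % (net["remoteIP"], net.get("remotePort")) if net.get("remoteIP") else None,
        "techniques": ids,
        "hashes": file_hashes(event),
        "untrusted_certs": untrusted_certificates(event),
        "flagged": score >= high_score or any(i in DEFENSE_EVASION for i in ids),
    }
```

Feed it the list returned by the API (for example `[triage(e) for e in events]`) and the registry sample is flagged on its technique mapping even though its score is only 3, while the file sample is flagged on score alone; the hash list is what you hand to your threat-intel or allow-list lookup, and the certificate list tells you whether an unsigned module loaded or a signature merely aged out.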
Sample - Fetch Registry Event Details
API request
curl -G --data-urlencode "filter=type:registry" \
"<qualys_base_url>/ioc/v1/events/fxxxx2-222a-xxxx-abcd-28exxxxx11/F_fexxxxx-222a-1111-abcd-2xxxx11-1xxxx505xxxxxx8xxx56" -H "Authorization: Bearer <token>"
Response
[
{
"dateTime": "2025-02-22T08:22:23.017+0000",
"registry": {
"path": "TamperProtection",
"value": "0x0",
"key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features"
},
"eventSource": "EDR",
"type": "REGISTRY",
"actor": {
"processEventId": "RTP_d15905b7-df0e-3b55-8cb4-f9a7c2ef9d92_21-2-2025",
"processUniqueId": "-553510450883925585",
"processId": 75572,
"processName": "MsMpEng.exe",
"imageFullPath": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25010.6-0\\MsMpEng.exe",
"productName": "Microsoft® Windows® Operating System"
},
"score": "3",
"scoreSource": "SIDDHI",
"action": "WRITE",
"mitreInfoList": [
{
"techniques": [
{
"techniqueName": "Modify Registry",
"techniqueScore": 3,
"techniqueId": "T1112"
},
{
"techniqueName": "Impair Defenses: Disable or Modify Tools",
"techniqueId": "T1562.001"
}
],
"tactics": [
{
"tacticName": "Defense Evasion",
"tacticId": "TA0005"
}
],
"technique": {
"techniqueName": "Modify Registry",
"techniqueScore": 3,
"techniqueId": "T1112"
},
"ruleNames": [
"Tamper Win Defender Protection via Registry"
],
"ruleId": "T1112_61"
}
],
"ruleNames": [
"Tamper Win Defender Protection via Registry"
],
"id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
"asset": {
"fullOSName": "Microsoft Windows Server 2022 Standard 10.0.20348 Build 20348",
"hostName": "WIN-KL5S113723C",
"agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
"interfaces": [
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
},
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
},
{
"macAddress": "00:X0:XX:0X:00:00",
"ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
"interfaceName": "Intel(R) 82574L Gigabit Network Connection",
"gatewayAddress": "XX.XX.X0X.X"
}
],
"netBiosName": "WIN-KL5S113723C",
"customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
"platform": "Windows",
"tags": [
{
"name": "Cloud Agent",
"uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
}
]
}
}
]
Response Field DescriptionsResponse Field Descriptions
Dataset Name |
Field Name |
Data Type |
Description |
---|---|---|---|
Event | dateTime | Timestamp | Timestamp when the event occurred in the endpoint (ISO 8601 format). |
eventSource | String | The source of the event (e.g., "EDR" for endpoint detection and response). | |
type | String | The type of the event (e.g., "REGISTRY" indicates a registry-related event). | |
score | String | The overall threat severity score assigned to the event (e.g., "3" indicates a lower risk). | |
scoreSource | String | The source of the score (e.g., "SIDDHI"). | |
action | String | An action taken on the registry key (e.g., "WRITE"). | |
ruleNames | Array of Strings | A list of rule names associated with the event (e.g., "Tamper Win Defender Protection via Registry"). | |
id | String | A unique identifier for the event. | |
uniqueId | String | A unique identifier for the event. | |
registry | Object |
Registry information involved in the event. Dataset: registry |
|
actor | Object |
Details about the process that triggered the event. Dataset: actor |
|
mitreInfoList | Array of Object |
A list of MITRE ATT&CK techniques, tactics, and rules related to the event. Dataset: mitreInfoList |
|
mitreInfoList.techniques | Array of Object |
A list of techniques associated with the event (e.g., Masquerading). Dataset: mitreInfoList.techniques |
|
mitreInfoList.tactics | Array of Object |
A list of tactics associated with the event (e.g., Defense Evasion). Dataset: mitreInfoList.tactics |
|
mitreInfoList.technique | Object |
Detailed information about the MITRE technique. Dataset: mitreInfoList.technique |
|
asset | Object |
Information about the asset (host) involved in the event. Dataset: asset |
|
asset.interfaces | Array of Object |
A list of network interfaces on the host system, including network-related details such as IP and MAC addresses. Dataset: asset.interfaces |
|
asset.tags | Array of Object |
A list of tags associated with the asset. Contains tag details such as name and unique identifier. Dataset: asset.tags |
|
Dataset | Field | Type | Description |
---|---|---|---|
registry | path | String | The path of the registry key. |
registry | value | String | The value of the registry key. |
registry | key | String | The key of the registry path. |
actor | processEventId | String | The unique identifier for the process event. |
actor | processUniqueId | String | The unique identifier for the process. |
actor | processId | Integer | The process ID of the actor. |
actor | processName | String | The name of the process involved. |
actor | imageFullPath | String | The full path of the process executable involved in the event. |
actor | productName | String | The name of the product associated with the process (e.g., "Microsoft Windows Operating System"). |
mitreInfoList | ruleNames | Array of Strings | A list of rule names triggered by the event. |
mitreInfoList | ruleId | String | The unique rule identifier associated with the event. |
mitreInfoList.techniques | techniqueName | String | The name of the technique used (e.g., "Modify Registry"). |
mitreInfoList.techniques | techniqueScore | Integer | The score of the MITRE technique. |
mitreInfoList.techniques | techniqueId | String | The technique ID from MITRE ATT&CK (e.g., "T1112" for Modify Registry). |
mitreInfoList.tactics | tacticName | String | The name of the tactic used (e.g., "Defense Evasion"). |
mitreInfoList.tactics | tacticId | String | The tactic ID from MITRE ATT&CK (e.g., "TA0005" for Defense Evasion). |
mitreInfoList.technique | techniqueName | String | The name of the technique (e.g., "Modify Registry"). |
mitreInfoList.technique | techniqueScore | Integer | The score of the MITRE technique. |
mitreInfoList.technique | techniqueId | String | The technique ID from MITRE ATT&CK (e.g., "T1112"). |
asset | fullOSName | String | The full operating system name and version running on the asset. |
asset | hostName | String | The hostname of the affected asset. |
asset | agentId | String | The unique identifier for the agent monitoring the asset. |
asset | netBiosName | String | The NetBIOS name of the affected asset. |
asset | isQuarantineHost | Boolean | Indicates whether the asset is in quarantine. |
asset | customerId | String | The unique identifier for the customer. |
asset | platform | String | The platform of the asset (e.g., "Windows"). |
asset.interfaces | macAddress | String | The MAC address of the network interface. |
asset.interfaces | ipAddress | String | The IP address of the network interface. |
asset.interfaces | interfaceName | String | The name of the network interface. |
asset.interfaces | gatewayAddress | String | The gateway address of the network interface. |
asset.tags | name | String | The name of the tag. |
asset.tags | uuid | String | The unique identifier for the tag. |
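The following is an added example (not Qualys code) showing how a consumer would build the request the page describes with curl and then flatten a registry-event response into a SIEM-friendly record using the fields in the table above: registry target, acting process, triggered rule names and the ATT&CK technique and tactic IDs from mitreInfoList. The event body is constructed sample data shaped like the documented fields; the base URL, identifiers and registry path are placeholders, and the code tolerates a response that omits optional sub-objects such as mitreInfoList.

```python
"""Build a 'Fetch Event Details' request and summarize a registry event.

Added example, not Qualys code. Assumes the response is a JSON array of event
objects with the documented fields (registry, actor, mitreInfoList, asset).
"""
import json
import urllib.parse
import urllib.request

# Constructed sample response shaped like the field table; all values are invented.
SAMPLE_RESPONSE = json.dumps([{
    "dateTime": "2025-02-19T13:23:45.175+0000", "eventSource": "EDR",
    "score": "3", "scoreSource": "SIDDHI", "action": "WRITE",
    "ruleNames": ["Tamper Win Defender Protection via Registry"],
    "id": "EXAMPLE-EVENT-ID", "uniqueId": "EXAMPLE-UNIQUE-ID",
    "registry": {"path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
                 "key": "DisableExampleFeature", "value": "1"},
    "actor": {"processEventId": "EXAMPLE-PROCESS-EVENT-ID", "processUniqueId": "1234567890",
              "processId": 4321, "processName": "reg.exe",
              "imageFullPath": "C:\\Windows\\System32\\reg.exe",
              "productName": "Microsoft Windows Operating System"},
    "mitreInfoList": [{
        "ruleNames": ["Tamper Win Defender Protection via Registry"], "ruleId": "EXAMPLE-RULE-ID",
        "techniques": [{"techniqueName": "Modify Registry", "techniqueScore": 5, "techniqueId": "T1112"}],
        "tactics": [{"tacticName": "Defense Evasion", "tacticId": "TA0005"}],
        "technique": {"techniqueName": "Modify Registry", "techniqueScore": 5, "techniqueId": "T1112"},
    }],
    "asset": {"fullOSName": "Microsoft Windows 11 Pro", "hostName": "WS-EXAMPLE",
              "agentId": "EXAMPLE-AGENT-ID", "netBiosName": "WS-EXAMPLE",
              "isQuarantineHost": False, "customerId": "EXAMPLE-CUSTOMER-ID", "platform": "Windows",
              "interfaces": [{"macAddress": "00:11:22:33:44:55", "ipAddress": "192.0.2.10",
                              "interfaceName": "Ethernet", "gatewayAddress": "192.0.2.1"}],
              "tags": [{"name": "Workstations", "uuid": "EXAMPLE-TAG-UUID"}]},
}])


def build_event_request(base_url, agent_id, event_id, token, filter_query=None):
    """Mirror the page's curl call: GET /ioc/events/{agentId}/{eventId}, URL-encoded
    filter in the query string, and a 'Bearer <token>' Authorization header."""
    url = f"{base_url.rstrip('/')}/ioc/events/{agent_id}/{event_id}"
    if filter_query:
        url += "?" + urllib.parse.urlencode({"filter": filter_query})
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def parse_events(body):
    """Accept the documented array response (or a single object) as a list of dicts."""
    data = json.loads(body)
    return data if isinstance(data, list) else [data]


def summarize_event(event):
    """Flatten one event into a record; absent sub-objects yield empty fields."""
    registry = event.get("registry") or {}
    actor = event.get("actor") or {}
    asset = event.get("asset") or {}
    rule_names, techniques, tactics = set(event.get("ruleNames") or []), set(), set()
    for info in event.get("mitreInfoList") or []:
        rule_names.update(info.get("ruleNames") or [])
        # Technique IDs appear both in the 'techniques' array and the single 'technique' object.
        for t in (info.get("techniques") or []) + [info.get("technique") or {}]:
            if t.get("techniqueId"):
                techniques.add(t["techniqueId"])
        for t in info.get("tactics") or []:
            if t.get("tacticId"):
                tactics.add(t["tacticId"])
    score = event.get("score")  # documented as a String such as "3"
    return {
        "event_id": event.get("id"),
        "time": event.get("dateTime"),
        "host": asset.get("hostName"),
        "agent_id": asset.get("agentId"),
        "quarantined": bool(asset.get("isQuarantineHost")),
        "score": int(score) if isinstance(score, str) and score.isdigit() else None,
        "action": event.get("action"),
        # The table documents both 'path' and 'key'; join them for a single target string.
        "registry_target": "\\".join(p for p in (registry.get("path"), registry.get("key")) if p),
        "registry_value": registry.get("value"),
        "process": actor.get("imageFullPath") or actor.get("processName"),
        "process_id": actor.get("processId"),
        "rule_names": sorted(rule_names),
        "attack_techniques": sorted(techniques),
        "attack_tactics": sorted(tactics),
        "ip_addresses": sorted({i["ipAddress"] for i in asset.get("interfaces") or [] if i.get("ipAddress")}),
        "tags": sorted(t["name"] for t in asset.get("tags") or [] if t.get("name")),
    }


def is_defense_evasion(summary):
    """True when the event maps to the ATT&CK Defense Evasion tactic (TA0005)."""
    return "TA0005" in summary["attack_tactics"]


if __name__ == "__main__":
    req = build_event_request("https://qualys.example", "AGENT-ID", "EVENT-ID", "TOKEN", "type:file")
    print(req.full_url)  # the request is built but not sent in this offline example
    for ev in parse_events(SAMPLE_RESPONSE):
        print(json.dumps(summarize_event(ev), indent=2))
```

The summary keeps only the fields a detection pipeline normally keys on; `is_defense_evasion` is one place to hang an alerting decision, and a pipeline that needs the full record can still store the raw event alongside it.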
API Version History
The following table lists the versions of this API together with their status and release date:
API Version | API Status | Release Date |
---|---|---|
/ioc/events/{agentid}/{eventid} | Active | |
/ioc/v1/events/{agentid}/{eventid} | Active | May 2025 |