Fetch Ignored Events API

Use this API to get FIM events that are ignored.

POST /fim/v2/events/ignore/search

Input Parameters

Parameter

Mandatory/Optional

Data Type

Description

filter 

 Optional  String

Filter the events list by providing a query using Qualys syntax. Refer to the “How to Search” topic in the online help for assistance with creating your query.
For example - dateTime:['2019-02-25T18:30:00.000Z'..'2019-02-26T18:29:59.999Z'] AND action: 'Content'

 

  • For the dateTime filter, the start date should not be earlier than 2017-01-01.
  • The processedTime filter can be used only for events generated after FIM release 2.0.2.
  • To comply with the data retention policy, the API fetches data only from the last 15 months. For more information, refer to Data Retention Policy.
pageNumber  Optional  String The page to be returned. Starts from zero.
pageSize  Optional  String The number of records per page to be included in the response. Default is 10.

sort 

 Optional  String Sort the results using a Qualys token. For example - [{\"dateTime\":\"asc\"}]
file.attribute.hidden Optional String Displays attribute events for a file or directory whose hidden attribute was checked or unchecked.
file.attribute.readonly Optional String Displays attribute events for a file or directory whose readonly attribute was checked or unchecked.

Authorization 

 Mandatory  String

Authorization token to authenticate to the Qualys Cloud Platform.

Prepend token with "Bearer" and one space. For example - Bearer authToken

Sample 1

API Request

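# Search ignored FIM events; the JSON request body is read from request.json (shown below).
# Replace <qualys_base_url> with your platform URL and <token> with a valid auth token.
# The header value is "Bearer", exactly one space, then the token.
# Avoid pasting a live token into shared scripts or shells that keep persistent history.
curl -X POST \
  "<qualys_base_url>/fim/v2/events/ignore/search" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json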

Contents of request.json:

{
  "pageSize": 1,
  "filter": "dateTime:['2018-06-25T18:30:00.000Z'..'2019-02-20T18:29:59.999Z']"
}

Response

[
  {
    "sortValues": [],
    "data": {
      "dateTime": "2018-07-12T15:19:33.704+0000",
      "fullPath": "\\Device\\HarddiskVolume2\\FIM\\MobaXterm_installer.msi",
      "severity": 5,
      "profiles": [
        {
          "name": "Bug_Test_1",
          "rules": [
            {
              "severity": 2,
              "description": "",
              "id": "df74b8e2-704b-419e-818e-3c7f4e4a2838",
              "type": "directory"
            }
          ],
          "id": "a0f61a71-fc03-4d9e-a234-fb39afa35d66",
          "type": "WINDOWS",
          "category": {
            "name": "PCI",
            "id": "2dab5022-2fdd-11e7-93ae-92361f002671"
          }
        },
        {
          "name": "Bug_Test_Profile",
          "rules": [
            {
              "severity": 5,
              "description": "",
              "id": "c9a0d542-2d00-4a34-8ffd-b07a4826739a",
              "type": "directory"
            }
          ],
          "id": "f214c35a-441e-450a-b817-2f162add6854",
          "type": "WINDOWS",
          "category": {
            "name": "PCI",
            "id": "2dab5022-2fdd-11e7-93ae-92361f002671"
          }
        }
      ],
      "type": "File",
      "changedAttributes": null,
      "platform": "WINDOWS",
      "oldContent": null,
      "actor": {
        "process": "Explorer.EXE",
        "processID": 312,
        "imagePath": "\\Device\\HarddiskVolume2\\Windows\\Explorer.EXE",
        "userName": "CAAUTOMATION-PC\\Administrator",
        "userID": "S-1-5-21-3436480518-4193688097-2835352598-500"
      },
      "newContent": null,
      "ignoreDate": "2018-07-24",
      "customerId": "58b888be-a90f-e3be-838d-88877aee572b",
      "name": "MobaXterm_installer.msi",
      "action": "Delete",
      "id": "c6d7929c-85cb-3791-b6ed-2bcd9a7682cb",
      "asset": {
        "agentId": "fe94430f-f12c-4c6d-a9c2-a660049d69e5",
        "interfaces": [
          {
            "hostname": "CAAUTOMATION-PC",
            "macAddress": "00:50:56:9F:FF:54",
            "address": "10.113.197.104",
            "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
          }
        ],
        "lastCheckedIn": "2018-07-12T15:07:23.000Z",
        "created": 1531195694000,
        "hostId": null,
        "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
        "tags": [
          "8072536",
          "7895614",
          "7655820",
          "7650412"
        ],
        "assetType": "HOST",
        "system": {
          "lastBoot": "2018-06-14T16:29:03.000Z"
        },
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "CAAUTOMATION-PC",
        "name": "IOC-104",
        "agentVersion": "2.0.6.1",
        "updated": 1531408044017
      },
      "class": "Disk"
    }
  }
]

Sample 2

API Request

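# Search ignored FIM events using the filter in request.json (shown below).
# Replace <qualys_base_url> with your platform URL and <token> with a valid auth token.
# The URL is quoted so the shell does not treat the angle brackets as redirections
# if the placeholder is left in place.
curl -X POST \
  "<qualys_base_url>/fim/v2/events/ignore/search" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json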

Contents of request.json:

{
        "pageSize": 100,
        "filter": "reputationStatus: MALICIOUS"
}

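Response

Note: this sample shows a single event object rather than the array of sortValues/data entries seen in Samples 1 and 3, and its reputationStatus is KNOWN even though the request filters on reputationStatus: MALICIOUS. Use it as a reference for the reputation and certificate fields, not as an example of a matching result.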

{
  "dateTime": "2021-01-19T07:09:07.116+0000",
  "fullPath": "\\Device\\HarddiskVolume2\\FIM\\ProdCerts",
  "severity": 3,
  "profiles": [
    {
      "name": "Bug_Test_Profile",
      "rules": [
        {
          "severity": 3,
          "description": "",
          "id": "c9a0d542-2d00-4a34-8ffd-b07a4826739a",
          "type": "directory"
        }
      ],
      "id": "f214c35a-441e-450a-b817-2f162add6854",
      "type": "WINDOWS",
      "category": {
        "name": "PCI",
        "id": "f589a105-0100-3dbb-a007-556fae7afea5"
      }
    }
  ],
  "type": "Directory",
  "changedAttributes": null,
  "platform": "WINDOWS",
  "oldContent": null,
  "actor": {
    "process": "Explorer.EXE",
    "processID": 312,
    "imagePath": "\\Device\\HarddiskVolume2\\Windows\\Explorer.EXE",
    "userName": "CAAUTOMATION-PC\\Administrator",
    "userID": "S-1-5-21-3436480518-4193688097-2835352598-500"
  },
  "newContent": null,
  "ignoreDate": "2021-01-19",
  "customerId": "58b888be-a90f-e3be-838d-88877aee572b",
  "name": "ProdCerts",
  "action": "Create",
  "id": "5ca3af2b-991d-3154-acce-6ebbad2a6cc1",
  "asset": {
    "agentId": "b1362e7f-a29c-4226-a9a2-f91747f7e009",
    "interfaces": [
      {
        "hostname": "CAAUTOMATION-PC",
        "macAddress": "00:50:56:9F:FF:54",
        "address": "10.113.197.104",
        "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
      }
    ],
    "lastCheckedIn": "2021-01-19T07:02:08.000Z",
    "created": 1529071987000,
    "hostId": null,
    "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
    "tags": [
      "7895614",
      "7655820",
      "7650412",
      "8072536"
    ],
    "assetType": "HOST",
    "system": {
      "lastBoot": "2018-06-14T16:29:03.000Z"
    },
    "ec2": null,
    "lastLoggedOnUser": ".\\Administrator",
    "netbiosName": "CAAUTOMATION-PC",
    "name": "CAAUTOMATION-PC",
    "agentVersion": "2.0.6.1",
    "updated": 1529391745750
  },
  "class": "Disk",
  "fileContentHash": "50dc26047f5572a38aa7adb4e9b140dc301ea41d1f4bed5095a1ed7fc1d03fbc",
  "reputationStatus": "KNOWN",
  "fileCertificateHash": [
    "d12bed1761e1b2c244db23cebe4185c2b0839eee",
    "7ade32c9b68b944bf291d1fcc59faef061a6d2f2"
  ],
  "trustStatus": "TRUSTED"
}
        
               

Sample 3

API Request

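# Search ignored FIM registry events using the filter in request.json (shown below).
# Replace <qualys_base_url> with your platform URL and <token> with a valid auth token.
# The URL's double quotes are closed on the same line; an unterminated quote would make
# the shell swallow the remaining options into the URL argument.
curl -X POST \
  "<qualys_base_url>/fim/v2/events/ignore/search" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json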

Contents of request.json:

{
  "pageSize": 100,
  "filter": "registryKey.name: Data"
}

Response

[
  {
    "sortValues": [],
    "data": {
      "dateTime": "2021-03-05T11:28:36.455+0000",
      "fullPath": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Data",
      "type": "Value",
      "platform": "WINDOWS",
      "oldContent": null,
      "newContent": null,
      "customerId": "00XXXX-643f-f4af-8336-b253066XXXX",
      "action": "Content",
      "id": "e115XXXX-af72-37b5-8f92-9e878bbbba53",
      "severity": 3,
      "fileCertificateHash": null,
      "profiles": [
        {
          "name": "Profile Name",
          "rules": [
            {
              "severity": 3,
              "number": 1,
              "name": "Rule 1",
              "description": "Rule 1",
              "section": null,
              "id": "4282XXXX-cc33-49d8-82df-53a00e27XXXX",
              "type": "key"
            }
          ],
          "id": "f99941de-2296-4044-bfca-05aeb4575ef5",
          "type": "WINDOWS",
          "category": {
            "name": "PCI",
            "id": "2dabXXXX-2fdd-11e7-93ae-92361f00XXXX"
          }
        }
      ],
      "changedAttributes": null,
      "processedTime": "2021-03-05T05:37:30.311+0000",
      "actor": {
        "process": "reg.exe",
        "processID": 2811,
        "imagePath": "C:\\Windows\\System32\\reg.exe",
        "userName": "MSEDGEWIN10\\IEUser",
        "userID": "S-1-5-21-3461203602-4096304019-2269080069-1000"
      },
      "name": null,
      "asset": {
        "agentId": "7c99XXXX-92fa-4943-91ab-249e341dd10d",
        "interfaces": [
          {
            "hostname": "WIN10-122.WORKGROUP",
            "macAddress": "00:50:56:AA:5C:85",
            "address": "10.115.98.122",
            "interfaceName": "Intel(R) 82574L Gigabit Network Connection"
          }
        ],
        "lastCheckedIn": "2019-07-23T11:01:00.000Z",
        "created": "2021-01-11T06:40:09.930+0000",
        "hostId": null,
        "operatingSystem": "Microsoft Windows 10 Pro 10.0.10586 N/A Build 10586",
        "tags": [
          "7508831",
          "7526815",
          "7593230"
        ],
        "assetType": "HOST",
        "system": {
          "lastBoot": "2019-07-23T11:01:00.000Z"
        },
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "WIN10-122",
        "name": "WIN10-122",
        "agentVersion": "3.0.0.101",
        "updated": "2021-01-11T06:40:09.930+0000"
      },
      "ignoreDate": "2021-01-12",
      "fileContentHash": null,
      "reputationStatus": null,
      "registryPath": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
      "registryName": "Data",
      "oldRegistryValueType": "REG_MULTI_SZ",
      "oldRegistryValueContent": [
        "Multvalue string",
        "Multvalue string"
      ],
      "newRegistryValueType": "REG_MULTI_SZ",
      "newRegistryValueContent": [
        "Multvalue string1",
        "Multvalue string2"
      ],
      "class": "Registry"
    }
  }
]