Heimdal Security lets you retrieve statistics about your endpoints, the detections that were found, and the applications deployed via the Heimdal Agent. For this we provide API keys that you generate yourself and use to ingest the data available in the Heimdal Dashboard into any SIEM tool.
To reach the Heimdal Security API section, log in to the HEIMDAL Dashboard and click the Guide tab -> Your HS API Key mini-tab. Access to the API is only possible from the IP ranges that are marked as trusted for your customer account, so make sure the public IP of your SIEM collector is within those ranges before you start testing.
If you don't have an active Personal API Key, generate one in the Guide section -> Your HS API Key -> New API/Old API. To replace an existing Personal API Key, press Delete and then Generate a new Personal API Key; the deleted key stops working, so update any collector that still uses it.
APIs
The API returns the data available in the HEIMDAL Dashboard (through GET, POST and PUT methods) for each Heimdal module (DarkLayer Guard, VectorN Detection, 3rd Party Software, Microsoft Updates, Next-Gen Antivirus & MDM, Ransomware Encryption Protection, Active Clients) in JSON format. The data can be filtered using the parameters described below and is accessed with your Personal API Key, sent in the Authorization header as a Bearer token.
For each HTTP request to the Heimdal Security API you must provide your Personal API Key in the HTTP Authorization header: "Authorization: Bearer Your-Personal-API-Key".
Curl
curl -H "Authorization: Bearer UUP5MERX4PRNZ3FU7RMYUTBL52ASIORN" "https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/activeclients?customerId=229584&startDate=2021-04-03T12:00&endDate=2021-05-03T11:59"
The key in the example is a sample. In practice, keep the key out of your shell history and process listings: read it from an environment variable or a curl config file (-K) rather than pasting it into the command line, and treat it like a password. Anyone holding it and coming from a trusted IP range can read every module's data and call the write endpoints documented below (reseller operations, application registration, PAM approvals).
CONFIGURE THE API URL
The API URL can be configured with multiple parameters in order to filter the data according to your current needs:
Method: GET
URL: https://dashboard_environment.heimdalsecurity.com/api/heimdalapi/heimdal_module?customerId=customerId&startDate=start_date&endDate=end_date&optional_parameter=value_for_optional_parameter
Parameters:
- dashboard_environment: the environment for the desired dashboard (Production or Release Candidate): dashboard or rc-dashboard;
- heimdal_module: name of the interrogated module;
- customerId: the ID of the customer (found under the Your Personal API Key field);
- start_date: the start date for the data to be retrieved;
- end_date: the end date for when the data will stop being retrieved;
- optional_parameter: the optional parameter that some modules allow to filter the retrieved data (the optional parameters are described below);
- value_for_optional_parameter: the value that must be inserted for the optional parameter that is specific for each module.
The date format for the START DATE and END DATE parameter is YYYY-mm-DDTHH:MM.
- YYYY – the year (ex: 2018);
- mm – the month (ex: 02 for February);
- DD – the day (ex: 15);
- T – required if the date will include HOUR and MINUTES;
- HH – the hour (ex: 18);
- MM – the minute (ex: 08).
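The following Python helper, added here as an illustration and not part of Heimdal's own tooling, assembles a request exactly as described above: it validates the startDate/endDate format before the URL is built, percent-encodes any optional filter values, and reads the Personal API Key from an environment variable (HEIMDAL_API_KEY, a name chosen for this example) instead of a literal, so the key stays out of shell history and source control. Only the standard library is used; fetch_json is the one function that talks to the network, and it turns a 401/403 into a message pointing at the two usual causes (wrong key, source IP outside the trusted ranges).

```python
import json
import os
import re
import urllib.error
import urllib.request
from datetime import datetime
from typing import Optional
from urllib.parse import urlencode

# startDate/endDate must be YYYY-mm-DDTHH:MM, as documented above.
DATE_FORMAT = "%Y-%m-%dT%H:%M"
ENVIRONMENTS = ("dashboard", "rc-dashboard")  # Production / Release Candidate


def validate_date(value: str) -> str:
    """Fail fast on a malformed date instead of letting the API reject or misread it."""
    try:
        datetime.strptime(value, DATE_FORMAT)
    except ValueError as exc:
        raise ValueError(f"bad date {value!r}, expected {DATE_FORMAT}") from exc
    return value


def build_url(environment: str, module: str, customer_id: int,
              start_date: str, end_date: str, **optional: str) -> str:
    """Assemble https://<env>.heimdalsecurity.com/api/heimdalapi/<module>?customerId=...
    Module-specific filters (status="blocked", clientInfoID="743907", ...) are passed as
    keyword arguments and appended to the query string."""
    if environment not in ENVIRONMENTS:
        raise ValueError(f"unknown environment {environment!r}")
    # Module paths on this page are names or slash-separated segments; reject anything else
    # so a caller cannot smuggle '?' or '#' into the path.
    if not re.fullmatch(r"[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*", module):
        raise ValueError(f"unexpected module path {module!r}")
    params = {"customerId": str(customer_id),
              "startDate": validate_date(start_date),
              "endDate": validate_date(end_date)}
    params.update(optional)
    # urlencode percent-encodes filter values; ':' is left readable, as in the examples.
    query = urlencode(params, safe=":")
    return f"https://{environment}.heimdalsecurity.com/api/heimdalapi/{module}?{query}"


def build_request(url: str, api_key: Optional[str] = None) -> urllib.request.Request:
    """Attach the Bearer header. The key is read from HEIMDAL_API_KEY (example name) so it
    never lands in shell history, process listings or source control."""
    api_key = api_key or os.environ.get("HEIMDAL_API_KEY")
    if not api_key:
        raise RuntimeError("HEIMDAL_API_KEY is not set")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}",
                                                "Accept": "application/json"})


def fetch_json(request: urllib.request.Request, timeout: float = 30.0):
    """Perform the GET and decode the JSON body. 401/403 almost always mean a wrong key or
    a source IP outside the trusted ranges, so say so instead of surfacing a bare status."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            raise PermissionError(
                f"HTTP {exc.code}: check the API key and that this host's public IP is in "
                "the customer's trusted IP ranges") from exc
        raise


if __name__ == "__main__":
    url = build_url("rc-dashboard", "darklayerguard", 229584,
                    "2021-04-03T12:00", "2021-05-03T11:59", status="blocked")
    print(url)
    # Uncomment once HEIMDAL_API_KEY is exported to run against the real API:
    # print(json.dumps(fetch_json(build_request(url)), indent=2)[:500])
```

Because build_url only accepts the two documented environments and a restricted module path, a misconfigured collector fails locally with a clear error rather than sending a malformed request with a valid key attached.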
RESELLER create/update customer
This API allows you to perform customer operations from a Reseller account. It allows you to create an Enterprise customer that will be available in the Admin -> Customers section. It will also create an account in the Accounts section. It works only if you have a Dashboard reseller/admin/super admin role.
Method: POST
Parameter: reseller/create
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/reseller/create
Body:
{
"customerName": "customer_name_here",
"email": "email_address",
"licensesCount": licenseCount,
"expirationDate": "yyyy-mm-dd"
}
Method: PUT
Parameter: reseller/update
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/reseller/update
Body:
{
"customerId": customerId,
"licensesCount": licenseCount,
"products": ["prod1", "prod2", "prod3"]
}
Either licensesCount or products may be supplied on its own; both may also be supplied in the same request. The products parameter is a string array listing the new products to be added to the specified customer. Product values are DNS-N, DNS-E, PnA Management, Infinity Management, Antivirus, REP, PAM, App Control, ESF Standard, ESF Advanced, EFP, RD.
CUSTOMERS' details
This API retrieves information about a specific customer or all customers of a reseller. It works only if you have a Dashboard reseller/admin/super admin role and you specify the customer's or the reseller's ID as the customerId value.
Method: GET
Parameter: customers
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/customers?customerId=229584&startDate=2021-04-03T12:00&endDate=2021-05-03T11:59
Output:
"result": {
"id": "307508",
"name": "Romy's Customer",
"type": "Corp",
"licenseType": "TPE,AV,VM,PAM,AC,ESEC,EFP",
"splaLicense": "Yes",
"activeEndpoints": "10",
"activeServers": "0",
"purchasedLicenses": "1"
},
"id": 1348,
"exception": null,
"status": "RanToCompletion",
"isCanceled": false,
"isCompleted": true,
"isCompletedSuccessfully": true,
"creationOptions": "None",
"asyncState": null,
"isFaulted": false
ACTIVE CLIENTS details
This API retrieves information about all the active clients of a customer (id, hostname, IP Address, Agent version, OS, current Group Policy, Last seen, active modules, status).
Method: GET
Parameter: activeclients
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/activeclients?customerId=229584&startDate=2021-04-03T12:00&endDate=2021-05-03T11:59
Output:
"id": 407074,
"hostname": "WORKSTATION49",
"ipAddress": "192.168.2.88",
"version": "2.5.341.2000",
"operatingSystem": "Microsoft Windows 10 - x64",
"currentGP": "Sales Master GP",
"selectedGP": "Automatic",
"lastSeen": "20-12-02T14:56:39.607+00:00",
"modules": "DarkLayer Guard,VectorN,ThirdParty Applications,Infinity Management,Microsoft Updates,Next-Gen Antivirus,Firewall, Ransomware Encryption Protection,Privileged Access Management, Email Fraud Prevention",
"status": "Healthy",
"alerts": [],
"riskScore": 14.0,
"machineInfo": {
"dnsInfos": [
{
"adapterName": "Ethernet",
"dnsAddresses": "10.0.2.1",
"isDnsAutomatic": true,
"physicalAddress": "00155D015F05"
}
],
"osVersion": "10.0.19045.0",
"osBuild": "19045",
"fullOSVersion": "22H2 (OS Build 19045.2364)",
"osEdition": "Enterprise",
"osServicePack": "",
"biosVersion": "VRTUAL - 5001818 | BIOS Date: 05/18/18 15:55:38 Ver: 09.00.07 | BIOS Date: 05/18/18 15:55:38 Ver: 09.00.07",
"biosManufacturer": "American Megatrends Inc.",
"motherboardManufacturer": "Microsoft Corporation",
"motherboardModel": "Virtual Machine",
"motherboardSerial": "6123-2686-6273-8851-1549-0354-63",
"motherboardSerialSecondary": "6123-2686-6273-8851-1549-0354-63",
"processorModel": "AMD Ryzen 7 3700X 8-Core Processor",
"processorCoresNo": 4,
"processorUtilization": 9,
"processorUtilizationLimit": null,
"memoryCapacity": 3,
"memoryUtilization": 74,
"memoryUtilizationLimit": null,
"hddCapacity": 149,
"hddUtilization": 1,
"hddSerial": "",
"vdfVersion": "1.421.573.0",
"vdfTimestamp": "2024-12-01T13:17:17+00:00",
"avModuleStatus": null,
"lastReboot": "2024-11-25T19:45:45.2779833+00:00"
}
}
*Note: The LastSeen from the Active Clients view is updated every 6 hours.
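As an added example (not Heimdal code), the script below runs a hygiene check over activeclients records of the shape shown above: it splits the comma-separated modules string (note the inconsistent spacing in the sample), flags endpoints missing a module you expect to be active, and flags endpoints whose lastSeen is older than a threshold chosen to respect the 6-hour refresh noted above. The REQUIRED_MODULES set and the sample records are constructed for the example; timestamps are assumed to be ISO 8601 with an offset, as in the sample output.

```python
import re
from datetime import datetime, timedelta, timezone

# Modules every managed endpoint is expected to report (example policy; adjust to your licence).
REQUIRED_MODULES = {"DarkLayer Guard", "Next-Gen Antivirus", "Ransomware Encryption Protection"}
# The Active Clients view refreshes lastSeen only every 6 hours, so a threshold tighter than
# that would flag healthy machines; 24 hours leaves a safe margin.
STALE_AFTER = timedelta(hours=24)


def parse_modules(value: str) -> set:
    """modules is one comma-separated string with stray spaces around some names."""
    return {m.strip() for m in value.split(",") if m.strip()}


def parse_timestamp(value: str) -> datetime:
    """Parse the ISO 8601 timestamps. Fractions longer than six digits and a trailing 'Z' are
    normalised first because datetime.fromisoformat() before Python 3.11 rejects them."""
    value = re.sub(r"(\.\d{6})\d+", r"\1", value.strip())
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def audit_clients(clients: list, now: datetime) -> dict:
    """Return {hostname: [problems]} for endpoints missing a required module, not seen
    within STALE_AFTER, or reporting a status other than Healthy."""
    findings = {}
    for c in clients:
        problems = []
        missing = REQUIRED_MODULES - parse_modules(c.get("modules", ""))
        if missing:
            problems.append("missing modules: " + ", ".join(sorted(missing)))
        age = now - parse_timestamp(c["lastSeen"])
        if age > STALE_AFTER:
            problems.append(f"last seen {age.days} day(s) ago")
        if c.get("status") != "Healthy":
            problems.append(f"status is {c.get('status')!r}")
        if problems:
            findings[c["hostname"]] = problems
    return findings


# Constructed sample in the shape of the activeclients output above (not real data).
SAMPLE_CLIENTS = [
    {"id": 407074, "hostname": "WORKSTATION49", "status": "Healthy",
     "lastSeen": "2024-12-02T14:56:39.607+00:00",
     "modules": "DarkLayer Guard,VectorN,ThirdParty Applications,Next-Gen Antivirus, Ransomware Encryption Protection"},
    {"id": 407075, "hostname": "WORKSTATION50", "status": "Healthy",
     "lastSeen": "2024-11-20T08:00:00.1234567+00:00",
     "modules": "DarkLayer Guard,VectorN,ThirdParty Applications"},
    {"id": 407076, "hostname": "SRV-FILE01", "status": "Healthy",
     "lastSeen": "2024-12-03T09:15:00Z",
     "modules": "DarkLayer Guard,Next-Gen Antivirus,Ransomware Encryption Protection,Firewall"},
]


def run_sample(now: datetime = datetime(2024, 12, 3, 12, 0, tzinfo=timezone.utc)) -> dict:
    """Audit the constructed sample at a fixed 'now' so the result is reproducible."""
    return audit_clients(SAMPLE_CLIENTS, now)


if __name__ == "__main__":
    for host, problems in run_sample().items():
        print(host, "->", "; ".join(problems))
```

With the sample data only WORKSTATION50 is reported: it lacks two required modules and was last seen 13 days ago. Feed the real activeclients output into audit_clients with now=datetime.now(timezone.utc) to get the same report for your fleet.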
CLIENT specifics
This API retrieves information about a specific client (id, hostname, IP Address, Agent version, OS, current Group Policy, selected Group Policy, Last seen, active modules, status, alerts, machine Information).
Method: GET
Parameter: activeclients
Optional parameters:
- clientInfoID - gets the client specifics of an endpoint;
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/activeclients?customerId=229584&clientInfoID=743907&startDate=2021-04-03T12:00&endDate=2021-05-03T11:59
Output:
"id": 407074,
"hostname": "SUPPORT1",
"ipAddress": "192.168.2.88",
"version": "2.5.373.3000",
"operatingSystem": "Microsoft Windows 10 - x64",
"currentGP": "3rd Party Software",
"selectedGP": "Automatic",
"lastSeen": "20.04.2021",
"modules": "DarkLayer Guard,VectorN,ThirdParty Applications,Infinity Management,Microsoft Updates,Next-Gen Antivirus,Firewall, Ransomware Encryption Protection,Privileged Access Management, Email Fraud Prevention",
"status": "Healthy",
"alerts": [],
"machineInfo": {
"dnsInfo": null,
"osVersion": "10.0.19043.0",
"osBuild": "19043",
"osServicePack": "",
"biosVersion": "VRTUAL - 4001628 | BIOS Date: 04/28/16 13:00:17 Ver: 09.00.06 | BIOS Date: 04/28/16 13:00:17 Ver: 09.00.06",
"biosManufacturer": "American Megatrends Inc.",
"motherboardManufacturer": "Microsoft Corporation",
"motherboardModel": "Virtual Machine",
"processorModel": "AMD Ryzen 7 3700X 8-Core Processor",
"processorCoresNo": 4,
"processorUtilization": 6,
"processorUtilizationLimit": null,
"memoryCapacity": 3,
"memoryUtilization": 68,
"memoryUtilizationLimit": null,
"hddCapacity": 97,
"hddUtilization": 0,
"vdfVersion": "8.18.44.170",
"vdfTimestamp": "2021-10-26T14:25:35.5612271+00:00",
"lastReboot": "2021-11-12T12:25:35.5613271+00:00"
}
ACTIVE CLIENTS PER MODULE
This API works only for reseller accounts and retrieves, for every customer of the reseller, the parent reseller, the customer name and the number of active endpoints and servers per module. The statistics are pulled on a calendar month basis (1st of the month until the end of the month), and the API does NOT have an end date parameter; the month is selected by startDate. In the customerId key, you have to use the reseller's customer ID.
Method: GET
Parameter: ReportsStats/ExportActiveClientsPerModule
Optional parameters:
- queryType
- HeimdalReportStandard - gets standard statistics;
- HeimdalReportVerbose - gets verbose statistics;
- splaOption
- All - gets all statistics;
- SPLA - gets only statistics that have SPLA;
- WithoutSPLA - gets only statistics that don't have SPLA.
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/ReportsStats/ExportActiveClientsPerModule?customerId=229584&startDate=2021-04-03T12:00&queryType=HeimdalReportStandard&splaOption=All
Output:
"parentName": "Example Reseller",
"modules": {
"Heimdal Reseller": [
{
"customerName": "ExampleCustomerName, ID: 187788004",
"threatPreventionNetwork": " 0 ",
"threatPreventionEndpointEndpoints": " 4 ",
"threatPreventionEndpointServers": " 1 ",
"patchAndAssetsEndpoints": "10",
"patchAndAssetsServers": "0",
"infinityManagementEndpoints": " 5 ",
"infinityManagementServers": " 5 ",
"nextGenAvEndpoints": " 5 ",
"nextGenAvServers": " 1 ",
"ransomwareEncryptionProtectionEndpoints": " 5 ",
"ransomwareEncryptionProtectionServers": " 1 ",
"forensicsEndpoints": " 3 ",
"forensicsServers": " 0 ",
"privilegedAccessManagementEndpoints": " 6 ",
"privilegedAccessManagementServers": " 0 ",
"appControlEndpoints": " 3 ",
"appControlServers": "0",
"emailSecurity": "5",
"emailFraudPreventionEndpoints": "3",
"emailFraudPreventionServers": "3"
} ]
}
ACTIVE CLIENTS TOTAL
This API works only for reseller accounts and retrieves, per customer, the parent reseller, the customer name, the active device/endpoint/server counts, the purchased licenses and which modules are enabled. The statistics are pulled on a calendar month basis (1st of the month until the end of the month), and the API does NOT have an end date parameter; the month is selected by startDate.
Method: GET
Parameter: ReportsStats/ExportActiveClientsTotal
Optional parameters:
- queryType
- HeimdalReportStandard - gets standard statistics;
- HeimdalReportVerbose - gets verbose statistics;
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/ReportsStats/ExportActiveClientsTotal?customerId=229584&startDate=2021-04-03T12:00&queryType=HeimdalReportStandard&splaOption=All
Output:
"parentName": "Example Reseller",
"modules": {
"Heimdal Reseller": [
{
"customerName": "ExampleCustomerName, ID: 187788004",
"activeDevices": 17 ,
"activeEndpoints": 12 ,
"activeServers": 2 ,
"purchasedLicenses": 200 ,
"hasThreatPreventionNetwork": true ,
"hasThreatPreventionEndpoint": true ,
"hasPatchAndAssets": true ,
"hasInfinityManagement": true ,
"hasNextGenAntivirus": true ,
"hasRamsomwareEncryptionProtection": true ,
"hasForensics": true ,
"hasPrivilegedAccessManagement": true ,
"hasAppControl": true ,
"hasEmailSec": true ,
"hasEmailFraudPrevention": true
} ]
}
DNS Security NETWORK
This API retrieves information about a customer’s DNS Security Network statistics (hostname, IP Address, accessed domain, threat type, protocol, status, timestamp).
Method: GET
Parameter: threatPreventionNetwork
Optional parameters:
- hostname - allows you to specify the hostname;
- status
- all - gets all the DNS Security Network detections;
- passed - gets only the passed queries;
- blocked - gets only the blocked detections;
- categoryBlocked - gets only the category blocked detections;
- ipAddress - allows you to specify an IP Address.
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/threatPreventionNetwork?customerId=229584&startDate=2021-04-03T12:00&endDate=2021-05-03T11:59
Output:
"hostname": "WORKHCJ42",
"ip": "192.168.1.156",
"domain": "s-usc1c-nss-212.firebaseio.com",
"threatType": "-",
"protocol": "UDP",
"status": "Sane",
"timestamp": "2021-03-28T10:50:30.96+00:00"
DNS Security ENDPOINT - DARKLAYER GUARD
This API retrieves information about a customer’s DarkLayer Guard statistics (hostname, IP Address, username, accessed domain, threat type, process making the request, the path of the process, resolved IP addresses and domains, protocol, timestamp, status).
Method: GET
Parameter: darklayerguard
Optional parameters:
- status
- analyzed - filters only analyzed DNS Security Endpoint queries;
- blocked - filters only blocked DNS Security Endpoint queries;
- allowed - filters only allowed DNS Security Endpoint queries.
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/darklayerguard?customerId=229584&startDate=2021-04-03T12:00&endDate=2021-05-03T11:59
Output:
"hostname": "WORKHCJ42",
"ip": "::1",
"activeUsername": "hcj",
"domain": "s-usc1c-nss-212.firebaseio.com",
"threatType": "-",
"threatToProcessCorrelation": "chrome.exe",
"threatToProcessCorrelationPath": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"resolvedIps": "35.201.97.85",
"resolvedDomains": "-",
"urls": "-",
"protocol": "IPv6",
"timestamp": "2021-03-28T10:50:30.96+00:00",
"status": "Allowed"
DNS Security ENDPOINT - Full logging
This API retrieves the full DNS Security Endpoint (DarkLayer Guard) log of a customer, one entry per DNS query (customer ID, client ID, hostname, public IP Address, accessed domain, state, threat type and category, protocol, process making the request and its path, username, resolved IP addresses, web addresses, timestamp).
Method: GET
Parameter: tpefulllogging
Optional parameters:
- status
- allowed - filters only allowed DNS Security Endpoint queries;
- blocked - filters only blocked DNS Security Endpoint queries;
- categoryBlocked - filters only category-blocked DNS Security Endpoint queries.
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/tpefulllogging?customerId=229584&status=blocked
Output:
"customerId": "229584",
"clientInfoId": "2435272",
"hostname": "SUPPORT0",
"publicIp": "5.2.145.131",
"domain": "11proc.com",
"state": "Blocked",
"blocked": true,
"threatType": "Phishing",
"threatCategory": "Phishing",
"protocol": "IPv6",
"processName": "System Idle Process",
"processPath": "",
"activeUsername": "Test",
"ips": "",
"webAddresses": "",
"timestamp": "2023-10-24T06:29:58.5749861+00:00",
"domainTrimmed": "11proc.com"
DNS Security ENDPOINT - VECTORN
This API retrieves information about a customer’s VectorN statistics (hostname, malware pattern, probability of infection, process triggering the detection, the path of the process, count, last match).
Method: GET
Parameter: vectorn
Optional parameters:
- probabilityofinfection
- none - gets all VectorN detections;
- moderate - gets only moderate-probability VectorN detections;
- high - gets only high-probability VectorN detections;
- veryhigh - gets only very-high-probability VectorN detections.
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/vectorn?customerId=229584&startDate=2021-04-06T12:00&endDate=2021-05-06T11:59&probabilityOfInfection=high
Output:
"hostname": "WORKSTATION50",
"malwarePattern": "Attack blocked",
"probabilityOfInfection": "High",
"threatToProcessCorrelation": "chrome.exe",
"threatToProcessCorrelationPath": " C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"count": 1,
"lastMatch": "2021-03-28T12:14:52.64+00:00"
PATCH & ASSETS - 3RD PARTY SOFTWARE
This API retrieves information about the 3rd Party Software deployed in a customer’s environment (hostname, IP Address, software name, version, status, release date, timestamp, CVE, and CVSS). Each call returns at most the last 1,000 entries. If the interval contains more than 1,000 entries, use the timeframe mechanism: narrow the start/end dates so that each call covers at most 1,000 entries and walk the full interval in several calls.
Method: GET
Parameter: thirdparty
Optional parameters:
- status
- latest - gets only the 3rd Party Software whose status is the latest update;
- update - gets only the 3rd Party Software that is up to date;
- vulnerable - gets only the vulnerable 3rd Party Software;
- patched - gets only the patched or not vulnerable 3rd Party Software;
- uninstalled - gets only the uninstalled 3rd Party Software.
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/thirdparty?customerId=229584&startDate=2021-04-06T12:00&endDate=2021-05-06T11:59&status=uptodate
Output:
"hostname": "WORKHCJ38\\hcj",
"ip": "192.168.0.15",
"software": "Adobe Acrobat Reader DC",
"version": "21.001.20150",
"status": "Vulnerable",
"releaseDate": "2020-06-13T08:19:53.023+00:00",
"timestamp": "2021-04-28T06:39:52.083+00:00",
"cve": "-",
"cvss": null
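The 1,000-entry cap described above is easy to get wrong: a single call over a busy month returns exactly 1,000 rows and silently drops the rest. The Python below, added here as an example and not part of the product, implements the timeframe mechanism generically: it fetches a window, and whenever a response comes back full it halves the window and fetches both halves, down to the API's one-minute date resolution. The server is simulated by a constructed in-memory endpoint holding 2,500 fake thirdparty rows; in a real collector, fetch would wrap the HTTP call. The example assumes the window is half-open (endDate exclusive), which the page does not state, so the collector also deduplicates rows on their identifying fields in case a row sitting on a split boundary is returned by both halves.

```python
from datetime import datetime, timedelta

BATCH_CAP = 1000  # the thirdparty endpoint returns at most this many rows per call


def fetch_windowed(fetch, start, end, cap=BATCH_CAP, min_window=timedelta(minutes=1)):
    """Collect every row between start and end from an endpoint that silently truncates each
    response at `cap` rows. fetch(start, end) returns the rows for one window; whenever a
    response is full the window is halved and both halves are fetched. Returns (rows,
    truncated), where truncated lists windows that were still full at min_window."""
    rows, seen, truncated = [], set(), []
    pending = [(start, end)]
    while pending:
        s, e = pending.pop()
        batch = fetch(s, e)
        if len(batch) >= cap and (e - s) > min_window:
            mid = (s + (e - s) / 2).replace(second=0, microsecond=0)  # API dates are minute-resolution
            if mid <= s:
                mid = s + min_window
            pending.append((mid, e))
            pending.append((s, mid))  # popped first, so the output stays chronological
            continue
        if len(batch) >= cap:
            truncated.append((s, e))  # 1,000+ rows inside one minute: cannot split further
        for row in batch:
            # A row exactly on a split boundary may come back from both halves if the API treats
            # endDate as inclusive; dedupe on the fields that identify one observation.
            key = (row["hostname"], row["software"], row["version"], row["timestamp"])
            if key not in seen:
                seen.add(key)
                rows.append(row)
    return rows, truncated


def make_sample_rows(n=2500, first=datetime(2021, 4, 6, 12, 0), step=timedelta(minutes=17)):
    """Constructed thirdparty-style rows (not real data): one observation every 17 minutes."""
    return [{"hostname": f"WS{i % 40:02d}", "ip": "192.168.0.15",
             "software": "Adobe Acrobat Reader DC", "version": "21.001.20150",
             "status": "Vulnerable", "timestamp": first + i * step, "cve": "-", "cvss": None}
            for i in range(n)]


def make_fake_endpoint(all_rows):
    """Simulates the server: rows with start <= timestamp < end, truncated at BATCH_CAP.
    Also records every window it was asked for, so the call count can be inspected."""
    calls = []

    def fetch(s, e):
        calls.append((s, e))
        return [r for r in all_rows if s <= r["timestamp"] < e][:BATCH_CAP]

    return fetch, calls


def run_sample():
    """Compare one naive call with the windowed collector over a 30-day interval."""
    all_rows = make_sample_rows()
    fetch, calls = make_fake_endpoint(all_rows)
    start, end = datetime(2021, 4, 6, 12, 0), datetime(2021, 5, 6, 12, 0)
    naive = fetch(start, end)  # what a single call gives you: the cap, nothing more
    rows, truncated = fetch_windowed(fetch, start, end)
    return len(naive), len(rows), len(truncated), len(calls) - 1, rows


if __name__ == "__main__":
    single, total, trunc, calls, _ = run_sample()
    print(f"single call: {single} rows; windowed: {total} rows in {calls} calls; "
          f"truncated windows: {trunc}")
```

On the sample the single call returns 1,000 of 2,500 rows, while the windowed collector returns all 2,500 in 7 calls (one full month, two full halves, four quarters that fit). The same loop applies to any endpoint here that takes startDate/endDate and caps its output; only the dedupe key changes.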
PATCH & ASSETS - 3RD PARTY SOFTWARE COMPLIANCE
This API retrieves information about the customer’s 3rd Party Software compliance in the environment (clientInfoId, hostname, username, number of Updates, and Last Seen).
Method: GET
Parameter: thirdparty/compliance
Optional parameters:
- status - compliant (gets only the compliant devices) or non-compliant (gets only the non-compliant devices).
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/thirdparty/compliance?customerId=229584&startDate=2021-04-06T12:00&endDate=2021-05-06T11:59&status=compliant
Output:
"clientInfoId": "2233331",
"hostname": "Support3",
"username": "Administrator",
"numberOfUpdates": "0",
"lastSeen": "2024-04-28T06:39:52.083+00:00"
PATCH & ASSETS - 3RD PARTY SOFTWARE - Intune support
This API retrieves information about a customer’s 3rd Party Software deployed in the environment (Application Name, Architecture, Install command line, Uninstall command line, detection script, HEIMDAL storage URL, version, and others) and can be used with Microsoft Intune so that Intune pushes the patches from HEIMDAL's servers.
Method: GET
Parameter: patch-management/intune
Optional parameters:
- appname - it is used to filter applications by their name (it can be the Full Name of the application or only a part of it). The search is not case-sensitive.
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/patch-management/intune?customerId=229584
Output:
"applicationName": "Mozilla Firefox EN x64",
"publisher": " Mozilla ",
"architecture": " x64 ",
"patches": [
{
"installCommand": " Firefox_Setup_94.0.2_x64_en.exe -ms ",
"uninstallCommand": " C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe /S ",
"detectionScript": "$Application = \"Mozilla Firefox\"\n\n$isInstalled = (Get-ItemProperty HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*).displayname -match $Application\n\nif ($isInstalled) { \n\n Write-Output \"Exit code 0\";\n exit 0 \n \n}\n\nelse {\n \n Write-Output \"Exit code 1\";\n exit 1 ",
"minimumSupportedWindowsRelease": "1607",
"runDetectionScriptSilently": "true",
"appType": "Windows app (Win32)",
"url": "https://heimdalprodstorage.blob.core.windows.net/patching/Firefox_Setup_94.0.2_x64_en.exe.enc",
"version": "94.0.2",
"useUserInstallContext": false
}
]
PATCH & ASSETS - INFINITY MANAGEMENT
This API retrieves information about the applications deployed through Infinity Management.
Method: GET
Parameter: infinitymanagement/getapplications
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/infinitymanagement/getapplications?customerId=229584
Output:
"customerId": "229584",
"publisher": "null",
"isDeleted": "false",
"name": "WinMerge x64",
"id": "910",
"patches": [],
"status": "NotProcessed",
"timestamp": "2021-04-28T06:39:52.083+00:00",
"architecture": "x64",
"customExpressionTags": "WinMerge*",
"cveProductName": null,
"isCustom": false
Method: GET
Parameter: infinitymanagement/getapplication/{application-id}
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/infinitymanagement/getapplication/{application-id}?customerId=229584
Output:
"customerId": "229584",
"publisher": "null",
"isDeleted": "false",
"name": "WinMerge x64",
"id": "910",
"patches": [],
"status": "NotProcessed",
"timestamp": "2021-04-28T06:39:52.083+00:00",
"architecture": "x64",
"customExpressionTags": "WinMerge*",
"cveProductName": null,
"isCustom": false
Method: POST
Parameter: infinitymanagement/postapplication
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/infinitymanagement/postapplication?customerId=229584
JSON request:
{
"name": "<name of the application>",
"architecture": "<x86 | x64 | both>",
"customexpressiontags": "<custom expression tags>"
}
The request body needs to include all the fields above. name and customexpressiontags are mandatory strings; architecture takes one of x86, x64 or both.
Method: PUT
Parameter: infinitymanagement/putapplication
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/infinitymanagement/putapplication?customerId=229584
JSON request:
{
"name": "<name of the application>",
"architecture": "<x86 | x64 | both>",
"customexpressiontags": "<custom expression tags>"
}
The request body needs to include all the fields above. name and customexpressiontags are mandatory strings; architecture takes one of x86, x64 or both.
Method: GET
Parameter: infinitymanagement/getpatch/{patch-id}
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/infinitymanagement/getpatch/{patch-id}?customerId=229584
PATCH & ASSETS - MICROSOFT UPDATES
This API retrieves information about a customer’s Microsoft Updates that are deployed in the environment (hostname, IP Address, name of the Microsoft Update, KB, severity, OS, categories, timestamp, CVE, and CVSS).
Method: GET
Parameter: microsoftupdates
Mandatory parameters:
- windowsupdatestatus
- installed - gets only the installed Microsoft Updates;
- notinstalled - gets only the not installed Microsoft Updates;
- failed - gets only the Microsoft Updates that have failed to install;
- pending - gets only the Microsoft Updates that are requiring a reboot to complete.
Optional parameters:
- groupPolicyId
- clientInfoId
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/microsoftupdates?customerId=229584&startDate=2021-04-06T12:00&endDate=2021-05-06T11:59&windowsUpdateStatus=installed&groupPolicyId=50591
Output:
"hostname": "WORKSTATIONHCJ\\hcj",
"ip": "192.168.100.8",
"updateName": "2021-2 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10, version 20H2 for x64 (KB4601050)",
"kb": "4601050",
"severity": "Important",
"products": "Windows 10, version 1903 and later",
"categories": "Security Updates",
"timestamp": "2021-04-21T06:45:30.9993686+00:00",
"windowsUpdateStatus": "Installed",
"cve": "CVE-2021-24111",
"cvss": "0.0"
ENDPOINT DETECTION - NEXT-GEN ANTIVIRUS & MDM detections
This API retrieves information about a customer’s Next-Gen Antivirus & MDM Detections statistics (hostname, IP Address, infected file, threat category, infection name, process name, status, resolution, timestamp).
Method: GET
Parameter: vigilancedetections
Optional parameters:
- resolution
- none - gets all Next-Gen Antivirus detections;
- quarantinepending - gets only pending quarantined detections;
- deletequarantinepending - gets only pending for delete quarantines;
- excludequarantinepending - gets only pending for excluding quarantines;
- repairquarantinepending - gets only pending for repair quarantines;
- removequarantinepending - gets only pending for remove quarantines;
- excludepending - gets only pending for excluding Next-Gen Antivirus detections;
- removeexclusionpending - gets only pending for remove exclusions;
- repairpending - gets only pending for repair Next-Gen Antivirus detections;
- deletepending - gets only pending for delete Next-Gen Antivirus detections;
- quarantined - gets only quarantined Next-Gen Antivirus detections;
- deleted - gets only deleted Next-Gen Antivirus detections;
- excluded - gets only excluded Next-Gen Antivirus detections;
- repaired - gets only repaired Next-Gen Antivirus detections;
- fnotexist - gets only not existing Next-Gen Antivirus detections;
- errorrepair - gets only failed to repair Next-Gen Antivirus detections;
- errordelete - gets only failed to delete Next-Gen Antivirus detections;
- errorquarantine - gets only quarantines that couldn't be added;
- errorexcludequarantine - gets only quarantines that couldn't be excluded;
- errorrepairquarantine - gets only quarantines that couldn't be repaired;
- errorremovequarantine - gets only quarantines that couldn't be removed;
- denyaccesspending - gets pending for deny to access Next-Gen Antivirus detections;
- deniedaccess - gets only denied to access Next-Gen Antivirus detections.
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/vigilancedetections?customerId=229584&startDate=2021-04-06&endDate=2021-05-06&resolution=quarantined
Output:
"hostname": "SUPPORT5\\Test",
"ip": "192.168.1.115",
"file": "c:\\$recycle.bin\\s-1-5-21-1997709346-3999438470-2438471797-1001\\$rn3ivyl.exe",
"threatCategory": "adware",
"infectionName": "ADWARE/SaveNow.npjhd",
"processName": "explorer.exe",
"status": "Infected",
"resolution": "Quarantined",
"timestamp": "2021-04-21T11:33:28.6990477+00:00"
ENDPOINT DETECTION - RANSOMWARE ENCRYPTION PROTECTION
This API retrieves information about a customer’s Ransomware Encryption Protection statistics (hostname, IP Address, file, threat category, infection name, process name, status, resolution, timestamp).
Method: GET
Parameter: encryptiondetection
Optional parameters: resolution
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/encryptiondetection?customerId=229584&startDate=2021-04-06T12:00&endDate=2021-05-06T11:59
Output:
"hostname": "WORKSTATIONADU\\hcj",
"ip": "192.168.100.23",
"file": "c:\\onedrivetemp\\s-1-5-21-2261967463-2817085238-861388073-3245\\be749d47aef34e508a1bd9262bfcd9cb-355d93c8d1ec4505b8c642b2e8973223-be38a1826a6b4baf9d8ecc7e12a238bc-a4f9b0bc6a7ad1c9011a3aa33a9a45f9f19ad4b5.temp",
"threatCategory": "trojan",
"infectionName": "TR/Agent.gyl",
"processName": "-",
"status": "Infected",
"resolution": "FNOTEXIST",
"timestamp": "2021-04-05T08:30:47.1134657+00:00"
ENDPOINT DETECTION - XTP
This API retrieves information about a customer’s XTP statistics (hostname, IP Address, file, threat category, infection name, process name, status, resolution, timestamp).
Method: GET
Parameter: xtp
Optional parameters:
- page size - an integer;
- page number - an integer;
- severities - an array of severities.
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/xtp?customerId=229584
Output:
PRIVILEGES & APP CONTROL - PRIVILEGED ACCESS MANAGEMENT
This API retrieves information about a customer’s PAM elevations.
Method: GET
Parameter: adminprivilege/GetElevationsInLifecycle
Other parameters:
- elevationState (this is a MANDATORY parameter)
- Init - gets elevations that were requested and expect to be approved or denied;
- Pending - gets elevations that were approved and waiting to be started;
- Finalized - gets elevations that were completed;
- Failed - gets elevations that were not initiated;
- filterPeriodStart - the start date for the data to be retrieved (if missing, it will retrieve the first 1000 entries);
- filterPeriodEnd - the end date for the data to be retrieved (if missing, it will retrieve all until the current date);
- skip - indicates how many items should be skipped for the current API call (default is 0);
- top - indicates how many items will be retrieved (default and maximum is 1000).
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/adminprivilege/GetElevationsInLifecycle?customerId=229584&filterPeriodStart=2021-04-28T12:00&filterPeriodEnd=2021-05-28T11:59&elevationState=Finalized&skip=0&top=20
Output:
"elevationId": 236797,
"hostname": "SUPPORT8",
"username": "SUPPORT8\\TestNoAP",
"reason": "testst",
"requestTime": "2021-05-18T09:12:08.2914415+00:00",
"startTime": "2021-05-18T09:12:29.8720966+00:00",
"elevationType": "File",
"fileName": "powershell.exe",
"filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"clientInfoId": 869519,
"totalProcessesExecuted": 1
PRIVILEGES & APP CONTROL - PRIVILEGED ACCESS MANAGEMENT elevations
This API allows you to accept/deny PAM elevations.
Method: POST
Parameter: adminprivilege/ApproveElevation | adminprivilege/DenyElevation
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/adminprivilege/ApproveElevation?customerId=229584&elevationId={elevation_Id}
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/adminprivilege/DenyElevation?customerId=229584&elevationId={elevation_Id}
Output:
"customerId": "229584",
"elevationId": 236797,
"isUpdated": true,
"status": "AwaingElevation",
"message": "The elevation was not updated"
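Approving or denying elevations from a script is where least privilege is actually decided, so here is an added example (not Heimdal code) of a triage loop over the PAM endpoints above: it pages through all elevations in the Init state with skip/top, auto-denies requests for script hosts and for binaries launched from user-writable paths, leaves everything else for a human (nothing is auto-approved), and only then issues the DenyElevation calls. The policy lists and the FakePamApi class standing in for the HTTP calls are constructed for the example; a naive variant is included to show why decisions must not be applied while paging with skip offsets.

```python
# Example policy: script hosts and shells are never elevated unattended (assumed list).
DENY_BINARIES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                 "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Locations a standard user can write to; an elevated binary there is attacker-controllable.
USER_WRITABLE = ("c:\\users\\", "c:\\temp\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def triage(elevation: dict) -> tuple:
    """'deny' for script hosts and user-writable paths, 'review' (leave to a human) otherwise."""
    name = elevation["fileName"].lower()
    path = elevation["filePath"].lower()
    if name in DENY_BINARIES:
        return "deny", f"script host / shell: {name}"
    if path.startswith(USER_WRITABLE):
        return "deny", f"binary in user-writable location: {path}"
    return "review", "outside auto-deny policy; needs human approval"


class FakePamApi:
    """Constructed stand-in for the two real endpoints:
    GET  adminprivilege/GetElevationsInLifecycle?customerId=..&elevationState=Init&skip=..&top=..
    POST adminprivilege/DenyElevation?customerId=..&elevationId=.."""

    def __init__(self, elevations):
        self.state = {e["elevationId"]: "Init" for e in elevations}
        self._elevations = list(elevations)

    def get_elevations(self, elevation_state, skip=0, top=1000):
        rows = [e for e in self._elevations if self.state[e["elevationId"]] == elevation_state]
        return rows[skip:skip + top]

    def deny_elevation(self, elevation_id):
        self.state[elevation_id] = "Denied"
        return {"elevationId": elevation_id, "isUpdated": True}


def process_init_queue(api, top=2):
    """Page through every Init elevation with skip/top, then apply the decisions.
    Decisions are applied only after paging completes: denying an item mid-way removes it from
    the Init set and shifts every later skip offset, so queued requests would be skipped."""
    decisions, skip = {}, 0
    while True:
        page = api.get_elevations("Init", skip=skip, top=top)
        for e in page:
            decisions[e["elevationId"]] = triage(e)
        if len(page) < top:
            break
        skip += top
    for elevation_id, (action, _reason) in decisions.items():
        if action == "deny":
            api.deny_elevation(elevation_id)
    return decisions


def process_init_queue_naive(api, top=2):
    """The tempting version that denies as it goes. On the sample it silently misses requests."""
    decisions, skip = {}, 0
    while True:
        page = api.get_elevations("Init", skip=skip, top=top)
        for e in page:
            decisions[e["elevationId"]] = triage(e)
            if decisions[e["elevationId"]][0] == "deny":
                api.deny_elevation(e["elevationId"])
        if len(page) < top:
            break
        skip += top
    return decisions


# Constructed sample shaped like the GetElevationsInLifecycle output (not real data).
SAMPLE_ELEVATIONS = [
    {"elevationId": 236797, "hostname": "SUPPORT8", "username": "SUPPORT8\\TestNoAP",
     "fileName": "powershell.exe", "filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"elevationId": 236798, "hostname": "SUPPORT8", "username": "SUPPORT8\\TestNoAP",
     "fileName": "setup.exe", "filePath": "C:\\Users\\TestNoAP\\Downloads\\setup.exe"},
    {"elevationId": 236799, "hostname": "WORKSTATION49", "username": "WORKSTATION49\\jane",
     "fileName": "WinMergeU.exe", "filePath": "C:\\Program Files\\WinMerge\\WinMergeU.exe"},
    {"elevationId": 236800, "hostname": "WORKSTATION50", "username": "WORKSTATION50\\bob",
     "fileName": "cmd.exe", "filePath": "C:\\Windows\\System32\\cmd.exe"},
    {"elevationId": 236801, "hostname": "SRV-FILE01", "username": "SRV-FILE01\\ops",
     "fileName": "msiexec.exe", "filePath": "C:\\Windows\\System32\\msiexec.exe"},
]


def run_sample():
    """Run both loops on fresh copies of the queue and return (correct, naive, final state)."""
    api = FakePamApi(SAMPLE_ELEVATIONS)
    correct = process_init_queue(api, top=2)
    naive = process_init_queue_naive(FakePamApi(SAMPLE_ELEVATIONS), top=2)
    return correct, naive, api.state


if __name__ == "__main__":
    correct, naive, state = run_sample()
    for eid, (action, reason) in correct.items():
        print(eid, action, state[eid], "-", reason)
    print("naive loop saw", len(naive), "of", len(correct), "requests")
```

With a page size of 2 the correct loop sees all five requests and denies three (the PowerShell and cmd requests, and the installer in the user's Downloads folder); the naive loop denies the first page, the remaining Init list shrinks by two, and the next skip offset jumps over two pending requests that are never reviewed. Use the same pattern for ApproveElevation, and keep auto-approval off unless the binary is identified by something stronger than its name and path.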
PRIVILEGES & APP CONTROL - PRIVILEGED ACCESS MANAGEMENT details
This API retrieves information about a customer’s PAM elevation details.
Method: GET
Parameter: adminprivilege/GetElevationDetails
Optional parameters:
- elevationId - the ID corresponding to the requested elevation (can be retrieved from Privileged Access Management Statistics API);
- clientInfoId - the ID of the endpoint requesting the elevation (can be retrieved from the Active Clients Details API);
- filterPeriodStart - the start date for the data to be retrieved (if missing, it will retrieve the first 1000 entries);
- filterPeriodEnd - the end date for the data to be retrieved (if missing, it will retrieve all until the current date);
- skip - indicates how many items should be skipped for the current API call (default is 0);
- top - indicates how many items will be retrieved (default and maximum is 1000).
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/adminprivilege/GetElevationDetails?customerId=229584&elevationId=236797&clientInfoId=869519&filterPeriodStart=2021-04-28T12:00&filterPeriodEnd=2021-05-28T11:59&skip=0&top=20
Output:
"processName": "powershell.exe",
"processFullPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"userName": "SUPPORT8\\TestNoAP",
"date": "2021-05-18T09:12:08.2914415+00:00"
PRIVILEGES & APP CONTROL - APPLICATION CONTROL
This API retrieves information about a customer’s processes that are intercepted by the Application Control module.
Method: GET
Parameter: processlock/GetInterceptedProcess
Optional parameters:
- filterPeriodStart - the start date for the data to be retrieved (if missing, it will retrieve the first 1000 entries);
- filterPeriodEnd - the end date for the data to be retrieved (if missing, it will retrieve all until the current date);
- skip - indicates how many items should be skipped for the current API call (default is 0);
- top - indicates how many items will be retrieved (default and maximum is 1000).
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/processlock/GetInterceptedProcess?customerId=229584&filterPeriodStart=2021-04-28T12:00&filterPeriodEnd=2021-05-28T11:59&skip=0&top=20
Output:
"processname": "chrome",
"fullPath": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
"username": "ROMY\\Romy",
"startTime": "2021-05-11T20:03:41.754+00:00",
"numberOfExecutions": "9601",
"publisher": "Google LLC",
"softwareName": "Google Chrome",
"version": "90.0.4430.212",
"md5": "a74fd77f0a2415df748d41693bd7f69b",
"status": "AllowByDefault"
PRIVILEGES & APP CONTROL - APPLICATION PROCESS details
This API retrieves information about a customer’s specific process that is intercepted by the Application Control module.
Method: GET
Parameter: processlock/GetDetailsForInterceptedProcess
Optional parameters:
- md5Hash - the hash of the file;
- filterPeriodStart - the start date for the data to be retrieved (if missing, it will retrieve the first 1000 entries);
- filterPeriodEnd - the end date for the data to be retrieved (if missing, it will retrieve all until the current date);
- skip - indicates how many items should be skipped for the current API call (default is 0);
- top - indicates how many items will be retrieved (default and maximum is 1000).
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/processlock/GetDetailsForInterceptedProcess?customerId=229584&md5=a74fd77f0a2415df748d41693bd7f69b&filterPeriodStart=2021-04-28T12:00&filterPeriodEnd=2021-05-28T11:59&skip=0&top=20
Output:
"hostName": "ROMY",
"userName": "ROMY\\Romy",
"version": "90.0.4430.212",
"interceptedProcess": "2021-05-11T20:03:41.754+00:00",
"groupPolicyName": "ROMY's endpoints",
"status": "AllowByDefault"
REMOTE Desktop
This API retrieves information about the Remote Desktop product.
Method: GET
Parameter: remotedesktop/getconnectionurl
Optional parameters:
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/remotedesktop/getconnectionurl?customerId=229584&clientInfoId=13432432
AUDIT Logs
This API retrieves information about the changes applied to a Group Policy (Windows, Linux, macOS, Android) applying to a computer in your environment.
Method: GET
Parameter: auditlogs/getwindowssettingsauditlogs, auditlogs/getlinuxsettingsauditlogs, auditlogs/getmacsettingsauditlogs, auditlogs/getmobilesettingsauditlogs, auditlogs/getnetworksettingsauditlogs, auditlogs/getglobalauditlogs
Optional parameters:
- pagesize - the number of records returned per page;
- pagenumber - the number of the page to retrieve.
Example:
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/auditlogs/getwindowssettingsauditlogs?customerId=229584&pagesize=2&pagenumber=1
Output:
{
  "type": "groupPolicyWrapper",
  "groupPolicyWrapper": {
    "adGroup": "",
    "localGroup": "",
    "priority": "14",
    "status": "true",
    "languageId": "1",
    "customerId": "229584",
    "groupPolicyType": "300",
    "patchingAppPolicyWrapper": [
      {
        "id": "3572413",
        "groupPolicyWrapperId": "39255",
        ...
      }
    ]
  },
  "operation": "Update",
  "timestamp": "2022-07-19T08:01:57.1259369+00:00",
  "userId": "6ff7a4eb-ec6c9-f30d-9017-295e97a5e674",
  "userName": "xx@heimdalsecurity.com",
  "version": "3.0.1.3000",
  "customerId": 229584
}
This API is limited to retrieving 10,000 records (due to a database restriction).
Old APIs
The Old API extracts data in bulk, without the possibility to change the filters, and can be accessed directly from the URL (by specifying the authorization in the URL). The API filters are based on Day-Month-Year with the time automatically set at the start to 12:00:00 AM and at the end to 1:59:59 PM. Except for the Customers API and the DarkLayer Guard API, all the other API requests have additional parameters that can take different values.
Configure the Old API URL
The Old API URL can be configured with multiple parameters in order to filter the data according to your current needs:
Method: GET
URL: https://dashboard_environment.heimdalsecurity.com/api/stats/{customerId}/heimdal_module/{start_date}/{end_date}/{apiKey}
Parameters:
- dashboard_environment: the environment for the desired dashboard (Production or Release Candidate): dashboard or rc-dashboard;
- heimdal_module: name of the interrogated module;
- customerId: the ID of the customer (found under the Your Personal API Key field);
- start_date: the start date for the data to be retrieved;
- end_date: the end date for when the data will stop being retrieved;
- apiKey: your Personal API Key;
- optional_parameter: the optional parameter that some modules allow to filter the retrieved data (the optional parameters are described below);
- value_for_optional_parameter: the value that must be inserted for the optional parameter that is specific for each module.
Overview Statistics: http://dashboard.heimdalsecurity.com/api/stats/{customer-id}/Overview/{start-date}/{end-date}/{apiKey}
Detailed Statistics: http://dashboard.heimdalsecurity.com/api/stats/{customer-id}/Details/{start-date}/{end-date}/{apiKey}
Customer Details: http://dashboard.heimdalsecurity.com/api/stats/{customer-id}/CustomerDetails/{apiKey}
Reseller Details: http://dashboard.heimdalsecurity.com/api/stats/{customer-id}/Customers/{apiKey}
Output example:
{
"vectorN": {
"statistics": {
"detections": 0
},
"items": []
},
"vulnerability": {
"statistics": {
"vulnerabilities": 18,
"patchesApplied": 335,
"softwareUpdated": 62,
"softwareMonitored": 116
},
"items": [
{
"hostname": "ROMY\\Romy",
"ip": "192.168.0.176",
"software": "7-zip x64",
"version": "19.00.00.0",
"date": "2021-04-08T12:24:10.287+00:00",
"status": "Patched"
},
{
"hostname": "ROMY\\Romy",
"ip": "192.168.0.176",
"software": "Adobe Acrobat Reader DC",
"version": "21.001.20150",
"date": "2021-05-06T07:06:36.323+00:00",
"status": "Up to date"
}
]
}
}
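A small ingestion helper for the two conventions described above, the new API (Bearer header plus skip/top paging, capped at 1000) and the Old API (key as the final URL path segment), added here as an example and not Heimdal's own code; the fetch function and the sample records are constructed stand-ins for the real HTTP call, and the redaction helper is this example's own addition for keeping Old API keys out of SIEM connector logs.

```python
import urllib.parse
from typing import Callable, Iterator

BASE = "https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/"
MAX_TOP = 1000  # the page states that top defaults to, and is capped at, 1000

def build_url(module: str, customer_id: int, **params) -> str:
    """New-API query string: a single '?', then '&'-joined parameters (no key in the URL)."""
    query = {"customerId": customer_id}
    query.update({k: v for k, v in params.items() if v is not None})
    return BASE + module + "?" + urllib.parse.urlencode(query)

def auth_headers(api_key: str) -> dict:
    """The Personal API Key travels in the Authorization header, as in the page's curl example."""
    return {"Authorization": f"Bearer {api_key}"}

def iter_pages(fetch: Callable[[str], list], module: str, customer_id: int,
               top: int = MAX_TOP, **params) -> Iterator[dict]:
    """Walk skip/top pagination; stop when a page comes back shorter than 'top'."""
    top, skip = min(top, MAX_TOP), 0
    while True:
        page = fetch(build_url(module, customer_id, skip=skip, top=top, **params))
        yield from page
        if len(page) < top:
            return
        skip += top

def redact_old_api_url(url: str) -> str:
    """Old-API URLs end in /{apiKey}; mask that segment before the URL reaches a log line."""
    parts = urllib.parse.urlsplit(url)
    if "/api/stats/" not in parts.path:
        return url
    segments = parts.path.rstrip("/").split("/")
    segments[-1] = "REDACTED"
    return parts._replace(path="/".join(segments)).geturl()

# Constructed stand-ins: five fake intercepted-process records and an offline fetch()
# that slices them the way the real endpoint would for the requested skip/top.
SAMPLE = [{"processname": f"proc{i}", "status": "AllowByDefault"} for i in range(5)]

def fake_fetch(url: str) -> list:
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    skip, top = int(q["skip"][0]), int(q["top"][0])
    return SAMPLE[skip:skip + top]

def demo() -> list:
    """Page through the constructed data two records at a time (three calls in total)."""
    return list(iter_pages(fake_fetch, "processlock/GetInterceptedProcess", 229584, top=2,
                           filterPeriodStart="2021-04-28T12:00", filterPeriodEnd="2021-05-28T11:59"))
```

In a real connector, replace fake_fetch with a call such as requests.get(url, headers=auth_headers(key)).json() and keep the key out of anything that is logged.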
Here is how to add the Heimdal API into Splunk Enterprise:
Here is how to add the Heimdal API into Microsoft Power BI:
Here is how to add data into LogPoint SIEM: