Heimdal Assistance and Support Help Center home page

Articles in this section

Haven't Tried Heimdal Yet?

Start Free Trial 30-day Free Trial. Offer valid only for companies.

HEIMDAL Security API 2.0

Last updated

HEIMDAL Security enables you to easily access data about your endpoints, view detected threats, application deployments, and more. To obtain all that, we provide API endpoints that you can use to ingest data available in our HEIMDAL Dashboard into any desired SIEM tool.
To access the HEIMDAL API section, log in to the HEIMDAL Dashboard, click on the Guide tab -> Your Heimdal API Key mini-tab. Your Personal API Key can be generated in the Guide -> Your Personal API Key section. If you don't have an active Personal API Key, you can generate one in the Guide section -> Your Heimdal API Key. In case you need to delete the existing Personal API Key, you can press the Delete button and generate a new Personal API Key. 

1. API 2.0 authentication
2. API 2.0 configuration

API 2.0 authentication

The API 2.0 endpoints allow you to get data available in the HEIMDAL Dashboard (through GET, POST, and PUT methods) based on each HEIMDAL product in JSON format. The data can be filtered using the parameters described below and can be accessed with your Personal API Key (added in the Authentication header as Bearer or OAUTH2 authentication type). Access to the API endpoints is only possible from the IP addresses/ranges that are marked as trusted for your HEIMDAL Dashboard user account (within the Accounts section).

your_api.PNG

For each HTTP request to the Heimdal Security API, you must provide your Personal API Key in the HTTP header Authorization: "Authorization: Bearer Your-Personal-API-Key".

Curl

curl -H "Authorization: Bearer UUP5MERX4PRNZ3FU7RMYUTBL52ASIORN" "https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/activeclients?customerId=229584&startDate=2021-04-03T12:00&endDate=2021-05-03T11:59&pageNumber=1&pageSize=1"

API 2.0 configuration

The Heimdal API v2.0 endpoints are typically structured by module. The base URL depends on your specific HEIMDAL Dashboard environment (e.g., PROD or RC). A typical GET request to fetch data (e.g., Device Info details) follows this pattern:

Component Description Example
Method HTTP Verb GET, POST, PUT
Base URL Regional Dashboard https://dashboard.heimdalsecurity.com
Endpoint Module Path /api/heimdalapi/2.0/activeclients
Parameters Query Filters ?customerId=123&startDate=2024-01-01

Command query parameters:

  • customerId: (Required) Your unique customer identification number.

  • startDate / endDate: Filters results within a specific timeframe (Format: YYYY-MM-DD).

  • optional_parameter: Specific filters like hostname, email, or status.

Example:

curl -H "Authorization: Bearer YOUR_API_KEY" \
"https://dashboard.heimdalsecurity.com/api/heimdalapi/activeclients?customerId=9999"

Expected output (JSON Response)
The API returns data in JSON format. A successful request will return a 200 OK status code with a response body structured as follows:

{
 "result": [
   {
     "id": "307508",
     "hostname": "WORKSTATION-01",
     "os": "Windows 11",
     "agentVersion": "4.2.0",
     "status": "Active",
     "lastSeen": "2024-12-17T10:00:00Z"
   }
 ],
 "status": "RanToCompletion",
 "isCompletedSuccessfully": true
}

API 2.0 limitations and standard parameters

To ensure high availability and optimal performance across our infrastructure, the HEIMDAL API enforces the following usage policies:

  • Rate Limiting: The API allows for a maximum of 10 requests per second.

  • Granularity: Limits are applied at a granular level to allow for flexible integration. Throttling is calculated per API Key, per Customer ID, and per Route. For partners or resellers, this means that limits are isolated to each specific customer environment and product "source," preventing high usage in one area from impacting others.

  • Pagination: To facilitate efficient data retrieval, the default page size is 1,000 records per page (previously 100), reducing the total number of round-trips required for large datasets.

The following parameters are used across most data retrieval requests in the Heimdal API.

Parameter Mandatory Description Default value Format example
customerId Yes The unique ID of the customer whose data is being queried. N/A 12345
startDate No The start date and time for the filtering interval. 31 days before the current date (00:00:00) YYYY-MM-DDTHH:MM:SS (e.g., 2024-12-01T00:00:00)
endDate No The end date and time for the filtering interval. Current date and time YYYY-MM-DDTHH:MM:SS (e.g., 2024-12-31T23:59:59)
pageNumber No Used for paginated queries to specify which page of results to return. 1  
pageSize No Used for paginated queries to specify the number of items per page. 1000

Note: If you exceed the rate limit, the API will return a 429 Too Many Requests HTTP status code. We recommend implementing a retry logic with exponential backoff to handle these instances gracefully.

API endpoints

CUSTOMERS' details
This API endpoint retrieves information about a specific customer or all customers of a reseller. It works only if you have a Dashboard reseller/admin/super admin role and you specify the customer's or the reseller's ID as the customerId value.
Parameter: customers

https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/customers?customerId=229584

Output:

{
    "items": [
        {
            "id": 229584,
            "name": "HEIMDAL Support Team",
            "customerType": "Corp",
            "licenseType": "DNS-N,DNS-E,VM,IM,AV,REP,PEDM,AC,ESEC,EFP,RD,PASM",
            "splaLicense": "No",
            "purchasedLicenses": 100
        }
    ],
    "totalCount": 1,
    "pageNumber": 1,
    "pageSize": 1
}

Device Info details 
This API endpoint retrieves information about all the active clients of a customer (id, hostname, IP Address, Agent version, OS, current Group Policy, Last seen, active modules, status).
Parameter: activeclients

https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/activeclients?customerId=229584&startDate=2021-04-03T12:00&endDate=2021-05-03T11:59&pageNumber=1&pageSize=2

Output: 
{

    "items": [
        {
            "id": 743907,
            "hostname": "SUPPORT1",
            "username": "Test",
            "ipAddress": "10.0.2.52",
            "externalIp": "5.2.145.131",
            "version": "4.5.0.2000",
            "currentGroupPolicy": "3rd Party Patch Management",
            "selectedGroupPolicyId": 39299,
            "lastSeen": "2024-12-12T18:11:27.843+00:00",
            "modules": "ThirdParty Applications,Infinity Management,Scripting",
            "status": "Revoked",
            "machineType": "Endpoint",
            "operatingSystem": "Microsoft Windows 10 Enterprise - x64",
            "motherboardSerial": "6123-2686-6273-8851-1549-0354-63",
            "motherboardSerialSecondary": "6123-2686-6273-8851-1549-0354-63",
            "hddSerial": "",
            "previousGroupPolicy": "",
            "lastPolicyChange": "0001-01-01T00:00:00+00:00"
        }
]
}

Device Info hardware details 
This API endpoint retrieves information about the hardware specifications of an endpoint. This request works only when specifying the clientInfoId of an endpoint. It does not list all endpoints in one request. 
Parameter: activeclients/getDeviceInfo
Required parameter: clientInfoId

https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/activeclients/getDeviceInfo?customerId=229584&clientInfoId=3138602

Output: 
{

    "items": [
        {
            "clientInfoId": 3138602,
            "chassisType": "Desktop",
            "osVersion": "10.0.19045.0",
            "osBuild": "19045",
            "fullOsVersion": "22H2 (OS Build 19045.6466)",
            "osEdition": "Pro",
            "osServicePack": "",
            "biosVersion": "VRTUAL - 1 | Hyper-V UEFI Release v4.1 | Microsoft - 100032",
            "biosManufacturer": "Microsoft Corporation",
            "motherboardManufacturer": "Microsoft Corporation",
            "motherboardModel": "Virtual Machine",
            "systemModel": "Virtual Machine",
            "processorModel": "AMD Ryzen 7 3700X 8-Core Processor",
            "processorCoresNo": 1,
            "processorUtilization": 4,
            "memoryCapacity": 2,
            "memoryUtilization": 79,
            "hddCapacity": 99,
            "hddUtilization": 0,
            "vdfVersion": "1.443.170.0",
            "vdfTimestamp": "2025-12-17T02:01:24+00:00",
            "lastReboot": "2025-12-11T07:52:54.7155955+00:00",
            "repVersion": "",
            "appControlVersion": "",
            "dnsInfos": [
                {
                    "adapterName": "Ethernet",
                    "dnsAddresses": "10.0.2.1",
                    "isDnsAutomatic": true,
                    "physicalAddress": "00155D015F67"
                }
            ]
        }
    ],
    "totalCount": 1,
    "pageNumber": 1,
    "pageSize": 1
}

Device Notifications
This API endpoint retrieves information about all the device notifications an endpoint has.
Parameter: activeclients/getNotifications
Required parameter: clientInfoId

https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/activeclients/getDeviceInfo?customerId=229584&startDate=2021-04-03T12:00&endDate=2021-05-03T11:59&pageNumber=1&pageSize=2&clientInfoId=3138602

Output: 
{

    "items": [],
    "totalCount": 0,
    "pageNumber": 1,
    "pageSize": 100
}

Device Risk Scores
This API endpoint retrieves information about all the device risk scores.
Parameter: activeclients/getRiskScores
Required parameter: clientInfoId

https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/activeclients/getDeviceInfo?customerId=229584&startDate=2021-04-03T12:00&endDate=2021-05-03T11:59&pageNumber=1&pageSize=2&clientInfoId=3138602

Output: 
{

    "items": [
        {
            "riskScore": 0.0
        }
    ],
    "totalCount": 1,
    "pageNumber": 1,
    "pageSize": 1
}

Windows Group Policies
This API endpoint retrieves all the Windows group policies found on the tenant
Parameter: groupPolicy/getWindowsPolicies

https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/groupPolicy/getWindowsPolicies?customerId=229584&pageNumber=1&pageSize=2

Output: 
{

    "items": [
        {
            "id": 26509,
            "name": "Default"
        },
        {
            "id": 32519,
            "name": "Privilege Elevation and Delegation Management"
        },
        {
            "id": 39297,
            "name": "Next-Gen Antivirus with XTP"
        }]
}

Linux Group Policies
This API endpoint retrieves all the Linux group policies found on the tenant
Parameter: groupPolicy/getLinuxPolicies

https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/groupPolicy/getLinuxPolicies?customerId=229584&pageNumber=1&pageSize=2

Output: 
{

    "items": [
        {
            "id": 26509,
            "name": "Default"
        },
        {
            "id": 32519,
            "name": "Privilege Elevation and Delegation Management"
        },
        {
            "id": 39297,
            "name": "Next-Gen Antivirus with XTP"
        }]
}

macOS Group Policies
This API endpoint retrieves all the macOS group policies found on the tenant
Parameter: groupPolicy/getMacPolicies

https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/groupPolicy/getMacPolicies?customerId=229584&pageNumber=1&pageSize=2

Output: 
{

    "items": [
        {
            "id": 26509,
            "name": "Default"
        },
        {
            "id": 32519,
            "name": "Privilege Elevation and Delegation Management"
        },
        {
            "id": 39297,
            "name": "Next-Gen Antivirus with XTP"
        }]
}

DNS Security Network Statistics
This API endpoint retrieves information about a customer’s DNS Security Network statistics (hostname, IP Address, accessed domain, threat type, protocol, status, timestamp).
Parameter: threatPreventionNetwork
Optional parameters:

  • hostname                       - allows you to specify the hostname;
  • status
                                           - all - gets all the DNS Security Network detections;
                                           - passed - gets only the passed queries;
                                           - blocked - gets only the blocked detections;
                                           - categoryBlocked - gets only the category blocked detections.
  • ipAddress                       - allows you to specify an IP Address.
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/threatPreventionNetwork?customerId=229584&startDate=2021-04-03T12:00&endDate=2021-05-03T11:59&pageNumber=1&pageSize=2

Output:
{

    "items": [
        {
            "hostname": "N/A",
            "ipAddress": "5.2.145.131",
            "domain": "onedscolprdfrc03.francecentral.cloudapp.azure.com",
            "threatType": "-",
            "protocol": "UDP",
            "status": "Passed",
            "timestamp": "2025-12-17T13:40:16+00:00"
        },
        {
            "hostname": "N/A",
            "ipAddress": "5.2.145.131",
            "domain": "onedscolprdcus23.centralus.cloudapp.azure.com",
            "threatType": "-",
            "protocol": "UDP",
            "status": "Passed",
            "timestamp": "2025-12-17T13:40:16+00:00"
        }]
}
DNS Security Endpoint Statistics
This API endpoint retrieves information about a customer’s DarkLayer Guard statistics (hostname, IP Address, username, accessed domain, threat type, process making the request, the path of the process, resolve IP Addresses and domains, protocol, timestamp, status).
Parameter: darklayerguard
Optional parameters:
  • status
                                           - analyzed - filters only analyzed DNS Security Endpoint queries;
                                           - blocked - filters only blocked DNS Security Endpoint queries;
                                           - allowed - filters only allowed DNS Security Endpoint queries.
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/darklayerguard?customerId=229584&startDate=2021-04-03T12:00&endDate=2021-05-03T11:59&pageNumber=1&pageSize=2

Output:
{

    "items": [
        {
            "clientInfoId": 1840275,
            "hostname": "ROMY",
            "ip": "192.168.0.180",
            "activeUsername": "Romy",
            "domain": "acrobat.adobe.com",
            "threatType": "-",
            "threatToProcessCorrelation": "chrome.exe",
            "threatToProcessCorrelationPath": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
            "resolvedIps": "104.117.76.88 | 104.117.76.115 | 104.117.76.75 | 104.117.76.83",
            "resolvedDomains": "acrobat.adobe.com.i.edgekey.net | e29329.dsca.akamaiedge.net",
            "protocol": "IPv6",
            "timestamp": "2024-12-31T12:00:34+00:00",
            "status": "Allowed"
        }]
}

DNS Security Endpoint - Full logging
This API endpoint retrieves information about a customer’s DarkLayer Guard statistics (hostname, IP Address, username, accessed domain, threat type, process making the request, the path of the process, resolve IP Addresses and domains, protocol, timestamp, status).
Parameter: tpefullloging
Optional parameters:

  • clientInfoId
  • domain
  • status
                                           - allowed - filters only allowed DNS Security Endpoint queries;
                                           - blocked - filters only blocked DNS Security Endpoint queries;
                                           - categoryBlocked - filters only category-blocked DNS Security Endpoint queries.
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/tpefulllogging?customerId=229584&startDate=2021-04-03T12:00&endDate=2021-05-03T11:59&pageNumber=1&pageSize=2&status=blocked

Output:
{

    "items": [
        {
            "clientInfoId": 1840275,
            "hostname": "ROMY",
            "publicIp": "86.120.252.232",
            "domain": "treatment.grammarly.com",
            "state": "Excluded",
            "blocked": false,
            "threatType": "-",
            "threatCategory": "-",
            "protocol": "IPv6",
            "processName": "-",
            "processPath": "-",
            "activeUsername": "Romy",
            "ips": "-",
            "cNames": "-",
            "timestamp": "2025-12-17T13:42:38+00:00"
        }]
}

DNS Security - VectorN Network
This API endpoint retrieves information about a customer’s VectorN statistics (hostname, patternId, hostname). 
Parameter: vectorn/getNetworkMatches
Optional parameters:

  • hostname
  • patternId
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/vectorn/getNetworkMatches?customerId=229584&startDate=2021-04-06T12:00&endDate=2021-05-06T11:59&pageNumber=1&pageSize=2&hostname=Test&patternId=test.com

Output:
{

    "items": [
        {
            "id": 1,
            "name": "Infostealer strain",
            "description": "Same time of day in the course of a month.",
            "risk": "Moderate"
        },
        {
            "id": 2,
            "name": "APT strain",
            "description": "Same time of hour in the course of a day.",
            "risk": "High"
        },
        {
            "id": 4,
            "name": "Botnet strain",
            "description": "Same time of day in the course of a month.",
            "risk": "Moderate"
        }]
}

DNS Security - VectorN Endpoint
This API endpoint retrieves information about a customer’s VectorN statistics (hostname, patternId, hostname). 
Parameter: vectorn/getEndpointMatches
Optional parameters:

  • hostname
  • patternId
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/vectorn/getEndpointMatches?customerId=229584&startDate=2021-04-06T12:00&endDate=2021-05-06T11:59&pageNumber=1&pageSize=2&hostname=Test&patternId=test.com

Output:
{

    "items": [
        {
            "id": 1,
            "name": "Infostealer strain",
            "description": "Same time of day in the course of a month.",
            "risk": "Moderate"
        },
        {
            "id": 2,
            "name": "APT strain",
            "description": "Same time of hour in the course of a day.",
            "risk": "High"
        },
        {
            "id": 4,
            "name": "Botnet strain",
            "description": "Same time of day in the course of a month.",
            "risk": "Moderate"
        }]
}

DNS Security - VectorN Malware Patterns
This API endpoint retrieves information about a customer’s VectorN statistics (hostname, malware pattern, probability of infection, process triggering the infection, the type of the process, count, and last match).
Parameter: vectorn
Optional parameters:

  • probabilityofinfection
                                           - none - gets all VectorN detections;
                                           - moderate - gets only moderate VectorN detections;
                                           - high - gets only high or not vulnerable VectorN detections;
                                           - veryhigh - gets only very high VectorN detections.
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/vectorn?customerId=229584&startDate=2021-04-06T12:00&endDate=2021-05-06T11:59&pageNumber=1&pageSize=2&probabilityOfInfection=high

Output:
{

    "items": [
        {
            "id": 1,
            "name": "Infostealer strain",
            "description": "Same time of day in the course of a month.",
            "risk": "Moderate"
        },
        {
            "id": 2,
            "name": "APT strain",
            "description": "Same time of hour in the course of a day.",
            "risk": "High"
        },
        {
            "id": 4,
            "name": "Botnet strain",
            "description": "Same time of day in the course of a month.",
            "risk": "Moderate"
        }]
}


3rd Party Patch Management statistics (Windows)
This API endpoint retrieves information about a customer’s 3rd Party Software that is deployed in the environment (hostname, IP Address, name of the Microsoft Update, KB, severity, OS, categories, timestamp, CVE, and CVSS). 
Parameter: thirdparty
Optional parameters:

  • clientInfoId
  • status
                                           - latest -  gets only the 3rd Party Software that are the latest update statuses;
                                           - update -  gets only the 3rd Party Software that are up to date;
                                           - vulnerable - get only the vulnerable 3rd Party Software;
                                           - patched - gets only the patched or not vulnerable 3rd Party Software;
                                           - uninstalled - gets only the uninstalled 3rd Party Software.
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/thirdparty?customerId=229584&startDate=2021-04-06T12:00&endDate=2021-05-06T11:59&pageNumber=1&pageSize=2&clientInfoId=398379

Output:
{

    "items": [
        {
            "clientInfoId": "3096227",
            "software": "Google Chrome x64",
            "version": "131.0.6778.205",
            "previousVersion": "-",
            "status": "Up to date",
            "releaseDate": "0001-01-01T00:00:00+00:00",
            "timestamp": "2024-12-24T19:44:38.853+00:00",
            "cve": null,
            "cvss": null
        },
        {
            "clientInfoId": "3096227",
            "software": "Mozilla Firefox en-US x64",
            "version": "133.0.3",
            "previousVersion": "132.0.2",
            "status": "Up to date",
            "releaseDate": "0001-01-01T00:00:00+00:00",
            "timestamp": "2024-12-24T19:44:38.853+00:00",
            "cve": null,
            "cvss": null
        }]
}

3rd Party Patch Management statistics (Linux)
This API retrieves information about a customer’s 3rd Party Software that is deployed in the environment.
Parameter: linuxThirdParty
Optional parameters:

  • clientInfoId
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/linuxThirdparty?customerId=229584&startDate=2021-04-06T12:00&endDate=2021-05-06T11:59&pageNumber=1&pageSize=2&clientInfoId=3055353


 

3rd Party Patch Management statistics - Intune support
This API endpoint retrieves information about a customer’s 3rd Party Software deployed in the environment (Application Name, Architecture, Install command line, Uninstall command line, detected script, HEIMDAL storage URL, version, and others). It can be used with Microsoft Intune to get it to push the patches from HEIMDAL's servers. 
Parameter: patchManagement/getIntuneApplications
Optional parameters:

  • appname - it is used to filter applications by their name (it can be the Full Name of the application or only a part of it). The search is not case-sensitive.
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/patchManagement/getIntuneApplications?customerId=229584&pageNumber={pageNumber}&pageSize={pageSize}&appName={appName}

Output:
{

    "items": [
        {
            "applicationName": "7-zip x64",
            "publisher": "Igor Pavlov",
            "architecture": "x64",
            "patches": [
                {
                    "installArguments": "/qn /norestart ALLUSERS=1",
                    "appType": "Line-of-business app (MSI)",
                    "url": "https://heimdalprodstorage.blob.core.windows.net/patching/7z1806-x64.msi.enc",
                    "version": "18.06.00.0",
                    "useUserInstallContext": false
                },
                {
                    "installArguments": "/qn /norestart ALLUSERS=1",
                    "appType": "Line-of-business app (MSI)",
                    "url": "https://heimdalprodstorage.blob.core.windows.net/patching/7z1900-x64.msi.enc",
                    "version": "19.00.00.0",
                    "useUserInstallContext": false
                }]}]
}

Infinity Management applications
This API endpoint retrieves information about the applications deployed through Infinity Management. 
Parameter: infinitymanagement/getApplications
Optional parameters: applicationId

https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/infinityManagement/getApplications?customerId=229584&pageNumber={pageNumber}&pageSize={pageSize}&applicationId={applicationId}

Output:

{
    "items": [
        {
            "id": 3185,
            "name": "1 IM - Microsoft 365 Apps x64",
            "status": "NotProcessed",
            "publisher": null,
            "note": null,
            "isDeleted": false,
            "timestamp": "2025-12-09T15:22:09.44091+00:00",
            "architecture": "x64",
            "customExpressionTags": "Microsoft 365 Apps*",
            "cveProductName": null,
            "hasSupport": true
        }]
}

Infinity Management patches
This API retrieves information about the patches deployed through Infinity Management. 
Parameter: infinityManagement/getPatches
Optional parameters: applicationId, patchId 
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/infinityManagement/getPatches/customerId=229584&pageNumber={pageNumber}&pageSize={pageSize}&applicationId={applicationId}&patchId={patchId}

OS Updates (Windows)
This API endpoint retrieves information about a customer’s Microsoft Updates that are deployed in the environment (hostname, IP Address, name of the Microsoft Update, KB, severity, OS, categories, timestamp, CVE, and CVSS).
Parameter: microsoftUpdates
Optional parameters:
 

  • clientInfoId
  • groupPolicyId
  • severity
  • category
  • windowsupdatestatus
                                           - installed - gets only the installed Microsoft Updates;
                                           - notinstalled - gets only the not-installed Microsoft Updates;
                                           - failed - gets only the Microsoft Updates that have been unable to install;
                                           - pending - gets only the Microsoft Updates that require a reboot to complete. 
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/microsoftUpdates?customerId=229584&startDate=2021-04-06T12:00&endDate=2021-05-06T11:59&pageNumber={pageNumber}&pageSize={pageSize}&clientInfoId={clientInfoId}&groupPolicyId={groupPolicyId}&windowsUpdateStatus={windowsUpdateStatus}&severity={severity}&category={category}

Output:        
{

    "items": [
        {
            "clientInfoId": "1840275",
            "updateName": "Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.421.1139.0) - Current Channel (Broad)",
            "kb": "2267602",
            "severity": "None",
            "products": "Microsoft Defender Antivirus",
            "categories": "Definition Updates",
            "timestamp": "2025-01-01T19:04:06.0389796+00:00",
            "windowsUpdateStatus": "Installed",
            "cve": "-",
            "cvss": 0.0
        },
        {
            "clientInfoId": "1840275",
            "updateName": "Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.421.1114.0) - Current Channel (Broad)",
            "kb": "2267602",
            "severity": "None",
            "products": "Microsoft Defender Antivirus",
            "categories": "Definition Updates",
            "timestamp": "2024-12-31T11:20:58.4764482+00:00",
            "windowsUpdateStatus": "Installed",
            "cve": "-",
            "cvss": 0.0
        }]
}

OS Updates (Linux)
This API endpoint retrieves information about a customer’s Linux Updates that are deployed in the environment.
Parameter: linuxUpdates
Optional parameters:
 

  • clientInfoId
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/linuxUpdates?customerId=229584&startDate=2021-04-06T12:00&endDate=2021-05-06T11:59&pageNumber={pageNumber}&pageSize={pageSize}&clientInfoId={clientInfoId}

Next-Gen Antivirus detections
This API endpoint retrieves information about a customer’s Next-Gen Antivirus detection statistics (hostname, IP Address, infected file, threat category, infection name, process name, status, resolution, timestamp).
Parameter: vigilancedetections
Optional parameters:

  • clientInfoId
  • resolution
                                           - none - gets all Next-Gen Antivirus detections;
                                           - quarantinepending - gets only pending quarantined detections;
                                           - deletequarantinepending - gets only pending for delete quarantines;
                                           - excludequarantinepending - gets only pending for excluding quarantines;
                                           - excludequarantinepending - gets only pending for excluding quarantines;
                                           - repairquarantinepending - gets only pending for repair quarantines;
                                           - removequarantinepending - gets only pending for remove quarantines;
                                           - excludepending - gets only pending for excluding Next-Gen Antivirus detections;
                                           - removeexclusionpending - gets only pending for remove exclusions;
                                           - repairpending - gets only pending for repair Next-Gen Antivirus  detections;
                                           - deletepending - gets only pending for delete Next-Gen Antivirus  detections;
                                           - quarantined - gets only quarantined Next-Gen Antivirus detections;
                                           - deleted - gets only deleted Next-Gen Antivirus detections;
                                           - excluded - gets only excluded Next-Gen Antivirus detections;
                                           - repaired - gets only repaired Next-Gen Antivirus  detections;
                                           - fnotexist - gets only not existing Next-Gen Antivirus  detections;
                                           - errorrepair - gets only failed to repair Next-Gen Antivirus  detections;
                                           - errordelete - gets only failed to delete Next-Gen Antivirus  detections;
                                           - errorquarantine - gets only quarantines that couldn't be added;
                                           - errorexcludequarantine - gets only quarantines that couldn't be excluded;
                                           - errorrepairquarantine - gets only quarantines that couldn't be repaired;
                                           - errorremovequarantine - gets only quarantines that couldn't be removed;
                                           - denyaccesspending - gets pending for deny access to Next-Gen Antivirus detections;
                                           - deniedaccess - gets only denied access to Next-Gen Antivirus detections.
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/vigilancedetections?customerId=229584&startDate=2021-04-06&endDate=2021-05-06&clientInfoId=1840275&pageNumber={pageNumber}&pageSize={pageSize}&resolution=quarantined

Output:
{

    "items": [
        {
            "clientInfoId": 1840275,
            "file": "c:\\users\\romy\\eicar.com",
            "threatCategory": "Virus",
            "infectionName": "Virus:DOS/EICAR_Test_File",
            "processName": "C:\\Windows\\explorer.exe",
            "status": "Infected",
            "resolution": "Quarantined",
            "md5": "44d88612fea8a8f36de82e1278abb02f",
            "timestamp": "2024-12-13T13:50:15.7218182+00:00"
        },
        {
            "clientInfoId": 1140494,
            "file": "c:\\users\\test\\desktop\\op\\0.zip",
            "threatCategory": "Password Stealer",
            "infectionName": "PWS:Win32/Fareit",
            "processName": "Unknown",
            "status": "Infected",
            "resolution": "Quarantined",
            "md5": "c526c0645c8143f82ae71fb6da2d19f4",
            "timestamp": "2024-12-08T06:08:12.2939169+00:00"
        }]
}

XTP detections
This API endpoint retrieves information about a customer’s XTP detections (hostname, IP Address, file, threat category, infection name, process name, status, resolution, timestamp).
Parameter: xtp/getDetections
Optional parameters: 

  • clientInfoId
  • severity - informational, low, medium, high, critical
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/xtp/getDetections?customerId=229584&startDate=2021-04-06&endDate=2021-05-06&pageNumber={pageNumber}&pageSize={pageSize}&clientInfoId=1840275&severity=low

XTP rules
This API endpoint retrieves information about a customer’s XTP rules. 
Parameter: xtp/getRules and ruleIDs (this is required, and for multiple entries, you can use comma-separated values)

https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/xtp/getRules?customerId=229584&startDate=2021-04-06&endDate=2021-05-06&pageNumber={pageNumber}&pageSize={pageSize}&ruleIds={ruleIds}

The data is currently limited to the last 10,000 records.

Privilege Elevation and Delegation Management statistics
This API endpoint retrieves information about a customer’s PEDM elevations. 
Parameter: adminprivilege/getElevationsInLifecycle

  • elevationState (this is a MANDATORY parameter)
                                           - Init - gets elevations that were requested and expect to be approved or denied;
                                           - Pending - gets elevations that were approved and waiting to be started;
                                           - Finalized - gets elevations that were completed;
                                           - Failed - gets elevations that were not initiated;
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/adminprivilege/getElevationsInLifecycle?customerId=229584&filterPeriodStart=2021-04-28T12:00&filterPeriodEnd=2021-05-28T11:59&startDate=2021-04-06&endDate=2021-05-06&pageNumber={pageNumber}&pageSize={pageSize}&elevationState=Init

Output:        
{

    "items": [
        {
            "elevationId": 4626907,
            "username": "SUPPORT8\\TestNoAP",
            "reason": "Install software",
            "requestTime": "2024-12-04T09:09:02.3814681+00:00",
            "startTime": null,
            "endTime": null,
            "elevationType": "Session",
            "fileName": "",
            "filePath": "",
            "clientInfoId": 1571680
        }]
}

Privilege Elevation and Delegation Management details
This API endpoint outputs details related to the processes that were running during the elevation.
Parameter: adminprivilege/getElevationProcesses
Optional parameters: 

  • elevationId - the ID corresponding to the requested elevation (can be retrieved from Privileged PEDM statistics);
  • clientInfoId - the ID of the endpoint requesting the elevation (can be retrieved from the Device Info Details; 
https://dashboard.heimdalsecurity.com/api/heimdalapi/adminprivilege/2.0/getElevationProcesses?customerId=229584&startDate={startDate}&endDate={endDate}&pageNumber={pageNumber}&pageSize={pageSize}&clientInfoId={clientInfoId}&elevationId={elevation_Id}

Output:
{

    "items": [
        {
            "elevationId": 7740359,
            "clientInfoId": 3140033,
            "processName": "npp.8.9.3.Installer.x64",
            "processFullPath": "\"C:\\Users\\TestNoAP\\Downloads\\npp.8.9.3.Installer.x64.exe\"",
            "userName": "SUPPORT9\\TestNoAP",
            "date": "2026-04-07T08:24:56.2575456+00:00"
        }
    ],
    "totalCount": 1,
    "pageNumber": 1,
    "pageSize": 1000
}

Application Control statistics
This API retrieves information about a customer’s processes that are intercepted by the Application Control module.
Parameter: processlock/getInterceptedProcess

https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/processlock/getInterceptedProcess?customerId=229584&startDate={startDate}&endDate={endDate}&pageNumber={pageNumber}&pageSize={pageSize}

Application Control process details
This API retrieves information about a customer’s specific process that is intercepted by the Application Control module.
Parameter: processlock/getDetailsForInterceptedProcess
Optional parameters: md5Hash (the hash of the file)
 

https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/processlock/getDetailsForInterceptedProcess?customerId=229584&startDate={startDate}&endDate={endDate}&pageNumber={pageNumber}&pageSize={pageSize}&md5=a74fd77f0a2415df748d41693bd7f69b

Output:        

        "hostName": "ROMY",
        "userName": "ROMY\\Romy",
        "version": "90.0.4430.212",
        "interceptedProcess": "2021-05-11T20:03:41.754+00:00",
        "groupPolicyName": "ROMY's endpoints",
        "status": "AllowByDefault"

Application Control raw processes
This API retrieves information about a customer’s raw processes that are intercepted by the Application Control module.
Parameter: processlock/getRawInterceptedProcess

https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/processlock/getRawInterceptedProcess?customerId=229584&endDate={endDate}&pageNumber={pageNumber}&pageSize={pageSize}

Output:        
{

    "items": [
        {
            "hostname": "SUPPORT9",
            "userName": "SUPPORT9\\TestNoAP",
            "processName": "RuntimeBroker.exe",
            "fullPath": "C:\\Windows\\System32\\RuntimeBroker.exe",
            "publisher": "Microsoft Windows",
            "softwareName": "Runtime Broker",
            "version": "10.0.26100.7309 (WinBuild.160101.0800)",
            "md5": "",
            "certificate": "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "groupPolicyName": "Application Control",
            "status": "AllowByDefault",
            "interceptedProcess": "2025-12-17T15:05:17+00:00"
        },
        {
            "hostname": "SUPPORT9",
            "userName": "SUPPORT9\\TestNoAP",
            "processName": "backgroundTaskHost.exe",
            "fullPath": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe",
            "publisher": "Microsoft Windows",
            "softwareName": "Background Task Host",
            "version": "10.0.26100.1 (WinBuild.160101.0800)",
            "md5": "f588c66901cb6e1bc7c7b4953bc76473",
            "certificate": "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
            "groupPolicyName": "Application Control",
            "status": "AllowByDefault",
            "interceptedProcess": "2025-12-17T15:05:16+00:00"
        }]
}

TAC alerts
This API retrieves information about a customer’s TAC alerts.
Parameter: tacAlerts
Optional parameters:

  • clientInfoId
  • severities - Informational, Low, Medium, High, Critical
  • sources - Xtp, VectorN, Patching, WindowsUpdate, Antivirus, RansomwareEncryptionProtection, PrivilegedAccessManagement, AppControl, EmailSecurity, EmailFraudPrevention
  • resolutions - Unresolved, Resolved, Actioned
https://dashboard.heimdalsecurity.com/api/heimdalapi/2.0/tacAlerts?customerId=229584&startDate={startDate}&endDate={endDate}&pageNumber={pageNumber}&pageSize={pageSize}&clientInfoId={clientInfoId}&severities={severities}&sources={sources}&resolutions={resolutions}

Data is currently limited to the last 10,000 entries.

TAC Device Notifications
This API retrieves information about a customer’s TAC device alerts.
Parameter: tac/getNotfications
Optional parameters:

  • clientInfoId 
  • severities - Informational, Low, Medium, High, Critical
  • sources - XTP, VectorN, Patching, WindowsUpdate, Antivirus, RansomwareEncryptionProtection, PrivilegedAccessManagement, AppControl, Firewall, EndpointOperationalIssues
  • resolutions - Unresolved, Resolved, Actioned, UnderInvestigation
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/2.0/tac/getNotfications?customerId={customerId}&startDate={startDate}&endDate={endDate}&clientInfoId={clientInfoId}&severities={severities}&sources={sources}&resolutions={resolutions}&pageNumber={pageNumber}&pageSize={pageSize}

Output:
{

    "items": [
        {
            "clientInfoId": "3461569",
            "hostname": "SERVER1",
            "name": "Microsoft severity rating - informational",
            "details": "Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.449.122.0) - Current Channel (Broad)",
            "processName": "-",
            "pid": "-",
            "categories": [
                "Vulnerability Management"
            ],
            "resolution": "Resolved",
            "severity": "Informational",
            "source": "WindowsUpdate",
            "ruleId": 1551,
            "timestamp": "2026-04-15T20:58:44.4070705+00:00",
            "lastUpdated": "2026-04-15T22:39:03.5276696+00:00"
        },
 
{
            "clientInfoId": "3334946",
            "hostname": "SUPPORT5",
            "name": "Heimdal uninstalled",
            "details": "Hostname SUPPORT5 has uninstalled Heimdal Thor Agent",
            "processName": "-",
            "pid": "-",
            "categories": [
                "Endpoint Detection"
            ],
            "resolution": "Actioned",
            "severity": "Critical",
            "source": "EndpointOperationalIssues",
            "ruleId": 1696,
            "timestamp": "2026-04-23T10:08:30.4585749+00:00",
            "lastUpdated": "2026-04-23T10:26:12.526522+00:00"
        },

TAC Device Risk Scores
This API retrieves information about a customer’s TAC device risk scores.
Parameter: tac/getUserNotifications
                   clientInfoId

https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/2.0/tac/getRiskScores?customerId={customerId}&startDate={startDate}&endDate={endDate}&clientInfoId={clientInfoId}
Output:
{
    "items": [
        {
            "riskScore": 30.0
        }
    ],

TAC M365 Notifications
This API retrieves information about a customer’s TAC M365 User notifications.
Parameter: tac/getUserNotifications
Optional parameters:

  • userPrincipalName
  • severities - Informational, Low, Medium, High, Critical
  • sources - LoginAnomalyDetection, EmailSecurity, EmailFraudPrevention, RansomwareEncryptionProtectionCloud, M365EmailForwardRule, M365SecurityIssues
  • resolutions - Unresolved, Resolved, Actioned, UnderInvestigation
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/2.0/tac/getUserNotifications?customerId={customerId}&startDate={startDate}&endDate={endDate}&userPrincipalName={userPrincipalName}&severities={severities}&sources={sources}&resolutions={resolutions}&pageNumber={pageNumber}&pageSize={pageSize}
Output:
{
    "items": [
        {
            "userPrincipalName": "test@centiumtest.com",
            "name": "Fwd Rule - TestNewRule",
            "details": "Emails sent to test@centiumtest.com are forwarded to test@gmail.com",
            "categories": [
                "User Management Alert"
            ],
            "resolution": "Unresolved",
            "severity": "High",
            "source": "M365EmailForwardRule",
            "timestamp": "2026-04-16T03:00:12.4086475+00:00",
            "alertTimestamp": "0001-01-01T00:00:00+00:00",
            "lastUpdated": "0001-01-01T00:00:00+00:00"
        },
 
{
            "userPrincipalName": "sierra-test1@centiumtest.com",
            "name": "MFA disabled",
            "details": "User sierra-test1@centiumtest.com has MFA disabled",
            "categories": [
                "User Management Alert"
            ],
            "resolution": "Unresolved",
            "severity": "Critical",
            "source": "M365SecurityIssues",
            "timestamp": "2026-05-06T02:03:46.017315+00:00",
            "alertTimestamp": "0001-01-01T00:00:00+00:00",
            "lastUpdated": "0001-01-01T00:00:00+00:00"
        }
TAC M365 Risk Scores
This API retrieves information about a customer’s TAC M365 User risk scores.
Parameter: tac/getUserRiskScores
                   userPrincipalName 
https://rc-dashboard.heimdalsecurity.com/api/heimdalapi/2.0/tac/getUserRiskScores?customerId={customerId}&startDate={startDate}&endDate={endDate}&userPrincipalName={userPrincipalName}
Output:
{
   "items": [
       {
           "riskScore": 100.0
       }
   ],
 

AUDIT logs
This API retrieves information about the changes applied to a Windows Group Policy applying to a computer in your environment.

Log Category Method Endpoint Path Required Parameters
Windows GP Audit GET /api/heimdalapi/2.0/auditLogs/getWindowsSettingsAuditLogs customerId, startDate, endDate, pageNumber, pageSize
Linux GP Audit GET /api/heimdalapi/2.0/auditLogs/getLinuxSettingsAuditLogs customerId, startDate, endDate, pageNumber, pageSize
macOS GP Audit GET /api/heimdalapi/2.0/auditLogs/getMacSettingsAuditLogs customerId, startDate, endDate, pageNumber, pageSize
Network Settings GET /api/heimdalapi/2.0/auditLogs/getNetworkSettingsAuditLogs customerId, startDate, endDate, pageNumber, pageSize
Device Info Audit GET /api/heimdalapi/2.0/auditLogs/getClientInfoAuditLogs customerId, startDate, endDate, pageNumber, pageSize
Global Audit Logs GET /api/heimdalapi/2.0/auditLogs/getGlobalAuditLogs customerId, startDate, endDate, pageNumber, pageSize
MXDR Operations GET /api/heimdalapi/2.0/xdr pageNumber, pageSize

Haven't Tried Heimdal Yet?

Start Free Trial 30-day Free Trial. Offer valid only for companies.