Carbon Black Developer Network

App Control REST API Reference

Introduction

This document is intended for programmers who want to write code to interact with the Carbon Black App Control Platform using custom scripts or integrate with other applications. The Carbon Black App Control API is a RESTful API that can be consumed over the HTTPS protocol using any language that can issue GET/POST/PUT URI requests and interpret JSON responses.

Versioning

Current version of Carbon Black App Control API is v1. All API calls are based in address https://<your server name>/api/bit9platform/v1

Authentication

Carbon Black App Control APIs are authenticated through the API token. This token has to be placed inside each HTTP request 'X-Auth-Token' header. The API token is tied to the console user. To obtain the API token, ask the Carbon Black App Control Server administrator to generate special user and token for you. A good practice is to have separate console users with minimum required access controls for each API client.

Access Controls

An API client has the same access level as its corresponding console user. For example, in order to get access to the ‘event’ object, the user associated with API token will need permission to view events. Required permissions are listed with each API in this document. If caller lacks the required permissions, HTTP error 401 - Unauthorized will be returned.

Responses

Successful calls will return either HTTP 200 - OK or HTTP 201 - Created, depending if request modified/deleted an existing object or created a new object, respectively.

In case of POST and PUT, the response will contain the body of the modified or created object in the content, and the URI of the created or modified object in URL property of the response.

In the case of GET, the response will contain the body of the searched object(s) in the content.

Failed calls will return errors in the range 400-599. This is usually one of the following:

HTTP 400 - Bad request - Usually means that request contains unexpected parameters. More details about error can be found in the response content.

HTTP 401 - Unauthorized - Either authentication (invalid token) or access control (missing RBAC) error.

HTTP 403 - Forbidden - Specified object cannot be accessed or changed.

HTTP 404 - Not found - Object referenced in the request cannot be found.

HTTP 503 - Service unavailable - Cannot return object at this moment because service is unavailable. This can happen if too many file downloads are happening at the same time. You can try later.

Searching

Searching is done through the GET request, by passing search elements as URL query parts:

v1/computer?q=<query condition 1>&q=<query condition 1>...&group=<optional group term>&groupType=<optional group type>&groupStep=<optional group step>&sort=<optional sort term>&offset=<optional offset>&limit=<optional limit>&fields=<optional field list>

The following sections describe these query parts.

Query Condition

Multiple conditions can be added, and each has to be satisfied for the result set.

Individual conditions can have one or multiple subconditions, separated with ‘|’ (pipe) symbol. A condition contains three parts: name, operator and value.

Name is any valid field in the object that is being queried.
Operator is any of valid operators (see below). All operators consist of a single character.
Value is compared with operator and depends on field type. Values can be empty to reflect searching for null values and empty strings.

Possible operators are:

: results in LIKE comparison for strings, and = comparisons for other types. Note that LIKE comparison for strings results in ‘=’ comparison if the string doesn’t contain wildchars. String comparison is case insensitive.
! results in NOT LIKE comparison for strings, and <> comparison for other types. Note that NOT LIKE comparison for strings results in ‘<>’ comparison if the string doesn’t contain wildchars. String comparison is case insensitive.
< Less than - can be used for both strings and numerical values
> Greater than - can be used for both strings and numerical values
+ logical AND operation (valid only for numerical values). True if value has all bits set as in operand. This can be used to check existence of given flag in a field. Bitwise operations on integer fields cannot use indices and can result in slow queries if done on large datasets.
- logical NAND operation (valid only for numerical values). True if value has none of the bits in the operand. This can be used to check non-existence of given flag in a field. Bitwise operations on integer fields cannot use indices and can result in slow queries if done on large datasets.
| separating values with | (pipe) symbol will cause both values to be included in the condition. Example “q=fileName:test1.exe|test2.exe” will match all objects where filename is either test1.exe or test2.exe. Note that negative conditions (- and !) will exclude entries that match either of included values.

Special relative date comparison operator:

X[s|m|h|d|w|n] Indicates relative date to NOW. Units X can be expressed in (s)econds, (m)inutes, (h)ours, (d)ays, (w)eeks or mo(n)ths.

For example, -3w indicates three weeks ago, while 2d indicates two days in the future.

Following characters need to be escaped when used in query conditions to avoid conflicting with reserved characters:

\ => \\
| => \|
* => \*

Example of a complex search filter that uses several described operators and one escape sequence:

Search all computers that have ipAddress that (starts with fe00 or ff00) AND have non-empty computer tag AND were created less than 10 hours ago AND have policy name that contains character ‘*'


# Request: 
[GET] https://myServer/api/bit9platform/v1/Computer?q=ipAddress:fe00*|ff00*&q=computerTag!&q=dateCreated>-10h&q=policyName:*\**

# Resulting SQL query condition evaluated:
... WHERE (ipAddress LIKE 'fe00%' OR ipAddress LIKE 'ff00%') 
AND computerTag NOT LIKE '' 
AND dateCreated>DATEADD(HOUR, -10, GETUTCDATE())
AND policyName LIKE '%*%'

Note: All string matching will be case insensitive

Limiting Results and Getting Result Count

Attributes: &offset=x&limit=y, where x is zer0-based offset in data set (defaults to 0), and y is maximum number of results to retrieve

Special values for limit are:

If not specified: First 1000 results will be returned.
If set to -1: Only result count will be returned, without actual results. Offset parameter is ignored in this case.
If set to 0: All results will be returned. Offset parameter is ignored in this case. Note that some result sets could be very large, resulting in query timeout. Therefore, unless you know that query will not return more than 1000 results, it is recommended to retrieve data in chunks using offset and limit.

Here is an example on how to get result count from a query:


# Request: 
[GET] https://myServer/api/bit9platform/computer?limit=-1

# Response: 
{"count": 1284}

Sorting

Sorting is optional and can be defined with a single attribute: &sort=<field> <sort>

<field> is field to sort by. There can be only one sorting field
<sort> is optional and can be ASC or DESC. Default value is ASC

Grouping

Grouping is optional and can be defined with a single attribute: &group=<field> <sort>

<field> is field to group by. There can be only one grouping field
<sort> is optional and can be one of: ASC, DESC, CASC, CDESC. Default value is ASC
- ASC/DESC sorts by group field ascending or descending
- CASC/CDESC sorts by group count ascending or descending

Output of grouping is always an array of objects with value and count fields. “Value” is group field value, and “count” is number of rows that have that name for the grouped field. Here is an example:


# Request: 
[GET] https://myServer/api/bit9platform/v1/computer?group=osShortName CDESC

# Response:
[
    {"value": "Mac","count": 2311},
    {"value": "Windows 7","count": 1330}
    {"value": "CentOS 6","count": 826},
    {"value": "CentOS 5","count": 53},
]

Subgrouping

Subgrouping can be used with grouping to further break down categories using other fields: &group=<field1>&subgroup=<field2> <sort>

<field1> is the field to group by. There can be only one grouping field
<field2> is the field to subgroup within that group by. There can be only one subgrouping field
<sort> is optional and can be one of: ASC, DESC, CASC, CDESC. Default value is ASC
- ASC/DESC sorts by subgroup field ascending or descending
- CASC/CDESC sorts by subgroup count ascending or descending

Output of subgrouping is always an array of objects with two value fields and three count fields. Each of the value fields is named after the fields being grouped by. The three count fields are as follows:

subcount: The count of the number of rows that match both the group and subgroup fields
count: The total count of the number of rows that match the group field
dcount: The number of subgroup field values for that group field

In the below example, each subcount represents the number of items in the file catalog that match both that row’s publisherOrCompany and productName. Each row’s count contains the total sum of items with that row’s publisherOrCompany and its dcount represents the number of productName rows there are for that publisherOrCompany. Finally, all the rows are sorted by the subcount value in each row in descending order.

For the publisherOrCompany “Emoji Systems Incorporated”, there are a total of 61 (54 + 4 + 3) items across 3 productName values (“Emoji Manager”, “Emoji Framework” and “Emoji Installer”); those two numbers appear in all three “Emoji Systems Incorporated” rows as count and dcount. For the publisherOrCompany “Emojicorp”, there is only 1 productName value (“Emoji Loader”), so its dcount is 1, and its count is just the value of the one subcount, 52.


# Request: 
[GET] https://myserver/api/bit9platform/v1/fileCatalog?&q=publisherOrCompany:Emoji*&group=publisherOrCompany&subgroup=productName CDESC

# Response:
[
{"publisherOrCompany":"Emoji Systems Incorporated","productName":"Emoji Manager","subcount":54,"count":61,"dcount":3},
{"publisherOrCompany":"Emojicorp","productName":"Emoji Loader","subcount":52,"count":52,"dcount":1},
{"publisherOrCompany":"Emoji Systems Incorporated","productName":"Emoji Framework","subcount":4,"count":61,"dcount":3},
{"publisherOrCompany":"Emoji Systems Incorporated","productName":"Emoji Installer","subcount":3,"count":61,"dcount":3}
]

Grouping by Time Windows

Window grouping is special version of grouping that is available only on time-based fields: &group=<field> <sort>&groupType=<type>groupStep=<step>

<field> is field to group by. There can be only one grouping field
<sort> is optional and determines how results are sorted by time. It can be ASC or DESC. Default value is ASC
<type> is time unit for grouping. can be one of: s,m,h,d,w,n, which are abbreviations for (s)econds, (m)inutes, (h)ours, (d)ays, (w)eeks or mo(n)ths.
<step> is step of the time window, indicating how many time units to group by. If not supplied, it defaults to 1

Output of grouping is always array of objects with dateFrom, dateTo and count fields. dateFrom and dateTo are start and end of time window, while “count” is number of results in given time window. Note that empty time windows will be listed as well.

Number of results is limited to 5000, and offset/limit can be used in order to get more results in separate queries.

Here is example that returns number of events grouped by 2-month periods:


# Request: 
[GET] https://myServer/api/bit9platform/v1/event?group=timestamp&groupType=n&groupStep=2
# Response:
    [
{"dateFrom":"2014-10-01T00:00:00Z","dateTo":"2014-12-01T00:00:00Z","count":3177},
{"dateFrom":"2014-12-01T00:00:00Z","dateTo":"2015-02-01T00:00:00Z","count":0},
{"dateFrom":"2015-02-01T00:00:00Z","dateTo":"2015-04-01T00:00:00Z","count":2069703},
{"dateFrom":"2015-04-01T00:00:00Z","dateTo":"2015-06-01T00:00:00Z","count":6065022},
{"dateFrom":"2015-06-01T00:00:00Z","dateTo":"2015-08-01T00:00:00Z","count":462729}
]

Field Expansion

Expanding is a way to get associated foreign-key values for any API entry. It is optional and can be defined with one or more attributes: &expand=<field>

<field> is field to expand on. It has to be one of foreign keys defined for this object. Separate “expand” parameter can be supplied for the each available foreign key.

Expanding also exposes all fields from the related object, prefixed by foreign key name and underscore (_). You can use the newly exposed fields for grouping and searching as you would use native object fields. Fields that are eligible for expanding are listed as “foreign keys” for each API object.

For example, expanding on certificateId for fileCatalog will expose additional fields, including: certificateId_name, certificateId_serialNumber.

With certificateId expanded, following request will return the top 100 files that have a certificate with public key size less than 1024:


# Request: 
[GET] https://myServer/api/bit9platform/v1/fileCatalog?expand=certificateId&q=certificateId_publicKeySize<1024&limit=100

Performance warning: Filtering and grouping on expanded fields is more expensive because it requires underlying SQL Server queries to be more complex. It can slow down API response or, in some cases, cause a response timeout.

Limiting Output to Specific Fields

If you would like to only output specific fields in your API response, provide a comma-separated list of those fields in your query: &fields=<field1,field2,field3,…>

Here is example that returns only two fields, name and policyName, from the computer object:


# Request: 
[GET] https://myServer/api/bit9platform/v1/computer?fields=name,policyName
# Response:
[
{"name":"HELLO\WORLD1","policyName":"Lockdown"},
   	{"name":"HELLO\WORLD2","policyName":"Lockdown"},
{"name":"HELLO\WORLD3","policyName":"Lenient"}
]

You can also request fields across expansions:


# Request: 
[GET] https://myServer/api/bit9platform/v1/computer?expand=policyId&fields=name,policyName,policyId_description
# Response:
[
{"name":"HELLO\WORLD1","policyName":"Lockdown","policyId_description":"No new applications"},
   	{"name":"HELLO\WORLD2","policyName":"Lockdown","policyId_description":"No new applications"},
{"name":"HELLO\WORLD3","policyName":"Lenient","policyId_description":"A few new applications"}
]

Code Examples

Here are several code examples, written in Python 3, using requests and JSON libraries.

Approve Publisher

This code approves publisher with id=12 for all policies


import requests, json

# --- Prepare our request header and url ---
authJson={
'X-Auth-Token': '8F97E8CB-1DCD-40D2-817B-7CECDD79CA67',  # replace with actual user token
'content-type': 'application/json'
} 
b9StrongCert = True  # Set to False if your Server has self-signed IIS certificate
url = 'https://myserver/api/bit9platform/v1/publisher/12'  # replace with actual server address

# --- Here is our request ---
data = {'publisherState': 2}  # 2 means 'approved'
r = requests.put(url, json.dumps(data), headers=authJson, verify=b9StrongCert)
r.raise_for_status()  # Make sure the call succeeded
publisher = r.json()  # get resulting publisher object

Ban File per Policy

This code bans file with Md5 hash ‘64a4f54d6863d59f1121a91554b55e9a’ for policies id 10 and 11


import requests, json

# --- Prepare our request header and url ---
authJson={
'X-Auth-Token': '8F97E8CB-1DCD-40D2-817B-7CECDD79CA67',  # replace with actual user token
'content-type': 'application/json'
} 
b9StrongCert = True  # Set to False if your Server has self-signed IIS certificate
url = 'https://myserver/api/bit9platform/v1/fileRule'  # replace with actual server address

# --- Here is our request ---
data = {'hash': '64a4f54d6863d59f1121a91554b55e9a', 'fileState': 3,  # 3 means 'banned'
'policyIds': '10,11'} 
r = requests.post(url, json.dumps(data), headers=authJson, verify=b9StrongCert)
r.raise_for_status()  # Make sure the call succeeded
fileRule = r.json()  # get resulting file rule object

Disable Tamper Protection for Computers

This code disables tamper protection for computers with IP address starting with 10.201.2, and moves them into policy 8


import requests, json

# --- Prepare our request header and url ---
authJson={
'X-Auth-Token': '8F97E8CB-1DCD-40D2-817B-7CECDD79CA67',  # replace with actual user token
'content-type': 'application/json'
}
apiUrl = 'https://myserver/api/bit9platform' # replace with actual server address
b9StrongCert = True  # Set to False if your Server has self-signed IIS certificate

# Get computers. Here we assume that count is reasonable and we ca get all of them at once (no limit specified)
comps = requests.get(
    apiUrl + '/v1/computer?q=ipAddress:10.201.2.*', 
    headers=authJson, verify=b9StrongCert).json()

for c in comps:  # For each returned computer...
c['policyId'] = 8  # Move to policy 8
# Tamper protection can be disabled only through URI:
requests.post(
        apiUrl+'/v1/computer?newTamperProtectionActive=false', 
        json.dumps(c), headers=authJson, verify=b9StrongCert)

Locally Approve Files

This code locally approves all unapproved files for Windows computer in policy 8, if file prevalence is 10 or greater


import requests, json

# --- Prepare our request header and url ---
authJson={
'X-Auth-Token': '8F97E8CB-1DCD-40D2-817B-7CECDD79CA67',  # replace with actual user token
'content-type': 'application/json'
}
apiUrl = 'https://myserver/api/bit9platform' # replace with actual server address
b9StrongCert = True  # Set to False if your Server has self-signed IIS certificate

# Get all Windows computers in policy 8
comps = requests.get(
    apiUrl + '/v1/computer?q=policyId:8&q=platformId:1', 
    headers=authJson, verify=b9StrongCert).json()

for c in comps:  # For each returned computer, get list of locally unapproved files
files = requests.get(
        apiUrl + '/v1/fileInstance?q=computerId:'+ str(c['id']) + '&q=localState:1', 
        headers=authJson, verify=b9StrongCert).json()
    
for finst in files:  # For each returned file...
    # Get its file catalog entry to get prevalence
    fcat = requests.get(
            apiUrl + '/v1/fileCatalog/'+str(finst['fileCatalogId']), 
            headers=authJson, verify=b9StrongCert).json()

    if fcat['prevalence']>=10:  # if prevalent enough...
        finst['localState'] = 2  # Approve locally
        requests.post(
                apiUrl + '/v1/fileInstance', 
                json.dumps(finst), headers=authJson, verify=b9StrongCert)

Configure Rapid Configs

This code gives an example of how to configure a Rapid Config for policies with IDs 1 and 2


import requests, json

# --- Prepare our request header and url ---
auth_json={
'X-Auth-Token': '8F97E8CB-1DCD-40D2-817B-7CECDD79CA67',  # replace with actual user token
'content-type': 'application/json'
}
api_url = 'https://myserver/api/bit9platform' # replace with actual server address
strong_cert = True  # Set to False if your Server has self-signed IIS certificate

# Get Browser Protection Rapid Config
rapid_config = requests.get(
    api_url + '/v1/rapidConfig?q=name:Browser Protection', 
    headers=auth_json, verify=strong_cert).json()

browser_protection = rapid_config[0]

# print out the description
print("Browser Protection Rapid Config: " + browser_protection["description"])

# Look up available settings for Browser Protection
browser_protection_available_settings = requests.get(
    api_url + '/v1/rapidConfigAvailableSetting?q[0]=rapidConfigIdUnique:'+browser_protection["rapidConfigIdUnique"],
    headers=auth_json, verify=strong_cert).json()

new_settings = []
for available_setting in browser_protection_available_settings:
    # print useful information
    print("------------------------------------------------")
    print("Setting description: " + str(available_setting["description"]))
    print("Setting label: " + str(available_setting["label"]))
    print("Default value: " + str(available_setting["defaultValue"]))
    print("Possible values: " + ', '.join(available_setting["possibleValues"]))
    print("Required: " + str(available_setting["required"]))
    print("------------------------------------------------")
    # build settings based on default values
    if available_setting["defaultValue"] is not None:
        new_settings.append(
            {
                "rapidConfigIdUnique":browser_protection["rapidConfigIdUnique"],
                "paramIdUnique":available_setting["id"],
                "value":available_setting["defaultValue"],
                "policyIds":"1,2"
            })

# POST new configuration settings
for one_setting in new_settings:
    requests.post(
        api_url + '/v1/rapidConfigSetting', 
        json.dumps(one_setting), headers=auth_json, verify=strong_cert)

# Get Browser Protection Rapid Config again
rapid_config = requests.get(
    api_url + '/v1/rapidConfig?q=name:Browser Protection', 
    headers=auth_json, verify=strong_cert).json()

browser_protection = rapid_config[0]

# Enable Browser Protection Rapid Config
browser_protection["enabled"] = True

if browser_protection["configured"]:
    r = requests.post(
        api_url + '/v1/rapidConfig', 
        json.dumps(browser_protection), headers=auth_json, verify=strong_cert)
    if r.ok:
        print("Browser Protection successfully configured and enabled")
        exit(0)

print("Browser Protection configuration failed")
exit(1)

API Reference

This section lists all API objects and their properties that are listed in table with each object. Some subset of properties for each object are modifiable through POST/PUT requests and those are called in a separate table. 

Each API object can have associated GET, PUT, POST or DELETE requests with their individual parameters. 

GET and DELETE request parameters are entirely passed in the request URI.

POST and PUT request parameters accept entire object that is passed in the body of the request (as JSON), and some additional parameters that are passed through the request URI.

Following objects are supported:

advancedRule
agentConfig
appCatalog
appInstance
approvalRequest
approvalRequestRelated
approvalRequestSummary
cachedEvent
certificate
certificateBinary
clientRegistrationCode
companyName
computer
computerDiagnostics
computerUsername
connector
consoleUsername
cpeApplication
cpeApplicationFileMap
cpeCveMap
cpeDictionary
cveInstance
device
deviceInstance
deviceRule
deviceSerialNumber
driftReport
driftReportContents
event
eventCacheView
executionControlRule
expertRule
fileAction
fileAnalysis
fileCatalog
fileCreationControlRule
fileInstance
fileInstanceAll
fileInstanceDeleted
fileInstanceGroup
fileInstanceSnapshot
fileIntegrityControlRule
fileName
fileRule
fileRuleTriggerSummary
fileUpload
findFileCertificate
findFileComputer
findFileInstance
grantedUserPolicyPermission
identityProvider
internalEvent
meteredExecution
notification
notifier
objectTag
objectTagMap
pendingAnalysis
performanceOptimizationRule
plugin
policy
productName
publisher
publisherCertificate
rapidConfig
rapidConfigAvailableSetting
rapidConfigSetting
ruleTriggerData
ruleTriggerDetails
ruleTriggerSummary
scriptRule
serverConfig
serverPerformance
trustedDirectory
trustedPathRule
trustedUser
updater
user
userGroup
username
vulnerableDriver
whoAmI
yaraRule
yaraRuleset
yaraRuleTag
yaraVersion

» advancedRule

v1/advancedRule object exposes custom advanced rules. It also allows creating, editing and deleting these rules.

All Object Properties for advancedRule

Name	Type	Property Description
`id`	`Int32`	Unique id of this rule
`masterRuleId`	`Int32`	Id of parent of this rule
`idUnique`	`Guid`	Unique GUID of this rule
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleUITemplateId`	`Int32`	UI Template id of this rule. Can be one of:0=None1=File Integrity Control2=Trusted Path3=Execution Control4=File Creation Control5=Performance Optimization99=Advanced1000=Internal1001=Updaters
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`ruleAction`	`String`	Display name of action taken by this rule. Action can be calculated from other rule parameters (flags, masks, opTypes), and is exposed as read-only field.
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`restrictAccessFlags`	`Int32`	Rule restrict access flags used for memory rules only on Windows platform. This is combination of process access permission allowed.
`writeActionMask`	`Int32`	Write action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`writeNegationMask`	`Int32`	Write negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`writeOpType`	`Int32`	Write operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`execActionMask`	`Int32`	Execution action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`combinedActionMask`	`Int32`	execActionMask combined with writeActionMask with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`execNegationMask`	`Int32`	Execution negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`execOpType`	`Int32`	Execution operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`combinedOpType`	`Int32`	execOpType combined with writeOpType with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`policyIds`	`String`	List of IDs of policies where this rule applies. Value will be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`hidden`	`Boolean`	True if rule is hidden
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`createdBy`	`String`	User that created this object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	User that last modified this object
`dateImported`	`DateTime`	Date/time when this rule was imported (UTC). This field will be null if rule was not imported
`importedByUserId`	`Int32`	Id of `user` that imported this rule. This field will be null if rule was not importedThis is a foreign key and can be expanded to expose fields from the related `user` object
`importedBy`	`String`	User that imported this rule. This field will be null if rule was not imported
`importSessionHandle`	`String`	Internal session handle used during rule import. This field will be null if rule was not imported.
`sid`	`String`	List of user SIDs for which this rule applies
`userNames`	`String`	List of user names for which this rule applies
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Note that value of the rank will be different than rank exposed in the console because API exposes more rules.
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`execNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s execution action (can be 0 to use default notifier)
`writeNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s write action (can be 0 to use default notifier)
`effectiveNotifierId`	`Int32`	Id of `notifier` object associated with this rule
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:0x01 = High0x02 = Medium0x04 = LocalApproval0x08 = Low0x10 = Visibility0x20 = DisabledUse -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`updaterId`	`Int32`	Id of `updater` object that contains this ruleThis is a foreign key and can be expanded to expose fields from the related `updater` object
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`priority`	`Int32`	Priority of this rule
`priorityBucket`	`Int32`	Priority bucket of this rule
`priorityGroup`	`Int32`	Priority group of this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule
`version`	`Int64`	Version of this custom rule

Properties modifiable Using PUT/POST Request for advancedRule

Name	Type	Property Description
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`restrictAccessFlags`	`Int32`	Rule restrict access flags used for memory rules only on Windows platform. This is combination of process access permission allowed.
`writeActionMask`	`Int32`	Write action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`writeNegationMask`	`Int32`	Write negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`writeOpType`	`Int32`	Write operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`execActionMask`	`Int32`	Execution action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`execNegationMask`	`Int32`	Execution negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`execOpType`	`Int32`	Execution operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`policyIds`	`String`	List of IDs of policies where this rule applies. Value should be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`sid`	`String`	List of user SIDs for which this rule applies
`userNames`	`String`	List of user names for which this rule applies
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Change rank to move the rule
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`execNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s execution action (can be 0 to use default notifier)
`writeNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s write action (can be 0 to use default notifier)
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:High = 0x01Medium = 0x02LocalApproval = 0x04Low = 0x08Visibility = 0x10Disabled = 0x20 Use -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 - if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule

POST Request for advancedRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/advancedRule?delete={delete}

Name	Source	Type	Description
`value`	FromBody	customRule
`delete`	FromUri	Boolean

PUT Request for advancedRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/advancedRule/{id}?delete={delete}

Name	Source	Type
`id`	FromUri	Int32
`value`	FromBody	customRule
`delete`	FromUri	Boolean

DELETE Request for advancedRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/advancedRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for advancedRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/advancedRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for advancedRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/advancedRule?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» agentConfig

v1/agentConfig object exposes configuration properties for the Carbon Black App Control Agent. It allows enabling/disabling and changing properties.

All Object Properties for agentConfig

Name	Type	Property Description
`id`	`Int32`	Unique id of this agentConfig
`computerId`	`Int32`	Target id of `computer` for this property. 0 sends property to all computersThis is a foreign key and can be expanded to expose fields from the related `computer` object
`description`	`String`	Description of configuration property
`name`	`String`	Name of property
`value`	`String`	Value of property
`enabled`	`Boolean`	True if property is enabled
`hidden`	`Boolean`	True if property is hidden from the UI
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdBy`	`String`	User that created this object
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedBy`	`String`	User that last modified this object
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`clVersion`	`Int64`	CL version associated with this property
`platformFlags`	`Int32`	Set of platform flags where this property will be valid. combination of: 1 = Windows2 = Mac4 = LinuxUsing 0 causes property to apply to all platforms.

Properties modifiable Using PUT/POST Request for agentConfig

Name	Type	Property Description
`computerId`	`Int32`	Target id of `computer` for this property. 0 sends property to all computers
`description`	`String`	Description of configuration property
`name`	`String`	Name of property
`value`	`String`	Value of property
`enabled`	`Boolean`	True if property is enabled
`hidden`	`Boolean`	True if property is hidden from the UI
`platformFlags`	`Int32`	Set of platform flags where this property will be valid. combination of: 1 = Windows2 = Mac4 = LinuxUsing 0 causes property to apply to all platforms.

POST Request for agentConfig

Required permissions: ‘View system configuration’, ‘Manage system configuration’

Call syntax: bit9platform/v1/agentConfig?delete={delete}

Name	Source	Type	Description
`value`	FromBody	agentConfig
`delete`	FromUri	Boolean

PUT Request for agentConfig

Required permissions: ‘View system configuration’, ‘Manage system configuration’

Call syntax: bit9platform/v1/agentConfig/{id}?delete={delete}

Name	Source	Type
`id`	FromUri	Int32
`value`	FromBody	agentConfig
`delete`	FromUri	Boolean

DELETE Request for agentConfig

Required permissions: ‘View system configuration’, ‘Manage system configuration’

Call syntax: bit9platform/v1/agentConfig/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for agentConfig

Required permissions: ‘View system configuration’

Call syntax: bit9platform/v1/agentConfig/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for agentConfig

Required permissions: ‘View system configuration’

Call syntax: bit9platform/v1/agentConfig?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» appCatalog

v1/appCatalog object exposes the application catalog across all agents.

All Object Properties for appCatalog

Name	Type	Property Description
`id`	`Int32`	Application ID
`packageCode`	`Guid`	Package code of the Application
`productCode`	`Guid`	Product code of the Application
`upgradeCode`	`Guid`	Upgrade code of the Application
`firstSeenComputerId`	`Int32`	Id of `computer` where the Application was first seenThis is a foreign key and can be expanded to expose fields from the related `computer` object
`appName`	`String`	Application name
`appVersion`	`String`	Application version
`appVersionNumber`	`String`	Application version number
`appPublisher`	`String`	Application publisher name
`windowsInstaller`	`Boolean`	True if this is a Windows installer
`contact`	`String`	Contact information for the Application
`comments`	`String`	Comments about the Application
`helpTelephone`	`String`	Help phone number for the Application
`helpURL`	`String`	Help URL for the Application
`aboutURL`	`String`	About URL for the Application
`upgradeURL`	`String`	Upgrade URL for the Application
`readme`	`String`	Readme information about the Application
`company`	`String`	Company for the Application
`computerCount`	`Int32`	Number of computers with the Application
`dateCreated`	`DateTime`	Date/time when the Application was created (UTC)
`dateModified`	`DateTime`	Date/time when the Application was modified (UTC)

appCatalog is a read-only object and has no modifiable properties.

GET Request for appCatalog

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/appCatalog/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for appCatalog

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/appCatalog?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» appInstance

v1/appInstance object exposes application instances for each agent.

All Object Properties for appInstance

Name	Type	Property Description
`computerId`	`Int32`	ID of `computer` Where the Application was installedThis is a foreign key and can be expanded to expose fields from the related `computer` object
`appCatalogId`	`Int32`	ID of `appCatalog` entryThis is a foreign key and can be expanded to expose fields from the related `appCatalog` object
`installDate`	`DateTime`	Installation date of the Application
`installDirectory`	`String`	Installation directory of the Application
`uninstallKey`	`String`	Uninstall key for the Application
`source`	`String`	Source of the Application
`installedFor`	`String`	The Application was installed for these users
`repairCommandLine`	`String`	Repair command line for the Application
`uninstallCommandLine`	`String`	Uninstall command line for the Application
`estimatedDiskUsage`	`Int64`	Estimated disk usage by the Application
`languageId`	`Int32`	Language ID for the Application
`localPackage`	`String`	Installer for the Application
`dateCreated`	`DateTime`	Date/time when the Application was created (UTC)
`dateModified`	`DateTime`	Date/time when the Application was modified (UTC)

appInstance is a read-only object and has no modifiable properties.

GET Request for appInstance

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/appInstance/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for appInstance

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/appInstance?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» approvalRequest

v1/approvalRequest object exposes workflow for approval requests and justifications. Note that approvalRequests cannot be created from the API. Only modifications of existing approval requests generated by the endpoint are supported.

All Object Properties for approvalRequest

Name	Type	Property Description
`id`	`Int32`	Unique approvalRequestId
`fileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with file for this requestThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`installerFileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with installer for this requestThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`processFileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with process for this requestThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`computerId`	`Int32`	Id of `computer` where request originatedThis is a foreign key and can be expanded to expose fields from the related `computer` object
`computerName`	`String`	Name of computer where request originated
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdBy`	`String`	User that created this object
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedBy`	`String`	User that last modified this object
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`enforcementLevel`	`Int32`	Enforcement level of agent at the time of request. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
`resolution`	`Int32`	Resolution of request. Can be one of: 0=Not Resolved 1=Rejected 2=Resolved - Approved 3=Resolved - Rule Change 4=Resolved - Installer 5=Resolved - Updater 6=Resolved - Publisher 7=Resolved - Other
`requestType`	`Int32`	Type of request. One if: 1=Approval 2=Justification
`requestorComments`	`String`	Comments by user that created this request
`requestorEmail`	`String`	Email of user that created this request
`priority`	`Int32`	Priority of this request. Can be one of: 0=High 1=Medium 2=Low
`resolutionComments`	`String`	Comments by request resolver
`status`	`Int32`	Request status. Can be one of: 1=Submitted 2=Open 3=Closed 4=Escalated
`policyId`	`Int32`	Id of `policy` for computer at the time when request arrived to the serverThis is a foreign key and can be expanded to expose fields from the related `policy` object
`multipleBlocks`	`Boolean`	True if file referenced by this request had multiple blocks
`fileName`	`String`	Name of file on the agent
`pathName`	`String`	Path of the file on the agent
`process`	`String`	Process that attempted to execute file on the agent. This is full process path
`customRuleId`	`Int32`	Id of the `customRule` that caused the file block on the agentThis is a foreign key and can be expanded to expose fields from the related `customRule` object
`duplicates`	`Int32`	Number of duplicates (if exist) of this approval request
`related`	`Int32`	Number of related requests (if exist) of this approval request
`platform`	`String`	Platform of this approval request
`publisherReputation`	`String`	Reputation of this publisher. Can be one of: 0=Not trusted (Unknown) 1=Low 2=Medium 3=High
`customRuleType`	`String`	Custom rule type of the approval request. Can be one of: Memory Rule or Registry Rule
`installer`	`String`	Installer process that this file is part of. This is full installer path
`processName`	`String`	Process that attempted to execute file on the agent. This is file name part
`processPath`	`String`	Process that attempted to execute file on the agent. This is file path part
`responseMailSent`	`DateTime`	Date/time when response mail was sent from this approval request to requestor email
`file`	`String`	Full file path on the agent

Properties modifiable Using PUT/POST Request for approvalRequest

Name	Type	Property Description
`resolution`	`Int32`	Resolution of request. Resolution can be changed for open requests or closed requests only. It can be one of: 0=Not Resolved 1=Rejected 2=Resolved - Approved 3=Resolved - Rule Change 4=Resolved - Installer 5=Resolved - Updater 6=Resolved - Publisher 7=Resolved - Other
`requestorEmail`	`String`	Email of user that created this request
`resolutionComments`	`String`	Comments by request resolver
`status`	`Int32`	Request status. Can be one of: 1=Submitted 2=Open 3=Closed 4=EscalatedProhibited transitions are from any status back to 0 or 1.

POST Request for approvalRequest

Required permissions: ‘View approval requests’, ‘Manage approval requests’

Call syntax: bit9platform/v1/approvalRequest

Name	Source	Type	Description
`value`	FromBody	approvalRequest

PUT Request for approvalRequest

Required permissions: ‘View approval requests’, ‘Manage approval requests’

Call syntax: bit9platform/v1/approvalRequest/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	approvalRequest

GET Request for approvalRequest

Required permissions: ‘View approval requests’

Call syntax: bit9platform/v1/approvalRequest/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for approvalRequest

Required permissions: ‘View approval requests’

Call syntax: bit9platform/v1/approvalRequest?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type	Description
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32	When -2, a “quick count” will be returned.
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» approvalRequestRelated

v1/approvalRequestRelated object exposes workflow for approval requests and justifications. Note that approvalRequests cannot be created from the API. Only modifications of existing approval requests generated by the endpoint are supported.

All Object Properties for approvalRequestRelated

Name	Type	Property Description
`id`	`Int32`	Unique approvalRequestId
`fileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with file for this requestThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`installerFileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with installer for this requestThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`processFileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with process for this requestThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`computerId`	`Int32`	Id of `computer` where request originatedThis is a foreign key and can be expanded to expose fields from the related `computer` object
`computerName`	`String`	Name of computer where request originated
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdBy`	`String`	User that created this object
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedBy`	`String`	User that last modified this object
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`enforcementLevel`	`Int32`	Enforcement level of agent at the time of request. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
`resolution`	`Int32`	Resolution of request. Can be one of: 0=Not Resolved 1=Rejected 2=Resolved - Approved 3=Resolved - Rule Change 4=Resolved - Installer 5=Resolved - Updater 6=Resolved - Publisher 7=Resolved - Other
`requestType`	`Int32`	Type of request. One if: 1=Approval 2=Justification
`requestorComments`	`String`	Comments by user that created this request
`requestorEmail`	`String`	Email of user that created this request
`priority`	`Int32`	Priority of this request. Can be one of: 0=High 1=Medium 2=Low
`resolutionComments`	`String`	Comments by request resolver
`status`	`Int32`	Request status. Can be one of: 1=Submitted 2=Open 3=Closed 4=Escalated
`policyId`	`Int32`	Id of `policy` for computer at the time when request arrived to the serverThis is a foreign key and can be expanded to expose fields from the related `policy` object
`multipleBlocks`	`Boolean`	True if file referenced by this request had multiple blocks
`fileName`	`String`	Name of file on the agent
`pathName`	`String`	Path of the file on the agent
`process`	`String`	Process that attempted to execute file on the agent. This is full process path
`customRuleId`	`Int32`	Id of the `customRule` that caused the file block on the agentThis is a foreign key and can be expanded to expose fields from the related `customRule` object
`duplicates`	`Int32`	Number of duplicates (if exist) of this approval request
`related`	`Int32`	Number of related requests (if exist) of this approval request
`platform`	`String`	Platform of this approval request
`publisherReputation`	`String`	Reputation of this publisher. Can be one of: 0=Not trusted (Unknown) 1=Low 2=Medium 3=High
`customRuleType`	`String`	Custom rule type of the approval request. Can be one of: Memory Rule or Registry Rule
`installer`	`String`	Installer process that this file is part of. This is full installer path
`processName`	`String`	Process that attempted to execute file on the agent. This is file name part
`processPath`	`String`	Process that attempted to execute file on the agent. This is file path part
`responseMailSent`	`DateTime`	Date/time when response mail was sent from this approval request to requestor email
`file`	`String`	Full file path on the agent

approvalRequestRelated is a read-only object and has no modifiable properties.

GET Request for approvalRequestRelated

Required permissions: ‘View approval requests’

Call syntax: bit9platform/v1/approvalRequestRelated/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for approvalRequestRelated

Required permissions: ‘View approval requests’

Call syntax: bit9platform/v1/approvalRequestRelated?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» approvalRequestSummary

v1/approvalRequestSummary object exposes summary statistics for approval requests. Requires passing ageHours (timespan from now in hours, use -1 for all time) and requestType (1 = Approval Requests only, 2 = Justifications only, 3 = both Approval Requests and Justifications) as query parameters.

All Object Properties for approvalRequestSummary

Name	Type	Property Description
`id`	`Int32`	The `ageHours` parameter that was passed in
`submitted`	`Int32`	Number of new requests
`open`	`Int32`	Number of open requests
`closed`	`Int32`	Number of closed requests
`escalated`	`Int32`	Number of escalated requests
`outdated`	`Int32`	Number of outdated requests

approvalRequestSummary is a read-only object and has no modifiable properties.

GET Request for approvalRequestSummary

Required permissions: ‘View approval requests’

Call syntax: bit9platform/v1/approvalRequestSummary?ageHours={ageHours}&requestType={requestType}

Name	Source	Type	Description
`ageHours`	FromUri	Int32
`requestType`	FromUri	Int32

GET Request for approvalRequestSummary

Required permissions: ‘View approval requests’

Call syntax: bit9platform/v1/approvalRequestSummary/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for approvalRequestSummary

Required permissions: ‘View approval requests’

Call syntax: bit9platform/v1/approvalRequestSummary?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» cachedEvent

v1/cachedEvent object exposes cached events.

All Object Properties for cachedEvent

Name	Type	Property Description
`id`	`Int64`	Unique ID of this event/view combination
`eventId`	`Int64`	Event ID
`viewId`	`Int32`	Id of the saved view to which this record belongs
`timestamp`	`DateTime`	Date/Time when event was created (UTC)
`receivedTimestamp`	`DateTime`	Date/Time when event was received by the server (UTC)
`description`	`String`	Event description
`type`	`Int32`	Event type. Can be one of:0 = Server Management1 = Session Management2 = Computer Management3 = Policy Management4 = Policy Enforcement5 = Discovery6 = General Management8 = Internal Events
`subtype`	`Int32`	Event subtype. Can be one of event subtype IDs
`subtypeName`	`String`	Event subtype as string
`ipAddress`	`String`	IP address associated with this event
`computerId`	`Int32`	Id of `computer` associated with this eventThis is a foreign key and can be expanded to expose fields from the related `computer` object
`computerName`	`String`	Name of computer associated with this event
`policyId`	`Int32`	Id of `policy` where agent was at the time of the eventThis is a foreign key and can be expanded to expose fields from the related `policy` object
`policyName`	`String`	Name of policy where agent was at the time of the event
`fileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with file for this eventThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`installerFileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with installer for this eventThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`processFileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with process for this eventThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`fileName`	`String`	Name of the file associated with this event
`pathName`	`String`	Path of the file associated with this event
`commandLine`	`String`	Full command line associated with this event. Viewing this field requires ‘View process command lines’ permission
`processPathName`	`String`	Name of the process associated with this event
`processFileName`	`String`	Path of the process associated with this event
`process`	`String`	Path and process associated with this event
`installerFileName`	`String`	Name of the installer associated with this event
`processKey`	`String`	Process key associated with this event. This key uniquely identifies the process in both Carbon Black App Control Platform and Carbon Black EDR product
`severity`	`Int32`	Event severity. Can be one of:2 = Critical3 = Error4 = Warning5 = Notice6 = Info7 = Debug
`userName`	`String`	User name associated with this event
`ruleName`	`String`	Rule name associated with this event
`banName`	`String`	Ban name associated with this event
`updaterName`	`String`	Updater name associated with this event
`rapfigName`	`String`	Rapid Config name associated with this event
`indicatorName`	`String`	Advanced threat indicator name associated with this event
`indicatorSetName`	`String`	Advanced threat indicator set name associated with this event
`param1`	`String`	Internal string parameter 1
`param2`	`String`	Internal string parameter 2
`param3`	`String`	Internal string parameter 3
`stringId`	`Int32`	Internal string Id used for description
`unifiedSource`	`String`	Unified server name that created this event
`clVersion`	`Int32`	CL version associated with this event
`eventRuleId`	`Int32`	Id of the event rule associated with this event
`customRuleId`	`Int32`	Id of the rule associated with this eventThis is a foreign key and can be expanded to expose fields from the related `customRule` object
`fileRuleId`	`Int32`	Id of the file rule associated with this eventThis is a foreign key and can be expanded to expose fields from the related `fileRule` object
`installEventId`	`Int32`	Id of the install event associated with this event
`pathNameId`	`Int32`	Id of the file path associated with this event
`processPathNameId`	`Int32`	Id of the file path of the process associated with this event
`fileNameId`	`Int32`	Id of the name of the file associated with this event
`fileFirstExecutionDate`	`DateTime`	Date of the first execution of the file associated with this event
`sha256`	`String`	SHA-256 hash of the file associated with this event
`computerPolicyId`	`Int32`	Id of the policy this computer is in
`platformId`	`Int32`	Id of the platform of this computer.Can be one of: 1 = Windows2 = Mac4 = Linux
`installerHash`	`String`	SHA-256 hash of the installer file associated with this event
`processHash`	`String`	SHA-256 hash of the process associated with this event
`computerTag`	`String`	Custom tag on the computer
`osName`	`String`	Computer’s operating system
`agentVersion`	`String`	Version of the agent running on the computer associated with this event
`fileTrust`	`Int32`	Trust value of the file associated with this event
`fileTrustMessages`	`String`	Trust messages from the file associated with this event
`fileThreat`	`Int16`	Threat value of the file associated with this event
`filePrevalence`	`Int32`	Prevalence of the file associated with this event
`processTrust`	`Int32`	Trust value of the process associated with this event
`processTrustMessages`	`String`	Trust messages from the process associated with this event
`processThreat`	`Int16`	Threat value of the process associated with this event
`processPrevalence`	`Int32`	Prevalence of the process associated with this event

cachedEvent is a read-only object and has no modifiable properties.

GET Request for cachedEvent

Required permissions: ‘View events’

Call syntax: bit9platform/v1/cachedEvent/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for cachedEvent

Required permissions: ‘View events’

Call syntax: bit9platform/v1/cachedEvent?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» certificate

v1/certificate object exposes certificates found on endpoints and allows changing certificate state.

All Object Properties for certificate

Name	Type	Property Description
`id`	`Int32`	Unique certificate id
`parentCertificateId`	`Int32`	Id of a parent `certificate` in a certificate chainThis is a foreign key and can be expanded to expose fields from the related `certificate` object
`publisherId`	`Int32`	Id of `publisher` for this certificatesThis is a foreign key and can be expanded to expose fields from the related `publisher` object
`thumbprint`	`String`	Thumbprint hash of the certificate
`thumbprintAlgorithm`	`String`	Algorithm used to calculate thumbprint of the certificate
`subjectName`	`String`	Certificate subject name
`signatureAlgorithm`	`String`	Certificate signature algorithm
`serialNumber`	`String`	Certificate serial number
`validFrom`	`DateTime`	Certificate valid from date (UTC)
`validTo`	`DateTime`	Certificate valid to date (UTC)
`publicKeyAlgorithm`	`String`	Certificate public key algorithm
`publicKeySize`	`Int32`	Certificate public key size in bits
`firstSeenComputerId`	`Int32`	Id of `computer` where this certificate was first seenThis is a foreign key and can be expanded to expose fields from the related `computer` object
`description`	`String`	Description of certificate given by the user
`sourceType`	`Int32`	Mechanism that changed publisher state. Can be one of: 1 = Manual5 = External (API)
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedByUser`	`String`	User that last modified this object
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`intermediary`	`Boolean`	True if certificate is intermediary certificate in the chain
`valid`	`Boolean`	True if certificate is valid
`embedded`	`Boolean`	True if certificate was seen as embedded signer of a file
`detached`	`Boolean`	True if certificate was seen as detached signer of a file
`signer`	`Boolean`	True if certificate was seen signing a file
`cosigner`	`Boolean`	True if certificate was seen counter-signing a file
`certificateHash`	`String`	Sha-256 hash of the certificate
`uniqueSignedFiles`	`Int32`	Number of unique files that were found signed with this certificate
`pathPositionId`	`Int32`	Certificate position in the certificate chain. Can be one of: 1=Leaf certificate 2=Intermediary certificate 3=Root certificate
`lastValidation`	`DateTime`	Last time this certificate was validated (UTC)
`validationErrorCode`	`Int32`	Certificate validation error code (0 means no error)
`validationError`	`String`	Certificate validation error (in case error happened on last validation)
`certificateState`	`Int32`	One of assigned states: 1=Unapproved 2=Approved 3=Banned
`certificateEffectiveState`	`Int32`	One of effective states (taking into account other certificate in the chain): 1=Unapproved 2=Approved 3=Banned 4=Mixed (mix of approved and banned based on policy)
`clVersion`	`Int64`	CL version associated with this certificate
`certificateGlobalState`	`String`	The default certificate state for all hosts
`certificateGlobalStateDetails`	`String`	The default certificate state details
`certificateStateSource`	`String`	How the certificate got into this state
`agentTrust`	`Boolean`	Whether this certificate is one that can be trusted by the agent for secure communication
`agentTrustEnabled`	`Boolean`	Whether the agent trusts this certificate for secure communication

Properties modifiable Using PUT/POST Request for certificate

Name	Type	Property Description
`description`	`String`	New certificate description
`sourceType`	`Int32`	Mechanism that changed publisher state. Can be one of: 1 = Manual5 = External (API)
`certificateState`	`Int32`	New state of the certificate. Valid states are: 1=Unapproved 2=Approved 3=Banned
`agentTrust`	`Boolean`	Whether this certificate is one that can be trusted by the agent for secure communication. This value can only be changed by itself or with `agentTrustEnabled`; other changed values will be ignored.
`agentTrustEnabled`	`Boolean`	Whether the agent trusts this certificate for secure communication. This value can only be changed by itself or with `agentTrust`; other changed values will be ignored.

POST Request for certificate

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/certificate

Name	Source	Type	Description
`value`	FromBody	certificate

PUT Request for certificate

Required permissions: ‘View software rules pages’, ‘Manage publisher rules’

Call syntax: bit9platform/v1/certificate/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	certificate

DELETE Request for certificate

Required permissions: ‘View software rules pages’, ‘Manage publisher rules’

Call syntax: bit9platform/v1/certificate/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for certificate

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/certificate/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for certificate

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/certificate?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» certificateBinary

v1/certificateBinary object exposes certificate binary information.

All Object Properties for certificateBinary

Name	Type	Property Description
`id`	`Int32`	Unique certificate id
`asString`	`String`	Content of certificate as text

Properties modifiable Using PUT/POST Request for certificateBinary

Name	Type	Property Description
`asString`	`String`	Content of certificate as text

POST Request for certificateBinary

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/certificateBinary

Name	Source	Type	Description
`value`	FromBody	certificateBinary

PUT Request for certificateBinary

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/certificateBinary/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	certificateBinary

DELETE Request for certificateBinary

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/certificateBinary/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for certificateBinary

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/certificateBinary/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for certificateBinary

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/certificateBinary?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» clientRegistrationCode

v1/clientRegistrationCode object Allows generation and modification of client registration codes.

All Object Properties for clientRegistrationCode

Name	Type	Property Description
`id`	`Int32`	Unique identifier of this registration code
`registrationCode`	`String`	Alphanumeric code to be used by clients to activate registration (Max length 24 characters, read-only)
`dateCreated`	`DateTime`	Date this code was generated
`enabled`	`Boolean`	Is the code active?
`createdBy`	`Int32`	User ID of the user who generated the code
`dateCreatedCode`	`String`	Formatted version of the dateCreated field used for searching. (Read-only)

clientRegistrationCode is a read-only object and has no modifiable properties.

POST Request for clientRegistrationCode

Required permissions: ‘View system configuration’, ‘Manage system configuration’

Call syntax: bit9platform/v1/clientRegistrationCode

Name	Source	Type	Description
`value`	FromBody	clientRegistrationCode

PUT Request for clientRegistrationCode

Required permissions: ‘View system configuration’, ‘Manage system configuration’

Call syntax: bit9platform/v1/clientRegistrationCode/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	clientRegistrationCode

GET Request for clientRegistrationCode

Required permissions: ‘View system configuration’

Call syntax: bit9platform/v1/clientRegistrationCode/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for clientRegistrationCode

Required permissions: ‘View system configuration’

Call syntax: bit9platform/v1/clientRegistrationCode?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» companyName

v1/companyName object exposes company names the server has encountered. Note that this is read-only API.

All Object Properties for companyName

Name	Type	Property Description
`id`	`Int32`	Unique company Id
`name`	`String`	Company name

companyName is a read-only object and has no modifiable properties.

GET Request for companyName

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/companyName/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for companyName

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/companyName?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» computer

v1/computer object exposes computer-related properties for Carbon Black App Control Agent. It allows following modifications:

Moving computers to different policies
Upgrading Carbon Black App Control Agent
Templating computers for VDI
Changing debugging properties of computers
Requesting advanced computer actions

All Object Properties for computer

Name	Type	Property Description
`id`	`Int32`	Unique computer id
`name`	`String`	Computer name
`computerTag`	`String`	Custom computer tag
`description`	`String`	Description of this computer
`policyId`	`Int32`	Id of `policy` this computer belongs toThis is a foreign key and can be expanded to expose fields from the related `policy` object
`previousPolicyId`	`Int32`	Id of `policy` this computer belongs to before the latest policy changeThis is a foreign key and can be expanded to expose fields from the related `policy` object
`policyName`	`String`	Name of the policy this computer belongs to
`automaticPolicy`	`Boolean`	True if this computer’s policy is assigned automatically through AD
`localApproval`	`Boolean`	True if this computer is in local approval mode
`users`	`String`	List of last logged in users
`ipAddress`	`String`	Last known IP address of this computer
`connected`	`Boolean`	True if this computer is connected
`enforcementLevel`	`Int32`	Current enforcement level. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 35=Local approval 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
`disconnectedEnforcementLevel`	`Int32`	Current enforcement level for disconnected computers. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 35=Local approval 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
`CLIPassword`	`String`	CLI password for this computer. Viewing this field requires ‘Manage computers’ permission
`lastRegisterDate`	`DateTime`	Last date/time this computer registered to the server (UTC)
`lastPollDate`	`DateTime`	Last date/time this computer contacted the server (UTC)
`osShortName`	`String`	Short OS name
`osName`	`String`	Long OS name
`platformId`	`Int32`	Platform Id. Can be one of: 1 = Windows2 = Mac4 = Linux
`virtualized`	`String`	True if computer is virtualized
`virtualPlatform`	`String`	If computer is virtualized, this is platform
`dateCreated`	`DateTime`	Date this computer was first registered
`agentVersion`	`String`	Version of Carbon Black App Control Platform agent
`daysOffline`	`Int32`	Number of days this computer was offline
`uninstalled`	`Boolean`	True if this computer was uninstalled
`deleted`	`Boolean`	True if computer is disabled
`processorCount`	`Int32`	Number of processor cores on this computer
`processorSpeed`	`Double`	Processor speed
`processorModel`	`String`	Processor model
`machineModel`	`String`	Machine model
`memorySize`	`Int32`	Memory size in MB
`upgradeStatus`	`String`	Upgrade status
`upgradeError`	`String`	Last upgrade error
`upgradeErrorTime`	`DateTime`	Last time upgrade error changed
`upgradeErrorCount`	`Int32`	Number of times last upgrade error happened so far
`syncFlags`	`Int32`	Status of synchronization on this agent. Can be combination of: 0x01=Agent is going through initialization 0x02=Agent is going through full cache re-synch 0x08=Agent config list is out of date 0x10=Agent Enforcement is out of date 0x20=Kernel is not connected to the agent 0x40=Agent events timestamps indicate that system clock is out of synch 0x80=Agent has failed the health check 0x100=This is clone that is tracking only new files 0x200=This version of kernel is not supported by the agent (Linux only)
`refreshFlags`	`Int32`	Refresh flags for this agent. Can be combination of: 0x01=Complete resynch of agent NAB and installer table is requested 0x02=Rescan of programs installed on the computer is requested0x20=Tell agent to refresh config list 0x40=Force this agent to reregister with new cookie 0x200=Trigger agent Reboot 0x1000=Tell agent to refresh config list from the file 0x4000 Boost the priority of this agent over all others permanently (until it is de-prioritized)
`policyStatus`	`String`	Status of policy on this agent
`policyStatusDetails`	`String`	Detailed status of policy on this agent
`prioritized`	`Boolean`	True if computer is prioritized
`macAddress`	`String`	MAC address of adapter used to connect to the Carbon Black App Control Server
`debugLevel`	`Int32`	Requested debug level of the agent. Once the agent accepts this debug level, its value will be reflected in the activeDebugLevel field. Range is from 0 (none) to 8 (verbose)
`kernelDebugLevel`	`Int32`	Requested kernel debug level of the agent. Once the agent accepts this debug level, its value will be reflected in the activeKernelDebugLevel field. Range is from 0 (none) to 5 (verbose)
`debugFlags`	`Int32`	Requested debug flags on the agent. Once the agent accepts these flags, there value will be reflected in the activeDebugFlags field.This value can be 0 or combination of:0x01 = Upload debug files now0x10 = Enable full memory dumps0x40 = Delete debug files0x80 = Upload agent cache0x200 = Save verbose debug info + counters to the cache when copied/uploaded0x400 = Generate and upload an analysis.bt9 file that contains various constraint violation analysis information0x800 = Run a health check and send results to server0x4000 = Agent will restore its database from a backup on next restart0x8000 = Restart the agent service0x10000 = Agent will delete its database and re-initialize on next restart
`debugDuration`	`Int32`	Requested agent debug duration in minutes
`activeDebugLevel`	`Int32`	Currently active debug level of the agent. Range is from 0 (none) to 8 (verbose)
`activeKernelDebugLevel`	`Int32`	Currently active kernel debug level of the agent. Range is from 0 (none) to 5 (verbose)
`activeDebugFlags`	`Int32`	Currently active debug flags on the agent. Can be 0 or combination of:0x01 = Upload debug files now0x10 = Enable full memory dumps0x40 = Delete debug files0x80 = Upload agent cache0x200 = Save verbose debug info + counters to the cache when copied/uploaded0x400 = Generate and upload an analysis.bt9 file that contains various constraint violation analysis information0x800 = Run a health check and send results to server
`ccLevel`	`Int32`	Cache consistency check level set for agent. Can be one of: 0 = None1 = Quick verification2 = Rescan known files3 = Full scan for new files
`ccFlags`	`Int32`	Cache consistency check flags set for agent. Can be 0 or combination of: 0x0001 = Whether this is just a test run or not0x0002 = Should the state of invalid files be preserved0x0004 = Should new files found be locally approved or not0x0008 = Should we re-evaluate whether a file’s certificate information is still valid or not0x0010 = Whether the check was scheduled or not0x0020 = Whether the agent should run constraint checks to test for invalid results0x0040 = Whether we are only searching for new script types as a result of a change to what ‘IsScript’ means0x0080 = Whether we are doing a level 3 check for initialization0x0100 = This cache check is to remediate CR# 180410x0200 = Force the re-evaluation of the IsCrawlable state and archive type
`supportedKernel`	`Boolean`	True if current computer kernel version is supported
`forceUpgrade`	`Boolean`	True if upgrade is forced for this computer
`hasHealthCheckErrors`	`Boolean`	True if computer has health check errors
`clVersion`	`Int32`	Current CL version of this agent
`agentMemoryDumps`	`Int32`	True if agent has memory dumps
`systemMemoryDumps`	`Int32`	True if agent has system memory dumps
`initializing`	`Boolean`	True if agent is initializing
`isActive`	`Boolean`	True if agent is active (recently connected and not deleted)
`tamperProtectionActive`	`Boolean`	True if agent’s tamper protection is active
`agentCacheSize`	`Int32`	Number of files that agent is tracking
`agentQueueSize`	`Int32`	Number of unsent file operations in agent’s queue
`syncPercent`	`Int32`	Synchronization percentage for file operations on the agent
`initPercent`	`Int32`	Initialization percentage of the agent
`tdCount`	`Int32`	Count of Trusted Directories hosted by this agent
`template`	`Boolean`	True if computer is a template
`templateComputerId`	`Int32`	Id of parent template `computer` if this is a cloneThis is a foreign key and can be expanded to expose fields from the related `computer` object
`templateDate`	`DateTime`	Date/time when this computer was templated (UTC)
`templateCloneCleanupMode`	`Int32`	Mode of template cleanup. Can be one of:1=Manual (from console)2=Automatic, by time (specified by templateCloneCleanupTime and templateCloneCleanupTimeScale)3=Automatic, when new computer with the same name comes online4=Automatic, as soon as computer goes offline
`templateCloneCleanupTime`	`Int32`	If templateCloneCleanupMode is 2, this is time before clone is cleaned up. Time unit is specified in templateCloneCleanupTimeScale
`templateCloneCleanupTimeScale`	`Int32`	Time unit of template cleanup. Can be one of:1=Hours2=Days3=Weeks
`templateTrackModsOnly`	`Boolean`	If True, clones of this template will track only new and modified files
`cbSensorId`	`Int32`	ID of Carbon Black sensor. If 0, sensor is not installed on this computer
`cbSensorVersion`	`String`	Version of Carbon Black sensor if installed
`cbSensorFlags`	`Int32`	Carbon Black sensor flags. Can be combination of:1 = User mode service is running2 = Kernel driver is running
`cbSensorStatus`	`String`	Carbon Black sensor status.
`hasDuplicates`	`Boolean`	True if this computer has duplicate entries based on computer name
`yaraVersion`	`Int32`	Current Yara version of this agent
`SCEPStatus`	`Int32`	Status of SCEP protection. Can be one of following values:0 = Unknown1 = Not Present2 = Disabled3 = Outdated4 = Active
`usingCommunicationKey`	`Boolean`	True if the agent is using the communication key to encrypt communications

Properties modifiable Using PUT/POST Request for computer

Name	Type	Property Description
`name`	`String`	Computer name can be changed only if computer is a template
`computerTag`	`String`	Custom computer tag
`description`	`String`	Description of this computer
`policyId`	`Int32`	New Id of `policy` for this computer. PolicyId is ignored if either automaticPolicy us True or localApproval is True
`automaticPolicy`	`Boolean`	True if this policy is assigned automatically through AD. Has to be False if localApproval is True
`localApproval`	`Boolean`	True if this computer is currently in local approval mode. Has to be False if automaticPolicy is True
`refreshFlags`	`Int32`	Change refresh flags for this agent. Can be combination of: 0x01=Complete resynch of agent NAB and installer table is requested 0x02=Rescan of programs installed on the computer is requested0x20=Tell agent to refresh config list 0x40=Force this agent to reregister with new cookie 0x200=Trigger agent Reboot. 0x1000=Tell agent to refresh config list from the file 0x4000 Boost the priority of this agent over all others permanently (until it is de-prioritized)
`prioritized`	`Boolean`	True to prioritize this computer
`debugLevel`	`Int32`	Requested debug level of agent. Once the agent accepts this debug level, its value will be reflected in the activeDebugLevel field. Range is from 0 (none) to 8 (verbose)
`kernelDebugLevel`	`Int32`	Requested kernel debug level of agent. Once the agent accepts this debug level, its value will be reflected in the activeKernelDebugLevel field. Range is from 0 (none) to 5 (verbose)
`debugFlags`	`Int32`	Requested debug flags. Once the agent accepts these flags, there value will be reflected in the activeDebugFlags field. Can be 0 or combination of:0x01 = Upload debug files now0x10 = Enable full memory dumps0x40 = Delete debug files0x80 = Upload agent cache0x200 = Save verbose debug info + counters to the cache when copied/uploaded0x400 = Generate and upload an analysis.bt9 file that contains various constraint violation analysis information0x800 = Run a health check and send results to server0x4000 = Agent will restore its database from a backup on next restart0x8000 = Restart the agent service0x10000 = Agent will delete its database and re-initialize on next restartThis value can be changed only if ‘changeDiagnostics’ request parameter is set to true.
`debugDuration`	`Int32`	Debug duration in minutes. This value can be changed only if ‘changeDiagnostics’ request parameter is set to true.
`ccLevel`	`Int32`	Cache consistency check level set for agent. Can be one of: 0 = None1 = Quick verification2 = Rescan known files3 = Full scan for new filesThis value can be changed only if ‘changeDiagnostics’ request parameter is set to true.
`ccFlags`	`Int32`	Cache consistency check flags set for agent. Can be 0 or combination of: 0x0001 = Whether this is just a test run or not0x0002 = Should the state of invalid files be preserved0x0004 = Should new files found be locally approved or not0x0008 = Should we re-evaluate whether a file’s certificate information is still valid or not0x0010 = Whether the check was scheduled or not0x0020 = Whether the agent should run constraint checks to test for invalid results0x0040 = Whether we are only searching for new script types as a result of a change to what ‘IsScript’ means0x0080 = Whether we are doing a level 3 check for initialization0x0100 = This cache check is to remediate CR# 180410x0200 = Force the re-evaluation of the IsCrawlable state and archive typeThis value can be changed only if ‘changeDiagnostics’ request parameter is set to true.
`forceUpgrade`	`Boolean`	True to force upgrade for this computer
`template`	`Boolean`	True if computer is a VDI template. This value can be changed only if ‘changeTemplate’ request parameter is set to true.
`templateCloneCleanupMode`	`Int32`	Mode of template cleanup. Can be one of:1=Manual (from console)2=Automatic, by time (specified by templateCloneCleanupTime and templateCloneCleanupTimeScale)3=Automatic, when new computer with the same name comes online4=Automatic, as soon as computer goes offlineThis value can be changed only if ‘changeTemplate’ request parameter is set to true.
`templateCloneCleanupTime`	`Int32`	If templateCloneCleanupMode is 2, this is time before clone is cleaned up. Time unit is specified in templateCloneCleanupTimeScale.This value can be changed only if ‘changeTemplate’ request parameter is set to true.
`templateCloneCleanupTimeScale`	`Int32`	Time unit of template cleanup. Can be one of:1=Hours2=Days3=WeeksThis value can be changed only if ‘changeTemplate’ request parameter is set to true.
`templateTrackModsOnly`	`Boolean`	If True, clones of this template will track only new and modified files. This value can be changed only if ‘changeTemplate’ request parameter is set to true.

POST Request for computer

Required permissions: ‘View computers’

Call syntax: bit9platform/v1/computer?changeDiagnostics={changeDiagnostics}&changeTemplate={changeTemplate}&delete={delete}&resetCLIPassword={resetCLIPassword}&newTamperProtectionActive={newTamperProtectionActive}

Name	Source	Type
`value`	FromBody	computer
`changeDiagnostics`	FromUri	Boolean
`changeTemplate`	FromUri	Boolean
`delete`	FromUri	Boolean
`resetCLIPassword`	FromUri	Boolean
`newTamperProtectionActive`	FromUri	Nullable`1

PUT Request for computer

Required permissions: ‘View computers’

Call syntax: bit9platform/v1/computer/{id}?changeDiagnostics={changeDiagnostics}&changeTemplate={changeTemplate}&delete={delete}&resetCLIPassword={resetCLIPassword}&newTamperProtectionActive={newTamperProtectionActive}

Name	Source	Type
`id`	FromUri	Int32
`value`	FromBody	computer
`changeDiagnostics`	FromUri	Boolean
`changeTemplate`	FromUri	Boolean
`delete`	FromUri	Boolean
`resetCLIPassword`	FromUri	Boolean
`newTamperProtectionActive`	FromUri	Nullable`1

DELETE Request for computer

Required permissions: ‘View computers’

Call syntax: bit9platform/v1/computer/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for computer

Required permissions: ‘View computers’

Call syntax: bit9platform/v1/computer/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for computer

Required permissions: ‘View computers’

Call syntax: bit9platform/v1/computer?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» computerDiagnostics

v1/computerDiagnostics object exposes computer-related properties for Carbon Black App Control Agent. It allows following modifications:

Moving computers to different policies
Upgrading Carbon Black App Control Agent
Templating computers for VDI
Changing debugging properties of computers
Requesting advanced computer actions

All Object Properties for computerDiagnostics

Name	Type	Property Description
`id`	`Int32`	Unique computer id
`name`	`String`	Computer name
`computerTag`	`String`	Custom computer tag
`description`	`String`	Description of this computer
`policyId`	`Int32`	Id of `policy` this computer belongs toThis is a foreign key and can be expanded to expose fields from the related `policy` object
`previousPolicyId`	`Int32`	Id of `policy` this computer belongs to before the latest policy changeThis is a foreign key and can be expanded to expose fields from the related `policy` object
`policyName`	`String`	Name of the policy this computer belongs to
`automaticPolicy`	`Boolean`	True if this computer’s policy is assigned automatically through AD
`localApproval`	`Boolean`	True if this computer is in local approval mode
`users`	`String`	List of last logged in users
`ipAddress`	`String`	Last known IP address of this computer
`connected`	`Boolean`	True if this computer is connected
`enforcementLevel`	`Int32`	Current enforcement level. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 35=Local approval 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
`disconnectedEnforcementLevel`	`Int32`	Current enforcement level for disconnected computers. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 35=Local approval 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
`CLIPassword`	`String`	CLI password for this computer. Viewing this field requires ‘Manage computers’ permission
`lastRegisterDate`	`DateTime`	Last date/time this computer registered to the server (UTC)
`lastPollDate`	`DateTime`	Last date/time this computer contacted the server (UTC)
`osShortName`	`String`	Short OS name
`osName`	`String`	Long OS name
`platformId`	`Int32`	Platform Id. Can be one of: 1 = Windows2 = Mac4 = Linux
`virtualized`	`String`	True if computer is virtualized
`virtualPlatform`	`String`	If computer is virtualized, this is platform
`dateCreated`	`DateTime`	Date this computer was first registered
`agentVersion`	`String`	Version of Carbon Black App Control Platform agent
`daysOffline`	`Int32`	Number of days this computer was offline
`uninstalled`	`Boolean`	True if this computer was uninstalled
`deleted`	`Boolean`	True if computer is disabled
`processorCount`	`Int32`	Number of processor cores on this computer
`processorSpeed`	`Double`	Processor speed
`processorModel`	`String`	Processor model
`machineModel`	`String`	Machine model
`memorySize`	`Int32`	Memory size in MB
`upgradeStatus`	`String`	Upgrade status
`upgradeError`	`String`	Last upgrade error
`upgradeErrorTime`	`DateTime`	Last time upgrade error changed
`upgradeErrorCount`	`Int32`	Number of times last upgrade error happened so far
`syncFlags`	`Int32`	Status of synchronization on this agent. Can be combination of: 0x01=Agent is going through initialization 0x02=Agent is going through full cache re-synch 0x08=Agent config list is out of date 0x10=Agent Enforcement is out of date 0x20=Kernel is not connected to the agent 0x40=Agent events timestamps indicate that system clock is out of synch 0x80=Agent has failed the health check 0x100=This is clone that is tracking only new files 0x200=This version of kernel is not supported by the agent (Linux only)
`refreshFlags`	`Int32`	Refresh flags for this agent. Can be combination of: 0x01=Complete resynch of agent NAB and installer table is requested 0x02=Rescan of programs installed on the computer is requested0x20=Tell agent to refresh config list 0x40=Force this agent to reregister with new cookie 0x200=Trigger agent Reboot 0x1000=Tell agent to refresh config list from the file 0x4000 Boost the priority of this agent over all others permanently (until it is de-prioritized)
`policyStatus`	`String`	Status of policy on this agent
`policyStatusDetails`	`String`	Detailed status of policy on this agent
`prioritized`	`Boolean`	True if computer is prioritized
`macAddress`	`String`	MAC address of adapter used to connect to the Carbon Black App Control Server
`debugLevel`	`Int32`	Requested debug level of the agent. Once the agent accepts this debug level, its value will be reflected in the activeDebugLevel field. Range is from 0 (none) to 8 (verbose)
`kernelDebugLevel`	`Int32`	Requested kernel debug level of the agent. Once the agent accepts this debug level, its value will be reflected in the activeKernelDebugLevel field. Range is from 0 (none) to 5 (verbose)
`debugFlags`	`Int32`	Requested debug flags on the agent. Once the agent accepts these flags, there value will be reflected in the activeDebugFlags field.This value can be 0 or combination of:0x01 = Upload debug files now0x10 = Enable full memory dumps0x40 = Delete debug files0x80 = Upload agent cache0x200 = Save verbose debug info + counters to the cache when copied/uploaded0x400 = Generate and upload an analysis.bt9 file that contains various constraint violation analysis information0x800 = Run a health check and send results to server0x4000 = Agent will restore its database from a backup on next restart0x8000 = Restart the agent service0x10000 = Agent will delete its database and re-initialize on next restart
`debugDuration`	`Int32`	Requested agent debug duration in minutes
`activeDebugLevel`	`Int32`	Currently active debug level of the agent. Range is from 0 (none) to 8 (verbose)
`activeKernelDebugLevel`	`Int32`	Currently active kernel debug level of the agent. Range is from 0 (none) to 5 (verbose)
`activeDebugFlags`	`Int32`	Currently active debug flags on the agent. Can be 0 or combination of:0x01 = Upload debug files now0x10 = Enable full memory dumps0x40 = Delete debug files0x80 = Upload agent cache0x200 = Save verbose debug info + counters to the cache when copied/uploaded0x400 = Generate and upload an analysis.bt9 file that contains various constraint violation analysis information0x800 = Run a health check and send results to server
`ccLevel`	`Int32`	Cache consistency check level set for agent. Can be one of: 0 = None1 = Quick verification2 = Rescan known files3 = Full scan for new files
`ccFlags`	`Int32`	Cache consistency check flags set for agent. Can be 0 or combination of: 0x0001 = Whether this is just a test run or not0x0002 = Should the state of invalid files be preserved0x0004 = Should new files found be locally approved or not0x0008 = Should we re-evaluate whether a file’s certificate information is still valid or not0x0010 = Whether the check was scheduled or not0x0020 = Whether the agent should run constraint checks to test for invalid results0x0040 = Whether we are only searching for new script types as a result of a change to what ‘IsScript’ means0x0080 = Whether we are doing a level 3 check for initialization0x0100 = This cache check is to remediate CR# 180410x0200 = Force the re-evaluation of the IsCrawlable state and archive type
`supportedKernel`	`Boolean`	True if current computer kernel version is supported
`forceUpgrade`	`Boolean`	True if upgrade is forced for this computer
`hasHealthCheckErrors`	`Boolean`	True if computer has health check errors
`clVersion`	`Int32`	Current CL version of this agent
`agentMemoryDumps`	`Int32`	True if agent has memory dumps
`systemMemoryDumps`	`Int32`	True if agent has system memory dumps
`initializing`	`Boolean`	True if agent is initializing
`isActive`	`Boolean`	True if agent is active (recently connected and not deleted)
`tamperProtectionActive`	`Boolean`	True if agent’s tamper protection is active
`agentCacheSize`	`Int32`	Number of files that agent is tracking
`agentQueueSize`	`Int32`	Number of unsent file operations in agent’s queue
`syncPercent`	`Int32`	Synchronization percentage for file operations on the agent
`initPercent`	`Int32`	Initialization percentage of the agent
`tdCount`	`Int32`	Count of Trusted Directories hosted by this agent
`template`	`Boolean`	True if computer is a template
`templateComputerId`	`Int32`	Id of parent template `computer` if this is a cloneThis is a foreign key and can be expanded to expose fields from the related `computer` object
`templateDate`	`DateTime`	Date/time when this computer was templated (UTC)
`templateCloneCleanupMode`	`Int32`	Mode of template cleanup. Can be one of:1=Manual (from console)2=Automatic, by time (specified by templateCloneCleanupTime and templateCloneCleanupTimeScale)3=Automatic, when new computer with the same name comes online4=Automatic, as soon as computer goes offline
`templateCloneCleanupTime`	`Int32`	If templateCloneCleanupMode is 2, this is time before clone is cleaned up. Time unit is specified in templateCloneCleanupTimeScale
`templateCloneCleanupTimeScale`	`Int32`	Time unit of template cleanup. Can be one of:1=Hours2=Days3=Weeks
`templateTrackModsOnly`	`Boolean`	If True, clones of this template will track only new and modified files
`cbSensorId`	`Int32`	ID of Carbon Black sensor. If 0, sensor is not installed on this computer
`cbSensorVersion`	`String`	Version of Carbon Black sensor if installed
`cbSensorFlags`	`Int32`	Carbon Black sensor flags. Can be combination of:1 = User mode service is running2 = Kernel driver is running
`cbSensorStatus`	`String`	Carbon Black sensor status.
`hasDuplicates`	`Boolean`	True if this computer has duplicate entries based on computer name
`yaraVersion`	`Int32`	Current Yara version of this agent
`SCEPStatus`	`Int32`	Status of SCEP protection. Can be one of following values:0 = Unknown1 = Not Present2 = Disabled3 = Outdated4 = Active
`usingCommunicationKey`	`Boolean`	True if the agent is using the communication key to encrypt communications
`duplicateCount`	`Int32`	Number of duplicate register attempts
`agentReadyToInitialize`	`Boolean`	True if the computer’s agent is currently ready to initialize
`agentUpToDate`	`Boolean`	True if the computer’s agent is up to date
`upgradedAgent`	`Boolean`	True if the computer’s agent has been upgraded
`cloneInventory`	`Boolean`	Designates what files to copy when cloning this machine (0 = New and Modified Files, 1 = All Files)
`usingArchivedKey`	`Boolean`	True if the computer is currently using an archived key
`usingDisabledKey`	`Boolean`	True if the computer is currently using a disabled key
`cloneCount`	`Int32`	Number of clones created from this computer
`auditDate`	`DateTime`	The date of the last audit performed on this computer
`diagnosticsDate`	`DateTime`	The date of the last diagnostic run on this computer
`totalEvents`	`Int64`	Total events from this computer
`totalAgentOperations`	`Int64`	Total file operations
`totalAgentChgOperations`	`Int64`	Total file change operations
`resynchCount`	`Int32`	Total resynchronization operations on this computer
`eventQueueSize`	`Int32`	Size of the event queue on this computer
`eventQueueDiff`	`Int32`	Size of today’s event queue as compared to yesterday’s
`agentQueueDiff`	`Int32`	Size of today’s file queue as compared to yesterday’s
`totalEventsDiff`	`Int64`	Number of today’s events as compared to yesterday’s
`totalAgentOperationsDiff`	`Int64`	Number of today’s file operations as compared to yesterday’s
`totalAgentChgOperationsDiff`	`Int64`	Number of today’s file change operations as compared to yesterday’s
`totalAgentInitOperationsDiff`	`Int64`	Number of today’s initialization operations as compared to yesterday’s
`totalAgentChurn`	`Int64`	Daily file churn on this computer
`resynchCountDiff`	`Int32`	Number of today’s resynchronization operations as compared to yesterday’s
`agentCacheSizeDiff`	`Int32`	Number of files the agent is tracking today as compared to yesterday
`registerCount`	`Int32`	Number of times this computer has registered with the server
`registerCountDiff`	`Int32`	Number of today’s server registrations as compared to yesterday’s

Properties modifiable Using PUT/POST Request for computerDiagnostics

Name	Type	Property Description
`name`	`String`	Computer name can be changed only if computer is a template
`computerTag`	`String`	Custom computer tag
`description`	`String`	Description of this computer
`policyId`	`Int32`	New Id of `policy` for this computer. PolicyId is ignored if either automaticPolicy us True or localApproval is True
`automaticPolicy`	`Boolean`	True if this policy is assigned automatically through AD. Has to be False if localApproval is True
`localApproval`	`Boolean`	True if this computer is currently in local approval mode. Has to be False if automaticPolicy is True
`refreshFlags`	`Int32`	Change refresh flags for this agent. Can be combination of: 0x01=Complete resynch of agent NAB and installer table is requested 0x02=Rescan of programs installed on the computer is requested0x20=Tell agent to refresh config list 0x40=Force this agent to reregister with new cookie 0x200=Trigger agent Reboot. 0x1000=Tell agent to refresh config list from the file 0x4000 Boost the priority of this agent over all others permanently (until it is de-prioritized)
`prioritized`	`Boolean`	True to prioritize this computer
`debugLevel`	`Int32`	Requested debug level of agent. Once the agent accepts this debug level, its value will be reflected in the activeDebugLevel field. Range is from 0 (none) to 8 (verbose)
`kernelDebugLevel`	`Int32`	Requested kernel debug level of agent. Once the agent accepts this debug level, its value will be reflected in the activeKernelDebugLevel field. Range is from 0 (none) to 5 (verbose)
`debugFlags`	`Int32`	Requested debug flags. Once the agent accepts these flags, there value will be reflected in the activeDebugFlags field. Can be 0 or combination of:0x01 = Upload debug files now0x10 = Enable full memory dumps0x40 = Delete debug files0x80 = Upload agent cache0x200 = Save verbose debug info + counters to the cache when copied/uploaded0x400 = Generate and upload an analysis.bt9 file that contains various constraint violation analysis information0x800 = Run a health check and send results to server0x4000 = Agent will restore its database from a backup on next restart0x8000 = Restart the agent service0x10000 = Agent will delete its database and re-initialize on next restartThis value can be changed only if ‘changeDiagnostics’ request parameter is set to true.
`debugDuration`	`Int32`	Debug duration in minutes. This value can be changed only if ‘changeDiagnostics’ request parameter is set to true.
`ccLevel`	`Int32`	Cache consistency check level set for agent. Can be one of: 0 = None1 = Quick verification2 = Rescan known files3 = Full scan for new filesThis value can be changed only if ‘changeDiagnostics’ request parameter is set to true.
`ccFlags`	`Int32`	Cache consistency check flags set for agent. Can be 0 or combination of: 0x0001 = Whether this is just a test run or not0x0002 = Should the state of invalid files be preserved0x0004 = Should new files found be locally approved or not0x0008 = Should we re-evaluate whether a file’s certificate information is still valid or not0x0010 = Whether the check was scheduled or not0x0020 = Whether the agent should run constraint checks to test for invalid results0x0040 = Whether we are only searching for new script types as a result of a change to what ‘IsScript’ means0x0080 = Whether we are doing a level 3 check for initialization0x0100 = This cache check is to remediate CR# 180410x0200 = Force the re-evaluation of the IsCrawlable state and archive typeThis value can be changed only if ‘changeDiagnostics’ request parameter is set to true.
`forceUpgrade`	`Boolean`	True to force upgrade for this computer
`template`	`Boolean`	True if computer is a VDI template. This value can be changed only if ‘changeTemplate’ request parameter is set to true.
`templateCloneCleanupMode`	`Int32`	Mode of template cleanup. Can be one of:1=Manual (from console)2=Automatic, by time (specified by templateCloneCleanupTime and templateCloneCleanupTimeScale)3=Automatic, when new computer with the same name comes online4=Automatic, as soon as computer goes offlineThis value can be changed only if ‘changeTemplate’ request parameter is set to true.
`templateCloneCleanupTime`	`Int32`	If templateCloneCleanupMode is 2, this is time before clone is cleaned up. Time unit is specified in templateCloneCleanupTimeScale.This value can be changed only if ‘changeTemplate’ request parameter is set to true.
`templateCloneCleanupTimeScale`	`Int32`	Time unit of template cleanup. Can be one of:1=Hours2=Days3=WeeksThis value can be changed only if ‘changeTemplate’ request parameter is set to true.
`templateTrackModsOnly`	`Boolean`	If True, clones of this template will track only new and modified files. This value can be changed only if ‘changeTemplate’ request parameter is set to true.

GET Request for computerDiagnostics

Required permissions: ‘Manage system configuration’

Call syntax: bit9platform/v1/computerDiagnostics/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for computerDiagnostics

Required permissions: ‘Manage system configuration’

Call syntax: bit9platform/v1/computerDiagnostics?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» computerUsername

v1/computerUsername object exposes computer usernames the server has encountered. Note that this is read-only API.

All Object Properties for computerUsername

Name	Type	Property Description
`id`	`Int32`	Unique username Id
`name`	`String`	Username

computerUsername is a read-only object and has no modifiable properties.

GET Request for computerUsername

Required permissions: ‘View login accounts and user roles’

Call syntax: bit9platform/v1/computerUsername/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for computerUsername

Required permissions: ‘View login accounts and user roles’

Call syntax: bit9platform/v1/computerUsername?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» connector

v1/connector object exposes Network Connectors for Carbon Black App Control Platform. Note that internal connectors can only be accessed as read-only (GET requests), while external connectors can also be modified (PUT/POST requests)

All Object Properties for connector

Name	Type	Property Description
`id`	`Int32`	Unique connector Id
`name`	`String`	Name of the connector
`analysisName`	`String`	Name for analysis component of the connector (can be same as the name field)
`connectorVersion`	`String`	Version of this connector
`canAnalyze`	`Boolean`	True if this connector can analyze files
`enabled`	`Boolean`	True if connector is enabled
`analysisEnabled`	`Boolean`	True if analysis component of this connector is enabled
`isInternal`	`Boolean`	True if this is internal connector
`analysisTargets`	`String[]`	Array of possible analysis targets. Analysis targets are required when creating new fileAnalysis. They usualy represent different OS and configurations and are available only for some internal connectors.

Properties modifiable Using PUT/POST Request for connector

Name	Type	Property Description
`name`	`String`	Name of the connector. Note that only non-internal connectors can be renamed
`analysisName`	`String`	Name for analysis component of the connector (can be same as the name field)
`connectorVersion`	`String`	Version of this connector
`canAnalyze`	`Boolean`	True if this connector can analyze files
`enabled`	`Boolean`	True if connector is enabled
`analysisEnabled`	`Boolean`	True if analysis component of this connector is enabled

PUT Request for connector

Required permissions: ‘View system configuration’, ‘Extend connectors through API’

Call syntax: bit9platform/v1/connector/{id}?unregister={unregister}&deleteData={deleteData}

Name	Source	Type
`id`	FromUri	Int32
`value`	FromBody	connector
`unregister`	FromUri	Boolean
`deleteData`	FromUri	Boolean

POST Request for connector

Required permissions: ‘View system configuration’, ‘Extend connectors through API’

Call syntax: bit9platform/v1/connector?unregister={unregister}&deleteData={deleteData}

Name	Source	Type
`connector`	FromBody	connector
`unregister`	FromUri	Boolean
`deleteData`	FromUri	Boolean

DELETE Request for connector

Required permissions: ‘View system configuration’, ‘Extend connectors through API’

Call syntax: bit9platform/v1/connector/{id}?deleteData={deleteData}

Name	Source	Type	Description
`id`	FromUri	Int32
`deleteData`	FromUri	Boolean

GET Request for connector

Required permissions: ‘View system configuration’

Call syntax: bit9platform/v1/connector/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for connector

Required permissions: ‘View system configuration’

Call syntax: bit9platform/v1/connector?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» consoleUsername

v1/consoleUsername object exposes console usernames. Note that this is read-only API.

All Object Properties for consoleUsername

Name	Type	Property Description
`id`	`Int32`	Unique username Id
`name`	`String`	Username

consoleUsername is a read-only object and has no modifiable properties.

GET Request for consoleUsername

Required permissions: ‘View login accounts and user roles’

Call syntax: bit9platform/v1/consoleUsername/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for consoleUsername

Required permissions: ‘View login accounts and user roles’

Call syntax: bit9platform/v1/consoleUsername?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» cpeApplication

v1/cpeApplication object Allows users to view and modify Common Platform Enumeration matches

All Object Properties for cpeApplication

Name	Type	Property Description
`id`	`Int64`	Unique id of this CPE Application
`company`	`String`	Name of the company Carbon Black App Control detected
`productName`	`String`	Name of the product Carbon Black App Control detected
`productVersion`	`String`	Version of the product Carbon Black App Control detected
`constructedCpe23Item`	`String`	A constructed CPE URI from the software Carbon Black App Control detected
`numberOfCves`	`Int32`	The number of CVE matched to this CPE
`mostDangerousCve`	`String`	The matched CVE with the highest CVSS score
`highestCvssScore`	`Decimal`	The highest CVSS score this CPE has
`modifiedByUserId`	`Int32`	Id of `user` that last modified this CPE ApplicationThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	User that last modified this CPE Application
`dateModified`	`DateTime`	Date and time when this CPE Application was last modified (UTC)
`hidden`	`Boolean`	True if this CPE Application is hidden.
`dictionaryId`	`Int64`	Id of `CpeDictionary` record matched to this CPE ApplicationThis is a foreign key and can be expanded to expose fields from the related `cpeDictionary` object
`cves`	`String`	The list of CVEs matched to this CPE

Properties modifiable Using PUT/POST Request for cpeApplication

Name	Type	Property Description
`hidden`	`Boolean`	True if this CPE Application is hidden.
`dictionaryId`	`Int64`	Id of `CpeDictionary` record matched to this CPE Application

POST Request for cpeApplication

Required permissions: ‘View files and applications’, ‘Manage files’

Call syntax: bit9platform/v1/cpeApplication?removeMatch={removeMatch}

Name	Source	Type	Description
`value`	FromBody	cpeApplication
`removeMatch`	FromUri	Boolean

GET Request for cpeApplication

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/cpeApplication/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for cpeApplication

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/cpeApplication?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» cpeApplicationFileMap

v1/cpeApplicationFileMap object Read-only map of CPE applications and the files detected to be associated with them.

All Object Properties for cpeApplicationFileMap

Name	Type	Property Description
`id`	`Int64`	Unique ID of this entry
`cpeApplicationId`	`Int64`	The internal ID of the `cpeApplication`This is a foreign key and can be expanded to expose fields from the related `cpeApplication` object
`fileId`	`Int32`	The internal ID of the `fileCatalog`This is a foreign key and can be expanded to expose fields from the related `fileCatalog` object

cpeApplicationFileMap is a read-only object and has no modifiable properties.

GET Request for cpeApplicationFileMap

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/cpeApplicationFileMap/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for cpeApplicationFileMap

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/cpeApplicationFileMap?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» cpeCveMap

v1/cpeCveMap object Read-only map of CPEs and the CVEs detected to be associated with them.

All Object Properties for cpeCveMap

Name	Type	Property Description
`id`	`Int64`	Unique ID of this entry
`cpeId`	`Int64`	The internal ID of the `cpeApplication`This is a foreign key and can be expanded to expose fields from the related `cpeApplication` object
`cveId`	`Int64`	The internal ID of the `cveInstance`This is a foreign key and can be expanded to expose fields from the related `cveInstance` object

cpeCveMap is a read-only object and has no modifiable properties.

GET Request for cpeCveMap

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/cpeCveMap/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for cpeCveMap

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/cpeCveMap?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» cpeDictionary

v1/cpeDictionary object Allows users to view Common Platform Enumeration dictionary

All Object Properties for cpeDictionary

Name	Type	Property Description
`id`	`Int64`	Unique CPE dictionary entry id
`cpe23Item`	`String`	CPE item
`vendor`	`String`	Vendor of the application
`name`	`String`	Name of the application
`version`	`String`	Version of the application
`title`	`String`	Title of the application
`deprecated`	`Boolean`	True if this application entry is deprecated.

cpeDictionary is a read-only object and has no modifiable properties.

GET Request for cpeDictionary

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/cpeDictionary/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for cpeDictionary

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/cpeDictionary?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» cveInstance

v1/cveInstance object Allows users to view Common Vulnerabilities and Exposures matches

All Object Properties for cveInstance

Name	Type	Property Description
`id`	`Int64`	Unique CVE dictionary id
`cveId`	`String`	The id of this CVE in the NIST Database
`cpeCount`	`Int32`	The number of associated CPEs present on the system
`cvss3Score`	`Decimal`	CVSSv3 vulnerability score of this CVE
`cvss3Vector`	`String`	CVSSv3 attributes of this CVE
`cvss2Score`	`Decimal`	CVSSv2 vulnerability score of this CVE
`cvss2Vector`	`String`	CVSSv2 attributes of this CVE
`cweId`	`String`	The type of vulnerability this is
`hidden`	`Boolean`	True if all applications related to the CVE is hidden
`cpes`	`String`	List of matched CPEs on the system

cveInstance is a read-only object and has no modifiable properties.

GET Request for cveInstance

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/cveInstance/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for cveInstance

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/cveInstance?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» device

v1/device object exposes device-related properties for Carbon Black App Control Agent.

All Object Properties for device

Name	Type	Property Description
`id`	`Int32`	Unique device id
`name`	`String`	Device name
`vendor`	`String`	Device vendor
`friendlyName`	`String`	User-friendly name of the device
`firstSeenComputerId`	`Int32`	Id of `computer` on which the device was first identifiedThis is a foreign key and can be expanded to expose fields from the related `computer` object
`deviceStateId`	`Int32`	Id corresponding to the device’s state
`state`	`String`	Human-readable device state
`exceptions`	`Boolean`	Exceptions
`firstSeenDate`	`DateTime`	Date when the device was first identified
`dateAcknowledged`	`DateTime`	Date when the device was acknowledged by an App Control user
`description`	`String`	Device description
`acknowledged`	`Boolean`	Has the device been acknowledged by an App Control user?
`acknowledgedByUserId`	`Int32`	User ID of the user who acknowledged the deviceThis is a foreign key and can be expanded to expose fields from the related `user` object
`acknowledgedBy`	`String`	Username of the user who acknowledged the device
`computerCount`	`Int32`	On how many computers has this device been seen
`instanceCount`	`Int32`	How many total instances of this device have been seen
`className`	`String`	Class of the device
`isRemovable`	`Boolean`	Is the device removable media
`firstSeenComputer`	`String`	Computer on which the device was first identified
`platform`	`String`	Device’s operating system
`platformId`	`Int32`	ID of the device’s operating system
`dateApprovedOrBanned`	`DateTime`	Date when the device was either approved or banned

Properties modifiable Using PUT/POST Request for device

Name	Type	Property Description
`deviceStateId`	`Int32`	Can be set to 1 (Unapproved), 2 (Approved), or 3 (Banned)
`acknowledged`	`Boolean`	Set to ‘true’ to acknowledge this device

POST Request for device

Required permissions: ‘View devices’, ‘Manage device rules’

Call syntax: bit9platform/v1/device

Name	Source	Type	Description
`value`	FromBody	device

PUT Request for device

Required permissions: ‘View devices’

Call syntax: bit9platform/v1/device/{id}?acknowledge={acknowledge}&newDeviceState={newDeviceState}

Name	Source	Type
`id`	FromUri	Int32
`acknowledge`	FromUri	Boolean
`newDeviceState`	FromUri	DeviceState

GET Request for device

Required permissions: ‘View devices’

Call syntax: bit9platform/v1/device/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for device

Required permissions: ‘View devices’

Call syntax: bit9platform/v1/device?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» deviceInstance

v1/deviceInstance object shows all storage devices found on all connected computers. Read-only.

All Object Properties for deviceInstance

Name	Type	Property Description
`id`	`Int64`	Unique identifier of this device instance
`deviceInstanceId`	`Int32`	Identifier of this device instance
`deviceId`	`Int32`	Id of device associated with this instanceThis is a foreign key and can be expanded to expose fields from the related `device` object
`name`	`String`	Device name
`vendor`	`String`	Device vendor
`friendlyName`	`String`	User-friendly name of the device
`serialNumber`	`String`	Device’s serial number
`computerId`	`Int32`	Id of computer associated with this instanceThis is a foreign key and can be expanded to expose fields from the related `computer` object
`deviceStateId`	`Int32`	Id corresponding to the device’s state
`state`	`String`	Human-readable device state
`exceptions`	`Boolean`	Exceptions
`attached`	`Boolean`	Is the device currently attached?
`lastAttachDate`	`DateTime`	Date on which device was last attached to the computer
`lastDetachDate`	`DateTime`	Date on which device was last detatched to the computer
`firstSeenDate`	`DateTime`	Date when the device was first identified
`dateAcknowledged`	`DateTime`	Date when the device was acknowledged by an App Control user
`acknowledged`	`Boolean`	Has the device been acknowledged by an App Control user?
`acknowledgedByUserId`	`Int32`	User ID of the user who acknowledged the deviceThis is a foreign key and can be expanded to expose fields from the related `user` object
`acknowledgedBy`	`String`	Username of the user who acknowledged the device
`computerCount`	`Int32`	On how many computers has this device been seen
`className`	`String`	Class of the device
`isRemovable`	`Boolean`	Is the device removable media
`computerName`	`String`	Name of the computer associated with this instance
`firstSeenComputer`	`String`	Computer on which the device was first identified
`firstSeenComputerId`	`Int32`	Id of `computer` on which the device was first identifiedThis is a foreign key and can be expanded to expose fields from the related `computer` object
`platform`	`String`	Device’s operating system
`platformId`	`Int32`	Id of the device’s operating system
`policyId`	`Int32`	Id of the policy associated with this instanceThis is a foreign key and can be expanded to expose fields from the related `policy` object

deviceInstance is a read-only object and has no modifiable properties.

GET Request for deviceInstance

Required permissions: ‘View devices’

Call syntax: bit9platform/v1/deviceInstance/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for deviceInstance

Required permissions: ‘View devices’

Call syntax: bit9platform/v1/deviceInstance?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» deviceRule

v1/deviceRule object controls device rules for Carbon Black App Control Agent.

All Object Properties for deviceRule

Name	Type	Property Description
`id`	`Int32`	Unique rule ID
`name`	`String`	Rule name
`description`	`String`	Rule description
`deviceName`	`String`	Device name
`deviceVendor`	`String`	Device vendor
`approveEx`	`String`	If the device is unapproved or banned, a specification of approval exceptions: a list of approved serial numbers separated by commas, or a wildcard pattern
`banEx`	`String`	If the device is unapproved or approved, a specification of ban exceptions: a list of banned serial numbers separated by commas, or a wildcard pattern
`state`	`Int32`	Device state: 1=Unapproved 2=Approved 3=Banned
`enabled`	`Boolean`	True if rule is enabled
`hidden`	`Boolean`	True if rule is hidden
`configListVersion`	`Int64`	CL version associated with the rule
`policyIds`	`String`	List of IDs of policies where this rule applies. Empty if this is a global rule
`createdByUserId`	`Int32`	ID of the user who created the ruleThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateCreated`	`DateTime`	Date the rule was first created
`modifiedByUserId`	`Int32`	ID of the user to last modify the ruleThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateModified`	`DateTime`	Date the rule was last modified

Properties modifiable Using PUT/POST Request for deviceRule

Name	Type	Property Description
`name`	`String`	Rule name
`description`	`String`	Rule description
`deviceName`	`String`	Device name
`deviceVendor`	`String`	Device vendor
`approveEx`	`String`	If the device is unapproved or banned, a specification of approval exceptions: a list of approved serial numbers separated by commas, or a wildcard pattern
`banEx`	`String`	If the device is unapproved or approved, a specification of ban exceptions: a list of banned serial numbers separated by commas, or a wildcard pattern
`state`	`Int32`	Device state: 1=Unapproved 2=Approved 3=Banned
`enabled`	`Boolean`	True if rule is enabled
`policyIds`	`String`	List of IDs of policies where this rule applies. Empty if this is a global rule

POST Request for deviceRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/deviceRule?delete={delete}

Name	Source	Type	Description
`value`	FromBody	deviceRule
`delete`	FromUri	Boolean

PUT Request for deviceRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/deviceRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	deviceRule

DELETE Request for deviceRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/deviceRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for deviceRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/deviceRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for deviceRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/deviceRule?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» deviceSerialNumber

v1/deviceSerialNumber object shows all storage devices found on all connected computers organized by serial number. Read-only.

All Object Properties for deviceSerialNumber

Name	Type	Property Description
`id`	`Int32`	Unique identifier
`deviceId`	`Int32`	Device IdThis is a foreign key and can be expanded to expose fields from the related `device` object
`name`	`String`	Device name
`vendor`	`String`	Device vendor
`friendlyName`	`String`	User-friendly name of the device
`serialNumber`	`String`	Device’s serial number
`computerId`	`Int32`	Id of computer associated with this instanceThis is a foreign key and can be expanded to expose fields from the related `computer` object
`deviceStateId`	`Int32`	Id corresponding to the device’s state
`state`	`String`	Human-readable device state
`exceptions`	`Boolean`	Exceptions
`firstSeenDate`	`DateTime`	Date when the device was first identified
`dateAcknowledged`	`DateTime`	Date when the device was acknowledged by an App Control user
`acknowledged`	`Boolean`	Has the device been acknowledged by an App Control user?
`acknowledgedByUserId`	`Int32`	User ID of the user who acknowledged the deviceThis is a foreign key and can be expanded to expose fields from the related `user` object
`acknowledgedBy`	`String`	Username of the user who acknowledged the device
`computerCount`	`Int32`	On how many computers has this device been seen
`className`	`String`	Class of the device
`isRemovable`	`Boolean`	Is the device removable media
`computerName`	`String`	Name of the computer associated with this instance
`firstSeenComputer`	`String`	Computer on which the device was first identified
`firstSeenComputerId`	`Int32`	Id of `computer` on which the device was first identifiedThis is a foreign key and can be expanded to expose fields from the related `computer` object
`platform`	`String`	Device’s operating system
`platformId`	`Int32`	ID of the device’s operating system
`dateApprovedOrBanned`	`DateTime`	Date when the device was either approved or banned

deviceSerialNumber is a read-only object and has no modifiable properties.

GET Request for deviceSerialNumber

Required permissions: ‘View devices’

Call syntax: bit9platform/v1/deviceSerialNumber/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for deviceSerialNumber

Required permissions: ‘View devices’

Call syntax: bit9platform/v1/deviceSerialNumber?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» driftReport

v1/driftReport object exposes information about drift reports. Note that this is read-only API.

All Object Properties for driftReport

Name	Type	Property Description
`id`	`Int32`	Unique drift report ID
`name`	`String`	Name of drift report
`description`	`String`	Description of drift report
`createDate`	`DateTime`	Date drift report was created (UTC)
`modifyDate`	`DateTime`	Date drift report was last modified (UTC)
`generateStartDate`	`DateTime`	The last time this drift report started being generated (UTC)
`generateEndDate`	`DateTime`	The last time this drift report finished being generated (UTC)
`lastGenerateStepDate`	`DateTime`	The last time the last step in this drift report occurred (UTC)
`durationSec`	`Int32`	Duration in seconds of last drift report generation
`driftTimeInterval`	`Int32`	The number representing the interval between drift report generation
`driftTimeIntervalType`	`String`	The unit of time representing the interval between drift report generation (minutes, hours, days)
`createUserId`	`Int32`	The user ID of the user that created this drift reportThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifyUserId`	`Int32`	The user ID of the user that last modified this drift reportThis is a foreign key and can be expanded to expose fields from the related `user` object
`reportType`	`Int32`	0 = baseline1 = historical
`baselineType`	`Int32`	0 = computer1 = policy2 = advanced filter3 = snapshot4 = self5 = none6 = computer filter
`targetType`	`Int32`	0 = computer1 = policy2 = advanced filter3 = all computers4 = computer filter
`baselineId`	`Int32`	Depends on the baseline type (computer or policy)
`snapshotId`	`Int32`	Implicit snaphot referenced by the report
`targetId`	`Int32`	Depends on the baseline type (computer or policy)
`baselineFilter`	`String`	The primary filter applied to the baseline
`finalBaselineFilter`	`String`	The final filter applied to the baseline
`targetFilter`	`String`	The primary filter applied to the target
`finalTargetFilter`	`String`	The final filter applied to the target
`generateFlags`	`Int32`	Flags representing how the reports are being generated:0x0001 = include approved0x0002 = include initialized0x0004 = include bans0x0008 = only applications0x0010 = only executed files0x1000 = track removals0x2000 = match by hash (content)0x4000 = generate details0x8000 = hidden
`enabled`	`Boolean`	Whether this drift report has been enabled
`deleted`	`Boolean`	Whether this drift report has been deleted
`regenerate`	`Boolean`	Whether this drift report needs to be regenerated
`rDrift`	`Int64`	A computed value representing raw drift from the last report
`wDrift`	`Double`	A computed value representing weighted drift from the last report
`sDrift`	`Double`	A computed value representing significant drift from the last report
`percentageDone`	`Int32`	How much of the report generation is complete

driftReport is a read-only object and has no modifiable properties.

GET Request for driftReport

Required permissions: ‘View drift reports and snapshots’

Call syntax: bit9platform/v1/driftReport/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for driftReport

Required permissions: ‘View drift reports and snapshots’

Call syntax: bit9platform/v1/driftReport?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» driftReportContents

v1/driftReportContents object provides access to drift report results. Contents are read-only.

All Object Properties for driftReportContents

Name	Type	Property Description
`computerId`	`Int32`	The ID of the computer associated with this file driftThis is a foreign key and can be expanded to expose fields from the related `computer` object
`fileId`	`Int32`	The ID of the file associated with this file driftThis is a foreign key and can be expanded to expose fields from the related `fileInstance` object
`fileName`	`String`	The file name associated with this file drift
`localState`	`Int32`	Whether this drift was unapproved (1), approved (2) or banned (3)
`date`	`DateTime`	The date when this drift occurred
`processName`	`String`	The process file name associates with this file drift

driftReportContents is a read-only object and has no modifiable properties.

GET Request for driftReportContents

Required permissions: ‘View drift reports and snapshots’

Call syntax: bit9platform/v1/driftReportContents?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&driftReportId={driftReportId}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`driftReportId`	FromUri	Int64

» event

v1/event object exposes public events.

All Object Properties for event

Name	Type	Property Description
`id`	`Int64`	Unique event Id
`timestamp`	`DateTime`	Date/Time when event was created (UTC)
`receivedTimestamp`	`DateTime`	Date/Time when event was received by the server (UTC)
`description`	`String`	Event description
`type`	`Int32`	Event type. Can be one of:0 = Server Management1 = Session Management2 = Computer Management3 = Policy Management4 = Policy Enforcement5 = Discovery6 = General Management8 = Internal Events
`subtype`	`Int32`	Event subtype. Can be one of event subtype IDs
`subtypeName`	`String`	Event subtype as string
`ipAddress`	`String`	IP address associated with this event
`computerId`	`Int32`	Id of `computer` associated with this eventThis is a foreign key and can be expanded to expose fields from the related `computer` object
`computerName`	`String`	Name of computer associated with this event
`policyId`	`Int32`	Id of `policy` where agent was at the time of the eventThis is a foreign key and can be expanded to expose fields from the related `policy` object
`policyName`	`String`	Name of policy where agent was at the time of the event
`fileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with file for this eventThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`installerFileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with installer for this eventThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`processFileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with process for this eventThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`fileName`	`String`	Name of the file associated with this event
`pathName`	`String`	Path of the file associated with this event
`commandLine`	`String`	Full command line associated with this event. Viewing this field requires ‘View process command lines’ permission
`processPathName`	`String`	Name of the process associated with this event
`processFileName`	`String`	Path of the process associated with this event
`process`	`String`	Path and process associated with this event
`installerFileName`	`String`	Name of the installer associated with this event
`processKey`	`String`	Process key associated with this event. This key uniquely identifies the process in both Carbon Black App Control Platform and Carbon Black EDR product
`severity`	`Int32`	Event severity. Can be one of:2 = Critical3 = Error4 = Warning5 = Notice6 = Info7 = Debug
`userName`	`String`	User name associated with this event
`ruleName`	`String`	Rule name associated with this event
`banName`	`String`	Ban name associated with this event
`updaterName`	`String`	Updater name associated with this event
`rapfigName`	`String`	Rapid Config name associated with this event
`indicatorName`	`String`	Advanced threat indicator name associated with this event
`indicatorSetName`	`String`	Advanced threat indicator set name associated with this event
`param1`	`String`	Internal string parameter 1
`param2`	`String`	Internal string parameter 2
`param3`	`String`	Internal string parameter 3
`stringId`	`Int32`	Internal string Id used for description
`unifiedSource`	`String`	Unified server name that created this event
`clVersion`	`Int32`	CL version associated with this event
`eventRuleId`	`Int32`	Id of the event rule associated with this event
`customRuleId`	`Int32`	Id of the rule associated with this eventThis is a foreign key and can be expanded to expose fields from the related `customRule` object
`fileRuleId`	`Int32`	Id of the file rule associated with this eventThis is a foreign key and can be expanded to expose fields from the related `fileRule` object
`installEventId`	`Int32`	Id of the install event associated with this event
`pathNameId`	`Int32`	Id of the file path associated with this event
`processPathNameId`	`Int32`	Id of the file path of the process associated with this event
`fileNameId`	`Int32`	Id of the name of the file associated with this event
`fileFirstExecutionDate`	`DateTime`	Date of the first execution of the file associated with this event
`sha256`	`String`	SHA-256 hash of the file associated with this event
`computerPolicyId`	`Int32`	Id of the policy this computer is in
`platformId`	`Int32`	Id of the platform of this computer.Can be one of: 1 = Windows2 = Mac4 = Linux
`installerHash`	`String`	SHA-256 hash of the installer file associated with this event
`processHash`	`String`	SHA-256 hash of the process associated with this event
`computerTag`	`String`	Custom tag on the computer
`osName`	`String`	Computer’s operating system
`agentVersion`	`String`	Version of the agent running on the computer associated with this event
`fileTrust`	`Int32`	Trust value of the file associated with this event
`fileTrustMessages`	`String`	Trust messages from the file associated with this event
`fileThreat`	`Int16`	Threat value of the file associated with this event
`filePrevalence`	`Int32`	Prevalence of the file associated with this event
`processTrust`	`Int32`	Trust value of the process associated with this event
`processTrustMessages`	`String`	Trust messages from the process associated with this event
`processThreat`	`Int16`	Threat value of the process associated with this event
`processPrevalence`	`Int32`	Prevalence of the process associated with this event

event is a read-only object and has no modifiable properties.

GET Request for event

Required permissions: ‘View events’

Call syntax: bit9platform/v1/event/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for event

Required permissions: ‘View events’

Call syntax: bit9platform/v1/event?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type	Description
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32	When -2, a “quick count” will be returned.
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» eventCacheView

v1/eventCacheView object exposes cached views.

All Object Properties for eventCacheView

Name	Type	Property Description
`id`	`Int64`	Unique ID
`viewId`	`Int32`	ID of saved view to be cached
`createdByUserId`	`Int32`	Id of `user` who created this requestThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedByUserId`	`Int32`	Id of `user` who modified this requestThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateCreated`	`DateTime`	Date/time when this object was created (UTC)
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`dateLastGenerated`	`DateTime`	Date/time when this view was last cached (UTC)
`dateNextGenerated`	`DateTime`	Date/time when this view is expected to be cached next (UTC)

eventCacheView is a read-only object and has no modifiable properties.

POST Request for eventCacheView

Required permissions: ‘View events’, ‘Manage saved views’

Call syntax: bit9platform/v1/eventCacheView

Name	Source	Type	Description
`value`	FromBody	eventCacheView

DELETE Request for eventCacheView

Required permissions: ‘View events’, ‘Manage saved views’

Call syntax: bit9platform/v1/eventCacheView/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for eventCacheView

Required permissions: ‘View events’

Call syntax: bit9platform/v1/eventCacheView/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for eventCacheView

Required permissions: ‘View events’

Call syntax: bit9platform/v1/eventCacheView?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» executionControlRule

v1/executionControlRule object exposes custom execution control rules. It also allows creating, editing and deleting these rules.

All Object Properties for executionControlRule

Name	Type	Property Description
`id`	`Int32`	Unique id of this rule
`masterRuleId`	`Int32`	Id of parent of this rule
`idUnique`	`Guid`	Unique GUID of this rule
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleUITemplateId`	`Int32`	UI Template id of this rule. Can be one of:0=None1=File Integrity Control2=Trusted Path3=Execution Control4=File Creation Control5=Performance Optimization99=Advanced1000=Internal1001=Updaters
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`ruleAction`	`String`	Display name of action taken by this rule. Action can be calculated from other rule parameters (flags, masks, opTypes), and is exposed as read-only field.
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`execActionMask`	`Int32`	Execution action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`combinedActionMask`	`Int32`	execActionMask combined with writeActionMask with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`execNegationMask`	`Int32`	Execution negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`execOpType`	`Int32`	Execution operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`combinedOpType`	`Int32`	execOpType combined with writeOpType with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`policyIds`	`String`	List of IDs of policies where this rule applies. Value will be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`hidden`	`Boolean`	True if rule is hidden
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`createdBy`	`String`	User that created this object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	User that last modified this object
`dateImported`	`DateTime`	Date/time when this rule was imported (UTC). This field will be null if rule was not imported
`importedByUserId`	`Int32`	Id of `user` that imported this rule. This field will be null if rule was not importedThis is a foreign key and can be expanded to expose fields from the related `user` object
`importedBy`	`String`	User that imported this rule. This field will be null if rule was not imported
`importSessionHandle`	`String`	Internal session handle used during rule import. This field will be null if rule was not imported.
`sid`	`String`	List of user SIDs for which this rule applies
`userNames`	`String`	List of user names for which this rule applies
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Note that value of the rank will be different than rank exposed in the console because API exposes more rules.
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`execNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s execution action (can be 0 to use default notifier)
`effectiveNotifierId`	`Int32`	Id of `notifier` object associated with this rule
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:0x01 = High0x02 = Medium0x04 = LocalApproval0x08 = Low0x10 = Visibility0x20 = DisabledUse -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`updaterId`	`Int32`	Id of `updater` object that contains this ruleThis is a foreign key and can be expanded to expose fields from the related `updater` object
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`priority`	`Int32`	Priority of this rule
`priorityBucket`	`Int32`	Priority bucket of this rule
`priorityGroup`	`Int32`	Priority group of this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule
`version`	`Int64`	Version of this custom rule

Properties modifiable Using PUT/POST Request for executionControlRule

Name	Type	Property Description
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`execActionMask`	`Int32`	Execution action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`execNegationMask`	`Int32`	Execution negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`execOpType`	`Int32`	Execution operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`policyIds`	`String`	List of IDs of policies where this rule applies. Value should be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`sid`	`String`	List of user SIDs for which this rule applies
`userNames`	`String`	List of user names for which this rule applies
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Change rank to move the rule
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`execNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s execution action (can be 0 to use default notifier)
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:High = 0x01Medium = 0x02LocalApproval = 0x04Low = 0x08Visibility = 0x10Disabled = 0x20 Use -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 - if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule

POST Request for executionControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/executionControlRule?delete={delete}

Name	Source	Type	Description
`value`	FromBody	customRule
`delete`	FromUri	Boolean

PUT Request for executionControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/executionControlRule/{id}?delete={delete}

Name	Source	Type
`id`	FromUri	Int32
`value`	FromBody	customRule
`delete`	FromUri	Boolean

DELETE Request for executionControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/executionControlRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for executionControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/executionControlRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for executionControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/executionControlRule?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» expertRule

v1/expertRule object exposes custom expert rules. It also allows creating, editing and deleting these rules.

All Object Properties for expertRule

Name	Type	Property Description
`id`	`Int32`	Unique id of this rule
`masterRuleId`	`Int32`	Id of parent of this rule
`idUnique`	`Guid`	Unique GUID of this rule
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleUITemplateId`	`Int32`	UI Template id of this rule. Can be one of:0=None1=File Integrity Control2=Trusted Path3=Execution Control4=File Creation Control5=Performance Optimization99=Advanced1000=Internal1001=Updaters
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`ruleAction`	`String`	Display name of action taken by this rule. Action can be calculated from other rule parameters (flags, masks, opTypes), and is exposed as read-only field.
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`restrictAccessFlags`	`Int32`	Rule restrict access flags used for memory rules only on Windows platform. This is combination of process access permission allowed.
`execActionMask`	`Int32`	Execution action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`combinedActionMask`	`Int32`	execActionMask combined with writeActionMask with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`execNegationMask`	`Int32`	Execution negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`execOpType`	`Int32`	Execution operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`combinedOpType`	`Int32`	execOpType combined with writeOpType with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`policyIds`	`String`	List of IDs of policies where this rule applies. Value will be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`hidden`	`Boolean`	True if rule is hidden
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`createdBy`	`String`	User that created this object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	User that last modified this object
`dateImported`	`DateTime`	Date/time when this rule was imported (UTC). This field will be null if rule was not imported
`importedByUserId`	`Int32`	Id of `user` that imported this rule. This field will be null if rule was not importedThis is a foreign key and can be expanded to expose fields from the related `user` object
`importedBy`	`String`	User that imported this rule. This field will be null if rule was not imported
`importSessionHandle`	`String`	Internal session handle used during rule import. This field will be null if rule was not imported.
`sid`	`String`	List of user SIDs for which this rule applies
`userNames`	`String`	List of user names for which this rule applies
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Note that value of the rank will be different than rank exposed in the console because API exposes more rules.
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`execNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s execution action (can be 0 to use default notifier)
`effectiveNotifierId`	`Int32`	Id of `notifier` object associated with this rule
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:0x01 = High0x02 = Medium0x04 = LocalApproval0x08 = Low0x10 = Visibility0x20 = DisabledUse -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`updaterId`	`Int32`	Id of `updater` object that contains this ruleThis is a foreign key and can be expanded to expose fields from the related `updater` object
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`priority`	`Int32`	Priority of this rule
`priorityBucket`	`Int32`	Priority bucket of this rule
`priorityGroup`	`Int32`	Priority group of this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule
`version`	`Int64`	Version of this custom rule

Properties modifiable Using PUT/POST Request for expertRule

Name	Type	Property Description
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`restrictAccessFlags`	`Int32`	Rule restrict access flags used for memory rules only on Windows platform. This is combination of process access permission allowed.
`execActionMask`	`Int32`	Execution action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`execNegationMask`	`Int32`	Execution negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`execOpType`	`Int32`	Execution operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`policyIds`	`String`	List of IDs of policies where this rule applies. Value should be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`sid`	`String`	List of user SIDs for which this rule applies
`userNames`	`String`	List of user names for which this rule applies
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Change rank to move the rule
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`execNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s execution action (can be 0 to use default notifier)
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:High = 0x01Medium = 0x02LocalApproval = 0x04Low = 0x08Visibility = 0x10Disabled = 0x20 Use -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 - if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule

POST Request for expertRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/expertRule?delete={delete}

Name	Source	Type	Description
`value`	FromBody	customRule
`delete`	FromUri	Boolean

PUT Request for expertRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/expertRule/{id}?delete={delete}

Name	Source	Type
`id`	FromUri	Int32
`value`	FromBody	customRule
`delete`	FromUri	Boolean

DELETE Request for expertRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/expertRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for expertRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/expertRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for expertRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/expertRule?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» fileAction

v1/fileAction object Create or update requests for deleting files on selected computers.

All Object Properties for fileAction

Name	Type	Property Description
`id`	`Int32`	File action ID
`action`	`Int32`	Action to be taken on a file (DeleteFileByName = 8, DeleteFileByHash = 9)
`computerId`	`Int32`	ID of `computer` where this action should be requested (or 0 for all computers)This is a foreign key and can be expanded to expose fields from the related `computer` object
`fileCatalogId`	`Int32`	ID of a file from `fileCatalog` for DeleteFileByHash actionThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`hash`	`String`	Hash of a file for DeleteFileByHash action (This parameter is ignored if fileCatalogId is supplied)
`fileName`	`String`	Name of the file when DeleteFileByName action is used
`pathName`	`String`	Path name of the file when DeleteFileByName action is used
`createdByUserId`	`Int32`	ID of `user` who created this requestThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateCreated`	`DateTime`	Date/time when this object was created (UTC)
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`status`	`Int32`	Status of the request (Queued = 0, Executing = 1, Completed = 2, Error = 3)
`errorMessage`	`String`	Error message when status = 3 (Error)
`numberOfActionsRequested`	`Int32`	Number of actions created (in the case where a request is for all computers)

fileAction is a read-only object and has no modifiable properties.

POST Request for fileAction

Required permissions: ‘Delete files’

Call syntax: bit9platform/v1/fileAction

Name	Source	Type	Description
`value`	FromBody	fileAction

GET Request for fileAction

Required permissions: ‘Delete files’

Call syntax: bit9platform/v1/fileAction/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for fileAction

Required permissions: ‘Delete files’

Call syntax: bit9platform/v1/fileAction?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» fileAnalysis

v1/fileAnalysis object exposes all files sent to analysis with Network Connectors. It also allows requesting or canceling file analysis.

All Object Properties for fileAnalysis

Name	Type	Property Description
`id`	`Int64`	Unique fileAnalysis id
`computerId`	`Int32`	Id of `computer` entry associated with this analysisThis is a foreign key and can be expanded to expose fields from the related `computer` object
`fileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with this analysisThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`connectorId`	`Int32`	Id of `connector` associated with this analysisThis is a foreign key and can be expanded to expose fields from the related `connector` object
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdBy`	`String`	User that created this object
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`fileName`	`String`	Name of the file where file exists on the endpoint
`pathName`	`String`	Path of the file where file exists on the endpoint
`priority`	`Int32`	File analysis priority in range [-2, 2], where 2 is highest priority. Default priority is 0
`analysisStatus`	`Int32`	Status of analysis. Can be one of: 0 = scheduled1 = submitted (file is sent for analysis) 2 = processed (file is processed but results are not available yet)3 = analyzed (file is processed and results are available)4 = error5 = cancelled6 = submit error (file submit error)
`analysisResult`	`Int32`	Result of the analysis. Can be one of: 0 = Not yet available1 = File is clean2 = File is a potential threat3 = File is malicious
`analysisTarget`	`String`	Target of the analysis (Connector-dependent)

Properties modifiable Using PUT/POST Request for fileAnalysis

Name	Type	Property Description
`computerId`	`Int32`	Id of `computer` from which to upload the file. If 0, system will find best computer to get the file from
`fileCatalogId`	`Int32`	Id of `fileCatalog` entry for which analysis is requested
`connectorId`	`Int32`	Id of target `connector` for the analysis
`priority`	`Int32`	Analysis priority in range [-2, 2], where 2 is highest priority. Default priority is 0
`analysisStatus`	`Int32`	Status of analysis. Status of analysis in progress can be changed to 5 (Cancelled)
`analysisTarget`	`String`	Target of the analysis (Optional). It has to be one of possible analysisTarget options defined for the given `connector` object, or empty for connectors without defined analysisTargets.

POST Request for fileAnalysis

Required permissions: ‘View files and applications’, ‘Submit files for analysis’

Call syntax: bit9platform/v1/fileAnalysis

Name	Source	Type	Description
`value`	FromBody	fileAnalysis

PUT Request for fileAnalysis

Required permissions: ‘View files and applications’, ‘Submit files for analysis’

Call syntax: bit9platform/v1/fileAnalysis/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	fileAnalysis

GET Request for fileAnalysis

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileAnalysis/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for fileAnalysis

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileAnalysis?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» fileCatalog

v1/fileCatalog object exposes all unique files found by Carbon Black App Control Agents and metadata related to files. Note that this is read-only API. In order to change state of the file, you need to use fileRule object.

All Object Properties for fileCatalog

Name	Type	Property Description
`id`	`Int32`	Unique fileCatalog Id
`dateCreated`	`DateTime`	Date/Time when this unique hash was first seen (Database local time)
`dateModified`	`DateTime`	Date/Time when this unique hash was modified through the `fileRule` (Database local time)
`pathName`	`String`	Name of the path where this unique hash was first seen
`fileName`	`String`	Name of the file under which this unique hash was first seen
`fileExtension`	`String`	Extension of the file under which this unique hash was first seen
`computerId`	`Int32`	Id of `computer` where this file was first seenThis is a foreign key and can be expanded to expose fields from the related `computer` object
`md5`	`String`	Md5 hash
`sha1`	`String`	Sha-1 hash
`sha256`	`String`	Sha-256 hash
`sha256HashType`	`Int32`	Can be one of: 5:Regular hash6:Fuzzy hash for MSI installers
`fileType`	`String`	Type of the file
`fileSize`	`Int64`	Size of the file in bytes
`productName`	`String`	Name of the product associated with this file in the VERSIONINFO resource
`description`	`String`	Description of the product associated with this file in the VERSIONINFO resource
`publisher`	`String`	Subject name of the certificate that signed this file
`company`	`String`	Name of the company associated with this file in the VERSIONINFO resource
`publisherOrCompany`	`String`	Publisher name of the file if it exist. If file is not signed, this will be a company name from the VERSIONINFO resource
`productVersion`	`String`	Version of the file in the VERSIONINFO resource
`installedProgramName`	`String`	Name of the product associated with this file in the MSI package
`reputationAvailable`	`Boolean`	True if reputation information has arrived for this file
`trust`	`Int32`	Trust of this file (0-10). Special value of -1 is reserved for unknown
`trustMessages`	`String`	More details about trust of this file
`threat`	`Int16`	Threat of this file. Can be one of:-1=Unknown0=Clean50=Potential risk100=Malicious
`category`	`String`	Category of this file
`fileState`	`Int32`	File state of this hash. Can be one of: 1=Unapproved 2=Approved 3=Banned 4=Approved by Policy 5=Banned by Policy
`publisherState`	`Int32`	Publisher state of this hash. Can be one of: 1=Unapproved 2=Approved 3=Banned 4=Approved by Policy 5=Banned by Policy
`certificateState`	`Int32`	Certificate state of this hash. Can be one of: 1=Unapproved 2=Approved 3=Banned 4=Approved by Policy 5=Banned by Policy 6=Mixed
`effectiveState`	`String`	Effective state of this hash, taking into account publisherState and fileState. Can be one of: Unapproved Approved Banned Approved by Policy Banned by Policy Mixed
`approvedByReputation`	`Boolean`	True if this file was approved by reputation
`reputationEnabled`	`Boolean`	True if reputation approvals are enabled for this file
`acknowledged`	`Boolean`	True if this file was acknowledged
`clVersion`	`Int64`	CL version associated with this file
`prevalence`	`Int32`	Number of endpoints that have this file
`dirtyPrevalence`	`Int32`	Whether or not the `prevalence` value is dirty:`NULL` = The `prevalence` field is up to date.Not `NULL` = The `prevalence` field is dirty, since we have unprocessed file instances to process.
`fileFlags`	`Int32`	File flags. Can be combination of: 0x00001 = File will report executions as ‘report bans’0x00004 = File is manually marked as installer0x00010 = File is detected as installer0x00100 = File was seen as root of installation0x00200 = File was seen as a child of of installation0x01000 = File has all needed metadata0x04000 = File was executed on endpoint0x10000 = File is manually marked as ‘not installer’0x20000 = State we are sending applies to all children if this is a root hash0x40000 = File came from a Trusted Directory0x80000 = File is an msi root file0x200000 = File was seen blocking on at least one endpoint0x400000 = File can be approved by reputation0x2000000 = This is not an ‘interesting’ file0x4000000 = The signature on this file is invalid0x8000000 = We have all necessary metadata from Macintosh and Linux platforms0x10000000 = The Server has gotten the data that comes with an ABItem on a ReportABList request0x20000000 = File is excluded from inventory tracking and its prevalence count could be invalid
`publisherId`	`Int32`	Id of `publisher` that signed this fileThis is a foreign key and can be expanded to expose fields from the related `publisher` object
`certificateId`	`Int32`	Id of `certificate` that signed this fileThis is a foreign key and can be expanded to expose fields from the related `certificate` object
`verdict`	`Int32`	Combined File Analysis verdicts into one. Can be one of: 0 = Not available1 = File is potentially clean2 = File is clean3 = File is a potential risk4 = File is malicious
`stateSource`	`String`	If approved, how the file got that way
`nodeType`	`Int32`	Can be one of: 0 = None (top level)1 = Child2 = Root3 = Root + Child
`transactionId`	`Guid`	ID associated with file approval (if any)
`globalStateDetails`	`String`	How the file got into this state
`initialized`	`Boolean`	Whether the file has been initialized
`unifiedSource`	`String`	Unified server name that created this rule

Properties modifiable Using PUT/POST Request for fileCatalog

Name	Type	Property Description
`acknowledged`	`Boolean`	Set to true to acknowledge this file

POST Request for fileCatalog

Required permissions: ‘View files and applications’, ‘Manage files’

Call syntax: bit9platform/v1/fileCatalog

Name	Source	Type	Description
`value`	FromBody	fileCatalog

PUT Request for fileCatalog

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileCatalog/{id}?acknowledge={acknowledge}&changeLocalStateForComputerId={changeLocalStateForComputerId}&newApprovalState={newApprovalState}

Name	Source	Type
`id`	FromUri	Int32
`acknowledge`	FromUri	Boolean
`changeLocalStateForComputerId`	FromUri	Int32
`newApprovalState`	FromUri	FileState

GET Request for fileCatalog

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileCatalog/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for fileCatalog

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileCatalog?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type	Description
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32	When -2, a “quick count” will be returned.
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» fileCreationControlRule

v1/fileCreationControlRule object exposes custom file creation control rules. It also allows creating, editing and deleting these rules.

All Object Properties for fileCreationControlRule

Name	Type	Property Description
`id`	`Int32`	Unique id of this rule
`masterRuleId`	`Int32`	Id of parent of this rule
`idUnique`	`Guid`	Unique GUID of this rule
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleUITemplateId`	`Int32`	UI Template id of this rule. Can be one of:0=None1=File Integrity Control2=Trusted Path3=Execution Control4=File Creation Control5=Performance Optimization99=Advanced1000=Internal1001=Updaters
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`ruleAction`	`String`	Display name of action taken by this rule. Action can be calculated from other rule parameters (flags, masks, opTypes), and is exposed as read-only field.
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`restrictAccessFlags`	`Int32`	Rule restrict access flags used for memory rules only on Windows platform. This is combination of process access permission allowed.
`writeActionMask`	`Int32`	Write action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`writeNegationMask`	`Int32`	Write negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`writeOpType`	`Int32`	Write operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`combinedActionMask`	`Int32`	execActionMask combined with writeActionMask with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`combinedOpType`	`Int32`	execOpType combined with writeOpType with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`policyIds`	`String`	List of IDs of policies where this rule applies. Value will be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`hidden`	`Boolean`	True if rule is hidden
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`createdBy`	`String`	User that created this object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	User that last modified this object
`dateImported`	`DateTime`	Date/time when this rule was imported (UTC). This field will be null if rule was not imported
`importedByUserId`	`Int32`	Id of `user` that imported this rule. This field will be null if rule was not importedThis is a foreign key and can be expanded to expose fields from the related `user` object
`importedBy`	`String`	User that imported this rule. This field will be null if rule was not imported
`importSessionHandle`	`String`	Internal session handle used during rule import. This field will be null if rule was not imported.
`sid`	`String`	List of user SIDs for which this rule applies
`userNames`	`String`	List of user names for which this rule applies
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Note that value of the rank will be different than rank exposed in the console because API exposes more rules.
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`writeNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s write action (can be 0 to use default notifier)
`effectiveNotifierId`	`Int32`	Id of `notifier` object associated with this rule
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:0x01 = High0x02 = Medium0x04 = LocalApproval0x08 = Low0x10 = Visibility0x20 = DisabledUse -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`updaterId`	`Int32`	Id of `updater` object that contains this ruleThis is a foreign key and can be expanded to expose fields from the related `updater` object
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`priority`	`Int32`	Priority of this rule
`priorityBucket`	`Int32`	Priority bucket of this rule
`priorityGroup`	`Int32`	Priority group of this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule
`version`	`Int64`	Version of this custom rule

Properties modifiable Using PUT/POST Request for fileCreationControlRule

Name	Type	Property Description
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`restrictAccessFlags`	`Int32`	Rule restrict access flags used for memory rules only on Windows platform. This is combination of process access permission allowed.
`writeActionMask`	`Int32`	Write action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`writeNegationMask`	`Int32`	Write negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`writeOpType`	`Int32`	Write operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`policyIds`	`String`	List of IDs of policies where this rule applies. Value should be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`sid`	`String`	List of user SIDs for which this rule applies
`userNames`	`String`	List of user names for which this rule applies
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Change rank to move the rule
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`writeNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s write action (can be 0 to use default notifier)
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:High = 0x01Medium = 0x02LocalApproval = 0x04Low = 0x08Visibility = 0x10Disabled = 0x20 Use -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 - if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule

POST Request for fileCreationControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileCreationControlRule?delete={delete}

Name	Source	Type	Description
`value`	FromBody	customRule
`delete`	FromUri	Boolean

PUT Request for fileCreationControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileCreationControlRule/{id}?delete={delete}

Name	Source	Type
`id`	FromUri	Int32
`value`	FromBody	customRule
`delete`	FromUri	Boolean

DELETE Request for fileCreationControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileCreationControlRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for fileCreationControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileCreationControlRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for fileCreationControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileCreationControlRule?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» fileInstance

v1/fileInstance object exposes live file inventory on all Carbon Black App Control Agents. It also allows local approvals of files.

All Object Properties for fileInstance

Name	Type	Property Description
`id`	`Int64`	Unique id of this fileInstance
`fileCatalogId`	`Int32`	Id of `fileCatalog` associated with this fileInstanceThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`fileInstanceGroupId`	`Int64`	Id of `fileInstanceGroup` associated with this fileInstanceThis is a foreign key and can be expanded to expose fields from the related `fileInstanceGroup` object
`computerId`	`Int32`	Id of `computer` associated with this fileInstanceThis is a foreign key and can be expanded to expose fields from the related `computer` object
`policyId`	`Int32`	Id of `policy` associated with this fileInstanceThis is a foreign key and can be expanded to expose fields from the related `policy` object
`dateCreated`	`DateTime`	Date/Time when file was was created on agent (UTC)
`fileName`	`String`	Name of the file on the agent
`pathName`	`String`	Path of the file on the agent
`executed`	`Boolean`	True if file was ever executed on the agent
`localState`	`Int32`	Local state of the file on the agent. Can be one of: 1=Unapproved 2=Approved 3=Banned
`detailedLocalState`	`Int32`	Local state of the file on the agent. Can be one of: 1=Approved (Not Persisted)2=Unapproved (Persisted)3=Banned4=Locally Approved5=Banned by name (6.x agents only)6=Banned by name (Report only, 6.x agents only)7=Locally Approved (Auto)8=Approved as Installer11=Approved12=Approved as Installer (Top Level)13=Banned (Report only)14=Unapproved
`certificateId`	`Int32`	Id of certificate that signed this file through the catalogThis is a foreign key and can be expanded to expose fields from the related `certificate` object
`detachedPublisherId`	`Int32`	Id of detached `publisher` that signed this file through the catalogThis is a foreign key and can be expanded to expose fields from the related `publisher` object
`detachedCertificateId`	`Int32`	Id of detached `certificate` that signed this file through the catalogThis is a foreign key and can be expanded to expose fields from the related `certificate` object
`initialized`	`Boolean`	Whether fileInstance is initialized
`topLevel`	`Boolean`	Whether fileInstance is top level
`unifiedSource`	`String`	Unified server name that created the file rule
`yaraTagIds`	`String`	Yara tag ids applied to this file instance, see v1/yaraRuleTag for tags

Properties modifiable Using PUT/POST Request for fileInstance

Name	Type	Property Description
`localState`	`Int32`	Target local state for the file on the agent. Can be one of: 1=Unapproved 2=Approved. Note that changed local state might not be reflected in the object immediately, but only after agent reports new state.

POST Request for fileInstance

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileInstance

Name	Source	Type	Description
`value`	FromBody	fileInstance

PUT Request for fileInstance

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileInstance/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	fileInstance

GET Request for fileInstance

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileInstance/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for fileInstance

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileInstance?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type	Description
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32	When -2, a “quick count” will be returned.
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» fileInstanceAll

v1/fileInstanceAll object shows all file inventory on all Carbon Black App Control Agents, including deleted files. Read-only.

All Object Properties for fileInstanceAll

Name	Type	Property Description
`id`	`Int64`	Unique ID of this `fileInstanceAll`
`fileInstanceId`	`Int64`	ID of `fileInstance` associated with this `fileInstanceAll`This is a foreign key and can be expanded to expose fields from the related `fileInstance` object
`fileInstanceDeletedId`	`Int64`	ID of `fileInstanceDeleted` associated with this `fileInstanceAll`This is a foreign key and can be expanded to expose fields from the related `fileInstanceDeleted` object
`fileCatalogId`	`Int32`	Id of `fileCatalog` associated with this `fileInstanceAll`This is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`fileInstanceGroupId`	`Int64`	Id of `fileInstanceGroup` associated with this `fileInstanceAll`This is a foreign key and can be expanded to expose fields from the related `fileInstanceGroup` object
`computerId`	`Int32`	Id of `computer` associated with this `fileInstanceAll`This is a foreign key and can be expanded to expose fields from the related `findFileComputer` object
`policyId`	`Int32`	Id of `policy` associated with this `fileInstanceAll`This is a foreign key and can be expanded to expose fields from the related `policy` object
`dateCreated`	`DateTime`	Date/Time when file was was created on agent (UTC)
`dateDeleted`	`DateTime`	Date/Time when file was deleted from agent (UTC)
`fileName`	`String`	Name of the file on the agent
`pathName`	`String`	Path of the file on the agent
`executed`	`Boolean`	True if file was ever executed on the agent (null if deleted)
`localState`	`Int32`	Local state of the file on the agent (null if deleted). Can be one of: 1=Unapproved 2=Approved 3=Banned
`detailedLocalState`	`Int32`	Local state of the file on the agent (null if deleted). Can be one of: 1=Approved (Not Persisted)2=Unapproved (Persisted)3=Banned4=Locally Approved5=Banned by name (6.x agents only)6=Banned by name (Report only, 6.x agents only)7=Locally Approved (Auto)8=Approved as Installer11=Approved12=Approved as Installer (Top Level)13=Banned (Report only)14=Unapproved
`certificateId`	`Int32`	Id of certificate that signed this file through the catalogThis is a foreign key and can be expanded to expose fields from the related `findFileCertificate` object
`detachedPublisherId`	`Int32`	Id of detached `publisher` that signed this file through the catalogThis is a foreign key and can be expanded to expose fields from the related `publisher` object
`detachedCertificateId`	`Int32`	Id of detached `certificate` that signed this file through the catalogThis is a foreign key and can be expanded to expose fields from the related `certificate` object
`initialized`	`Boolean`	Whether fileInstance is initialized
`topLevel`	`Boolean`	Whether fileInstance is top level
`unifiedSource`	`String`	Unified server name that created the file rule
`yaraTagIds`	`String`	Yara tag ids applied to this file instance, see v1/yaraRuleTag for tags

fileInstanceAll is a read-only object and has no modifiable properties.

GET Request for fileInstanceAll

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileInstanceAll/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for fileInstanceAll

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileInstanceAll?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» fileInstanceDeleted

v1/fileInstanceDeleted object exposes deleted file inventory on all Carbon Black App Control Agents.

All Object Properties for fileInstanceDeleted

Name	Type	Property Description
`id`	`Int64`	Unique id of this fileInstanceDeleted
`fileInstanceGroupId`	`Int64`	Id of `fileInstanceGroup` associated with this fileInstanceDeletedThis is a foreign key and can be expanded to expose fields from the related `fileInstanceGroup` object
`fileCatalogId`	`Int32`	Id of `fileCatalog` associated with this fileInstanceDeletedThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`computerId`	`Int32`	Id of `computer` associated with this fileInstanceDeletedThis is a foreign key and can be expanded to expose fields from the related `computer` object
`policyId`	`Int32`	Id of `policy` associated with this fileInstanceThis is a foreign key and can be expanded to expose fields from the related `policy` object
`dateCreated`	`DateTime`	Date/Time when file was was created on agent (UTC)
`dateDeleted`	`DateTime`	Date/Time when file was was deleted on agent (UTC)
`fileName`	`String`	Name of the file on the agent
`pathName`	`String`	Path of the file on the agent
`certificateId`	`Int32`	Id of certificate that signed this file through the catalogThis is a foreign key and can be expanded to expose fields from the related `certificate` object
`detachedPublisherId`	`Int32`	Id of detached `publisher` that signed this file through the catalogThis is a foreign key and can be expanded to expose fields from the related `publisher` object
`detachedCertificateId`	`Int32`	Id of detached `certificate` that signed this file through the catalogThis is a foreign key and can be expanded to expose fields from the related `certificate` object
`initialized`	`Boolean`	Whether fileInstance is initialized
`topLevel`	`Boolean`	Whether fileInstance is top level
`unifiedSource`	`String`	Unified server name that created the file rule

fileInstanceDeleted is a read-only object and has no modifiable properties.

GET Request for fileInstanceDeleted

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileInstanceDeleted/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for fileInstanceDeleted

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileInstanceDeleted?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type	Description
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32	When -2, a “quick count” will be returned.
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» fileInstanceGroup

v1/fileInstanceGroup object exposes grouping of file inventory from Carbon Black App Control Agents. Grouping can be based on installed programs reported by system, or automatic, based on installations seen by the agent.

All Object Properties for fileInstanceGroup

Name	Type	Property Description
`id`	`Int64`	Unique id of this fileInstanceGroup
`fileCatalogId`	`Int32`	Id of `fileCatalog` associated with this fileInstanceGroupThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`computerId`	`Int32`	Id of `computer` associated with this fileInstanceGroupThis is a foreign key and can be expanded to expose fields from the related `computer` object
`policyId`	`Int32`	Id of `policy` associated with this fileInstanceThis is a foreign key and can be expanded to expose fields from the related `policy` object
`dateCreated`	`DateTime`	Date/Time when file was was created on agent (UTC)
`fileName`	`String`	Name of the file on the agent
`pathName`	`String`	Path of the file on the agent
`userName`	`String`	User associated with this group creation on the agent
`groupType`	`Int32`	Type of this group. It can be one of: 0=initialization group1=top level group2=process group3=MSI group
`installedProgramName`	`String`	Name of the product associated with this fileInstanceGroup
`fileGroupId`	`Int32`	ID of the overall file group
`unifiedSource`	`String`	Unified server name that created the file rule
`yaraTagIds`	`String`	Yara tag ids applied to this file, see v1/yaraRuleTag for tags
`fileInstanceId`	`Int64`	ID of the `fileInstance` associated with the top level file of this group, if applicableThis is a foreign key and can be expanded to expose fields from the related `fileInstance` object

fileInstanceGroup is a read-only object and has no modifiable properties.

GET Request for fileInstanceGroup

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileInstanceGroup/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for fileInstanceGroup

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileInstanceGroup?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» fileInstanceSnapshot

v1/fileInstanceSnapshot object exposes manual snapshots of file inventory from Carbon Black App Control Agents. Snapshots can be created from the file list view.

All Object Properties for fileInstanceSnapshot

Name	Type	Property Description
`id`	`Int64`	Unique id of this fileInstanceSnapshot
`snapshotId`	`Int32`	Unique id of the snapshot used
`snapshotName`	`String`	Name of the snapshot used
`snapshotCreated`	`DateTime`	When the snapshot was created (local time)
`fileCatalogId`	`Int32`	Id of `fileCatalog` associated with this fileInstanceSnapshotThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`computerId`	`Int32`	Id of `computer` associated with this fileInstanceSnapshotThis is a foreign key and can be expanded to expose fields from the related `computer` object
`fileName`	`String`	Name of the file on the agent
`pathName`	`String`	Path of the file on the agent
`certificateId`	`Int32`	Id of the certificateThis is a foreign key and can be expanded to expose fields from the related `certificate` object
`unifiedSource`	`String`	Unified server name that created the file rule

fileInstanceSnapshot is a read-only object and has no modifiable properties.

GET Request for fileInstanceSnapshot

Required permissions: ‘View drift reports and snapshots’

Call syntax: bit9platform/v1/fileInstanceSnapshot/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for fileInstanceSnapshot

Required permissions: ‘View drift reports and snapshots’

Call syntax: bit9platform/v1/fileInstanceSnapshot?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» fileIntegrityControlRule

v1/fileIntegrityControlRule object exposes custom file integrity control rules. It also allows creating, editing and deleting these rules.

All Object Properties for fileIntegrityControlRule

Name	Type	Property Description
`id`	`Int32`	Unique id of this rule
`masterRuleId`	`Int32`	Id of parent of this rule
`idUnique`	`Guid`	Unique GUID of this rule
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleUITemplateId`	`Int32`	UI Template id of this rule. Can be one of:0=None1=File Integrity Control2=Trusted Path3=Execution Control4=File Creation Control5=Performance Optimization99=Advanced1000=Internal1001=Updaters
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`ruleAction`	`String`	Display name of action taken by this rule. Action can be calculated from other rule parameters (flags, masks, opTypes), and is exposed as read-only field.
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`writeActionMask`	`Int32`	Write action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`writeNegationMask`	`Int32`	Write negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`writeOpType`	`Int32`	Write operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`combinedActionMask`	`Int32`	execActionMask combined with writeActionMask with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`combinedOpType`	`Int32`	execOpType combined with writeOpType with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`policyIds`	`String`	List of IDs of policies where this rule applies. Value will be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`hidden`	`Boolean`	True if rule is hidden
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`createdBy`	`String`	User that created this object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	User that last modified this object
`dateImported`	`DateTime`	Date/time when this rule was imported (UTC). This field will be null if rule was not imported
`importedByUserId`	`Int32`	Id of `user` that imported this rule. This field will be null if rule was not importedThis is a foreign key and can be expanded to expose fields from the related `user` object
`importedBy`	`String`	User that imported this rule. This field will be null if rule was not imported
`importSessionHandle`	`String`	Internal session handle used during rule import. This field will be null if rule was not imported.
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Note that value of the rank will be different than rank exposed in the console because API exposes more rules.
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`writeNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s write action (can be 0 to use default notifier)
`effectiveNotifierId`	`Int32`	Id of `notifier` object associated with this rule
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:0x01 = High0x02 = Medium0x04 = LocalApproval0x08 = Low0x10 = Visibility0x20 = DisabledUse -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`updaterId`	`Int32`	Id of `updater` object that contains this ruleThis is a foreign key and can be expanded to expose fields from the related `updater` object
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`priority`	`Int32`	Priority of this rule
`priorityBucket`	`Int32`	Priority bucket of this rule
`priorityGroup`	`Int32`	Priority group of this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule
`version`	`Int64`	Version of this custom rule

Properties modifiable Using PUT/POST Request for fileIntegrityControlRule

Name	Type	Property Description
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`writeActionMask`	`Int32`	Write action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`writeNegationMask`	`Int32`	Write negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`writeOpType`	`Int32`	Write operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`policyIds`	`String`	List of IDs of policies where this rule applies. Value should be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Change rank to move the rule
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`writeNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s write action (can be 0 to use default notifier)
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:High = 0x01Medium = 0x02LocalApproval = 0x04Low = 0x08Visibility = 0x10Disabled = 0x20 Use -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 - if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule

POST Request for fileIntegrityControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileIntegrityControlRule?delete={delete}

Name	Source	Type	Description
`value`	FromBody	customRule
`delete`	FromUri	Boolean

PUT Request for fileIntegrityControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileIntegrityControlRule/{id}?delete={delete}

Name	Source	Type
`id`	FromUri	Int32
`value`	FromBody	customRule
`delete`	FromUri	Boolean

DELETE Request for fileIntegrityControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileIntegrityControlRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for fileIntegrityControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileIntegrityControlRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for fileIntegrityControlRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileIntegrityControlRule?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» fileName

v1/fileName object exposes a set of all distinct filenames processed by the Carbon Black App Control Agent. This is a read-only call (only GET is valid)

All Object Properties for fileName

Name	Type	Property Description
`id`	`Int32`	Unique id of this fileName.
`name`	`String`	The full name of the file.

fileName is a read-only object and has no modifiable properties.

GET Request for fileName

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileName/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for fileName

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/fileName?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» fileRule

v1/fileRule object exposes rules related to unique files. It allows creation and editing of file Approvals and Bans.

All Object Properties for fileRule

Name	Type	Property Description
`id`	`Int64`	Unique id of this fileRule
`fileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with this fileRule. Can be null if file hasn’t been seen on any endpoints yetThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`name`	`String`	Name of this rule
`description`	`String`	Description of this rule
`fileState`	`Int32`	File state for this rule. Can be one of: 1=Unapproved 2=Approved 3=Banned
`sourceType`	`Int32`	Mechanism that created this rule. Can be one of: 1 = Manual2 = Trusted Directory3 = Reputation4 = Imported5 = External (API)6 = Event Rule7 = Application Template8 = Unified Management
`sourceId`	`Int32`	Id of source of this rule. Can be event rule id or trusted directory id
`reportOnly`	`Boolean`	True if this has a report-only ban
`reputationApprovalsEnabled`	`Boolean`	True if reputation approvals are enabled for this file
`forceInstaller`	`Boolean`	True if this file is forced to act as installer, even if product detected it as ‘not installer’
`forceNotInstaller`	`Boolean`	True if this file is forced to act as ‘not installer’, even if product detected it as installer
`policyIds`	`String`	List of IDs of policies where this rule applies. Value will be empty if this is a global rule
`hash`	`String`	Hash associated with this rule. Note that hash will be available only if rule was created through md5 or sha-1 hash. If rule was created through fileName, fileCatalogId or sha-256 hash that exists in the catalog, this field will be empty.
`fileName`	`String`	File name associated with this rule. Note that file name will be available only if rule was created through file name. If rule was created through fileCatalogId or hash, this field will be empty.
`lazyApproval`	`Boolean`	This field is valid only when creating approvals. When set to true, it will cause the approval to be sent to the agent only if the file is marked as an installer or if it blocked on any agent. This is useful when proactively creating a lot of approvals that may or may not be required, since it is using fewer resources. Note that, as soon as the lazy approval is sent to agents, this field will change to ‘false’.
`platformFlags`	`Int32`	Set of platform flags where this file rule will be valid. combination of: 1 = Windows2 = Mac4 = Linux
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdBy`	`String`	User that created this object
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedBy`	`String`	User that last modified this object
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`clVersion`	`Int64`	CL version associated with this file rule
`idUnique`	`Guid`	Unique GUID of this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 - if rule is not unified, 1 - no override allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`fileRuleType`	`String`	Text description of file rule type
`version`	`Int64`	Version of this file rule
`visible`	`Boolean`	If rule should be visible in the UI or not

Properties modifiable Using PUT/POST Request for fileRule

Name	Type	Property Description
`fileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with this fileRule. Can be 0 if creating/modifying rule based on hash or file name
`name`	`String`	Name of this rule
`description`	`String`	Description of this rule
`fileState`	`Int32`	File state for this rule. Can be one of: 1=Unapproved 2=Approved 3=Banned
`sourceType`	`Int32`	Mechanism that created this rule. Can be one of: 1 = Manual2 = Trusted Directory3 = Reputation4 = Imported5 = External (API)6 = Event Rule7 = Application Template8 = Unified Management
`reportOnly`	`Boolean`	Set to true to create a report-only ban. Note: fileState has to be set to 1 (unapproved) before this flag can be set
`reputationApprovalsEnabled`	`Boolean`	True if reputation approvals are enabled for this file
`forceInstaller`	`Boolean`	True if this file is forced to act as installer, even if product detected it as ‘not installer’
`forceNotInstaller`	`Boolean`	True if this file is forced to act as ‘not installer’, even if product detected it as installer
`policyIds`	`String`	List of IDs of policies where this rule applies. Value should be empty if this is a global rule
`hash`	`String`	Hash associated with this rule. This parameter is ignored if fileCatalogId is supplied
`fileName`	`String`	File name associated with this rule. This parameter is ignored if fileCatalogId or hash is supplied
`lazyApproval`	`Boolean`	This field is valid only when creating approvals. When set to true, it will cause the approval to be sent to the agent only if the file is marked as an installer or if it blocked on any agent. This is useful when proactively creating a lot of approvals that may or may not be required, since it is using fewer resources. Note that, as soon as the lazy approval is sent to agents, this field will change to ‘false’.
`platformFlags`	`Int32`	Set of platform flags where this file rule will be valid. combination of: 1 = Windows2 = Mac4 = Linux
`origIdUnique`	`Guid`	Unique GUID of the original rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 if rule is not unified, 1 - no override allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule

POST Request for fileRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileRule?delete={delete}

Name	Source	Type	Description
`value`	FromBody	fileRule
`delete`	FromUri	Boolean

PUT Request for fileRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	fileRule

DELETE Request for fileRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for fileRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for fileRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileRule?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type	Description
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32	When -2, a “quick count” will be returned.
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» fileRuleTriggerSummary

v1/fileRuleTriggerSummary object exposes data related to file rules triggering for Carbon Black App Control Agent

All Object Properties for fileRuleTriggerSummary

Name	Type	Property Description
`id`	`Int64`	ID of the rule
`idUnique`	`Guid`	Unique GUID of the rule
`ruleName`	`String`	Rule name
`createdBy`	`String`	Rule created by
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`dateModified`	`DateTime`	Date/time when this rule was modified (UTC)
`lastTriggerDate`	`DateTime`	Date/time when this rule was last triggered (UTC) regardless of applied filters
`maxTriggerDate`	`DateTime`	Date/time when this rule was last triggered (UTC) based on the applied filters
`triggerCount`	`Int64`	Rule trigger count

fileRuleTriggerSummary is a read-only object and has no modifiable properties.

GET Request for fileRuleTriggerSummary

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileRuleTriggerSummary?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

GET Request for fileRuleTriggerSummary

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/fileRuleTriggerSummary/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

» fileUpload

v1/fileUpload object exposes all uploaded files from the Carbon Black App Control Agents. It also allows requesting or canceling new uploads. Uploaded files can be accessed through the API.

All Object Properties for fileUpload

Name	Type	Property Description
`id`	`Int32`	Unique id of this fileUpload
`computerId`	`Int32`	Id of `computer` entry associated with this analysisThis is a foreign key and can be expanded to expose fields from the related `computer` object
`fileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with this uploadThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdBy`	`String`	User that created this object
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`fileName`	`String`	Name of the file where file exists on the endpoint
`pathName`	`String`	Path of the file where file exists on the endpoint
`priority`	`Int32`	Upload priority in range [-2, 2], where 2 is highest priority. Default priority is 0
`uploadPath`	`String`	Local upload path for this file on the server (can be a shared network path). Note that file is compressed in a ZIP archive
`uploadedFileSize`	`Int64`	Size of uploaded file. This will be 0 unless uploadStatus is 3 (Completed)
`uploadStatus`	`Int32`	Status of upload. Can be one of: 0 = Queued1 = Initiated2 = Uploading3 = Completed4 = Error5 = Cancelled6 = Deleted

Properties modifiable Using PUT/POST Request for fileUpload

Name	Type	Property Description
`computerId`	`Int32`	Id of `computer` from which to upload the file. If 0, system will find best computer to get the file from
`fileCatalogId`	`Int32`	Id of `fileCatalog` entry for file to upload
`priority`	`Int32`	Upload priority in range [-2, 2], where 2 is highest priority. Default priority is 0
`uploadStatus`	`Int32`	Status of upload. Status of upload in progress can be changed to 5 (Cancelled). Any upload can be changed to 6 (Deleted)

GET Request for fileUpload

Required permissions: ‘View file uploads’

Call syntax: bit9platform/v1/fileUpload/{id}?downloadFile={downloadFile}

Name	Source	Type	Description
`id`	FromUri	Int64
`downloadFile`	FromUri	Boolean

GET Request for fileUpload

Required permissions: ‘View file uploads’

Call syntax: bit9platform/v1/fileUpload/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for fileUpload

Required permissions: ‘View file uploads’

Call syntax: bit9platform/v1/fileUpload?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

POST Request for fileUpload

Required permissions: ‘View file uploads’, ‘Manage uploads of inventoried files’

Call syntax: bit9platform/v1/fileUpload

Name	Source	Type	Description
`value`	FromBody	fileUpload

PUT Request for fileUpload

Required permissions: ‘View file uploads’, ‘Manage uploads of inventoried files’

Call syntax: bit9platform/v1/fileUpload/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	fileUpload

» findFileCertificate

v1/findFileCertificate object exposes a minimal set of certificate information. Primarily used in expansion from v1/fileInstanceAll and v1/findFileInstance. Read-only.

All Object Properties for findFileCertificate

Name	Type	Property Description
`id`	`Int32`	Unique certificate id
`subjectName`	`String`	Certificate subject name
`certificateState`	`Int32`	One of assigned states: 1=Unapproved 2=Approved 3=Banned
`certificateStateSource`	`String`	How the certificate got into this state

findFileCertificate is a read-only object and has no modifiable properties.

GET Request for findFileCertificate

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/findFileCertificate/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for findFileCertificate

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/findFileCertificate?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» findFileComputer

v1/findFileComputer object exposes a minimal set of computer information. Primarily used in expansion from v1/fileInstanceAll and v1/findFileInstance. Read-only.

All Object Properties for findFileComputer

Name	Type	Property Description
`id`	`Int32`	Unique computer id
`name`	`String`	Computer name
`ipAddress`	`String`	Last known IP address of this computer
`connected`	`Boolean`	True if this computer is connected
`computerTag`	`String`	Custom computer tag
`osShortName`	`String`	Short OS name
`daysOffline`	`Int32`	Number of days this computer was offline
`uninstalled`	`Boolean`	True if this computer was uninstalled
`deleted`	`Boolean`	True if computer is disabled
`platformId`	`Int32`	Platform Id. Can be one of: 1 = Windows2 = Mac4 = Linux

findFileComputer is a read-only object and has no modifiable properties.

GET Request for findFileComputer

Required permissions: ‘View computers’

Call syntax: bit9platform/v1/findFileComputer/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for findFileComputer

Required permissions: ‘View computers’

Call syntax: bit9platform/v1/findFileComputer?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» findFileInstance

v1/findFileInstance object exposes file inventory on all Carbon Black App Control Agents. Read-only.

All Object Properties for findFileInstance

Name	Type	Property Description
`id`	`Int64`	Unique id of this fileInstance
`fileCatalogId`	`Int32`	Id of `fileCatalog` associated with this fileInstanceThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`fileInstanceGroupId`	`Int64`	Id of `fileInstanceGroup` associated with this fileInstanceThis is a foreign key and can be expanded to expose fields from the related `fileInstanceGroup` object
`computerId`	`Int32`	Id of `computer` associated with this fileInstanceThis is a foreign key and can be expanded to expose fields from the related `findFileComputer` object
`policyId`	`Int32`	Id of `policy` associated with this fileInstanceThis is a foreign key and can be expanded to expose fields from the related `policy` object
`dateCreated`	`DateTime`	Date/Time when file was was created on agent (UTC)
`fileName`	`String`	Name of the file on the agent
`pathName`	`String`	Path of the file on the agent
`executed`	`Boolean`	True if file was ever executed on the agent
`localState`	`Int32`	Local state of the file on the agent. Can be one of: 1=Unapproved 2=Approved 3=Banned
`detailedLocalState`	`Int32`	Local state of the file on the agent. Can be one of: 1=Approved (Not Persisted)2=Unapproved (Persisted)3=Banned4=Locally Approved5=Banned by name (6.x agents only)6=Banned by name (Report only, 6.x agents only)7=Locally Approved (Auto)8=Approved as Installer11=Approved12=Approved as Installer (Top Level)13=Banned (Report only)14=Unapproved
`certificateId`	`Int32`	Id of certificate that signed this file through the catalogThis is a foreign key and can be expanded to expose fields from the related `findFileCertificate` object
`detachedPublisherId`	`Int32`	Id of detached `publisher` that signed this file through the catalogThis is a foreign key and can be expanded to expose fields from the related `publisher` object
`detachedCertificateId`	`Int32`	Id of detached `certificate` that signed this file through the catalogThis is a foreign key and can be expanded to expose fields from the related `certificate` object
`initialized`	`Boolean`	Whether fileInstance is initialized
`topLevel`	`Boolean`	Whether fileInstance is top level
`unifiedSource`	`String`	Unified server name that created the file rule
`yaraTagIds`	`String`	Yara tag ids applied to this file instance, see v1/yaraRuleTag for tags

findFileInstance is a read-only object and has no modifiable properties.

GET Request for findFileInstance

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/findFileInstance/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for findFileInstance

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/findFileInstance?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» grantedUserPolicyPermission

v1/grantedUserPolicyPermission object exposes granted permissions for the user. This is a read-only object and can only be modified through the userGroup API.

All Object Properties for grantedUserPolicyPermission

Name	Type	Property Description
`id`	`String`	Unique id of granted permission
`userId`	`Int32`	id of the userThis is a foreign key and can be expanded to expose fields from the related `user` object
`permissions`	`String`	Permissions associated with users of this userGroup as a hexadecimal string. Can be combination of:PERMISSION_COMPUTERS_VIEW = 0x0000000000000001PERMISSION_COMPUTERS_ASSIGN = 0x0000000000000002PERMISSION_COMPUTERS_TEMPORARY_ASSIGN = 0x0000000000000004PERMISSION_COMPUTERS_ADVANCED = 0x0000000000000008PERMISSION_FILES_VIEW = 0x0000000000000010PERMISSION_FILES_MANAGE_STATE = 0x0000000000000020PERMISSION_FILES_MANAGE_LOCAL_STATE = 0x0000000000000040PERMISSION_POLICIES_VIEW = 0x0000000000000080PERMISSION_POLICIES_MANAGE = 0x0000000000000100PERMISSION_POLICIES_MAPPINGS = 0x0000000000000200PERMISSION_RULES_VIEW = 0x0000000000000400PERMISSION_RULES_MANAGE_DEVICE = 0x0000000000000800PERMISSION_RULES_MANAGE_EVENT = 0x0000000000001000PERMISSION_RULES_MANAGE_DIRECTORIES = 0x0000000000002000PERMISSION_RULES_MANAGE_PUBLISHERS = 0x0000000000004000PERMISSION_RULES_MANAGE_USERS = 0x0000000000008000PERMISSION_RULES_MANAGE_CUSTOM = 0x0000000000010000PERMISSION_REPORTS_VIEW_EVENTS = 0x0000000000020000PERMISSION_REPORTS_MANAGE_DASHBOARDS = 0x0000000000040000PERMISSION_REPORTS_VIEW_DRIFT = 0x0000000000080000PERMISSION_REPORTS_MANAGE_DRIFT = 0x0000000000100000PERMISSION_REPORTS_MANAGE_SNAPSHOTS = 0x0000000000200000PERMISSION_REPORTS_SAVED_VIEWS = 0x0000000000400000PERMISSION_TOOLS_VIEW_ALERTS = 0x0000000000800000PERMISSION_TOOLS_MANAGE_ALERTS = 0x0000000001000000PERMISSION_TOOLS_VIEW_METERS = 0x0000000002000000PERMISSION_TOOLS_MANAGE_METERS = 0x0000000004000000PERMISSION_ADMINISTRATION_VIEW_CONFIG = 0x0000000008000000PERMISSION_ADMINISTRATION_VIEW_USERS = 0x0000000010000000PERMISSION_ADMINISTRATION_MANAGE_CONFIG = 0x0000000020000000PERMISSION_ADMINISTRATION_MANAGE_USERS = 0x0000000040000000PERMISSION_ADMINISTRATION_MANAGE_USER_GROUPS = 0x0000000100000000PERMISSION_DEVICES_VIEW = 0x0000000200000000PERMISSION_RULES_MANAGE_UPDATERS = 0x0000000400000000PERMISSION_MANAGE_APPROVAL_REQUESTS = 0x0000000800000000PERMISSION_VIEW_APPROVAL_REQUESTS = 0x0000001000000000PERMISSION_VIEW_UPLOADED_FILES = 0x0000002000000000PERMISSION_ALLOW_UPLOAD_INVENTORY = 0x0000004000000000PERMISSION_ALLOW_EXECUTE_COMMANDS = 0x0000008000000000PERMISSION_RULES_MANAGE_SCRIPT = 0x0000010000000000PERMISSION_NOTIFIERS_VIEW = 0x0000020000000000PERMISSION_NOTIFIERS_MANAGE = 0x0000040000000000PERMISSION_ACCESS_UPLOAD_FILES = 0x0000080000000000PERMISSION_ALLOW_UPLOAD_FILES_BY_PATH = 0x0000100000000000PERMISSION_ALLOW_ANALYZE_FILES = 0x0000200000000000PERMISSION_RULES_MANAGE_ATI_SETS = 0x0000400000000000PERMISSION_VIEW_EXTERNAL_ANALYTICS = 0x0000800000000000PERMISSION_VIEW_PROCESS_COMMAND_LINES = 0x0001000000000000PERMISSION_VIEW_SYSTEM_HEALTH = 0x0002000000000000PERMISSION_EXTEND_CONNECTORS = 0x0004000000000000PERMISSION_MANAGE_OBJECTTAGS = 0x0008000000000000PERMISSION_VIEW_PLUGINS = 0x0010000000000000PERMISSION_MANAGE_PLUGINS = 0x0020000000000000PERMISSION_REPORTS_VIEW_GLOBAL_EVENTS = 0x0040000000000000PERMISSION_USE_UNIFIED_MANAGEMENT = 0x0080000000000000PERMISSION_CONFIGURE_UNIFIED_MANAGEMENT = 0x0100000000000000PERMISSION_LOCAL_LOGIN_OVERRIDE = 0x0200000000000000PERMISSION_FILES_DELETE = 0x0400000000000000PERMISSION_USE_API = 0x0800000000000000
`policyId`	`Int32`	Id of policy associated with this granted permission. It can be 0, indicating that permission is granted in all policiesThis is a foreign key and can be expanded to expose fields from the related `policy` object

grantedUserPolicyPermission is a read-only object and has no modifiable properties.

GET Request for grantedUserPolicyPermission

Required permissions: Unknown

Call syntax: bit9platform/v1/grantedUserPolicyPermission/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for grantedUserPolicyPermission

Required permissions: Unknown

Call syntax: bit9platform/v1/grantedUserPolicyPermission?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» identityProvider

v1/identityProvider object exposes identity provider information.

All Object Properties for identityProvider

Name	Type	Property Description
`id`	`Int32`	Identity provider ID
`name`	`String`	The name of the identity provider
`entityId`	`String`	The entity ID of this identity provider
`signonBinding`	`String`	A binding for this identity provider’s signon service
`signonLocation`	`String`	A location URL for this identity provider’s signon service
`logoutBinding`	`String`	A binding for this identity provider’s logout service
`logoutLocation`	`String`	A location URL for this identity provider’s logout service
`signingCert`	`String`	The base64-encoded contents of the certificate used for signing
`encryptionCert`	`String`	The base64-encoded contents of the certificate used for encryption

Properties modifiable Using PUT/POST Request for identityProvider

Name	Type	Property Description
`name`	`String`	The name of the identity provider
`entityId`	`String`	The entity ID of this identity provider
`signonBinding`	`String`	A binding for this identity provider’s signon service
`signonLocation`	`String`	A location URL for this identity provider’s signon service
`logoutBinding`	`String`	A binding for this identity provider’s logout service
`logoutLocation`	`String`	A location URL for this identity provider’s logout service
`signingCert`	`String`	The base64-encoded contents of the certificate used for signing
`encryptionCert`	`String`	The base64-encoded contents of the certificate used for encryption

POST Request for identityProvider

Required permissions: ‘’, ‘Manage system configuration’

Call syntax: bit9platform/v1/identityProvider?delete={delete}

Name	Source	Type	Description
`value`	FromBody	identityProvider
`delete`	FromUri	Boolean

PUT Request for identityProvider

Required permissions: ‘’, ‘Manage system configuration’

Call syntax: bit9platform/v1/identityProvider/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	identityProvider

DELETE Request for identityProvider

Required permissions: ‘’, ‘Manage system configuration’

Call syntax: bit9platform/v1/identityProvider/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for identityProvider

Required permissions: '’

Call syntax: bit9platform/v1/identityProvider/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for identityProvider

Required permissions: ''

Call syntax: bit9platform/v1/identityProvider?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» internalEvent

v1/internalEvent object exposes private events.

All Object Properties for internalEvent

Name	Type	Property Description
`id`	`Int64`	Unique event Id
`timestamp`	`DateTime`	Date/Time when event was created (UTC)
`receivedTimestamp`	`DateTime`	Date/Time when event was received by the server (UTC)
`description`	`String`	Event description
`type`	`Int32`	Event type. Can be one of:0 = Server Management1 = Session Management2 = Computer Management3 = Policy Management4 = Policy Enforcement5 = Discovery6 = General Management8 = Internal Events
`subtype`	`Int32`	Event subtype. Can be one of event subtype IDs
`subtypeName`	`String`	Event subtype as string
`ipAddress`	`String`	IP address associated with this event
`computerId`	`Int32`	Id of `computer` associated with this eventThis is a foreign key and can be expanded to expose fields from the related `computer` object
`computerName`	`String`	Name of computer associated with this event
`policyId`	`Int32`	Id of `policy` where agent was at the time of the eventThis is a foreign key and can be expanded to expose fields from the related `policy` object
`policyName`	`String`	Name of policy where agent was at the time of the event
`fileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with file for this eventThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`installerFileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with installer for this eventThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`processFileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with process for this eventThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`fileName`	`String`	Name of the file associated with this event
`pathName`	`String`	Path of the file associated with this event
`commandLine`	`String`	Full command line associated with this event. Viewing this field requires ‘View process command lines’ permission
`processPathName`	`String`	Name of the process associated with this event
`processFileName`	`String`	Path of the process associated with this event
`process`	`String`	Path and process associated with this event
`installerFileName`	`String`	Name of the installer associated with this event
`processKey`	`String`	Process key associated with this event. This key uniquely identifies the process in both Carbon Black App Control Platform and Carbon Black EDR product
`severity`	`Int32`	Event severity. Can be one of:2 = Critical3 = Error4 = Warning5 = Notice6 = Info7 = Debug
`userName`	`String`	User name associated with this event
`ruleName`	`String`	Rule name associated with this event
`banName`	`String`	Ban name associated with this event
`updaterName`	`String`	Updater name associated with this event
`rapfigName`	`String`	Rapid Config name associated with this event
`indicatorName`	`String`	Advanced threat indicator name associated with this event
`indicatorSetName`	`String`	Advanced threat indicator set name associated with this event
`param1`	`String`	Internal string parameter 1
`param2`	`String`	Internal string parameter 2
`param3`	`String`	Internal string parameter 3
`stringId`	`Int32`	Internal string Id used for description
`unifiedSource`	`String`	Unified server name that created this event
`clVersion`	`Int32`	CL version associated with this event
`eventRuleId`	`Int32`	Id of the event rule associated with this event
`customRuleId`	`Int32`	Id of the rule associated with this eventThis is a foreign key and can be expanded to expose fields from the related `customRule` object
`fileRuleId`	`Int32`	Id of the file rule associated with this eventThis is a foreign key and can be expanded to expose fields from the related `fileRule` object
`installEventId`	`Int32`	Id of the install event associated with this event
`pathNameId`	`Int32`	Id of the file path associated with this event
`processPathNameId`	`Int32`	Id of the file path of the process associated with this event
`fileNameId`	`Int32`	Id of the name of the file associated with this event
`fileFirstExecutionDate`	`DateTime`	Date of the first execution of the file associated with this event
`sha256`	`String`	SHA-256 hash of the file associated with this event
`computerPolicyId`	`Int32`	Id of the policy this computer is in
`platformId`	`Int32`	Id of the platform of this computer.Can be one of: 1 = Windows2 = Mac4 = Linux
`installerHash`	`String`	SHA-256 hash of the installer file associated with this event
`processHash`	`String`	SHA-256 hash of the process associated with this event
`computerTag`	`String`	Custom tag on the computer
`osName`	`String`	Computer’s operating system
`agentVersion`	`String`	Version of the agent running on the computer associated with this event
`fileTrust`	`Int32`	Trust value of the file associated with this event
`fileTrustMessages`	`String`	Trust messages from the file associated with this event
`fileThreat`	`Int16`	Threat value of the file associated with this event
`filePrevalence`	`Int32`	Prevalence of the file associated with this event
`processTrust`	`Int32`	Trust value of the process associated with this event
`processTrustMessages`	`String`	Trust messages from the process associated with this event
`processThreat`	`Int16`	Threat value of the process associated with this event
`processPrevalence`	`Int32`	Prevalence of the process associated with this event

internalEvent is a read-only object and has no modifiable properties.

GET Request for internalEvent

Required permissions: ‘View events’

Call syntax: bit9platform/v1/internalEvent/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for internalEvent

Required permissions: ‘View events’

Call syntax: bit9platform/v1/internalEvent?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type	Description
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32	When -2, a “quick count” will be returned.
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» meteredExecution

v1/meteredExecution object exposes metered executions. This is a read-only object and can only be configured from the Carbon Black App Control Console.

All Object Properties for meteredExecution

Name	Type	Property Description
`id`	`Int32`	Unique id of this meteredExecution
`meterId`	`Int32`	Id of meter associated with this execution
`name`	`String`	Name of meter associated with this execution
`description`	`String`	Description of meter associated with this execution
`type`	`Int32`	How the meter was defined. Can be one of: 1=md5 hash2=sha1 hash4=file name5=sha-256 hash6=fuzzy sha-256 hash
`data`	`String`	Data from definition of meter. Data depends on type, and can be file name or hash
`eventId`	`Int64`	Id of `event` associated with this executionThis is a foreign key and can be expanded to expose fields from the related `Event` object
`computerId`	`Int32`	Id of `computer` associated with this executionThis is a foreign key and can be expanded to expose fields from the related `computer` object
`fileCatalogId`	`Int32`	Id of `filecatalog` entry associated with this executionThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`timestamp`	`DateTime`	Date/time associated with this execution (UTC)
`userName`	`String`	User name associated with this execution

meteredExecution is a read-only object and has no modifiable properties.

GET Request for meteredExecution

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/meteredExecution/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for meteredExecution

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/meteredExecution?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» notification

v1/notification object allows pushing notifications from the Network Connectors through POST request. These notifications can be based on previously requested file analysis, or can come directly from the network appliance, such as firewall.

Properties modifiable Using PUT/POST Request for notification

Name	Type	Property Description
`connectorId`	`Int64`	Id of `connector` object that sent the notification
`time`	`DateTime`	Date/time of the notification (UTC)
`analysisResult`	`Int32`	Analysis result. Can be one of:0 = Unknown1 = Not malicious2 = Potential risk3 = Malicious
`fileAnalysisId`	`Int64`	Id of `fileAnalysis` object associated with the notification. This should be available if notification came as a result of the file analysis
`fileName`	`String`	File name (Optional)
`md5`	`String`	Md5 hash of the file (Optional)
`sha256`	`String`	Sha256 hash of the file (Optional)
`sha1`	`String`	Sha-1 hash of the file (Optional)
`malwareName`	`String`	Name of malware (Optional)
`malwareType`	`String`	Type of malware (Optional)
`externalUrl`	`String`	External URL showing more details about the results (Optional)
`externalId`	`Int32`	External Id (Optional)
`severity`	`String`	Severity of notification (Optional)
`type`	`String`	Type of notification (Optional)
`appliance`	`String`	Name of appliance (Optional)
`product`	`String`	Name of product (Optional)
`version`	`String`	Vesion of the product (Optional)
`srcIp`	`String`	Source IP address (Optional)
`srcHost`	`String`	Source computer name (Optional)
`destIp`	`String`	Destination IP address (Optional)
`msgFormat`	`String`	Message format (Optional)
`anomaly`	`String`	Anomaly detected by the appliance (Optional)
`targetApp`	`String`	Application associated with the notification(Optional)
`targetOS`	`String`	Target OS used when analyzing file (Optional)
`httpHeader`	`String`	Http header associated with the notification (Optional)
`status`	`Int32`	Status associated with the notification (Optional)
`srcUsername`	`String`	Source user name associated with the network traffic (Optional)
`destUsername`	`String`	Destination user name associated with the network traffic (Optional)
`flags`	`Int32`	Flags associated with the notification (Optional)
`files`	`NotificationFile[]`	Optional array of file objects with following fields:
`• md5`	``	Md5 hash of the file (Optional)
`• sha1`	``	Sha-1 hash of the file (Optional)
`• sha256`	``	Sha-256 hash of the file (Optional)
`• fileSize`	``	Size of the file (Optional)
`• fileName`	``	Name of the file (Optional)
`• filePath`	``	Path of the file (Optional)
`• processName`	``	Name of the process that created this directory (Optional)
`• processPath`	``	Path of the process that created this directory (Optional)
`• operation`	``	Operation associated with this directory (Optional)
`• topLevel`	``	True if this is a top-level file (Optional)
`regKeys`	`NotificationRegKey[]`	Optional array of regkey objects with following fields:
`• regKey`	``	Registry key path (Optional)
`• regName`	``	Registry key name (Optional)
`• regValue`	``	Registry key value (Optional)
`• processMd5`	``	Md5 hash of the process that created this directory (Optional)
`• Operation`	``	Operation associated with this registry key (Optional)
`directories`	`NotificationDirectory[]`	Optional array of directory objects with following fields:
`• dirPath`	``	Path of the created directory (Optional)

POST Request for notification

Required permissions: ‘Extend connectors through API’

Call syntax: bit9platform/v1/notification

Name	Source	Type	Description
`value`	FromBody	notification

» notifier

v1/notifier object exposes notifiers that are used in customRule and fileRule objects. Notifiers are displayed on the agents when file is blocked because of the rule. This is a read-only object and can only be modified from the Carbon Black App Control Console.

All Object Properties for notifier

Name	Type	Property Description
`id`	`Int32`	Unique id of this notifier
`name`	`String`	Name of this notifier
`title`	`String`	Notifier dialog title
`messageText`	`String`	Full message text appearing in notifier dialog
`eventLogText`	`String`	Event log text
`url`	`String`	Url link appearing on notifier dialog
`fgImageLocation`	`String`	Foreground image of notifier dialog
`bgImageLocation`	`String`	Background image of notifier dialog
`timeout`	`Int32`	Timeout of notifier in seconds
`showLogo`	`Boolean`	True to show logo on notifier dialog
`logoUrl`	`String`	Url to the logo image
`flags`	`Int32`	Notifier flags. Can be 0 or combination of:1 = Show approval request fields2 = Show justification fields
`systemNotifier`	`Boolean`	True if this is system notifier
`defaultRuleType`	`Int32`	Default `customRule` type for this notifier
`defaultRuleGroupId`	`Int32`	Default `customRule` group Id for this notifier
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdBy`	`String`	User that created this object
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedBy`	`String`	User that last modified this object
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`usageCount`	`Int32`	Number of `customRule` objects that reference this notifier
`clVersion`	`Int64`	CL version associated with this notifier

notifier is a read-only object and has no modifiable properties.

GET Request for notifier

Required permissions: ‘View notifiers’

Call syntax: bit9platform/v1/notifier/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for notifier

Required permissions: ‘View notifiers’

Call syntax: bit9platform/v1/notifier?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» objectTag

v1/objectTag object handles object-tags. (Update capability not available)

All Object Properties for objectTag

Name	Type	Property Description
`id`	`Int32`	The internal ID of the object-tag
`name`	`String`	The object-tag name
`dateCreated`	`DateTime`	The date this object-tag was created

objectTag is a read-only object and has no modifiable properties.

POST Request for objectTag

Required permissions: ‘Manage object-tags’, ‘Manage object-tags’

Call syntax: bit9platform/v1/objectTag?delete={delete}

Name	Source	Type	Description
`value`	FromBody	objectTag
`delete`	FromUri	Boolean

DELETE Request for objectTag

Required permissions: ‘Manage object-tags’, ‘Manage object-tags’

Call syntax: bit9platform/v1/objectTag/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for objectTag

Required permissions: ‘Manage object-tags’

Call syntax: bit9platform/v1/objectTag/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for objectTag

Required permissions: ‘Manage object-tags’

Call syntax: bit9platform/v1/objectTag?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» objectTagMap

v1/objectTagMap object allows you to add and remove tags from various objects (computers and policies so far). (Update capability not available)

All Object Properties for objectTagMap

Name	Type	Property Description
`id`	`Int32`	The internal ID of the `objectTagMap`
`objectTagId`	`Int32`	The internal ID of the `objectTag`This is a foreign key and can be expanded to expose fields from the related `objectTag` object
`objectTagTypeId`	`ObjectTagType`	The ID of the object type (1 for computer, 2 for policy)
`objectId`	`Int32`	The ID of the object being tagged (host_id for computers, host_group_id for policies)
`dateCreated`	`DateTime`	The date this `objectTagMap` was created

objectTagMap is a read-only object and has no modifiable properties.

POST Request for objectTagMap

Required permissions: ‘Manage object-tags’, ‘Manage object-tags’

Call syntax: bit9platform/v1/objectTagMap?delete={delete}

Name	Source	Type	Description
`value`	FromBody	objectTagMap
`delete`	FromUri	Boolean

DELETE Request for objectTagMap

Required permissions: ‘Manage object-tags’, ‘Manage object-tags’

Call syntax: bit9platform/v1/objectTagMap/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for objectTagMap

Required permissions: ‘Manage object-tags’

Call syntax: bit9platform/v1/objectTagMap/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for objectTagMap

Required permissions: ‘Manage object-tags’

Call syntax: bit9platform/v1/objectTagMap?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» pendingAnalysis

v1/pendingAnalysis object exposes all pending analysis requests for a given connector. Only external connectors can be accessed. Analyized files can be accessed through the API.

All Object Properties for pendingAnalysis

Name	Type	Property Description
`id`	`Int64`	Unique fileAnalysis id
`priority`	`Int64`	Priority of this file analysis
`uploaded`	`Boolean`	True if file is available
`fileCatalogId`	`Int32`	Id of `fileCatalog` entry associated with this analysisThis is a foreign key and can be expanded to expose fields from the related `fileCatalog` object
`connectorId`	`Int32`	Id of `connector` associated with this analysisThis is a foreign key and can be expanded to expose fields from the related `connector` object
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdBy`	`String`	User that created this object
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`fileName`	`String`	Name of the file where file exists on the endpoint
`pathName`	`String`	Path of the file where file exists on the endpoint
`md5`	`String`	Md5 hash of file to be analyzed (if available)
`sha1`	`String`	Sha-1 hash of file to be analyzed (if available)
`sha256`	`String`	Sha-256 hash of file to be analyzed
`uploadPath`	`String`	Local upload path for this file on the server (can be a shared network path). Note that file is compressed in a ZIP archive
`uploadedFileSize`	`Int64`	Size of uploaded file. This will be 0 if analysisStatus is 0 (Scheduled)
`analysisStatus`	`Int32`	Status of analysis. Can be one of: 0 = scheduled1 = submitted (file is sent for analysis) 2 = processed (file is processed but results are not available yet)3 = analyzed (file is processed and results are available)4 = error5 = cancelled6 = submit error (file submit error)
`analysisResult`	`Int32`	Result of the analysis. Can be one of: 0 = Not yet available1 = File is clean2 = File is a potential risk3 = File is malicious
`analysisTarget`	`String`	Target of the analysis (Connector-dependent)
`analysisError`	`String`	Error that occurred during analysis

Properties modifiable Using PUT/POST Request for pendingAnalysis

Name	Type	Property Description
`analysisStatus`	`Int32`	Status of analysis. Can be one of: 0 = scheduled1 = submitted (file is sent for analysis) 2 = processed (file is processed but results are not available yet)3 = analyzed (file is processed and results are available)4 = error5 = cancelled6 = submit error (file submit error)
`analysisResult`	`Int32`	Result of the analysis. Can be set only if analysisStatus is set to 3. Possible values are: 0 = Not yet available1 = File is clean2 = File is a potential threat3 = File is malicious
`analysisError`	`String`	Error that occurred during analysis (can be set only if analysisStatus is set to 4)

GET Request for pendingAnalysis

Required permissions: ‘Extend connectors through API’

Call syntax: bit9platform/v1/pendingAnalysis?connectorId={connectorId}&maxCount={maxCount}

Name	Source	Type	Description
`connectorId`	FromUri	Int32
`maxCount`	FromUri	Int32

GET Request for pendingAnalysis

Required permissions: ‘Extend connectors through API’

Call syntax: bit9platform/v1/pendingAnalysis/{id}?downloadFile={downloadFile}

Name	Source	Type	Description
`id`	FromUri	Int64
`downloadFile`	FromUri	Boolean

GET Request for pendingAnalysis

Required permissions: ‘Extend connectors through API’

Call syntax: bit9platform/v1/pendingAnalysis/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for pendingAnalysis

Required permissions: ‘Extend connectors through API’

Call syntax: bit9platform/v1/pendingAnalysis?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

PUT Request for pendingAnalysis

Required permissions: ‘Extend connectors through API’

Call syntax: bit9platform/v1/pendingAnalysis

Name	Source	Type	Description
`value`	FromBody	pendingAnalysis

» performanceOptimizationRule

v1/performanceOptimizationRule object exposes custom performance optimization rules. It also allows creating, editing and deleting these rules.

All Object Properties for performanceOptimizationRule

Name	Type	Property Description
`id`	`Int32`	Unique id of this rule
`masterRuleId`	`Int32`	Id of parent of this rule
`idUnique`	`Guid`	Unique GUID of this rule
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleUITemplateId`	`Int32`	UI Template id of this rule. Can be one of:0=None1=File Integrity Control2=Trusted Path3=Execution Control4=File Creation Control5=Performance Optimization99=Advanced1000=Internal1001=Updaters
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`ruleAction`	`String`	Display name of action taken by this rule. Action can be calculated from other rule parameters (flags, masks, opTypes), and is exposed as read-only field.
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`combinedActionMask`	`Int32`	execActionMask combined with writeActionMask with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`combinedOpType`	`Int32`	execOpType combined with writeOpType with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`policyIds`	`String`	List of IDs of policies where this rule applies. Value will be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`hidden`	`Boolean`	True if rule is hidden
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`createdBy`	`String`	User that created this object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	User that last modified this object
`dateImported`	`DateTime`	Date/time when this rule was imported (UTC). This field will be null if rule was not imported
`importedByUserId`	`Int32`	Id of `user` that imported this rule. This field will be null if rule was not importedThis is a foreign key and can be expanded to expose fields from the related `user` object
`importedBy`	`String`	User that imported this rule. This field will be null if rule was not imported
`importSessionHandle`	`String`	Internal session handle used during rule import. This field will be null if rule was not imported.
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Note that value of the rank will be different than rank exposed in the console because API exposes more rules.
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:0x01 = High0x02 = Medium0x04 = LocalApproval0x08 = Low0x10 = Visibility0x20 = DisabledUse -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`updaterId`	`Int32`	Id of `updater` object that contains this ruleThis is a foreign key and can be expanded to expose fields from the related `updater` object
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`priority`	`Int32`	Priority of this rule
`priorityBucket`	`Int32`	Priority bucket of this rule
`priorityGroup`	`Int32`	Priority group of this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule
`version`	`Int64`	Version of this custom rule

Properties modifiable Using PUT/POST Request for performanceOptimizationRule

Name	Type	Property Description
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`policyIds`	`String`	List of IDs of policies where this rule applies. Value should be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Change rank to move the rule
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:High = 0x01Medium = 0x02LocalApproval = 0x04Low = 0x08Visibility = 0x10Disabled = 0x20 Use -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 - if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule

POST Request for performanceOptimizationRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/performanceOptimizationRule?delete={delete}

Name	Source	Type	Description
`value`	FromBody	customRule
`delete`	FromUri	Boolean

PUT Request for performanceOptimizationRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/performanceOptimizationRule/{id}?delete={delete}

Name	Source	Type
`id`	FromUri	Int32
`value`	FromBody	customRule
`delete`	FromUri	Boolean

DELETE Request for performanceOptimizationRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/performanceOptimizationRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for performanceOptimizationRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/performanceOptimizationRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for performanceOptimizationRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/performanceOptimizationRule?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» plugin

v1/plugin object exposes plugins.

All Object Properties for plugin

Name	Type	Property Description
`id`	`Int32`	ID of the plugin
`name`	`String`	Name of the plugin
`version`	`String`	Version of the plugin
`url`	`String`	URL of the plugin
`description`	`String`	Description of the plugin
`dateCreated`	`DateTime`	Date/Time when this plugin was registered (UTC)
`dateModified`	`DateTime`	Date/Time when this plugin was last modified (UTC)

Properties modifiable Using PUT/POST Request for plugin

Name	Type	Property Description
`version`	`String`	Version of the plugin
`url`	`String`	URL of the plugin
`description`	`String`	Description of the plugin

POST Request for plugin

Required permissions: ‘View plugins’, ‘Manage plugins’

Call syntax: bit9platform/v1/plugin?delete={delete}

Name	Source	Type	Description
`value`	FromBody	plugin
`delete`	FromUri	Boolean

PUT Request for plugin

Required permissions: ‘View plugins’, ‘Manage plugins’

Call syntax: bit9platform/v1/plugin/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	plugin

DELETE Request for plugin

Required permissions: ‘View plugins’, ‘Manage plugins’

Call syntax: bit9platform/v1/plugin/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for plugin

Required permissions: ‘View plugins’

Call syntax: bit9platform/v1/plugin/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for plugin

Required permissions: ‘View plugins’

Call syntax: bit9platform/v1/plugin?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» policy

v1/policy object exposes policy information. When a new policy is created, its notifiers will be automatically copied from the Template Policy.

All Object Properties for policy

Name	Type	Property Description
`id`	`Int32`	Unique id of this policy
`name`	`String`	Name of this policy
`description`	`String`	Description of this policy
`packageName`	`String`	Name of installer package for this policy
`enforcementLevel`	`Int32`	Target enforcement level. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
`disconnectedEnforcementLevel`	`Int32`	Target enforcement level for disconnected computers. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
`helpDeskUrl`	`String`	Helpdesk URL for notifiers in this policy
`imageUrl`	`String`	Image logo URL for notifiers in this policy
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`readOnly`	`Boolean`	True if this policy is read-only
`hidden`	`Boolean`	True if this policy is hidden in the UI
`automatic`	`Boolean`	True if AD mapping is enabled for this policy
`loadAgentInSafeMode`	`Boolean`	True if agents in this policy will be loaded when machine is booted in “safe mode”
`reputationEnabled`	`Boolean`	True if reputation approvals are enabled in this policy
`fileTrackingEnabled`	`Boolean`	True if file tracking enabled in this policy
`ruleTrackingEnabled`	`Boolean`	True if rule tracking enabled in this policy
`customLogo`	`Boolean`	True if notifiers in this policy use custom logo
`automaticApprovalsOnTransition`	`Boolean`	True if agents in this policy will automatically locally approve files when transitioning into High Enforcement
`allowAgentUpgrades`	`Boolean`	True if agents can be upgraded for this policy
`totalComputers`	`Int32`	Total number of computers in this policy
`connectedComputers`	`Int32`	Number of connected computers in this policy
`atEnforcementComputers`	`Int32`	Number of computers that are at target enforcement level in this policy
`clVersionMax`	`Int32`	Max target CL version for agents in this policy

Properties modifiable Using PUT/POST Request for policy

Name	Type	Property Description
`name`	`String`	Name of this policy. Note that policy name has to be unique and can contain only ASCII characters and cannot contain one of following characters: `'
`description`	`String`	Description of this policy
`enforcementLevel`	`Int32`	Target enforcement level. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
`disconnectedEnforcementLevel`	`Int32`	Target enforcement level for disconnected computers. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
`automatic`	`Boolean`	True if AD mapping is enabled for this policy
`loadAgentInSafeMode`	`Boolean`	True if agents in this policy will be loaded when machine is booted in “safe mode”
`reputationEnabled`	`Boolean`	True if reputation approvals are enabled in this policy
`fileTrackingEnabled`	`Boolean`	True if file tracking enabled in this policy
`ruleTrackingEnabled`	`Boolean`	True if rule tracking enabled in this policy
`customLogo`	`Boolean`	True if notifiers in this policy use custom logo
`automaticApprovalsOnTransition`	`Boolean`	True if agents in this policy will automatically locally approve files when transitioning into High Enforcement
`allowAgentUpgrades`	`Boolean`	True if agents can be upgraded for this policy

GET Request for policy

Required permissions: Unknown

Call syntax: bit9platform/v1/policy?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

GET Request for policy

Required permissions: Unknown

Call syntax: bit9platform/v1/policy/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

POST Request for policy

Required permissions: Unknown

Call syntax: bit9platform/v1/policy?delete={delete}

Name	Source	Type	Description
`value`	FromBody	policy
`delete`	FromUri	Boolean

PUT Request for policy

Required permissions: Unknown

Call syntax: bit9platform/v1/policy/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	policy

DELETE Request for policy

Required permissions: Unknown

Call syntax: bit9platform/v1/policy/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

» productName

v1/productName object exposes product names the server has encountered. Note that this is read-only API.

All Object Properties for productName

Name	Type	Property Description
`id`	`Int32`	Unique product name Id
`name`	`String`	Product name

productName is a read-only object and has no modifiable properties.

GET Request for productName

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/productName/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for productName

Required permissions: ‘View files and applications’

Call syntax: bit9platform/v1/productName?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» publisher

v1/publisher object exposes publisher information and allows changing publisher state (Banning or Approving).

All Object Properties for publisher

Name	Type	Property Description
`id`	`Int32`	Unique id of this publisher
`name`	`String`	Subject name of leaf certificate for this publisher
`description`	`String`	User-defined description for this publisher
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`modifiedBy`	`String`	User that last modified this publisher
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`publisherReputation`	`Int32`	Reputation of this publisher. Can be one of: 0=Not trusted (Unknown) 1=Low 2=Medium 3=High
`publisherState`	`Int32`	State for this publisher. Can be one of: 1=Unapproved 2=Approved 3=Banned, 4=Approved By Policy, 5=Banned By Policy,
`firstSeenPlatformId`	`Int32`	ID of the platform where this publisher was first seen. It can be one of : 0 = Unknown1 = Windows2 = Mac4 = Linux
`acknowledged`	`Boolean`	True if this publisher is acknowledged
`acknowledgedByUserId`	`Int32`	Id of `user` that acknowledged this publisherThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateAcknowledged`	`DateTime`	Date/time when this object was acknowledged (UTC)
`policyIds`	`String`	List of IDs of policies where this rule applies. Value will be empty if this is a global rule
`reputationApprovalsEnabled`	`Boolean`	True if publisher can be approved by reputation
`sourceType`	`Int32`	Mechanism that changed publisher state. Can be one of: 1 = Manual3 = Reputation5 = External (API)
`firstSeenComputerId`	`Int32`	Id of `computer` where this publisher was first seenThis is a foreign key and can be expanded to expose fields from the related `computer` object
`platformFlags`	`Int32`	Set of platform flags where this publisher will be appoved/banned. Combination of: 1 = Windows2 = Mac4 = Linux
`signedFilesCount`	`Int32`	Number of files this publisher has signed
`signedCertificateCount`	`Int32`	Number of certificates associated with this publisher
`hidden`	`Boolean`	True if publisher is hidden from the UI (because it was not seen on endpoints or modified yet)
`clVersion`	`Int64`	CL version associated with this publisher
`stateSource`	`String`	How this publisher got into this state

Properties modifiable Using PUT/POST Request for publisher

Name	Type	Property Description
`description`	`String`	User-defined description for this publisher
`publisherState`	`Int32`	State for this publisher. Can be one of: 1=Unapproved 2=Approved 3=Banned, 4=Approved By Policy, 5=Banned By Policy,
`acknowledged`	`Boolean`	Set to true to acknowledge this publisher
`policyIds`	`String`	List of IDs of policies where this rule applies. Value should be empty if this is a global rule
`reputationApprovalsEnabled`	`Boolean`	True to enable reputation approvals for this publisher
`sourceType`	`Int32`	Mechanism that changed publisher state. Can be one of: 1 = Manual3 = Reputation5 = External (API)
`platformFlags`	`Int32`	Set of platform flags where this publisher will be appoved/banned. Combination of: 1 = Windows2 = Mac4 = Linux

POST Request for publisher

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/publisher

Name	Source	Type	Description
`value`	FromBody	publisher

PUT Request for publisher

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/publisher/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	publisher

DELETE Request for publisher

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/publisher/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for publisher

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/publisher/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for publisher

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/publisher?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» publisherCertificate

v1/publisherCertificate object exposes all unique relationships between certificates and publishers.

All Object Properties for publisherCertificate

Name	Type	Property Description
`id`	`Int64`	Unique id of this relationship
`certificateId`	`Int32`	Id of `certificate` for this relationshipThis is a foreign key and can be expanded to expose fields from the related `certificate` object
`publisherId`	`Int32`	Id of `publisher` for this relationshipThis is a foreign key and can be expanded to expose fields from the related `publisher` object
`certificateStateForPublisher`	`Int32`	Certificate state in the context of a given publisher. Can be one of: 1=Unapproved 2=Approved 3=Banned

publisherCertificate is a read-only object and has no modifiable properties.

GET Request for publisherCertificate

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/publisherCertificate/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for publisherCertificate

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/publisherCertificate?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» rapidConfig

v1/rapidConfig object exposes Rapid Config information. It allows enabling/disabling. To modify settings, see v1/rapidConfigSetting.

All Object Properties for rapidConfig

Name	Type	Property Description
`id`	`Int32`	Unique ID of this Rapid Config
`rapidConfigIdUnique`	`Guid`	Unique GUID to use to look up settings in v1/rapidConfigSetting
`name`	`String`	Rapid Config name
`description`	`String`	Rapid Config description
`purpose`	`String`	Purpose of this Rapid Config
`version`	`String`	Rapid Config version
`enabled`	`Boolean`	True if Rapid Config is enabled
`platformFlags`	`Int32`	Set of platform flags where this Rapid Config is valid. combination of: 1 = Windows2 = Mac4 = Linux
`createdBy`	`String`	User that created this Rapid Config
`dateCreated`	`DateTime`	Date/time when this Rapid Config was created (UTC)
`modifiedBy`	`String`	User that last modified this Rapid Config
`dateModified`	`DateTime`	Date/time when this Rapid Config was last modified (UTC)
`dateUpgraded`	`DateTime`	Date/time when this Rapid Config was upgraded (UTC)
`clVersion`	`Int64`	CL version associated with this Rapid Config
`configured`	`Boolean`	True if required settings have been configured for this Rapid Config
`policyIds`	`String`	List of IDs of policies where this Rapid Config applies. Empty if this is a global Rapid Config

Properties modifiable Using PUT/POST Request for rapidConfig

Name	Type	Property Description
`enabled`	`Boolean`	True if Rapid Config is enabled
`policyIds`	`String`	List of IDs of policies where this Rapid Config applies. Empty if this is a global Rapid Config. This can only be configured if this Rapid Config has no settings.

POST Request for rapidConfig

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/rapidConfig

Name	Source	Type	Description
`value`	FromBody	rapidConfig

PUT Request for rapidConfig

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/rapidConfig/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	rapidConfig

GET Request for rapidConfig

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/rapidConfig/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for rapidConfig

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/rapidConfig?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» rapidConfigAvailableSetting

v1/rapidConfigAvailableSetting object Read-only default settings for Rapid Configs. This API call can be used in conjunction with v1/rapidConfigSetting and v1/rapidConfig to configure Rapid Configs.

All Object Properties for rapidConfigAvailableSetting

Name	Type	Property Description
`id`	`Guid`	Unique GUID of this available setting. Use this value as paramIdUnique in v1/rapidConfigSetting to configure Rapid Configs with this setting.
`rapidConfigIdUnique`	`Guid`	Unique GUID of the Rapid Config associated with this default setting
`label`	`String`	Brief description of this default setting
`required`	`Boolean`	True if this setting is required before enabling the associated Rapid Config
`defaultValue`	`String`	The default value of this setting
`description`	`String`	A longer description of this default setting
`possibleValues`	`List`1`	Possible values for this setting, if applicable. If this value is empty, it means the value is a free text.

rapidConfigAvailableSetting is a read-only object and has no modifiable properties.

GET Request for rapidConfigAvailableSetting

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/rapidConfigAvailableSetting/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for rapidConfigAvailableSetting

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/rapidConfigAvailableSetting?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» rapidConfigSetting

v1/rapidConfigSetting object exposes settings for Rapid Configs. This API call can be used in conjunction with v1/rapidConfigAvailableSetting and v1/rapidConfig to configure Rapid Configs.

All Object Properties for rapidConfigSetting

Name	Type	Property Description
`id`	`Int32`	Unique ID of this setting
`rapidConfigIdUnique`	`Guid`	Unique GUID of the Rapid Config associated with this default setting
`name`	`String`	Custom name given to this setting
`description`	`String`	A customizable description of this setting
`paramIdUnique`	`Guid`	Unique GUID of the setting. This value can appear multiple times with different policyIds.
`label`	`String`	A brief description of this setting
`paramDescription`	`String`	A longer description of this setting
`required`	`Boolean`	True if this setting is required before enabling the associated Rapid Config
`value`	`String`	The value of this setting
`possibleValues`	`List`1`	Possible values for this setting, if applicable. If this value is empty, it means the value is a free text.
`policyIds`	`String`	Comma-separated list of policyIds this Rapid Config Setting applies to

Properties modifiable Using PUT/POST Request for rapidConfigSetting

Name	Type	Property Description
`name`	`String`	Custom name given to this setting
`description`	`String`	A customizable description of this setting
`value`	`String`	The value of this setting
`policyIds`	`String`	Comma-separated list of policyIds this Rapid Config Setting applies to

POST Request for rapidConfigSetting

Required permissions: ‘View software rules pages’, ‘Manage Updaters and Rapid Configs’

Call syntax: bit9platform/v1/rapidConfigSetting?delete={delete}

Name	Source	Type	Description
`value`	FromBody	rapidConfigSetting
`delete`	FromUri	Boolean

DELETE Request for rapidConfigSetting

Required permissions: ‘View software rules pages’, ‘Manage Updaters and Rapid Configs’

Call syntax: bit9platform/v1/rapidConfigSetting/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for rapidConfigSetting

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/rapidConfigSetting/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for rapidConfigSetting

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/rapidConfigSetting?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» ruleTriggerData

v1/ruleTriggerData object exposes data related to rules triggering for Carbon Black App Control Agent

All Object Properties for ruleTriggerData

Name	Type	Property Description
`id`	`Int32`	Unique id
`ruleId`	`Int32`	Rule id
`name`	`String`	Rule name
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdBy`	`String`	Rule created by
`hitCount`	`Int64`	Rule trigger count
`triggerDate`	`DateTime`	Date/time when this rule was triggered (UTC)

Properties modifiable Using PUT/POST Request for ruleTriggerData

Name	Type	Property Description
`id`	`Int32`	Unique id
`ruleId`	`Int32`	Rule id
`name`	`String`	Rule name
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdBy`	`String`	Rule created by
`hitCount`	`Int64`	Rule trigger count
`triggerDate`	`DateTime`	Date/time when this rule was triggered (UTC)

GET Request for ruleTriggerData

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/ruleTriggerData?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» ruleTriggerDetails

v1/ruleTriggerDetails object exposes detailed data related to rules triggering for Carbon Black App Control Agent

All Object Properties for ruleTriggerDetails

Name	Type	Property Description
`id`	`Int32`	Unique id
`ruleId`	`Int32`	Rule id
`name`	`String`	Rule name
`deleted`	`Boolean`	Indicates if the Rule is marked deleted
`masterRuleId`	`Int32`	Id of master rule associated with current rule
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdBy`	`String`	Rule created by
`hostId`	`Int32`	Host id where rule was triggered
`hostName`	`String`	Host name where rule was triggered
`hostGroupId`	`Int32`	Host group id
`hitCount`	`Int64`	Rule trigger count
`triggerDate`	`DateTime`	Date/time when this rule was triggered (UTC)
`triggeredBy`	`String`	User name who triggered the rule
`processName`	`String`	Process name
`processPath`	`String`	Process path
`fileName`	`String`	File name
`filePath`	`String`	File path

Properties modifiable Using PUT/POST Request for ruleTriggerDetails

Name	Type	Property Description
`id`	`Int32`	Unique id
`ruleId`	`Int32`	Rule id
`name`	`String`	Rule name
`deleted`	`Boolean`	Indicates if the Rule is marked deleted
`masterRuleId`	`Int32`	Id of master rule associated with current rule
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdBy`	`String`	Rule created by
`hostId`	`Int32`	Host id where rule was triggered
`hostName`	`String`	Host name where rule was triggered
`hostGroupId`	`Int32`	Host group id
`hitCount`	`Int64`	Rule trigger count
`triggerDate`	`DateTime`	Date/time when this rule was triggered (UTC)
`triggeredBy`	`String`	User name who triggered the rule
`processName`	`String`	Process name
`processPath`	`String`	Process path
`fileName`	`String`	File name
`filePath`	`String`	File path

GET Request for ruleTriggerDetails

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/ruleTriggerDetails/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for ruleTriggerDetails

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/ruleTriggerDetails?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» ruleTriggerSummary

v1/ruleTriggerSummary object exposes data related to rules triggering for Carbon Black App Control Agent

All Object Properties for ruleTriggerSummary

Name	Type	Property Description
`id`	`Int32`	ID of the rule
`idUnique`	`Guid`	Unique GUID of the rule
`ruleType`	`Int32`	14 = memory rule, 15 = registry rule, 17 = custom rule
`ruleName`	`String`	Rule name
`createdBy`	`String`	Rule created by
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`dateModified`	`DateTime`	Date/time when this rule was modified (UTC)
`lastTriggerDate`	`DateTime`	Date/time when this rule was last triggered (UTC) regardless of applied filters
`maxTriggerDate`	`DateTime`	Date/time when this rule was last triggered (UTC) based on the applied filters
`triggerCount`	`Int64`	Rule trigger count
`masterRuleId`	`Int32`	The ID of the master rule

ruleTriggerSummary is a read-only object and has no modifiable properties.

GET Request for ruleTriggerSummary

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/ruleTriggerSummary?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

GET Request for ruleTriggerSummary

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/ruleTriggerSummary/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

» scriptRule

v1/scriptRule object exposes custom script rules. It allows creation and editing of rules that allow tracking of the script files.

All Object Properties for scriptRule

Name	Type	Property Description
`id`	`Int64`	Unique id of this scriptRule
`name`	`String`	Name of this rule
`description`	`String`	Description of this rule
`definitionType`	`Int32`	Type of script definition. It can be one of: 0 = File Association - Process is detected automatically through the file extension association on the system1=Script Type And Process - Process is defined manually
`platformId`	`Int32`	Platform where this file rule will be valid. It can be one of: 1 = Windows2 = Mac4 = Linux
`pattern`	`String`	File pattern that will be used to identify the script (e.g. *.rpm)
`processName`	`String`	Script files will be active only if file was launched by this process. Note that this field is used only when the definitionType is 1
`hidden`	`Boolean`	True if this script rule is hidden from the console
`enabled`	`Boolean`	True if this script rule is enabled
`rescanComputers`	`Boolean`	Setting this value to true will rescan all systems for existing files that match the definition and report them to the server. Note that enabling this field in a new or existing rule causes a delay during which existing local scripts might not be approved
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`createdBy`	`String`	User that created this object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	User that last modified this object
`clVersion`	`Int64`	CL version associated with this file rule

Properties modifiable Using PUT/POST Request for scriptRule

Name	Type	Property Description
`name`	`String`	Name of this rule
`description`	`String`	Description of this rule
`definitionType`	`Int32`	Type of script definition. It can be one of: 0 = File Association - Process is detected automatically through the file extension association on the system1=Script Type And Process - Process is defined manually
`platformId`	`Int32`	Platform where this file rule will be valid. It can be one of: 1 = Windows2 = Mac4 = Linux
`pattern`	`String`	File pattern that will be used to identify the script (e.g. *.rpm)
`processName`	`String`	Script files will be active only if file was launched by this process. Note that this field is used only when the definitionType is 1
`hidden`	`Boolean`	True if this script rule is hidden from the console
`enabled`	`Boolean`	True if this script rule is enabled
`rescanComputers`	`Boolean`	Setting this value to true will rescan all systems for existing files that match the definition and report them to the server. Note that enabling this field in a new or existing rule causes a delay during which existing local scripts might not be approved

POST Request for scriptRule

Required permissions: ‘View software rules pages’, ‘Manage custom scripts’

Call syntax: bit9platform/v1/scriptRule?delete={delete}

Name	Source	Type	Description
`value`	FromBody	scriptRule
`delete`	FromUri	Boolean

PUT Request for scriptRule

Required permissions: ‘View software rules pages’, ‘Manage custom scripts’

Call syntax: bit9platform/v1/scriptRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	scriptRule

DELETE Request for scriptRule

Required permissions: ‘View software rules pages’, ‘Manage custom scripts’

Call syntax: bit9platform/v1/scriptRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for scriptRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/scriptRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for scriptRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/scriptRule?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» serverConfig

v1/serverConfig object exposes configuration properties for the server. Warning: Modifying these properties can negatively impact server behavior. Some of more interesting configuration properties are:

API_Version: Version of this API
ParityServerVersion: Version of this server installation
WebServerAddress: URL of this server
BinaryPort: Port used for agent connections
CBServerUrl: URL of CarbonBlack server if installed
ParityServerOSDescription: OS of this system

All Object Properties for serverConfig

Name	Type	Property Description
`id`	`Int32`	Unique id of this serverConfig
`name`	`String`	Name of property
`value`	`String`	Value of property
`dateModified`	`DateTime`	Date/time when this property was last modified (UTC)
`modifiedBy`	`String`	User that last modified this property
`readOnly`	`Boolean`	Whether this config can be modified by users.

Properties modifiable Using PUT/POST Request for serverConfig

Name	Type	Property Description
`name`	`String`	Name of property
`value`	`String`	Value of property

POST Request for serverConfig

Required permissions: ‘View system configuration’, ‘Manage system configuration’

Call syntax: bit9platform/v1/serverConfig

Name	Source	Type	Description
`value`	FromBody	serverConfig

GET Request for serverConfig

Required permissions: ‘View system configuration’

Call syntax: bit9platform/v1/serverConfig/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for serverConfig

Required permissions: ‘View system configuration’

Call syntax: bit9platform/v1/serverConfig?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» serverPerformance

v1/serverPerformance object exposes server performance statistics. This is a read-only object.

All Object Properties for serverPerformance

Name	Type	Property Description
`id`	`Int64`	Id of entry. Note id is ordinal in the result set and cannot be persisted/cached
`dateCreated`	`DateTime`	Date/Time of the performance entry (UTC)
`connectedAgents`	`Int32`	Average number of connected agents
`agentFileBacklog`	`Int64`	Size of all agent file change queues
`agentProcessingRate`	`Int64`	Total files sent from all agents today
`serverFileBacklog`	`Int64`	Size of server file backlog
`serverProcessingRate`	`Int64`	How many files sent from the Agent was server able to process
`serverFiles`	`Int64`	Total number of inventory files server is tracking
`diskDataWrite`	`Int64`	Disk data file write rate in B/second
`diskDataRead`	`Int64`	Disk data file read rate in B/second
`diskIndexWrite`	`Int64`	Disk index file write rate in B/second
`diskIndexRead`	`Int64`	Disk index file read rate in B/second
`diskLogWrite`	`Int64`	Disk log file write rate in B/second
`diskDataIOPS`	`Decimal`	Disk data file IOPS
`diskIndexIOPS`	`Decimal`	Disk index file IOPS
`diskLogIOPS`	`Decimal`	Disk log file IOPS
`avgDiskLogWriteStallMs`	`Decimal`	Average disk log file write stall in Ms
`avgDiskDataWriteStallMs`	`Decimal`	Average disk data file write stall in Ms
`avgDiskIndexWriteStallMs`	`Decimal`	Average disk index file write stall in Ms
`avgDiskDataReadStallMs`	`Decimal`	Average disk data file read stall in Ms
`avgDiskIndexReadStallMs`	`Decimal`	Average disk index file read stall in Ms
`sqlMemoryPressure`	`Decimal`	Memory pressure of SQL server in % of maximum recommended value
`sqlLatencyMs`	`Decimal`	Average network latency between Carbon Black App Control Server and SQL server in Ms
`sqlInsertLatencyMs`	`Decimal`	Average network latency between Carbon Black App Control Server and SQL server when inserting data into database in Ms

serverPerformance is a read-only object and has no modifiable properties.

GET Request for serverPerformance

Required permissions: ‘View system configuration’

Call syntax: bit9platform/v1/serverPerformance/{id}?period={period}

Name	Source	Type	Description
`id`	FromUri	Int64
`period`	FromUri	Int32

GET Request for serverPerformance

Required permissions: ‘View system configuration’

Call syntax: bit9platform/v1/serverPerformance?q={q1}&q={q2}...&group={group}&subgroup={subgroup}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&period={period}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`subgroup`	FromUri	String
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`period`	FromUri	Int32

» trustedDirectory

v1/trustedDirectory object exposes trusted directory rules. It allows creation and editing of trusted directories.

All Object Properties for trustedDirectory

Name	Type	Property Description
`id`	`Int64`	Unique id of this trustedDirectory
`name`	`String`	Name of the trusted directory as it will appear on the console. This is not the name of the directory that will be sent to the endpoint
`description`	`String`	Description of this trusted directory
`computerId`	`Int32`	Id of `computer` that is hosting this trusted directoryThis is a foreign key and can be expanded to expose fields from the related `computer` object
`directoryPath`	`String`	Path to the directory in which agent will globally approve files. This needs to be directory on the agent that is hosting trustedDirectory
`enabled`	`Boolean`	True if this trusted directory is currently enabled
`accessible`	`Int32`	Accessibility of this trustedDirectory. Can be one of:-1 = Unknown (Agent did not report the accessibility yet)0 = Inaccessible (Agent cannot find the directoryPath or it is not accessible)1 = Accesible (Agent can find and access the directoryPath)
`totalItems`	`Int32`	Number of work items scheduled for processing by the trustedDirectory. Work item is typically a directory
`completedItems`	`Int32`	Number of work items that have been processed by the agent so far. completedItems*100/totalItems gives Trusted Directory analysis progress in %.
`dateCreated`	`DateTime`	Date/time when this object was created (UTC)
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`createdBy`	`String`	User that created this object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	User that last modified this object
`clVersion`	`Int64`	CL version associated with this trustedDirectory
`policyIds`	`String`	Comma-separated list of IDs of policies where the approvals generated by this trusted directory will apply. This value will be empty if the approvals generated by this trusted directory are global.

Properties modifiable Using PUT/POST Request for trustedDirectory

Name	Type	Property Description
`name`	`String`	Name of the trusted directory as it will appear on the console. This is not the name of the directory that will be sent to the endpoint
`description`	`String`	Description of this trusted directory
`computerId`	`Int32`	Id of `computer` that is hosting this trusted directory
`directoryPath`	`String`	Path to the directory in which agent will globally approve files. This needs to be directory on the agent that is hosting trustedDirectory
`enabled`	`Boolean`	True if this trusted directory is currently enabled
`policyIds`	`String`	Comma-separated list of IDs of policies where the approvals generated by this trusted directory will apply. This value will be empty if the approvals generated by this trusted directory are global.

POST Request for trustedDirectory

Required permissions: ‘View software rules pages’, ‘Manage trusted directories’

Call syntax: bit9platform/v1/trustedDirectory?delete={delete}

Name	Source	Type	Description
`value`	FromBody	trustedDirectory
`delete`	FromUri	Boolean

PUT Request for trustedDirectory

Required permissions: ‘View software rules pages’, ‘Manage trusted directories’

Call syntax: bit9platform/v1/trustedDirectory/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	trustedDirectory

DELETE Request for trustedDirectory

Required permissions: ‘View software rules pages’, ‘Manage trusted directories’

Call syntax: bit9platform/v1/trustedDirectory/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for trustedDirectory

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/trustedDirectory/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for trustedDirectory

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/trustedDirectory?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» trustedPathRule

v1/trustedPathRule object exposes custom trusted path rules. It also allows creating, editing and deleting these rules.

All Object Properties for trustedPathRule

Name	Type	Property Description
`id`	`Int32`	Unique id of this rule
`masterRuleId`	`Int32`	Id of parent of this rule
`idUnique`	`Guid`	Unique GUID of this rule
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleUITemplateId`	`Int32`	UI Template id of this rule. Can be one of:0=None1=File Integrity Control2=Trusted Path3=Execution Control4=File Creation Control5=Performance Optimization99=Advanced1000=Internal1001=Updaters
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`ruleAction`	`String`	Display name of action taken by this rule. Action can be calculated from other rule parameters (flags, masks, opTypes), and is exposed as read-only field.
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`execActionMask`	`Int32`	Execution action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`combinedActionMask`	`Int32`	execActionMask combined with writeActionMask with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`execNegationMask`	`Int32`	Execution negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`execOpType`	`Int32`	Execution operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`combinedOpType`	`Int32`	execOpType combined with writeOpType with a bitwise or. This is relevant for Advanced (ruleUITemplateId = 99) rules that have both set.
`policyIds`	`String`	List of IDs of policies where this rule applies. Value will be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`hidden`	`Boolean`	True if rule is hidden
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`createdBy`	`String`	User that created this object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	User that last modified this object
`dateImported`	`DateTime`	Date/time when this rule was imported (UTC). This field will be null if rule was not imported
`importedByUserId`	`Int32`	Id of `user` that imported this rule. This field will be null if rule was not importedThis is a foreign key and can be expanded to expose fields from the related `user` object
`importedBy`	`String`	User that imported this rule. This field will be null if rule was not imported
`importSessionHandle`	`String`	Internal session handle used during rule import. This field will be null if rule was not imported.
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Note that value of the rank will be different than rank exposed in the console because API exposes more rules.
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`execNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s execution action (can be 0 to use default notifier)
`effectiveNotifierId`	`Int32`	Id of `notifier` object associated with this rule
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:0x01 = High0x02 = Medium0x04 = LocalApproval0x08 = Low0x10 = Visibility0x20 = DisabledUse -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`updaterId`	`Int32`	Id of `updater` object that contains this ruleThis is a foreign key and can be expanded to expose fields from the related `updater` object
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`priority`	`Int32`	Priority of this rule
`priorityBucket`	`Int32`	Priority bucket of this rule
`priorityGroup`	`Int32`	Priority group of this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule
`version`	`Int64`	Version of this custom rule

Properties modifiable Using PUT/POST Request for trustedPathRule

Name	Type	Property Description
`name`	`String`	Rule name
`description`	`String`	Rule description
`ruleGroupId`	`Int32`	Group id of this rule
`ruleType`	`Int32`	Rule type. Can be one of:14=Memory rule 15=Registry rule 17=Custom rule
`pathPattern`	`String`	File path pattern to match
`processPattern`	`String`	Process path pattern to match
`execActionMask`	`Int32`	Execution action mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`execNegationMask`	`Int32`	Execution negation mask. Can be combination of:None = 0Allow = 0x00001 (Allow the operation)Block = 0x00002 (Block the operation)ReportOnlyBlock = 0x00004 (Report only block)PromptUser = 0x00008 (Block and ask)PromoteSourceProcess = 0x00010 (Promote the process of the operation)DemoteSourceProcess = 0x00020 (Demote the process of the operation)TellUserMode = 0x00040 (Whether the kernel should tell user mode every time this rule triggers)FinishRuleGroup = 0x00080 (Skip ahead to the next rule group (policy))StopRuleProcessing = 0x00100 (Used to stop rule processing (before we have an answer))ClassifyTarget = 0x00200 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyTarget = 0x00400 (Used to remove classification on the target object (i.e. what type of script/script processor))ClassifyProcess = 0x00800 (Used to classify the target object (i.e. what type of script/script processor))DeclassifyProcess = 0x01000 (Used to remove classification on the target object (i.e. what type of script/script processor))Silent = 0x02000 (Perform all the actions but don’t report them to user mode)Unenforceable = 0x04000 (Fired rule was for some reason unenforceable)DontPromoteChildren = 0x08000 (Promotion is not heritable)QueryAB = 0x10000 (Ask the server if the state changed (used for SRS reputation approvals)
`execOpType`	`Int32`	Execution operation flags. Can be combination of:FileOpTypeFlagNone = 0x00000000FileOpTypeFlagOpen = 0x00000001FileOpTypeFlagOpenExecuteIntent = 0x00000002FileOpTypeFlagOpenWriteIntent = 0x00000004FileOpTypeFlagRead = 0x00000008FileOpTypeFlagWrite = 0x00000010FileOpTypeFlagWriteDelayed = 0x00000020FileOpTypeFlagDelete = 0x00000040FileOpTypeFlagExecute = 0x00000080FileOpTypeFlagRename = 0x00000100FileOpTypeFlagCleanup = 0x00000200FileOpTypeFlagCreateNew = 0x00000400FileOpTypeFlagScriptExecute = 0x00000800FileOpTypeFlagProcessCreate = 0x00001000FileOpTypeFlagProcessTerminate = 0x00002000FileOpTypeFlagImageLoad = 0x00004000FileOpTypeFlagPermissionChange = 0x00008000FileOpTypeFlagOwnerChange = 0x00010000FileOpTypeFlagLockFile = 0x00020000
`policyIds`	`String`	List of IDs of policies where this rule applies. Value should be empty if this is a global rule
`platformFlags`	`Int32`	Set of platform flags where this rule will apply. combination of:1 = Windows2 = Mac4 = Linux
`rank`	`Int64`	Rule rank. Rules are evaluated by their rank. Change rank to move the rule
`enabled`	`Boolean`	True if rule is enabled
`clVersion`	`Int64`	CL version associated with this rule
`execNotifierId`	`Int32`	Id of `notifier` object associated with this rule’s execution action (can be 0 to use default notifier)
`processFlags`	`Int32`	Process flags for this rule
`negatedProcessFlags`	`Int32`	Negated process flags for this rule
`ruleClassId`	`Int32`	Rule class Id
`processFileState`	`Int32`	Rule will be active only if process file state is equal to this value (can be 0 to ignore the process file state)
`processFileFlags`	`Int32`	Flags describing required properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the process. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`processDeviceType`	`Int32`	Process device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`processClassification`	`String`	Rule will be active only if process classification is equal to this
`processPublisherName`	`String`	Rule will be active only if publisher name of process is equal to this
`targetFileState`	`Int32`	Rule will be active only if target file state is equal to this value (can be 0 to ignore the target file state)
`targetFileFlags`	`Int32`	Flags describing required properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetNegatedFileFlags`	`Int32`	Flags describing prohibited properties of the target file. Can be combination of:None = 0x00000000IsPromoted = 0x00000001IsBit9 = 0x00000002IsRoot = 0x00000004IsBit9Spawn = 0x00000008IsNotifier = 0x00000010Is64Bit = 0x00000020IsTrustedUser = 0x00000040IsScriptor = 0x00000080IsMsior = 0x00000100IsComor = 0x00000200PromotionNotHeritable = 0x00000400IsLoadTimeChecked = 0x00000800CantInheritPromotion = 0x00001000IsCrawler = 0x00002000HasDepEnabled = 0x00004000IsLocalAdmin = 0x00008000IsBackgroundTaskSvc= 0x00010000IsRunDll = 0x00400000IsAppExpRunDll = 0x00800000IsNeverTrust = 0x01000000IsWindowsUpdateClient = 0x02000000IsWindowsUpdateServer = 0x04000000IsSvchost = 0x08000000IsEnumerated = 0x10000000IsAllowedSystem = 0x20000000IsExcludePattern = 0x40000000IsPattern = 0x80000000
`targetDeviceType`	`Int32`	Target device type. Can be one of:0 = Any1 = LocalFixed2 = Network3 = AnyRemovable4 = ApprovedRemovable5 = PendingRemovable6 = Unknown7 = BannedRemovable8 = Approved9 = Pending10 = Banned
`targetClassification`	`String`	Rule will be active only if target classification is equal to this
`targetPublisherName`	`String`	Rule will be active only if publisher name of target is equal to this
`minPlatform`	`Int32`	Min platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`maxPlatform`	`Int32`	Max platform. For Windows systems, today, it can be one of:0x0A000000 = Windows 100x06030000 = Windows 8.10x06020000 = Windows 80x06010000 = Windows 70x06000100 = Windows Server 2008 or Windows Vista SP 10x06000000 = Windows Vista0x05020200 = Windows Server 2003 SP 20x05020100 = Windows Server 2003 SP 10x05020000 = Windows Server 20030x05010300 = Windows XP SP30x05010200 = Windows XP SP20x05010100 = Windows XP SP10x05010000 = Windows XP
`classifier`	`String`	Classifier tag to set or remove for classification actions
`objectType`	`Int32`	Object types on which rule will act. This differs per rule type. For Custom rules, it can be one of:-1 = Any0 = Unknown1 = Any existing object2 = Pipe or Mailslot3 = Volume or share4 = Directory5 = File6 = Other (e.g. path with windcards, illegal, system object etc.)For Registry rules, it can be one of:-1 = Any0 = Any1 = Key2 = ValueFor Memory rules, it can be one of:-1 = Any0 = Any1 = Process2 = Thread
`enforcementFlags`	`Int32`	Flags determining in which enforcement levels rule is active. Can be combination of:High = 0x01Medium = 0x02LocalApproval = 0x04Low = 0x08Visibility = 0x10Disabled = 0x20 Use -1 to specify that rule will be active in all enforcement levels
`readOnly`	`Boolean`	True if rule is read-only from the console
`minAgentVersion`	`Int32`	Min agent version code for this rule
`maxAgentVersion`	`Int32`	Max agent version code for this rule
`unifiedFlag`	`Int32`	Local override flag for unified rule (0 - if rule is not unified, 1 - no override allowed, 2 - ranking allowed, 3 - local override allowed)
`unifiedSource`	`String`	Unified server name that created this rule
`origIdUnique`	`Guid`	Unique GUID of the original rule

POST Request for trustedPathRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/trustedPathRule?delete={delete}

Name	Source	Type	Description
`value`	FromBody	customRule
`delete`	FromUri	Boolean

PUT Request for trustedPathRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/trustedPathRule/{id}?delete={delete}

Name	Source	Type
`id`	FromUri	Int32
`value`	FromBody	customRule
`delete`	FromUri	Boolean

DELETE Request for trustedPathRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/trustedPathRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for trustedPathRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/trustedPathRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for trustedPathRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/trustedPathRule?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» trustedUser

v1/trustedUser object exposes trusted user rules. It allows creation and editing of trusted users.

All Object Properties for trustedUser

Name	Type	Property Description
`id`	`Int64`	Unique id of this trustedUser
`name`	`String`	Name of the user as it will appear on the console. This is not the name that will be enforced on the endpoint.
`userSid`	`String`	Id of the user that will be trusted on the endpoint. This field can be user name, user SID (Security identifier) on Windows platforms or user’s ID on Linux and Mac platforms
`description`	`String`	Description of this rule
`platformId`	`Int32`	Platform where this trustedUser will be valid. it is one of: 1 = Windows2 = Mac4 = Linux
`dateCreated`	`DateTime`	Date/time when this object was created (UTC)
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`createdBy`	`String`	User that created this object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	User that last modified this object
`clVersion`	`Int64`	CL version associated with this trustedUser

Properties modifiable Using PUT/POST Request for trustedUser

Name	Type	Property Description
`name`	`String`	Name of the user as it will appear on the console. This is not the name that will be enforced on the endpoint. Trusted user names need to be unique - creation of trustedUser will fail if user with the same name already exists.
`userSid`	`String`	Id of the user that will be trusted on the endpoint. This field can be user name, user SID (Security identifier) on Windows platforms or user’s ID on Linux and Mac platforms
`description`	`String`	Description of this rule
`platformId`	`Int32`	Platform where this rule will be valid. it is one of: 1 = Windows2 = Mac4 = Linux

POST Request for trustedUser

Required permissions: ‘View software rules pages’, ‘Manage trusted users’

Call syntax: bit9platform/v1/trustedUser?delete={delete}

Name	Source	Type	Description
`value`	FromBody	trustedUser
`delete`	FromUri	Boolean

DELETE Request for trustedUser

Required permissions: ‘View software rules pages’, ‘Manage trusted users’

Call syntax: bit9platform/v1/trustedUser/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for trustedUser

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/trustedUser/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for trustedUser

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/trustedUser?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» updater

v1/updater object exposes updater information and allows enabling/disabling of updaters.

All Object Properties for updater

Name	Type	Property Description
`id`	`Int32`	Unique updaterId
`name`	`String`	Updater name
`version`	`String`	Updater version
`enabled`	`Boolean`	True if updater is enabled
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdBy`	`String`	User that created this object
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedBy`	`String`	User that last modified this object
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`clVersion`	`Int64`	CL version associated with this updater
`platformFlags`	`Int32`	Set of platform flags where this updater is valid. combination of: 1 = Windows2 = Mac4 = Linux

Properties modifiable Using PUT/POST Request for updater

Name	Type	Property Description
`enabled`	`Boolean`	True if updater is enabled

POST Request for updater

Required permissions: ‘View software rules pages’, ‘Manage Updaters and Rapid Configs’

Call syntax: bit9platform/v1/updater

Name	Source	Type	Description
`value`	FromBody	updater

PUT Request for updater

Required permissions: ‘View software rules pages’, ‘Manage Updaters and Rapid Configs’

Call syntax: bit9platform/v1/updater/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	updater

GET Request for updater

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/updater/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for updater

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/updater?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» user

v1/user object exposes console users.

All Object Properties for user

Name	Type	Property Description
`id`	`Int32`	Unique id of this user
`name`	`String`	Name of this user
`userGroupIds`	`String`	Comma-separated list of IDs of corresponding `userGroup` objects
`eMailAddress`	`String`	Email address of this user
`firstName`	`String`	First name of this user
`lastName`	`String`	Last name of this user
`title`	`String`	Title of this user
`salutation`	`String`	Salutation of this user
`department`	`String`	Department this user belongs to
`homePhone`	`String`	User’s home phone
`cellPhone`	`String`	User’s cell phone
`backupCellPhone`	`String`	User’s secondary cell phone
`pager`	`String`	User’s pager number
`backupPager`	`String`	User’s secondary pager number
`comments`	`String`	Comments for this user
`adminComments`	`String`	Administrator’s comments for this user
`registrationDate`	`DateTime`	Date this user was first registered (UTC)
`datePasswordSet`	`DateTime`	Date this user last set their password (UTC)
`readOnly`	`Boolean`	True if this user is one of internal users (System or Carbon Black File Reputation Service) or AD user. These users cannot be modified through the API
`external`	`Boolean`	True if this is externally generated user (e.g. from AD).
`automatic`	`Boolean`	True if this user’s roles are assigned automatically through mappings (valid only for external users).
`unified`	`Boolean`	True if this user’s token is already connected to a remote unified environment.
`enabled`	`Boolean`	True if this user is enabled (defaults to true).
`passwordHash`	`String`	Hash of user password
`passwordSalt`	`String`	Salt used to generate password hash
`apiToken`	`String`	API token for this user (deprecated, always null)
`isPasswordTemporary`	`Boolean`	If true, the user will be prompted to change their password upon next successful login.
`isExpirable`	`Boolean`	If true AND the IsUserExpirationEnabled configuration is true, the user account will become disabled after the number of days set in the TemporaryUserExpirationInDays configuration have passed since the last login.

Properties modifiable Using PUT/POST Request for user

Name	Type	Property Description
`name`	`String`	Name of this user
`userGroupIds`	`String`	Comma-separated list of IDs of corresponding `userGroup` objects
`eMailAddress`	`String`	Email address of this user
`firstName`	`String`	First name of this user
`lastName`	`String`	Last name of this user
`title`	`String`	Title of this user
`salutation`	`String`	Salutation of this user
`department`	`String`	Department this user belongs to
`homePhone`	`String`	User’s home phone
`cellPhone`	`String`	User’s cell phone
`backupCellPhone`	`String`	User’s secondary cell phone
`pager`	`String`	User’s pager number
`backupPager`	`String`	User’s secondary pager number
`comments`	`String`	Comments for this user
`adminComments`	`String`	Administrator’s comments for this user
`automatic`	`Boolean`	True if this user’s roles are assigned automatically through mappings (valid only for external users).
`unified`	`Boolean`	True if this user’s token is already connected to a remote unified environment (token should not be changed).
`enabled`	`Boolean`	True if this user is enabled (defaults to true).
`passwordHash`	`String`	Hash of user password
`passwordSalt`	`String`	Salt used to generate password hash
`apiToken`	`String`	API token for this user (deprecated)
`isPasswordTemporary`	`Boolean`	If true, the user will be prompted to change their password upon next successful login.
`isExpirable`	`Boolean`	If true AND the IsUserExpirationEnabled configuration is true, the user account will become disabled after the number of days set in the TemporaryUserExpirationInDays configuration have passed since the last login.

POST Request for user

Required permissions: ‘View login accounts and user roles’, ‘Manage login accounts’

Call syntax: bit9platform/v1/user?delete={delete}

Name	Source	Type	Description
`value`	FromBody	user
`delete`	FromUri	Boolean

PUT Request for user

Required permissions: ‘View login accounts and user roles’, ‘Manage login accounts’

Call syntax: bit9platform/v1/user/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	user

DELETE Request for user

Required permissions: ‘View login accounts and user roles’

Call syntax: bit9platform/v1/user/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for user

Required permissions: ‘View login accounts and user roles’

Call syntax: bit9platform/v1/user/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for user

Required permissions: ‘View login accounts and user roles’

Call syntax: bit9platform/v1/user?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» userGroup

v1/userGroup object exposes user groups and associated permissions. This is a read-only object and can only be modified from the Carbon Black App Control Console.

All Object Properties for userGroup

Name	Type	Property Description
`id`	`Int32`	Unique id of this userGroup
`name`	`String`	Name of this userGroup
`description`	`String`	Description of this userGroup
`permissions`	`String`	Permissions associated with users of this userGroup as a hexadecimal string. Can be combination of:PERMISSION_COMPUTERS_VIEW = 0x0000000000000001PERMISSION_COMPUTERS_ASSIGN = 0x0000000000000002PERMISSION_COMPUTERS_TEMPORARY_ASSIGN = 0x0000000000000004PERMISSION_COMPUTERS_ADVANCED = 0x0000000000000008PERMISSION_FILES_VIEW = 0x0000000000000010PERMISSION_FILES_MANAGE_STATE = 0x0000000000000020PERMISSION_FILES_MANAGE_LOCAL_STATE = 0x0000000000000040PERMISSION_POLICIES_VIEW = 0x0000000000000080PERMISSION_POLICIES_MANAGE = 0x0000000000000100PERMISSION_POLICIES_MAPPINGS = 0x0000000000000200PERMISSION_RULES_VIEW = 0x0000000000000400PERMISSION_RULES_MANAGE_DEVICE = 0x0000000000000800PERMISSION_RULES_MANAGE_EVENT = 0x0000000000001000PERMISSION_RULES_MANAGE_DIRECTORIES = 0x0000000000002000PERMISSION_RULES_MANAGE_PUBLISHERS = 0x0000000000004000PERMISSION_RULES_MANAGE_USERS = 0x0000000000008000PERMISSION_RULES_MANAGE_CUSTOM = 0x0000000000010000PERMISSION_REPORTS_VIEW_EVENTS = 0x0000000000020000PERMISSION_REPORTS_MANAGE_DASHBOARDS = 0x0000000000040000PERMISSION_REPORTS_VIEW_DRIFT = 0x0000000000080000PERMISSION_REPORTS_MANAGE_DRIFT = 0x0000000000100000PERMISSION_REPORTS_MANAGE_SNAPSHOTS = 0x0000000000200000PERMISSION_REPORTS_SAVED_VIEWS = 0x0000000000400000PERMISSION_TOOLS_VIEW_ALERTS = 0x0000000000800000PERMISSION_TOOLS_MANAGE_ALERTS = 0x0000000001000000PERMISSION_TOOLS_VIEW_METERS = 0x0000000002000000PERMISSION_TOOLS_MANAGE_METERS = 0x0000000004000000PERMISSION_ADMINISTRATION_VIEW_CONFIG = 0x0000000008000000PERMISSION_ADMINISTRATION_VIEW_USERS = 0x0000000010000000PERMISSION_ADMINISTRATION_MANAGE_CONFIG = 0x0000000020000000PERMISSION_ADMINISTRATION_MANAGE_USERS = 0x0000000040000000PERMISSION_ADMINISTRATION_MANAGE_USER_GROUPS = 0x0000000100000000PERMISSION_DEVICES_VIEW = 0x0000000200000000PERMISSION_RULES_MANAGE_UPDATERS = 0x0000000400000000PERMISSION_MANAGE_APPROVAL_REQUESTS = 0x0000000800000000PERMISSION_VIEW_APPROVAL_REQUESTS = 0x0000001000000000PERMISSION_VIEW_UPLOADED_FILES = 0x0000002000000000PERMISSION_ALLOW_UPLOAD_INVENTORY = 0x0000004000000000PERMISSION_ALLOW_EXECUTE_COMMANDS = 0x0000008000000000PERMISSION_RULES_MANAGE_SCRIPT = 0x0000010000000000PERMISSION_NOTIFIERS_VIEW = 0x0000020000000000PERMISSION_NOTIFIERS_MANAGE = 0x0000040000000000PERMISSION_ACCESS_UPLOAD_FILES = 0x0000080000000000PERMISSION_ALLOW_UPLOAD_FILES_BY_PATH = 0x0000100000000000PERMISSION_ALLOW_ANALYZE_FILES = 0x0000200000000000PERMISSION_RULES_MANAGE_ATI_SETS = 0x0000400000000000PERMISSION_VIEW_EXTERNAL_ANALYTICS = 0x0000800000000000PERMISSION_VIEW_PROCESS_COMMAND_LINES = 0x0001000000000000PERMISSION_VIEW_SYSTEM_HEALTH = 0x0002000000000000PERMISSION_EXTEND_CONNECTORS = 0x0004000000000000PERMISSION_MANAGE_OBJECTTAGS = 0x0008000000000000PERMISSION_VIEW_PLUGINS = 0x0010000000000000PERMISSION_MANAGE_PLUGINS = 0x0020000000000000PERMISSION_REPORTS_VIEW_GLOBAL_EVENTS = 0x0040000000000000PERMISSION_USE_UNIFIED_MANAGEMENT = 0x0080000000000000PERMISSION_CONFIGURE_UNIFIED_MANAGEMENT = 0x0100000000000000PERMISSION_LOCAL_LOGIN_OVERRIDE = 0x0200000000000000PERMISSION_FILES_DELETE = 0x0400000000000000PERMISSION_USE_API = 0x0800000000000000
`policyIds`	`String`	List of IDs of policies where this user group applies. Value will be empty if this is a global user group
`enabled`	`Boolean`	True if this userGroup is enabled
`editable`	`Boolean`	True if this userGroup is editable
`dateCreated`	`DateTime`	Date/time when this rule was created (UTC)
`createdByUserId`	`Int32`	Id of `user` that created this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`createdBy`	`String`	User that created this object
`dateModified`	`DateTime`	Date/time when this object was last modified (UTC)
`modifiedByUserId`	`Int32`	Id of `user` that last modified this objectThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	User that last modified this object
`automaticCount`	`Int32`	Number of users that belong to this group and have been assigned through AD rule (doesn’t include internal users)
`manualCount`	`Int32`	Number of users that belong to this group and have been assigned manually (doesn’t include internal users)
`enabledCount`	`Int32`	Number of users that belong to this group and are enabled (doesn’t include internal users)

Properties modifiable Using PUT/POST Request for userGroup

Name	Type	Property Description
`name`	`String`	Name of this userGroup
`description`	`String`	Description of this userGroup
`permissions`	`String`	Permissions associated with users of this userGroup as a hexadecimal string. Can be combination of:PERMISSION_COMPUTERS_VIEW = 0x0000000000000001PERMISSION_COMPUTERS_ASSIGN = 0x0000000000000002PERMISSION_COMPUTERS_TEMPORARY_ASSIGN = 0x0000000000000004PERMISSION_COMPUTERS_ADVANCED = 0x0000000000000008PERMISSION_FILES_VIEW = 0x0000000000000010PERMISSION_FILES_MANAGE_STATE = 0x0000000000000020PERMISSION_FILES_MANAGE_LOCAL_STATE = 0x0000000000000040PERMISSION_POLICIES_VIEW = 0x0000000000000080PERMISSION_POLICIES_MANAGE = 0x0000000000000100PERMISSION_POLICIES_MAPPINGS = 0x0000000000000200PERMISSION_RULES_VIEW = 0x0000000000000400PERMISSION_RULES_MANAGE_DEVICE = 0x0000000000000800PERMISSION_RULES_MANAGE_EVENT = 0x0000000000001000PERMISSION_RULES_MANAGE_DIRECTORIES = 0x0000000000002000PERMISSION_RULES_MANAGE_PUBLISHERS = 0x0000000000004000PERMISSION_RULES_MANAGE_USERS = 0x0000000000008000PERMISSION_RULES_MANAGE_CUSTOM = 0x0000000000010000PERMISSION_REPORTS_VIEW_EVENTS = 0x0000000000020000PERMISSION_REPORTS_MANAGE_DASHBOARDS = 0x0000000000040000PERMISSION_REPORTS_VIEW_DRIFT = 0x0000000000080000PERMISSION_REPORTS_MANAGE_DRIFT = 0x0000000000100000PERMISSION_REPORTS_MANAGE_SNAPSHOTS = 0x0000000000200000PERMISSION_REPORTS_SAVED_VIEWS = 0x0000000000400000PERMISSION_TOOLS_VIEW_ALERTS = 0x0000000000800000PERMISSION_TOOLS_MANAGE_ALERTS = 0x0000000001000000PERMISSION_TOOLS_VIEW_METERS = 0x0000000002000000PERMISSION_TOOLS_MANAGE_METERS = 0x0000000004000000PERMISSION_ADMINISTRATION_VIEW_CONFIG = 0x0000000008000000PERMISSION_ADMINISTRATION_VIEW_USERS = 0x0000000010000000PERMISSION_ADMINISTRATION_MANAGE_CONFIG = 0x0000000020000000PERMISSION_ADMINISTRATION_MANAGE_USERS = 0x0000000040000000PERMISSION_ADMINISTRATION_MANAGE_USER_GROUPS = 0x0000000100000000PERMISSION_DEVICES_VIEW = 0x0000000200000000PERMISSION_RULES_MANAGE_UPDATERS = 0x0000000400000000PERMISSION_MANAGE_APPROVAL_REQUESTS = 0x0000000800000000PERMISSION_VIEW_APPROVAL_REQUESTS = 0x0000001000000000PERMISSION_VIEW_UPLOADED_FILES = 0x0000002000000000PERMISSION_ALLOW_UPLOAD_INVENTORY = 0x0000004000000000PERMISSION_ALLOW_EXECUTE_COMMANDS = 0x0000008000000000PERMISSION_RULES_MANAGE_SCRIPT = 0x0000010000000000PERMISSION_NOTIFIERS_VIEW = 0x0000020000000000PERMISSION_NOTIFIERS_MANAGE = 0x0000040000000000PERMISSION_ACCESS_UPLOAD_FILES = 0x0000080000000000PERMISSION_ALLOW_UPLOAD_FILES_BY_PATH = 0x0000100000000000PERMISSION_ALLOW_ANALYZE_FILES = 0x0000200000000000PERMISSION_RULES_MANAGE_ATI_SETS = 0x0000400000000000PERMISSION_VIEW_EXTERNAL_ANALYTICS = 0x0000800000000000PERMISSION_VIEW_PROCESS_COMMAND_LINES = 0x0001000000000000PERMISSION_VIEW_SYSTEM_HEALTH = 0x0002000000000000PERMISSION_EXTEND_CONNECTORS = 0x0004000000000000PERMISSION_MANAGE_OBJECTTAGS = 0x0008000000000000PERMISSION_VIEW_PLUGINS = 0x0010000000000000PERMISSION_MANAGE_PLUGINS = 0x0020000000000000PERMISSION_REPORTS_VIEW_GLOBAL_EVENTS = 0x0040000000000000PERMISSION_USE_UNIFIED_MANAGEMENT = 0x0080000000000000PERMISSION_CONFIGURE_UNIFIED_MANAGEMENT = 0x0100000000000000PERMISSION_LOCAL_LOGIN_OVERRIDE = 0x0200000000000000PERMISSION_FILES_DELETE = 0x0400000000000000PERMISSION_USE_API = 0x0800000000000000
`policyIds`	`String`	List of IDs of policies where this user group applies. Value will be empty if this is a global user group
`enabled`	`Boolean`	True if this userGroup is enabled

POST Request for userGroup

Required permissions: ‘View login accounts and user roles’, ‘Manage user roles and mappings’

Call syntax: bit9platform/v1/userGroup?delete={delete}

Name	Source	Type	Description
`value`	FromBody	userGroup
`delete`	FromUri	Boolean

PUT Request for userGroup

Required permissions: ‘View login accounts and user roles’, ‘Manage user roles and mappings’

Call syntax: bit9platform/v1/userGroup/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	userGroup

DELETE Request for userGroup

Required permissions: ‘View login accounts and user roles’, ‘Manage user roles and mappings’

Call syntax: bit9platform/v1/userGroup/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for userGroup

Required permissions: ‘View login accounts and user roles’

Call syntax: bit9platform/v1/userGroup/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for userGroup

Required permissions: ‘View login accounts and user roles’

Call syntax: bit9platform/v1/userGroup?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» username

v1/username object exposes usernames the server has encountered. Note that this is read-only API.

All Object Properties for username

Name	Type	Property Description
`id`	`Int32`	Unique username Id
`name`	`String`	Username

username is a read-only object and has no modifiable properties.

GET Request for username

Required permissions: ‘View login accounts and user roles’

Call syntax: bit9platform/v1/username/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for username

Required permissions: ‘View login accounts and user roles’

Call syntax: bit9platform/v1/username?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» vulnerableDriver

v1/vulnerableDriver object exposes known vulnerable drivers for use with the Vulnerable Driver Rapid Config.

All Object Properties for vulnerableDriver

Name	Type	Property Description
`id`	`Int32`	The internal ID of this vulnerableDriver
`hash`	`String`	The hash of this vulnerableDriver
`name`	`String`	The name of this vulnerableDriver
`msid`	`String`	The Microsoft ID of this vulnerableDriver
`createdByUserId`	`Int32`	Id of `user` that created this vulnerableDriverThis is a foreign key and can be expanded to expose fields from the related `user` object
`createdBy`	`String`	Name of `user` that created this vulnerableDriver
`modifiedByUserId`	`Int32`	Id of `user` that last modified this vulnerableDriverThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	Name of `user` that last modified this vulnerableDriver
`dateCreated`	`DateTime`	The date this vulnerableDriver was created
`dateModified`	`DateTime`	The date this vulnerableDriver was last modified

Properties modifiable Using PUT/POST Request for vulnerableDriver

Name	Type	Property Description
`hash`	`String`	The hash of this vulnerableDriver
`name`	`String`	The name of this vulnerableDriver
`msid`	`String`	The Microsoft ID of this vulnerableDriver

POST Request for vulnerableDriver

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/vulnerableDriver?delete={delete}

Name	Source	Type	Description
`value`	FromBody	vulnerableDriver
`delete`	FromUri	Boolean

PUT Request for vulnerableDriver

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/vulnerableDriver/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	vulnerableDriver

DELETE Request for vulnerableDriver

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/vulnerableDriver/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for vulnerableDriver

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/vulnerableDriver/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for vulnerableDriver

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/vulnerableDriver?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type	Description
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32	When -2, a “quick count” will be returned.
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» whoAmI

v1/whoAmI object exposes current API user.

All Object Properties for whoAmI

Name	Type	Property Description
`id`	`Int32`	Unique id of this user
`name`	`String`	Name of this user
`userGroupIds`	`String`	Comma-separated list of IDs of corresponding `userGroup` objects
`eMailAddress`	`String`	Email address of this user
`firstName`	`String`	First name of this user
`lastName`	`String`	Last name of this user
`title`	`String`	Title of this user
`salutation`	`String`	Salutation of this user
`department`	`String`	Department this user belongs to
`homePhone`	`String`	User’s home phone
`cellPhone`	`String`	User’s cell phone
`backupCellPhone`	`String`	User’s secondary cell phone
`pager`	`String`	User’s pager number
`backupPager`	`String`	User’s secondary pager number
`comments`	`String`	Comments for this user
`adminComments`	`String`	Administrator’s comments for this user
`registrationDate`	`DateTime`	Date this user was first registered (UTC)
`datePasswordSet`	`DateTime`	Date this user last set their password (UTC)
`readOnly`	`Boolean`	True if this user is one of internal users (System or Carbon Black File Reputation Service) or AD user. These users cannot be modified through the API
`external`	`Boolean`	True if this is externally generated user (e.g. from AD).
`automatic`	`Boolean`	True if this user’s roles are assigned automatically through mappings (valid only for external users).
`unified`	`Boolean`	True if this user’s token is already connected to a remote unified environment (token should not be changed).
`enabled`	`Boolean`	True if this user is enabled (defaults to true).
`passwordHash`	`String`	Hash of user password
`passwordSalt`	`String`	Salt used to generate password hash
`apiToken`	`String`	API token for this user
`mfaSeed`	`String`	Seed used for generating a multi-factor authentication token
`isPasswordTemporary`	`Boolean`	If true, the user will be prompted to change their password upon next successful login.

Properties modifiable Using PUT/POST Request for whoAmI

Name	Type	Property Description
`unified`	`Boolean`	True if this user’s token is already connected to a remote unified environment (token should not be changed).
`passwordHash`	`String`	Hash of user password
`passwordSalt`	`String`	Salt used to generate password hash
`apiToken`	`String`	API token for this user
`mfaSeed`	`String`	Seed used for generating a multi-factor authentication token

POST Request for whoAmI

Required permissions: Unknown

Call syntax: bit9platform/v1/whoAmI?delete={delete}

Name	Source	Type	Description
`value`	FromBody	whoAmI
`delete`	FromUri	Boolean

PUT Request for whoAmI

Required permissions: Unknown

Call syntax: bit9platform/v1/whoAmI/{id}

Name	Source	Type	Description
`id`	FromUri	Int32
`value`	FromBody	whoAmI

DELETE Request for whoAmI

Required permissions: Unknown

Call syntax: bit9platform/v1/whoAmI

Name	Source	Type	Description
`value`	FromBody	whoAmI

GET Request for whoAmI

Required permissions: Unknown

Call syntax: bit9platform/v1/whoAmI/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for whoAmI

Required permissions: Unknown

Call syntax: bit9platform/v1/whoAmI?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» yaraRule

v1/yaraRule object exposes Yara Rules

All Object Properties for yaraRule

Name	Type	Property Description
`id`	`Int32`	Unique rule id
`name`	`String`	Name of the rule
`enabled`	`Boolean`	True if the rule is enabled
`guid`	`Guid`	Unique GUID of the rule
`rulesetId`	`Int32`	Rule set idThis is a foreign key and can be expanded to expose fields from the related `yaraRuleset` object
`description`	`String`	Description of the rule
`qualifiers`	`String`	Qualifiers to determine whether the rule will be expanded
`encodedRules`	`String`	Text of the Yara Rule, base64 encoded
`readOnly`	`Boolean`	True if this Yara Rule is read only. User generated rules are False, Carbon Black supplied rules are True.
`dateCreated`	`DateTime`	Date and time when this rule was created (UTC)
`dateModified`	`DateTime`	Date and time when this rule was last modified (UTC)
`createdByUserId`	`Int32`	Id of `user` that created this ruleThis is a foreign key and can be expanded to expose fields from the related `user` object
`createdBy`	`String`	User that created this rule
`modifiedByUserId`	`Int32`	Id of `user` that last modified this ruleThis is a foreign key and can be expanded to expose fields from the related `user` object
`modifiedBy`	`String`	User that last modified this rule

Properties modifiable Using PUT/POST Request for yaraRule

Name	Type	Property Description
`name`	`String`	Name of the rule
`enabled`	`Boolean`	True if the rule is enabled
`guid`	`Guid`	Unique GUID of the rule
`rulesetId`	`Int32`	Rule set id
`description`	`String`	Description of the rule
`qualifiers`	`String`	Qualifiers to determine if the rule will be expanded
`encodedRules`	`String`	Text of the Yara Rule, base64 encoded

POST Request for yaraRule

Required permissions: ‘View software rules pages’, ‘Manage custom/registry/memory rules’

Call syntax: bit9platform/v1/yaraRule?delete={delete}

Name	Source	Type	Description
`value`	FromBody	yaraRule
`delete`	FromUri	Boolean

DELETE Request for yaraRule

Required permissions: ‘View software rules pages’, ‘Manage custom/registry/memory rules’

Call syntax: bit9platform/v1/yaraRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int32

GET Request for yaraRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/yaraRule/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for yaraRule

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/yaraRule?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» yaraRuleset

v1/yaraRuleset object exposes Yara Rulesets

All Object Properties for yaraRuleset

Name	Type	Property Description
`id`	`Int32`	Unique ruleset id
`name`	`String`	Name of the ruleset
`guid`	`Guid`	Unique GUID of the ruleset
`yaraNamespace`	`String`	The Yara namespace of the ruleset
`description`	`String`	Description of the ruleset

yaraRuleset is a read-only object and has no modifiable properties.

GET Request for yaraRuleset

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/yaraRuleset/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for yaraRuleset

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/yaraRuleset?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» yaraRuleTag

v1/yaraRuleTag object exposes Yara Tags

All Object Properties for yaraRuleTag

Name	Type	Property Description
`id`	`Int32`	Unique tag id
`tag`	`String`	The tag
`isRestricted`	`Boolean`	Whether the tag was provided by Carbon Black or generated by a user

yaraRuleTag is a read-only object and has no modifiable properties.

GET Request for yaraRuleTag

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/yaraRuleTag/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for yaraRuleTag

Required permissions: ‘View software rules pages’

Call syntax: bit9platform/v1/yaraRuleTag?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

» yaraVersion

v1/yaraVersion object exposes Yara rule version details

All Object Properties for yaraVersion

Name	Type	Property Description
`id`	`Int32`	ID representing this Yara rule version
`yaraRuleVersion`	`Int32`	Yara file version to which this record is associated
`ccLevel`	`Int32`	CC level to send to agents. 0 = No re-scan, 2 = Rescan known files, 3 = Full scan
`ccHourStart`	`Int32`	Start of the time range during which scan should be scheduled
`ccHourEnd`	`Int32`	End of the time range during which scan should be scheduled
`dateCreated`	`DateTime`	Date and time this record was created (UTC)

Properties modifiable Using PUT/POST Request for yaraVersion

Name	Type	Property Description
`yaraRuleVersion`	`Int32`	Yara file version to which this record is associated
`ccLevel`	`Int32`	CC level to send to agents. 0 = No re-scan, 2 = Rescan known files, 3 = Full scan
`ccHourStart`	`Int32`	Start of the time range during which scan should be scheduled
`ccHourEnd`	`Int32`	End of the time range during which scan should be scheduled

POST Request for yaraVersion

Required permissions: ‘Manage custom/registry/memory rules’

Call syntax: bit9platform/v1/yaraVersion

Name	Source	Type	Description
`value`	FromBody	yaraVersion

GET Request for yaraVersion

Required permissions: ‘Manage custom/registry/memory rules’

Call syntax: bit9platform/v1/yaraVersion/{id}

Name	Source	Type	Description
`id`	FromUri	Int64

GET Request for yaraVersion

Required permissions: ‘Manage custom/registry/memory rules’

Call syntax: bit9platform/v1/yaraVersion?q={q1}&q={q2}...&group={group}&groupType={groupType}&groupStep={groupStep}&subgroup={subgroup}&subgroupType={subgroupType}&subgroupStep={subgroupStep}&sort={sort}&offset={offset}&limit={limit}&fields={fields}&expand={expand1}&expand={expand2}...&noExecute={noExecute}&reduceFieldSets={reduceFieldSets}

Name	Source	Type
`q`	FromUri	List`1
`group`	FromUri	String
`groupType`	FromUri	String
`groupStep`	FromUri	Int32
`subgroup`	FromUri	String
`subgroupType`	FromUri	String
`subgroupStep`	FromUri	Int32
`sort`	FromUri	String
`offset`	FromUri	Int32
`limit`	FromUri	Int32
`fields`	FromUri	String
`expand`	FromUri	String[]
`noExecute`	FromUri	Boolean
`reduceFieldSets`	FromUri	Boolean

Last modified on February 3, 2025

Carbon Black App Control

Page Contents

App Control REST API Reference

Introduction

Versioning

Authentication

Access Controls

Responses

Searching

Query Condition

Limiting Results and Getting Result Count

Sorting

Grouping

Subgrouping

Grouping by Time Windows

Field Expansion

Limiting Output to Specific Fields

Code Examples

Approve Publisher

Ban File per Policy

Disable Tamper Protection for Computers

Locally Approve Files

Configure Rapid Configs

API Reference

» advancedRule

All Object Properties for advancedRule

Properties modifiable Using PUT/POST Request for advancedRule

POST Request for advancedRule

PUT Request for advancedRule

DELETE Request for advancedRule

GET Request for advancedRule

GET Request for advancedRule

» agentConfig

All Object Properties for agentConfig

Properties modifiable Using PUT/POST Request for agentConfig

POST Request for agentConfig

PUT Request for agentConfig

DELETE Request for agentConfig

GET Request for agentConfig

GET Request for agentConfig

» appCatalog

All Object Properties for appCatalog

GET Request for appCatalog

GET Request for appCatalog

» appInstance

All Object Properties for appInstance

GET Request for appInstance

GET Request for appInstance

» approvalRequest

All Object Properties for approvalRequest

Properties modifiable Using PUT/POST Request for approvalRequest

POST Request for approvalRequest

PUT Request for approvalRequest

GET Request for approvalRequest

GET Request for approvalRequest

» approvalRequestRelated

All Object Properties for approvalRequestRelated

GET Request for approvalRequestRelated

GET Request for approvalRequestRelated

» approvalRequestSummary

All Object Properties for approvalRequestSummary

GET Request for approvalRequestSummary

GET Request for approvalRequestSummary

GET Request for approvalRequestSummary

» cachedEvent

All Object Properties for cachedEvent

GET Request for cachedEvent

GET Request for cachedEvent

» certificate

All Object Properties for certificate

Properties modifiable Using PUT/POST Request for certificate

POST Request for certificate

PUT Request for certificate

DELETE Request for certificate

GET Request for certificate

GET Request for certificate

» certificateBinary

All Object Properties for certificateBinary

Properties modifiable Using PUT/POST Request for certificateBinary

POST Request for certificateBinary