Enterprise Recon v1 API

All Documentation > Enterprise Recon v1 API > Global Filters

Global Filters

Use this set of APIs to retrieve information on, update or delete global filters.

List Global Filters

Retrieve details for all or for a specific global filter.

Request

GET

https://er-master:8339/v1/filters/{filter_id}

Authorization

Basic Authentication

Path Parameters

Parameter	Data Type	Description
filter_id	string	Specify ID of the global filter to retrieve data for. If no value is specified, response returns data for all global filters. filter_id is the id response item from the /v1/filters endpoint.

Query Parameters

Parameter	Data Type	Description
type	string enum: locations matches test_data	Define this parameter to return results for specific filter types.
offset	integer default: 0	The first global filter to return data for. For offset=N, data will be fetched starting from the Nth global filter. If no value is specified or offset=0, query will return data from the very first global filter.
limit	integer default: 1000 max: 100000	Maximum number of global filters to return data for, starting from the first record determined by the offset parameter value.

Parameter

Data Type

Description

type

string

enum: locations matches test_data

Define this parameter to return results for specific filter types.

offset

integer

default: 0

The first global filter to return data for. For offset=N, data will be fetched starting from the Nth global filter. If no value is specified or offset=0, query will return data from the very first global filter.

limit

integer

default: 1000

max: 100000

Maximum number of global filters to return data for, starting from the first record determined by the offset parameter value.

Header Parameters

Parameter	Data Type	Description
Accept-Encoding	string enum: gzip deflate	Specify the compression algorithm to use on the response object. Compressed content will not be returned for endpoints that return reports as files (e.g. PDF, CSV etc), endpoints that return binary files (e.g. Node Agent installers) or unsuccessful API calls.

Parameter

Data Type

Description

Accept-Encoding

string

enum: gzip deflate

Specify the compression algorithm to use on the response object.
Compressed content will not be returned for endpoints that return reports as files (e.g. PDF, CSV etc), endpoints that return binary files (e.g. Node Agent installers) or unsuccessful API calls.

Request Samples

HTTP

GET /v1/filters
Accept: application/json

cURL

curl --request GET 'https://er-master:8339/v1/filters' \
--user apiuser:password123 \
--header "Accept: application/json"

Response Schema

200 OK

Response Item	Data Type	Description
id	string	Unique ID identifying the global filter.
apply_to	string	Group or Target ID that the filter is applied to. Only returned if filter is applied to a specific Target or Group.
name	string	Global filter name. Only returned if a name has been assigned to the filter.
description	string	Global filter description. Only returned if a description has been assigned to the filter.
enabled	boolean enum: true false	Indicates if global filter returned is enabled.
timestamp	number	Timestamp when the global filter was last modified or created (if the global filter has never been modified) in Unix time format.
type	string enum: exclude_prefix exclude_suffix exclude_expression include_date_range include_recent exclude_max_size ignore_match ignore_prefix ignore_expression test_match test_prefix test_expression	Filter type.
expression	string	Full custom expression. Only returned for the following filters: exclude_prefix, exclude_suffix, exclude_expression, ignore_match, ignore_prefix, ignore_expression, test_match, test_prefix, test_expression.
from_date	string <YYYY-MM-DD>	Scan files that were created or modified within a date range. This is the start date for the date range. Only returned for the include_date_range filter.
to_date	string <YYYY-MM-DD>	Scan files that were created or modified within a date range. This is the end date for the date range. Only returned for the include_date_range filter.
days	integer min: 1 max: 99	Scan files that have been created or modified within the specified number of days. Only returned for include_recent filter.
size	integer <MB>	Exclude locations greater than a specified file size (MB). Only returned for exclude_max_size filter.

Response Samples

200 OK

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: xxx
[
  {
    "id": "2011111590957770404",
    "name": "Filter file formats",
    "description": "Filter to exclude .dll and .exe files from the scan",
    "apply_to": "16145931871908943813",
    "type": "exclude_suffix",
    "expression": ".dll, .exe"
  },
  {
    "id": "2011111590957770405",
    "apply_to": "16145931871908944000",
    "type": "include_date_range",
    "from_date": "2018-03-01",
    "to_date": "2018-04-30"
  },
  {
    "id": "2011111590957770406",
    "type": "include_recent",
    "days": 30
  }
  {
    "id": "2011111590957770407",
    "apply_to": "16145931871908943020",
    "name": "Exclude locations in var directory",
    "description": "Exclude all locations in the "/var" directory during scans",
    "enabled": "true",
    "timestamp": "1718779693",
    "type": "exclude_expression",
    "expressions": "C:\V???"
  }
]

Update a Global Filter

Update the settings for a specific global filter.

Request

PUT

https://er-master:8339/v1/filters/<filter_id>

Authorization

Basic Authentication

Path Parameters

Parameter	Data Type	Description
filter_id	string	Specify ID of the global filter to update. filter_id is the id response item from the /v1/filters endpoint.

Request Schema

If a field is omitted in the request body, it will be cleared.

Parameter	Data Type	Description
apply_to	string	Group or Target ID that the filter is applied to. If no Group or Target ID is provided, the filter will be a global filter that applies to all Groups and Targets.
name	string	Global filter name. Must be 80 characters or less.
description	string	Global filter description. Must be 400 characters or less.
type	string enum: exclude_prefix exclude_suffix exclude_expression include_date_range include_recent exclude_max_size ignore_match ignore_prefix ignore_expression test_match test_prefix test_expression	Filter type.
expression	string	Full custom expression. Only required for the following filters: exclude_prefix, exclude_suffix, exclude_expression, ignore_match, ignore_prefix, ignore_expression, test_match, test_prefix, test_expression.
from_date	string <YYYY-MM-DD>	Scan files that were created or modified within a date range. This is the start date for the date range. Only required for the include_date_range filter.
to_date	string <YYYY-MM-DD>	Scan files that were created or modified within a date range. This is the end date for the date range. Only required for the include_date_range filter.
days	integer min: 1 max: 99	Scan files that have been created or modified within the specified number of days. Only required for include_recent filter.
size	integer <MB>	Exclude locations greater than a specified file size (MB). Only required for exclude_max_size filter.

Request Samples

HTTP

PUT /v1/filters/2011111590957770404
Content-Type: application/json
[
  {
    "apply_to": "16145931871908943813",
    "type": "exclude_suffix",
    "expression": ".dll | .exe"
    }
]

cURL

curl --request PUT 'https://er-master:8339/v1/filters/2011111590957770404' \
--user apiuser:password123 \
--header "Content-Type: application/json" \
--data-raw '[
  {
    "apply_to": "16145931871908943813",
    "type": "exclude_suffix",
    "expression": ".dll | .exe"
    }
]'

Response Samples

204 No Content

422 Unprocessable Entity

Returned if the request body contains invalid values or formats in the input fields.

HTTP/1.1 422 Unprocessable Entity
Content-Type: application/json
Content-Length: xxx
{
  "message": "Invalid input for '{fieldname}'."
}  

422 Unprocessable Entity

Returned if the specified value in the request body for the name field is more than 80 characters.

HTTP/1.1 422 Unprocessable Entity
Content-Type: application/json
Content-Length: xxx
{
  "message": "Filter name must be 80 characters or less."
}

422 Unprocessable Entity

Returned if the specified value in the request body for the description field is more than 400 characters.

HTTP/1.1 422 Unprocessable Entity
Content-Type: application/json
Content-Length: xxx
{
  "message": "Filter description must be 400 characters or less."
}

Delete a Global Filter

Delete a specific global filter.

Request

DELETE

https://er-master:8339/v1/filters/<filter_id>

Authorization

Basic Authentication

Path Parameters

Parameter	Data Type	Description
filter_id	string	Specify ID of the global filter to delete. filter_id is the id response item from the /v1/filters endpoint.

Request Samples

HTTP

DELETE /v1/filters/2011111590957770404

cURL

curl --request DELETE 'https://er-master:8339/v1/filters/2011111590957770404' \
--user apiuser:password123 

Response Samples

204 No Content

Create a Global Filter

Create or add a new global filter. Global filters created via API are enabled by default.

Request

POST

https://er-master:8339/v1/filters

Authorization

Basic Authentication

Request Schema

Parameter	Data Type	Description
apply_to	string	Group or Target ID that the filter is applied to.
name	string	Global filter name. Must be 80 characters or less.
description	string	Global filter description. Must be 400 characters or less.
type	string enum: exclude_prefix exclude_suffix exclude_expression include_date_range include_recent exclude_max_size ignore_match ignore_prefix ignore_expression test_match test_prefix test_expression	Filter type.
expression	string	Full custom expression. Only required for the following filters: exclude_prefix, exclude_suffix, exclude_expression, ignore_match, ignore_prefix, ignore_expression, test_match, test_prefix, test_expression.
from_date	string <YYYY-MM-DD>	Scan files that were created or modified within a date range. This is the start date for the date range. Only required for the include_date_range filter.
to_date	string <YYYY-MM-DD>	Scan files that were created or modified within a date range. This is the end date for the date range. Only required for the include_date_range filter.
days	integer min: 1 max: 99	Scan files that have been created or modified within the specified number of days. Only required for include_recent filter.
size	integer <MB>	Exclude locations greater than a specified file size (MB). Only required for exclude_max_size filter.

Request Samples

HTTP

POST /v1/filters
Content-Type: application/json
[
  {
    "apply_to": "16145931871908943813",
    "type": "exclude_suffix",
    "expression": ".dll | .exe"
    }
]

cURL

curl --request POST 'https://er-master:8339/v1/filters' \
--user apiuser:password123 \
--header "Content-Type: application/json" \
--data-raw '[
  {
    "apply_to": "16145931871908943813",
    "type": "exclude_suffix",
    "expression": ".dll | .exe"
    }
]'

Response Schema

201 Created

Response Item	Data Type	Description
id	string	Filter ID assigned to the newly created global filter.

Response Samples

201 Created

HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: xxx
{
  "id": "12345678901234567890"
}  

422 Unprocessable Entity

Returned if the specified value in the request body for the name field is more than 80 characters.

HTTP/1.1 422 Unprocessable Entity
Content-Type: application/json
Content-Length: xxx
{
  "message": "Filter name must be 80 characters or less."
}

422 Unprocessable Entity

Returned if the specified value in the request body for the description field is more than 400 characters.

HTTP/1.1 422 Unprocessable Entity
Content-Type: application/json
Content-Length: xxx
{
  "message": "Filter description must be 400 characters or less."
}

Enable a Global Filter

Enable (On) a specific global filter.

Request

POST

https://er-master:8339/v1/filters/<filter_id>/enable

Authorization

Basic Authentication

Path Parameters

Parameter	Data Type	Description
filter_id	string	Specify ID of the global filter to global filter. filter_id is the id response item from the /v1/filters endpoint.

Request Samples

HTTP

POST /v1/filters/5127911297873299453/enable
Accept: application/json

cURL

curl --request POST 'https://er-master:8339/v1/filters/5127911297873299453/enable' \
--user apiuser:password123 \
--header "Accept: application/json"

Response Samples

204 No Content

Disable a Global Filter

Disable (Off) a specific global filter.

Request

POST

https://er-master:8339/v1/filters/<filter_id>/disable

Authorization

Basic Authentication

Path Parameters

Parameter	Data Type	Description
filter_id	string	Specify ID of the global filter to global filter. filter_id is the id response item from the /v1/filters endpoint.

Request Samples

HTTP

POST /v1/filters/5127911297873299453/disable
Accept: application/json

cURL

curl --request POST 'https://er-master:8339/v1/filters/5127911297873299453/disable' \
--user apiuser:password123 \
--header "Accept: application/json"

Response Samples

204 No Content

List Global Filter Templates

Retrieve list of available Global Filter templates in Enterprise Recon.

Request

GET

https://er-master:8339/v1/filters/templates

Authorization

Basic Authentication

Header Parameters

Parameter	Data Type	Description
Accept-Encoding	string enum: gzip deflate	Specify the compression algorithm to use on the response object. Compressed content will not be returned for endpoints that return reports as files (e.g. PDF, CSV etc), endpoints that return binary files (e.g. Node Agent installers) or unsuccessful API calls.

Parameter

Data Type

Description

Accept-Encoding

string

enum: gzip deflate

Request Samples

HTTP

GET /v1/filters/templates
Accept: application/json

cURL

curl --request GET 'https://er-master:8339/v1/filters/templates' \
--user apiuser:password123 \
--header "Accept: application/json"

Response Schema

200 OK

Response Item	Data Type	Description
version	string example: 1.0	Global Filter template version.
filter_templates	object	List of available global filter templates.
filter_templates/name	string	Global filter templates name.
filter_templates/description	string	Global filter template description.
filter_templates/type	string enum: exclude_prefix exclude_suffix exclude_expression include_date_range include_recent exclude_max_size ignore_match ignore_prefix ignore_expression test_match test_prefix test_expression	Filter type.
filter_templates/expressions	array <string>	Full custom expression. Only returned for the following filters: exclude_prefix, exclude_suffix, exclude_expression, ignore_match, ignore_prefix, ignore_expression, test_match, test_prefix, test_expression.

Response Samples

200 OK

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: xxx

"version": "1.0",
"filter_templates":
[
  {
    "name": "Windows Folders Exclusions",
    "description": "Focuses on user data by filtering out Windows system
    directories like System32, servicing, and Windows Defender, enhancing scan
    efficiency and relevance.",
    "type": "exclude_prefix",
    "expression": [
       "C:\\Windows\\Logs\\CBS\\",
       "C:\\Windows\\System32\\catroot\\",
       "C:\\Windows\\System32\\catroot2\\",
       "C:\\Windows\\System32\\config\\",
       "C:\\Windows\\servicing\\",
       "C:\\Windows\\debug\\",
       "C:\\Windows\\WinSxS\\",
       "C:\\Windows\\Panther\\"
       ]
  },
  {
    "name": "Linux Core Directories Filter",
    "description": "Optimizes scanning of RedHat and Oracle Linux systems by
    excluding directories that commonly contain false positives, focusing
    efforts on user-generated content and significantly reducing false positive
    rates.",
    "type": "exclude_prefix",
    "expression": [
       "/var/log/audit",
       "/var/lib/rpm",
       "/var/lib/yum",
       "/var/cache/yum",
       "/usr/share/hwdata",
       "/usr/share/doc"
       ]
  }
]