Listing incidents: new fields have been added to the incidents listing endpoint:
Commenting incidents: a new endpoint has been implemented that allows adding comments to incidents. At the moment, added comments are visible in the EDR portal when viewing an incident's details.
Endpoint Protection API: Subscriptions endpoints end of life on 11th of March 2024
The old subscriptions endpoints are deprecated and should be replaced by the subscription endpoints in the Provisioning API. To use this API, you need to request Read-only Provisioning API credentials from WithSecure Support. Access to Provisioning API is only for partner (SOP) accounts.
The following Endpoint Protection API subscriptions endpoints will stop working on 11.03.2024:
A new Elements Security Events query endpoint has been released and is available for new and existing integrations. The new endpoint allows querying Security Events generated in Endpoint Protection (EPP), Endpoint Detection and Response (EDR) and Collaboration Protection (ECP).
Support for Collaboration Protection engines allows reading Security Events related to Microsoft Outlook, OneDrive, SharePoint and Teams from the REST API. To get the last 10 Collaboration Protection events with cURL, run the following command:
curl -H "Authorization: Bearer <authorization token>" -d "persistenceTimestampEnd=2030-12-31T00:00:00Z&engineGroup=ecp&limit=10" https://api.connect.withsecure.com/security-events/v1/security-events
More examples can be found in the endpoint documentation, the Getting started guide and the Elements API Cookbook.
Q: Why do you introduce a new endpoint instead of extending the capabilities of the existing one?
A: The existing GET /security-events/v1/security-events endpoint is a legacy from early releases and cannot be easily extended to support Collaboration Protection events. The new endpoint has a more modern design and will make it easier to add new features and capabilities in the future.
Q: Is the Security Events query endpoint compatible with the existing endpoint?
A: If you're interested only in events from EPP and EDR, you won't notice any significant differences. The Security Events query endpoint preserves the response format known from the existing endpoint. If you're interested in Collaboration Protection events, you need to adjust your integration and prepare it for a different response: for example, these events don't have device properties or a user name.
Q: I'm only interested in Security Events from EPP and EDR. What do I need to change after switching to the new endpoint?
A: The response for EPP and EDR engines contains the same properties that are present in the response from GET /security-events/v1/security-events. To get EPP and EDR events, you need to make the following changes in your integration:
Q: What will happen to the existing GET /security-events/v1/security-events endpoint?
A: The existing endpoint will stay; we don't have plans to remove or deprecate it. This means you can continue using it in your integration if you're interested only in EPP and EDR events. We will keep maintaining the endpoint (bug fixes), but we will stop adding new features to it. New capabilities will be added only to the Security Events query endpoint.
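An added example (not WithSecure's code) of the adjustment described in the answer about Collaboration Protection events: a parser that assumes device properties and a user name fails on such events, while a defensive one does not. The response field names (items, id, engine, severity, device, userName) and the sample events are assumptions constructed for illustration; check them against the endpoint documentation.

```python
import json

# Constructed sample page. Field names and values are assumptions for
# illustration, not taken from the API reference.
SAMPLE_PAGE = json.loads("""
{"items": [
  {"id": "evt-1", "engine": "epp-example", "severity": "critical",
   "device": {"id": "dev-1", "name": "LAPTOP-01"}, "userName": "alice"},
  {"id": "evt-2", "engine": "ecp-example", "severity": "warning"},
  {"id": "evt-3", "engine": "edr-example", "severity": "info",
   "device": {"id": "dev-2", "name": "SRV-02"}, "userName": null}
]}
""")

def strict_row(event):
    """Parser written for EPP/EDR only: assumes device and userName exist."""
    return (event["id"], event["device"]["name"], event["userName"])

def strict_failures(page):
    """Ids of events the EPP/EDR-only parser cannot handle."""
    failed = []
    for event in page.get("items") or []:
        try:
            strict_row(event)
        except (KeyError, TypeError):
            failed.append(event.get("id"))
    return failed

def normalize_event(event):
    """Flatten one event into fixed columns; optional fields default to None."""
    device = event.get("device") or {}
    return {
        "id": event.get("id"),
        "engine": event.get("engine"),
        "severity": event.get("severity"),
        "device_id": device.get("id"),
        "device_name": device.get("name"),
        "user_name": event.get("userName"),
        "has_device": bool(device),
    }

def normalize_page(page):
    """Normalize every event in a page; tolerate a missing item list."""
    return [normalize_event(e) for e in page.get("items") or []]

def without_device(rows):
    """Ids of events that cannot be joined to the device inventory."""
    return [r["id"] for r in rows if not r["has_device"]]

if __name__ == "__main__":
    print("strict parser fails on:", strict_failures(SAMPLE_PAGE))
    print("no device context:", without_device(normalize_page(SAMPLE_PAGE)))
```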
“/incidents/v1/incidents” - description of the incident entered in Elements Security Center
Property “description” contains the "incident description" that the user enters in the Broad Context Detections (BCD) view under the "analysis" tab. This is useful information for a reporting system or a ticketing solution.
“/incidents/v1/detections” - human-friendly description of the detection
Property “description” contains the value that is visible in the detections list in Elements Security Center.
New query parameters in the endpoint /devices/v1/devices allow filtering EPP devices:
The Missing software updates query endpoint is available in the Elements API. An integration client can list missing updates for a particular EPP device and filter the results by category and severity. It should be used as a replacement for the endpoint from the legacy EPP API that has been deprecated.
To find all critical software updates for a single device with curl, execute the following command:
curl -H "Authorization: Bearer $TOKEN" -d "deviceId=$DEVICE_ID" -d "severity=critical" https://api.connect.withsecure.com/software-updates/v1/missing-updates
Replace $TOKEN with the authorization token and $DEVICE_ID with the device identifier, which can be found in the response from device listing.
Endpoint Protection API: List missing software updates endpoint end of life on 2nd of May 2024
The old List missing software update endpoint is deprecated and should be replaced by the Query missing software updates endpoint in the Elements API.
The Endpoint Protection API is fully deprecated. The ability to create API keys will soon be removed from Elements Security Center.
The following endpoints have passed their end of life date and should not be used anymore:
The following endpoints will soon reach end of life, and customers should migrate as soon as possible:
A client calling the Incidents endpoint can request only non-archived EDR incidents by adding the query parameter archived=false. Querying only non-archived incidents is highly recommended, as it might have a positive impact on request speed.
curl -H "Authorization: Bearer $TOKEN"
For the device operations endpoint, support for the following new operations has been added:
Two new fields are introduced: metadataParameters in the POST response and metadata in the GET response. Both serve the same purpose: to provide operation-specific information. For example, the collect diagnostic file operation returns fileId inside these objects, a field that is used to identify the diagnostic file.
For more information and request examples, consult the endpoints documentation: