
Detection

These are the API endpoints for retrieving detection rules, catalogs, detections, detection details, and insight tuning data.

List Detection Rules

Retrieves a paginated list of installed security detection rules, filterable by the specified status, severity, execution type, rule type, source, complexity, new-rule status, and deprecation status. Use this endpoint to list only the rules installed in your account, such as when reviewing installed rules and assessing detection coverage.

Rate limit: 50 requests per minute per account.
OAuth Scope : logs360cloud.detection.READ
Role : Administrator, Operator

Query Parameters

from
integer
Pagination start index. Default: 1. Maximum: 10000.
limit
integer
Number of records to return. Default: 10. Maximum: 100.
status
string
Filter rules by status. Accepted values (case-sensitive): `enabled`, `disabled`.
severity
string
Filter rules by severity. Accepted values (case-sensitive): `critical`, `trouble`, `attention`.
execution_type
string
Filter rules by execution type. Accepted values (case-sensitive): `continuous`, `scheduled`, `intelligent`.
rule_type
string
Filter rules by type. Accepted values (case-sensitive): `standard`, `anomaly`, `advanced`.
source
string
Filter rules by source. Accepted values (case-sensitive): `predefined`, `custom`, `extension`.
complexity
string
Filter rules by complexity. Accepted values (case-sensitive): `high`, `low`.
is_deprecated
boolean
Filter rules by deprecation state. Accepted values (case-sensitive): `true`, `false`.
is_new
boolean
Filter rules by new-rule state. Accepted values (case-sensitive): `true`, `false`.

Headers

account_id
string
(Required)

Request Example

// Sample credentials only: keep the OAuth token in the connection / secret store rather than in script text.
request_headers = Map();
request_headers.put("account_id", "18XXXXX4");
request_headers.put("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f");
// GET the installed detection rules; the raw response body is logged as-is.
api_response = invokeUrl
[
    url: "https://log360cloud.manageengine.com/api/v2/detection/rules"
    type: GET
    headers: request_headers
    connection: <connection_name>
];
info api_response;
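OkHttpClient client = new OkHttpClient();
// Sample credentials only: load account_id and the OAuth token from configuration, not source.
Request request = new Request.Builder()
    .url("https://log360cloud.manageengine.com/api/v2/detection/rules")
    .get()
    .addHeader("account_id", "18XXXXX4")
    .addHeader("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f")
    .build();
// try-with-resources closes the Response; leaving it open leaks the pooled connection.
try (Response response = client.newCall(request).execute()) {
    // Error statuses also return a JSON body, so check the status instead of parsing blindly.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("Unexpected HTTP status " + response.code());
    }
    // Read response.body() here, while the Response is still open.
}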
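// Sample credentials only: load account_id and the OAuth token from configuration, not source.
const options = {
  method: 'GET',
  headers: {
    account_id: '18XXXXX4',
    Authorization: 'Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f',
  },
};
fetch('https://log360cloud.manageengine.com/api/v2/detection/rules', options)
  .then(async (response) => {
    // Error statuses also carry a JSON body; parse it, but do not treat it as a result.
    const body = await response.json();
    if (!response.ok) {
      throw new Error(`HTTP ${response.status}: ${JSON.stringify(body)}`);
    }
    return body;
  })
  .then((body) => console.log(body))
  .catch((err) => console.error(err));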
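import http.client

# Sample credentials only: load account_id and the OAuth token from the environment or a secret store.
headers = {
    'account_id': "18XXXXX4",
    'Authorization': "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f",
}
conn = http.client.HTTPSConnection("log360cloud.manageengine.com")
try:
    conn.request("GET", "/api/v2/detection/rules", headers=headers)
    res = conn.getresponse()
    # Error statuses also return a JSON body; res.status tells them apart from a result.
    data = res.read()
    print(data.decode("utf-8"))
finally:
    # Release the socket on every path; the original never closed the connection.
    conn.close()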
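const http = require("https");
// Sample credentials only: load account_id and the OAuth token from the environment or a secret store.
const options = {
  method: "GET",
  hostname: "log360cloud.manageengine.com",
  port: null,
  path: "/api/v2/detection/rules",
  headers: {
    account_id: "18XXXXX4",
    Authorization: "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f",
  },
};
const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => {
    chunks.push(chunk);
  });
  res.on("end", () => {
    // Error statuses also return a JSON body; res.statusCode tells them apart from a result.
    const body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});
// Without an 'error' listener a DNS/TLS/socket failure is an unhandled event that crashes the process.
req.on("error", (err) => console.error(err));
req.end();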
# Sample credentials only; supply the real token from a secret store (e.g. via an environment variable).
curl -X GET 'https://log360cloud.manageengine.com/api/v2/detection/rules' \
  -H 'Authorization: Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f' \
  -H 'account_id: 18XXXXX4'

Response Example

{ "data": [ { "rule_id": "10000000000339462", "severity": "critical", "complexity": "low", "unique_name": "CUSTOM_RULE_10000000000339462", "rule_type": "standard", "is_new": false, "is_deprecated": false, "name": "PGSQL LogOff", "execution_type": "continuous", "source": "custom", "status": "enabled" }, { "rule_id": "10000000000342012", "severity": "critical", "complexity": "low", "unique_name": "CUSTOM_RULE_10000000000342012", "rule_type": "standard", "is_new": false, "is_deprecated": false, "name": "PGSQL Logon", "execution_type": "continuous", "source": "custom", "status": "enabled" } ], "meta": { "limit": 2, "from": 1, "total_items": 4 } }
{ "error": { "code": "00000107", "title": "Invalid Parameter", "detail": "severity value is incorrect" } }
{ "code": "00000101", "title": "Unauthorized", "detail": "Invalid OAuth Token" }
{ "error": { "code": "100010107", "title": "Forbidden", "detail": "This feature is not available in your current license plan. Please upgrade your license to access it." } }
{ "error": { "code": "00000109", "detail": "Request throttling limit reached", "title": "Too Many Requests" } }
{ "error": { "code": "100010102", "detail": "Failed to fetch detection rules.", "title": "Internal Server Error" } }

Get MITRE Catalog

Retrieves a paginated MITRE ATT&CK catalog slice. Use the required `type` query parameter to choose whether to retrieve tactics, techniques, or sub-techniques. When `type=technique`, `key_id` is mandatory and pagination is scoped to techniques under that tactic. When `type=sub_technique`, both `key_id` and `value_id` are mandatory and pagination is scoped to sub-techniques under that tactic-technique pair.

Rate limit: 50 requests per minute per account.
OAuth Scope : logs360cloud.detection.READ
Role : Administrator, Operator

Query Parameters

type
string
(Required)
MITRE catalog slice to return. Accepted values (case-sensitive): `tactic`, `technique`, `sub_technique`.
key_id
string
Required when `type` is `technique` or `sub_technique`. Use the `key_id` returned by `Get MITRE Catalog` with `type=tactic` to scope the returned catalog slice.
value_id
string
Required when `type` is `sub_technique`. Use the `value_id` returned by `Get MITRE Catalog` with `type=technique` to scope the returned sub-techniques under the selected tactic.
from
integer
Pagination start index. Default: 1. Maximum: 10000.
limit
integer
Number of MITRE items to return. Default: 10. Maximum: 100.

Headers

account_id
string
(Required)

Request Example

// Sample credentials only: keep the OAuth token in the connection / secret store rather than in script text.
request_headers = Map();
request_headers.put("account_id", "18XXXXX4");
request_headers.put("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f");
// GET the MITRE sub-technique slice; the raw response body is logged as-is.
api_response = invokeUrl
[
    url: "https://log360cloud.manageengine.com/api/v2/detection/mitre?type=sub_technique"
    type: GET
    headers: request_headers
    connection: <connection_name>
];
info api_response;
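OkHttpClient client = new OkHttpClient();
// Sample credentials only: load account_id and the OAuth token from configuration, not source.
Request request = new Request.Builder()
    .url("https://log360cloud.manageengine.com/api/v2/detection/mitre?type=sub_technique")
    .get()
    .addHeader("account_id", "18XXXXX4")
    .addHeader("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f")
    .build();
// try-with-resources closes the Response; leaving it open leaks the pooled connection.
try (Response response = client.newCall(request).execute()) {
    // Error statuses also return a JSON body, so check the status instead of parsing blindly.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("Unexpected HTTP status " + response.code());
    }
    // Read response.body() here, while the Response is still open.
}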
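// Sample credentials only: load account_id and the OAuth token from configuration, not source.
const options = {
  method: 'GET',
  headers: {
    account_id: '18XXXXX4',
    Authorization: 'Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f',
  },
};
fetch('https://log360cloud.manageengine.com/api/v2/detection/mitre?type=sub_technique', options)
  .then(async (response) => {
    // Error statuses also carry a JSON body; parse it, but do not treat it as a result.
    const body = await response.json();
    if (!response.ok) {
      throw new Error(`HTTP ${response.status}: ${JSON.stringify(body)}`);
    }
    return body;
  })
  .then((body) => console.log(body))
  .catch((err) => console.error(err));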
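import http.client

# Sample credentials only: load account_id and the OAuth token from the environment or a secret store.
headers = {
    'account_id': "18XXXXX4",
    'Authorization': "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f",
}
conn = http.client.HTTPSConnection("log360cloud.manageengine.com")
try:
    conn.request("GET", "/api/v2/detection/mitre?type=sub_technique", headers=headers)
    res = conn.getresponse()
    # Error statuses also return a JSON body; res.status tells them apart from a result.
    data = res.read()
    print(data.decode("utf-8"))
finally:
    # Release the socket on every path; the original never closed the connection.
    conn.close()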
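const http = require("https");
// Sample credentials only: load account_id and the OAuth token from the environment or a secret store.
const options = {
  method: "GET",
  hostname: "log360cloud.manageengine.com",
  port: null,
  path: "/api/v2/detection/mitre?type=sub_technique",
  headers: {
    account_id: "18XXXXX4",
    Authorization: "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f",
  },
};
const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => {
    chunks.push(chunk);
  });
  res.on("end", () => {
    // Error statuses also return a JSON body; res.statusCode tells them apart from a result.
    const body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});
// Without an 'error' listener a DNS/TLS/socket failure is an unhandled event that crashes the process.
req.on("error", (err) => console.error(err));
req.end();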
# Sample credentials only; supply the real token from a secret store (e.g. via an environment variable).
curl -X GET 'https://log360cloud.manageengine.com/api/v2/detection/mitre?type=sub_technique' \
  -H 'Authorization: Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f' \
  -H 'account_id: 18XXXXX4'

Response Example

{ "data": { "sub_techniques": [ { "tactic_name": "Reconnaissance", "key_id": "10000000000337060", "tactic_id": "TA0043", "technique_name": "Search Open Websites/Domains", "sub_technique_name": "Social Media", "technique_id": "T1593", "value_id": "10000000000337142", "sub_technique_id": "T1593.001" }, { "tactic_name": "Reconnaissance", "key_id": "10000000000337060", "tactic_id": "TA0043", "technique_name": "Search Open Websites/Domains", "sub_technique_name": "Search Engines", "technique_id": "T1593", "value_id": "10000000000337144", "sub_technique_id": "T1593.002" }, { "tactic_name": "Reconnaissance", "key_id": "10000000000337060", "tactic_id": "TA0043", "technique_name": "Search Open Websites/Domains", "sub_technique_name": "Code Repositories", "technique_id": "T1593", "value_id": "10000000000337146", "sub_technique_id": "T1593.003" } ] }, "meta": { "from": 1, "limit": 7, "total_items": 3 } }
{ "error": { "code": "00000107", "detail": "type value is incorrect", "title": "Invalid Parameter" } }
{ "error": { "code": "10001013", "title": "Bad Request", "detail": "REQUIRED PARAMS ARE MISSING" } }
{ "code": "00000101", "title": "Unauthorized", "detail": "Invalid OAuth Token" }
{ "error": { "code": "100010107", "title": "Forbidden", "detail": "This feature is not available in your current license plan. Please upgrade your license to access it." } }
{ "error": { "code": "00000109", "detail": "Request throttling limit reached", "title": "Too Many Requests" } }
{ "error": { "code": "100010100", "title": "Internal Server Error", "detail": "Failed to fetch MITRE catalog data." } }

Get Tags

Retrieves a paginated detection tag catalog slice. Use the required `type` query parameter to choose whether to retrieve tag keys or tag values. When `type=value`, `key_id` is mandatory and pagination is scoped to values under that key.

Rate limit: 50 requests per minute per account.
OAuth Scope : logs360cloud.detection.READ
Role : Administrator, Operator

Query Parameters

type
string
(Required)
Tag catalog slice to return. Accepted values (case-sensitive): `key`, `value`.
key_id
string
Required when `type` is `value`. Use the `key_id` returned by `Get Tags` with `type=key` to scope the returned tag values under the selected key.
from
integer
Pagination start index. Default: 1. Maximum: 10000.
limit
integer
Number of tag items to return. Default: 10. Maximum: 100.

Headers

account_id
string
(Required)

Request Example

// Sample credentials only: keep the OAuth token in the connection / secret store rather than in script text.
request_headers = Map();
request_headers.put("account_id", "18XXXXX4");
request_headers.put("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f");
// GET the tag-value slice; the raw response body is logged as-is.
api_response = invokeUrl
[
    url: "https://log360cloud.manageengine.com/api/v2/detection/tags?type=value"
    type: GET
    headers: request_headers
    connection: <connection_name>
];
info api_response;
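OkHttpClient client = new OkHttpClient();
// Sample credentials only: load account_id and the OAuth token from configuration, not source.
Request request = new Request.Builder()
    .url("https://log360cloud.manageengine.com/api/v2/detection/tags?type=value")
    .get()
    .addHeader("account_id", "18XXXXX4")
    .addHeader("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f")
    .build();
// try-with-resources closes the Response; leaving it open leaks the pooled connection.
try (Response response = client.newCall(request).execute()) {
    // Error statuses also return a JSON body, so check the status instead of parsing blindly.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("Unexpected HTTP status " + response.code());
    }
    // Read response.body() here, while the Response is still open.
}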
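// Sample credentials only: load account_id and the OAuth token from configuration, not source.
const options = {
  method: 'GET',
  headers: {
    account_id: '18XXXXX4',
    Authorization: 'Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f',
  },
};
fetch('https://log360cloud.manageengine.com/api/v2/detection/tags?type=value', options)
  .then(async (response) => {
    // Error statuses also carry a JSON body; parse it, but do not treat it as a result.
    const body = await response.json();
    if (!response.ok) {
      throw new Error(`HTTP ${response.status}: ${JSON.stringify(body)}`);
    }
    return body;
  })
  .then((body) => console.log(body))
  .catch((err) => console.error(err));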
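import http.client

# Sample credentials only: load account_id and the OAuth token from the environment or a secret store.
headers = {
    'account_id': "18XXXXX4",
    'Authorization': "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f",
}
conn = http.client.HTTPSConnection("log360cloud.manageengine.com")
try:
    conn.request("GET", "/api/v2/detection/tags?type=value", headers=headers)
    res = conn.getresponse()
    # Error statuses also return a JSON body; res.status tells them apart from a result.
    data = res.read()
    print(data.decode("utf-8"))
finally:
    # Release the socket on every path; the original never closed the connection.
    conn.close()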
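const http = require("https");
// Sample credentials only: load account_id and the OAuth token from the environment or a secret store.
const options = {
  method: "GET",
  hostname: "log360cloud.manageengine.com",
  port: null,
  path: "/api/v2/detection/tags?type=value",
  headers: {
    account_id: "18XXXXX4",
    Authorization: "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f",
  },
};
const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => {
    chunks.push(chunk);
  });
  res.on("end", () => {
    // Error statuses also return a JSON body; res.statusCode tells them apart from a result.
    const body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});
// Without an 'error' listener a DNS/TLS/socket failure is an unhandled event that crashes the process.
req.on("error", (err) => console.error(err));
req.end();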
# Sample credentials only; supply the real token from a secret store (e.g. via an environment variable).
curl -X GET 'https://log360cloud.manageengine.com/api/v2/detection/tags?type=value' \
  -H 'Authorization: Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f' \
  -H 'account_id: 18XXXXX4'

Response Example

{ "data": { "values": [ { "key_name": "Threat Actor", "key_id": "10000000000334347", "value_id": "10000000000334349", "value_name": "admin@338" }, { "key_name": "Threat Actor", "key_id": "10000000000334347", "value_id": "10000000000334351", "value_name": "Agrius" }, { "key_name": "Threat Actor", "key_id": "10000000000334347", "value_id": "10000000000334353", "value_name": "Ajax Security Team" } ] }, "meta": { "from": 1, "limit": 3, "total_items": 170 } }
{ "error": { "code": "00000107", "detail": "type value is incorrect", "title": "Invalid Parameter" } }
{ "error": { "code": "10001013", "title": "Bad Request", "detail": "REQUIRED PARAMS ARE MISSING" } }
{ "code": "00000101", "title": "Unauthorized", "detail": "Invalid OAuth Token" }
{ "error": { "code": "100010107", "title": "Forbidden", "detail": "This feature is not available in your current license plan. Please upgrade your license to access it." } }
{ "error": { "code": "00000109", "detail": "Request throttling limit reached", "title": "Too Many Requests" } }
{ "error": { "code": "100010101", "title": "Internal Server Error", "detail": "Failed to fetch tag catalog data." } }

Get Detections

Retrieves a list of detections within the specified time range. Use this endpoint to retrieve detection results, such as when reviewing triggered detections during threat hunting or building a detection activity dashboard. The difference between `start_time` and `end_time` must not exceed 7 days.

Rate limit: 50 requests per minute per account.
OAuth Scope : logs360cloud.detection.READ
Role : Administrator, Operator

Query Parameters

start_time
date-time
(Required)
Start time for the detection range, in ISO 8601 date-time format. The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported. The time range between `start_time` and `end_time` must not exceed 7 days.
end_time
date-time
(Required)
End time for the detection range, in ISO 8601 date-time format. The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported. The time range between `start_time` and `end_time` must not exceed 7 days.
from
integer
Pagination start index. Default: 1. Maximum: 10000.
limit
integer
Number of detection records to return. Default: 10. Maximum: 100.
username
string
Detection username filter. Maximum length: 255.
hostname
string
Detection hostname filter. Maximum length: 255.
mitre_key_id
string
MITRE tactic key ID filter. Use the `key_id` returned by `Get MITRE Catalog` with `type=tactic`. Maximum length: 19.
mitre_value_id
string
MITRE technique or sub-technique value ID filter. Use the `value_id` returned by `Get MITRE Catalog` with `type=technique` or `type=sub_technique`. When provided, `mitre_key_id` is also required. Maximum length: 19.
tag_value_id
string
Detection tag value ID filter. Use the `value_id` returned by `Get Tags` with `type=value`. Maximum length: 19.
rule_id
string
Detection rule ID filter. Obtain it from `GET /api/v2/detection/rules`.

Headers

account_id
string
(Required)

Request Example

// Sample credentials only: keep the OAuth token in the connection / secret store rather than in script text.
request_headers = Map();
request_headers.put("account_id", "18XXXXX4");
request_headers.put("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f");
// GET detections for a 24h window (start_time/end_time may span at most 7 days); the raw body is logged as-is.
api_response = invokeUrl
[
    url: "https://log360cloud.manageengine.com/api/v2/detection/detections?start_time=2026-04-23T05:30:00Z&end_time=2026-04-24T05:30:00Z"
    type: GET
    headers: request_headers
    connection: <connection_name>
];
info api_response;
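OkHttpClient client = new OkHttpClient();
// Sample credentials only: load account_id and the OAuth token from configuration, not source.
Request request = new Request.Builder()
    .url("https://log360cloud.manageengine.com/api/v2/detection/detections?start_time=2026-04-23T05%3A30%3A00Z&end_time=2026-04-24T05%3A30%3A00Z")
    .get()
    .addHeader("account_id", "18XXXXX4")
    .addHeader("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f")
    .build();
// try-with-resources closes the Response; leaving it open leaks the pooled connection.
try (Response response = client.newCall(request).execute()) {
    // Error statuses also return a JSON body, so check the status instead of parsing blindly.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("Unexpected HTTP status " + response.code());
    }
    // Read response.body() here, while the Response is still open.
}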
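// Sample credentials only: load account_id and the OAuth token from configuration, not source.
const options = {
  method: 'GET',
  headers: {
    account_id: '18XXXXX4',
    Authorization: 'Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f',
  },
};
fetch('https://log360cloud.manageengine.com/api/v2/detection/detections?start_time=2026-04-23T05%3A30%3A00Z&end_time=2026-04-24T05%3A30%3A00Z', options)
  .then(async (response) => {
    // Error statuses also carry a JSON body; parse it, but do not treat it as a result.
    const body = await response.json();
    if (!response.ok) {
      throw new Error(`HTTP ${response.status}: ${JSON.stringify(body)}`);
    }
    return body;
  })
  .then((body) => console.log(body))
  .catch((err) => console.error(err));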
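import http.client

# Sample credentials only: load account_id and the OAuth token from the environment or a secret store.
headers = {
    'account_id': "18XXXXX4",
    'Authorization': "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f",
}
conn = http.client.HTTPSConnection("log360cloud.manageengine.com")
try:
    conn.request("GET", "/api/v2/detection/detections?start_time=2026-04-23T05%3A30%3A00Z&end_time=2026-04-24T05%3A30%3A00Z", headers=headers)
    res = conn.getresponse()
    # Error statuses also return a JSON body; res.status tells them apart from a result.
    data = res.read()
    print(data.decode("utf-8"))
finally:
    # Release the socket on every path; the original never closed the connection.
    conn.close()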
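const http = require("https");
// Sample credentials only: load account_id and the OAuth token from the environment or a secret store.
const options = {
  method: "GET",
  hostname: "log360cloud.manageengine.com",
  port: null,
  path: "/api/v2/detection/detections?start_time=2026-04-23T05%3A30%3A00Z&end_time=2026-04-24T05%3A30%3A00Z",
  headers: {
    account_id: "18XXXXX4",
    Authorization: "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f",
  },
};
const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => {
    chunks.push(chunk);
  });
  res.on("end", () => {
    // Error statuses also return a JSON body; res.statusCode tells them apart from a result.
    const body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});
// Without an 'error' listener a DNS/TLS/socket failure is an unhandled event that crashes the process.
req.on("error", (err) => console.error(err));
req.end();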
# Sample credentials only; supply the real token from a secret store (e.g. via an environment variable).
curl -X GET 'https://log360cloud.manageengine.com/api/v2/detection/detections?start_time=2026-04-23T05%3A30%3A00Z&end_time=2026-04-24T05%3A30%3A00Z' \
  -H 'Authorization: Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f' \
  -H 'account_id: 18XXXXX4'

Response Example

{ "data": [ { "rule_id": "10000000000339462", "rule_severity": "critical", "mitre_mappings": [ { "sub_technique": "Social Media (T1593.001)", "technique": "Search Open Websites/Domains (T1593)", "tactic": "Reconnaissance (TA0043)" }, { "technique": "Search Victim-Owned Websites (T1594)", "tactic": "Reconnaissance (TA0043)" }, { "tactic": "Reconnaissance (TA0043)" } ], "rule_message": "PGSQL LogOff has been triggered", "rule_name": "PGSQL LogOff", "usernames": [ "postgres" ], "hostnames": [ "pgsql" ], "time": "2026-04-23T23:59:06+05:30", "detection_id": "777f7127-3934-4a21-9a61-73e390df184a", "tags": [ { "value": "Active Directory", "key": "Data Source" }, { "value": "admin@338", "key": "Threat Actor" } ] }, { "rule_id": "10000000000339462", "rule_severity": "critical", "mitre_mappings": [ { "sub_technique": "Social Media (T1593.001)", "technique": "Search Open Websites/Domains (T1593)", "tactic": "Reconnaissance (TA0043)" }, { "technique": "Search Victim-Owned Websites (T1594)", "tactic": "Reconnaissance (TA0043)" }, { "tactic": "Reconnaissance (TA0043)" } ], "rule_message": "PGSQL LogOff has been triggered", "rule_name": "PGSQL LogOff", "usernames": [ "postgres" ], "hostnames": [ "pgsql" ], "time": "2026-04-23T23:56:17+05:30", "detection_id": "3ac65a46-4813-43f7-94c1-5fbdd9894a36", "tags": [ { "value": "Active Directory", "key": "Data Source" }, { "value": "admin@338", "key": "Threat Actor" } ] } ], "meta": { "limit": 2, "from": 1, "total_items": 1090 } }
{ "error": { "code": "00000107", "detail": "tag_value_id value is incorrect", "title": "Invalid Parameter" } }
{ "error": { "code": "10001013", "title": "Bad Request", "detail": "REQUIRED PARAMS ARE MISSING" } }
{ "error": { "code": "10001057", "title": "Bad Request", "detail": "START_TIME must be earlier than END_TIME." } }
{ "error": { "code": "10001058", "title": "Bad Request", "detail": "START_TIME and END_TIME values must be in the ISO 8601 date-time format." } }
{ "error": { "code": "10001099", "title": "Bad Request", "detail": "Time range should not exceed 7 days." } }
{ "code": "00000101", "title": "Unauthorized", "detail": "Invalid OAuth Token" }
{ "error": { "code": "100010107", "title": "Forbidden", "detail": "This feature is not available in your current license plan. Please upgrade your license to access it." } }
{ "error": { "code": "00000109", "detail": "Request throttling limit reached", "title": "Too Many Requests" } }
{ "error": { "code": "100010103", "detail": "Failed to fetch detections.", "title": "Internal Server Error" } }

Get Detection Detail

Retrieves the detailed information for the specified detection record, including timeline and evidence data. Use this endpoint to review the full context of a specific detection, such as during incident investigation.

Rate limit: 50 requests per minute per account.
OAuth Scope : logs360cloud.detection.READ
Role : Administrator, Operator

Query Parameters

detection_id
string
(Required)
Detection ID. Obtain it from the `detection_id` field returned by `Get Detections`.
detection_time
date-time
(Required)
Detection time in ISO 8601 date-time format. Obtain it from the `time` field returned by `Get Detections`. The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported.

Headers

account_id
string
(Required)

Request Example

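// Sample credentials only: keep the OAuth token in the connection / secret store rather than in script text.
headers_data = Map();
headers_data.put("account_id", "18XXXXX4");
headers_data.put("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f");
// detection_time is percent-encoded like the other samples on this page: a literal "+" in a
// query string is commonly decoded as a space, which would turn "+05:30" into " 05:30".
response = invokeUrl
[
    url: "https://log360cloud.manageengine.com/api/v2/detection/detection-detail?detection_id=777f7127-3934-4a21-9a61-73e390df184a&detection_time=2026-04-23T23%3A59%3A06%2B05%3A30"
    type: GET
    headers: headers_data
    connection: <connection_name>
];
info response;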
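OkHttpClient client = new OkHttpClient();
// Sample credentials only: load account_id and the OAuth token from configuration, not source.
Request request = new Request.Builder()
    .url("https://log360cloud.manageengine.com/api/v2/detection/detection-detail?detection_id=777f7127-3934-4a21-9a61-73e390df184a&detection_time=2026-04-23T23%3A59%3A06%2B05%3A30")
    .get()
    .addHeader("account_id", "18XXXXX4")
    .addHeader("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f")
    .build();
// try-with-resources closes the Response; leaving it open leaks the pooled connection.
try (Response response = client.newCall(request).execute()) {
    // Error statuses also return a JSON body, so check the status instead of parsing blindly.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("Unexpected HTTP status " + response.code());
    }
    // Read response.body() here, while the Response is still open.
}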
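// Sample credentials only: load account_id and the OAuth token from configuration, not source.
const options = {
  method: 'GET',
  headers: {
    account_id: '18XXXXX4',
    Authorization: 'Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f',
  },
};
fetch('https://log360cloud.manageengine.com/api/v2/detection/detection-detail?detection_id=777f7127-3934-4a21-9a61-73e390df184a&detection_time=2026-04-23T23%3A59%3A06%2B05%3A30', options)
  .then(async (response) => {
    // Error statuses also carry a JSON body; parse it, but do not treat it as a result.
    const body = await response.json();
    if (!response.ok) {
      throw new Error(`HTTP ${response.status}: ${JSON.stringify(body)}`);
    }
    return body;
  })
  .then((body) => console.log(body))
  .catch((err) => console.error(err));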
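import http.client

# Sample credentials only: load account_id and the OAuth token from the environment or a secret store.
headers = {
    'account_id': "18XXXXX4",
    'Authorization': "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f",
}
conn = http.client.HTTPSConnection("log360cloud.manageengine.com")
try:
    conn.request("GET", "/api/v2/detection/detection-detail?detection_id=777f7127-3934-4a21-9a61-73e390df184a&detection_time=2026-04-23T23%3A59%3A06%2B05%3A30", headers=headers)
    res = conn.getresponse()
    # Error statuses also return a JSON body; res.status tells them apart from a result.
    data = res.read()
    print(data.decode("utf-8"))
finally:
    # Release the socket on every path; the original never closed the connection.
    conn.close()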
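const http = require("https");
// Sample credentials only: load account_id and the OAuth token from the environment or a secret store.
const options = {
  method: "GET",
  hostname: "log360cloud.manageengine.com",
  port: null,
  path: "/api/v2/detection/detection-detail?detection_id=777f7127-3934-4a21-9a61-73e390df184a&detection_time=2026-04-23T23%3A59%3A06%2B05%3A30",
  headers: {
    account_id: "18XXXXX4",
    Authorization: "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f",
  },
};
const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => {
    chunks.push(chunk);
  });
  res.on("end", () => {
    // Error statuses also return a JSON body; res.statusCode tells them apart from a result.
    const body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});
// Without an 'error' listener a DNS/TLS/socket failure is an unhandled event that crashes the process.
req.on("error", (err) => console.error(err));
req.end();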
# Sample credentials only; supply the real token from a secret store (e.g. via an environment variable).
curl -X GET 'https://log360cloud.manageengine.com/api/v2/detection/detection-detail?detection_id=777f7127-3934-4a21-9a61-73e390df184a&detection_time=2026-04-23T23%3A59%3A06%2B05%3A30' \
  -H 'Authorization: Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f' \
  -H 'account_id: 18XXXXX4'

Response Example

{ "data": { "timeline": [ { "action_id": "10000000000339463", "action_message": "Test", "action_name": "Test", "time": "2026-04-23T23:59:06+05:30", "action_log": { "hosttype": "pgsql_logs", "iename": "pgsql logoff", "hostname": "pgsql", "statement": "disconnection: session time: 0:02:48.726 user=postgres database=postgres host=[local]", "action": "logoff", "message": "2026-04-23 23:59:06.130614 GMT [3549] user=postgres,db=postgres,client=[local] LOG: disconnection: session time: 0:02:48.726 user=postgres database=postgres host=[local]", "processid": "3549", "appid": "10000000000339489", "databasename": "postgres", "common_severity": "information", "username": "postgres", "status": "success" } } ], "detection_detail": { "rule_id": "10000000000339462", "mitigation": "<div>Review whether the PostgreSQL session termination was expected, verify the user and database context, and investigate the source host for unauthorized activity.</div>", "rule_name": "PGSQL LogOff", "description": "Detects PostgreSQL user logoff events to help analysts review session termination activity and related account context.", "mitre": [ { "sub_technique": "Social Media (T1593.001)", "technique": "Search Open Websites/Domains (T1593)", "tactic": "Reconnaissance (TA0043)" }, { "technique": "Search Victim-Owned Websites (T1594)", "tactic": "Reconnaissance (TA0043)" }, { "tactic": "Reconnaissance (TA0043)" } ], "tag": [ { "value": "Active Directory", "key": "Data Source" }, { "value": "admin@338", "key": "Threat Actor" } ] } } }
{ "error": { "code": "00000107", "detail": "detection_time value is incorrect", "title": "Invalid Parameter" } }
{ "error": { "code": "10001013", "title": "Bad Request", "detail": "REQUIRED PARAMS ARE MISSING" } }
{ "code": "00000101", "title": "Unauthorized", "detail": "Invalid OAuth Token" }
{ "error": { "code": "100010107", "title": "Forbidden", "detail": "This feature is not available in your current license plan. Please upgrade your license to access it." } }
{ "error": { "code": "00000109", "detail": "Request throttling limit reached", "title": "Too Many Requests" } }
{ "error": { "code": "100010104", "detail": "Failed to fetch detection detail.", "title": "Internal Server Error" } }

Get Detection Rule Tuning Insights

Retrieves insight tuning data and summary for the specified detection rule within the specified time range. Use this endpoint to review tuning insights for a detection rule, such as when analyzing false positive rates or assessing rule performance before adjusting thresholds. The difference between `start_time` and `end_time` must not exceed 7 days.

Rate limit: 50 requests per minute per account.
OAuth Scope : logs360cloud.detection.READ
Role : Administrator, Operator

Path Parameters

rule_id
string
(Required)
Detection rule ID. Obtain it from `GET /api/v2/detection/rules`.

Query Parameters

start_time
date-time
(Required)
Start time for the tuning range, in ISO 8601 date-time format. The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported. The time range between `start_time` and `end_time` must not exceed 7 days.
end_time
date-time
(Required)
End time for the tuning range, in ISO 8601 date-time format. The value must be ≥ 1970-01-01T00:00:00Z. Time zone offsets are supported. The time range between `start_time` and `end_time` must not exceed 7 days.

Headers

account_id
string
(Required)

Request Example

// Sample credentials only: keep the OAuth token in the connection / secret store rather than in script text.
request_headers = Map();
request_headers.put("account_id", "18XXXXX4");
request_headers.put("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f");
// GET tuning insights for one rule over a 24h window (at most 7 days); the raw body is logged as-is.
api_response = invokeUrl
[
    url: "https://log360cloud.manageengine.com/api/v2/detection/rule/10000000000339462/tuning-insights?start_time=2026-04-23T05:30:00Z&end_time=2026-04-24T05:30:00Z"
    type: GET
    headers: request_headers
    connection: <connection_name>
];
info api_response;
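OkHttpClient client = new OkHttpClient();
// Sample credentials only: load account_id and the OAuth token from configuration, not source.
Request request = new Request.Builder()
    .url("https://log360cloud.manageengine.com/api/v2/detection/rule/10000000000339462/tuning-insights?start_time=2026-04-23T05%3A30%3A00Z&end_time=2026-04-24T05%3A30%3A00Z")
    .get()
    .addHeader("account_id", "18XXXXX4")
    .addHeader("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f")
    .build();
// try-with-resources closes the Response; leaving it open leaks the pooled connection.
try (Response response = client.newCall(request).execute()) {
    // Error statuses also return a JSON body, so check the status instead of parsing blindly.
    if (!response.isSuccessful()) {
        throw new IllegalStateException("Unexpected HTTP status " + response.code());
    }
    // Read response.body() here, while the Response is still open.
}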
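// Sample credentials only: load account_id and the OAuth token from configuration, not source.
const options = {
  method: 'GET',
  headers: {
    account_id: '18XXXXX4',
    Authorization: 'Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f',
  },
};
fetch('https://log360cloud.manageengine.com/api/v2/detection/rule/10000000000339462/tuning-insights?start_time=2026-04-23T05%3A30%3A00Z&end_time=2026-04-24T05%3A30%3A00Z', options)
  .then(async (response) => {
    // Error statuses also carry a JSON body; parse it, but do not treat it as a result.
    const body = await response.json();
    if (!response.ok) {
      throw new Error(`HTTP ${response.status}: ${JSON.stringify(body)}`);
    }
    return body;
  })
  .then((body) => console.log(body))
  .catch((err) => console.error(err));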
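import http.client

# Sample credentials only: load account_id and the OAuth token from the environment or a secret store.
headers = {
    'account_id': "18XXXXX4",
    'Authorization': "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f",
}
conn = http.client.HTTPSConnection("log360cloud.manageengine.com")
try:
    conn.request("GET", "/api/v2/detection/rule/10000000000339462/tuning-insights?start_time=2026-04-23T05%3A30%3A00Z&end_time=2026-04-24T05%3A30%3A00Z", headers=headers)
    res = conn.getresponse()
    # Error statuses also return a JSON body; res.status tells them apart from a result.
    data = res.read()
    print(data.decode("utf-8"))
finally:
    # Release the socket on every path; the original never closed the connection.
    conn.close()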
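const http = require("https");
// Sample credentials only: load account_id and the OAuth token from the environment or a secret store.
const options = {
  method: "GET",
  hostname: "log360cloud.manageengine.com",
  port: null,
  path: "/api/v2/detection/rule/10000000000339462/tuning-insights?start_time=2026-04-23T05%3A30%3A00Z&end_time=2026-04-24T05%3A30%3A00Z",
  headers: {
    account_id: "18XXXXX4",
    Authorization: "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f",
  },
};
const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => {
    chunks.push(chunk);
  });
  res.on("end", () => {
    // Error statuses also return a JSON body; res.statusCode tells them apart from a result.
    const body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});
// Without an 'error' listener a DNS/TLS/socket failure is an unhandled event that crashes the process.
req.on("error", (err) => console.error(err));
req.end();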
# Sample credentials only; supply the real token from a secret store (e.g. via an environment variable).
curl -X GET 'https://log360cloud.manageengine.com/api/v2/detection/rule/10000000000339462/tuning-insights?start_time=2026-04-23T05%3A30%3A00Z&end_time=2026-04-24T05%3A30%3A00Z' \
  -H 'Authorization: Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f' \
  -H 'account_id: 18XXXXX4'

Response Example

{ "data": { "tuning_data": [ { "insights": [ { "suggestion": "Exclude below fields to minimize execution load", "tunings": [ { "action_order": 1, "field": "HOSTNAME", "action_name": "Action1", "message": "hostname : pgsql", "value": "pgsql", "status": "APPLIED" }, { "action_order": 1, "field": "IENAME", "action_name": "Action1", "message": "iename : pgsql logoff", "value": "pgsql logoff", "status": "" } ], "tooltip_text": "Exclude unnecessary fields to improve execution efficiency.", "title": "Action1" } ], "type": "Event Based Insights" } ], "tuning_summary": [ { "percentage": 100, "title": "Action1", "exclude_field_list": { "pgsql": 0 } } ] } }
{ "error": { "code": "00000107", "detail": "start_time value is incorrect", "title": "Invalid Parameter" } }
{ "error": { "code": "10001013", "title": "Bad Request", "detail": "REQUIRED PARAMS ARE MISSING" } }
{ "error": { "code": "10001057", "title": "Bad Request", "detail": "START_TIME must be earlier than END_TIME." } }
{ "error": { "code": "10001058", "title": "Bad Request", "detail": "START_TIME and END_TIME values must be in the ISO 8601 date-time format." } }
{ "error": { "code": "10001099", "title": "Bad Request", "detail": "Time range should not exceed 7 days." } }
{ "code": "00000101", "title": "Unauthorized", "detail": "Invalid OAuth Token" }
{ "error": { "code": "100010107", "title": "Forbidden", "detail": "This feature is not available in your current license plan. Please upgrade your license to access it." } }
{ "error": { "code": "10001098", "detail": "Detection rule not found.", "title": "Not Found" } }
{ "error": { "code": "00000109", "detail": "Request throttling limit reached", "title": "Too Many Requests" } }
{ "error": { "code": "100010105", "detail": "Failed to fetch detection tuning insights.", "title": "Internal Server Error" } }