RESTful API for managing WatchGuard Endpoint Security (WES) devices and security operations. Provides device listing and protection status, device isolation and release, immediate scan initiation, security event counters and exports, security overview, risk assessment summaries, and configuration management.
openapi: 3.1.0
info:
title: WatchGuard Endpoint Security Management API
description: >-
The WatchGuard Endpoint Security Management API provides RESTful access to
WatchGuard Endpoint Security (WES) features including device management,
security events, risk assessment, configuration management, and license
information. All endpoints require OAuth 2.0 bearer authentication and the
WatchGuard-API-Key header.
version: v1
contact:
name: WatchGuard Support
url: https://www.watchguard.com/help/docs/API/Content/en-US/endpoint_security/WES_endpoint_security/v1/WES_endpoint_security.html
servers:
- url: https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1
description: USA Region
- url: https://api.eu.cloud.watchguard.com/rest/endpoint-security/management/api/v1
description: EU Region
tags:
- name: Devices
description: Manage and query endpoint devices.
- name: Device Actions
description: Perform actions on endpoint devices such as isolation and scanning.
- name: Security Events
description: Retrieve security event data and overviews.
- name: Risk Assessment
description: Retrieve risk assessment summaries and detected risks.
- name: Configurations
description: Manage endpoint security configurations.
- name: Licenses
description: Retrieve endpoint security license information.
paths:
/accounts/{accountId}/licenses:
get:
operationId: getLicenses
summary: Get Licenses
description: Retrieve endpoint security license information for the account.
tags:
- Licenses
parameters:
- $ref: '#/components/parameters/AccountId'
security:
- bearerAuth: []
apiKeyAuth: []
responses:
'200':
description: License information.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/devices:
get:
operationId: listDevices
summary: List Devices
description: >-
Retrieve a paginated, searchable list of managed endpoint devices
for the account. Supports OData-style query parameters.
tags:
- Devices
parameters:
- $ref: '#/components/parameters/AccountId'
- $ref: '#/components/parameters/ODataTop'
- $ref: '#/components/parameters/ODataSkip'
- $ref: '#/components/parameters/ODataSearch'
- $ref: '#/components/parameters/ODataCount'
- $ref: '#/components/parameters/ODataOrderby'
- name: $config
in: query
description: Include configuration details in the response.
schema:
type: string
security:
- bearerAuth: []
apiKeyAuth: []
responses:
'200':
description: List of managed devices.
content:
application/json:
schema:
$ref: '#/components/schemas/DeviceList'
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/devicesprotectionstatus:
get:
operationId: getDevicesProtectionStatus
summary: Get Devices Protection Status
description: Retrieve protection status information for all managed devices.
tags:
- Devices
parameters:
- $ref: '#/components/parameters/AccountId'
- $ref: '#/components/parameters/ODataTop'
- $ref: '#/components/parameters/ODataSkip'
- $ref: '#/components/parameters/ODataSearch'
- $ref: '#/components/parameters/ODataCount'
- $ref: '#/components/parameters/ODataOrderby'
security:
- bearerAuth: []
apiKeyAuth: []
responses:
'200':
description: Device protection status list.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/unmanageddevices:
get:
operationId: listUnmanagedDevices
summary: List Unmanaged Devices
description: Retrieve devices discovered on the network that are not yet managed.
tags:
- Devices
parameters:
- $ref: '#/components/parameters/AccountId'
- $ref: '#/components/parameters/ODataTop'
- $ref: '#/components/parameters/ODataSkip'
- $ref: '#/components/parameters/ODataSearch'
- $ref: '#/components/parameters/ODataCount'
- $ref: '#/components/parameters/ODataOrderby'
security:
- bearerAuth: []
apiKeyAuth: []
responses:
'200':
description: List of unmanaged devices.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/devices/isolation:
post:
operationId: isolateDevices
summary: Isolate Devices
description: >-
Isolate specified devices from network communication, optionally allowing
specific programs and displaying a customized alert message.
tags:
- Device Actions
parameters:
- $ref: '#/components/parameters/AccountId'
security:
- bearerAuth: []
apiKeyAuth: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/IsolationRequest'
responses:
'200':
description: Isolation initiated.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/devices/noisolation:
post:
operationId: removeDeviceIsolation
summary: Remove Device Isolation
description: Remove network isolation from previously isolated devices.
tags:
- Device Actions
parameters:
- $ref: '#/components/parameters/AccountId'
security:
- bearerAuth: []
apiKeyAuth: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/DeviceIdsRequest'
responses:
'200':
description: Isolation removed.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/devices/uninstall:
post:
operationId: uninstallDeviceProtection
summary: Uninstall Device Protection
description: Uninstall WatchGuard endpoint protection from specified devices.
tags:
- Device Actions
parameters:
- $ref: '#/components/parameters/AccountId'
security:
- bearerAuth: []
apiKeyAuth: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/DeviceIdsRequest'
responses:
'200':
description: Uninstall initiated.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/devices/action:
post:
operationId: performDeviceAction
summary: Perform Device Action
description: Initiate a device action such as reboot on specified devices.
tags:
- Device Actions
parameters:
- $ref: '#/components/parameters/AccountId'
security:
- bearerAuth: []
apiKeyAuth: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/DeviceActionRequest'
responses:
'200':
description: Device action initiated.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/immediatescan:
post:
operationId: startImmediateScan
summary: Start Immediate Scan
description: Initiate an immediate security scan task on specified devices.
tags:
- Device Actions
parameters:
- $ref: '#/components/parameters/AccountId'
security:
- bearerAuth: []
apiKeyAuth: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ImmediateScanRequest'
responses:
'200':
description: Immediate scan started.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/securityeventcounters/{type}:
get:
operationId: getSecurityEventCounters
summary: Get Security Event Counters
description: Retrieve counts of security events by type for the account.
tags:
- Security Events
parameters:
- $ref: '#/components/parameters/AccountId'
- name: type
in: path
required: true
description: Bitmask value specifying the event types to retrieve.
schema:
type: integer
- name: filter
in: query
schema:
type: string
security:
- bearerAuth: []
apiKeyAuth: []
responses:
'200':
description: Security event counters.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/securityevents/{type}/export/{period}:
get:
operationId: exportSecurityEvents
summary: Export Security Events
description: >-
Retrieve detailed security event records for a specified type and time
period (1 or 7 days).
tags:
- Security Events
parameters:
- $ref: '#/components/parameters/AccountId'
- name: type
in: path
required: true
description: Security event type (1-19).
schema:
type: integer
minimum: 1
maximum: 19
- name: period
in: path
required: true
description: Time period in days (1 or 7).
schema:
type: integer
enum: [1, 7]
- name: hostname
in: query
description: Base-64 encoded hostname to filter events by device.
schema:
type: string
security:
- bearerAuth: []
apiKeyAuth: []
responses:
'200':
description: Security event export.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/securityoverview/{period}:
get:
operationId: getSecurityOverview
summary: Get Security Overview
description: >-
Retrieve a security overview summary for the account covering the
specified number of days (1, 7, or 30).
tags:
- Security Events
parameters:
- $ref: '#/components/parameters/AccountId'
- name: period
in: path
required: true
description: Period in days (1, 7, or 30).
schema:
type: integer
enum: [1, 7, 30]
security:
- bearerAuth: []
apiKeyAuth: []
responses:
'200':
description: Security overview summary.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/riskassessment/companyrisksummary:
get:
operationId: getCompanyRiskSummary
summary: Get Company Risk Summary
description: Retrieve company-wide risk summary categorized by severity level.
tags:
- Risk Assessment
parameters:
- $ref: '#/components/parameters/AccountId'
security:
- bearerAuth: []
apiKeyAuth: []
responses:
'200':
description: Company risk summary.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/riskassessment/detectedrisks:
get:
operationId: getDetectedRisks
summary: Get Detected Risks
description: >-
Retrieve detected risk counts by type, with optional filtering by
device type and operating system.
tags:
- Risk Assessment
parameters:
- $ref: '#/components/parameters/AccountId'
- name: $filter
in: query
description: OData filter expression supporting device type and OS filtering.
schema:
type: string
security:
- bearerAuth: []
apiKeyAuth: []
responses:
'200':
description: Detected risks.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/managedconfigurations/{type}:
get:
operationId: getManagedConfigurations
summary: Get Managed Configurations
description: Retrieve managed endpoint security configurations by type.
tags:
- Configurations
parameters:
- $ref: '#/components/parameters/AccountId'
- name: type
in: path
required: true
description: Configuration type (1-12).
schema:
type: integer
minimum: 1
maximum: 12
- $ref: '#/components/parameters/ODataTop'
- $ref: '#/components/parameters/ODataSkip'
- $ref: '#/components/parameters/ODataSearch'
- $ref: '#/components/parameters/ODataCount'
- $ref: '#/components/parameters/ODataOrderby'
security:
- bearerAuth: []
apiKeyAuth: []
responses:
'200':
description: List of managed configurations.
'401':
$ref: '#/components/responses/Unauthorized'
/accounts/{accountId}/installers:
get:
operationId: getInstaller
summary: Get Installer
description: >-
Retrieve the download URL for an endpoint security installation package
for a specific platform and configuration.
tags:
- Configurations
parameters:
- $ref: '#/components/parameters/AccountId'
- name: platformId
in: query
required: true
description: Target platform identifier.
schema:
type: string
- name: managedConfigurationId
in: query
required: true
description: Configuration ID to associate with the installer.
schema:
type: string
- name: useActiveDirectory
in: query
required: true
description: Whether to use Active Directory for deployment.
schema:
type: boolean
security:
- bearerAuth: []
apiKeyAuth: []
responses:
'200':
description: Installer download URL.
'401':
$ref: '#/components/responses/Unauthorized'
components:
securitySchemes:
bearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
description: OAuth 2.0 access token from the WatchGuard Authentication API.
apiKeyAuth:
type: apiKey
in: header
name: WatchGuard-API-Key
description: API key from the WatchGuard Cloud Managed Access page.
parameters:
AccountId:
name: accountId
in: path
required: true
description: WatchGuard Cloud account ID.
schema:
type: string
ODataTop:
name: $top
in: query
description: Number of records to return (max 3000).
schema:
type: integer
maximum: 3000
ODataSkip:
name: $skip
in: query
description: Number of records to skip for pagination.
schema:
type: integer
ODataSearch:
name: $search
in: query
description: Text search across supported fields.
schema:
type: string
ODataCount:
name: $count
in: query
description: Include total count in response.
schema:
type: boolean
ODataOrderby:
name: $orderby
in: query
description: Sort results (e.g., hostname+asc).
schema:
type: string
responses:
Unauthorized:
description: Unauthorized — invalid or expired access token or API key.
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
NotFound:
description: Resource not found.
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
schemas:
DeviceList:
type: object
properties:
value:
type: array
items:
$ref: '#/components/schemas/Device'
count:
type: integer
Device:
type: object
description: An endpoint device managed by WatchGuard Endpoint Security.
properties:
deviceId:
type: string
hostname:
type: string
ipAddress:
type: string
operatingSystem:
type: string
agentVersion:
type: string
protectionStatus:
type: string
enum: [Protected, AtRisk, Unprotected]
lastSeen:
type: string
format: date-time
DeviceIdsRequest:
type: object
properties:
device_ids:
type: array
items:
type: string
description: List of device IDs to perform the action on.
IsolationRequest:
type: object
properties:
device_ids:
type: array
items:
type: string
exclusion_programs:
type: array
items:
type: string
description: Programs allowed to communicate during isolation.
customized_message:
type: string
description: Message displayed to users on isolated devices.
hide_customized_alert:
type: boolean
DeviceActionRequest:
type: object
properties:
device_ids:
type: array
items:
type: string
action_type:
type: string
description: Type of action to perform (e.g., reboot).
count_down_type:
type: string
ImmediateScanRequest:
type: object
properties:
device_ids:
type: array
items:
type: string
task_name:
type: string
task_description:
type: string
scan_scope:
type: string
description: Scope of the scan (full, quick, custom).
ErrorResponse:
type: object
properties:
code:
type: integer
message:
type: string