Create an L2 Responder User

Note

To use the incident response or data ingestion tool features, you can add the DFIR package to your instance of the Cybereason platform for an additional cost or request an Express IR environment (partners only). Contact your Customer Success representative to request access to this package or for details on how to submit the request, see How to Request a Cybereason Express IR Environment.

Endpoint URL: https://<your server>/rest/users/<email address>
Endpoint URI: users/<email address>

Action: POST

Creates a user for the Cybereason platform with the Responder L2 role.

This request is supported for versions 21.1.81 and later. You must enable two-factor authentication (TFA) or SSO for users with the Responder L2 role. Two-factor authentication (TFA) or SSO is only required for users with the Responder L1 role if they will use the Remote Shell utility in Unrestricted mode.

Note

Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.

Request Headers

You must add an Content-Type:application/json header with the request.

Note

If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.


Request Body

Input: JSON

Download JSON syntax file

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

{
    "username": "<email address>",
    "password": "<password>",
    "roles": ["responder_l2"],
    "changePasswordOnNextLogin": false,
    "totpEnabled": true,
    "isDailyNotifications": false,
    "allowedLoginMethod": "PASSWORD"
}

Request Parameters

URL/URI parameters: none

Request Body Parameters: Add these REQUIRED parameters as part of the request:

Field

Type

Description

username

String

The email address for the Cybereason platform user.

password

String

The password to use for the Cybereason platform user.

roles

Array

The roles to add for this user. Add responder_l2 to enable this user to run IR tool requests.

If you add the responder_l2 role for this user, you cannot assign them the Sensor Admin L1, Local Analyst L1, or Local Analyst L2 roles.

changePasswordOnNextLogin

Boolean

Indicates whether to require the user to update their password on the next login to the platform. Set this value to false.

totpEnabled

Boolean

Indicates whether this user has two-factor authentication enabled. Set this value to true to enable you to use the IR tools requests.

Ensure that a system admin for your platform enables two-factor (TFA) globally for the platform before you set this option to true.

isDailyNotifications

Boolean

Indicates whether this user should receive daily notifications from the platform. Set this value to false.

allowedLoginMethod

Enum

The allowed login method for this user. Set this value to PASSWORD.


Response Status Codes

This request can return the following status codes:

  • 200: Success OK


Response Success Schema

The response includes a message success after the user creation.


Response Failure Schema

None


Example: Create a user with the Responder L2 role

Request

curl --request POST \
    --url https://12.34.56.78/rest/users/[email protected] \
    --header 'Content-Type:application/json' \
    --data '{
                                                "username": "[email protected]",
                                                "password": "mypassword",
                                                "roles": ["responder_l2"],
                                                "changePasswordOnNextLogin": false,
                                                "totpEnabled": true,
                                                "isDailyNotifications": false,
                                                "allowedLoginMethod": "PASSWORD"
                                            }'

Response

"success"