Create an L2 Responder User
Note
To use the incident response or data ingestion tool features, you can add the DFIR package to your instance of the Cybereason platform for an additional cost or request an Express IR environment (partners only). Contact your Customer Success representative to request access to this package. For details on how to submit the request, see How to Request a Cybereason Express IR Environment.
Endpoint URL: https://<your server>/rest/users/<email address>
Endpoint URI: users/<email address>
Action: POST
Creates a user for the Cybereason platform with the Responder L2 role.
This request is supported for versions 21.1.81 and later. You must enable two-factor authentication (TFA) or SSO for users with the Responder L2 role. Two-factor authentication (TFA) or SSO is only required for users with the Responder L1 role if they will use the Remote Shell utility in Unrestricted mode.
Note
Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.
Request Headers
You must add a Content-Type:application/json header with the request.
Note
If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.
Request Body
Input: JSON
{
"username": "<email address>",
"password": "<password>",
"roles": ["responder_l2"],
"changePasswordOnNextLogin": false,
"totpEnabled": true,
"isDailyNotifications": false,
"allowedLoginMethod": "PASSWORD"
}
Request Parameters
URL/URI parameters: none
Request Body Parameters: Add these REQUIRED parameters as part of the request:
Field | Type | Description |
---|---|---|
username | String | The email address for the Cybereason platform user. |
password | String | The password to use for the Cybereason platform user. |
roles | Array | The roles to add for this user. Add responder_l2 to enable this user to run IR tool requests. If you add the responder_l2 role for this user, you cannot assign them the Sensor Admin L1, Local Analyst L1, or Local Analyst L2 roles. |
changePasswordOnNextLogin | Boolean | Indicates whether to require the user to update their password on the next login to the platform. Set this value to false. |
totpEnabled | Boolean | Indicates whether this user has two-factor authentication enabled. Set this value to true to enable you to use the IR tools requests. Ensure that a system admin for your platform enables two-factor (TFA) globally for the platform before you set this option to true. |
isDailyNotifications | Boolean | Indicates whether this user should receive daily notifications from the platform. Set this value to false. |
allowedLoginMethod | Enum | The allowed login method for this user. Set this value to PASSWORD. |
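A pre-flight check for the request body, as an added example (not Cybereason's code): it verifies the required fields, their types and the fixed values listed in the table above before the body is sent. The `check_l2_body` name and the `conflicting_roles` argument are assumptions; the page names the Sensor Admin L1, Local Analyst L1 and Local Analyst L2 roles but not their API identifiers, so the caller supplies them.

```python
# Added example: validate a Responder L2 create-user body against the table above.
REQUIRED_TYPES = {
    "username": str,
    "password": str,
    "roles": list,
    "changePasswordOnNextLogin": bool,
    "totpEnabled": bool,
    "isDailyNotifications": bool,
    "allowedLoginMethod": str,
}

# Values the parameter table says to set for a Responder L2 user.
EXPECTED_VALUES = {
    "changePasswordOnNextLogin": False,
    "totpEnabled": True,
    "isDailyNotifications": False,
    "allowedLoginMethod": "PASSWORD",
}


def check_l2_body(body, conflicting_roles=frozenset()):
    """Return a list of problems; an empty list means the body matches the table.

    conflicting_roles: API identifiers of the roles that cannot be combined
    with responder_l2. The page gives only their display names, so these
    identifiers are supplied by the caller (assumption).
    """
    problems = []
    for field, expected_type in REQUIRED_TYPES.items():
        if field not in body:
            problems.append(f"missing required field: {field}")
        elif not isinstance(body[field], expected_type):
            problems.append(f"{field} must be {expected_type.__name__}")
    if isinstance(body.get("roles"), list) and not all(isinstance(r, str) for r in body["roles"]):
        problems.append("roles must contain only strings")
    if problems:
        return problems  # value checks below assume well-typed fields
    for field, expected in EXPECTED_VALUES.items():
        if body[field] != expected:
            problems.append(f"{field} should be {expected!r}")
    roles = set(body["roles"])
    if "responder_l2" not in roles:
        problems.append("roles must include responder_l2")
    clash = sorted(roles & set(conflicting_roles))
    if clash:
        problems.append(f"responder_l2 cannot be combined with: {', '.join(clash)}")
    return problems
```

Run the check on the body before posting it and refuse to send when the returned list is not empty.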
Response Status Codes
This request can return the following status codes:
200: Success OK
Response Success Schema
The response includes the message success after the user is created.
Response Failure Schema
None
Example: Create a user with the Responder L2 role
Request
curl --request POST \
--url https://12.34.56.78/rest/users/[email protected] \
--header 'Content-Type:application/json' \
--data '{
"username": "[email protected]",
"password": "mypassword",
"roles": ["responder_l2"],
"changePasswordOnNextLogin": false,
"totpEnabled": true,
"isDailyNotifications": false,
"allowedLoginMethod": "PASSWORD"
}'
Response
"success"
Request
Use this request body:
{
"username": "[email protected]",
"password": "mypassword",
"roles": ["responder_l2"],
"changePasswordOnNextLogin": false,
"totpEnabled": true,
"isDailyNotifications": false,
"allowedLoginMethod": "PASSWORD"
}
Response
"success"
Request
Note
Ensure you replace the value of the totpCode parameter in the script example below with your unique TOTP code generated from your app or program.
import json

import requests

# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"

# Log in; the session object keeps the authentication cookie for later requests.
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

# These are the variables that represent different fields in the request.
user_email = "[email protected]"
user_password = "mypassword"

# Request URL (built after user_email is defined)
endpoint_url = "/rest/users/"
api_url = base_url + endpoint_url + user_email

# Request body for the new Responder L2 user
data = json.dumps({
    "username": user_email,
    "password": user_password,
    "roles": ["responder_l2"],
    "changePasswordOnNextLogin": False,
    "totpEnabled": True,
    "isDailyNotifications": False,
    "allowedLoginMethod": "PASSWORD"
})
api_response = session.request("POST", api_url, data=data, headers=headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
"success"