Delete a Forensic Data Ingestion Tool
Note
To use the data ingestion tool features, you can add the DFIR package to your instance of the Cybereason platform for an additional cost or request an Express IR environment (partners only). Contact your Customer Success representative to request access to this package or for details on how to submit the request, see How to Request a Cybereason Express IR Environment.
Endpoint URL: https://<your server>/rest/forensics/deleteForensicTool
Endpoint URI: forensics/deleteForensicTool
Action: POST
Enables you to delete a forensic data ingestion tool from endpoint machines.
This request is supported for versions 21.2.221 and higher.
You must have the Responder L2 role assigned for your Cybereason user to run this request.
Note
Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.
Request Headers
You must add a Content-Type:application/json header with the request.
Note
If you are using cURL, add the authorization cookie details or the path to the file containing the cookie details as part of every request.
Request Body
Input: JSON
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
{
"toolName":"<tool name>"
}
Request Parameters
URL/URI parameters: none
Request Body Parameters: You must add a string value for the forensic data package name to delete in the required toolName key. To retrieve a list of supported packages, see Retrieve a List of Supported Forensics Ingestion Tools.
Response Status Codes
This request can return the following status codes:
200: The request succeeded
400: Bad request parameters
403: Lack of permissions to perform the request
500: Internal error on Perspective Server
503: Forensics/IRTools service is disabled
Response Success Schema
The response contains a message Forensic tool <tool name> delete request was submitted successfully.
Response Failure Schema
An error code with a description of the error.
Example: Remove a forensic data ingestion tool from endpoint machines
Request
curl --request POST \
--url https://12.34.56.78/rest/forensics/deleteForensicTool \
--data '{
"toolName": "CustomPrefetchOfflineCollector"
}'
Response
Forensic tool CustomPrefetchOfflineCollector delete request was submitted successfully
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{ "toolName":"<tool name>" }Response
Forensic tool CustomPrefetchOfflineCollector delete request was submitted successfully
Request
Note
Ensure you replace the value of the totpCode parameter in the script example below with your unique TOTP code generated from your app or program.
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
import requests
import json
# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"
data = {
"username": username,
"password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print (login_response.status_code)
print (session.cookies.items())
payload='totpCode=814920&Submit=Login'
tfa_headers = {"Content-Type": "application/x-www-form-urlencoded"}
tfa_url = "https://" + server + "/"
tfa_response = session.post(tfa_url, headers=tfa_headers, data=payload, verify=True)
# Request URL
endpoint_url = "/rest/forensics/deleteForensicTool"
api_url = base_url + endpoint_url
# These are the variables that represent different fields in the request.
package_name = "CustomPrefetchOfflineCollector"
query = json.dumps({"toolName":package_name})
api_response = session.request("POST", api_url, data=query, headers=headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
Forensic tool CustomPrefetchOfflineCollector delete request was submitted successfully