Delete a Tool Package
Note
To use the incident response tool features, you can add the DFIR package to your instance of the Cybereason platform for an additional cost or request an Express IR environment (partners only). Contact your Customer Success representative to request access to this package. For details on how to submit the request, see How to Request a Cybereason Express IR Environment.
Endpoint URL: https://<your server>/rest/irtools/delete
Endpoint URI: irtools/delete
Action: POST
Enables you to delete a tool package for a third-party incident response tool from your Cybereason platform and remove that package from endpoint machines.
This request is supported for versions 21.1.261/21.2.41 and higher.
You must have the Responder L2 role assigned for your Cybereason user to run this request.
Note
Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.
Request Headers
None
Request Body
Input: JSON
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
{
"packageName": "<package name>"
}
Request Parameters
URL/URI parameters: none
Request Body Parameters: In the required packageName key, you must provide the name of the tool package to delete as a string value.
Response Status Codes
This request can return the following status codes:
200: IR Tool delete request was submitted successfully
400: Bad params
503: Packages delivery service is disabled
Response Success Schema
The response contains the message: IR Tool delete request was submitted successfully.
Response Failure Schema
The response returns an error code with a description of the error:
IR Tool delete request was submitted successfully
Bad params
Packages delivery service is disabled
Example: Remove a tool for all Windows endpoints with a C:/collectorOutDir output directory
Request
curl --request POST \
--url https://12.34.56.78/rest/irtools/delete \
--data '{
"packageName": "deploy-example1"
}'
Response
IR Tool delete request was submitted successfully
Request
Use this request body:
{ "packageName": "deploy-example1" }
Response
IR Tool delete request was submitted successfully
Request
Note
Ensure you replace the value of the totpCode parameter in the script example below with your unique TOTP code generated from your app or program.
import requests
import json

# Login information
username = "user@example.com"  # placeholder username
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"

# Log in; the session keeps the authentication cookie for later requests
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

# Submit the TOTP code for two-factor authentication
payload = 'totpCode=814920&Submit=Login'
tfa_headers = {"Content-Type": "application/x-www-form-urlencoded"}
tfa_url = "https://" + server + "/"
tfa_response = session.post(tfa_url, headers=tfa_headers, data=payload, verify=True)

# Request URL
endpoint_url = "/rest/irtools/delete"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
package_name = "deploy-example1"
query = json.dumps({"packageName": package_name})
api_headers = {'Content-Type': 'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

# The response body is a plain-text message, so print it as text
print(api_response.status_code)
print(api_response.text)
Response
IR Tool delete request was submitted successfully