Retrieve Credentials for a GCP Bucket

Note

To use the incident response tool features, you can add the DFIR package to your instance of the Cybereason platform for an additional cost or request an Express IR environment (partners only). Contact your Customer Success representative to request access to this package or for details on how to submit the request, see How to Request a Cybereason Express IR Environment.

Endpoint URL: https://<your server>/rest/irtools/credentials
Endpoint URI: irtools/credentials

Action: GET

Retrieves credentials for a predefined GCP bucket of your environment that you can use to access the tool results output.

This request is supported for versions 21.1.81 and later.

You must have the Responder L2 role assigned for your Cybereason user to run this request.

Note

Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.

You must add an Content-Type:application/json header with the request.

Note

If you are using cURL, add the authorization cookie details or the path to the file containing the cookie details as part of every request.

None

URL/URI parameters: none

Request Body Parameters: none

This request can return the following status codes:

200: Request OK

The response contains the following fields:

Field	Type	Description
bucketName	String	The name of the bucket containing your tool’s output.
serviceAccount	JSON	An object containing details on the bucket. For details on the fields in this object, see your GCP documentation.

None

All fields in the response are important. You should save the content of the response as a JSON file to access the GCP bucket later.

You can also use the contents of the response with the GCP API to retrieve and use the data. For details, see your GCP documentation.

Request

curl --request GET \
  --url https://12.34.56.78/rest/irtools/credentials \
  --header 'Content-Type:application/json' \

Response

{
  "bucketName": "cr-ir-bucket-ir-test-cycle-2-a9e96119",
  "serviceAccount": {
      "token_uri": "https://oauth2.googleapis.com/token",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cr-ir-sa-ir-test-cycle-2%40ir-test-cycle-2-50149bf5.iam.gserviceaccount.com",
      "private_key_id": "3f5026e48ff25307669d312b09a30ad6c8d1408e",
      "project_id": "ir-test-cycle-2-50149bf5",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "client_email": "cr-ir-sa-ir-test-cycle-2@ir-test-cycle-2-50249bg5.iam.gserviceaccount.com",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQClptH9DH9cImme\nFfyCmZ40v04hujOtlX3vcaVJS5WZf2e0T1q4zS66Kll4wXM6oPMpqkADPPA0jP86\nsq+UZz3fO7OQdhQ9xWVCexeMz9nrD9fvFnK2dog4f50J0td2ZW8dtUys1Za+zvUk\n+9xt9y6fDYdt5kOIc+kHD/EGi+zj76VEyQ7npHRr0kpNez7+/Zr95c8Qgg73npWD\n/P/U/SlBNbQaj48szMUW0EgdFW+mDQxeGIZVmfffWkA7wLRXahS9slU1iPFWs6X0\nCP1uPhxW0y6OwOotPApoSkR6UqFhHWCLcW6mh9LloYzCp62f7D9wMY/IzHK9k3S7\nmerAM5NFAgMBAAECggEADjLKSkJJTasKxSi6nVxwGbKmuRquAJw7pcu75cMQw44O\nuX8ZFkCgAgeh5kkj3fabC7XdXr8DvRKzcw3gdtE9QGZsRwmX7+N81myZNtHp/806\ng50M9WQbhkbfPaRQy4POOQxSfM33PyDwv4bG/LX0d7WVJ2+r14T33Z8ZgvzOBTYL\nStdPl76ccGiCJJVvV3zAifEdVL0h3EyYdK3R7iDO7A0XRv00DTb1sSpW/AxZucJK\nbo6x6zxfrmMqrscqQf1q80Clo8v/Gbi9Yy85SSfX4SFqOPRQDu5W14auA0kezSXe\nqUh8DzEqSMqeGq6IzbrXoSkNC9+hzFW5B31o1UKpUQKBgQDPh0YTh66FTm5k+f4G\ndu7ie9OyVEFgS2y6wRK4z+8/4r7xfOH6y2rHUUkG5Avt8MxgnTTMwJkVn34OLlhy\nV/CrA7o3gtISBL2Npswi3h4A5sB3nQGnDMuUck7otgzDDWJqjZMNL0ZjYWmebShF\nB/tXRPX3YTMtp/69q0yNR2ZXPwKBgQDMV5zgzZm/CL95Dh2UyljaHAhsUAKlCXpA\nTRxpHGJymKzui3zUZGUUTzgC5C4BhU8QOA7I/Sumg4sWUOSYWiY+nS9uhpCUkAJJ\n0/wt2oKepPCYNg1b5GqbfSyB5dq052rxaYVr3wvGMt/vEI/WoCkNS7XvUPamL+nn\nvctvs3ZYewKBgQCHLAYx7Ft5StfO/6I9FbSNYrhF3Glkzlv43I9UP2QHiapzYrNS\nhrJ7Nu/JBDrc9c45U8wzXXOYyPTzSa6kz7E3wsrFI3mu8NWCcVVflKuYTLSqdGLC\nKyxi+X16SDHRzmL/Ik3Y9aT0UFvaLCFhrUxB0JIhWndaUqUzZ2MKVqpLQwKBgQDH\n4i/v6s4pAzqhBMDE6gZuHBvVL5LWs2Wlfoh6/SwD4vrOQR3zdPOLIU6t7VxfWnKT\nb/Jugs/vCx/DzY8+xHhCqWlbWUAWQqQqabV1eRhqbPd4PO9mYxIxVQlza087xF9l\nFI5RjZYr41oPtQiurm5ZtiSam30Z5SaN7KcSdd8e/wKBgEVKlOG6slN7TwEMuBbT\nGHwC8IhFEJDvHoOKyopvhdfGAmeoBjBwvDUk6NGlxIAXsh0QyPvZHzYxF/rqC7GA\nz0bPW6GX9sxwW2IxWeoqIXOVaEZV4jGRoq5VorSWVESINZ+W9xKdYmKvub4rT0rn\nNVKn8p4WTecpRcDpjOFM1k1u\n-----END PRIVATE KEY-----\n",
      "type": "service_account",
      "client_id": "115944668658311446409"
  }
}

Request

Response

{
  "bucketName": "cr-ir-bucket-ir-test-cycle-2-a9e96119",
  "serviceAccount": {
      "token_uri": "https://oauth2.googleapis.com/token",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cr-ir-sa-ir-test-cycle-2%40ir-test-cycle-2-50149bf5.iam.gserviceaccount.com",
      "private_key_id": "3f5026e48ff25307669d312b09a30ad6c8d1408e",
      "project_id": "ir-test-cycle-2-50149bf5",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "client_email": "cr-ir-sa-ir-test-cycle-2@ir-test-cycle-2-50249bg5.iam.gserviceaccount.com",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQClptH9DH9cImme\nFfyCmZ40v04hujOtlX3vcaVJS5WZf2e0T1q4zS66Kll4wXM6oPMpqkADPPA0jP86\nsq+UZz3fO7OQdhQ9xWVCexeMz9nrD9fvFnK2dog4f50J0td2ZW8dtUys1Za+zvUk\n+9xt9y6fDYdt5kOIc+kHD/EGi+zj76VEyQ7npHRr0kpNez7+/Zr95c8Qgg73npWD\n/P/U/SlBNbQaj48szMUW0EgdFW+mDQxeGIZVmfffWkA7wLRXahS9slU1iPFWs6X0\nCP1uPhxW0y6OwOotPApoSkR6UqFhHWCLcW6mh9LloYzCp62f7D9wMY/IzHK9k3S7\nmerAM5NFAgMBAAECggEADjLKSkJJTasKxSi6nVxwGbKmuRquAJw7pcu75cMQw44O\nuX8ZFkCgAgeh5kkj3fabC7XdXr8DvRKzcw3gdtE9QGZsRwmX7+N81myZNtHp/806\ng50M9WQbhkbfPaRQy4POOQxSfM33PyDwv4bG/LX0d7WVJ2+r14T33Z8ZgvzOBTYL\nStdPl76ccGiCJJVvV3zAifEdVL0h3EyYdK3R7iDO7A0XRv00DTb1sSpW/AxZucJK\nbo6x6zxfrmMqrscqQf1q80Clo8v/Gbi9Yy85SSfX4SFqOPRQDu5W14auA0kezSXe\nqUh8DzEqSMqeGq6IzbrXoSkNC9+hzFW5B31o1UKpUQKBgQDPh0YTh66FTm5k+f4G\ndu7ie9OyVEFgS2y6wRK4z+8/4r7xfOH6y2rHUUkG5Avt8MxgnTTMwJkVn34OLlhy\nV/CrA7o3gtISBL2Npswi3h4A5sB3nQGnDMuUck7otgzDDWJqjZMNL0ZjYWmebShF\nB/tXRPX3YTMtp/69q0yNR2ZXPwKBgQDMV5zgzZm/CL95Dh2UyljaHAhsUAKlCXpA\nTRxpHGJymKzui3zUZGUUTzgC5C4BhU8QOA7I/Sumg4sWUOSYWiY+nS9uhpCUkAJJ\n0/wt2oKepPCYNg1b5GqbfSyB5dq052rxaYVr3wvGMt/vEI/WoCkNS7XvUPamL+nn\nvctvs3ZYewKBgQCHLAYx7Ft5StfO/6I9FbSNYrhF3Glkzlv43I9UP2QHiapzYrNS\nhrJ7Nu/JBDrc9c45U8wzXXOYyPTzSa6kz7E3wsrFI3mu8NWCcVVflKuYTLSqdGLC\nKyxi+X16SDHRzmL/Ik3Y9aT0UFvaLCFhrUxB0JIhWndaUqUzZ2MKVqpLQwKBgQDH\n4i/v6s4pAzqhBMDE6gZuHBvVL5LWs2Wlfoh6/SwD4vrOQR3zdPOLIU6t7VxfWnKT\nb/Jugs/vCx/DzY8+xHhCqWlbWUAWQqQqabV1eRhqbPd4PO9mYxIxVQlza087xF9l\nFI5RjZYr41oPtQiurm5ZtiSam30Z5SaN7KcSdd8e/wKBgEVKlOG6slN7TwEMuBbT\nGHwC8IhFEJDvHoOKyopvhdfGAmeoBjBwvDUk6NGlxIAXsh0QyPvZHzYxF/rqC7GA\nz0bPW6GX9sxwW2IxWeoqIXOVaEZV4jGRoq5VorSWVESINZ+W9xKdYmKvub4rT0rn\nNVKn8p4WTecpRcDpjOFM1k1u\n-----END PRIVATE KEY-----\n",
      "type": "service_account",
      "client_id": "115944668658311446409"
  }
}

Request

Note

Ensure you replace the value of the totpCode parameter in the script example below with your unique TOTP code generated from your app or program.

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

payload='totpCode=526681&Submit=Login'
tfa_headers = {"Content-Type": "application/x-www-form-urlencoded"}

tfa_url = "https://" + server + "/"

tfa_response = session.post(tfa_url, headers=tfa_headers, data=payload, verify=True)

# Request URL

endpoint_url = "/rest/irtools/credentials"

api_url = base_url + endpoint_url

api_response = session.request("GET", api_url, headers=headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Response

 {
  "bucketName": "cr-ir-bucket-ir-test-cycle-2-a9e96119",
  "serviceAccount": {
      "token_uri": "https://oauth2.googleapis.com/token",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cr-ir-sa-ir-test-cycle-2%40ir-test-cycle-2-50149bf5.iam.gserviceaccount.com",
      "private_key_id": "3f5026e48ff25307669d312b09a30ad6c8d1408e",
      "project_id": "ir-test-cycle-2-50149bf5",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "client_email": "cr-ir-sa-ir-test-cycle-2@ir-test-cycle-2-50249bg5.iam.gserviceaccount.com",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQClptH9DH9cImme\nFfyCmZ40v04hujOtlX3vcaVJS5WZf2e0T1q4zS66Kll4wXM6oPMpqkADPPA0jP86\nsq+UZz3fO7OQdhQ9xWVCexeMz9nrD9fvFnK2dog4f50J0td2ZW8dtUys1Za+zvUk\n+9xt9y6fDYdt5kOIc+kHD/EGi+zj76VEyQ7npHRr0kpNez7+/Zr95c8Qgg73npWD\n/P/U/SlBNbQaj48szMUW0EgdFW+mDQxeGIZVmfffWkA7wLRXahS9slU1iPFWs6X0\nCP1uPhxW0y6OwOotPApoSkR6UqFhHWCLcW6mh9LloYzCp62f7D9wMY/IzHK9k3S7\nmerAM5NFAgMBAAECggEADjLKSkJJTasKxSi6nVxwGbKmuRquAJw7pcu75cMQw44O\nuX8ZFkCgAgeh5kkj3fabC7XdXr8DvRKzcw3gdtE9QGZsRwmX7+N81myZNtHp/806\ng50M9WQbhkbfPaRQy4POOQxSfM33PyDwv4bG/LX0d7WVJ2+r14T33Z8ZgvzOBTYL\nStdPl76ccGiCJJVvV3zAifEdVL0h3EyYdK3R7iDO7A0XRv00DTb1sSpW/AxZucJK\nbo6x6zxfrmMqrscqQf1q80Clo8v/Gbi9Yy85SSfX4SFqOPRQDu5W14auA0kezSXe\nqUh8DzEqSMqeGq6IzbrXoSkNC9+hzFW5B31o1UKpUQKBgQDPh0YTh66FTm5k+f4G\ndu7ie9OyVEFgS2y6wRK4z+8/4r7xfOH6y2rHUUkG5Avt8MxgnTTMwJkVn34OLlhy\nV/CrA7o3gtISBL2Npswi3h4A5sB3nQGnDMuUck7otgzDDWJqjZMNL0ZjYWmebShF\nB/tXRPX3YTMtp/69q0yNR2ZXPwKBgQDMV5zgzZm/CL95Dh2UyljaHAhsUAKlCXpA\nTRxpHGJymKzui3zUZGUUTzgC5C4BhU8QOA7I/Sumg4sWUOSYWiY+nS9uhpCUkAJJ\n0/wt2oKepPCYNg1b5GqbfSyB5dq052rxaYVr3wvGMt/vEI/WoCkNS7XvUPamL+nn\nvctvs3ZYewKBgQCHLAYx7Ft5StfO/6I9FbSNYrhF3Glkzlv43I9UP2QHiapzYrNS\nhrJ7Nu/JBDrc9c45U8wzXXOYyPTzSa6kz7E3wsrFI3mu8NWCcVVflKuYTLSqdGLC\nKyxi+X16SDHRzmL/Ik3Y9aT0UFvaLCFhrUxB0JIhWndaUqUzZ2MKVqpLQwKBgQDH\n4i/v6s4pAzqhBMDE6gZuHBvVL5LWs2Wlfoh6/SwD4vrOQR3zdPOLIU6t7VxfWnKT\nb/Jugs/vCx/DzY8+xHhCqWlbWUAWQqQqabV1eRhqbPd4PO9mYxIxVQlza087xF9l\nFI5RjZYr41oPtQiurm5ZtiSam30Z5SaN7KcSdd8e/wKBgEVKlOG6slN7TwEMuBbT\nGHwC8IhFEJDvHoOKyopvhdfGAmeoBjBwvDUk6NGlxIAXsh0QyPvZHzYxF/rqC7GA\nz0bPW6GX9sxwW2IxWeoqIXOVaEZV4jGRoq5VorSWVESINZ+W9xKdYmKvub4rT0rn\nNVKn8p4WTecpRcDpjOFM1k1u\n-----END PRIVATE KEY-----\n",
      "type": "service_account",
      "client_id": "115944668658311446409"
  }
}