Retrieve Credentials for a GCP Bucket
Note
To use the incident response tool features, you can add the DFIR package to your instance of the Cybereason platform for an additional cost or request an Express IR environment (partners only). Contact your Customer Success representative to request access to this package. For details on how to submit the request, see How to Request a Cybereason Express IR Environment.
Endpoint URL: https://<your server>/rest/irtools/credentials
Endpoint URI: irtools/credentials
Action: GET
Retrieves credentials for a predefined GCP bucket in your environment. You can use these credentials to access the tool results output.
This request is supported for versions 21.1.81 and later.
You must have the Responder L2 role assigned for your Cybereason user to run this request.
Note
Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.
Request Headers
You must add a Content-Type: application/json header to the request.
Note
If you are using cURL, add the authorization cookie details or the path to the file containing the cookie details as part of every request.
Request Body
None
Request Parameters
URL/URI parameters: none
Request Body Parameters: none
Response Status Codes
This request can return the following status codes:
200: Request OK
Response Success Schema
The response contains the following fields:
Field | Type | Description |
---|---|---|
bucketName | String | The name of the bucket containing your tool’s output. |
serviceAccount | JSON | An object containing details on the bucket. For details on the fields in this object, see your GCP documentation. |
Response Failure Schema
None
Important Response Fields
All fields in the response are important. You should save the content of the response as a JSON file to access the GCP bucket later.
You can also use the contents of the response with the GCP API to retrieve and use the data. For details, see your GCP documentation.
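One way to save the response as described above without exposing the key, shown as an added example (not Cybereason's code; the helper names `save_bucket_credentials` and `redacted`, the output file name, the bucket-name check and the sample values are assumptions). It validates the documented fields, writes only the serviceAccount object to an owner-only file, and masks the private key for logging.

```python
import json
import os
import re

# Fields a service-account key file needs; all appear in the response example.
REQUIRED_SA_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                      "client_email", "token_uri")
# Assumption: conservative check so the bucket name is safe inside a file name.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$")


def save_bucket_credentials(body, out_dir):
    """Validate the response and write the key file; returns (bucket, path)."""
    bucket, sa = body.get("bucketName"), body.get("serviceAccount")
    if not isinstance(bucket, str) or not BUCKET_RE.match(bucket):
        raise ValueError("missing or malformed bucketName")
    if not isinstance(sa, dict):
        raise ValueError("missing serviceAccount object")
    missing = [f for f in REQUIRED_SA_FIELDS if not sa.get(f)]
    if missing:
        raise ValueError("serviceAccount is missing: " + ", ".join(missing))
    if sa["type"] != "service_account":
        raise ValueError("unexpected credential type")
    key_path = os.path.join(out_dir, bucket + "-sa.json")
    # O_EXCL refuses to overwrite or follow an existing path; mode 0o600 is
    # applied at creation, so the key is never readable by other users.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(sa, fh, indent=2)
    return bucket, key_path


def redacted(body):
    """Copy of the response that is safe to log: private_key is masked."""
    sa = dict(body.get("serviceAccount") or {})
    if "private_key" in sa:
        sa["private_key"] = "<redacted>"
    return {"bucketName": body.get("bucketName"), "serviceAccount": sa}


# Constructed sample response with placeholder values (not a real key).
SAMPLE = {"bucketName": "example-ir-bucket", "serviceAccount": {
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "0000", "token_uri": "https://oauth2.googleapis.com/token",
    "client_email": "sa@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"}}

if __name__ == "__main__":
    print(json.dumps(redacted(SAMPLE), indent=2))  # log this, never the raw body
```

The saved file has the standard Google service account key layout, so Google client libraries and the GOOGLE_APPLICATION_CREDENTIALS environment variable can use it directly.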
Example: Retrieve GCP credentials to access the bucket with the tool output
Request
curl --request GET \
--url https://12.34.56.78/rest/irtools/credentials \
--header 'Content-Type:application/json'
Response
{
"bucketName": "cr-ir-bucket-ir-test-cycle-2-a9e96119",
"serviceAccount": {
"token_uri": "https://oauth2.googleapis.com/token",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cr-ir-sa-ir-test-cycle-2%40ir-test-cycle-2-50149bf5.iam.gserviceaccount.com",
"private_key_id": "3f5026e48ff25307669d312b09a30ad6c8d1408e",
"project_id": "ir-test-cycle-2-50149bf5",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"client_email": "cr-ir-sa-ir-test-cycle-2@ir-test-cycle-2-50249bg5.iam.gserviceaccount.com",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQClptH9DH9cImme\nFfyCmZ40v04hujOtlX3vcaVJS5WZf2e0T1q4zS66Kll4wXM6oPMpqkADPPA0jP86\nsq+UZz3fO7OQdhQ9xWVCexeMz9nrD9fvFnK2dog4f50J0td2ZW8dtUys1Za+zvUk\n+9xt9y6fDYdt5kOIc+kHD/EGi+zj76VEyQ7npHRr0kpNez7+/Zr95c8Qgg73npWD\n/P/U/SlBNbQaj48szMUW0EgdFW+mDQxeGIZVmfffWkA7wLRXahS9slU1iPFWs6X0\nCP1uPhxW0y6OwOotPApoSkR6UqFhHWCLcW6mh9LloYzCp62f7D9wMY/IzHK9k3S7\nmerAM5NFAgMBAAECggEADjLKSkJJTasKxSi6nVxwGbKmuRquAJw7pcu75cMQw44O\nuX8ZFkCgAgeh5kkj3fabC7XdXr8DvRKzcw3gdtE9QGZsRwmX7+N81myZNtHp/806\ng50M9WQbhkbfPaRQy4POOQxSfM33PyDwv4bG/LX0d7WVJ2+r14T33Z8ZgvzOBTYL\nStdPl76ccGiCJJVvV3zAifEdVL0h3EyYdK3R7iDO7A0XRv00DTb1sSpW/AxZucJK\nbo6x6zxfrmMqrscqQf1q80Clo8v/Gbi9Yy85SSfX4SFqOPRQDu5W14auA0kezSXe\nqUh8DzEqSMqeGq6IzbrXoSkNC9+hzFW5B31o1UKpUQKBgQDPh0YTh66FTm5k+f4G\ndu7ie9OyVEFgS2y6wRK4z+8/4r7xfOH6y2rHUUkG5Avt8MxgnTTMwJkVn34OLlhy\nV/CrA7o3gtISBL2Npswi3h4A5sB3nQGnDMuUck7otgzDDWJqjZMNL0ZjYWmebShF\nB/tXRPX3YTMtp/69q0yNR2ZXPwKBgQDMV5zgzZm/CL95Dh2UyljaHAhsUAKlCXpA\nTRxpHGJymKzui3zUZGUUTzgC5C4BhU8QOA7I/Sumg4sWUOSYWiY+nS9uhpCUkAJJ\n0/wt2oKepPCYNg1b5GqbfSyB5dq052rxaYVr3wvGMt/vEI/WoCkNS7XvUPamL+nn\nvctvs3ZYewKBgQCHLAYx7Ft5StfO/6I9FbSNYrhF3Glkzlv43I9UP2QHiapzYrNS\nhrJ7Nu/JBDrc9c45U8wzXXOYyPTzSa6kz7E3wsrFI3mu8NWCcVVflKuYTLSqdGLC\nKyxi+X16SDHRzmL/Ik3Y9aT0UFvaLCFhrUxB0JIhWndaUqUzZ2MKVqpLQwKBgQDH\n4i/v6s4pAzqhBMDE6gZuHBvVL5LWs2Wlfoh6/SwD4vrOQR3zdPOLIU6t7VxfWnKT\nb/Jugs/vCx/DzY8+xHhCqWlbWUAWQqQqabV1eRhqbPd4PO9mYxIxVQlza087xF9l\nFI5RjZYr41oPtQiurm5ZtiSam30Z5SaN7KcSdd8e/wKBgEVKlOG6slN7TwEMuBbT\nGHwC8IhFEJDvHoOKyopvhdfGAmeoBjBwvDUk6NGlxIAXsh0QyPvZHzYxF/rqC7GA\nz0bPW6GX9sxwW2IxWeoqIXOVaEZV4jGRoq5VorSWVESINZ+W9xKdYmKvub4rT0rn\nNVKn8p4WTecpRcDpjOFM1k1u\n-----END PRIVATE KEY-----\n",
"type": "service_account",
"client_id": "115944668658311446409"
}
}
Request
Note
Ensure you replace the value of the totpCode parameter in the script example below with your unique TOTP code generated from your app or program.
import json

import requests

# Login information
username = "<your username>"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"

# Log in; the session object keeps the authentication cookie for later requests
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

# Submit the TOTP code (replace 526681 with your current code)
payload = 'totpCode=526681&Submit=Login'
tfa_headers = {"Content-Type": "application/x-www-form-urlencoded"}
tfa_url = "https://" + server + "/"
tfa_response = session.post(tfa_url, headers=tfa_headers, data=payload, verify=True)

# Request URL
endpoint_url = "/rest/irtools/credentials"
api_url = base_url + endpoint_url

# Retrieve the bucket credentials; stop on any HTTP error status
api_response = session.request("GET", api_url, headers=headers)
api_response.raise_for_status()
your_response = json.loads(api_response.content)

# The printed output includes the service account private key
print(json.dumps(your_response, indent=4, sort_keys=True))