Manage Incident Response and Forensic Data Ingestion Tools

Note

To use the incident response tool or data ingestion tool features, you can add the DFIR package to your instance of the Cybereason platform for an additional cost, or request an Express IR environment (partners only). Contact your Customer Success representative to request access to this package; for details on how to submit the request, see How to Request a Cybereason Express IR Environment.

By using the API you can deploy third-party incident response tools or forensic data ingestion tools directly from your Cybereason platform. This helps you quickly deploy the tools needed to respond to an active breach in your organization.

Note

Incident response tool management and forensic data ingestion tool features in the Cybereason platform are currently available only to Cybereason partners.

Tasks

All APIs assume a URL prefix of https://<your server>/rest.

| Task | Endpoint | Method | Returns |
| --- | --- | --- | --- |
| Upload a tool package to your environment and deploy to machines | irtools/upload | POST | Message on upload success |
| Check the status of an incident response tool deployment | sensors/action/getPackagesDeployment | POST | Details about tool deployment |
| Check uploaded packages | irtools/packages | GET | List of packages uploaded to your environment |
| Run an incident response tool on a machine | sensors/action/runIRTool | POST | Details about tool execution operation |
| Monitor the execution of an incident response tool on a machine | sensors/action/getRunIRToolStatus?:batchID | GET | Details about tool execution operation |
| Retrieve and upload results from an incident response tool execution | sensors/action/getIRToolResults | POST | Result details |
| Delete an incident response tool | irtools/delete | POST | Message with success or failure result |
| Get credentials for a GCP bucket with your results | irtools/credentials | GET | Credential details for a GCP bucket |
| Get a list of supported forensics tools | forensics/forensicsTools | GET | List of supported tool packages |
| Deploy a forensic tool package | forensics/uploadForensicTool | POST | Message on deploy operation |
| Monitor deployment of forensic tools | forensics/getForensicToolDeploymentStatus | POST | Details on deployment operation |
| Run a forensic tool | forensics/runForensicTool | POST | Details on execution operation |
| Run a forensic tool on specific sensors from a CSV list | forensics/runForensicTool | POST | Details on execution operation |
| Monitor execution of a forensic tool | forensics/getForensicToolRunStatus/:batchId | POST | Details on execution operation |
| Delete a forensic tool | forensics/deleteForensicTool | POST | Details on delete operation |