Monitor Incident Response Tool Execution

Note

To use the incident response tool features, you can add the DFIR package to your instance of the Cybereason platform for an additional cost or request an Express IR environment (partners only). Contact your Customer Success representative to request access to this package or for details on how to submit the request, see How to Request a Cybereason Express IR Environment.

Endpoint URL: https://<your server>/rest/sensors/action/getRunIRToolStatus/<batchID>
Endpoint URI: sensors/action/getRunIRToolStatus/<batchID>

Action: GET

Monitors the execution of an incident response tool (identified by the batch ID number from an execution request). For details on how to run an incident response tool, see Run an Incident Response Tool.

This request is supported for versions 21.1.81 and later.

You must have the Responder L2 role assigned for your Cybereason user to run this request.

Note

Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.

You must add a Content-Type:application/json header with the request.

Note

If you are using cURL, add the authorization cookie details or the path to the file containing the cookie details as part of every request.

None

URL/URI parameters: You must add the required batchID string value (taken from the response of the request to run an incident response tool) in the URL.

Request Body Parameters: none

This request can return the following status codes:

200: Request OK

The response contains the following fields:

Sensor: The unique sensor ID for the sensors involved in the incident response tool execution.
Status: The status of the tool execution operation
Error: Any relevant error messages.

None

All information contained in the response is important for you to understand if the tool ran successfully.

Request

curl --request GET \
  --url https://12.34.56.78/rest/sensors/action/getRunIRToolStatus/1438096773 \
  --header 'Content-Type:application/json' \

Response

PYLUMCLIENT_IR-15-APRIL_WIN10-X64-19H1_005056A642D0,Succeeded,SEC_SUCCESS
PYLUMCLIENT_IR-15-APRIL_WIN10-X64-20H1_005056A66E2C,Succeeded,SEC_SUCCESS

Request

Response

PYLUMCLIENT_IR-15-APRIL_WIN10-X64-19H1_005056A642D0,Succeeded,SEC_SUCCESS
PYLUMCLIENT_IR-15-APRIL_WIN10-X64-20H1_005056A66E2C,Succeeded,SEC_SUCCESS

Request

Note

Ensure you replace the value of the totpCode parameter in the script example below with your unique TOTP code generated from your app or program.

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

payload='totpCode=814920&Submit=Login'
tfa_headers = {"Content-Type": "application/x-www-form-urlencoded"}

tfa_url = "https://" + server + "/"

tfa_response = session.post(tfa_url, headers=tfa_headers, data=payload, verify=True)

# Request URL

batch_id = 1438096773

endpoint_url = "/rest/sensors/action/getRunIRToolStatus/"

api_url = base_url + endpoint_url + str(batch_id)

api_response = session.request("GET", api_url, headers=headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Response

PYLUMCLIENT_IR-15-APRIL_WIN10-X64-19H1_005056A642D0,Succeeded,SEC_SUCCESS
PYLUMCLIENT_IR-15-APRIL_WIN10-X64-20H1_005056A66E2C,Succeeded,SEC_SUCCESS