Retrieve a List of Supported Forensics Ingestion Tools
Note
To use the data ingestion tool features, you can add the DFIR package to your instance of the Cybereason platform for an additional cost or request an Express IR environment (partners only). Contact your Customer Success representative to request access to this package or for details on how to submit the request, see How to Request a Cybereason Express IR Environment.
Endpoint URL: https://<your server>/rest/forensics/forensicTools
Endpoint URI: forensics/forensicTools
Action: GET
Retrieves a list of supported forensic data ingestion tools.
This request is supported for versions 21.2.221 and later.
You must have the Responder L2 role assigned for your Cybereason user to run this request.
Note
Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.
Request Headers
You must add a Content-Type:application/json header with the request.
Note
If you are using cURL, add the authorization cookie details or the path to the file containing the cookie details as part of every request.
Request Body
None
Request Parameters
URL/URI parameters: none
Request Body Parameters: none
Response Status Codes
This request can return the following status codes:
200: Request OK
403: Lack of permissions to perform the request
503: The forensics service is disabled
Response Success Schema
The response contains the following fields:
Field |
Type |
Parameter |
---|---|---|
name |
String |
The name of the forensics data package. |
description |
String |
A description of the forensic data package. |
version |
Integer |
The version of the forensic data package. |
type |
Enum |
The type of package. Possible values include:
|
Response Failure Schema
An error code with a description of the error.
Important Response Fields
Important information is found in these fields:
name: The name of the package
Example: Retrieve a list of suppported forensic data ingestion tools
Request
curl --request GET \
--url https://12.34.56.78/rest/forensics/forensicTools \
--header 'Content-Type:application/json' \
Response
[
{
"name": "CustomPrefetchOfflineCollector",
"description": "Collects Windows prefetch files from the endpoint",
"version": "1.0",
"type": "PREFETCH",
"supportedOsTypes": [
"WINDOWS_TYPES"
]
}
]
[
{
"name": "CustomPrefetchOfflineCollector",
"description": "Collects Windows prefetch files from the endpoint",
"version": "1.0",
"type": "PREFETCH",
"supportedOsTypes": [
"WINDOWS_TYPES"
]
}
]
Request
Note
Ensure you replace the value of the totpCode parameter in the script example below with your unique TOTP code generated from your app or program.
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
import requests
import json
# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"
data = {
"username": username,
"password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print (login_response.status_code)
print (session.cookies.items())
payload='totpCode=526681&Submit=Login'
tfa_headers = {"Content-Type": "application/x-www-form-urlencoded"}
tfa_url = "https://" + server + "/"
tfa_response = session.post(tfa_url, headers=tfa_headers, data=payload, verify=True)
# Request URL
endpoint_url = "/rest/forensics/forensicTools"
api_url = base_url + endpoint_url
api_response = session.request("GET", api_url, headers=headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
[
{
"name": "CustomPrefetchOfflineCollector",
"description": "Collects Windows prefetch files from the endpoint",
"version": "1.0",
"type": "PREFETCH",
"supportedOsTypes": [
"WINDOWS_TYPES"
]
}
]