Perform a Live File Search Request
Note
To use the Live File Search, you can add the DFIR package to your instance of the Cybereason platform for an additional cost or request an Express IR environment (partners only). Contact your Customer Success representative to request access to this package. For details on how to submit the request, see How to Request a Cybereason Express IR Environment.
Endpoint URL: https://<your server>/rest/sensors/action/fileSearch
Endpoint URI: sensors/action/fileSearch
Action: POST
Performs a search request for a specific file on the file systems of machines in your organization that have sensors installed. You can search all directories on a specific machine, search specific folders, or use YARA rules to find a specific file.
This request returns a batch number for the File Search operation. Use this batch number in the File Search GET request to return the results for a specified file search. For details on that API request, see Get Results From a Live File Search. The Cybereason platform saves up to 50 previous file searches per user.
Note
Ensure that you have the file search capability enabled. If you need to enable this feature, contact Technical Support.
This request is supported for versions 17.5 and higher. Certain parameters are supported from version 19.0 and higher. These are noted accordingly in the tables with the parameter descriptions.
Note
Before running this request, ensure that you have logged into the Cybereason platform. For details, see Log in with the API.
Request Headers
You must add a Content-Type:application/json header with the request.
Note
If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.
Request Body
Input: JSON

```json
{
    "sensorsIds": ["<sensor ID>"],
    "filters": [
        {
            "fieldName": "<filter parameter>",
            "operator": "<operator>",
            "values": ["<value>"]
        }
    ],
    "fileFilters": [
        {
            "fieldName": "<field>",
            "values": [
                "<value1>",
                "<value2>"
            ],
            "operator": "<operator>"
        }
    ]
}
```
Request Parameters
URL/URI parameters: none
Request Body Parameters: The request body has multiple possible parameters:

- Sensor ID
- A sensor filters object, where you filter sensors by criteria such as operating system
- A fileFilters object, where you filter by machine name, folder, file creation or modification time, file size, or YARA rule string
- A YARA file name, which names a file containing the YARA rule syntax to use in the file search
Parameter details include:
sensorsIds: An array of string values, each the pylum ID for a Sensor. For details on retrieving this information, see Query Sensors.
filters object. Required parameters are noted in bold.

Field | Type | Description
---|---|---
actionsInProgress | Integer | The number of actions in progress (i.e. not resolved) on the machine.
collectionStatus | Enum | States whether the machine has data collection enabled. Valid values include:
cpuUsage | Float | The amount of CPU used by the machine (expressed as a percentage).
disconnectionTime | Timestamp | The time the machine was disconnected. This value returns NULL if the machine is currently connected. Timestamp values are returned in epoch.
externalIpAddress | String | The machine's external IP address.
firstSeenTime | Timestamp | The first time the machine was recognized. Timestamp values are returned in epoch.
fqdn | String | The fully qualified domain name (FQDN) of the machine.
guid | String | The globally unique sensor identifier.
internalIpAddress | String | The machine's internal IP address.
isIsolated | Boolean | Indicates whether the machine is isolated. Returns true if the machine is isolated.
isOutdated | Boolean | States whether the machine is out of date.
machineName | String | The name of the machine. Use the ContainsIgnoreCase operator with this parameter. The maximum number of machines you can add in this parameter is 500.
osType | Enum | The operating system running on the machine. Possible values include:
osVersionType | Enum | The version of the operating system on the machine. Possible values include:
preventionStatus | Enum | The Application Control mode for a Sensor. Possible values include:
ransomwareStatus | Enum | The Anti-Ransomware mode for a Sensor. Possible values include:
memoryUsage | Long | The machine's memory usage (expressed in bytes).
sensorID | String | The unique identifier for a Sensor.
serverID | String | The unique identifier for the Sensor's server.
serverName | String | The name of the server for the Sensor.
siteName | String | The name of the site for the Sensor.
siteID | Long | The identifier for the Sensor's site.
status | Enum | The online status of the machine on which the Sensor is located. Possible values include: Online, Offline
upTime | Long | The time the Sensor has been in the UP state.
version | String | The Sensor version.
fileFilters object. Required parameters are noted in bold.

If you use the yaraString parameter, you must specify the paths parameter AND add the appropriate ID for a Sensor in the sensorsIds parameter or the machineName parameter in the filters object.

Field | Type | Description
---|---|---
fieldName | String | The field by which to filter. Possible values include:
values | Array | The value of the fieldName parameter. If you select fileName for the fieldName parameter, enter any character, digit, or wildcard characters. If you enter multiple file names, add a comma between each file name.
operator | String | Use one of the following operators: Note that for some types of fields in the fieldName parameter, different operators are supported. See below for details.
fileName | String | The exact file name for which to search. Use any character, digit, or wildcard characters. If you enter multiple file names, add a comma between each file name. Use the ContainsIgnoreCase and NotContainsIgnoreCase operators for this field.
creationTime | Integer | The date and time of the file's creation, in epoch. Use one of the following operators with the creationTime field:
modificationTime | Integer | The date and time of the file's modification, in epoch. Use one of the following operators with the modificationTime field:
size | Integer and String | The numeric file size of the file. Use one of the following units for the file size: Use one of the following operators:
paths | String | The paths on which to search for a file. The path can contain a maximum of 500 characters. Use the StartsWith or NotStartsWith operator for this parameter.
yaraString | String | The YARA rule syntax to use in the search. Insert line break characters where necessary to ensure proper JSON syntax. You must use the operator Yara for this parameter.
yaraName: The name of the YARA file to use containing the YARA rules for the search. Ensure that you upload the YARA file to your Cybereason platform in the File Search screen in the UI. The Yara file size must be smaller than 500 MB.
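The rules above (at least one fileFilters entry, StartsWith or NotStartsWith for paths, the 500-character path limit, the 500-machine limit on machineName, and a yaraString search needing a paths filter plus a sensor ID or machine name) are easy to get wrong when a body is assembled by hand, and each mistake costs a round trip that ends in one of the 400 messages listed later on this page. The following added example, which is not Cybereason's code, builds the request body and checks those documented rules locally before anything is sent; the function names, the error class and the sample rule text are this example's own.

```python
"""Build and sanity-check a Live File Search request body before sending it.
Added example (not Cybereason's code); the checks mirror the limits and
error messages documented for POST /rest/sensors/action/fileSearch."""
import json

PATH_OPERATORS = {"StartsWith", "NotStartsWith"}   # only operators allowed for paths
YARA_OPERATOR = "Yara"                             # only operator allowed for yaraString
MAX_MACHINES = 500       # machineName limit from the filters table
MAX_PATH_CHARS = 500     # paths limit from the fileFilters table


class FileSearchRequestError(ValueError):
    """Raised when the body would be rejected with one of the documented 400 messages."""


def build_file_search_body(file_filters, sensor_ids=None, machine_names=None):
    """Return the dict to send as the request body.

    file_filters:  list of (fieldName, operator, values) tuples for fileFilters.
    sensor_ids:    optional list of pylum IDs, sent as sensorsIds.
    machine_names: optional list of machine names, sent as a machineName entry
                   in filters with the ContainsIgnoreCase operator, as required.
    """
    if not file_filters:
        raise FileSearchRequestError("No file filters provided")
    sensor_ids = list(sensor_ids or [])
    machine_names = list(machine_names or [])
    if len(machine_names) > MAX_MACHINES:
        raise FileSearchRequestError("Machines filter has exceeded its maximum length")

    body_filters = []
    for field, operator, values in file_filters:
        values = list(values)
        if field == "paths":
            if operator not in PATH_OPERATORS:
                raise FileSearchRequestError("Invalid path filter: use StartsWith or NotStartsWith")
            if any(len(p) > MAX_PATH_CHARS for p in values):
                raise FileSearchRequestError("Path filter has exceeded its max length")
        elif field == "yaraString":
            if operator != YARA_OPERATOR:
                raise FileSearchRequestError("yaraString must use the Yara operator")
            if not any(v.strip() for v in values):
                raise FileSearchRequestError("Yara file content is empty")
        body_filters.append({"fieldName": field, "operator": operator, "values": values})

    fields = {f["fieldName"] for f in body_filters}
    if "yaraString" in fields:
        # A YARA search must be scoped to paths and to sensors or machines.
        if "paths" not in fields:
            raise FileSearchRequestError("Yara filter must contain also a path filter")
        if not sensor_ids and not machine_names:
            raise FileSearchRequestError("Yara search needs sensorsIds or a machineName filter")

    body = {"sensorsIds": sensor_ids, "filters": [], "fileFilters": body_filters}
    if machine_names:
        body["filters"].append({"fieldName": "machineName",
                                "operator": "ContainsIgnoreCase",
                                "values": machine_names})
    return body


def file_search_json(**kwargs):
    """Serialised body, ready for the data= argument of the POST."""
    return json.dumps(build_file_search_body(**kwargs))


if __name__ == "__main__":
    # Reproduces the page's "specific machine and folder" example body.
    print(file_search_json(
        file_filters=[("fileName", "Equals", ["ShadowCopy.ps"]),
                      ("paths", "StartsWith", ["%userprofile%/Desktop/Malwares"])],
        machine_names=["demo-win7-64"]))
```

The fileName operator is deliberately not checked, because this page's own examples use Equals while the fileFilters table names ContainsIgnoreCase and NotContainsIgnoreCase; the server remains the authority for that field.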
Response Status Codes
This request can return the following status codes:

- 200: Success OK, or an error message saying why the request failed
- 400: Error with a matching message
Response Success Schema
The response can contain any of the following fields:

Field | Type | Description
---|---|---
batchID | Integer | The numeric identifier of the file search. Use this in the API to retrieve the data on file searches to get specific information about the files found. For details, see Get Results From a Live File Search.
actionType | Enum | The request returns FileSearchStart.
actionArguments | List | An object containing all filters used for this operation.
filters | Array | An object with each individual filter used.
machines | Array | A list of specific machines added in the file search request. If no specific machines are added in the request, this array is empty.
yaraName | String | The name of the YARA file specified in the request. If no YARA file is specified in the request, this field reports null.
fileSearchRequestConfiguration | Array | An object containing the details on the configuration used in the file search operation. These configurations are set for the Cybereason platform.
globalStats | Object | A list of details about the sensor operation. For details about this object, see globalStatsObject.
finalState | Boolean | Lists whether the operation is finished. Note that this does not mean that the search was completed successfully, only that the operation is finished.
totalNumberOfProbes | Integer | The total number of Sensors that returned results.
initiatorUser | String | The user name of the user performing the search.
startTime | Timestamp | The time that the search began, in epoch.
abortTimeout | Boolean | Indicates whether a particular search was aborted.
abortHttpStatusCode | Integer | The status code returned for an abort operation.
Response Failure Schema
A 400 error code with a message indicating one of the following:

- Invalid string parameter
- Invalid sensor filter name
- Invalid string parameter for {Yara File name}
- Failed to compile yara file
- Invalid path filter
- File search action was not created (usually because there were no matching machines)
- No file filters provided
- Machines filter has exceeded its maximum length
- Path filter has exceeded its max length
- Yara file content has exceeded its max length
- Yara filter must contain also a path filter
- Yara file content is empty
- Too many requests in progress
Important Response Fields
Important information is found in these fields:
batchID parameter: This value represents the operation identifier for the file search operation. You use this batch ID parameter in other requests to retrieve results for the file search filters.
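A script that starts a search normally needs three things from this response before it moves on to the GET request: the batchId, whether finalState is already set, and which sensor states in globalStats.stats actually hold sensors (in the example responses on this page every sensor sits in "None" right after the start call). The following added example, which is not Cybereason's code, does that and raises on the documented 400 case or on a 200 that carries no FileSearchStart batch. SAMPLE_RESPONSE is the page's "all sensors" example response, abbreviated to the non-zero stats; the function names and the error class are this example's own.

```python
"""Read the FileSearchStart response and pull out what the GET request needs.
Added example (not Cybereason's code). SAMPLE_RESPONSE is this page's
"all sensors" example response, abbreviated to the non-zero stats."""
import json

SAMPLE_RESPONSE = json.dumps({
    "batchId": -1312043715,
    "actionType": "FileSearchStart",
    "actionArguments": {
        "filters": [{"fieldName": "fileName", "values": ["ShadowCopy.ps"], "operator": "Equals"}],
        "maxAnswers": 20,
    },
    "globalStats": {"stats": {"None": 52, "InProgress": 0, "Succeeded": 0, "Failed": 0}},
    "finalState": False,
    "totalNumberOfProbes": 52,
    "initiatorUser": "[email protected]",
    "startTime": 1524400763922,
    "abortTimeout": False,
    "abortHttpStatusCode": None,
})


class FileSearchStartError(RuntimeError):
    """The POST did not yield a usable batch."""


def parse_file_search_start(status_code, body_text):
    """Return a summary dict for a successful FileSearchStart, or raise.

    The page documents 200 (possibly carrying an error message) and 400 with
    a message; any other status is treated as unexpected."""
    if status_code == 400:
        raise FileSearchStartError("file search rejected: " + body_text.strip())
    if status_code != 200:
        raise FileSearchStartError("unexpected HTTP status %d" % status_code)
    try:
        payload = json.loads(body_text)
    except ValueError:
        raise FileSearchStartError("200 without a JSON body: " + body_text.strip())
    if (not isinstance(payload, dict)
            or payload.get("actionType") != "FileSearchStart"
            or "batchId" not in payload):
        raise FileSearchStartError("200 but no FileSearchStart batch: " + body_text.strip())

    stats = payload.get("globalStats", {}).get("stats", {})
    # Keep only the sensor states that actually contain sensors.
    active_states = {state: n for state, n in stats.items() if n}
    return {
        "batch_id": payload["batchId"],            # needed by the GET results request
        "final_state": bool(payload.get("finalState")),
        "total_probes": payload.get("totalNumberOfProbes", 0),
        "active_states": active_states,
        "started_by": payload.get("initiatorUser"),
        "start_time_ms": payload.get("startTime"),
        "aborted": bool(payload.get("abortTimeout")),
    }


def summarize(status_code, body_text):
    """One-line summary suitable for an investigation log."""
    s = parse_file_search_start(status_code, body_text)
    states = ", ".join("%s=%d" % kv for kv in sorted(s["active_states"].items()))
    return "batch %d on %d sensors (%s) %s" % (
        s["batch_id"], s["total_probes"], states,
        "finished" if s["final_state"] else "still running")


if __name__ == "__main__":
    print(summarize(200, SAMPLE_RESPONSE))
```

Because finalState only says the operation ended, not that every sensor answered, the active_states map is the value worth logging alongside the batch ID: it is where states such as Disconnected or Timeout become visible once sensors report back.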
Example: Search for files on all sensors
Request (cURL)

```bash
curl --request POST \
  --url https://12.34.56.78/rest/sensors/action/fileSearch \
  --header 'Content-Type:application/json' \
  --data '{ "filters": [], "fileFilters": [ { "fieldName": "fileName", "values": ["ShadowCopy.ps"], "operator": "Equals" } ] }'
```
Response
{ "batchId": -1312043715, "actionType": "FileSearchStart", "actionArguments": { "@class": "com.cybereason.configuration.models.FileSearchParameters", "filters": [ { "fieldName": "fileName", "values": [ "ShadowCopy.ps" ], "operator": "Equals" } ], "maxAnswers": 20 }, "globalStats": { "stats": { "Pending": 0, "partialResponse": 0, "AbortTimeout": 0, "EndedWithSensorTimeout": 0, "UnauthorizedUser": 0, "FailedSendingToServer": 0, "GettingChunks": 0, "NewerInstalled": 0, "SendingMsi": 0, "None": 52, "MsiSendFail": 0, "EndedWithInvalidParam": 0, "Failed": 0, "InProgress": 0, "Disconnected": 0, "Aborted": 0, "FailedSending": 0, "MsiFileCorrupted": 0, "UnknownProbe": 0, "NotSupported": 0, "Primed": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "Started": 0, "EndedWithTooManySearches": 0, "TimeoutSending": 0, "InvalidState": 0, "Timeout": 0, "EndedWithUnknownError": 0, "AlreadyUpdated": 0, "EndedWithTooManyResults": 0, "Succeeded": 0 } }, "finalState": false, "totalNumberOfProbes": 52, "initiatorUser": "[email protected]", "startTime": 1524400763922, "aborterUser": null, "abortTime": 0, "abortTimeout": false, "abortHttpStatusCode": null }
Request (request body)

Use this request body:

```json
{
    "filters": [],
    "fileFilters": [
        {
            "fieldName": "fileName",
            "values": [
                "ShadowCopy.ps"
            ],
            "operator": "Equals"
        }
    ]
}
```
Response
{ "batchId": -1312043715, "actionType": "FileSearchStart", "actionArguments": { "@class": "com.cybereason.configuration.models.FileSearchParameters", "filters": [ { "fieldName": "fileName", "values": [ "ShadowCopy.ps" ], "operator": "Equals" } ], "maxAnswers": 20 }, "globalStats": { "stats": { "Pending": 0, "partialResponse": 0, "AbortTimeout": 0, "EndedWithSensorTimeout": 0, "UnauthorizedUser": 0, "FailedSendingToServer": 0, "GettingChunks": 0, "NewerInstalled": 0, "SendingMsi": 0, "None": 52, "MsiSendFail": 0, "EndedWithInvalidParam": 0, "Failed": 0, "InProgress": 0, "Disconnected": 0, "Aborted": 0, "FailedSending": 0, "MsiFileCorrupted": 0, "UnknownProbe": 0, "NotSupported": 0, "Primed": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "Started": 0, "EndedWithTooManySearches": 0, "TimeoutSending": 0, "InvalidState": 0, "Timeout": 0, "EndedWithUnknownError": 0, "AlreadyUpdated": 0, "EndedWithTooManyResults": 0, "Succeeded": 0 } }, "finalState": false, "totalNumberOfProbes": 52, "initiatorUser": "[email protected]", "startTime": 1524400763922, "aborterUser": null, "abortTime": 0, "abortTimeout": false, "abortHttpStatusCode": null }
Request (Python)

```python
import requests
import json

# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"

# Log in with a form post; the session keeps the authentication cookie
# and sends it with every later request.
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

# URL for the request
endpoint_url = "/rest/sensors/action/fileSearch"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
filter_1_field = "fileName"
filter_1_value = "ShadowCopy.ps"

# An empty filters array means the search runs on all sensors.
search = json.dumps({"filters": [], "fileFilters": [{"fieldName": filter_1_field, "values": [filter_1_value], "operator": "Equals"}]})
api_headers = {'Content-Type': 'application/json'}

api_response = session.request("POST", api_url, data=search, headers=api_headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
```
Response
{ "batchId": -1312043715, "actionType": "FileSearchStart", "actionArguments": { "@class": "com.cybereason.configuration.models.FileSearchParameters", "filters": [ { "fieldName": "fileName", "values": [ "ShadowCopy.ps" ], "operator": "Equals" } ], "maxAnswers": 20 }, "globalStats": { "stats": { "Pending": 0, "partialResponse": 0, "AbortTimeout": 0, "EndedWithSensorTimeout": 0, "UnauthorizedUser": 0, "FailedSendingToServer": 0, "GettingChunks": 0, "NewerInstalled": 0, "SendingMsi": 0, "None": 52, "MsiSendFail": 0, "EndedWithInvalidParam": 0, "Failed": 0, "InProgress": 0, "Disconnected": 0, "Aborted": 0, "FailedSending": 0, "MsiFileCorrupted": 0, "UnknownProbe": 0, "NotSupported": 0, "Primed": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "Started": 0, "EndedWithTooManySearches": 0, "TimeoutSending": 0, "InvalidState": 0, "Timeout": 0, "EndedWithUnknownError": 0, "AlreadyUpdated": 0, "EndedWithTooManyResults": 0, "Succeeded": 0 } }, "finalState": false, "totalNumberOfProbes": 52, "initiatorUser": "[email protected]", "startTime": 1524400763922, "aborterUser": null, "abortTime": 0, "abortTimeout": false, "abortHttpStatusCode": null }
Example: Search for files on specific sensors
Request (cURL)

```bash
curl --request POST \
  --url https://12.34.56.78/rest/sensors/action/fileSearch \
  --header 'Content-Type:application/json' \
  --data '{ "sensorsIds": ["5c78106ae4b04874028ee720:PYLUMCLIENT_CYBEREASON_DEMO-WIN7-64_0028F89F1ED7"], "fileFilters": [ { "fieldName": "fileName", "operator": "Equals", "values": [ "ShadowCopy.ps" ] } ] }'
```
Response
{ "batchId": 2008699419, "actionType": "FileSearchStart", "actionArguments": { "@class": "com.cybereason.configuration.models.filesearch.FileSearchParameters", "filters": [ { "fieldName": "fileName", "values": [ "ShadowCopy.ps" ], "operator": "Equals" } ], "machines": [], "yaraName": null, "fileSearchRequestConfiguration": { "maxResults": 20, "maxYaraTimeouts": 10, "timoutPerFileScan": 9, "diskRateBytesPerMilli": 5120, "maxReadBytesPerFile": 110100480, "maxDiskIOWindowMilli": 10000, "minThrottleAmountMilli": 5, "minFileReadPriceMilli": 1, "searchTimeoutDataScanSec": 200000, "searchTimeoutSec": 1200, "targetCpuPercentage": 20, "cpuTrackingWindowMilli": 1000, "maxConcurrentFileSearches": 10, "shouldUseNewAPI": true } }, "globalStats": { "stats": { "UnauthorizedUser": 0, "MsiSendFail": 0, "Pending": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "None": 1, "NotSupported": 0, "Aborting": 0, "NewerInstalled": 0, "Started": 0, "FailedSending": 0, "AbortTimeout": 0, "TimeoutSending": 0, "EndedWithInvalidParam": 0, "EndedWithYaraCompileError": 0, "EndedWithUnsupportedFilter": 0, "Failed": 0, "Succeeded": 0, "EndedWithTooManySearches": 0, "BadArgument": 0, "Disconnected": 0, "SendingMsi": 0, "EndedWithUnknownError": 0, "InProgress": 0, "GettingChunks": 0, "Aborted": 0, "EndedWithNoValidFolder": 0, "SendingPlatform": 0, "AlreadyUpdated": 0, "FailedSendingToServer": 0, "Primed": 0, "UnknownProbe": 0, "EndedWithTooManyResults": 0, "Timeout": 0, "MsiFileCorrupted": 0, "partialResponse": 0, "EndedWithSensorTimeout": 0, "InvalidState": 0 } }, "finalState": false, "totalNumberOfProbes": 1, "initiatorUser": "[email protected]", "startTime": 1553696624715, "aborterUser": null, "abortTime": 0, "abortTimeout": false, "abortHttpStatusCode": null }
Request (request body)

Use this request body:

```json
{
    "sensorsIds": [
        "5c78106ae4b04874028ee720:PYLUMCLIENT_CYBEREASON_DEMO-WIN7-64_0028F89F1ED7"
    ],
    "fileFilters": [
        {
            "fieldName": "fileName",
            "operator": "Equals",
            "values": [
                "ShadowCopy.ps"
            ]
        }
    ]
}
```
Response
{ "batchId": 2008699419, "actionType": "FileSearchStart", "actionArguments": { "@class": "com.cybereason.configuration.models.filesearch.FileSearchParameters", "filters": [ { "fieldName": "fileName", "values": [ "ShadowCopy.ps" ], "operator": "Equals" } ], "machines": [], "yaraName": null, "fileSearchRequestConfiguration": { "maxResults": 20, "maxYaraTimeouts": 10, "timoutPerFileScan": 9, "diskRateBytesPerMilli": 5120, "maxReadBytesPerFile": 110100480, "maxDiskIOWindowMilli": 10000, "minThrottleAmountMilli": 5, "minFileReadPriceMilli": 1, "searchTimeoutDataScanSec": 200000, "searchTimeoutSec": 1200, "targetCpuPercentage": 20, "cpuTrackingWindowMilli": 1000, "maxConcurrentFileSearches": 10, "shouldUseNewAPI": true } }, "globalStats": { "stats": { "UnauthorizedUser": 0, "MsiSendFail": 0, "Pending": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "None": 1, "NotSupported": 0, "Aborting": 0, "NewerInstalled": 0, "Started": 0, "FailedSending": 0, "AbortTimeout": 0, "TimeoutSending": 0, "EndedWithInvalidParam": 0, "EndedWithYaraCompileError": 0, "EndedWithUnsupportedFilter": 0, "Failed": 0, "Succeeded": 0, "EndedWithTooManySearches": 0, "BadArgument": 0, "Disconnected": 0, "SendingMsi": 0, "EndedWithUnknownError": 0, "InProgress": 0, "GettingChunks": 0, "Aborted": 0, "EndedWithNoValidFolder": 0, "SendingPlatform": 0, "AlreadyUpdated": 0, "FailedSendingToServer": 0, "Primed": 0, "UnknownProbe": 0, "EndedWithTooManyResults": 0, "Timeout": 0, "MsiFileCorrupted": 0, "partialResponse": 0, "EndedWithSensorTimeout": 0, "InvalidState": 0 } }, "finalState": false, "totalNumberOfProbes": 1, "initiatorUser": "[email protected]", "startTime": 1553696624715, "aborterUser": null, "abortTime": 0, "abortTimeout": false, "abortHttpStatusCode": null }
Request (Python)

```python
import requests
import json

# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"

# Log in with a form post; the session keeps the authentication cookie
# and sends it with every later request.
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

endpoint_url = "/rest/sensors/action/fileSearch"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
# The sensor is addressed by its pylum ID (see Query Sensors).
sensor_id = "5c78106ae4b04874028ee720:PYLUMCLIENT_CYBEREASON_DEMO-WIN7-64_0028F89F1ED7"
filter_1_field = "fileName"
filter_1_value = "ShadowCopy.ps"

search = json.dumps({"sensorsIds": [sensor_id], "fileFilters": [{"fieldName": filter_1_field, "operator": "Equals", "values": [filter_1_value]}]})
api_headers = {'Content-Type': 'application/json'}

api_response = session.request("POST", api_url, data=search, headers=api_headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
```
Response
{ "batchId": 2008699419, "actionType": "FileSearchStart", "actionArguments": { "@class": "com.cybereason.configuration.models.filesearch.FileSearchParameters", "filters": [ { "fieldName": "fileName", "values": [ "ShadowCopy.ps" ], "operator": "Equals" } ], "machines": [], "yaraName": null, "fileSearchRequestConfiguration": { "maxResults": 20, "maxYaraTimeouts": 10, "timoutPerFileScan": 9, "diskRateBytesPerMilli": 5120, "maxReadBytesPerFile": 110100480, "maxDiskIOWindowMilli": 10000, "minThrottleAmountMilli": 5, "minFileReadPriceMilli": 1, "searchTimeoutDataScanSec": 200000, "searchTimeoutSec": 1200, "targetCpuPercentage": 20, "cpuTrackingWindowMilli": 1000, "maxConcurrentFileSearches": 10, "shouldUseNewAPI": true } }, "globalStats": { "stats": { "UnauthorizedUser": 0, "MsiSendFail": 0, "Pending": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "None": 1, "NotSupported": 0, "Aborting": 0, "NewerInstalled": 0, "Started": 0, "FailedSending": 0, "AbortTimeout": 0, "TimeoutSending": 0, "EndedWithInvalidParam": 0, "EndedWithYaraCompileError": 0, "EndedWithUnsupportedFilter": 0, "Failed": 0, "Succeeded": 0, "EndedWithTooManySearches": 0, "BadArgument": 0, "Disconnected": 0, "SendingMsi": 0, "EndedWithUnknownError": 0, "InProgress": 0, "GettingChunks": 0, "Aborted": 0, "EndedWithNoValidFolder": 0, "SendingPlatform": 0, "AlreadyUpdated": 0, "FailedSendingToServer": 0, "Primed": 0, "UnknownProbe": 0, "EndedWithTooManyResults": 0, "Timeout": 0, "MsiFileCorrupted": 0, "partialResponse": 0, "EndedWithSensorTimeout": 0, "InvalidState": 0 } }, "finalState": false, "totalNumberOfProbes": 1, "initiatorUser": "[email protected]", "startTime": 1553696624715, "aborterUser": null, "abortTime": 0, "abortTimeout": false, "abortHttpStatusCode": null }
Example: Search for a specific file on a specific machine
Request (cURL)

```bash
curl --request POST \
  --url https://12.34.56.78/rest/sensors/action/fileSearch \
  --header 'Content-Type:application/json' \
  --data '{ "sensorsIds": [], "filters": [ { "fieldName": "machineName", "operator": "ContainsIgnoreCase", "values": [ "demo-win7-64" ] } ], "fileFilters": [ { "fieldName": "fileName", "operator": "Equals", "values": [ "ShadowCopy.ps" ] } ] }'
```
Response
{ "batchId": -1804504432, "actionType": "FileSearchStart", "actionArguments": { "@class": "com.cybereason.configuration.models.filesearch.FileSearchParameters", "filters": [ { "fieldName": "fileName", "values": [ "elizabeth" ], "operator": "Equals" } ], "machines": [ "demo-win7-64" ], "yaraName": null, "fileSearchRequestConfiguration": { "maxResults": 20, "maxYaraTimeouts": 10, "timoutPerFileScan": 9, "diskRateBytesPerMilli": 5120, "maxReadBytesPerFile": 110100480, "maxDiskIOWindowMilli": 10000, "minThrottleAmountMilli": 5, "minFileReadPriceMilli": 1, "searchTimeoutDataScanSec": 200000, "searchTimeoutSec": 1200, "targetCpuPercentage": 20, "cpuTrackingWindowMilli": 1000, "maxConcurrentFileSearches": 10, "shouldUseNewAPI": true } }, "globalStats": { "stats": { "UnauthorizedUser": 0, "MsiSendFail": 0, "Pending": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "None": 2, "NotSupported": 0, "Aborting": 0, "NewerInstalled": 0, "Started": 0, "FailedSending": 0, "AbortTimeout": 0, "TimeoutSending": 0, "EndedWithInvalidParam": 0, "EndedWithYaraCompileError": 0, "EndedWithUnsupportedFilter": 0, "Failed": 0, "Succeeded": 0, "EndedWithTooManySearches": 0, "BadArgument": 0, "Disconnected": 0, "SendingMsi": 0, "EndedWithUnknownError": 0, "InProgress": 0, "GettingChunks": 0, "Aborted": 0, "EndedWithNoValidFolder": 0, "SendingPlatform": 0, "AlreadyUpdated": 0, "FailedSendingToServer": 0, "Primed": 0, "UnknownProbe": 0, "EndedWithTooManyResults": 0, "Timeout": 0, "MsiFileCorrupted": 0, "partialResponse": 0, "EndedWithSensorTimeout": 0, "InvalidState": 0 } }, "finalState": false, "totalNumberOfProbes": 2, "initiatorUser": "[email protected]", "startTime": 1553703345312, "aborterUser": null, "abortTime": 0, "abortTimeout": false, "abortHttpStatusCode": null }
Request (request body)

Use this request body:

```json
{
    "sensorsIds": [],
    "filters": [
        {
            "fieldName": "machineName",
            "operator": "ContainsIgnoreCase",
            "values": [
                "demo-win7-64"
            ]
        }
    ],
    "fileFilters": [
        {
            "fieldName": "fileName",
            "operator": "Equals",
            "values": [
                "ShadowCopy.ps"
            ]
        }
    ]
}
```
Response
{ "batchId": -1804504432, "actionType": "FileSearchStart", "actionArguments": { "@class": "com.cybereason.configuration.models.filesearch.FileSearchParameters", "filters": [ { "fieldName": "fileName", "values": [ "elizabeth" ], "operator": "Equals" } ], "machines": [ "demo-win7-64" ], "yaraName": null, "fileSearchRequestConfiguration": { "maxResults": 20, "maxYaraTimeouts": 10, "timoutPerFileScan": 9, "diskRateBytesPerMilli": 5120, "maxReadBytesPerFile": 110100480, "maxDiskIOWindowMilli": 10000, "minThrottleAmountMilli": 5, "minFileReadPriceMilli": 1, "searchTimeoutDataScanSec": 200000, "searchTimeoutSec": 1200, "targetCpuPercentage": 20, "cpuTrackingWindowMilli": 1000, "maxConcurrentFileSearches": 10, "shouldUseNewAPI": true } }, "globalStats": { "stats": { "UnauthorizedUser": 0, "MsiSendFail": 0, "Pending": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "None": 2, "NotSupported": 0, "Aborting": 0, "NewerInstalled": 0, "Started": 0, "FailedSending": 0, "AbortTimeout": 0, "TimeoutSending": 0, "EndedWithInvalidParam": 0, "EndedWithYaraCompileError": 0, "EndedWithUnsupportedFilter": 0, "Failed": 0, "Succeeded": 0, "EndedWithTooManySearches": 0, "BadArgument": 0, "Disconnected": 0, "SendingMsi": 0, "EndedWithUnknownError": 0, "InProgress": 0, "GettingChunks": 0, "Aborted": 0, "EndedWithNoValidFolder": 0, "SendingPlatform": 0, "AlreadyUpdated": 0, "FailedSendingToServer": 0, "Primed": 0, "UnknownProbe": 0, "EndedWithTooManyResults": 0, "Timeout": 0, "MsiFileCorrupted": 0, "partialResponse": 0, "EndedWithSensorTimeout": 0, "InvalidState": 0 } }, "finalState": false, "totalNumberOfProbes": 2, "initiatorUser": "[email protected]", "startTime": 1553703345312, "aborterUser": null, "abortTime": 0, "abortTimeout": false, "abortHttpStatusCode": null }
Request (Python)

```python
import requests
import json

# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"

# Log in with a form post; the session keeps the authentication cookie
# and sends it with every later request.
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

# Request URL
endpoint_url = "/rest/sensors/action/fileSearch"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
# machineName goes in the sensor filters (with ContainsIgnoreCase);
# fileName goes in the file filters.
filter_1_field = "machineName"
filter_1_value = "demo-win7-64"
filter_2_field = "fileName"
filter_2_value = "ShadowCopy.ps"

search = json.dumps({"sensorsIds": [], "filters": [{"fieldName": filter_1_field, "operator": "ContainsIgnoreCase", "values": [filter_1_value]}], "fileFilters": [{"fieldName": filter_2_field, "operator": "Equals", "values": [filter_2_value]}]})
api_headers = {'Content-Type': 'application/json'}

api_response = session.request("POST", api_url, data=search, headers=api_headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
```
Response
{ "batchId": -1804504432, "actionType": "FileSearchStart", "actionArguments": { "@class": "com.cybereason.configuration.models.filesearch.FileSearchParameters", "filters": [ { "fieldName": "fileName", "values": [ "elizabeth" ], "operator": "Equals" } ], "machines": [ "demo-win7-64" ], "yaraName": null, "fileSearchRequestConfiguration": { "maxResults": 20, "maxYaraTimeouts": 10, "timoutPerFileScan": 9, "diskRateBytesPerMilli": 5120, "maxReadBytesPerFile": 110100480, "maxDiskIOWindowMilli": 10000, "minThrottleAmountMilli": 5, "minFileReadPriceMilli": 1, "searchTimeoutDataScanSec": 200000, "searchTimeoutSec": 1200, "targetCpuPercentage": 20, "cpuTrackingWindowMilli": 1000, "maxConcurrentFileSearches": 10, "shouldUseNewAPI": true } }, "globalStats": { "stats": { "UnauthorizedUser": 0, "MsiSendFail": 0, "Pending": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "None": 2, "NotSupported": 0, "Aborting": 0, "NewerInstalled": 0, "Started": 0, "FailedSending": 0, "AbortTimeout": 0, "TimeoutSending": 0, "EndedWithInvalidParam": 0, "EndedWithYaraCompileError": 0, "EndedWithUnsupportedFilter": 0, "Failed": 0, "Succeeded": 0, "EndedWithTooManySearches": 0, "BadArgument": 0, "Disconnected": 0, "SendingMsi": 0, "EndedWithUnknownError": 0, "InProgress": 0, "GettingChunks": 0, "Aborted": 0, "EndedWithNoValidFolder": 0, "SendingPlatform": 0, "AlreadyUpdated": 0, "FailedSendingToServer": 0, "Primed": 0, "UnknownProbe": 0, "EndedWithTooManyResults": 0, "Timeout": 0, "MsiFileCorrupted": 0, "partialResponse": 0, "EndedWithSensorTimeout": 0, "InvalidState": 0 } }, "finalState": false, "totalNumberOfProbes": 2, "initiatorUser": "[email protected]", "startTime": 1553703345312, "aborterUser": null, "abortTime": 0, "abortTimeout": false, "abortHttpStatusCode": null }
Example: Search for a specific file on a specific machine and folder
Request (cURL)

```bash
curl --request POST \
  --url https://12.34.56.78/rest/sensors/action/fileSearch \
  --header 'Content-Type:application/json' \
  --data '{ "sensorsIds": [], "filters": [ { "fieldName": "machineName", "operator": "ContainsIgnoreCase", "values": [ "demo-win7-64" ] } ], "fileFilters": [ { "fieldName": "fileName", "operator": "Equals", "values": [ "ShadowCopy.ps" ] }, { "fieldName": "paths", "operator": "StartsWith", "values": [ "%userprofile%/Desktop/Malwares" ] } ] }'
```
Response
{ "batchId": -1804504432, "actionType": "FileSearchStart", "actionArguments": { "@class": "com.cybereason.configuration.models.filesearch.FileSearchParameters", "filters": [ { "fieldName": "fileName", "values": [ "ShadowCopy.ps" ], "operator": "Equals" }, { "fieldName": "paths", "values": [ "%userprofile%/Desktop/Malwares" ], "operator": "StartsWith" } ], "machines": [ "demo-win7-64" ], "yaraName": null, "fileSearchRequestConfiguration": { "maxResults": 20, "maxYaraTimeouts": 10, "timoutPerFileScan": 9, "diskRateBytesPerMilli": 5120, "maxReadBytesPerFile": 110100480, "maxDiskIOWindowMilli": 10000, "minThrottleAmountMilli": 5, "minFileReadPriceMilli": 1, "searchTimeoutDataScanSec": 200000, "searchTimeoutSec": 1200, "targetCpuPercentage": 20, "cpuTrackingWindowMilli": 1000, "maxConcurrentFileSearches": 10, "shouldUseNewAPI": true } }, "globalStats": { "stats": { "UnauthorizedUser": 0, "MsiSendFail": 0, "Pending": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "None": 2, "NotSupported": 0, "Aborting": 0, "NewerInstalled": 0, "Started": 0, "FailedSending": 0, "AbortTimeout": 0, "TimeoutSending": 0, "EndedWithInvalidParam": 0, "EndedWithYaraCompileError": 0, "EndedWithUnsupportedFilter": 0, "Failed": 0, "Succeeded": 0, "EndedWithTooManySearches": 0, "BadArgument": 0, "Disconnected": 0, "SendingMsi": 0, "EndedWithUnknownError": 0, "InProgress": 0, "GettingChunks": 0, "Aborted": 0, "EndedWithNoValidFolder": 0, "SendingPlatform": 0, "AlreadyUpdated": 0, "FailedSendingToServer": 0, "Primed": 0, "UnknownProbe": 0, "EndedWithTooManyResults": 0, "Timeout": 0, "MsiFileCorrupted": 0, "partialResponse": 0, "EndedWithSensorTimeout": 0, "InvalidState": 0 } }, "finalState": false, "totalNumberOfProbes": 2, "initiatorUser": "[email protected]", "startTime": 1553703345312, "aborterUser": null, "abortTime": 0, "abortTimeout": false, "abortHttpStatusCode": null }
Request
Use this request body:
{
"sensorsIds": [],
"filters": [
{
"fieldName": "machineName",
"operator": "ContainsIgnoreCase",
"values": [
"demo-win7-64"
]
}
],
"fileFilters": [
{
"fieldName": "fileName",
"operator": "Equals",
"values": [
"ShadowCopy.ps"
]
},
{
"fieldName": "paths",
"operator": "StartsWith",
"values": [
"%userprofile%/Desktop/Malwares"
]
}
]
}
Response
Identical to the response shown for the cURL request above.
Request
import requests
import json

# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"
data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.Session()
# Log in with form-encoded credentials; the session keeps the auth cookie for the API call below.
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

# Request URL
endpoint_url = "/rest/sensors/action/fileSearch"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
filter_1_field = "machineName"
filter_1_value = "demo-win7-64"
filter_2_field = "fileName"
filter_2_value = "ShadowCopy.ps"
filter_3_field = "paths"
filter_3_value = "%userprofile%/Desktop/Malwares"
search = json.dumps({
    "sensorsIds": [],
    "filters": [
        {"fieldName": filter_1_field, "operator": "ContainsIgnoreCase", "values": [filter_1_value]}
    ],
    "fileFilters": [
        {"fieldName": filter_2_field, "operator": "Equals", "values": [filter_2_value]},
        {"fieldName": filter_3_field, "operator": "StartsWith", "values": [filter_3_value]}
    ]
})
api_headers = {'Content-Type': 'application/json'}
# The request body is the serialized search built above (the original script referenced an undefined 'query' variable here).
api_response = session.request("POST", api_url, data=search, headers=api_headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
Identical to the response shown for the cURL request above.
Example: Search for files on a specific machine and folder
Request
curl --request POST \
  --url https://12.34.56.78/rest/sensors/action/fileSearch \
  --header 'Content-Type:application/json' \
  --data '{
"filters": [
{
"fieldName": "machineName",
"operator": "ContainsIgnoreCase",
"values": [
"demo-win7-64"
]
}
],
"fileFilters": [
{
"fieldName": "fileName",
"values": [".doc"],
"operator": "Equals"
},
{
"fieldName": "paths",
"values": [
"%userprofile%/Desktop/Malwares"
],
"operator": "StartsWith"
}
]
}'
Response
{
"batchId": -1312043715,
"actionType": "FileSearchStart",
"actionArguments": {
"@class": "com.cybereason.configuration.models.FileSearchParameters",
"filters": [
{
"fieldName": "fileName",
"values": [
".doc"
],
"operator": "Equals"
}
],
"maxAnswers": 20
},
"globalStats": {
"stats": {
"Pending": 0,
"partialResponse": 0,
"AbortTimeout": 0,
"EndedWithSensorTimeout": 0,
"UnauthorizedUser": 0,
"FailedSendingToServer": 0,
"GettingChunks": 0,
"NewerInstalled": 0,
"SendingMsi": 0,
"None": 52,
"MsiSendFail": 0,
"EndedWithInvalidParam": 0,
"Failed": 0,
"InProgress": 0,
"Disconnected": 0,
"Aborted": 0,
"FailedSending": 0,
"MsiFileCorrupted": 0,
"UnknownProbe": 0,
"NotSupported": 0,
"Primed": 0,
"ChunksRequired": 0,
"ProbeRemoved": 0,
"Started": 0,
"EndedWithTooManySearches": 0,
"TimeoutSending": 0,
"InvalidState": 0,
"Timeout": 0,
"EndedWithUnknownError": 0,
"AlreadyUpdated": 0,
"EndedWithTooManyResults": 0,
"Succeeded": 0
}
},
"finalState": false,
"totalNumberOfProbes": 52,
"initiatorUser": "[email protected]",
"startTime": 1524400763922,
"aborterUser": null,
"abortTime": 0,
"abortTimeout": false,
"abortHttpStatusCode": null
}
Request
Use this request body:
{
"filters": [
{
"fieldName": "machineName",
"operator": "ContainsIgnoreCase",
"values": [
"demo-win7-64"
]
}
],
"fileFilters": [
{
"fieldName": "fileName",
"values": [".doc"],
"operator": "Equals"
},
{
"fieldName": "paths",
"values": [
"%userprofile%/Desktop/Malwares"
],
"operator": "StartsWith"
}
]
}
Response
Identical to the response shown for the cURL request above.
Request
import requests
import json

# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"
data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.Session()
# Log in with form-encoded credentials; the session keeps the auth cookie for the API call below.
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

# Request URL
endpoint_url = "/rest/sensors/action/fileSearch"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
filter_1_field = "machineName"
filter_1_value = "demo-win7-64"
filter_2_field = "fileName"
filter_2_value = ".doc"
filter_3_field = "paths"
filter_3_value = "%userprofile%/Desktop/Malwares"
search = json.dumps({
    "filters": [
        {"fieldName": filter_1_field, "operator": "ContainsIgnoreCase", "values": [filter_1_value]}
    ],
    "fileFilters": [
        {"fieldName": filter_2_field, "values": [filter_2_value], "operator": "Equals"},
        {"fieldName": filter_3_field, "values": [filter_3_value], "operator": "StartsWith"}
    ]
})
api_headers = {'Content-Type': 'application/json'}
api_response = session.request("POST", api_url, data=search, headers=api_headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
Identical to the response shown for the cURL request above.
Example: Search for files using YARA rules
Request
curl --request POST \
  --url https://12.34.56.78/rest/sensors/action/fileSearch \
  --header 'Content-Type:application/json' \
  --data '{
"sensorsIds": [],
"fileFilters": [
{
"fieldName": "fileName",
"values": [
"elizabeth"
],
"operator": "Equals"
},
{
"fieldName": "yaraString",
"values": [
"rule UPX_Detection_Generic\n{\n\tstrings:\n\t\t$a = \"UPX0\"\n\t\t$b = \"UPX1\"\n\t\n\tcondition:\n\t\t$a and $b\n}\n"
],
"operator": "Equals"
}
]
}'
Response
{
"batchId": 2008699419,
"actionType": "FileSearchStart",
"actionArguments": {
"@class": "com.cybereason.configuration.models.filesearch.FileSearchParameters",
"filters": [
{
"fieldName": "fileName",
"values": [
"elizabeth"
],
"operator": "Equals"
},
{
"fieldName": "paths",
"values": [
"%userprofile%/Desktop/Malwares"
],
"operator": "StartsWith"
},
{
"fieldName": "yaraString",
"values": [
"rule UPX_Detection_Generic{strings:\n\t\t$a = \"UPX0\"\n\t\t$b = \"UPX1\"\n\t\n\tcondition:\n\t\t$a and $b\n}\n"
],
"operator": "Yara"
}
],
"machines": [],
"yaraName": null,
"fileSearchRequestConfiguration": {
"maxResults": 20,
"maxYaraTimeouts": 10,
"timoutPerFileScan": 9,
"diskRateBytesPerMilli": 5120,
"maxReadBytesPerFile": 110100480,
"maxDiskIOWindowMilli": 10000,
"minThrottleAmountMilli": 5,
"minFileReadPriceMilli": 1,
"searchTimeoutDataScanSec": 200000,
"searchTimeoutSec": 1200,
"targetCpuPercentage": 20,
"cpuTrackingWindowMilli": 1000,
"maxConcurrentFileSearches": 10,
"shouldUseNewAPI": true
}
},
"globalStats": {
"stats": {
"UnauthorizedUser": 0,
"MsiSendFail": 0,
"Pending": 0,
"ChunksRequired": 0,
"ProbeRemoved": 0,
"None": 1,
"NotSupported": 0,
"Aborting": 0,
"NewerInstalled": 0,
"Started": 0,
"FailedSending": 0,
"AbortTimeout": 0,
"TimeoutSending": 0,
"EndedWithInvalidParam": 0,
"EndedWithYaraCompileError": 0,
"EndedWithUnsupportedFilter": 0,
"Failed": 0,
"Succeeded": 0,
"EndedWithTooManySearches": 0,
"BadArgument": 0,
"Disconnected": 0,
"SendingMsi": 0,
"EndedWithUnknownError": 0,
"InProgress": 0,
"GettingChunks": 0,
"Aborted": 0,
"EndedWithNoValidFolder": 0,
"SendingPlatform": 0,
"AlreadyUpdated": 0,
"FailedSendingToServer": 0,
"Primed": 0,
"UnknownProbe": 0,
"EndedWithTooManyResults": 0,
"Timeout": 0,
"MsiFileCorrupted": 0,
"partialResponse": 0,
"EndedWithSensorTimeout": 0,
"InvalidState": 0
}
},
"finalState": false,
"totalNumberOfProbes": 1,
"initiatorUser": "[email protected]",
"startTime": 1553696624715,
"aborterUser": null,
"abortTime": 0,
"abortTimeout": false,
"abortHttpStatusCode": null
}
Request
Use this request body:
{
"sensorsIds": [],
"fileFilters": [
{
"fieldName": "fileName",
"values": [
"elizabeth"
],
"operator": "Equals"
},
{
"fieldName": "yaraString",
"values": [
"rule UPX_Detection_Generic\n{\n\tstrings:\n\t\t$a = \"UPX0\"\n\t\t$b = \"UPX1\"\n\t\n\tcondition:\n\t\t$a and $b\n}\n"
],
"operator": "Equals"
}
]
}
Response
Identical to the response shown for the cURL request above.
Request
import requests
import json

# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"
data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.Session()
# Log in with form-encoded credentials; the session keeps the auth cookie for the API call below.
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

# Request URL
endpoint_url = "/rest/sensors/action/fileSearch"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
filter_1_field = "fileName"
filter_1_value = "elizabeth"
filter_2_field = "yaraString"
# The YARA rule is passed as one string; json.dumps escapes its newlines and tabs for the request body.
filter_2_value = "rule UPX_Detection_Generic\n{\n\tstrings:\n\t\t$a = \"UPX0\"\n\t\t$b = \"UPX1\"\n\t\n\tcondition:\n\t\t$a and $b\n}\n"
search = json.dumps({
    "sensorsIds": [],
    "fileFilters": [
        {"fieldName": filter_1_field, "values": [filter_1_value], "operator": "Equals"},
        {"fieldName": filter_2_field, "values": [filter_2_value], "operator": "Equals"}
    ]
})
api_headers = {'Content-Type': 'application/json'}
api_response = session.request("POST", api_url, data=search, headers=api_headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
{
"batchId": 2008699419,
"actionType": "FileSearchStart",
"actionArguments": {
"@class": "com.cybereason.configuration.models.filesearch.FileSearchParameters",
"filters": [
{
"fieldName": "fileName",
"values": [
"elizabeth"
],
"operator": "Equals"
},
{
"fieldName": "paths",
"values": [
"%userprofile%/Desktop/Malwares"
],
"operator": "StartsWith"
},
{
"fieldName": "yaraString",
"values": [
"rule UPX_Detection_Generic{strings:\n\t\t$a = \"UPX0\"\n\t\t$b = \"UPX1\"\n\t\n\tcondition:\n\t\t$a and $b\n}\n"
],
"operator": "Yara"
}
],
"machines": [],
"yaraName": null,
"fileSearchRequestConfiguration": {
"maxResults": 20,
"maxYaraTimeouts": 10,
"timoutPerFileScan": 9,
"diskRateBytesPerMilli": 5120,
"maxReadBytesPerFile": 110100480,
"maxDiskIOWindowMilli": 10000,
"minThrottleAmountMilli": 5,
"minFileReadPriceMilli": 1,
"searchTimeoutDataScanSec": 200000,
"searchTimeoutSec": 1200,
"targetCpuPercentage": 20,
"cpuTrackingWindowMilli": 1000,
"maxConcurrentFileSearches": 10,
"shouldUseNewAPI": true
}
},
"globalStats": {
"stats": {
"UnauthorizedUser": 0,
"MsiSendFail": 0,
"Pending": 0,
"ChunksRequired": 0,
"ProbeRemoved": 0,
"None": 1,
"NotSupported": 0,
"Aborting": 0,
"NewerInstalled": 0,
"Started": 0,
"FailedSending": 0,
"AbortTimeout": 0,
"TimeoutSending": 0,
"EndedWithInvalidParam": 0,
"EndedWithYaraCompileError": 0,
"EndedWithUnsupportedFilter": 0,
"Failed": 0,
"Succeeded": 0,
"EndedWithTooManySearches": 0,
"BadArgument": 0,
"Disconnected": 0,
"SendingMsi": 0,
"EndedWithUnknownError": 0,
"InProgress": 0,
"GettingChunks": 0,
"Aborted": 0,
"EndedWithNoValidFolder": 0,
"SendingPlatform": 0,
"AlreadyUpdated": 0,
"FailedSendingToServer": 0,
"Primed": 0,
"UnknownProbe": 0,
"EndedWithTooManyResults": 0,
"Timeout": 0,
"MsiFileCorrupted": 0,
"partialResponse": 0,
"EndedWithSensorTimeout": 0,
"InvalidState": 0
}
},
"finalState": false,
"totalNumberOfProbes": 1,
"initiatorUser": "[email protected]",
"startTime": 1553696624715,
"aborterUser": null,
"abortTime": 0,
"abortTimeout": false,
"abortHttpStatusCode": null
}
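The three examples above each hand-build the request body with json.dumps and print the raw response. As an added example that is not Cybereason's code or one of the page's scripts, the following Python factors that into a builder for the body (file name or extension, path prefix, YARA rule text, optional machineName scope), a serializer that produces the escaped form seen in the --data strings above, and a triage step that reads batchId, totalNumberOfProbes and the per-state sensor counts from the FileSearchStart response before you poll with the batch number. The helper names, the PROBLEM_STATES set (which stats keys count as a failed start) and the two sample responses are assumptions constructed for this example; the stats key names themselves are the ones visible in the responses on this page.

```python
import json

# Assumption (not from Cybereason's docs): globalStats.stats keys whose
# non-zero count means the search did not start or run cleanly on a sensor.
# The key names are the ones that appear in this page's responses.
PROBLEM_STATES = frozenset({
    "UnauthorizedUser", "NotSupported", "FailedSending", "TimeoutSending",
    "EndedWithInvalidParam", "EndedWithYaraCompileError",
    "EndedWithUnsupportedFilter", "Failed", "EndedWithTooManySearches",
    "BadArgument", "Disconnected", "EndedWithUnknownError",
    "EndedWithNoValidFolder", "FailedSendingToServer", "UnknownProbe",
    "EndedWithTooManyResults", "Timeout", "EndedWithSensorTimeout",
    "InvalidState",
})

# The YARA rule from this page's third example, as it would sit in a .yar file.
UPX_RULE = (
    "rule UPX_Detection_Generic\n{\n\tstrings:\n\t\t$a = \"UPX0\"\n"
    "\t\t$b = \"UPX1\"\n\t\n\tcondition:\n\t\t$a and $b\n}\n"
)


def build_file_search(file_name=None, path_prefix=None, yara_rule=None,
                      machine_name=None, sensor_ids=()):
    """Build the POST body for sensors/action/fileSearch.

    Covers the cases shown on this page: a file name or extension match, a
    path prefix, and a YARA rule, optionally scoped to one machine name.
    """
    if not any((file_name, path_prefix, yara_rule)):
        raise ValueError("at least one fileFilters entry is required")
    body = {"sensorsIds": list(sensor_ids)}
    if machine_name:
        body["filters"] = [{"fieldName": "machineName",
                            "operator": "ContainsIgnoreCase",
                            "values": [machine_name]}]
    file_filters = []
    if file_name:
        file_filters.append({"fieldName": "fileName", "operator": "Equals",
                             "values": [file_name]})
    if path_prefix:
        file_filters.append({"fieldName": "paths", "operator": "StartsWith",
                             "values": [path_prefix]})
    if yara_rule:
        # A rule with no condition section cannot compile on the sensor;
        # reject it here instead of learning that from EndedWithYaraCompileError.
        if "condition:" not in yara_rule:
            raise ValueError("YARA rule text has no condition section")
        file_filters.append({"fieldName": "yaraString", "operator": "Equals",
                             "values": [yara_rule]})
    body["fileFilters"] = file_filters
    return body


def to_json(body):
    """Serialize the body; json.dumps turns the newlines and tabs inside a
    YARA rule into the \\n and \\t escapes seen in the page's --data strings."""
    return json.dumps(body)


def from_json(text):
    """Parse a request or response JSON document."""
    return json.loads(text)


def triage_start_response(response):
    """Summarize a FileSearchStart response before polling for results.

    Returns the batchId to poll with, how many sensors were addressed,
    whether the batch is already final, and every problem state with a
    non-zero sensor count.
    """
    stats = response.get("globalStats", {}).get("stats", {})
    problems = {k: v for k, v in stats.items() if k in PROBLEM_STATES and v}
    return {
        "batch_id": response["batchId"],
        "probes": response.get("totalNumberOfProbes", 0),
        "final": response.get("finalState", False),
        "problems": problems,
    }


# Constructed sample responses trimmed to the fields triage reads: the first
# mirrors the YARA example on this page, the second is a hypothetical batch
# in which the rule failed to compile on the only sensor addressed.
SAMPLE_OK_RESPONSE = {
    "batchId": 2008699419, "actionType": "FileSearchStart",
    "globalStats": {"stats": {"None": 1, "EndedWithYaraCompileError": 0,
                              "Succeeded": 0}},
    "finalState": False, "totalNumberOfProbes": 1,
}
SAMPLE_FAILED_RESPONSE = {
    "batchId": -1,  # placeholder batch id, not a value from the page
    "actionType": "FileSearchStart",
    "globalStats": {"stats": {"None": 0, "EndedWithYaraCompileError": 1}},
    "finalState": True, "totalNumberOfProbes": 1,
}

if __name__ == "__main__":
    body = build_file_search(file_name="elizabeth", yara_rule=UPX_RULE)
    print(to_json(body))
    print(triage_start_response(SAMPLE_FAILED_RESPONSE))
```

In the scripts above, `session.post(api_url, data=to_json(body), headers=api_headers)` replaces the hand-written json.dumps call, and `triage_start_response(api_response.json())` tells you whether the batch number is worth polling: a non-empty `problems` map on a batch that is already `finalState: true` means the search never ran on those sensors, and the result GET will not change that.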