Get Results From a Live File Search
Note
To use the Live File Search, you can add the DFIR package to your instance of the Cybereason platform for an additional cost or request an Express IR environment (partners only). Contact your Customer Success representative to request access to this package or for details on how to submit the request, see How to Request a Cybereason Express IR Environment.
Endpoint URL: https://<your server>/rest/sensors/action/fileSearch/{batchID}
Endpoint URI: sensors/action/fileSearch/{batchID}
Action: GET
Returns the results for a specified file search batch.
This request is supported from versions 17.5 and higher.
Note
Before running this request, ensure that you have logged into the Cybereason platform. For details, see Log in with the API.
Request Headers
You must add a Content-Type:application/json header with the request.
Note
If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.
Request Body
None
Request Parameters
URL/URI parameters: You must provide the batchID parameter in the request URL. This value is found in the response of a successful file search operation request. For details on creating file search requests, see Perform a Live File Search Request.
Request Body Parameters: None
Response Status Codes
This request can return the following status codes:
200: Success OK
404: Content not found. The batch ID you entered in the URL is not correct or up to date.
Response Success Schema
The response contains two separate parts: a batchActionInfo object with details about the file search request, and a data object with the file search results.
batchActionInfo object

| Field | Type | Description |
|---|---|---|
| batchId | Integer | The unique ID for the search operation. |
| actionType | Enum | The request returns FileSearchStart. |
| filters | Array | A list of values for which you searched. |
| globalStats | Array | A list of details about the search. |
| finalState | Boolean | Lists whether the operation is finished. Note that this does not mean that the search was completed successfully, but that the operation is finished. |
| totalNumberOfProbes | Integer | The total number of sensors that returned results. |
| initiatorUser | String | The user name of the user performing the search. |
| startTime | Integer | The time that the search began, in epoch. |
| aborterUser | String | The Cybereason user name of the user aborting this search. |
| abortTime | Integer | The time that the search aborted, in epoch. |
| wasAborted | Boolean | Indicates whether the current operation was aborted or not. |
| answersNumber | Integer | The number of results returned so far. |
| machines | String | The machine or machines on which the search was performed. |
| yaraName | String | The YARA file name used for the search. |
data object

| Field | Type | Description |
|---|---|---|
| pylumid | String | The unique sensor ID for the machine on which a result was found. |
| machineName | String | The machine name for the machine on which a result was found. |
| machineGuid | String | The GUID for the machine on which a result was found. |
| path | String | The path to the file on the machine with the sensor. |
| fileName | String | The exact name of the file. |
| creationTime | Integer | The date and time of the file's creation, in epoch. |
| modificationTime | Integer | The date and time of the file's modification, in epoch. |
| size | Integer | The size of the file, in bytes. |
| matchedYaraRules | Array | A collection of all the YARA rules that were matched in this file search operation. |
Response Failure Schema
None
Important Response Fields
Important information is found in these fields:
filters object: the search criteria you specified in the initial search operation.
answersNumber parameter: the total number of results.
data object: all the details for files that match the search criteria, including sensor ID, machine name, file name and path.
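As an added example (not part of the Cybereason documentation), the following Python parses a GET fileSearch/{batchID} response into a summary a responder can act on: it surfaces finalState so you know whether to keep polling, compares answersNumber with the number of data rows actually returned, lists non-zero problem counters from globalStats.stats, and converts the epoch-millisecond timestamps. The sample response is constructed from the documented shape and keeps only a few of the stats counters; which counters count as problems is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the documented response shape; only a few of the
# globalStats.stats counters are kept so the block stays short.
SAMPLE_RESPONSE = json.dumps({
    "batchActionInfo": {
        "batchId": -1312043715, "actionType": "FileSearchStart",
        "filters": [{"fieldName": "paths", "values": ["c:\\"], "operator": "StartsWith"}],
        "globalStats": {"stats": {"Succeeded": 0, "Primed": 1, "InProgress": 0,
                                  "EndedWithTooManyResults": 1, "Failed": 0}},
        "finalState": False, "totalNumberOfProbes": 2, "answersNumber": 20,
        "machines": ["desktop-hd4d1lj"], "yaraName": None,
    },
    "data": [{
        "pylumid": "5e57b2dde4b06a3a515cc0eb:PYLUMCLIENT_DEMO_000C29AD4794",
        "machineName": "desktop-hd4d1lj",
        "path": "C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Quick",
        "fileName": "{F192A3F4-F10A-4A4C-8184-974C7F97AE6F}",
        "creationTime": 1586172011000, "modificationTime": 1586172011000,
        "size": 10698, "matchedYaraRules": None,
    }],
})

# Counter names (taken from the documented response) that mean a sensor did not
# finish its part of the search cleanly; treating exactly these as problems is an assumption.
PROBLEM_STATES = {"EndedWithTooManyResults", "EndedWithSensorTimeout", "Failed",
                  "Timeout", "EndedWithYaraCompileError", "EndedWithUnknownError"}

def summarize_file_search(raw):
    """Parse a GET fileSearch/{batchID} response body into a review-friendly summary."""
    body = json.loads(raw)
    info = body["batchActionInfo"]
    stats = info["globalStats"]["stats"]
    hits = [{
        "machine": row["machineName"],
        "file": row["path"].rstrip("\\") + "\\" + row["fileName"],
        "size": row["size"],
        # Timestamps are epoch milliseconds; render them as ISO 8601 UTC.
        "modified": datetime.fromtimestamp(row["modificationTime"] / 1000, tz=timezone.utc).isoformat(),
        "yara": row.get("matchedYaraRules") or [],
    } for row in body.get("data") or []]
    return {
        "batch_id": info["batchId"],
        "final": info["finalState"],        # False: the operation is still running, poll again
        "reported": info["answersNumber"],  # results the server has counted so far
        "returned": len(hits),              # rows actually present in data
        "problem_sensors": {k: v for k, v in stats.items() if k in PROBLEM_STATES and v},
        "hits": hits,
    }
```

When reported and returned differ, or problem_sensors is non-empty (EndedWithTooManyResults in the sample), treat the result set as partial and narrow the search rather than assuming coverage.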
Example: View previous search results
Request
```bash
curl --request GET \
  --url https://12.34.56.78/rest/sensors/action/fileSearch/-1312043715 \
  --header 'Content-Type:application/json'
```
Response
```json
{
  "batchActionInfo": {
    "batchId": -1312043715,
    "actionType": "FileSearchStart",
    "filters": [
      { "fieldName": "paths", "values": [ "c:\\" ], "operator": "StartsWith" }
    ],
    "globalStats": {
      "stats": {
        "Succeeded": 0, "BadArgument": 0, "Started": 0, "EndedWithYaraCompileError": 0,
        "MsiSendFail": 0, "UnauthorizedUser": 0, "Aborting": 0, "MsiFileCorrupted": 0,
        "NewerInstalled": 0, "Disconnected": 0, "GettingChunks": 0, "NotSupported": 0,
        "EndedWithSensorTimeout": 0, "EndedWithNoValidFolder": 0, "EndedWithUnknownError": 0,
        "AbortTimeout": 0, "EndedWithUnsupportedFilter": 0, "Pending": 0, "TimeoutSending": 0,
        "SendingMsi": 0, "InProgress": 0, "EndedWithTooManyResults": 1, "ProbeRemoved": 0,
        "EndedWithTooManySearches": 0, "SendingPlatform": 0, "Aborted": 0, "InvalidState": 0,
        "Primed": 1, "partialResponse": 0, "Timeout": 0, "None": 0, "UnknownProbe": 0,
        "FailedSending": 0, "ChunksRequired": 0, "EndedWithInvalidParam": 0, "Failed": 0,
        "FailedSendingToServer": 0, "AlreadyUpdated": 0
      }
    },
    "finalState": false,
    "totalNumberOfProbes": 2,
    "initiatorUser": "[email protected]",
    "startTime": 1587118163177,
    "aborterUser": null,
    "abortTime": 0,
    "wasAborted": false,
    "answersNumber": 20,
    "machines": [ "desktop-hd4d1lj" ],
    "yaraName": null
  },
  "data": [
    {
      "pylumid": "5e57b2dde4b06a3a515cc0eb:PYLUMCLIENT_DEMO_000C29AD4794",
      "machineName": "desktop-hd4d1lj",
      "machineGuid": "-955767537.1198775089551518743",
      "path": "C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Quick",
      "fileName": "{F192A3F4-F10A-4A4C-8184-974C7F97AE6F}",
      "creationTime": 1586172011000,
      "modificationTime": 1586172011000,
      "size": 10698,
      "matchedYaraRules": null
    }
  ]
}
```
Request (Python)

```python
import requests

url = "https://12.34.56.78/rest/sensors/action/fileSearch/-1312043715"
headers = {'Content-Type': 'application/json'}

# The session must already hold the authentication cookie obtained from the
# login request (see Log in with the API) before this GET is sent.
session = requests.session()
response = session.request("GET", url, headers=headers)
print(response.content)
```

Response

The response body is the same as in the cURL example above.