Return Live File Search Request Details

Note

To use the Live File Search, you can add the DFIR package to your instance of the Cybereason platform for an additional cost or request an Express IR environment (partners only). Contact your Customer Success representative to request access to this package or for details on how to submit the request, see How to Request a Cybereason Express IR Environment.

Endpoint URL: https://<your server>/rest/sensors/action/fileSearchRequests
Endpoint URI: sensors/action/fileSearchRequests

Action: GET

Returns a list of all file search requests for the current user. This request is supported from versions 17.5 and higher.

This operation returns your recent searches, not the searches of all users. To return details on searches for all users, see Return Live File Search Requests for All Users.

Note

Before running this request, ensure that you have logged into the Cybereason platform. For details, see Log in with the API.


Request Headers

You must add an Content-Type:application/json header with the request.

Note

If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.


Request Body

None


Request Parameters

URL/URI parameters: none

Request Body Parameters: none


Response Status Codes

This request can return the following status codes:

  • 200: Success OK


Response Success Schema

The response is a list of the following objects which contains the following fields:

Field

Type

Description

batchID

Integer

The numeric identifier of the file search. Use this in the API to retrieve the data on file searches to get specific information about the files found. For details, see Get Results From a Live File Search.

actionType

Enum

The request returns FileSearchStart.

filters

Array

The data included in the filters and fileFilters object in the request.

machines

String

The machine or machines on which the search was performed.

yaraName

String

The YARA file used for the search.

globalStats

Array

A list of details about the search.

finalState

Boolean

Lists whether the operation is finished. Note that this does not mean that the search was completed successfully, but that the operation is finished.

totalNumberOfProbes

Integer

The total number of Sensors that returned results.

initiatorUser

String

The user name of the user performing the search.

startTime

Integer

The time that the search began, in epoch.

aborterUser

String

The Cybereason user name of the user that aborted this search.

abortTime

Integer

The time (in epoch) when the user aborted the search.

wasAborted

Boolean

Indicates whether a particular search was aborted.

answersNumber

Integer

The number of results found.


Response Failure Schema

None


Important Response Fields

Important information is found in these fields:

  • batchID parameter: The operation identifier for the file search operation. You use this batch ID parameter in other requests to retrieve results for the file search filters.

  • filters object: This object contains the details for the criteria used in the file search.

  • fieldName parameter: This is the field on which you are searching for a file.

  • values parameter: This is the value for which you searched.


Example: Find a list of recent searches

Request

curl --request GET \
    --url https://12.34.56.78/rest/sensors/action/fileSearchRequests \
    --header 'Content-Type:application/json' \

Response

[
    {
        "batchId": 1135967280,
        "actionType": "FileSearchStart",
        "filters": [
            {
                "fieldName": "fileName",
                "values": [
                    "exe"
                ],
                "operator": "Equals"
            }
        ],
        "globalStats": {
            "stats": {
                "Pending": 0,
                "partialResponse": 0,
                "AbortTimeout": 1,
                "EndedWithSensorTimeout": 0,
                "UnauthorizedUser": 0,
                "FailedSendingToServer": 0,
                "GettingChunks": 0,
                "NewerInstalled": 0,
                "SendingMsi": 0,
                "None": 0,
                "MsiSendFail": 0,
                "EndedWithInvalidParam": 0,
                "Failed": 0,
                "InProgress": 0,
                "Disconnected": 0,
                "Aborted": 43,
                "FailedSending": 0,
                "MsiFileCorrupted": 0,
                "UnknownProbe": 0,
                "NotSupported": 0,
                "Primed": 0,
                "ChunksRequired": 0,
                "ProbeRemoved": 0,
                "Started": 0,
                "EndedWithTooManySearches": 0,
                "TimeoutSending": 0,
                "InvalidState": 0,
                "Timeout": 0,
                "EndedWithUnknownError": 0,
                "AlreadyUpdated": 0,
                "EndedWithTooManyResults": 0,
                "Succeeded": 8
            }
        },
        "finalState": true,
        "totalNumberOfProbes": 52,
        "initiatorUser": "[email protected]",
        "startTime": 1524038245429,
        "aborterUser": "[email protected]",
        "abortTime": 1524038250306,
        "wasAborted": false,
        "answersNumber": 0
    },
    {
        "batchId": -1550659616,
        "actionType": "FileSearchStart",
        "filters": [
            {
                "fieldName": "fileName",
                "values": [
                    ".doc"
                ],
                "operator": "Equals"
            }
        ],
        "globalStats": {
            "stats": {
                "Pending": 0,
                "partialResponse": 0,
                "AbortTimeout": 0,
                "EndedWithSensorTimeout": 0,
                "UnauthorizedUser": 0,
                "FailedSendingToServer": 0,
                "GettingChunks": 0,
                "NewerInstalled": 0,
                "SendingMsi": 0,
                "None": 0,
                "MsiSendFail": 0,
                "EndedWithInvalidParam": 0,
                "Failed": 0,
                "InProgress": 0,
                "Disconnected": 0,
                "Aborted": 43,
                "FailedSending": 0,
                "MsiFileCorrupted": 0,
                "UnknownProbe": 0,
                "NotSupported": 0,
                "Primed": 0,
                "ChunksRequired": 0,
                "ProbeRemoved": 0,
                "Started": 0,
                "EndedWithTooManySearches": 0,
                "TimeoutSending": 0,
                "InvalidState": 0,
                "Timeout": 0,
                "EndedWithUnknownError": 0,
                "AlreadyUpdated": 0,
                "EndedWithTooManyResults": 1,
                "Succeeded": 8
            }
        },
        "finalState": true,
        "totalNumberOfProbes": 52,
        "initiatorUser": "[email protected]",
        "startTime": 1524399273929,
        "aborterUser": "[email protected]",
        "abortTime": 1524399283763,
        "wasAborted": false,
        "answersNumber": 62
    }
]