Return Live File Search Requests for All Users
Note
To use the Live File Search, you can add the DFIR package to your instance of the Cybereason platform for an additional cost, or request an Express IR environment (partners only). Contact your Customer Success representative to request access to this package. For details on how to submit the request, see How to Request a Cybereason Express IR Environment.
Endpoint URL: https://<your server>/rest/sensors/actions/fileSearchRequestsAll
Endpoint URI: sensors/actions/fileSearchRequestsAll
Action: GET
Returns a list of all file search requests for all users. This request is supported from versions 17.5 and higher.
This operation returns file search request details for all users. To return details on searches for your user only, see Return Live File Search Request Details.
Note
Before running this request, ensure that you have logged into the Cybereason platform. For details, see Log in with the API.
Request Headers
You must add a Content-Type:application/json header with the request.
Note
If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.
Request Body
None
Request Parameters
URL/URI parameters: none
Request Body Parameters: none
Response Status Codes
This request can return the following status codes:
200: Success OK
Response Success Schema
The response contains the following fields:
Field | Type | Description
---|---|---
batchID | Integer | The numeric identifier of the file search. Use this ID in the Get Results From a Live File Search request to retrieve specific information about the files found. For details, see Get Results From a Live File Search.
actionType | Enum | The request returns FileSearchStart.
filters | Array | The data included in the filters and fileFilters objects in the request.
machines | String | The machine or machines on which the search was performed.
yaraName | String | The YARA file used for the search.
globalStats | Array | A list of details about the search.
finalState | Boolean | Indicates whether the operation is finished. Note that this does not mean the search completed successfully, only that the operation has ended.
totalNumberOfProbes | Integer | The total number of Sensors that returned results.
initiatorUser | String | The user name of the user performing the search.
startTime | Integer | The time that the search began, in epoch.
aborterUser | String | The Cybereason user name of the user that aborted this search.
abortTime | Integer | The time (in epoch) when the user aborted the search.
wasAborted | Boolean | Indicates whether a particular search was aborted.
answersNumber | Integer | The number of results found.
Response Failure Schema
None
Important Response Fields
Important information is found in these fields:
batchID parameter: The operation identifier for the file search operation. Use this batch ID in other requests to retrieve the results matched by the file search filters.
filters object: The details for the criteria used in the file search.
fieldName parameter: The field on which you are searching for a file.
values parameter: The value for which you searched.
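As an added example (not part of the Cybereason documentation), the following Python reduces a fileSearchRequestsAll response to an audit view of who searched for what and how many Sensors actually completed each search; the two records in SAMPLE_RESPONSE are constructed here and trimmed to the fields the summary reads.

```python
import json
from datetime import datetime, timezone

# Constructed sample of two fileSearchRequestsAll records (not a real response).
SAMPLE_RESPONSE = json.dumps([
    {"batchId": 1135967280, "actionType": "FileSearchStart",
     "filters": [{"fieldName": "fileName", "values": ["exe"], "operator": "Equals"}],
     "globalStats": {"stats": {"Succeeded": 8, "Aborted": 43, "AbortTimeout": 1}},
     "finalState": True, "totalNumberOfProbes": 52, "initiatorUser": "analyst@example.com",
     "startTime": 1524038245429, "wasAborted": False, "answersNumber": 0},
    {"batchId": -1550659616, "actionType": "FileSearchStart",
     "filters": [{"fieldName": "fileName", "values": [".doc"], "operator": "Equals"}],
     "globalStats": {"stats": {"Succeeded": 8, "Aborted": 43, "EndedWithTooManyResults": 1}},
     "finalState": True, "totalNumberOfProbes": 52, "initiatorUser": "analyst@example.com",
     "startTime": 1524399273929, "wasAborted": False, "answersNumber": 62},
])

def epoch_ms_to_iso(ms):
    """startTime/abortTime are epoch milliseconds; render them as UTC ISO-8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def describe_filters(filters):
    """Flatten the filters array into text such as 'fileName Equals exe'."""
    return "; ".join(f"{flt['fieldName']} {flt['operator']} {','.join(flt['values'])}"
                     for flt in filters)

def summarize_search(record):
    """Reduce one record to what an auditor checks: who searched for what, and how
    many Sensors really completed it. finalState only says the operation ended, so
    the per-Sensor stats are what separate a complete search from an ended one."""
    stats = record.get("globalStats", {}).get("stats", {})
    total = record.get("totalNumberOfProbes", 0)
    succeeded = stats.get("Succeeded", 0)
    return {
        "batchId": record["batchId"],
        "initiator": record.get("initiatorUser"),
        "criteria": describe_filters(record.get("filters", [])),
        "started": epoch_ms_to_iso(record["startTime"]),
        "hits": record.get("answersNumber", 0),
        "sensors_total": total,
        "sensors_succeeded": succeeded,
        "sensors_not_succeeded": total - succeeded,
        # Complete only when every Sensor that responded actually succeeded.
        "fully_successful": bool(record.get("finalState")) and total > 0 and succeeded == total,
    }

def audit_file_searches(raw_json):
    """Parse the endpoint's JSON body and summarise every search in it."""
    return [summarize_search(r) for r in json.loads(raw_json)]
```

Both sample searches report finalState true and wasAborted false, yet only 8 of 52 Sensors succeeded; the summary makes that gap visible where the raw flags do not.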
Example: Find a list of recent searches for all users
Request
curl --request GET \
  --url https://12.34.56.78/rest/sensors/actions/fileSearchRequestsAll \
  --header 'Content-Type:application/json'
Response
[
    {
        "batchId": 1135967280,
        "actionType": "FileSearchStart",
        "filters": [
            {
                "fieldName": "fileName",
                "values": [ "exe" ],
                "operator": "Equals"
            }
        ],
        "globalStats": {
            "stats": {
                "Pending": 0, "partialResponse": 0, "AbortTimeout": 1, "EndedWithSensorTimeout": 0,
                "UnauthorizedUser": 0, "FailedSendingToServer": 0, "GettingChunks": 0, "NewerInstalled": 0,
                "SendingMsi": 0, "None": 0, "MsiSendFail": 0, "EndedWithInvalidParam": 0,
                "Failed": 0, "InProgress": 0, "Disconnected": 0, "Aborted": 43,
                "FailedSending": 0, "MsiFileCorrupted": 0, "UnknownProbe": 0, "NotSupported": 0,
                "Primed": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "Started": 0,
                "EndedWithTooManySearches": 0, "TimeoutSending": 0, "InvalidState": 0, "Timeout": 0,
                "EndedWithUnknownError": 0, "AlreadyUpdated": 0, "EndedWithTooManyResults": 0, "Succeeded": 8
            }
        },
        "finalState": true,
        "totalNumberOfProbes": 52,
        "initiatorUser": "[email protected]",
        "startTime": 1524038245429,
        "aborterUser": "[email protected]",
        "abortTime": 1524038250306,
        "wasAborted": false,
        "answersNumber": 0
    },
    {
        "batchId": -1550659616,
        "actionType": "FileSearchStart",
        "filters": [
            {
                "fieldName": "fileName",
                "values": [ ".doc" ],
                "operator": "Equals"
            }
        ],
        "globalStats": {
            "stats": {
                "Pending": 0, "partialResponse": 0, "AbortTimeout": 0, "EndedWithSensorTimeout": 0,
                "UnauthorizedUser": 0, "FailedSendingToServer": 0, "GettingChunks": 0, "NewerInstalled": 0,
                "SendingMsi": 0, "None": 0, "MsiSendFail": 0, "EndedWithInvalidParam": 0,
                "Failed": 0, "InProgress": 0, "Disconnected": 0, "Aborted": 43,
                "FailedSending": 0, "MsiFileCorrupted": 0, "UnknownProbe": 0, "NotSupported": 0,
                "Primed": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "Started": 0,
                "EndedWithTooManySearches": 0, "TimeoutSending": 0, "InvalidState": 0, "Timeout": 0,
                "EndedWithUnknownError": 0, "AlreadyUpdated": 0, "EndedWithTooManyResults": 1, "Succeeded": 8
            }
        },
        "finalState": true,
        "totalNumberOfProbes": 52,
        "initiatorUser": "[email protected]",
        "startTime": 1524399273929,
        "aborterUser": "[email protected]",
        "abortTime": 1524399283763,
        "wasAborted": false,
        "answersNumber": 62
    }
]
Request
import requests
import json

# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"

# Log in once and keep the session so the authentication cookie is reused by the API call
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

# Request URL (the leading slash is required so the path joins correctly with base_url)
endpoint_url = "/rest/sensors/actions/fileSearchRequestsAll"
api_url = base_url + endpoint_url

api_headers = {'Content-Type': 'application/json'}
api_response = session.request("GET", api_url, headers=api_headers)

# Parse the JSON body and print it in a readable form
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
[
    {
        "batchId": 1135967280,
        "actionType": "FileSearchStart",
        "filters": [
            {
                "fieldName": "fileName",
                "values": [ "exe" ],
                "operator": "Equals"
            }
        ],
        "globalStats": {
            "stats": {
                "Pending": 0, "partialResponse": 0, "AbortTimeout": 1, "EndedWithSensorTimeout": 0,
                "UnauthorizedUser": 0, "FailedSendingToServer": 0, "GettingChunks": 0, "NewerInstalled": 0,
                "SendingMsi": 0, "None": 0, "MsiSendFail": 0, "EndedWithInvalidParam": 0,
                "Failed": 0, "InProgress": 0, "Disconnected": 0, "Aborted": 43,
                "FailedSending": 0, "MsiFileCorrupted": 0, "UnknownProbe": 0, "NotSupported": 0,
                "Primed": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "Started": 0,
                "EndedWithTooManySearches": 0, "TimeoutSending": 0, "InvalidState": 0, "Timeout": 0,
                "EndedWithUnknownError": 0, "AlreadyUpdated": 0, "EndedWithTooManyResults": 0, "Succeeded": 8
            }
        },
        "finalState": true,
        "totalNumberOfProbes": 52,
        "initiatorUser": "[email protected]",
        "startTime": 1524038245429,
        "aborterUser": "[email protected]",
        "abortTime": 1524038250306,
        "wasAborted": false,
        "answersNumber": 0
    },
    {
        "batchId": -1550659616,
        "actionType": "FileSearchStart",
        "filters": [
            {
                "fieldName": "fileName",
                "values": [ ".doc" ],
                "operator": "Equals"
            }
        ],
        "globalStats": {
            "stats": {
                "Pending": 0, "partialResponse": 0, "AbortTimeout": 0, "EndedWithSensorTimeout": 0,
                "UnauthorizedUser": 0, "FailedSendingToServer": 0, "GettingChunks": 0, "NewerInstalled": 0,
                "SendingMsi": 0, "None": 0, "MsiSendFail": 0, "EndedWithInvalidParam": 0,
                "Failed": 0, "InProgress": 0, "Disconnected": 0, "Aborted": 43,
                "FailedSending": 0, "MsiFileCorrupted": 0, "UnknownProbe": 0, "NotSupported": 0,
                "Primed": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "Started": 0,
                "EndedWithTooManySearches": 0, "TimeoutSending": 0, "InvalidState": 0, "Timeout": 0,
                "EndedWithUnknownError": 0, "AlreadyUpdated": 0, "EndedWithTooManyResults": 1, "Succeeded": 8
            }
        },
        "finalState": true,
        "totalNumberOfProbes": 52,
        "initiatorUser": "[email protected]",
        "startTime": 1524399273929,
        "aborterUser": "[email protected]",
        "abortTime": 1524399283763,
        "wasAborted": false,
        "answersNumber": 62
    }
]