Start a File Download Operation

Endpoint URL: https://<your server>/rest/fetchfile/start
Endpoint URI: fetchfile/start

Action: POST

Starts an operation to download files from the Element Details screen. You will need to run additional requests to:

Get the batch number for the operation. For details on the request, see Get a Download Batch Number.
Download the file. For details on the request, see Download a File.

Note

Before running this request, ensure that you have logged into the Cybereason platform. For details, see Log in with the API.

You must add an Content-Type:application/json header with the request.

Note

If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.

Input: JSON

{
	"elementGuids":["GUID for the Element"],
	"initiatorUserName":"<user name>"
}

Download JSON syntax file

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

URL/URI parameters: none

Request Body Parameters: The request body contains these required parameters:

<element GUIDs>: The unique GUID string(s) used by the Cybereason platform to identify the files. You can get these GUIDs from the results of an investigation query. For details on how to create such a query, see Run a Query.
initiatorUserName: The complete Cybereason user name string for the user performing the request.

This request can return the following status codes:

200: Success OK or an error message saying why

The response can contain any of the following fields:

Field

Type

Description

data

Boolean

Indicates whether there is a response.

status

Enum

The status of the file download start operation. Possible values include:

PARTIAL_SUCCESS
NO_SERVERS_CONFIGURED
QUERY_LIMIT_CROSSED
FAILURE
TIMEOUT_ERROR

message

String

The message received from the server about this operation.

A message and an error in the status field with one of the following:

NO_SERVERS_CONFIGURED
QUERY_LIMIT_CROSSED
FAILURE
TIMEOUT_ERROR

Important information is found in these fields:

status parameter: This displays where the download operation start was successful.

Request

curl --request POST \
    --url https://12.34.56.78/rest/fetchfile/start \
    --header 'Content-Type:application/json' \
    --data '{
              "elementGuids":["2111376845.-3637657128836262604"],
              "initiatorUserName":"[email protected]"
            }'

Response

{
  "data":true,
  "status":"SUCCESS",
  "message":""
}

Request

Download JSON syntax file

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

Use this request body:

{
                      "filters": [],
                      "fileFilters": [
                        {
                          "fieldName": "fileName",
                          "values": [
                            "ShadowCopy.ps"
                          ],
                          "operator": "Equals"
                        }
                      ]
                    }

Response

{
  "data":true,
  "status":"SUCCESS",
  "message":""
}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "rest/fetchfile/start"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

element_id = "2111376845.-3637657128836262604"

search = json.dumps({"elementGuids":[element_id],"initiatorUserName":username})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Response

{
  "data":true,
  "status":"SUCCESS",
  "message":""
}