Isolate MalOp Machine
Endpoint URL: https://<your server>/rest/monitor/global/commands/isolate
Endpoint URI: monitor/global/commands/isolate
Action: POST
Isolates a machine or machines involved in a specific MalOp.
If you would like to isolate a machine that is not associated with a particular MalOp, see Remediate Items.
Note
Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.
Request Headers
You must add a Content-Type:application/json header with the request.
Note
If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.
Request Body
Input: JSON
{
"pylumIds": [
"<sensor ID>",
"<sensor ID>"
],
"malopId": "<MalopID>"
}
Request Parameters
URL/URI parameters: none
Request Body Parameters: You must provide the following REQUIRED parameters:
pylumIds: The unique sensor ID the Cybereason platform uses for the machines to isolate. If you are entering multiple values, add a comma between each sensor ID.
malopId: The GUID for the MalOp with which the sensor is associated. This ID is found when you retrieve the list of MalOps. Use the Retrieve All MalOps request to view this GUID.
Response Status Codes
This request can return the following status codes:
200: Success OK. This means the server successfully processed the request. However, this 200 status does not mean the isolation is successful.
Response Success Schema
The response can contain a line for each sensor with:
A status message Successful operation with the message Succeeded.
Response Failure Schema
The response will return an HTTP status of 200, meaning the server has successfully processed the request. However, this 200 status does not mean the isolation is successful.
For failed isolation, the response contains the pylum/Sensor ID with a description of the request to the Sensor:
FailedSending. The isolation request to the Sensor was not sent.
Primed. Because the Sensor is offline, the request has been prepared to send to the Sensor as soon as it is online.
UnknownProbe. The Sensor specified in the request is unknown.
NotSupported. The Sensor version does not support isolation.
Disconnected. The Sensor in the request is disconnected from the server.
TimeoutSending. The isolation request exceeded the maximum allowable timeout during the period the request was sent.
Failed. The isolation request failed.
Timeout. The isolation request timed out.
UnauthorizedUser. The selected user cannot perform this request.
partialResponse. The isolation request received a partial response from the Sensor before the timeout period.
Aborted. The isolation request was aborted.
ProbeRemoved. The Sensor was removed.
FailedSendingToServer. The isolation request failed on sending to the server.
Important Response Fields
Important information is found in these fields:
status parameter: The status of the isolation operation for the sensor. This value is found as a pair with the pylum ID parameter.
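Because a 200 response does not confirm isolation, a caller has to inspect the status returned for each sensor. The following added example (not part of the Cybereason documentation) sorts a response body into isolated, pending and failed sensors. Treating Primed as pending, treating unrecognised status strings as failures, and the sensor IDs in the sample data are assumptions of this example.

```python
# Added example: triage the per-sensor statuses returned by the isolate call.
# The function and variable names here are hypothetical, not a vendor API.

def triage_isolation(requested_ids, response_body):
    """Sort every requested sensor ID by the status the server returned."""
    result = {"isolated": [], "pending": [], "failed": {}, "missing": []}
    for sensor_id in requested_ids:
        status = response_body.get(sensor_id)
        if status is None:
            # The response had no line for this sensor: do not assume success.
            result["missing"].append(sensor_id)
        elif status == "Succeeded":
            result["isolated"].append(sensor_id)
        elif status == "Primed":
            # Sensor is offline; the request is held until it comes online.
            result["pending"].append(sensor_id)
        else:
            # Disconnected, Timeout, UnknownProbe, ... and any unrecognised
            # value are all treated as failures (fail closed).
            result["failed"][sensor_id] = status
    return result


def fully_isolated(triage):
    """True only when every requested sensor reported Succeeded."""
    return not (triage["pending"] or triage["failed"] or triage["missing"])


# Constructed sample data (not real sensor IDs or a captured response).
SAMPLE_REQUESTED = ["SENSOR_A", "SENSOR_B", "SENSOR_C", "SENSOR_D"]
SAMPLE_RESPONSE = {
    "SENSOR_A": "Succeeded",
    "SENSOR_B": "Primed",
    "SENSOR_C": "Disconnected",
}

if __name__ == "__main__":
    triage = triage_isolation(SAMPLE_REQUESTED, SAMPLE_RESPONSE)
    for sensor_id in triage["isolated"]:
        print(sensor_id, "isolated")
    for sensor_id in triage["pending"]:
        print(sensor_id, "pending until the sensor is online")
    for sensor_id, status in triage["failed"].items():
        print(sensor_id, "NOT isolated:", status)
    for sensor_id in triage["missing"]:
        print(sensor_id, "NOT isolated: no status in response")
    print("all requested machines isolated:", fully_isolated(triage))
```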
Example: Isolate a machine involved in a MalOp
Request
curl --request POST \
--url https://12.34.56.78/rest/monitor/global/commands/isolate \
--header 'Content-Type:application/json' \
--data '{
"pylumIds":["PYLUMCLIENT_INTERNAL_WIN_XP123456_0050568A74AC"],
"malopId":"11.-4040827324870650429"
}'
Response
{
"PYLUMCLIENT_INTERNAL_WIN_XP012987_0050123A74AC": "Succeeded"
}
Request
Use this request body:
{
"pylumIds": ["PYLUMCLIENT_INTERNAL_WIN_XP123456_0050568A74AC"],
"malopId": "11.-4040827324870650429"
}
Response
{
"PYLUMCLIENT_INTERNAL_WIN_XP012987_0050123A74AC": "Succeeded"
}
Request
import requests
import json
# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"
data = {
"username": username,
"password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())
# Request URL
endpoint_url = "/rest/monitor/global/commands/isolate"
api_url = base_url + endpoint_url
# These are the variables that represent different fields in the request.
sensor_id = "PYLUMCLIENT_INTERNAL_WIN_XP123456_0050568A74AC"
malop_id = "11.-4040827324870650429"
query = json.dumps({"pylumIds":[sensor_id],"malopId":malop_id})
api_headers = {'Content-Type':'application/json'}
api_response = session.request("POST", api_url, data=query, headers=api_headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
{ "PYLUMCLIENT_INTERNAL_WIN_XP012987_0050123A74AC": "Succeeded" }
Example: Isolation failure for a machine involved in a MalOp due to offline Sensor
Request
curl --request POST \
--url https://12.34.56.78/rest/monitor/global/commands/isolate \
--header 'Content-Type:application/json' \
--data '{
"pylumIds":["PYLUMCLIENT_INTERNAL_WIN_XP123456_0050568A74AC"],
"malopId":"11.-4040827324870650429"
}'
Response
{
"PYLUMCLIENT_INTERNAL_WIN_XP012987_0050123A74AC": "Disconnected"
}
Request
Use this request body:
{
"pylumIds": ["PYLUMCLIENT_INTERNAL_WIN_XP123456_0050568A74AC"],
"malopId": "11.-4040827324870650429"
}
Response
{
"PYLUMCLIENT_INTERNAL_WIN_XP012987_0050123A74AC": "Disconnected"
}
Request
import requests
import json
# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"
data = {
"username": username,
"password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())
# Request URL
endpoint_url = "/rest/monitor/global/commands/isolate"
api_url = base_url + endpoint_url
# These are the variables that represent different fields in the request.
sensor_id = "PYLUMCLIENT_INTERNAL_WIN_XP123456_0050568A74AC"
malop_id = "11.-4040827324870650429"
query = json.dumps({"pylumIds":[sensor_id],"malopId":malop_id})
api_headers = {'Content-Type':'application/json'}
api_response = session.request("POST", api_url, data=query, headers=api_headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
{ "PYLUMCLIENT_INTERNAL_WIN_XP012987_0050123A74AC": "Disconnected" }