Perform Response Actions for a MalOp

Endpoint URL: https://<your server>/rest/detection/remediate-custom-actions
Endpoint URI: detection/remediate-custom-actions

Action: POST

Performs the selected response actions, or all available response actions, on the affected Elements in a MalOp.

Note

Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.

Request Headers

Add a Content-Type:application/json header.

Note

If you are using cURL, add the authorization cookie details or the path to the file containing the cookie details as part of every request.


Request Body

Input: JSON


Note

When sending this request, there may be a delay in returning a response, depending on how much data and activity is in your system. Ensure you do not send this request multiple times while waiting for a response as this may cause unexpected results and performance issues in your environment.

[
	{
		"remediationType":"<remediation operation>",
		"targetName":"<Element display name>",
		"targetId":"<Element GUID>",
		"machineName":"<machine name>",
		"machineId":"<machine GUID>",
		"machinesCount":1,
		"uniqueId":"<remediation operation>::<target GUID>"
	}
]

Request Parameters

URL/URI parameters: none

Request Body Parameters: Add the following parameters:

outcome (String): The result of the retrieval operation.

data (Array): An object containing the details of all settings.

type (Enum): The type of setting about which you are retrieving information. For this response, the value of this field is PropertyConfiguration.

name (String): The specific setting about which you are retrieving details.

value (Array): The details on the settings. The fields inside this object differ per setting.

lastUpdate (Integer): The last time the setting was updated.


Response Status Codes

This request can return the following status codes:

  • 200: Success OK


Response Success Schema

The response contains the following fields:

malopID (Integer): The unique ID the Cybereason platform uses to identify a MalOp.

remediationId (String): The unique ID the Cybereason platform uses for the remediation operation.

start (Integer): The start time (in epoch) for the remediation operation.

initiatingUser (String): The Cybereason user name for the user that starts the remediation operation.

statusLog (Array): An object that contains details on the remediation operation.

machineId (String): The GUID for the machine on which the target Element is found.

targetId (String): The GUID for the target Element in the remediation.

status (Enum): The status of the remediation operation. Possible values include:

  • SUCCESS

  • PENDING

  • IN_PROGRESS

actionType (Enum): The type of operation. Possible values include:

  • QUARANTINE_FILE

  • KILL_PROCESS

  • DELETE_REGISTRY_KEY

  • BLOCK_FILE

  • ISOLATE_MACHINE

message (String): The details for the remediation failure.


Response Failure Schema

The response contains the following fields:

malopID (Integer): The unique ID used by the Cybereason platform to identify a MalOp.

remediationId (String): The unique ID used by the Cybereason platform for the remediation operation.

start (Integer): The start time (in epoch) for the remediation operation.

initiatingUser (String): The Cybereason user name for the user starting the remediation operation.

statusLog (Array): An object containing details on the remediation operation.

machineId (String): The GUID for the machine on which the target Element is found.

targetId (String): The GUID for the target Element in the remediation.

status (Enum): The status of the remediation operation. Possible values include:

  • FAILURE

  • ABORTED

actionType (Enum): The type of operation. Possible values include:

  • QUARANTINE_FILE

  • KILL_PROCESS

  • DELETE_REGISTRY_KEY

  • BLOCK_FILE

  • ISOLATE_MACHINE

error (Array): An object containing details for the remediation failure.

message (String): The details for the remediation failure.

errorType (Enum): The type of error that caused the failure of the remediation operation. Possible values include:

  • PROBE_DISCONNECTED: The sensor is offline.

  • TIMED_OUT_WAITING_FOR_PROBE: The remediation request timed out while waiting for the sensor to come online.

  • GENERAL_PROBE_FAILURE: There was an unknown error on the sensor.

  • UNSUPPORTED_VERSION: The sensor version does not support this remediation action.

  • PROBE_FILE_NOT_FOUND: The sensor could not find the file for the remediation action.

  • PROBE_ACCESS_IS_DENIED: The sensor cannot access the requested file for remediation.

  • PROBE_INVALID_PARAMETER: An invalid argument was sent to the sensor.

  • PROBE_TIMEOUT: There was a sensor timeout when the sensor went offline.

  • PROBE_NOT_ENOUGH_SPACE: The sensor does not have enough space to perform the selected remediation action.

  • PROBE_READ_ONLY_FILE: The file for remediation is a read-only file.

  • PROBE_HELD_BY_ANOTHER_PROCESS: The file for remediation is currently in use by another process.

  • INVALID_ARGUMENT: There is an error in your request.

  • BROADCAST_FAILURE: There was an error reaching the server, or the same sensor ID is found on multiple servers.

  • SERVER_ERROR: There was a general server error.

timestamp (Integer): The time (in epoch) for the remediation response.


Important Response Fields

Important information is found in these fields:

  • remediationId parameter: The unique ID the Cybereason platform uses for this specific remediation operation.

  • start parameter: The start time for the remediation request.

  • machineId parameter: The unique GUID for the machine on which the remediation operation is performed.

  • targetId parameter: The unique GUID for the item (process, file, or registry key) on which the remediation operation is performed.

  • status parameter: The status of processing the remediation request by the server.

  • actionType parameter: The remediation operation.

  • error object: If present, details on the failure to process the remediation request.

  • timestamp parameter: The time (in epoch) at which the remediation request was processed.


Example: Remediate items in a MalOp

Request

curl --request POST \
  --url https://12.34.56.78/rest/detection/remediate-custom-actions \
  --header 'Content-Type:application/json' \
  --cookie '<path to cookie file>' \
  --data '[
            {
              "remediationType":"QUARANTINE_FILE",
              "targetName":"_output8cf322frr.exe",
              "targetId":"-2030665653.4896926850377762910",
              "machineName":"A07-B07",
              "machineId":"-2030665653.1198775089551518743",
              "machinesCount":1,
              "uniqueId":"QUARANTINE_FILE::-2030665653.4896926850377762910"
            }
          ]'

Response

{
  "malopId": null,
  "remediationId": "10759ccb-a3fb-4a18-a7de-5ca6b838d739",
  "start": 1582229437986,
  "end": 1582229438055,
  "initiatingUser": "[email protected]",
  "statusLog": [
    {
      "machineId": "16789215.1198775089551518743",
      "targetId": "16789215.4896926850377762910",
      "status": "FAILURE",
      "actionType": "QUARANTINE_FILE",
      "error": {
        "message": "Server error",
        "errorType": "INVALID_ARGUMENT"
      },
      "timestamp": 1582229438023
    }
  ]
}
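As an added example (not Cybereason's own code or part of this page), a small Python client that builds the request array from the template above, POSTs it once with the login session cookie, and sorts the statusLog of the reply into targets that succeeded, are still pending, failed because the sensor was unreachable (worth retrying once it reconnects), or failed outright. The Cookie header string, the MACHINE-GUID-2/TARGET-GUID-2 entry and its "sensor offline" message are assumptions; the first statusLog entry is copied from the response above.

```python
import json
from urllib import request

# Response actions the page lists for remediationType / actionType.
ACTION_TYPES = {"QUARANTINE_FILE", "KILL_PROCESS", "DELETE_REGISTRY_KEY", "BLOCK_FILE", "ISOLATE_MACHINE"}
# errorType values meaning the sensor was unreachable; worth retrying once it is back online.
TRANSIENT_ERRORS = {"PROBE_DISCONNECTED", "TIMED_OUT_WAITING_FOR_PROBE", "PROBE_TIMEOUT"}

def build_action(remediation_type, target_name, target_id, machine_name, machine_id):
    """One entry of the request array; uniqueId follows '<operation>::<target GUID>'."""
    if remediation_type not in ACTION_TYPES:
        raise ValueError(f"unsupported remediationType: {remediation_type}")
    return {"remediationType": remediation_type, "targetName": target_name,
            "targetId": target_id, "machineName": machine_name, "machineId": machine_id,
            "machinesCount": 1, "uniqueId": f"{remediation_type}::{target_id}"}

def remediate(server, cookie_header, actions, timeout=300):
    """POST the bare JSON array exactly once; cookie_header is the login session cookie (assumed here)."""
    req = request.Request(f"https://{server}/rest/detection/remediate-custom-actions",
                          data=json.dumps(actions).encode(), method="POST",
                          headers={"Content-Type": "application/json", "Cookie": cookie_header})
    with request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def summarize_status_log(response):
    """Bucket each statusLog entry as done, pending, retry (sensor unreachable) or failed."""
    summary = {"done": [], "pending": [], "retry": [], "failed": []}
    for entry in response.get("statusLog", []):
        key = f"{entry['machineId']}:{entry['targetId']}"
        status = entry.get("status")
        if status == "SUCCESS":
            summary["done"].append(key)
        elif status in ("PENDING", "IN_PROGRESS"):
            summary["pending"].append(key)
        else:  # FAILURE or ABORTED: classify by the error object's errorType
            err = entry.get("error") or {}
            bucket = "retry" if err.get("errorType") in TRANSIENT_ERRORS else "failed"
            summary[bucket].append(f"{key} [{err.get('errorType', 'UNKNOWN')}]")
    return summary

# Constructed sample reply: the page's example entry plus a made-up offline-sensor entry.
SAMPLE_RESPONSE = {"remediationId": "10759ccb-a3fb-4a18-a7de-5ca6b838d739", "statusLog": [
    {"machineId": "16789215.1198775089551518743", "targetId": "16789215.4896926850377762910",
     "status": "FAILURE", "actionType": "QUARANTINE_FILE", "timestamp": 1582229438023,
     "error": {"message": "Server error", "errorType": "INVALID_ARGUMENT"}},
    {"machineId": "MACHINE-GUID-2", "targetId": "TARGET-GUID-2", "status": "FAILURE",
     "actionType": "KILL_PROCESS", "timestamp": 1582229438030,
     "error": {"message": "sensor offline", "errorType": "PROBE_DISCONNECTED"}},
]}
```

Targets in the "retry" bucket should be resubmitted only after the sensor reports back online, and never by re-sending the same request while the first one is still pending, as the note above warns.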