Perform Response Actions for a MalOp
Endpoint URL: https://<your server>/rest/detection/remediate-custom-actions
Endpoint URI: detection/remediate-custom-actions
Action: POST
Performs the selected response actions, or all available ones, on the affected Elements in a MalOp.
Note
Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.
Request Headers
Add a Content-Type: application/json header.
Note
If you are using cURL, add the authorization cookie details or the path to the file containing the cookie details as part of every request.
Request Body
Input: JSON
Note
When sending this request, there may be a delay in returning a response, depending on how much data and activity is in your system. Ensure you do not send this request multiple times while waiting for a response as this may cause unexpected results and performance issues in your environment.
[
{
"remediationType":"<remediation operation>",
"targetName":"<Element display name>",
"targetId":"<Element GUID>",
"machineName":"<machine name>",
"machineId":"<machine GUID>",
"machinesCount":1,
"uniqueId":"<remediation operation>::<target GUID>"
}
]
Request Parameters
URL/URI parameters: none
Request Body Parameters: Add the following parameters:
| Field | Type | Description |
|---|---|---|
| outcome | String | The result of the retrieval operation. |
| data | Array | An object containing the details of all settings. |
| type | Enum | The type of setting about which you are retrieving information. For this response, the value of this field is PropertyConfiguration. |
| name | String | The specific setting about which you are retrieving details. |
| value | Array | The details on the settings. The fields inside this object differ per setting. |
| lastUpdate | Integer | The last time the setting was updated. |
Response Status Codes
This request can return the following status codes:
200: Success OK
Response Success Schema
The response contains the following fields:
| Field | Type | Description |
|---|---|---|
| malopID | Integer | The unique ID the Cybereason platform uses to identify a Malop. |
| remediationId | String | The unique ID the Cybereason platform uses for the remediation operation. |
| start | Integer | The start time (in epoch) for the remediation operation. |
| initiatingUser | String | The Cybereason user name for the user that starts the remediation operation. |
| statusLog | Array | An object that contains details on the remediation operation. |
| machineId | String | The GUID for the machine on which the target Element is found. |
| targetId | String | The GUID for the target Element in the remediation. |
| status | Enum | The status of the remediation operation. Possible values include: |
| actionType | Enum | The type of operation. Possible values include: |
| message | String | The details for the remediation failure. |
Response Failure Schema
The response contains the following fields:
| Field | Type | Description |
|---|---|---|
| malopID | Integer | The unique ID used by the Cybereason platform to identify a Malop. |
| remediationId | String | The unique ID used by the Cybereason platform for the remediation operation. |
| start | Integer | The start time (in epoch) for the remediation operation. |
| initiatingUser | String | The Cybereason user name for the user starting the remediation operation. |
| statusLog | Array | An object containing details on the remediation operation. |
| machineId | String | The GUID for the machine on which the target Element is found. |
| targetId | String | The GUID for the target Element in the remediation. |
| status | Enum | The status of the remediation operation. Possible values include: |
| actionType | Enum | The type of operation. Possible values include: |
| error | Array | An object containing details for the remediation failure. |
| message | String | The details for the remediation failure. |
| errorType | Enum | The type of error which caused the failure of the remediation operation. Possible values include: |
| timestamp | Integer | The time (in epoch) for the remediation response. |
Important Response Fields
Important information is found in these fields:
remediationId parameter: The unique ID the Cybereason platform uses for this specific remediation operation.
start parameter: The start time for the remediation request.
machineId parameter: The unique GUID for the machine on which the remediation operation is performed.
targetId parameter: The unique GUID for the item (process, file, or registry key) on which the remediation operation is performed.
status parameter: The status of processing the remediation request by the server.
actionType parameter: The remediation operation.
error object: If present, details on the failure to process the remediation request.
timestamp parameter: The time (in epoch) in which the remediation request was processed.
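The request body above is a JSON array whose uniqueId is the remediation operation joined to the target GUID with "::", and the response's statusLog entries carry a status and, on failure, an error object. The following Python is an added example, not Cybereason's own code or the page's sample: it builds the request body so that uniqueId is always derived from remediationType and targetId, and it parses a response (constructed here from the example response on this page) into a list of failed entries with their errorType and message, which is what an analyst needs to see which machine/target was not remediated. The helper names, the requirement that every target carry the five identifying fields, and the classification of an entry as failed when its status is FAILURE or it carries an error object are this example's assumptions; the page does not list the possible status values.

```python
import json

# Fields every target entry must carry, taken from the request body shown on this page.
# (Assumption of this example: all five are needed to identify a target.)
REQUIRED_TARGET_FIELDS = frozenset(
    {"remediationType", "targetName", "targetId", "machineName", "machineId"}
)

# Constructed sample: a copy of the example response shown on this page, embedded
# so the parser below can run offline.
SAMPLE_RESPONSE = json.loads("""
{
  "malopId": null,
  "remediationId": "10759ccb-a3fb-4a18-a7de-5ca6b838d739",
  "start": 1582229437986,
  "end": 1582229438055,
  "initiatingUser": "[email protected]",
  "statusLog": [
    {
      "machineId": "16789215.1198775089551518743",
      "targetId": "16789215.4896926850377762910",
      "status": "FAILURE",
      "actionType": "QUARANTINE_FILE",
      "error": {"message": "Server error", "errorType": "INVALID_ARGUMENT"},
      "timestamp": 1582229438023
    }
  ]
}
""")


def missing_fields(target):
    """Return, sorted, the required request fields that a target entry lacks."""
    return sorted(REQUIRED_TARGET_FIELDS - set(target))


def build_remediation_body(targets):
    """Build the request body: a JSON array with one object per target.

    uniqueId is derived as '<remediationType>::<targetId>' (the format shown in
    the request body on this page), so it cannot disagree with the other two
    fields. machinesCount is fixed at 1, as in the page's example.
    """
    body = []
    for target in targets:
        missing = missing_fields(target)
        if missing:
            raise ValueError(f"target entry is missing {missing}")
        body.append({
            "remediationType": target["remediationType"],
            "targetName": target["targetName"],
            "targetId": target["targetId"],
            "machineName": target["machineName"],
            "machineId": target["machineId"],
            "machinesCount": 1,
            "uniqueId": f"{target['remediationType']}::{target['targetId']}",
        })
    return body


def summarize_remediation(response):
    """Group statusLog entries into 'failed' and 'other' (status preserved).

    An entry counts as failed when its status is FAILURE or it carries an error
    object (hypothetical rule of this example); for failures the errorType and
    message are surfaced next to the machine and target GUIDs.
    """
    summary = {
        "remediationId": response.get("remediationId"),
        "initiatingUser": response.get("initiatingUser"),
        "failed": [],
        "other": [],
    }
    for entry in response.get("statusLog", []):
        record = {
            "machineId": entry.get("machineId"),
            "targetId": entry.get("targetId"),
            "actionType": entry.get("actionType"),
            "status": entry.get("status"),
            "timestamp": entry.get("timestamp"),
        }
        error = entry.get("error")
        if entry.get("status") == "FAILURE" or error:
            record["errorType"] = (error or {}).get("errorType")
            record["message"] = (error or {}).get("message")
            summary["failed"].append(record)
        else:
            summary["other"].append(record)
    return summary


if __name__ == "__main__":
    body = build_remediation_body([{
        "remediationType": "QUARANTINE_FILE",
        "targetName": "_output8cf322frr.exe",
        "targetId": "-2030665653.4896926850377762910",
        "machineName": "A07-B07",
        "machineId": "-2030665653.1198775089551518743",
    }])
    print(json.dumps(body, indent=2))
    print(json.dumps(summarize_remediation(SAMPLE_RESPONSE), indent=2))
```

Feed the list returned by build_remediation_body to json.dumps as the POST body, and pass the decoded response to summarize_remediation; a non-empty "failed" list is the signal to investigate before retrying, rather than resending the same request while the first one is still being processed.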
Example: Remediate items in a MalOp
Request
curl --request POST \
--url https://12.34.56.78/rest/detection/remediate-custom-actions \
--header 'Content-Type:application/json' \
--cookie '<path to cookie file>' \
--data '[
{
"remediationType":"QUARANTINE_FILE",
"targetName":"_output8cf322frr.exe",
"targetId":"-2030665653.4896926850377762910",
"machineName":"A07-B07",
"machineId":"-2030665653.1198775089551518743",
"machinesCount":1,
"uniqueId":"QUARANTINE_FILE::-2030665653.4896926850377762910"
}
]'
Response
{
"malopId":null,
"remediationId":"10759ccb-a3fb-4a18-a7de-5ca6b838d739",
"start":1582229437986,
"end":1582229438055,
"initiatingUser":"[email protected]",
"statusLog": [
{
"machineId":"16789215.1198775089551518743",
"targetId":"16789215.4896926850377762910",
"status":"FAILURE",
"actionType":"QUARANTINE_FILE",
"error": {
"message":"Server error",
"errorType":"INVALID_ARGUMENT"
},
"timestamp":1582229438023
}
]
}
Request
Use this request body (the response is the same as the one shown for the cURL request above):
[
{
"remediationType":"QUARANTINE_FILE",
"targetName":"_output8cf322frr.exe",
"targetId":"-2030665653.4896926850377762910",
"machineName":"A07-B07",
"machineId":"-2030665653.1198775089551518743",
"machinesCount":1,
"uniqueId":"QUARANTINE_FILE::-2030665653.4896926850377762910"
}
]
Request
import requests
import json

# Login information
username = "[email protected]"
password = "mypassword"
server = "myserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"

# Log in once; the session keeps the authorization cookie for the API request below.
session = requests.session()
response = session.post(login_url, data=data, verify=True)
response.raise_for_status()
print(response.status_code)
print(session.cookies.items())

# Request URL
endpoint_url = "/rest/detection/remediate-custom-actions"
api_url = base_url + endpoint_url

# These are the parameters required to run the request.
remediation_operation = "QUARANTINE_FILE"
target_element_name = "_output8cf322frr.exe"
target_GUID = "-2030665653.4896926850377762910"
target_machine_name = "A07-B07"
target_machine_GUID = "-2030665653.1198775089551518743"
remediation_id = "QUARANTINE_FILE::-2030665653.4896926850377762910"

# The request body is a JSON array with one object per remediation action.
query = json.dumps([{
    "remediationType": remediation_operation,
    "targetName": target_element_name,
    "targetId": target_GUID,
    "machineName": target_machine_name,
    "machineId": target_machine_GUID,
    "machinesCount": 1,
    "uniqueId": remediation_id
}])

api_headers = {'Content-Type': 'application/json'}
# Send the request once and wait for the response; the server may take a while
# to answer depending on the amount of data and activity in the environment.
api_response = session.request("POST", api_url, data=query, headers=api_headers)
api_response.raise_for_status()

your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))