Get Reputation Information from Platform Threat Intelligence
Endpoint URL: https://<your server>/rest/classification/classify/:item key
Endpoint URI: classification/classify/:item key
Action: GET
Returns reputation information on a specific item from all platform sources.
This endpoint is supported for Cybereason versions 21.2.103 and later.
This feature is not available by default. Contact Technical Support to enable this feature.
Note
Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.
Request Headers
You must add a Content-Type:application/json header to the request.
Note
If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.
Request Body
None
Request Parameters
URL/URI parameters: You must provide the item key (SHA-1 file hash value, IP address, or domain name) as part of the request URL. Searching MD5 or SHA-256 file hash values is not supported.
Request Body Parameters: none
Response Status Codes
This request can return the following status codes:
200: Success (OK), or an error message explaining why the request failed
Response Success Schema
The response contains these fields:
Field | Type | Description |
---|---|---|
outcome | String | Status update of the reputation retrieval request. |
data | Object | A JSON object containing all reputation information. |
customerClassificationReputations | Object | A JSON object containing individual objects with reputation details. This object can contain multiple reputation detail objects. |
priority | Integer | The priority the Cybereason platform assigns to the specific reputation. A value of 0 indicates that this reputation is the first source the platform uses for its classification. |
source | String | The source of the reputation update. |
comment | String | The comment added for the reputation when the reputation was added or created. |
user | String | The Cybereason username for the user that added the reputation. |
maliciousType | Enum | The reputation assigned for the item. |
blocking | Boolean | Indicates whether the item should be blocked from execution by the Cybereason platform. |
currentMaliciousType | Enum | The reputation the platform currently uses for this item. |
Response Failure Schema
None
Example: Retrieve a reputation
Request
curl --request GET \
  --url https://12.34.56.78/rest/classification/classify/4df4308dd3c36cfee0fe11cfa4856165 \
  --header 'Content-Type:application/json'
Response
{
  "outcome":"success",
  "data": {
    "customerClassificationReputations": [
      {
        "priority":0,
        "source":"Customer Classification",
        "comment":"registed by SOC",
        "user":"[email protected]",
        "maliciousType":"blacklist",
        "blocking":true
      },
      {
        "priority":1,
        "source":"AV Reported",
        "comment":"",
        "user":"",
        "maliciousType":"no_type_found",
        "blocking":false
      }
    ],
    "currentMaliciousType":"blacklist"
  }
}
Request
import requests

# Login information (placeholders; replace with your own values)
username = "[email protected]"
password = "mypassword"
server = "myserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"

# Log in; the session keeps the authorization cookie for later requests
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print(login_response.status_code)
print(session.cookies.items())

# Request URL: the item key is appended to the endpoint path
endpoint_url = "/rest/classification/classify"
item = "4df4308dd3c36cfee0fe11cfa4856165"
api_url = base_url + endpoint_url + "/" + item

api_response = session.request("GET", api_url, headers=headers)
print(api_response.content)
Response
{
  "outcome":"success",
  "data": {
    "customerClassificationReputations": [
      {
        "priority":0,
        "source":"Customer Classification",
        "comment":"registed by SOC",
        "user":"[email protected]",
        "maliciousType":"blacklist",
        "blocking":true
      },
      {
        "priority":1,
        "source":"AV Reported",
        "comment":"",
        "user":"",
        "maliciousType":"no_type_found",
        "blocking":false
      }
    ],
    "currentMaliciousType":"blacklist"
  }
}
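An added example (not from the Cybereason documentation): one way to check an item key against the SHA-1, IP address or domain rule before building the request URL, and to read a response by its outcome field rather than the HTTP status, which the page lists only as 200. The function names, the loose domain pattern, the mismatch check and the sample values are assumptions made for illustration.

```python
import ipaddress
import json
import re

def item_key_kind(key):
    """Return 'sha1', 'ip' or 'domain'; reject hash lengths the endpoint does not accept."""
    if re.fullmatch(r"[0-9a-fA-F]+", key) and len(key) in (32, 40, 64):
        if len(key) == 40:
            return "sha1"
        raise ValueError("MD5/SHA-256 length hash; only SHA-1 is supported")
    try:
        ipaddress.ip_address(key)
        return "ip"
    except ValueError:
        pass
    # Loose hostname pattern: an assumption, the page does not define the domain format.
    if re.fullmatch(r"([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}", key):
        return "domain"
    raise ValueError("item key is not a SHA-1 hash, IP address or domain name")

def summarize_reputation(body):
    """Parse a response body; return the reputation in use and the sources behind it."""
    doc = json.loads(body)
    # Only status 200 is listed, so success is read from the body, not the HTTP code.
    if doc.get("outcome") != "success":
        raise RuntimeError("reputation lookup failed: %r" % doc.get("outcome"))
    data = doc["data"]
    reps = sorted(data["customerClassificationReputations"], key=lambda r: r["priority"])
    first = reps[0] if reps else None  # priority 0 is the first source the platform uses
    return {
        "verdict": data["currentMaliciousType"],
        "first_source": first["source"] if first else None,
        "set_by_user": (first["user"] or None) if first else None,
        "blocking_sources": [r["source"] for r in reps if r["blocking"]],
        # Sanity check (assumption): flag when the first source disagrees with the verdict
        "mismatch": bool(first) and first["maliciousType"] != data["currentMaliciousType"],
    }

# Constructed sample in the shape of the response schema (values are made up).
SAMPLE = json.dumps({"outcome": "success", "data": {
    "customerClassificationReputations": [
        {"priority": 1, "source": "AV Reported", "comment": "", "user": "",
         "maliciousType": "no_type_found", "blocking": False},
        {"priority": 0, "source": "Customer Classification", "comment": "constructed",
         "user": "analyst@example.com", "maliciousType": "blacklist", "blocking": True}],
    "currentMaliciousType": "blacklist"}})

if __name__ == "__main__":
    print(item_key_kind("da39a3ee5e6b4b0d3255bfef95601890afd80709"))
    print(summarize_reputation(SAMPLE))
```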