Retrieve Process Classifications
Endpoint URL: https://sage.cybereason.com/rest/download_v1/process_classification
Endpoint URI: download_v1/process_classification
Action: POST
Returns details on process classifications based on the Cybereason threat intelligence service. This information is used by the Cybereason platform to identify the application type based on the process name, process image file signature, process image file path and description, product name, and company name for the product.
Request Headers
You must add a Content-Type:application/json header to the request.
Note
If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.
Request Body
{}
Because this request uses a POST method, you must add a request body. Add only open and closed brackets without parameters between the brackets.
Request Parameters
URL/URI parameters: none
Request Body Parameters: none
Response Status Code
This request can return the following status codes:
200: Success OK, or an error message explaining the failure
Response Success Schema
The response contains the following fields:
Field | Type | Description |
---|---|---|
recordList | Array | An object containing details on the product classifications. |
key | Array | An object with details on the specific product. |
name | String | The name of the product. |
value | Array | An object containing specific details on the product. |
signer | String | The name of the company that produces the product. |
type | Enum | The type of product, as classified by the Cybereason threat intelligence service. Possible values include: |
title | String | The title of the product. |
lastUploadTimestamp | Integer | A timestamp (in epoch) when the information was last updated on the Threat Intel Server. |
Response Failure Schema
None
Important Response Fields
Important information is found in these fields:
recordList object: An object containing details on all the processes for which the Cybereason platform has a classification.
name: The process name.
productName: The official product name for the process.
companyName: The company that produces the application associated with this process.
path: The full path to the executable file that runs the process.
processType: The process type classification used by the Cybereason platform for this specific process.
isSigned: Indicates whether or not the image file for the process is signed.
Example: Retrieve process classifications
Request
curl --request POST \
  --url https://12.34.56.78/rest/download_v1/process_classification \
  --header 'Content-Type:application/json' \
  --data '{}'
Response
Note
This is a partial response, shortened to show the key fields. Your actual response will be much longer and contain all product classifications.
{
  "recordList": [
    {
      "key": {
        "name": "Dropbox.exe"
      },
      "value": [
        {
          "name": "Dropbox.exe",
          "title": "Dropbox",
          "productName": "Dropbox",
          "companyName": "Dropbox, Inc.",
          "fileDescription": "Dropbox",
          "path": "C:\\Users\\user\\AppData\\Roaming\\Dropbox\\bin\\Dropbox.exe",
          "canonizedPath": "%APPDATA%\\dropbox\\bin\\dropbox.exe",
          "processType": "SHARING",
          "isSigned": true
        }
      ]
    },
    {
      "key": {
        "name": "Flock.exe"
      },
      "value": [
        {
          "name": "Flock.exe",
          "title": "Flock",
          "productName": "Flock",
          "companyName": "Flock, Inc.",
          "fileDescription": "Flock",
          "path": "C:\\Program Files\\Flock\\Flock.exe",
          "canonizedPath": "%PROGRAMFILES%\\flock\\flock.exe",
          "processType": "BROWSER",
          "isSigned": true
        }
      ]
    }
  ]
}
Use this request body:
Request
{}
Request
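import requests
import json
# Reuse one session so cookies set on it are sent with every request
session = requests.session()
# Request URL
sage_url = "https://sage.cybereason.com"
endpoint_url = "/rest/download_v1/process_classification"
api_url = sage_url + endpoint_url
# POST requires a body: empty brackets with no parameters
query = '{}'
api_headers = {'Content-Type': 'application/json'}
api_response = session.request("POST", api_url, data=query, headers=api_headers, timeout=30)
# Stop on an HTTP error status instead of trying to parse the error body
api_response.raise_for_status()
your_response = api_response.json()
print(json.dumps(your_response, indent=4, sort_keys=True))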
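The fields listed under Important Response Fields can be used to check an observed process against its classification. The following is an added example, not Cybereason code: it indexes recordList by process name and compares an observed image path and signature state with the canonizedPath and isSigned values. The function names, the sample data and the prefix rules in canonize() are assumptions; the page does not document how canonizedPath is derived.

```python
import json
import ntpath
import re

# Constructed sample in the shape of the partial response shown on this page.
SAMPLE = json.loads(r'''{"recordList": [
 {"key": {"name": "Dropbox.exe"}, "value": [{"name": "Dropbox.exe",
   "canonizedPath": "%APPDATA%\\dropbox\\bin\\dropbox.exe",
   "processType": "SHARING", "isSigned": true}]},
 {"key": {"name": "Flock.exe"}, "value": [{"name": "Flock.exe",
   "canonizedPath": "%PROGRAMFILES%\\flock\\flock.exe",
   "processType": "BROWSER", "isSigned": true}]}]}''')

# Assumed prefix rules: the page does not say how canonizedPath is derived.
PREFIX_RULES = [
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming(?=\\)"), "%APPDATA%"),
    (re.compile(r"^[a-z]:\\program files(?=\\)"), "%PROGRAMFILES%"),
]

def canonize(path):
    """Lower-case a Windows path and swap a known prefix for its token."""
    lowered = path.lower()
    for pattern, token in PREFIX_RULES:
        if pattern.match(lowered):
            return pattern.sub(token, lowered, count=1)
    return lowered

def build_index(response):
    """Map lower-cased process name -> list of classification entries."""
    index = {}
    for record in response.get("recordList", []):
        name = record.get("key", {}).get("name", "").lower()
        index.setdefault(name, []).extend(record.get("value", []))
    return index

def check_process(index, image_path, is_signed):
    """Compare one observed process with its classification entries."""
    entries = index.get(ntpath.basename(image_path).lower())
    if not entries:
        return ("unclassified", None)
    observed = canonize(image_path)
    for entry in entries:
        if entry.get("canonizedPath") == observed:
            if entry.get("isSigned") and not is_signed:
                return ("signature-mismatch", entry.get("processType"))
            return ("match", entry.get("processType"))
    return ("path-mismatch", entries[0].get("processType"))
```

A path-mismatch or signature-mismatch result means the process name is classified but the observed image does not line up with the classified entry, which is a reason to review that process.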