Retrieve Process Hierarchies
Endpoint URL: https://sage.cybereason.com/rest/download_v1/process_hierarchy
Endpoint URI: download_v1/process_hierarchy
Action: POST
Returns details on process hierarchy based on the Cybereason threat intelligence service. This is used by the Cybereason platform to identify the expected hierarchy of operating system processes.
Request Headers
You must add an Content-Type:application/json header with the request.
Note
If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.
Request Body
{}
Because this request uses a POST method, you must add a request body. Add only open and closed brackets without parameters between the brackets.
Request Parameters
URL/URI parameters: none
Request Body Parameters: none
Response Status Code
This request can return the following status codes:
200: Success OK or an error message saying why
Response Success Schema
The response contains the following fields:
Field |
Type |
Description |
|---|---|---|
recordList |
Array |
An object containing details on the process hierarchy. |
key |
Array |
An object with details on the specific process. |
name |
String |
The name of the process. |
value |
Array |
An object containing specific details on the process’s hierarchy. |
parent |
String |
The parent process of the selected process. |
lastUploadTimestamp |
Integer |
The timestamp (in epoch) when this information was last updated on the Global Threat Intelligence server. |
Response Failure Schema
None
Important Response Fields
Important information is found in these fields:
name The name of the process for which the Cybereason platform has a process hierarchy.
parent: The expected parent process for this process.
Example: Retrieve process hierarchies
Request
curl --request POST \
--url https://12.34.56.78/rest/classification_v1/process_hierarchy \
--header 'Content-Type:application/json' \
--data '{}'
Response
{
"recordList": [
{
"key": {
"name": "lsass.exe"
},
"value": [
{
"parent": "wininit.exe"
}
]
},
{
"key": {
"name": "svchost.exe"
},
"value": [
{
"parent": "services.exe"
}
]
},
{
"key": {
"name": "smss.exe"
},
"value": [
{
"parent": "system"
},
{
"parent": "smss.exe"
}
]
},
{
"key": {
"name": "services.exe"
},
"value": [
{
"parent": "wininit.exe"
}
]
},
{
"key": {
"name": "lsm.exe"
},
"value": [
{
"parent": "wininit.exe"
}
]
}
],
"lastUploadTimestamp": 1476350910397
}
Use this request body:
Request
{}
Response
{
"recordList": [
{
"key": {
"name": "lsass.exe"
},
"value": [
{
"parent": "wininit.exe"
}
]
},
{
"key": {
"name": "svchost.exe"
},
"value": [
{
"parent": "services.exe"
}
]
},
{
"key": {
"name": "smss.exe"
},
"value": [
{
"parent": "system"
},
{
"parent": "smss.exe"
}
]
},
{
"key": {
"name": "services.exe"
},
"value": [
{
"parent": "wininit.exe"
}
]
},
{
"key": {
"name": "lsm.exe"
},
"value": [
{
"parent": "wininit.exe"
}
]
}
],
"lastUploadTimestamp": 1476350910397
}
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
import requests
import json
session = requests.session()
# Request URL
sage_url = "https://sage.cybereason.com"
endpoint_url = "/rest/download_v1/process_hierarchy"
api_url = sage_url + endpoint_url
query = '{}'
api_headers = {'Content-Type':'application/json'}
api_response = session.request("POST", api_url, data=query, headers=api_headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
{
"recordList": [
{
"key": {
"name": "lsass.exe"
},
"value": [
{
"parent": "wininit.exe"
}
]
},
{
"key": {
"name": "svchost.exe"
},
"value": [
{
"parent": "services.exe"
}
]
},
{
"key": {
"name": "smss.exe"
},
"value": [
{
"parent": "system"
},
{
"parent": "smss.exe"
}
]
},
{
"key": {
"name": "services.exe"
},
"value": [
{
"parent": "wininit.exe"
}
]
},
{
"key": {
"name": "lsm.exe"
},
"value": [
{
"parent": "wininit.exe"
}
]
}
],
"lastUploadTimestamp": 1476350910397
}