Common Use Cases

The Cybereason API can help you run your security operations, from threat analysis and investigation, to Server and Sensor maintenance. Use the API to help you with common tasks, including:



Relevant Links

Run investigative queries

Run investigation queries on machines in your environment, including:

  • Asset tracking across all machines

  • Search for file hashes

  • Search for connections that access known domains or IP addresses

  • Search for newly found malicious processes

  • Find external connections for all processes

  • Pull firewall data

  • Search for known IOCs

  • Search for malicious files

Manage Sensors

Perform management tasks for Sensors, including:

  • Check Sensor versions

  • Find all offline, archived, or stale Sensors

  • Find Sensors assigned to a specific site

  • Find Sensors running on a machine with a specific operating system

  • See the NGAV settings for any Sensor

  • Add tags to Sensors

  • Deploy new versions to any or all Sensors

  • Verify Sensor installation

  • Download logs from any Sensor

  • Update Sensor settings in bulk

  • Update individual Sensors without uploading the CSV file

Investigate Malops

Retrieve details on Malops for analysis and use in your SIEM or SOAR, including:

  • Query all Malops

  • Get Malop details to parse for use in other reports

  • Quickly isolate machines involved in Malop

Remediate items

Remediate items, including:

  • Kill a process

  • Quarantine a file

  • Delete a registry key

  • Block a file

For more details, see rest/remediate.

Create custom detection rules

Create and update custom detection rules, including:

  • Create or update a custom detection rule

  • Retrieve lists of existing custom detection rules

  • Retriev a list of modifications for any custom rule

Update item reputations

Manage file, IP address, or domain reputations, including:

  • Update a single item’s reputation (instead of using the CSV file)

  • Update item reputations in bulk

Get threat intel

View threat intelligence details for files, IP addresses, and domains.

Create isolation rules to manage machine isolation

Create isolation rules that are triggered automatically, including:

  • Isolate machines based on isolation rules you create

  • Update and delete isolation rules as needed

For more details on the specific API to use to accomplish these tasks, see the links in the table above.

For more detailed examples on some of these use-cases, see Sample API Scenarios.