Common Use Cases

The Cybereason API can help you run your security operations, from threat analysis and investigation, to Server and Sensor maintenance. Use the API to help you with common tasks, including:

Task	Examples	Relevant Links
Run investigative queries	Run investigation queries on machines in your environment, including: Asset tracking across all machines Search for file hashes Search for connections that access known domains or IP addresses Search for newly found malicious processes Find external connections for all processes Pull firewall data Search for known IOCs Search for malicious files	Run investigative queries Search for files
Manage Sensors	Perform management tasks for Sensors, including: Check Sensor versions Find all offline, archived, or stale Sensors Find Sensors assigned to a specific site Find Sensors running on a machine with a specific operating system See the NGAV settings for any Sensor Add tags to Sensors Deploy new versions to any or all Sensors Verify Sensor installation Download logs from any Sensor Update Sensor settings in bulk Update individual Sensors without uploading the CSV file	Get a list of Sensors Set Anti-Ransomware mode Set Application Control mode Set Anti-Malware mode Set Powershell Protection mode Get Sensor Logs Download Sensor logs Upgrade Sensors Archive Sensors Unarchive Sensors Tag Sensors
Investigate Malops	Retrieve details on Malops for analysis and use in your SIEM or SOAR, including: Query all Malops Get Malop details to parse for use in other reports Quickly isolate machines involved in Malop	Get a list of Malops Isolate a Machine involved in a Malop
Remediate items	Remediate items, including: Kill a process Quarantine a file Delete a registry key Block a file	For more details, see rest/remediate.
Create custom detection rules	Create and update custom detection rules, including: Create or update a custom detection rule Retrieve lists of existing custom detection rules Retriev a list of modifications for any custom rule	Create a custom detection rule Update a custom detection rule Retrieve a list of active custom detection rules Retrieve a list of disabled custom detection rules Retrieve a list of rule modifications
Update item reputations	Manage file, IP address, or domain reputations, including: Update a single item’s reputation (instead of using the CSV file) Update item reputations in bulk	Get a list of item reputations Update a reputation
Get threat intel	View threat intelligence details for files, IP addresses, and domains.	Get file reputations Get domain reputations Get IP address reputations
Create isolation rules to manage machine isolation	Create isolation rules that are triggered automatically, including: Isolate machines based on isolation rules you create Update and delete isolation rules as needed	Get isolation rules Create an isolation rule Update an isolation rule

For more details on the specific API to use to accomplish these tasks, see the links in the table above.

For more detailed examples on some of these use-cases, see Sample API Scenarios.