Endpoints

The Cybereason API exposes a set of endpoints grouped by task. The table below lists each endpoint with its HTTP method and purpose.

All endpoint paths below are relative to the prefix https://<your server>/rest. Note that several of them take disruptive or irreversible actions (machine isolation, remediation, sensor deletion, running incident response tools on endpoints, user management), so scope the credentials used for API access accordingly.

| Group | Endpoint | Method | Description |
|---|---|---|---|
| Hunt and Investigate | visualsearch/query/simple | POST | Run investigative queries to find suspicious or malicious behaviors in your environment. |
| Hunt and Investigate | sensors/action/fileSearch | POST | Search for files on machines in your environment. |
| Hunt and Investigate | sensors/action/fileSearch/:batch ID | GET | Get the results of a specific previously performed file search. |
| Hunt and Investigate | sensors/action/fileSearch/csv/:batch ID | GET | Get the results of a previous file search and export them to CSV. |
| Hunt and Investigate | sensors/action/fileSearchRequests | GET | Return a list of all file searches you previously performed. |
| Hunt and Investigate | sensors/action/fileSearchRequestsAll | GET | Return a list of all file searches previously performed by all users. |
| Hunt and Investigate | fetchfile/start | POST | Start the download of a file from the Element Details screen. |
| Hunt and Investigate | fetchfile/downloads/progress | GET | Return a list of all files waiting for download. |
| Hunt and Investigate | fetchfile/getfiles/:batchId | GET | Download the file to your machine. |
| Hunt and Investigate | fetchfile/close/:batchID | GET | Abort a file download operation. |
| MalOps | crimes/unified | POST | Return details on a specific AI Hunt MalOp. |
| MalOps | detection/inbox | POST | Return a list of all MalOps of all types. |
| MalOps | detection/details | POST | Return details on a specific MalOp (Endpoint Protection MalOps only). |
| MalOps | detection/remediate-custom-actions | POST | Perform selected or all possible response actions for a MalOp. |
| MalOps | detection/exclude | POST | Exclude the behavior that caused a MalOp from triggering future MalOps. |
| MalOps | monitor/global/commands/isolate | POST | Isolate a specific machine involved in a MalOp. |
| MalOps | monitor/global/commands/un-isolate | POST | Remove a specific machine involved in a MalOp from isolation. |
| MalOps | crimes/status | POST | Update a MalOp's status. |
| MalOps | crimes/comment/:malopID | POST | Add a comment to a MalOp. |
| MalOps | detection/labels | POST | Return a list of all MalOp labels. |
| MalOps | detection/add-label | POST | Add a MalOp label to the list of MalOp labels. |
| MalOps | detection/delete-labels | POST | Delete a MalOp label from the list of MalOp labels. |
| MalOps | detection/update-labels | POST | Update a MalOp label in the list of MalOp labels. |
| MalOps | settings/configurations | GET | Get details on settings, including MalOp notification settings. |
| MalOps | settings/configurations | POST | Update MalOp notification settings. |
| Remediation | remediate | POST | Remediate an item. |
| Remediation | remediate/progress/:username/:malopId/:remediationId | GET | Check the status of a particular remediation operation. |
| Remediation | remediate/abort/:malopId/:remediationId | POST | Abort a remediation operation. |
| Remediation | remediate/status/:malopId | GET | Get a list of remediations for a particular MalOp. |
| Malware | malware/counts | POST | Get a count of all malware per type. |
| Malware | malware/query | POST | Return details on malware currently in your environment. |
| Custom Rules | v2/customRules/decisionFeature/live | GET | Retrieve a list of currently active custom detection rules. |
| Custom Rules | v2/customRules/decisionFeature/deleted | GET | Retrieve a list of currently disabled custom detection rules. |
| Custom Rules | v2/customRules/rootCauses | GET | Retrieve a list of all available root causes. |
| Custom Rules | v2/customRules/getMalopDetectionTypes | GET | Retrieve a list of all available MalOp detection types for generated MalOps. |
| Custom Rules | v2/customRules/getMalopActivityTypes | GET | Retrieve a list of all available MalOp activity types for generated MalOps. |
| Custom Rules | v2/customRules/decisionFeature/create | POST | Create a custom detection rule. |
| Custom Rules | v2/customRules/decisionFeature/update | POST | Update an existing custom detection rule. |
| Custom Rules | v2/customRules/history/:rule id | GET | Get a list of modifications to a custom rule. |
| Reputations | classification/download | GET | Download a CSV list of reputations. |
| Reputations | classification/classify/:item key | GET | Retrieve platform threat intelligence for an item. |
| Reputations | classification/reputations/list | POST | Retrieve private threat intelligence for an item. |
| Reputations | classification/update | POST | Add or update a custom reputation for an item. |
| Threat Intel | classification_v1/file_batch | POST | Get threat intel information for a file. |
| Threat Intel | classification_v1/domain_batch | POST | Get threat intel information for a domain. |
| Threat Intel | classification_v1/ip_batch | POST | Get threat intel information for an IP address. |
| Threat Intel | download_v1/productClassifications | POST | Retrieve the list of product classifications used by the Cybereason platform. |
| Threat Intel | download_v1/process_classification | POST | Retrieve the list of process classifications used by the Cybereason platform. |
| Threat Intel | download_v1/process_hierarchy | POST | Retrieve the process hierarchy used by the Cybereason platform. |
| Threat Intel | download_v1/file_extension | POST | Retrieve the list of file extensions used by the Cybereason platform. |
| Threat Intel | download_v1/port | POST | Retrieve the list of port details used by the Cybereason platform. |
| Threat Intel | download_v1/const | POST | Retrieve the list of collections used by the Cybereason platform. |
| Threat Intel | download_v1/ip_reputations | POST | Retrieve the list of IP address reputations used by the Cybereason platform. |
| Threat Intel | download_v1/domain_reputation | POST | Retrieve the list of domain reputations used by the Cybereason platform. |
| Threat Intel | download_v1/:API name/service | POST | Check for reputation database updates. |
| Sensors | sensors/query | POST | Get a list of all sensors. |
| Sensors | sensors/allActions | GET | Retrieve a list of all current or queued actions on sensors. |
| Sensors | sensors/action/setRansomwareMode | POST | Set the Anti-Ransomware mode for a sensor. |
| Sensors | sensors/action/setPreventionMode | POST | Set the Application Control mode for a sensor. |
| Sensors | sensors/action/set-antimalware-status | POST | Set the Anti-Malware status for a sensor. |
| Sensors | sensors/action/set-PowershellProtection-status | POST | Set the PowerShell protection mode for a sensor. |
| Sensors | sensors/action/startCollection | POST | Start collection on a sensor. |
| Sensors | sensors/action/stopCollection | POST | Stop collection on a sensor. |
| Sensors | sensors/action/delete | POST | Delete a sensor. |
| Sensors | sensors/action/purgeSensors | POST | Remove a sensor from the Sensors list. |
| Sensors | sensors/action/revertPurgedSensors | POST | Restore a sensor that was removed from the Sensors list. |
| Sensors | sensors/action/restart | POST | Restart a sensor. |
| Sensors | sensors/action/fetchLogs | POST | Retrieve logs from a sensor and download them to the machine on which the sensor is installed. |
| Sensors | sensors/action/download-logs/:batchID | GET | Download logs to your machine. |
| Sensors | sensors/download/csv | GET | Download a CSV list of sensors. |
| Sensors | sensors/action/upgrade | POST | Upgrade the sensor to the latest version. |
| Sensors | sensors/abort/:batchID | POST | Abort any in-progress operations for the given batch ID. |
| Sensors | sensors/action/archive | POST | Archive a sensor. |
| Sensors | sensors/action/unarchive | POST | Remove a previously archived sensor from the archive. |
| Sensors | tagging/process_tags | POST | Create, update, or remove sensor tags. |
| Sensors | tagging/get/:machineName | GET | Retrieve a list of sensor tags for a specific sensor. |
| Sensors | groups | GET | Retrieve a list of all sensor groups. |
| Sensors | groups | POST | Create a sensor group. |
| Sensors | groups/:group ID | PUT | Edit a sensor group. |
| Sensors | sensors/action/addToGroup | POST | Add a sensor to a sensor group. |
| Sensors | sensors/action/removeFromGroup | POST | Remove a sensor from a sensor group. |
| Sensors | sensors/:group ID | DELETE | Delete a sensor group. |
| Sensors | sensors/action/schedulerScan | POST | Start or end a full or quick scan on a sensor. |
| Sensors | policies | POST | Create a sensor policy. |
| Sensors | policies | GET | Retrieve a list of sensor policies. |
| Sensors | policies/:policyID | GET | Retrieve details on a single sensor policy. |
| Isolation | settings/isolation-rule | GET | Retrieve a list of all isolation rules. |
| Isolation | settings/isolation-rule | POST | Create an isolation rule. |
| Isolation | settings/isolation-rule | PUT | Update an existing isolation rule. |
| Isolation | settings/isolation-rule/delete | POST | Delete an existing isolation rule. |
| Incident Response | irtools/upload | POST | Upload an incident response package to your environment and deploy it to machines. |
| Incident Response | sensors/action/getPackagesDeployment | POST | Check the status of an incident response tool deployment on a machine. |
| Incident Response | irtools/packages | GET | Retrieve a list of packages uploaded to your environment. |
| Incident Response | sensors/action/runIRTool | POST | Run an incident response tool on a machine. |
| Incident Response | sensors/action/getRunIRToolStatus/:batchID | GET | Check the status of an incident response tool execution. |
| Incident Response | sensors/action/getIRToolResults | POST | Retrieve results from an incident response tool execution on a machine. |
| Incident Response | irtools/delete | POST | Delete an incident response tool package and remove it from endpoint machines. |
| Incident Response | irtools/credentials | GET | Retrieve credentials for a GCP bucket containing your results. |
| Incident Response | forensics/forensicsTools | GET | Retrieve a list of supported forensics tool packages. |
| Incident Response | forensics/uploadForensicTool | POST | Deploy a forensic tool package. |
| Incident Response | forensics/getForensicToolDeploymentStatus | POST | Check the deployment status of a forensic tool package. |
| Incident Response | forensics/runForensicTool | POST | Run a forensic tool package. |
| Incident Response | forensics/runForensicToolWithInputFile | POST | Run a forensic tool package on sensors listed in a CSV file. |
| Incident Response | forensics/getForensicToolRunStatus/:batchId | POST | Check the execution status of a forensic tool package. |
| Incident Response | forensics/deleteForensicTool | POST | Remove a forensic tool package from your platform and endpoints. |
| User Management | users | GET | Retrieve a list of all users. |
| User Management | users/:username | POST | Create a user. |
| User Management | users/:username | PUT | Update user details. |
| User Management | users/:username | DELETE | Delete a user. |
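As an added example (not Cybereason's own SDK and not code from this page), the following Python builds request URLs from the rows above using the stated https://<your server>/rest prefix, percent-encodes path parameters so an untrusted ID cannot rewrite the path, and drives the start-then-poll-by-batch-ID pattern that fileSearch, fetchfile, download-logs, getRunIRToolStatus and getForensicToolRunStatus all share. Everything not on this page is an assumption: the response field `batchId`, the `status` values, the request body shape, and `send(method, url, body)`, which stands in for an already-authenticated HTTP session. `FakeTransport` is a constructed offline stand-in so the example runs without a server.

```python
"""Endpoint URL builder and batch-poll driver for the Cybereason REST table above.
Added illustration; the field names and transport are assumptions, not from the page."""
from typing import Any, Callable, Dict, List, Optional, Tuple
from urllib.parse import quote

BASE_PREFIX = "/rest"  # per the page: every endpoint is relative to https://<your server>/rest

# A subset of the table above; path parameters keep the page's ":name" form.
ENDPOINTS: Dict[str, Tuple[str, str]] = {
    "file_search_start":    ("POST", "sensors/action/fileSearch"),
    "file_search_results":  ("GET",  "sensors/action/fileSearch/:batch ID"),
    "file_search_csv":      ("GET",  "sensors/action/fileSearch/csv/:batch ID"),
    "malop_inbox":          ("POST", "detection/inbox"),
    "remediation_progress": ("GET",  "remediate/progress/:username/:malopId/:remediationId"),
}

# Assumed transport: an authenticated session that returns parsed JSON.
Transport = Callable[[str, str, Optional[dict]], Any]


def build_url(server: str, name: str, *params: str) -> Tuple[str, str]:
    """Return (method, absolute URL) for a table row, filling ':param' segments
    positionally. Values are percent-encoded (including '/'), so an attacker-
    controlled ID such as '../../users' stays a single path segment. A wrong
    parameter count is an error rather than a malformed request."""
    method, path = ENDPOINTS[name]
    segments = path.split("/")
    slots = [i for i, seg in enumerate(segments) if seg.startswith(":")]
    if len(slots) != len(params):
        raise ValueError(f"{name} needs {len(slots)} path parameter(s), got {len(params)}")
    for i, value in zip(slots, params):
        segments[i] = quote(str(value), safe="")
    return method, f"https://{server}{BASE_PREFIX}/" + "/".join(segments)


def run_batch_operation(send: Transport, server: str, start: str, status: str,
                        body: dict, *, max_polls: int = 20) -> Any:
    """Start an asynchronous sensor action, then poll its result by batch ID.
    `start` is a POST row that answers with a batch ID (assumed field 'batchId');
    `status` is a GET row that takes that ID as its path parameter."""
    method, url = build_url(server, start)
    started = send(method, url, body)
    batch_id = started["batchId"]  # assumed response field name
    for _ in range(max_polls):
        method, url = build_url(server, status, batch_id)
        result = send(method, url, None)
        if result.get("status") == "done":  # assumed status vocabulary
            return result
    raise TimeoutError(f"batch {batch_id} did not finish after {max_polls} polls")


class FakeTransport:
    """Constructed offline stand-in for a real session: records every call and
    answers the file-search start/poll sequence with canned JSON."""
    def __init__(self, polls_until_done: int = 2) -> None:
        self.calls: List[Tuple[str, str, Optional[dict]]] = []
        self._remaining = polls_until_done

    def __call__(self, method: str, url: str, body: Optional[dict]) -> Any:
        self.calls.append((method, url, body))
        if method == "POST" and url.endswith("/sensors/action/fileSearch"):
            return {"batchId": 1234}
        if method == "GET" and "/sensors/action/fileSearch/" in url:
            self._remaining -= 1
            if self._remaining > 0:
                return {"status": "in_progress"}
            return {"status": "done", "files": [{"path": "C:\\Temp\\dropper.exe"}]}
        raise AssertionError(f"unexpected call {method} {url}")


def demo() -> Tuple[Any, List[Tuple[str, str, Optional[dict]]]]:
    """Run one file search end to end against the fake transport."""
    transport = FakeTransport(polls_until_done=2)
    body = {"fileName": "dropper.exe"}  # constructed body; see the endpoint's own page for the real schema
    result = run_batch_operation(transport, "cr.example.internal",
                                 "file_search_start", "file_search_results", body)
    return result, transport.calls


if __name__ == "__main__":
    res, calls = demo()
    for m, u, _ in calls:
        print(m, u)
    print(res)
```

Against a real server, replace `FakeTransport` with a session-backed `send` and take the exact request and response field names from each endpoint's own page; the builder and poll loop do not change. Keeping the poll bounded by `max_polls` matters in automation: a batch that never reports completion (sensor offline, action aborted via sensors/abort/:batchID) should fail loudly rather than spin forever.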