Cybereason

the cybereason connector enables seamless integration with swimlane turbine, allowing automated threat detection and response workflows cybereason is a leader in endpoint protection and cyber attack prevention the cybereason turbine connector enables users to automate the management of isolation rules, retrieve detailed threat intelligence, and conduct comprehensive scans across endpoints by integrating with cybereason, swimlane turbine users can enhance their security posture with streamlined incident response and proactive threat hunting capabilities, leveraging cybereason's powerful ai hunting engine and endpoint security features directly within their security workflows limitations none to date supported versions this cybereason connector uses the latest version api additional docs https //nest cybereason com/documentation/api documentation/all versions/log api https //nest cybereason com/documentation/api documentation/all versions/cybereason api guide configuration prerequisites to effectively utilize the cybereason connector within swimlane turbine, ensure you have the following prerequisites cybereason custom authentication with the following parameters url endpoint url for the cybereason api username your cybereason account username password your cybereason account password authentication methods custom authentication url the base url for your server, including port 8443, should be in the format https // 8443 username your cybereason username password the password for your cybereason username capabilities this cybereason connector provides the following capabilities create an isolation rule delete an isolation rule get ai hunting malops only get all malops get all malops for environments query sensors retrieve a list of isolation rules retrieve all malops of all types set anti malware mode set anti ransomware mode start or stop a full or quick scan update an isolation rule create an isolation rule creates an isolation exception rule you must have the l3 analyst or system admin role assigned to use this request cybereason documentation for this action can be found https //nest cybereason com/documentation/api documentation/all versions/create isolation exception rule delete an isolation rule deletes an isolation exception rule you must have the l3 analyst or system admin role assigned to use this request cybereason documentation for this action can be found https //nest cybereason com/documentation/api documentation/all versions/delete isolation exception rule get ai hunting malops only retrieve only the malops results from cybereason's ai hunting engine, using specified criteria in the json body when you are monitoring security threats in your environment, it is important to regularly view and respond to new or existing malops the cybereason api enables you to obtain a list of malops and see details about these malicious operations cybereason documentation for this action can be found https //developer atlassian com/cloud/jira/service desk/rest/api group request/#api rest servicedeskapi request post get all malops retrieve all malicious operation data from cybereason, including details and status for analysis and response cybereason documentation for this action can be found https //developer atlassian com/cloud/jira/service desk/rest/api group request/#api rest servicedeskapi request post get all malops for environments retrieve all malicious operations (malops) for environments using cybereason's new data platform infrastructure cybereason documentation for this action can be found https //developer atlassian com/cloud/jira/service desk/rest/api group request/#api rest servicedeskapi request post query sensors sends a request to return details on all or a selected group of sensors you are limited to retrieving 30,000 sensors in a single request you must be assigned the system admin role, system viewer, policy admin, sensor admin l1, or sensor viewer role (if your cybereason environment uses sensor grouping) to send requests to this endpoint url cybereason documentation for this action can be found https //nest cybereason com/documentation/api documentation/all versions/query sensors retrieve a list of isolation rules retrieves a list of all rules for isolating specific machines you must have the l3 analyst, system admin, system viewer, or sensor admin l1 role assigned to use this request cybereason documentation for this action can be found https //nest cybereason com/documentation/api documentation/all versions/retrieve isolation exeption rules retrieve all malops of all types returns details about all ai hunt malops and endpoint protection malops in your environment cybereason documentation for this action can be found https //nest cybereason com/documentation/api documentation/all versions/retrieve all malops all types legacy set anti malware mode sets the anti ransomware mode for all sensors or a group of filtered sensors you must be assigned the system admin role, policy admin, or sensor admin l1 role (if your cybereason environment uses sensor grouping) to send requests to this endpoint url cybereason documentation for this action can be found https //nest cybereason com/documentation/api documentation/all versions/set anti malware mode set anti ransomware mode sets the anti malware mode for all sensors or a group of filtered sensors you must be assigned the system admin role, policy admin, or sensor admin l1 role (if your cybereason environment uses sensor grouping) to send requests to this endpoint url cybereason documentation for this action can be found https //nest cybereason com/documentation/api documentation/all versions/set anti ransomware mode start or stop a full or quick scan retrieve only the malops results from cybereason's ai hunting engine, using specified criteria in the json body when you are monitoring security threats in your environment, it is important to regularly view and respond to new or existing malops the cybereason api enables you to obtain a list of malops and see details about these malicious operations cybereason documentation for this action can be found https //nest cybereason com/documentation/api documentation/all versions/start or stop full or quick scan update an isolation rule updates an isolation exception rule you must have the l3 analyst or system admin role assigned to use this request cybereason documentation for this action can be found https //nest cybereason com/documentation/api documentation/all versions/update isolation exception rule notes filter field example the filters field allows users to apply specific conditions when querying data each filter consists of the following attributes fieldname the name of the field to filter on (e g , "outdated") operator the comparison operator used for filtering (e g , "equals") values an array of values to compare against (e g , \["true"]) example "filters" \[ { "fieldname" "outdated", "operator" "equals", "values" \["true"] } ] for additional filter options, please check the action documentation under the request parameters section configurations cybereason custom authentication cybereason custom authentication using username and password configuration parameters parameter description type required url the base url for your server, including port 8443, should be in the format https // 8443 string required username your cybereason username string required password the password for your cybereason username string required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional actions create an isolation rule create an isolation exception rule in cybereason for a specified ip address, requiring an ip address string endpoint url /rest/settings/isolation rule method post input argument name type required description ipaddress string optional the ip address of the machine to which the rule applies ipaddressstring string optional the ip address of the machine to which the rule applies domain string optional domain port number optional optional if the ipaddressstring parameter exists the port by which cybereason communicates with an isolated machine, according to the rule direction string optional the direction of the allowed communication lastupdated number optional the epoch timestamp for the last update time for the rule blocking boolean optional states whether communication with the given ip or port is allowed set to true if communication is blocked input example {"json body" {"ipaddress" "aqebaq==","ipaddressstring" "1 1 1 1","domain" "localhost","port" 443,"direction" "incoming","lastupdated" 1523873848045,"blocking"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase ruleid string unique identifier ipaddress string output field ipaddress ipaddressstring string output field ipaddressstring domain string output field domain ports string output field ports direction string output field direction lastupdated number output field lastupdated groupids array unique identifier description string output field description lastupdatedby string output field lastupdatedby blocking boolean output field blocking output example {"status code" 200,"response headers" {"strict transport security" "max age=31536000;includesubdomains","x frame options" "deny","x content type options" "nosniff","cache control" "no cache, no store, must revalidate","vary" "accept encoding","content encoding" "gzip","content type" "application/json","content length" "205","date" "mon, 03 feb 2025 10 41 08 gmt","keep alive" "timeout=60","connection" "keep alive"},"reason" "","json body" {"ruleid" "67a09d441cefd54a538189be","ipaddress" "aqebag== delete an isolation rule removes a specific isolation exception rule in cybereason by utilizing the provided ruleid and lastupdated values endpoint url /rest/settings/isolation rule/delete method post input argument name type required description ruleid string optional id of isolation exception rule port number optional optional if the ipaddressstring parameter exists the port by which cybereason communicates with an isolated machine, according to the rule blocking boolean optional states whether communication with the given ip or port is allowed set to true if communication is blocked direction string optional the direction of the allowed communication lastupdated number optional the epoch timestamp for the last update time for the rule ipaddressstring string optional the ip address of the machine to which the rule applies input example {"json body" {"ruleid" "5859b3d0ae8eeb920e9d2f4e","port" 8443,"blocking"\ true,"direction" "all","lastupdated" 1525594605852,"ipaddressstring" "1 1 1 1"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"status code" 200,"response headers" {"strict transport security" "max age=31536000;includesubdomains","x frame options" "deny","x content type options" "nosniff","cache control" "no cache, no store, must revalidate","content length" "0","date" "mon, 03 feb 2025 10 27 10 gmt","keep alive" "timeout=60","connection" "keep alive"},"reason" "","response text" ""} get ai hunting malops only retrieve only the malops results from cybereason's ai hunting engine using specified criteria endpoint url /rest/crimes/unified method post input argument name type required description totalresultlimit number optional this parameter limits the total number of malops returned in the response if you want to speed up the response time and limit the stress on your servers, set this limit appropriately pergrouplimit number optional in some responses, if the response contains a large number of similar responses, these items are grouped accordingly to help you aggregate and view the results in a more efficient way perfeaturelimit number optional this is the number of responses for a specific feature templatecontext string optional parameter for get ai hunting malops only querypath array optional parameter for get ai hunting malops only querypath requestedtype string optional type of the resource querypath isresult boolean optional result of the operation querypath filters array optional parameter for get ai hunting malops only querypath filters facetname string optional name of the resource querypath filters filtertype string optional type of the resource querypath filters values array optional value for the parameter input example {"totalresultlimit" 123,"pergrouplimit" 123,"perfeaturelimit" 123,"templatecontext" "string","querypath" \[{"requestedtype" "string","isresult"\ true,"filters" \[{"facetname" "example name","filtertype" "string","values" \[123]}]}]} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data resultidtoelementdatamap object response data data resultidtoelementdatamap 11 5133381726858807240 object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues hasransomwaresuspendedprocesses object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues decisionfeature object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues rootcauseelementcompanyproduct object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues malopstarttime object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues detectiontype object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues malopactivitytypes object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues elementdisplayname object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues creationtime object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues isblocked object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues rootcauseelementtypes object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues rootcauseelementnames object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues maloplastupdatetime object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues allransomwareprocessessuspended object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues rootcauseelementhashes object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues managementstatus object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues closetime object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues closername object response data data resultidtoelementdatamap 11 5133381726858807240 simplevalues customclassification object response data data resultidtoelementdatamap 11 5133381726858807240 elementvalues object response data output example {"data" {"resultidtoelementdatamap" {"11 5133381726858807240" {},"11 3698575578138794465" {}},"suspicionsmap" {},"evidencemap" {},"totalresults" 123,"totalpossibleresults" 123,"guessedpossibleresults" 123,"querylimits" {"totalresultlimit" 123,"pergrouplimit" 123,"perfeaturelimit" 123,"groupingfeature" {},"sortingroupfeature" {}},"queryterminated"\ true,"pathresultcounts" \[{}],"guids" \["string"],"paginationtoken" {},"executionuuid" "string","quapimeasurementdata" {"timetogetguids" \[],"timetogetda get all malops gather comprehensive malicious operation data from cybereason, providing essential details for analysis and incident response endpoint url /rest/detection/inbox method post input argument name type required description starttime number optional time value endtime number optional time value input example {"json body" {"starttime" 1581621505486,"endtime" 1582226305530}} output parameter type description status code number http status code of the response reason string response reason phrase malops array output field malops machinecountermodel object output field machinecountermodel machinecountermodel totalmachines number output field machinecountermodel totalmachines machinecountermodel onlineinfectedcount number count value machinecountermodel onlinecleancount number count value machinecountermodel offlineinfectedcount number count value machinecountermodel offlinecleancount number count value output example {"status code" 200,"response headers" {"strict transport security" "max age=31536000;includesubdomains","x frame options" "deny","x content type options" "nosniff","cache control" "no cache, no store, must revalidate","vary" "accept encoding","content encoding" "gzip","content type" "application/json","content length" "113","date" "mon, 03 feb 2025 09 59 43 gmt","keep alive" "timeout=60","connection" "keep alive"},"reason" "","json body" {"malops" \[],"machinecountermodel" {"totalmachines" 475,"o get all malops for environments retrieve all malicious operations (malops) across environments from cybereason's data platform infrastructure endpoint url /rest/mmng/v2/malops method post input argument name type required description search object optional parameter for get all malops for environments search malop object optional parameter for get all malops for environments search malop guid string optional unique identifier range object optional parameter for get all malops for environments range from number optional parameter for get all malops for environments range to number optional parameter for get all malops for environments pagination object optional parameter for get all malops for environments pagination pagesize number optional parameter for get all malops for environments pagination offset number optional parameter for get all malops for environments federation object optional parameter for get all malops for environments federation groups array optional parameter for get all malops for environments sort array optional parameter for get all malops for environments sort field string optional parameter for get all malops for environments sort order string optional parameter for get all malops for environments input example {"json body" {"search" {"malop" {"guid" "tkljfbci55eytiwx"}},"range" {"from" 0,"to" 1687803548337},"pagination" {"pagesize" 50,"offset" 0},"federation" {"groups" \[]},"sort" \[{"field" "lastupdatetime","order" "desc"}]}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data pagesize number response data data pages number response data data offset number response data data totalhits number response data data token string response data data data array response data data data guid string response data data data displayname string response data data data creationtime number response data data data lastupdatetime number response data data data metadataupdatetime number response data data data decisionstatuses array response data data data detectionengines array response data data data mitretactics array response data data data mitretechniques array response data data data mitresubtechniques array response data data data rootcauseelementhashes array response data data data iocs array response data data data detectiontypes array response data data data labels array response data data data investigationstatus string response data data data closername object response data output example {"data" {"pagesize" 123,"pages" 123,"offset" 123,"totalhits" 123,"token" "string","data" \[{}]},"status" "active"} query sensors retrieve a specific subset of sensor details from cybereason using limit and offset parameters, with a maximum of 30,000 sensors endpoint url /rest/sensors/query method post input argument name type required description limit number optional the number of sensors to return in the list of sensors for the response the maximum limit for this parameter is 30,000 offset number optional the position in the list of sensors on which to start retrieving sensors for example, if you set the limit parameter to 100, if you set the offset parameter to 1, the list of sensors returned will begin with the sensor in the position 101 in the list set to 0 to receive the first limit set of sensors sortdirection string optional the order in which to receive results valid values are asc (ascending) or desc (descending) filters array optional an object containing details on the filter to apply to return a select group of sensors see readme for more details filters fieldname string optional name of the resource filters operator string optional use the following operators with the respective filters object, depending on the parameter you use in the filters object filters values array optional value for the parameter input example {"json body" {"limit" 1000,"offset" 0,"sortdirection" "asc","filters" \[{"fieldname" "ostype","operator" "equals","values" \["windows","linux"]}]}} output parameter type description status code number http status code of the response reason string response reason phrase totalresults number result of the operation sensorsstatus object status value sensorsstatus \@class string status value sensorsstatus onlinecount number status value sensorsstatus offlinecount number status value sensorsstatus stalecount number status value sensorsstatus archivedcount number status value sensorsstatus turnedoncount number status value sensorsstatus turnedoffcount number status value sensorsstatus suspendedcount number status value sensorsstatus advancedcount number status value sensorsstatus outdatedcount number status value sensorsstatus serviceerrorcount number status value sensors array output field sensors sensors sensorid string unique identifier sensors pylumid string unique identifier sensors guid string unique identifier sensors fqdn string output field sensors fqdn sensors machinename string name of the resource sensors internalipaddress string output field sensors internalipaddress sensors externalipaddress string output field sensors externalipaddress sensors sitename string name of the resource sensors siteid number unique identifier output example {"totalresults" 123,"sensorsstatus" {"@class" "string","onlinecount" 123,"offlinecount" 123,"stalecount" 123,"archivedcount" 123,"turnedoncount" 123,"turnedoffcount" 123,"suspendedcount" 123,"advancedcount" 123,"outdatedcount" 123,"serviceerrorcount" 123},"sensors" \[{"sensorid" "string","pylumid" "string","guid" "string","fqdn" "string","machinename" "example name","internalipaddress" "string","externalipaddress" "string","sitename" "example name","siteid" 123,"ransomwarestatus" "active","preven retrieve a list of isolation rules retrieve a comprehensive list of isolation rules configured within the cybereason platform endpoint url /rest/settings/isolation rule method get output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"cache control" "no cache, no store, must revalidate","strict transport security" "max age=31536000;includesubdomains","x frame options" "deny","x content type options" "nosniff","vary" "accept encoding","content encoding" "gzip","content type" "application/json","content length" "1049","date" "mon, 03 feb 2025 10 17 37 gmt","keep alive" "timeout=60","connection" "keep alive"},"reason" "","json body" \[{"ruleid" "5e859886e4b0ce8c6bed5012","ipaddress" "ndvlyw\ retrieve all malops of all types retrieves all ai hunt and endpoint protection malops from cybereason within a specified time range, using starttime and endtime parameters endpoint url /rest/detection/inbox method post input argument name type required description starttime number optional the beginning time (in milliseconds) from which you want to retrieve malop that were active (both created and updated) endtime number optional the ending time (in milliseconds) to which you want to retrieve malops (both created and updated) groupids string optional the group id(s) if the sensors from which you want to retrieve malops (from version 21 1 21 and later, for soc federation customers only) input example {"json body" {"starttime" 1581621505486,"endtime" 1582226305530,"groupids" "00000000 0000 0000 0000 000000000000"}} output parameter type description status code number http status code of the response reason string response reason phrase malops array output field malops malops guid string unique identifier malops status string status value malops displayname string name of the resource malops rootcauseelementtype string type of the resource malops rootcauseelementnamescount number name of the resource malops detectionengines array output field malops detectionengines malops detectiontypes array type of the resource malops malopdetectiontype string type of the resource malops machines array output field malops machines malops machines guid string unique identifier malops machines displayname string name of the resource malops machines ostype string type of the resource malops machines connected boolean output field malops machines connected malops machines isolated boolean output field malops machines isolated malops machines lastconnected number output field malops machines lastconnected malops users array output field malops users malops users guid string unique identifier malops users displayname string name of the resource malops users admin boolean output field malops users admin malops users localsystem boolean output field malops users localsystem malops users domainuser boolean output field malops users domainuser malops creationtime number time value output example {"status code" 200,"response headers" {"strict transport security" "max age=31536000;includesubdomains","x frame options" "deny","x content type options" "nosniff","cache control" "no cache, no store, must revalidate","vary" "accept encoding","content encoding" "gzip","content type" "application/json","content length" "113","date" "mon, 03 feb 2025 05 23 13 gmt","keep alive" "timeout=60","connection" "keep alive"},"reason" "","json body" {"malops" \[{}],"machinecountermodel" {"totalmachines" 104, set anti malware mode configures the anti malware mode in cybereason across sensors, utilizing the 'argument' parameter for specificity endpoint url /rest/sensors/action/set antimalware status method post input argument name type required description sensorsids array optional add the unique pylum id string value used for the sensor in the sensors ids filters array optional an object containing details on the filter to apply to return a select group of sensors see readme for more details filters fieldname string optional name of the resource filters operator string optional use the following operators with the respective filters object, depending on the parameter you use in the filters object filters values array optional value for the parameter argument object optional parameter for set anti malware mode argument ammode string required setting for the general anti malware mode possible values include disabled, enabled, set by policy argument avmode string required the setting for the anti malware signatures mode possible values include disabled, detect, disinfect, set by policy argument aidetectmode string required the setting for the ai (artificial intelligence) detect mode possible values include disabled, cautious, moderate, aggressive, set by policy argument aipreventmode string required the setting for the ai prevent mode possible values include disabled, cautious, moderate, aggressive input example {"json body" {"sensorsids" \["58ae74fae4b06dca39c1d4bc\ pylumclient internal cyberdemo7x64 005056a13a24"],"filters" \[{"fieldname" "ostype","operator" "equals","values" \["windows","linux"]}],"argument" {"ammode" "disabled","avmode" "disabled","aidetectmode" "disabled","aipreventmode" "disabled"}}} output parameter type description status code number http status code of the response reason string response reason phrase batchid number unique identifier actiontype string type of the resource actionarguments object output field actionarguments actionarguments \@class string output field actionarguments \@class actionarguments configurationitemlist array output field actionarguments configurationitemlist actionarguments configurationitemlist type string type of the resource actionarguments configurationitemlist name string name of the resource actionarguments configurationitemlist lastupdated number output field actionarguments configurationitemlist lastupdated actionarguments configurationitemlist modelsconfiguration array output field actionarguments configurationitemlist modelsconfiguration actionarguments configurationitemlist modelsconfiguration detectthresholdsmap object output field actionarguments configurationitemlist modelsconfiguration detectthresholdsmap actionarguments configurationitemlist modelsconfiguration detectthresholdsmap disabled number output field actionarguments configurationitemlist modelsconfiguration detectthresholdsmap disabled actionarguments configurationitemlist modelsconfiguration detectthresholdsmap cautious number output field actionarguments configurationitemlist modelsconfiguration detectthresholdsmap cautious actionarguments configurationitemlist modelsconfiguration detectthresholdsmap moderate number output field actionarguments configurationitemlist modelsconfiguration detectthresholdsmap moderate actionarguments configurationitemlist modelsconfiguration detectthresholdsmap aggressive number output field actionarguments configurationitemlist modelsconfiguration detectthresholdsmap aggressive actionarguments configurationitemlist modelsconfiguration preventthresholdsmap object output field actionarguments configurationitemlist modelsconfiguration preventthresholdsmap actionarguments configurationitemlist modelsconfiguration preventthresholdsmap disabled number output field actionarguments configurationitemlist modelsconfiguration preventthresholdsmap disabled actionarguments configurationitemlist modelsconfiguration preventthresholdsmap cautious number output field actionarguments configurationitemlist modelsconfiguration preventthresholdsmap cautious actionarguments configurationitemlist modelsconfiguration preventthresholdsmap moderate number output field actionarguments configurationitemlist modelsconfiguration preventthresholdsmap moderate actionarguments configurationitemlist modelsconfiguration preventthresholdsmap aggressive number output field actionarguments configurationitemlist modelsconfiguration preventthresholdsmap aggressive actionarguments configurationitemlist modelsconfiguration modelid string unique identifier actionarguments configurationitemlist modelsconfiguration reportthreshold number output field actionarguments configurationitemlist modelsconfiguration reportthreshold actionarguments configurationitemlist detectsensitivitylevel string output field actionarguments configurationitemlist detectsensitivitylevel actionarguments configurationitemlist preventsensitivitylevel string output field actionarguments configurationitemlist preventsensitivitylevel output example {"batchid" 123,"actiontype" "string","actionarguments" {"@class" "string","configurationitemlist" \[{}]},"globalstats" {"stats" {"started" 123,"primed" 123,"endedwithinvalidparam" 123,"timeout" 123,"disconnected" 123,"timeoutsending" 123,"succeeded" 123,"notsupported" 123,"chunksrequired" 123,"pending" 123,"gettingchunks" 123,"none" 123,"aborttimeout" 123,"unknownprobe" 123,"failedsending" 123}},"finalstate"\ true,"totalnumberofprobes" 123,"initiatoruser" "string","starttime" 123,"aborteruser" "st set anti ransomware mode configures the anti ransomware mode on cybereason sensors or a specific group with a given 'argument' endpoint url /rest/sensors/action/setransomwaremode method post input argument name type required description sensorsids array optional add the unique pylum id string value used for the sensor in the sensors ids filters array optional an object containing details on the filter to apply to return a select group of sensors see readme for more details filters fieldname string optional name of the resource filters operator string optional use the following operators with the respective filters object, depending on the parameter you use in the filters object filters values array optional value for the parameter argument string optional possible values include disable, detection only, suspend, remediate and default the default value is supported only for versions 17 5 and later input example {"json body" {"sensorsids" \["58ae74fae4b06dca39c1d4bc\ pylumclient internal cybersetup7x64 005056a13a24"],"filters" \[{"fieldname" "ostype","operator" "equals","values" \["windows","linux"]}],"argument" "suspend"}} output parameter type description status code number http status code of the response reason string response reason phrase batchid number unique identifier actiontype string type of the resource actionarguments array output field actionarguments globalstats object output field globalstats globalstats stats object output field globalstats stats globalstats stats failedsending number output field globalstats stats failedsending globalstats stats invalidstate number unique identifier globalstats stats proberemoved number output field globalstats stats proberemoved globalstats stats timeoutsending number output field globalstats stats timeoutsending globalstats stats pending number output field globalstats stats pending globalstats stats chunksrequired number output field globalstats stats chunksrequired globalstats stats msifilecorrupted number output field globalstats stats msifilecorrupted globalstats stats sendingmsi number output field globalstats stats sendingmsi globalstats stats newerinstalled number output field globalstats stats newerinstalled globalstats stats msisendfail number output field globalstats stats msisendfail globalstats stats partialresponse number output field globalstats stats partialresponse globalstats stats endedwithsensortimeout number output field globalstats stats endedwithsensortimeout globalstats stats failedsendingtoserver number output field globalstats stats failedsendingtoserver globalstats stats gettingchunks number output field globalstats stats gettingchunks globalstats stats aborted number output field globalstats stats aborted globalstats stats started number output field globalstats stats started globalstats stats inprogress number output field globalstats stats inprogress globalstats stats disconnected number output field globalstats stats disconnected output example {"status code" 200,"response headers" {"strict transport security" "max age=31536000;includesubdomains","x frame options" "deny","x content type options" "nosniff","cache control" "no cache, no store, must revalidate","vary" "accept encoding","content encoding" "gzip","content type" "application/json","content length" "2371","date" "mon, 03 feb 2025 07 16 22 gmt","keep alive" "timeout=60","connection" "keep alive"},"reason" "","json body" {"batchid" 1305541032,"actiontype" "setransomewaremode"," start or stop a full or quick scan initiates or halts a full or quick scan on cybereason sensors for all, groups, or specific targets endpoint url /rest/sensors/action/schedulerscan method post input argument name type required description sensorsids array optional add the unique pylum id string value used for the sensor in the sensors ids filters array optional an object containing details on the filter to apply to return a select group of sensors see readme for more details filters fieldname string optional name of the resource filters operator string optional use the following operators with the respective filters object, depending on the parameter you use in the filters object filters values array optional value for the parameter argument string optional possible values include full, quick, stop input example {"json body" {"sensorsids" \["611cb44ee4b0ad9947dd34fd\ pylumclient internal bb w10 19h2 005056a63271"],"filters" \[{"fieldname" "ostype","operator" "equals","values" \["windows","linux"]}],"argument" "quick"}} output parameter type description status code number http status code of the response reason string response reason phrase batchid number unique identifier actiontype string type of the resource actionarguments array output field actionarguments globalstats object output field globalstats globalstats stats object output field globalstats stats globalstats stats chunksrequired number output field globalstats stats chunksrequired globalstats stats succeeded number output field globalstats stats succeeded globalstats stats proberemoved number output field globalstats stats proberemoved globalstats stats endedwithtoomanyresults number result of the operation globalstats stats failedsending number output field globalstats stats failedsending globalstats stats timeoutsending number output field globalstats stats timeoutsending globalstats stats unknownprobe number output field globalstats stats unknownprobe globalstats stats failedsendingtoserver number output field globalstats stats failedsendingtoserver globalstats stats sendingplatform number output field globalstats stats sendingplatform globalstats stats badargument number output field globalstats stats badargument globalstats stats endedwithsensortimeout number output field globalstats stats endedwithsensortimeout globalstats stats uninstallerlaunchfailure number output field globalstats stats uninstallerlaunchfailure globalstats stats aborting number output field globalstats stats aborting globalstats stats osnotsupportedforuninstallation number output field globalstats stats osnotsupportedforuninstallation globalstats stats msifilecorrupted number output field globalstats stats msifilecorrupted globalstats stats upgradepackagedownloaded number output field globalstats stats upgradepackagedownloaded globalstats stats none number output field globalstats stats none globalstats stats missingpackagefromfilesystem number output field globalstats stats missingpackagefromfilesystem output example {"status code" 200,"response headers" {"strict transport security" "max age=31536000;includesubdomains","x frame options" "deny","x content type options" "nosniff","cache control" "no cache, no store, must revalidate","vary" "accept encoding","content encoding" "gzip","content type" "application/json","content length" "660","date" "mon, 03 feb 2025 09 44 40 gmt","keep alive" "timeout=60","connection" "keep alive"},"reason" "","json body" {"batchid" 458665084,"actiontype" "schedulerscan","actiona update an isolation rule updates an existing isolation exception rule in cybereason with a given rule id, ip address, and timestamp endpoint url /rest/settings/isolation rule method put input argument name type required description ruleid string optional a unique identifier for the rule ipaddressstring string optional the ip address of the machine to which the rule applies port number optional optional if the ipaddressstring parameter exists the port by which cybereason communicates with an isolated machine, according to the rule direction string optional the direction of the allowed communication lastupdated number optional the epoch timestamp for the last update time for the rule blocking boolean optional states whether communication with the given ip or port is allowed set to true if communication is blocked input example {"json body" {"ruleid" "5859b3d0ae8eeb920e9d2f4e","ipaddressstring" "1 1 1 1","port" 443,"direction" "incoming","lastupdated" 1523873848045,"blocking"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase ruleid string unique identifier ipaddress string output field ipaddress ipaddressstring string output field ipaddressstring domain string output field domain ports string output field ports direction string output field direction lastupdated number output field lastupdated groupids array unique identifier description string output field description lastupdatedby string output field lastupdatedby blocking boolean output field blocking output example {"status code" 200,"response headers" {"cache control" "no cache, no store, must revalidate","strict transport security" "max age=31536000;includesubdomains","x frame options" "deny","x content type options" "nosniff","vary" "accept encoding","content encoding" "gzip","content type" "application/json","content length" "203","date" "mon, 03 feb 2025 11 23 59 gmt","keep alive" "timeout=60","connection" "keep alive"},"reason" "","json body" {"ruleid" "67a09d441cefd54a538189be","ipaddress" "aqebag== response headers header description example cache control directives for caching mechanisms no cache, no store, must revalidate connection http response header connection keep alive content encoding http response header content encoding gzip content length the length of the response body in bytes 205 content type the media type of the resource application/json date the date and time at which the message was originated mon, 03 feb 2025 10 04 21 gmt duration http response header duration 198 keep alive http response header keep alive timeout=60 strict transport security http response header strict transport security max age=31536000;includesubdomains transfer encoding http response header transfer encoding chunked vary http response header vary accept encoding x content type options http response header x content type options nosniff x frame options http response header x frame options deny