Endpoint Protection


Using REST API for getting suspicious files from endpoints - need help

  • 1.  Using REST API for getting suspicious files from endpoints - need help

    Posted Apr 30, 2018 04:31 AM

    Hi folks,

     

    I was trying to implement this mechanism in my integration:
    https://support.symantec.com/en_US/article.TECH239975.html
    (Endpoint Protection 14 REST API support for deleting or fetching a file based on hash value)

    Unfortunately I got into a dead end; maybe you can give a tip on how to move further. Here's what I did:

    I use Postman for API tests. I'm able to authenticate against /api/v1/identity/authenticate and I get a token back. The next step is to order SEPM to go to the endpoint and grab the file using:

    /api/v1/command-queue/files?file_path=c:\windows\notepad.exe&computer_ids=C[...CUT...]3&sha256=933E1778B2760B3A9194C2799D7B76052895959C3CAEDEFB4E9D764CBB6AD3B5 

    All I get as a return is a command_ID. Great. After some time I can see that the command was executed successfully in the SEPM console. Now I would like to download the file (e.g. for further analysis), but according to the article I need a file_ID for that - /api/v1/command-queue/file/{file_id}/content

    The question is... where to get file_id?

    Did anyone actually successfully implement the mechanism from the article?
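    The flow described in the post (authenticate, queue the fetch command, download by file_id, then check the hash), as an added Python example that is not code from the thread or from Symantec. Everything beyond the three URLs named above is an assumption and is marked as such in the code: that the authenticate response carries the token in a JSON field named "token", that the token goes in an "Authorization: Bearer" header, that the command-queue call is a POST whose response has a "commandID" field, and that the caller already has the file_id (where it comes from is exactly the open question of the thread, so the example takes it as a parameter). The transport is injected so the flow can be exercised offline against a constructed fake; the one check worth keeping in any real integration is the SHA-256 comparison of the downloaded bytes against the hash that was requested.

```python
"""Added example: SEPM command-queue file fetch flow with an injectable transport.
All endpoint field names, the header scheme and the HTTP method are ASSUMPTIONS
(the thread only confirms the URL paths); the fake transport is constructed."""
import hashlib
import json
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# A transport takes (method, url, headers, body) and returns (status, response bytes).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def build_fetch_url(base: str, file_path: str, computer_id: str, sha256: str) -> str:
    """Build the command-queue URL from the thread. The post pastes a raw Windows
    path into the query string; urlencode percent-encodes the backslashes, colon
    and any spaces so the path survives the wire intact."""
    query = urlencode({"file_path": file_path, "computer_ids": computer_id, "sha256": sha256})
    return base.rstrip("/") + "/sepm/api/v1/command-queue/files?" + query


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest().upper()


def verify_sha256(data: bytes, expected: str) -> bool:
    """True only if the downloaded bytes are the file that was asked for."""
    return sha256_hex(data) == expected.strip().upper()


class SepmFileFetcher:
    def __init__(self, base_url: str, transport: Transport):
        self.base = base_url.rstrip("/")
        self.transport = transport
        self.token: Optional[str] = None

    def authenticate(self, username: str, password: str, domain: str = "") -> str:
        body = json.dumps({"username": username, "password": password, "domain": domain}).encode()
        status, payload = self.transport(
            "POST", self.base + "/sepm/api/v1/identity/authenticate",
            {"Content-Type": "application/json"}, body)
        if status != 200:
            raise RuntimeError(f"authenticate failed with HTTP {status}")
        self.token = json.loads(payload)["token"]  # ASSUMED field name
        return self.token

    def _auth_headers(self) -> Dict[str, str]:
        if not self.token:
            raise RuntimeError("call authenticate() first")
        return {"Authorization": "Bearer " + self.token}  # ASSUMED header scheme

    def request_file(self, file_path: str, computer_id: str, sha256: str) -> str:
        """Queue the fetch command; returns the command id the post mentions."""
        url = build_fetch_url(self.base, file_path, computer_id, sha256)
        status, payload = self.transport("POST", url, self._auth_headers(), None)  # ASSUMED: POST
        if status != 200:
            raise RuntimeError(f"command-queue request failed with HTTP {status}")
        return json.loads(payload)["commandID"]  # ASSUMED field name

    def download(self, file_id: str, expected_sha256: str) -> bytes:
        """Download by file_id and refuse anything whose hash is not the one requested."""
        url = f"{self.base}/sepm/api/v1/command-queue/file/{file_id}/content"
        status, payload = self.transport("GET", url, self._auth_headers(), None)
        if status != 200:
            raise RuntimeError(f"content download failed with HTTP {status}")
        if not verify_sha256(payload, expected_sha256):
            raise ValueError(f"hash mismatch: wanted {expected_sha256}, got {sha256_hex(payload)}")
        return payload


def make_fake_transport(stored: bytes, file_id: str = "FILE-ID-PLACEHOLDER") -> Transport:
    """Constructed stand-in for SEPM so the flow runs offline; not real server behaviour."""
    def transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]):
        if url.endswith("/identity/authenticate") and method == "POST":
            return 200, json.dumps({"token": "fake-token"}).encode()
        if headers.get("Authorization") != "Bearer fake-token":
            return 401, b""
        if "/command-queue/files?" in url:
            return 200, json.dumps({"commandID": "CMD-1"}).encode()
        if url.endswith(f"/command-queue/file/{file_id}/content"):
            return 200, stored
        return 404, b""
    return transport


if __name__ == "__main__":
    sample = b"constructed sample file bytes"
    fetcher = SepmFileFetcher("https://sepm.example.invalid:8446", make_fake_transport(sample))
    fetcher.authenticate("admin", "password")
    cmd = fetcher.request_file(r"c:\windows\notepad.exe", "COMPUTER-ID-PLACEHOLDER", sha256_hex(sample))
    data = fetcher.download("FILE-ID-PLACEHOLDER", sha256_hex(sample))
    print(cmd, len(data), "bytes, hash verified")
```

    Against a real SEPM the transport would wrap an HTTPS client that validates the server certificate; the fake only exists so the sequence of calls and the hash check can be exercised without a server.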



  • 2.  RE: Using REST API for getting suspicious files from endpoints - need help

    Posted Apr 30, 2018 12:44 PM
    Do you have an ATP license? I believe this feature only works if you have ATP:Endpoint in your environment


  • 4.  RE: Using REST API for getting suspicious files from endpoints - need help

    Posted May 01, 2018 02:21 AM

    All API calls separately work fine - the file is grabbed to SEPM (according to the console, check the screen shot), and I believe it is somewhere there. The only problem is where to take the value from - because all I get back is just a command_id.

    The original article doesn't mention this, that's why I ask if anyone actually implemented this method.



  • 5.  RE: Using REST API for getting suspicious files from endpoints - need help

    Posted May 01, 2018 08:23 AM

    What's the status of this cmd? Were you able to get the file in the first place?

    We tried running this cmd last time; we were unable to fetch the file, as the debug.log would always say "source file not found"



  • 6.  RE: Using REST API for getting suspicious files from endpoints - need help

    Posted May 01, 2018 09:59 AM

    @Rafeeq:

    I'm using this query for testing, and in SEPM I see "success" status after some time:

    https://<URL_HERE>:8446/sepm/api/v1/command-queue/files?file_path=c:\windows\notepad.exe&computer_ids=<COMP_ID_HERE>&sha256=933E1778B2760B3A9194C2799D7B76052895959C3CAEDEFB4E9D764CBB6AD3B5

     

    I got the same error as you when I didn't give a full path. Didn't test much yet, because I first need an opportunity to actually grab the file from SEPM... which I currently don't have.



  • 7.  RE: Using REST API for getting suspicious files from endpoints - need help

    Posted May 01, 2018 10:55 AM
    I would check with support if you actually can get the file without ATP. With ATP the file is available within the ATP console that comes with the ATP appliance.


  • 9.  RE: Using REST API for getting suspicious files from endpoints - need help

    Posted May 02, 2018 04:19 AM

    I think SEPM will assign a file ID once it's able to grab the file.. I will check from my end as well; I didn't use the API much due to the documentation.



  • 10.  RE: Using REST API for getting suspicious files from endpoints - need help

    Posted Oct 06, 2020 12:07 PM
    Edited by sschaupp Oct 06, 2020 12:10 PM
    Check this one out (SEPM API only):
    https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=f3220c40-52df-44c2-b1b8-25407545f8f0