Technical Tip: Retrieving Files from Collectors by using Rest-API

Description

This article describes how to retrieve a file from a running collector by using Rest-API.

Scope

FortiEDR version 5 and above.

Solution

About Get-File API Command:

1. Login to the EDR console with the desired credentials.
2. To the end of the console address, add '/rest-ui' and press enter.
• As an Example: https://youredrconsoleaddress.com/rest-ui.
• Download the Open API Profiles: Select the Download button and save the file 'api-docs.json'.
3. From the top left corner of the web-page, locate the search bar and type 'get-file'.
4. Carefully inspect each parameter.
   
   

Recommended Rest-API Software Tool.

Postman: Download Link.

1. Select the 'Import' button located at the upper-left corner of the Postman application.
   
   
   • Upload the previously downloaded api-docs.json file.
     
     

2. Search for 'get-file'.
   
   

4. Edit Parameters according to the needs.

   • Encode the path using a query param encoder, such as https://www.coderstool.com/querystring-encode.
   • In this example, it will retrieve the system.ini file.
   • The path of the file will be converted to 'C:%5CWindows %5system.ini'.
     
     

5. For Authorization, make sure the user will have an API role assigned and select 'Basic Authentication'.

6. Once the result is retrieved successfully, save the response in a ***.zip file format.

    

7. Extract the file by using the 'enCrypted' zip password.

    

8. The file extracted will have ***.ensilo as an extension, modify and remove ***.ensilo.#.

    

9. Now the original file is restored and retrieved from the target host.