Cybereason
Version: 2.0.0
The Cybereason Response Interface enables security teams to quickly respond to detected threats by killing processes and isolating machines.
Connect Cybereason with LogicHub
- Navigate to Automations > Integrations.
- Search for Cybereason.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate). Leave it enabled wherever possible: with verification off, the username and password below are sent to whatever answers at the configured server name and port.
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- Cybereason Server Name: Server name for your Cybereason connection.
- Cybereason Server Port: Server port for your Cybereason connection (usually 443 or 8443).
- Email Address/Username: Username for Cybereason.
- Password: Password to log in with.
- After you've entered all the details, click Connect.
Actions for Cybereason
Isolate Machine
Isolate a machine from the network to contain a detected threat.
Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
Input Name | Description | Required |
---|---|---|
Column containing Machine Name or IP Address | Column name from the parent table with the Machine Name or IP Address to isolate. | Required |
Data Type | Type of the values in the chosen column, either Machine Name or IP Address. One type applies to the whole column. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message
Example output row for a target with no reachable sensor. The failure is reported in the row rather than by the action as a whole, so a playbook must check has_error before treating the machine as contained:
{
"has_error":true,
"error":"Unable to find sensor for given Machine : 96.17.161.137"
}
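The two points above (one Data Type for the whole column, and per-row error reporting) are easy to get wrong in a playbook. The following added example, which is illustrative code and not part of LogicHub or Cybereason, shows a small pre- and post-processing step around Isolate Machine: it splits a mixed target column into the two Data Type groups, then reads the action's output rows and reports which targets are still not contained. It assumes that output rows come back in the same order as the input column (the page does not state this); the sample rows are constructed, shaped like the output documented above.

```python
import ipaddress

# Isolate/Unisolate take a single Data Type for the whole input column, so a column
# that mixes hostnames and IP addresses has to be split into two runs of the action.
def split_by_data_type(values):
    """Group target strings by the Data Type value each one needs."""
    groups = {"IP Address": [], "Machine Name": []}
    for raw in values:
        value = raw.strip()
        if not value:
            continue
        try:
            ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
            groups["IP Address"].append(value)
        except ValueError:
            groups["Machine Name"].append(value)
    return groups


# The action reports failure per row (has_error / error) instead of failing the
# whole step, so every row has to be read before a host is treated as contained.
def containment_status(targets, rows):
    """Map each target to ('isolated', message) or ('not_isolated', reason).

    Assumption (not stated on the page): output rows are in the same order as
    the values of the input column.
    """
    if len(targets) != len(rows):
        raise ValueError(f"expected {len(targets)} output rows, got {len(rows)}")
    status = {}
    for target, row in zip(targets, rows):
        if row.get("has_error"):
            # A missing "result" key (as in the documented error row) is fine here.
            status[target] = ("not_isolated", row.get("error") or "unknown error")
        else:
            status[target] = ("isolated", row.get("result") or "")
    return status


def not_contained(status):
    """Targets that still need follow-up after the action ran."""
    return sorted(t for t, (state, _) in status.items() if state != "isolated")


# Constructed sample data, shaped like the documented output; not real output.
SAMPLE_TARGETS = ["96.17.161.137", "WS-01"]
SAMPLE_ROWS = [
    {"has_error": True, "error": "Unable to find sensor for given Machine : 96.17.161.137"},
    {"has_error": False, "error": None, "result": "Success"},
]

if __name__ == "__main__":
    print(split_by_data_type(SAMPLE_TARGETS))
    status = containment_status(SAMPLE_TARGETS, SAMPLE_ROWS)
    print(status)
    print("needs follow-up:", not_contained(status))
```

In a playbook, the list returned by not_contained is the set of hosts to escalate to an analyst; a target that Cybereason cannot map to a sensor is not isolated, even though the action itself completed.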
Unisolate Machine
Remove a previously applied isolation from a machine and restore its network access.
Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
Input Name | Description | Required |
---|---|---|
Column containing Machine Name or IP Address | Column name from the parent table with the Machine Name or IP Address to unisolate. | Required |
Data Type | Type of the values in the chosen column, either Machine Name or IP Address. One type applies to the whole column. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message
Block Process
Globally prevents files with the given hashes from running. The prevention applies across the whole deployment, not to a single machine, so confirm that each hash identifies the specific malicious file before blocking it.
Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
Input Name | Description | Required |
---|---|---|
Column containing Hashes | Column name from the parent table with the hashes of files to prevent running. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message
Run Query
Run a query on the Cybereason deployment.
Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
Input Name | Description | Required |
---|---|---|
Query Strings | The query, in the form of the request payload that the Cybereason UI sends for the same search (capture it from the Network tab of the browser's developer tools). | Required |
Explode Results | Select this option to emit each result as a separate row (default is True). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of results
Run Dynamic Query
Run a dynamic query on the Cybereason deployment.
Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
Input Name | Description | Required |
---|---|---|
Query Column Name | Name of the column in the parent table whose values are the queries to run, one query per row. | Required |
Explode Results | Select this option to emit each result as a separate row (default is True). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of results
Run Templated Query
Run a templated query on the Cybereason deployment.
Input Field
Choose a connection that you have previously created, then fill in the following input fields to run the action.
Input Name | Description | Required |
---|---|---|
Query Template | The query template, with optional variable substitution: a column name in double braces ({{ and }}) is replaced by that column's value from each row of the parent table. | Required |
Explode Results | Select this option to emit each result as a separate row (default is True). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of results
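Because a templated query is a request payload with column values substituted into it (the same double-brace placeholder syntax as Reference Values above), a value that contains quotes or brackets can change the structure of the query rather than just its data. The following added example, illustrative code and not LogicHub's implementation, shows the difference between plain text substitution and substitution that JSON-escapes every value and refuses to emit a payload that no longer parses. The template shape and its field names are constructed for the example and are not taken from the page or verified against the Cybereason API; placeholders are assumed to sit inside quotes in the template.

```python
import json
import re

# Placeholder syntax from the page: a column name in double braces, e.g. {{sha1}}.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


def naive_render(template, row):
    """Plain text substitution: the obvious reading of the placeholder syntax."""
    return PLACEHOLDER.sub(lambda m: str(row[m.group(1)]), template)


def render_query(template, row):
    """Substitute column values so the rendered query is still well-formed JSON.

    Each value is escaped as a JSON string literal, so quotes, backslashes or
    brackets inside a value cannot close the string early and add or alter
    query structure. Placeholders must sit inside quotes in the template.
    """
    def escaped(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"template references a column not in the row: {name}")
        # json.dumps yields a quoted literal; drop its outer quotes because the
        # template already supplies them around the placeholder.
        return json.dumps(str(row[name]))[1:-1]

    rendered = PLACEHOLDER.sub(escaped, template)
    json.loads(rendered)  # fail closed: never send a payload that is not valid JSON
    return rendered


def parse_query(text):
    """Parse a rendered query back into Python to inspect what the server would see."""
    return json.loads(text)


# Constructed template (illustrative field names, not a verified Cybereason payload).
SAMPLE_TEMPLATE = (
    '{"requestedType": "File", "filters": [{"facetName": "sha1String", '
    '"values": ["{{sha1}}"]}], "machineName": "{{host}}"}'
)
BENIGN_ROW = {"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "host": "WS-01"}
# A constructed hostile value: it closes the values array and adds a new key.
HOSTILE_ROW = {"sha1": 'x"], "evil": ["y', "host": "WS-01"}

if __name__ == "__main__":
    print("naive:   ", naive_render(SAMPLE_TEMPLATE, HOSTILE_ROW))
    print("escaped: ", render_query(SAMPLE_TEMPLATE, HOSTILE_ROW))
```

With the hostile row, naive_render produces a payload that still parses but now carries an injected "evil" filter key, while render_query keeps the whole value inside the intended string. The check matters most when the parent table is populated from untrusted data such as alert fields or file names.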
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem