Cybereason

Version: 2.3.0

The Cybereason Response Interface enables security teams to quickly respond to detected threats by killing processes and isolating machines.

Connect Cybereason with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Cybereason.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Cybereason Server Name: Server name for your Cybereason connection.
    • Cybereason Server Port: Server port for your Cybereason connection(usually 443 or 8443).
    • Email Address/Username: Username for Cybereason.
    • Password: Password to log in with.
  4. After you've entered all the details, click Connect.

Actions for Cybereason

Isolate Machine

Isolate Machine to respond to detected threats.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Column containing Machine Name or IP AddressColumn name from the parent table with the Machine Name or IP Address to isolate.Required
Data TypeData Type, either Machine Name or IP Address.Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message
{
   "has_error":true,
   "error":"Unable to find sensor for given Machine : 96.17.161.137"
}

Unisolate Machine

Unisolate Machine to respond to detected threats.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDesccriptionRequired
Column containing Machine Name or IP AddressColumn name from the parent table with the Machine Name or IP Address to unisolate.Required
Data TypeData Type, either Machine Name or IP Address.Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

Block Process

Globally prevents file with given hash from running.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Column containing HashesColumn name from the parent table with the hashes of files to prevent running.Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

Run Query

Run a query on the Cybereason deployment.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Query StringsQuery string (emulates request payload for the UI, viewable in a browser's developer tools).Required
Explode ResultsSelect the option to explode results in separate rows (default is True).Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: List of results

Run Dynamic Query

Run a dynamic query on the Cybereason deployment.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Query Column NameThe name of the column with the queries.Required
Explode ResultsSelect the option to explode results in separate rows (default is True).Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: List of results

Run Templated Query

Run a templated query on the Cybereason deployment.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Query TemplateThe query template, with optional variable substitution denoted by column names in double braces {{ and }}.Required
Explode ResultsSelect the option to explode results in separate rows (default is True).Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: List of results

Isolate Malop Machine

Isolates a machine or machines involved in a specific Malop.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Pylum IDsJinja-templated text containing the unique sensor ID the Cybereason platform uses for the machines to isolate. Example 'PYLUMCLIENT_INTERNAL_WIN_XP123456_0050568A74AC,PYLUMCLIENT_INTERNAL_WIN_XP5678_0050456757GH'Required
Malop IDJinja-templated text containing the GUID for the Malop with which the sensor is associated. Example '11.-4040827324870650429'Required

Output

JSON containing the following items:

{
    "PYLUMCLIENT_INTERNAL_WIN_XP012987_0050123A74AC": "Succeeded",
  	"has_error":false,
    "error":null
}

Set Reputation

Sets a custom, organization-specific reputation (whitelist or blacklist) for a file, IP address, or domain name.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
BodyJinja-templated JSON containing the body for the Cybereason API. Example '[{"keys": ["0aae5873aa0e9f80d3fa41524bef6825723b9e87"],"maliciousType": "whitelist","prevent": "true","remove": "false"}]'Required

Output

JSON containing the following items:

{
    "outcome":"success",
    "data":true,
  	"has_error":false,
    "error":null
}

Remediate Items

Remediates a specific process, file, or registry key if remediation is possible.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
BodyJinja-templated JSON containing the body for the Cybereason API. Example '{"malopId": "","initiatorUserName": "","actionsByMachine": {"": [{"targetId":"","actionType": ""}]}}'Required

Output

JSON containing the following items:

{
    "malopId": "11.2718161727221199870",
    "remediationId": "86f3faa1-bac0-4a17-9192-9d106b734664",
    "start": 1518604850656,
    "end": 1518604850744,
    "initiatingUser": "[email protected]",
    "statusLog": [
        {
            "machineId": "-1632138521.1198775089551518743",
            "targetId": null,
            "status": "SUCCESS",
            "actionType": "KILL_PROCESS",
            "timestamp": 1518604850714
        }
    ],
 	 	"has_error":false,
    "error":null
}

Retrieve All Malops

Returns details about all AI Hunt Malops and Endpoint Protection Malops in your environment.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Start TimeJinja-templated text containing the beginning time (in milliseconds) from which you want to retrieve Malops that were active (both created and updated). Default is batch start time. Example '1602240667000'Optional
End TimeJinja-templated text containing the ending time (in milliseconds) to which you want to retrieve Malops (both created and updated). Default is batch end time. Example '1602240667000'Optional
Additional Body ParamsJinja-templated JSON containing the body for the Cybereason API. Values specified here will override other fields (if provided). Example '{"groupIds":""}'Optional

Output

JSON containing the following items:

{
   "malops":[
      {
         "detectionEngines":[
            "SomeEngine"
         ],
         "lastUpdateTime":16844083456456,
         "labels":[
            
         ],
         "edr":false,
         "malopDetectionType":"MALICIOUS_PROCESS",
         "closerName":"[email protected]",
         "guid":"11.-3456743653548471",
         "machines":[
            {
               "displayName":"asdfasd",
               "isolated":false,
               "lastConnected":1684743334567,
               "connected":true,
               "empty":true,
               "osType":"WINDOWS",
               "guid":"345645.13456345643563",
               "@class":".MMMMMInboxModel"
            }
         ],
         "iconBase64":"",
         "group":"",
         "severity":"",
         "escalated":false,
         "detectionTypes":[
            "Malicious process behavior"
         ],
         "priority":"HIGH",
         "malopStatus":"Excluded",
         "decisionStatuses":[
            "Detected",
            "Prevented"
         ],
         "@class":".MalopInboxModel",
         "closed":true,
         "containers":[
            
         ],
         "status":"Excluded",
         "rootCauseElementType":"Process",
         "users":[
            {
               "admin":true,
               "guid":"0.-223452345",
               "displayName":"asdfasdf.tyuityu",
               "localSystem":false,
               "domainUser":false
            }
         ],
         "primaryRootCauseName":"powershell.exe",
         "malopSeverity":"",
         "rootCauseElementHashes":"f5d245f2f52d5235de8d052d4523d5234d9",
         "malopType":"MALICIOUS_PROCESS",
         "displayName":"2 Processes",
         "malopPriority":"HIGH",
         "malopCloseTime":168234523459,
         "creationTime":16823452345391,
         "empty":true,
         "rootCauseElementNamesCount":2
      }
   ],
   "has_error":false,
   "machineCounterModel":{
      "onlineCleanCount":1322,
      "offlineCleanCount":2618,
      "totalMachines":3940,
      "offlineInfectedCount":0,
      "onlineInfectedCount":0
   },
   "error":null
}

Get Malop Details

Returns details about a specified Endpoint Protection Malop.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Malop IDJinja-templated text containing the unique GUID string the Cybereason platform uses for the Malop. Example '11.-4040827324870650429'Required

Output

JSON containing the following items:

{
    "detectionEngines":[
      "SomeEngine"
    ],
    "lastUpdateTime":16844083456456,
    "labels":[

    ],
    "edr":false,
    "malopDetectionType":"MALICIOUS_PROCESS",
    "closerName":"[email protected]",
    "guid":"11.-3456743653548471",
    "machines":[
      {
        "displayName":"asdfasd",
        "isolated":false,
        "lastConnected":1684743334567,
        "connected":true,
        "empty":true,
        "osType":"WINDOWS",
        "guid":"345645.13456345643563",
        "@class":".MMMMMInboxModel"
      }
    ],
    "iconBase64":"",
    "group":"",
    "severity":"",
    "escalated":false,
    "detectionTypes":[
      "Malicious process behavior"
    ],
    "priority":"HIGH",
    "malopStatus":"Excluded",
    "decisionStatuses":[
      "Detected",
      "Prevented"
    ],
    "@class":".MalopInboxModel",
    "closed":true,
    "containers":[

    ],
    "status":"Excluded",
    "rootCauseElementType":"Process",
    "users":[
      {
        "admin":true,
        "guid":"0.-223452345",
        "displayName":"asdfasdf.tyuityu",
        "localSystem":false,
        "domainUser":false
      }
    ],
    "primaryRootCauseName":"powershell.exe",
    "malopSeverity":"",
    "rootCauseElementHashes":"f5d245f2f52d5235de8d052d4523d5234d9",
    "malopType":"MALICIOUS_PROCESS",
    "displayName":"2 Processes",
    "malopPriority":"HIGH",
    "malopCloseTime":168234523459,
    "creationTime":16823452345391,
    "empty":true,
    "rootCauseElementNamesCount":2,
    "has_error":false,
    "error":null
}

Get AI Hunt MalOp Details

Returns details about a specified AI hunt Malop details.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
BodyJinja-templated JSON containing the body for cybereason API. Example '{"totalResultLimit": 10000,"templateContext": "OVERVIEW","queryPath": [{"requestedType": "MalopProcess","guidList":["guid IDs for Malops"],"result": true,"filters": null}]}'Required

Output

JSON containing the following items:

{
   "failedServersInfo":{
      "onlineFailedServers":[
         
      ],
      "onlineFailedServersPercentage":0,
      "totalFailedServersPercentage":0,
      "offlineServers":[
         
      ]
   },
   "data":{
      "evidenceMap":{
         
      },
      "paginationToken":null,
      "quapiMeasurementData":{
         "totalQuapiQueryTime":[
            
         ],
         "timeToGetAdditionalData":[
            
         ],
         "timeToGetGuids":[
            
         ],
         "startTime":[
            
         ],
         "timeToGetData":[
            
         ],
         "endTime":[
            
         ]
      },
      "guids":[
         
      ],
      "resultIdToElementDataMap":{
         
      },
      "pathResultCounts":[
         {
            "featureDescriptor":{
               "elementInstanceType":"MalopProcess",
               "featureName":null
            },
            "count":0
         }
      ],
      "queryLimits":{
         "groupingFeature":{
            "elementInstanceType":"MalopProcess",
            "featureName":"self"
         },
         "totalResultLimit":10000,
         "perGroupLimit":0,
         "sortInGroupFeature":null,
         "perFeatureLimit":0
      },
      "queryTerminated":false,
      "totalPossibleResults":2,
      "suspicionsMap":{
         
      },
      "totalResults":0,
      "executionUUID":null,
      "guessedPossibleResults":0
   },
   "has_error":false,
   "error":null,
   "status":"SUCCESS",
   "failures":0,
   "hidePartialSuccess":false,
   "message":"",
   "expectedResults":2
}

Check Remediation Progress

Returns details on the progress of a specific remediation operation.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Malop IDJinja-templated text containing the GUID for the Malop with which the sensor is associated. Example '11.-4040827324870650429'Required
UsernameJinja-templated text containing the username.Required
Remediation IdJinja-templated text containing the remediation Id.Required

Output

JSON containing the following items:

{
    "malopId": 11.2718161727221199870,
    "remediationId": "86f3faa1-bac0-4a17-9192-9d106b734664",
    "start": 1518604850656,
    "end": 1518604850744,
    "initiatingUser": "[email protected]",
    "statusLog": [
                    {
                        "machineId": "-1632138521.1198775089551518743",
                        "targetId": null,
                        "status": "SUCCESS",
                        "actionType": "KILL_PROCESS",
                        "timestamp": 1518604850714
                    }
                  ],
    "error": null,
    "has_error": false
}

Get Custom Reputation

Returns details on custom reputations for all or a specific item from your organization’s private threat intelligence.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
BodyJinja-templated JSON containing the body for cybereason API. Example '{"filter": { "key": "", "reputationType": "", "isBlocking": true, "maliciousType": "", "includeExpired": true, "comment": "", "owningUser": "", "text": ""},"column": "", "order": "", "page": 0,"size": 20}'Required

Output

JSON containing the following items:

{
    "outcome":"success",
  	"error": null,
    "has_error": false,
    "data": {
                "reputations":
                                [
                                    {
                                        "key":"4df4308dd3c36cfee0fe11cfa4856165",
                                        "reputationType":"FILE",
                                        "isBlocking":true,
                                        "maliciousType":"blacklist",
                                        "comment":"registed by SOC",
                                        "expiration":1648674000000,
                                        "owningUser":"[email protected]",
                                        "firstSeen":1641378554120,
                                        "lastUpdated":1641487058169
                                    },
                                    {
                                        "key":"0f3491280f5492cd028eb9e6b8b1b930",
                                        "reputationType":"FILE",
                                        "isBlocking":true,
                                        "maliciousType":"blacklist",
                                        "comment":"registed by SOC",
                                        "expiration":-1,
                                        "owningUser":"[email protected]",
                                        "firstSeen":1641378554120,
                                        "lastUpdated":1641378554120
                                    },
                                    {
                                        "key":"db8a4847285b41d09aa90ecbd4290526",
                                        "reputationType":"FILE",
                                        "isBlocking":true,
                                        "maliciousType":"blacklist",
                                        "comment":"registed by SOC",
                                        "expiration":-1,
                                        "owningUser":"[email protected]"
                                        "firstSeen":1641378554120,
                                        "lastUpdated":1641487820991
                                    }
                                ],
                "total":760
            }
}

Release Notes

  • v2.3.0 - Added 2 new action: Get Custom Reputation and Check Remediation Progress.
  • v2.2.0 - Added 1 new action: Get AI Hunt MalOp Details.
  • v2.1.0 - Added 5 new actions: Isolate Malop Machine, Set Reputation, Remediate Items, Retrieve All Malops and Get Malop Details.
  • v2.0.0 - Updated architecture to support IO via filesystem