Cybereason
Version: 2.3.7
The Cybereason Response Interface enables security teams to quickly respond to detected threats by killing processes and isolating machines.
Connect Cybereason with LogicHub
- Navigate to Automations > Integrations.
- Search for Cybereason.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- Cybereason Server Name: Server name for your Cybereason connection.
- Cybereason Server Port: Server port for your Cybereason connection (usually 443 or 8443).
- Email Address/Username: Username for Cybereason.
- Password: Password to log in with.
 
- After you've entered all the details, click Connect.
Actions for Cybereason
Isolate Machine
Isolate Machine to respond to detected threats.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Column containing Machine Name or IP Address | Column name from the parent table with the Machine Name or IP Address to isolate. | Required | 
| Data Type | Data Type, either Machine Name or IP Address. | Required | 
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message
{
   "has_error":true,
   "error":"Unable to find sensor for given Machine : 96.17.161.137"
}
Unisolate Machine
Unisolate Machine to respond to detected threats.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Column containing Machine Name or IP Address | Column name from the parent table with the Machine Name or IP Address to unisolate. | Required | 
| Data Type | Data Type, either Machine Name or IP Address. | Required | 
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message
Block Process
Globally prevents a file with the given hash from running.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Column containing Hashes | Column name from the parent table with the hashes of files to prevent running. | Required | 
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message
Run Query
Run a query on the Cybereason deployment.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Query Strings | Query string (emulates request payload for the UI, viewable in a browser's developer tools). | Required | 
| Explode Results | Select the option to explode results in separate rows (default is True). | Required | 
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of results
Run Dynamic Query
Run a dynamic query on the Cybereason deployment.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Query Column Name | The name of the column with the queries. | Required | 
| Explode Results | Select the option to explode results in separate rows (default is True). | Required | 
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of results
Run Templated Query
Run a templated query on the Cybereason deployment.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Query Template | The query template, with optional variable substitution denoted by column names in double braces {{ and }}. | Required | 
| Explode Results | Select the option to explode results in separate rows (default is True). | Required | 
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of results
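The Query Template input above substitutes parent-table column values into double-brace placeholders before the query is sent. The helper below is an added example, not LogicHub's own Jinja renderer: it shows the substitution and the check a practitioner wants around it, namely that every referenced column exists and that a column value containing a quote cannot break the JSON payload. The field names inside the template are taken from the page's Get AI Hunt MalOp Details body example; the column names `limit` and `malop_guid` are assumptions for this demo.

```python
import json
import re

# Constructed template in the shape the Run Templated Query action accepts:
# column names in double braces embedded in a query payload. Column names
# are assumptions for this example.
TEMPLATE = (
    '{"totalResultLimit": {{limit}}, "templateContext": "OVERVIEW", '
    '"queryPath": [{"requestedType": "MalopProcess", '
    '"guidList": ["{{ malop_guid }}"], "result": true, "filters": null}]}'
)

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def render_query(template: str, row: dict) -> dict:
    """Substitute {{column}} placeholders from one parent-table row and
    return the parsed JSON payload.

    Numbers and booleans are emitted as bare JSON literals; everything else
    is emitted through json.dumps with the surrounding quotes stripped, so a
    quote or backslash in a column value stays inside the string it was
    placed in. Unknown columns raise instead of silently sending an empty
    or malformed query.
    """
    def substitute(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"template references missing column {name!r}")
        value = row[name]
        if isinstance(value, (int, float, bool)):
            return json.dumps(value)            # bare JSON literal
        return json.dumps(str(value))[1:-1]     # escaped, without quotes

    rendered = PLACEHOLDER.sub(substitute, template)
    return json.loads(rendered)  # ValueError if the result is still not JSON


if __name__ == "__main__":
    row = {"limit": 10000, "malop_guid": "11.-4040827324870650429"}
    print(json.dumps(render_query(TEMPLATE, row), indent=2))
```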
Isolate Malop Machine
Isolates a machine or machines involved in a specific Malop.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Pylum IDs | Jinja-templated text containing the unique sensor ID the Cybereason platform uses for the machines to isolate. Example 'PYLUMCLIENT_INTERNAL_WIN_XP123456_0050568A74AC,PYLUMCLIENT_INTERNAL_WIN_XP5678_0050456757GH' | Required | 
| Malop ID | Jinja-templated text containing the GUID for the Malop with which the sensor is associated. Example '11.-4040827324870650429' | Required | 
Output
JSON containing the following items:
{
    "PYLUMCLIENT_INTERNAL_WIN_XP012987_0050123A74AC": "Succeeded",
    "has_error":false,
    "error":null
}
Set Reputation
Sets a custom, organization-specific reputation (whitelist or blacklist) for a file, IP address, or domain name.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Body | Jinja-templated JSON containing the body for the Cybereason API. Example '[{"keys": ["0aae5873aa0e9f80d3fa41524bef6825723b9e87"],"maliciousType": "whitelist","prevent": "true","remove": "false"}]' | Required | 
Output
JSON containing the following items:
{
    "outcome":"success",
    "data":true,
    "has_error":false,
    "error":null
}
Remediate Items
Remediates a specific process, file, or registry key if remediation is possible.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Body | Jinja-templated JSON containing the body for the Cybereason API. Example '{"malopId": "","initiatorUserName": "","actionsByMachine": {"": [{"targetId":"","actionType": ""}]}}' | Required | 
Output
JSON containing the following items:
{
    "malopId": "11.2718161727221199870",
    "remediationId": "86f3faa1-bac0-4a17-9192-9d106b734664",
    "start": 1518604850656,
    "end": 1518604850744,
    "initiatingUser": "[email protected]",
    "statusLog": [
        {
            "machineId": "-1632138521.1198775089551518743",
            "targetId": null,
            "status": "SUCCESS",
            "actionType": "KILL_PROCESS",
            "timestamp": 1518604850714
        }
    ],
    "has_error":false,
    "error":null
}
Retrieve All Malops
Returns details about all AI Hunt Malops and Endpoint Protection Malops in your environment.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Start Time | Jinja-templated text containing the beginning time (in milliseconds) from which you want to retrieve Malops that were active (both created and updated). Default is batch start time. Example '1602240667000' | Optional | 
| End Time | Jinja-templated text containing the ending time (in milliseconds) to which you want to retrieve Malops (both created and updated). Default is batch end time. Example '1602240667000' | Optional | 
| Additional Body Params | Jinja-templated JSON containing the body for the Cybereason API. Values specified here will override other fields (if provided). Example '{"groupIds":""}' | Optional | 
Output
JSON containing the following items:
{
   "malops":[
      {
         "detectionEngines":[
            "SomeEngine"
         ],
         "lastUpdateTime":16844083456456,
         "labels":[
            
         ],
         "edr":false,
         "malopDetectionType":"MALICIOUS_PROCESS",
         "closerName":"[email protected]",
         "guid":"11.-3456743653548471",
         "machines":[
            {
               "displayName":"asdfasd",
               "isolated":false,
               "lastConnected":1684743334567,
               "connected":true,
               "empty":true,
               "osType":"WINDOWS",
               "guid":"345645.13456345643563",
               "@class":".MMMMMInboxModel"
            }
         ],
         "iconBase64":"",
         "group":"",
         "severity":"",
         "escalated":false,
         "detectionTypes":[
            "Malicious process behavior"
         ],
         "priority":"HIGH",
         "malopStatus":"Excluded",
         "decisionStatuses":[
            "Detected",
            "Prevented"
         ],
         "@class":".MalopInboxModel",
         "closed":true,
         "containers":[
            
         ],
         "status":"Excluded",
         "rootCauseElementType":"Process",
         "users":[
            {
               "admin":true,
               "guid":"0.-223452345",
               "displayName":"asdfasdf.tyuityu",
               "localSystem":false,
               "domainUser":false
            }
         ],
         "primaryRootCauseName":"powershell.exe",
         "malopSeverity":"",
         "rootCauseElementHashes":"f5d245f2f52d5235de8d052d4523d5234d9",
         "malopType":"MALICIOUS_PROCESS",
         "displayName":"2 Processes",
         "malopPriority":"HIGH",
         "malopCloseTime":168234523459,
         "creationTime":16823452345391,
         "empty":true,
         "rootCauseElementNamesCount":2
      }
   ],
   "has_error":false,
   "machineCounterModel":{
      "onlineCleanCount":1322,
      "offlineCleanCount":2618,
      "totalMachines":3940,
      "offlineInfectedCount":0,
      "onlineInfectedCount":0
   },
   "error":null
}
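The Retrieve All Malops output above carries, per Malop, the `closed` and `malopPriority` fields and, per machine, `connected` and `isolated`. The triage helper below is an added example (not LogicHub or Cybereason code) of how a playbook can turn that output into a containment list for the Isolate Machine action: it refuses to proceed when `has_error` is set, skips closed or low-priority Malops and already-isolated machines, and keeps offline machines on a separate follow-up list rather than dropping them. The sample output, host names and GUIDs are constructed.

```python
import json

# Constructed sample in the shape of the Retrieve All Malops output shown
# above, trimmed to the fields the triage reads; host names and GUIDs are
# made up for this example.
SAMPLE_OUTPUT = json.loads("""
{
  "has_error": false,
  "error": null,
  "malops": [
    {"guid": "11.-3456743653548471", "closed": true, "malopPriority": "HIGH",
     "primaryRootCauseName": "powershell.exe",
     "machines": [{"displayName": "host-a", "connected": true, "isolated": false}]},
    {"guid": "11.-1111111111111111", "closed": false, "malopPriority": "HIGH",
     "primaryRootCauseName": "mshta.exe",
     "machines": [{"displayName": "host-b", "connected": true, "isolated": false},
                  {"displayName": "host-c", "connected": false, "isolated": false},
                  {"displayName": "host-d", "connected": true, "isolated": true}]},
    {"guid": "11.-2222222222222222", "closed": false, "malopPriority": "LOW",
     "primaryRootCauseName": "notepad.exe",
     "machines": [{"displayName": "host-e", "connected": true, "isolated": false}]}
  ]
}
""")


def containment_candidates(output: dict, priorities=("HIGH",)) -> dict:
    """Split the machines of open Malops at the given priorities into those
    that can be isolated now (online, not yet isolated) and those that are
    offline and need follow-up once their sensor reconnects.

    Raises if the action itself failed, so a playbook never treats an error
    row as "nothing to contain".
    """
    if output.get("has_error"):
        raise RuntimeError(f"Retrieve All Malops failed: {output.get('error')}")
    isolate_now, offline = [], []
    for malop in output.get("malops", []):
        if malop.get("closed") or malop.get("malopPriority") not in priorities:
            continue
        for machine in malop.get("machines", []):
            if machine.get("isolated"):
                continue  # already contained
            target = (malop["guid"], machine["displayName"])
            (isolate_now if machine.get("connected") else offline).append(target)
    return {"isolate_now": isolate_now, "offline": offline}


if __name__ == "__main__":
    print(json.dumps(containment_candidates(SAMPLE_OUTPUT), indent=2))
```

The `displayName` values in `isolate_now` are the machine names a parent table can feed to the Isolate Machine action with Data Type set to Machine Name.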
Get Malop Details
Returns details about a specified Endpoint Protection Malop.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Malop ID | Jinja-templated text containing the unique GUID string the Cybereason platform uses for the Malop. Example '11.-4040827324870650429' | Required | 
Output
JSON containing the following items:
{
    "detectionEngines":[
      "SomeEngine"
    ],
    "lastUpdateTime":16844083456456,
    "labels":[
    ],
    "edr":false,
    "malopDetectionType":"MALICIOUS_PROCESS",
    "closerName":"[email protected]",
    "guid":"11.-3456743653548471",
    "machines":[
      {
        "displayName":"asdfasd",
        "isolated":false,
        "lastConnected":1684743334567,
        "connected":true,
        "empty":true,
        "osType":"WINDOWS",
        "guid":"345645.13456345643563",
        "@class":".MMMMMInboxModel"
      }
    ],
    "iconBase64":"",
    "group":"",
    "severity":"",
    "escalated":false,
    "detectionTypes":[
      "Malicious process behavior"
    ],
    "priority":"HIGH",
    "malopStatus":"Excluded",
    "decisionStatuses":[
      "Detected",
      "Prevented"
    ],
    "@class":".MalopInboxModel",
    "closed":true,
    "containers":[
    ],
    "status":"Excluded",
    "rootCauseElementType":"Process",
    "users":[
      {
        "admin":true,
        "guid":"0.-223452345",
        "displayName":"asdfasdf.tyuityu",
        "localSystem":false,
        "domainUser":false
      }
    ],
    "primaryRootCauseName":"powershell.exe",
    "malopSeverity":"",
    "rootCauseElementHashes":"f5d245f2f52d5235de8d052d4523d5234d9",
    "malopType":"MALICIOUS_PROCESS",
    "displayName":"2 Processes",
    "malopPriority":"HIGH",
    "malopCloseTime":168234523459,
    "creationTime":16823452345391,
    "empty":true,
    "rootCauseElementNamesCount":2,
    "has_error":false,
    "error":null
}
Get AI Hunt MalOp Details
Returns details about a specified AI Hunt Malop.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Body | Jinja-templated JSON containing the body for the Cybereason API. Example '{"totalResultLimit": 10000,"templateContext": "OVERVIEW","queryPath": [{"requestedType": "MalopProcess","guidList":["guid IDs for Malops"],"result": true,"filters": null}]}' | Required | 
Output
JSON containing the following items:
{
   "failedServersInfo":{
      "onlineFailedServers":[],
      "onlineFailedServersPercentage":0,
      "totalFailedServersPercentage":0,
      "offlineServers":[]
   },
   "data":{
      "evidenceMap":{},
      "paginationToken":null,
      "quapiMeasurementData":{
         "totalQuapiQueryTime":[],
         "timeToGetAdditionalData":[],
         "timeToGetGuids":[],
         "startTime":[],
         "timeToGetData":[],
         "endTime":[]
      },
      "guids":[],
      "resultIdToElementDataMap":{},
      "pathResultCounts":[
         {
            "featureDescriptor":{
               "elementInstanceType":"MalopProcess",
               "featureName":null
            },
            "count":0
         }
      ],
      "queryLimits":{
         "groupingFeature":{
            "elementInstanceType":"MalopProcess",
            "featureName":"self"
         },
         "totalResultLimit":10000,
         "perGroupLimit":0,
         "sortInGroupFeature":null,
         "perFeatureLimit":0
      },
      "queryTerminated":false,
      "totalPossibleResults":2,
      "suspicionsMap":{},
      "totalResults":0,
      "executionUUID":null,
      "guessedPossibleResults":0
   },
   "has_error":false,
   "error":null,
   "status":"SUCCESS",
   "failures":0,
   "hidePartialSuccess":false,
   "message":"",
   "expectedResults":2
}
Check Remediation Progress
Returns details on the progress of a specific remediation operation.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Malop ID | Jinja-templated text containing the GUID for the Malop with which the sensor is associated. Example '11.-4040827324870650429' | Required | 
| Username | Jinja-templated text containing the username. | Required | 
| Remediation Id | Jinja-templated text containing the remediation Id. | Required | 
Output
JSON containing the following items:
{
    "malopId": "11.2718161727221199870",
    "remediationId": "86f3faa1-bac0-4a17-9192-9d106b734664",
    "start": 1518604850656,
    "end": 1518604850744,
    "initiatingUser": "[email protected]",
    "statusLog": [
        {
            "machineId": "-1632138521.1198775089551518743",
            "targetId": null,
            "status": "SUCCESS",
            "actionType": "KILL_PROCESS",
            "timestamp": 1518604850714
        }
    ],
    "error": null,
    "has_error": false
}
Get Custom Reputation
Returns details on custom reputations for all or a specific item from your organization’s private threat intelligence.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required | 
|---|---|---|
| Body | Jinja-templated JSON containing the body for the Cybereason API. Example '{"filter": { "key": "", "reputationType": "", "isBlocking": true, "maliciousType": "", "includeExpired": true, "comment": "", "owningUser": "", "text": ""},"column": "", "order": "", "page": 0,"size": 20}' | Required | 
Output
JSON containing the following items:
{
    "outcome":"success",
    "error": null,
    "has_error": false,
    "data": {
        "reputations": [
            {
                "key":"4df4308dd3c36cfee0fe11cfa4856165",
                "reputationType":"FILE",
                "isBlocking":true,
                "maliciousType":"blacklist",
                "comment":"registed by SOC",
                "expiration":1648674000000,
                "owningUser":"[email protected]",
                "firstSeen":1641378554120,
                "lastUpdated":1641487058169
            },
            {
                "key":"0f3491280f5492cd028eb9e6b8b1b930",
                "reputationType":"FILE",
                "isBlocking":true,
                "maliciousType":"blacklist",
                "comment":"registed by SOC",
                "expiration":-1,
                "owningUser":"[email protected]",
                "firstSeen":1641378554120,
                "lastUpdated":1641378554120
            },
            {
                "key":"db8a4847285b41d09aa90ecbd4290526",
                "reputationType":"FILE",
                "isBlocking":true,
                "maliciousType":"blacklist",
                "comment":"registed by SOC",
                "expiration":-1,
                "owningUser":"[email protected]",
                "firstSeen":1641378554120,
                "lastUpdated":1641487820991
            }
        ],
        "total":760
    }
}
Release Notes
- v2.3.07: Improved error handling during authentication.
- v2.3.0: Added 2 new actions: Get Custom Reputation and Check Remediation Progress.
- v2.2.0: Added 1 new action: Get AI Hunt MalOp Details.
- v2.1.0: Added 5 new actions: Isolate Malop Machine, Set Reputation, Remediate Items, Retrieve All Malops and Get Malop Details.
- v2.0.0: Updated architecture to support IO via filesystem.