Cybereason

Version: 2.0.0

The Cybereason Response Interface enables security teams to quickly respond to detected threats by killing processes and isolating machines.

Connect Cybereason with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Cybereason.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Cybereason Server Name: Server name for your Cybereason connection.
    • Cybereason Server Port: Server port for your Cybereason connection (usually 443 or 8443).
    • Email Address/Username: Username for Cybereason.
    • Password: Password to log in with.
  4. After you've entered all the details, click Connect.

Actions for Cybereason

Isolate Machine

Isolate Machine to respond to detected threats.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Column containing Machine Name or IP Address (Required): Column name from the parent table with the Machine Name or IP Address to isolate.
  • Data Type (Required): Data Type, either Machine Name or IP Address.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

Example output when the given machine cannot be matched to a sensor:

  {
     "has_error":true,
     "error":"Unable to find sensor for given Machine : 96.17.161.137"
  }

Unisolate Machine

Unisolate Machine to respond to detected threats.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Column containing Machine Name or IP Address (Required): Column name from the parent table with the Machine Name or IP Address to unisolate.
  • Data Type (Required): Data Type, either Machine Name or IP Address.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

Block Process

Globally prevents file with given hash from running.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Column containing Hashes (Required): Column name from the parent table with the hashes of files to prevent from running.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

Run Query

Run a query on the Cybereason deployment.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Query Strings (Required): Query string (emulates the request payload used by the UI, viewable in a browser's developer tools).
  • Explode Results (Required): Select the option to explode results into separate rows (default is True).

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: List of results

Run Dynamic Query

Run a dynamic query on the Cybereason deployment.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Query Column Name (Required): The name of the column with the queries.
  • Explode Results (Required): Select the option to explode results into separate rows (default is True).

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: List of results

Run Templated Query

Run a templated query on the Cybereason deployment.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Query Template (Required): The query template, with optional variable substitution denoted by column names in double braces {{ and }}.
  • Explode Results (Required): Select the option to explode results into separate rows (default is True).

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: List of results
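The following is an added illustration, not LogicHub's or Cybereason's own code, of how the Run Templated Query action's two inputs combine: each parent-table row fills the {{column}} placeholders of the template, the rendered query is executed, and the results are returned as has_error/error/result rows, either one row per result (Explode Results) or one row per query. The executor is a hypothetical stand-in for the Cybereason request; the sensor data and placeholder regex are constructed for the example, and whitespace inside the braces is tolerated as an assumption.

```python
import json
import re
from typing import Any, Callable

# Matches {{column_name}}; whitespace inside the braces is tolerated (assumption).
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def render_template(template: str, row: dict[str, Any]) -> str:
    """Replace every {{column}} with the row's value; a column the row lacks raises
    KeyError so a malformed parent table fails loudly instead of sending a broken query."""
    def _sub(match: re.Match) -> str:
        column = match.group(1)
        if column not in row:
            raise KeyError(f"template references missing column '{column}'")
        return str(row[column])
    return PLACEHOLDER.sub(_sub, template)


def run_templated_query(template: str, rows: list[dict[str, Any]],
                        execute: Callable[[str], list], explode: bool = True) -> list[dict]:
    """Render the template once per row, run it through `execute` (hypothetical stand-in
    for the Cybereason request) and emit has_error/error/result rows as the page documents."""
    output = []
    for row in rows:
        try:
            results = execute(render_template(template, row))
        except Exception as exc:  # render or request failure becomes one error row
            output.append({"has_error": True, "error": str(exc), "result": None})
            continue
        if explode:  # one output row per result item
            output.extend({"has_error": False, "error": None, "result": r} for r in results)
        else:        # one output row per query, carrying the whole list
            output.append({"has_error": False, "error": None, "result": results})
    return output


# Constructed sample data: a fake executor that only knows two machines.
SAMPLE_SENSORS = {"ws-01": ["sensor-a", "sensor-b"], "ws-02": ["sensor-c"]}


def fake_execute(query: str) -> list[str]:
    host = json.loads(query)["machine"]
    if host not in SAMPLE_SENSORS:
        raise ValueError(f"no sensor matched machine '{host}'")
    return SAMPLE_SENSORS[host]


if __name__ == "__main__":
    template = '{"machine": "{{hostname}}"}'
    rows = [{"hostname": "ws-01"}, {"hostname": "ws-02"}, {"hostname": "unknown"}]
    print(json.dumps(run_templated_query(template, rows, fake_execute), indent=1))
```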

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

© 2017-2021 LogicHub®. All Rights Reserved.