Cybereason

Version: 1.2.12

The Cybereason Response Interface enables security teams to quickly respond to detected threats by killing processes and isolating machines.

Connect Cybereason with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Cybereason.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Cybereason Server Name: Server name for your Cybereason connection.
    • Cybereason Server Port: Server port for your Cybereason connection (usually 443 or 8443).
    • Email Address/Username: Username for Cybereason.
    • Password: Password to log in with.
  4. After you've entered all the details, click Connect.

Actions for Cybereason

Isolate Machine

Isolate Machine to respond to detected threats.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Column containing Machine Name or IP Address (Required): Column name from the parent table with the Machine Name or IP Address to isolate.
  • Data Type (Required): Data Type, either Machine Name or IP Address.

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

For example, when no sensor matches the given machine:

{
   "has_error":true,
   "error":"Unable to find sensor for given Machine : 96.17.161.137"
}

Unisolate Machine

Unisolate Machine to respond to detected threats.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Column containing Machine Name or IP Address (Required): Column name from the parent table with the Machine Name or IP Address to unisolate.
  • Data Type (Required): Data Type, either Machine Name or IP Address.

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

Block Process

Globally prevents file with given hash from running.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Column containing Hashes (Required): Column name from the parent table with the hashes of files to prevent from running.

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

Run Query

Run a query on the Cybereason deployment.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Query Strings (Required): Query string (emulates the request payload sent by the UI, viewable in a browser's developer tools).
  • Explode Results (Required): Select the option to explode results into separate rows (default is True).

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • result: List of results

Run Dynamic Query

Run a dynamic query on the Cybereason deployment.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Query Column Name (Required): The name of the column with the queries.
  • Explode Results (Required): Select the option to explode results into separate rows (default is True).

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • result: List of results

Run Templated Query

Run a templated query on the Cybereason deployment.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Query Template (Required): The query template, with optional variable substitution denoted by column names in double braces {{ and }}.
  • Explode Results (Required): Select the option to explode results into separate rows (default is True).

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • result: List of results
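The following is an added illustration of how the Query Template and Explode Results inputs above combine with the has_error/error/result output shape; it is example code written for this page, not LogicHub's or Cybereason's implementation. It substitutes parent-table column values into {{column}} placeholders, escapes them for a JSON payload so a value cannot change the query's structure, and runs one query per row; the template's payload shape, fake_run_query and FAKE_SENSORS are constructed stand-ins for a real deployment.

```python
import json
import re

# Placeholder syntax from the page: a parent-table column name in double braces, e.g. {{machine_name}}.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")

def render_template(template, row):
    """Replace each {{column}} with the row's value, JSON-string-escaped so quotes or backslashes
    in a value cannot alter the payload's structure. Raises KeyError for a column the row lacks."""
    def substitute(match):
        column = match.group(1)
        if column not in row:
            raise KeyError(column)
        return json.dumps(str(row[column]))[1:-1]  # escaped text without the outer quotes
    return PLACEHOLDER.sub(substitute, template)

def run_templated_query(template, rows, run_query, explode=True):
    """Run one rendered query per parent row and return objects in the page's {has_error, error,
    result} shape; run_query is a hypothetical callable returning a list of hits for one query."""
    output = []
    for row in rows:
        try:
            query = render_template(template, row)
        except KeyError as exc:
            output.append({"has_error": True, "error": f"Missing column: {exc.args[0]}", "result": None})
            continue
        hits = run_query(query)
        if explode:  # Explode Results: every hit becomes its own output row
            output.extend({"has_error": False, "error": None, "result": hit} for hit in hits)
        else:        # otherwise the whole hit list is this row's single result
            output.append({"has_error": False, "error": None, "result": hits})
    return output

# Constructed stand-in for the deployment: a tiny sensor inventory keyed by host name.
FAKE_SENSORS = {"HOST-A": [{"sensorId": "s-1"}, {"sensorId": "s-2"}], "HOST-B": []}

def fake_run_query(query):
    """Parse the rendered JSON query and look the host up in the constructed inventory."""
    return FAKE_SENSORS.get(json.loads(query)["elementDisplayName"], [])

# Constructed template and parent-table rows; the payload shape is illustrative, not Cybereason's.
TEMPLATE = '{"elementDisplayName": "{{machine_name}}"}'
ROWS = [{"machine_name": "HOST-A"}, {"machine_name": "HOST-B"}, {"hostname": "HOST-C"}]

if __name__ == "__main__":
    for entry in run_templated_query(TEMPLATE, ROWS, fake_run_query, explode=True):
        print(json.dumps(entry))
```

Note that with Explode Results enabled a row whose query returns no hits contributes no output rows at all, while a row whose template references a missing column still yields an error row.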
