Cybereason

The Cybereason Response Interface enables security teams to quickly respond to detected threats by killing processes and isolating machines.

Integration with LogicHub

Connecting with Cybereason

To connect with Cybereason, the following details are required:

  • Label: Connection name.
  • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  • Cybereason Server Name: Server name for your Cybereason connection.
  • Cybereason Server Port: Server port for your Cybereason connection (usually 443 or 8443).
  • Email Address/Username: Username for Cybereason.
  • Password: Password to log in with.

Actions with Cybereason

Isolate Machine

Isolate Machine to respond to detected threats.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Column containing Machine Name or IP Address: Column name from the parent table with the Machine Name or IP Address to isolate.
  • Data Type: Data Type, either Machine Name or IP Address.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

Example output when no sensor matches the given machine:

{
   "has_error":true,
   "error":"Unable to find sensor for given Machine : 96.17.161.137"
}

Unisolate Machine

Unisolate Machine to respond to detected threats.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Column containing Machine Name or IP Address: Column name from the parent table with the Machine Name or IP Address to unisolate.
  • Data Type: Data Type, either Machine Name or IP Address.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

Block Process

Globally prevents file with given hash from running.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Column containing Hashes: Column name from the parent table with the hashes of files to prevent running.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

Run Query

Run a query on the Cybereason deployment.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Query Strings: Query string (the same request payload the Cybereason UI sends, which can be captured in a browser's developer tools).
  • Explode Results: Select the option to explode results in separate rows (default is True).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of results

Run Dynamic Query

Run a dynamic query on the Cybereason deployment.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Query Column Name: The name of the column with the queries.
  • Explode Results: Select the option to explode results in separate rows (default is True).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of results

Run Templated Query

Run a templated query on the Cybereason deployment.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Query Template: The query template, with optional variable substitution denoted by column names in double braces {{ and }}.
  • Explode Results: Select the option to explode results in separate rows (default is True).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of results
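The following is an added example (not LogicHub's or Cybereason's own code) showing how a templated query could resolve {{column}} placeholders from a parent-table row, wrap the outcome in the has_error/error/result JSON shape documented above, and explode a result list into separate rows. The JSON-escaping of substituted values, the send() transport callback and the sample template are assumptions made for the example.

```python
import json
import re
from typing import Any, Callable, Dict, List

# Matches {{column_name}} as documented for Run Templated Query.
# Assumption: column names are limited to letters, digits and underscores.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


def render_query(template: str, row: Dict[str, Any]) -> str:
    """Replace every {{column}} with the row's value for that column.

    Values are JSON-encoded (without the surrounding quotes) so a value
    containing quotes or backslashes cannot break the request payload.
    A missing column raises ValueError instead of silently sending the
    literal placeholder to the server.
    """
    def substitute(match):
        column = match.group(1)
        if column not in row:
            raise ValueError(f"template references unknown column: {column}")
        return json.dumps(str(row[column]))[1:-1]

    return PLACEHOLDER.sub(substitute, template)


def run_templated_query(template: str, row: Dict[str, Any],
                        send: Callable[[str], List[Any]]) -> Dict[str, Any]:
    """Build the action's output envelope: has_error, error, result."""
    try:
        query = render_query(template, row)
        return {"has_error": False, "error": None, "result": send(query)}
    except ValueError as exc:
        return {"has_error": True, "error": str(exc), "result": None}


def explode_results(envelope: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Explode Results = True: one output row per item in the result list."""
    if envelope["has_error"] or not envelope["result"]:
        return [envelope]
    return [{"has_error": False, "error": None, "result": item}
            for item in envelope["result"]]


if __name__ == "__main__":
    # Constructed sample row and template (not Cybereason's real query format).
    row = {"hostname": 'ws-01"', "md5": "d41d8cd98f00b204e9800998ecf8427e"}
    template = '{"machine":"{{hostname}}","hash":"{{md5}}"}'
    env = run_templated_query(template, row, lambda q: [{"q": q}])
    print(json.dumps(explode_results(env), indent=2))
```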
