...

Cybereason exposes REST API resources to extract data such as:

Resource type: Malop API
Definition: Returns the list of MalOps. A MalOp (malicious operation) gives a contextualized view of the full narrative of an attack, correlated across all impacted endpoints.
Endpoint: https://<your server address>:<port>/rest/crimes/unified
Devo table: edr.cybereason.api_malop

Resource type: Malware API
Definition: Returns details on malware currently in your environment. Malware is any software intentionally designed to disrupt a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or unknowingly interfere with the user's computer security and privacy.
Endpoint: https://<your server address>:<port>/rest/malware/query
Devo table: edr.cybereason.api_malware

Information about the endpoints

...

To pull logs from the Cybereason endpoint you need the following parameters:

Host: The service address of the Cybereason installation.
Port: The service port of the Cybereason installation.
Username: Your Cybereason service username.
Password: Your Cybereason service password.

With this information, the Cybereason collector can be configured later.

...

Once the data source is configured, you can either send us the required information so that we host and manage the collector for you (Cloud collector), or deploy and host the collector on your own machine using a Docker image (On-premise collector).

Cloud collector

The Collector Server is a managed platform that allows running sets of different collectors grouped by Devo domain destinations.

To run an instance of this data collector, follow these steps:

  1. In the Collector Server GUI, access the domain where you want to create this instance, click Add Collector, search for “Cybereason - Integrations Factory”, then click on the result.

  2. In the Version field, select the latest value.

  3. In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).

  4. In the Parameters section, set the Collector Parameters as follows:

Info: Replace the placeholders <username>, <password>, <host>, and <port> with the values obtained in the previous sections of this document. The <short_unique_identifier> placeholder can take any value you choose.

Collector services detail

```json
{
  "cybereason": {
    "id": "<short_unique_identifier>",
    "enabled": true,
    "credentials": {
      "username": "<username>",
      "password": "<password>"
    },
    "endpoint": {
      "host": "<host_value>",
      "port": "<port_value>"
    },
    "services": {
      "malop": {
        "request_period_in_seconds": 300,
        "tag": "edr.cybereason.api_malop",
        "start_time": "<YYYY-mm-DDTHH:MM:SS.sssZ>"
      },
      "malware": {
        "request_period_in_seconds": 300,
        "tag": "edr.cybereason.api_malware"
      }
    }
  }
}
```

Info: The value chosen for the id field is used internally to give each collector instance its own independent persistence area.

On-premise collector

This data collector runs as a Docker container, so it can be run on any machine that has the Docker service available. The following sections explain how to prepare everything required to get the data collector running.

Structure

Create the following directory structure before running the collector:

```text
<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/
            └── config.yaml
```

Note: Replace <product_name> with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA, and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

Note: Replace <product_name> with the proper value.

Editing the config.yaml file

```yaml
globals:
  debug: false
  id: not_used
  name: cybereason
  persistence:
    type: filesystem
    config:
      directory_name: state

outputs:
  console_1:
    type: console

inputs:
  cybereason:
    id: <short_unique_id>
    enabled: true
    endpoint:
      host: "<host.to.cybereason.ext>"
      port: "<port>"
    credentials:
      username: "<username>"
      password: "<password>"
    services:
      malop:
        request_period_in_seconds: 300
        tag: edr.cybereason.api_malop
        # Quoted so YAML keeps it as a string, matching the Cloud collector JSON above.
        start_time: "2021-10-29T00:00:00.000Z"
      malware:
        request_period_in_seconds: 300
        tag: edr.cybereason.api_malware
```

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table, and verify the SHA-256 hash of the downloaded file against the published value before loading it:

Collector Docker image: collector-cybereason_if-docker-image-1.4.0
SHA-256 hash: e5c8bb77414b3231e2fc3e31d7983f18a20434cab223b4477fd96bb46ea778f8

Use the following command to add the Docker image to the system:

```shell
gunzip -c <image_file>-<version>.tgz | docker load
```

Note: Replace <image_file> and <version> with the proper values. Once the image is imported, docker load prints the real name of the Docker image (including version info), which is needed in the next step.
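The hash check and directory layout described above, as an added example that is not part of the Devo documentation: the script verifies the downloaded .tgz against the SHA-256 published on this page, confirms the certs/, state/ and config/config.yaml layout, and refuses to load an image while a <placeholder> is still left in config.yaml. The script name load_collector.sh and the argument order are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Devo documentation): verify the collector image
# against the published SHA-256 before loading it, and sanity-check the
# on-premise directory layout and config.yaml from this page.
set -eu

# Digest published on this page for collector-cybereason_if-docker-image-1.4.0.
EXPECTED_SHA256="e5c8bb77414b3231e2fc3e31d7983f18a20434cab223b4477fd96bb46ea778f8"

# sha256_of FILE: prints the hex digest using sha256sum, or shasum as fallback.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_image FILE EXPECTED: succeeds only when the digests match exactly.
verify_image() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# check_layout DIR: succeeds when certs/ (with chain.crt and a .key file),
# state/ and config/config.yaml exist under DIR, as the container volumes expect.
check_layout() {
  [ -f "$1/certs/chain.crt" ] || return 1
  [ -d "$1/state" ] || return 1
  [ -f "$1/config/config.yaml" ] || return 1
  for k in "$1"/certs/*.key; do [ -f "$k" ] && return 0; done
  return 1
}

# check_placeholders FILE: succeeds when no <...> placeholder remains in FILE.
check_placeholders() {
  ! grep -q '<[A-Za-z0-9_.]*>' "$1"
}

# Usage (assumed): ./load_collector.sh <image_file>-<version>.tgz [collector_dir]
if [ $# -ge 1 ]; then
  dir=${2:-.}
  verify_image "$1" "$EXPECTED_SHA256" || { echo "SHA-256 mismatch for $1" >&2; exit 1; }
  check_layout "$dir" || { echo "incomplete layout under $dir" >&2; exit 1; }
  check_placeholders "$dir/config/config.yaml" || { echo "placeholders left in config.yaml" >&2; exit 1; }
  gunzip -c "$1" | docker load
fi
```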

The Docker image can be deployed on the following services:

Docker

Execute the following command in the root directory <any_directory>/devo-collectors/<product_name>/:

```shell
docker run \
  --name collector-<product_name> \
  --volume "$PWD/certs:/devo-collector/certs" \
  --volume "$PWD/config:/devo-collector/config" \
  --volume "$PWD/state:/devo-collector/state" \
  --env CONFIG_FILE=config.yaml \
  --rm \
  --interactive \
  --tty \
  <image_name>:<version>
```

Note: Replace <product_name>, <image_name> and <version> with the proper values.

Docker Compose

The following Docker Compose file can be used to run the Docker container. Create it in the <any_directory>/devo-collectors/<product_name>/ directory.

```yaml
version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      # Not part of the directory structure above; create it or drop this mount.
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}
```

To run the container with docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

```shell
IMAGE_VERSION=<version> docker-compose up -d
```

Note: Replace <product_name>, <image_name> and <version> with the proper values.

...

Release: v1.4.0
Release type: IMPROVEMENT
Details:
  • Upgrade DC SDK to the latest version 1.11.1
  • Upgrade the Docker base image to 1.2.0
Recommendations: Recommended version

Release: v1.3.0
Release type: IMPROVEMENT
Details:
  • Upgraded DCSDK from 1.9.1 to 1.10.2
Recommendations: Update