The Cybereason Response Interface enables security teams to quickly respond to detected threats by killing processes and isolating machines.
Connect Cybereason with Devo SOAR
Navigate to Automations > Integrations.
Search for Cybereason.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
Cybereason Server Name: Server name for your Cybereason connection.
Cybereason Server Port: Server port for your Cybereason connection(usually 443 or 8443).
Email Address/Username: Username for Cybereason.
Password: Password to log in with.
After you've entered all the details, click Connect.
Actions for Cybereason
Isolate Machine
Isolate Machine to respond to detected threats.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Column containing Machine Name or IP Address | Column name from the parent table with the Machine Name or IP Address to isolate. | Required |
Data Type | Data Type, either Machine Name or IP Address. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Success/Failure message
``` {json}{ "has_error":true, "error":"Unable to find sensor for given Machine : 96.17.161.137" }
## Unisolate Machine
Unisolate Machine to respond to detected threats.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Desccription | Required |
| :------------------------------------------- | :---------------------------------------------------------------------------------- | :------- |
| Column containing Machine Name or IP Address | Column name from the parent table with the Machine Name or IP Address to unisolate. | Required |
| Data Type | Data Type, either Machine Name or IP Address. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message
## Block Process
Globally prevents file with given hash from running.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :----------------------- | :----------------------------------------------------------------------------- | :------- |
| Column containing Hashes | Column name from the parent table with the hashes of files to prevent running. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message
## Run Query
Run a query on the Cybereason deployment.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :-------------- | :------------------------------------------------------------------------------------------- | :------- |
| Query Strings | Query string (emulates request payload for the UI, viewable in a browser's developer tools). | Required |
| Explode Results | Select the option to explode results in separate rows (default is True). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of results
## Run Dynamic Query
Run a dynamic query on the Cybereason deployment.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :---------------- | :----------------------------------------------------------------------- | :------- |
| Query Column Name | The name of the column with the queries. | Required |
| Explode Results | Select the option to explode results in separate rows (default is True). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of results
## Run Templated Query
Run a templated query on the Cybereason deployment.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :-------------- | :-------------------------------------------------------------------------------------------------------------------------------- | :------- |
| Query Template | The query [template](doc:jinja-template), with optional variable substitution denoted by column names in double braces {{ and }}. | Required |
| Explode Results | Select the option to explode results in separate rows (default is True). | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of results
## Isolate Malop Machine
Isolates a machine or machines involved in a specific Malop.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- |
| Pylum IDs | [Jinja-templated](doc:jinja-template) text containing the unique sensor ID the Cybereason platform uses for the machines to isolate. Example 'PYLUMCLIENT_INTERNAL_WIN_XP123456_0050568A74AC,PYLUMCLIENT_INTERNAL_WIN_XP5678_0050456757GH' | Required |
| Malop ID | [Jinja-templated](doc:jinja-template) text containing the GUID for the Malop with which the sensor is associated. Example '11.-4040827324870650429' | Required |
### Output
JSON containing the following items:
``` {json}{
"PYLUMCLIENT_INTERNAL_WIN_XP012987_0050123A74AC": "Succeeded",
"has_error":false,
"error":null
}
Set Reputation
Sets a custom, organization-specific reputation (whitelist or blacklist) for a file, IP address, or domain name.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Body | Jinja-templated JSON containing the body for the Cybereason API. Example '[{"keys": ["0aae5873aa0e9f80d3fa41524bef6825723b9e87"],"maliciousType": "whitelist","prevent": "true","remove": "false"}]' | Required |
Output
JSON containing the following items:
``` {json}{ "outcome":"success", "data":true, "has_error":false, "error":null }
## Remediate Items
Remediates a specific process, file, or registry key if remediation is possible.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| : -------- | : -------- | : -------- |
| Body | [Jinja-templated](doc:jinja-template) JSON containing the body for the Cybereason API. Example '{"malopId": "<malopID>","initiatorUserName": "<user name>","actionsByMachine": {"<machineID>": [{"targetId":"<item GUID>","actionType": "<action>"}]}}' | Required |
### Output
JSON containing the following items:
``` {json}{
"malopId": "11.2718161727221199870",
"remediationId": "86f3faa1-bac0-4a17-9192-9d106b734664",
"start": 1518604850656,
"end": 1518604850744,
"initiatingUser": "user@myserver.com",
"statusLog": [
{
"machineId": "-1632138521.1198775089551518743",
"targetId": null,
"status": "SUCCESS",
"actionType": "KILL_PROCESS",
"timestamp": 1518604850714
}
],
"has_error":false,
"error":null
}
Retrieve All Malops
Returns details about all AI Hunt Malops and Endpoint Protection Malops in your environment.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Start Time | Jinja-templated text containing the beginning time (in milliseconds) from which you want to retrieve Malops that were active (both created and updated). Default is batch start time. Example '1602240667000' | Optional |
End Time | Jinja-templated text containing the ending time (in milliseconds) to which you want to retrieve Malops (both created and updated). Default is batch end time. Example '1602240667000' | Optional |
Additional Body Params | Jinja-templated JSON containing the body for the Cybereason API. Values specified here will override other fields (if provided). Example '{"groupIds":""}' | Optional |
Output
JSON containing the following items:
``` {json}{ "malops":[ { "detectionEngines":[ "SomeEngine" ], "lastUpdateTime":16844083456456, "labels":[
],
"edr":false,
"malopDetectionType":"MALICIOUS_PROCESS",
"closerName":"test@abc.com",
"guid":"11.-3456743653548471",
"machines":[
{
"displayName":"asdfasd",
"isolated":false,
"lastConnected":1684743334567,
"connected":true,
"empty":true,
"osType":"WINDOWS",
"guid":"345645.13456345643563",
"@class":".MMMMMInboxModel"
}
],
"iconBase64":"",
"group":"",
"severity":"",
"escalated":false,
"detectionTypes":[
"Malicious process behavior"
],
"priority":"HIGH",
"malopStatus":"Excluded",
"decisionStatuses":[
"Detected",
"Prevented"
],
"@class":".MalopInboxModel",
"closed":true,
"containers":[
],
"status":"Excluded",
"rootCauseElementType":"Process",
"users":[
{
"admin":true,
"guid":"0.-223452345",
"displayName":"asdfasdf.tyuityu",
"localSystem":false,
"domainUser":false
}
],
"primaryRootCauseName":"powershell.exe",
"malopSeverity":"",
"rootCauseElementHashes":"f5d245f2f52d5235de8d052d4523d5234d9",
"malopType":"MALICIOUS_PROCESS",
"displayName":"2 Processes",
"malopPriority":"HIGH",
"malopCloseTime":168234523459,
"creationTime":16823452345391,
"empty":true,
"rootCauseElementNamesCount":2
}
], "has_error":false, "machineCounterModel":{ "onlineCleanCount":1322, "offlineCleanCount":2618, "totalMachines":3940, "offlineInfectedCount":0, "onlineInfectedCount":0 }, "error":null }
## Get Malop Details
Returns details about a specified Endpoint Protection Malop.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- |
| Malop ID | [Jinja-templated](doc:jinja-template) text containing the unique GUID string the Cybereason platform uses for the Malop. Example '11.-4040827324870650429' | Required |
### Output
JSON containing the following items:
``` {json}{
"detectionEngines":[
"SomeEngine"
],
"lastUpdateTime":16844083456456,
"labels":[
],
"edr":false,
"malopDetectionType":"MALICIOUS_PROCESS",
"closerName":"test@abc.com",
"guid":"11.-3456743653548471",
"machines":[
{
"displayName":"asdfasd",
"isolated":false,
"lastConnected":1684743334567,
"connected":true,
"empty":true,
"osType":"WINDOWS",
"guid":"345645.13456345643563",
"@class":".MMMMMInboxModel"
}
],
"iconBase64":"",
"group":"",
"severity":"",
"escalated":false,
"detectionTypes":[
"Malicious process behavior"
],
"priority":"HIGH",
"malopStatus":"Excluded",
"decisionStatuses":[
"Detected",
"Prevented"
],
"@class":".MalopInboxModel",
"closed":true,
"containers":[
],
"status":"Excluded",
"rootCauseElementType":"Process",
"users":[
{
"admin":true,
"guid":"0.-223452345",
"displayName":"asdfasdf.tyuityu",
"localSystem":false,
"domainUser":false
}
],
"primaryRootCauseName":"powershell.exe",
"malopSeverity":"",
"rootCauseElementHashes":"f5d245f2f52d5235de8d052d4523d5234d9",
"malopType":"MALICIOUS_PROCESS",
"displayName":"2 Processes",
"malopPriority":"HIGH",
"malopCloseTime":168234523459,
"creationTime":16823452345391,
"empty":true,
"rootCauseElementNamesCount":2,
"has_error":false,
"error":null
}
Get AI Hunt MalOp Details
Returns details about a specified AI hunt Malop details.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Body | Jinja-templated JSON containing the body for cybereason API. Example '{"totalResultLimit": 10000,"templateContext": "OVERVIEW","queryPath": [{"requestedType": "MalopProcess","guidList":["guid IDs for Malops"],"result": true,"filters": null}]}' | Required |
Output
JSON containing the following items:
{
"failedServersInfo":{
"onlineFailedServers":[
],
"onlineFailedServersPercentage":0,
"totalFailedServersPercentage":0,
"offlineServers":[
]
},
"data":{
"evidenceMap":{
},
"paginationToken":null,
"quapiMeasurementData":{
"totalQuapiQueryTime":[
],
"timeToGetAdditionalData":[
],
"timeToGetGuids":[
],
"startTime":[
],
"timeToGetData":[
],
"endTime":[
]
},
"guids":[
],
"resultIdToElementDataMap":{
},
"pathResultCounts":[
{
"featureDescriptor":{
"elementInstanceType":"MalopProcess",
"featureName":null
},
"count":0
}
],
"queryLimits":{
"groupingFeature":{
"elementInstanceType":"MalopProcess",
"featureName":"self"
},
"totalResultLimit":10000,
"perGroupLimit":0,
"sortInGroupFeature":null,
"perFeatureLimit":0
},
"queryTerminated":false,
"totalPossibleResults":2,
"suspicionsMap":{
},
"totalResults":0,
"executionUUID":null,
"guessedPossibleResults":0
},
"has_error":false,
"error":null,
"status":"SUCCESS",
"failures":0,
"hidePartialSuccess":false,
"message":"",
"expectedResults":2
}
Check Remediation Progress
Returns details on the progress of a specific remediation operation.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Malop ID | Jinja-templated text containing the GUID for the Malop with which the sensor is associated. Example '11.-4040827324870650429' | Required |
Username | Jinja-templated text containing the username. | Required |
Remediation Id | Jinja-templated text containing the remediation Id. | Required |
Output
JSON containing the following items:
``` {json}{ "malopId": 11.2718161727221199870, "remediationId": "86f3faa1-bac0-4a17-9192-9d106b734664", "start": 1518604850656, "end": 1518604850744, "initiatingUser": "user@myserver.com", "statusLog": [ { "machineId": "-1632138521.1198775089551518743", "targetId": null, "status": "SUCCESS", "actionType": "KILL_PROCESS", "timestamp": 1518604850714 } ], "error": null, "has_error": false }
## Get Custom Reputation
Returns details on custom reputations for all or a specific item from your organization’s private threat intelligence.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| : -------- | : -------- | : -------- |
| Body | [Jinja-templated](doc:jinja-template) JSON containing the body for cybereason API. Example '{"filter": { "key": "<item key>", "reputationType": "<item type>", "isBlocking": true, "maliciousType": "<whitelist or blacklist>", "includeExpired": true, "comment": "<text contained within a comment>", "owningUser": "<user that created the reputation>", "text": "<partial key or partial comment string>"},"column": "<value by which to sort>", "order": "<sort order>", "page": 0,"size": 20}' | Required |
### Output
JSON containing the following items:
``` {json}{
"outcome":"success",
"error": null,
"has_error": false,
"data": {
"reputations":
[
{
"key":"4df4308dd3c36cfee0fe11cfa4856165",
"reputationType":"FILE",
"isBlocking":true,
"maliciousType":"blacklist",
"comment":"registed by SOC",
"expiration":1648674000000,
"owningUser":"admin@yourserver.com",
"firstSeen":1641378554120,
"lastUpdated":1641487058169
},
{
"key":"0f3491280f5492cd028eb9e6b8b1b930",
"reputationType":"FILE",
"isBlocking":true,
"maliciousType":"blacklist",
"comment":"registed by SOC",
"expiration":-1,
"owningUser":"admin@cybereason.com",
"firstSeen":1641378554120,
"lastUpdated":1641378554120
},
{
"key":"db8a4847285b41d09aa90ecbd4290526",
"reputationType":"FILE",
"isBlocking":true,
"maliciousType":"blacklist",
"comment":"registed by SOC",
"expiration":-1,
"owningUser":"admin@yourserver.com"
"firstSeen":1641378554120,
"lastUpdated":1641487820991
}
],
"total":760
}
}
Release Notes
v2.3.0- Added 2 new action:Get Custom ReputationandCheck Remediation Progress.v2.2.0- Added 1 new action:Get AI Hunt MalOp Details.v2.1.0- Added 5 new actions:Isolate Malop Machine,Set Reputation,Remediate Items,Retrieve All MalopsandGet Malop Details.v2.0.0- Updated architecture to support IO via filesystem