Cybereason collector

[ 1 Overview ] [ 2 Integration overview ] [ 3 Vendor configuration ] [ 4 Run the collector ] [ 5 Change log ]

Overview

Cybereason offers an endpoint protection platform. It delivers antivirus software, endpoint detection and response with one agent, and a suite of managed services.

Integration overview

The data is collected using a Devo Collector that can be run on the Devo Collector server or standalone in a Docker container. The data is sent and stored in the Devo platform in these tables:

edr.cybereason.api_malop
edr.cybereason.api_malware

Cybereason exposes REST API resources to extract data such as:

Resource type	Definition	Devo table

Resource type

Definition

Devo table

Malop API

Returns the list of MalOps.

A MalOp (malicious operation) gives a contextualized view of the full narrative of an attack, correlated across all impacted endpoints.

Endpoint: https://<your server address>:<port>/rest/crimes/unified

Learn more here.

edr.cybereason.api_malop

Malware API

Returns details on malware currently in your environment.

Malware is any software intentionally designed to disrupt a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or unknowingly interfere with the user's computer security and privacy.

Endpoint: https://<your server address>:<port>/rest/malware/query

Learn more here.

edr.cybereason.api_malware

Information about the endpoints

Log in with the API: https://nest.cybereason.com/api-documentation/all-versions/authentication.html
MalOp endpoint info: https://nest.cybereason.com/documentation/api-documentation/all-versions/get-malops#getmalops
Malware endpoint info: https://nest.cybereason.com/documentation/api-documentation/all-versions/query-malware-types#querymalware

Vendor configuration

To pull the logs from the Cybereason endpoint you need:

Parameter	Description

Parameter	Description
Host	The service address of the Cybereason installation.
Port	The service port of the Cybereason installation.
Username	Your Cybereason service username.
Password	Your Cybereason service password.

With this information, the Cybereason collector can be configured later.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Change log

Release	Released on	Release type	Details	Recommendations

Release

Released on

Release type

Details

Recommendations

v1.4.0

May 9, 2024

IMPROVEMENT

Improvements:

Upgrade DC SDK to the latest version 1.11.1
Upgrade the Docker base image to 1.2.0

Recommended version

v1.3.0

Jan 24, 2024

IMPROVEMENT

Improvements:

Upgraded DCSDK from 1.9.1 to 1.10.2

Update