
Cybereason


The Cybereason Response Interface enables security teams to quickly respond to detected threats by killing processes and isolating machines.

Connect Cybereason with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Cybereason.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select whether to verify the connecting server's SSL certificate (default is Verify SSL Certificate). Turning verification off lets anyone on the network path impersonate the Cybereason server and capture the username and password entered below, so keep it enabled and fix the server certificate instead.

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. Cybereason Server Name: Server name for your Cybereason connection.

  9. Cybereason Server Port: Server port for your Cybereason connection (usually 443 or 8443).

  10. Email Address/Username: Username for Cybereason.

  11. Password: Password to log in with.

  12. After you've entered all the details, click Connect.

Actions for Cybereason

Isolate Machine

Isolate Machine to respond to detected threats.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to configure the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Column containing Machine Name or IP Address | Column name from the parent table with the Machine Name or IP Address to isolate. | Required |
| Data Type | Data Type, either Machine Name or IP Address. | Required |

Output

One result row per input row, each a JSON object with:

  • has_error: True/False

  • error: message/null

  • result: Success/Failure message

Example of a failed row. No sensor matched the supplied IP address, so there was nothing to isolate:

```json
{
  "has_error": true,
  "error": "Unable to find sensor for given Machine : 96.17.161.137"
}
```
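The error in the sample output above comes from the step the action performs before it can isolate anything: Cybereason's isolate command addresses sensors by their pylum ID, so a machine name or IP address first has to be resolved to a sensor, and when nothing matches there is nothing to isolate. The following is an added example, not Devo SOAR's or Cybereason's code, that walks through that flow and normalizes the outcome into the has_error / error / result row shape used by this action. The endpoint paths and field names (`/rest/sensors/query`, `machineName`, `internalIpAddress`, `pylumId`, `/rest/monitor/global/commands/isolate`) are taken from my recollection of Cybereason's REST API and are assumptions to check against your console version; the HTTP transport is injected, and the sensor inventory below is constructed, so the example runs offline.

```python
import ipaddress
import json
from typing import Callable, List

# Transport signature: post(path, body_dict) -> response_dict. Injected so the
# logic can be exercised offline; in production wrap a requests.Session that
# has already logged in to the Cybereason console.
Transport = Callable[[str, dict], dict]

# Assumed endpoint paths (check against your Cybereason API version).
SENSORS_QUERY = "/rest/sensors/query"
ISOLATE_CMD = "/rest/monitor/global/commands/isolate"


def classify(value: str) -> str:
    """Mirror the action's Data Type input: 'ip' or 'machine_name'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "machine_name"


def find_sensors(post: Transport, value: str) -> List[dict]:
    """Resolve a machine name or IP to sensor records (each carries a pylumId)."""
    field = "internalIpAddress" if classify(value) == "ip" else "machineName"
    body = {
        "limit": 50,
        "offset": 0,
        "filters": [{"fieldName": field, "operator": "Equals", "values": [value]}],
    }
    return post(SENSORS_QUERY, body).get("sensors", [])


def isolate_machine(post: Transport, value: str, malop_id: str = "") -> dict:
    """Return a row in the same shape as the SOAR action: has_error / error / result."""
    sensors = find_sensors(post, value)
    if not sensors:
        # The failure mode in the sample output above: nothing to isolate.
        return {"has_error": True,
                "error": f"Unable to find sensor for given Machine : {value}",
                "result": None}
    pylum_ids = [s["pylumId"] for s in sensors]
    body = {"pylumIds": pylum_ids}
    if malop_id:
        body["malopId"] = malop_id
    resp = post(ISOLATE_CMD, body)
    # Assumed response shape: {pylumId: "Succeeded" | "Failed", ...}
    failed = {p: status for p, status in resp.items() if status != "Succeeded"}
    if failed:
        return {"has_error": True, "error": json.dumps(failed), "result": None}
    return {"has_error": False, "error": None,
            "result": f"Isolated {len(pylum_ids)} sensor(s): {', '.join(pylum_ids)}"}


# Constructed, offline stand-in for the console (sample data, not real sensors).
FAKE_SENSORS = [
    {"pylumId": "PYLUMCLIENT_INTERNAL_WIN_XP123456_0050568A74AC",
     "machineName": "win-xp123456", "internalIpAddress": "10.0.0.15"},
]


def fake_post(path: str, body: dict) -> dict:
    if path == SENSORS_QUERY:
        flt = body["filters"][0]
        hits = [s for s in FAKE_SENSORS if s[flt["fieldName"]] in flt["values"]]
        return {"sensors": hits, "totalResults": len(hits)}
    if path == ISOLATE_CMD:
        return {p: "Succeeded" for p in body["pylumIds"]}
    raise ValueError(f"unexpected path {path}")


if __name__ == "__main__":
    print(isolate_machine(fake_post, "win-xp123456", malop_id="11.-4040827324870650429"))
    print(isolate_machine(fake_post, "96.17.161.137"))
```

When the parent table mixes hostnames and addresses, classifying each value rather than trusting a single Data Type for the whole column avoids querying `machineName` with an IP string, which is one common cause of the "Unable to find sensor" row.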

Unisolate Machine

Unisolate Machine to lift an isolation applied earlier.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to configure the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Column containing Machine Name or IP Address | Column name from the parent table with the Machine Name or IP Address to unisolate. | Required |
| Data Type | Data Type, either Machine Name or IP Address. | Required |

Output

One result row per input row, each a JSON object with:

  • has_error: True/False

  • error: message/null

  • result: Success/Failure message

Block Process

Globally prevents a file with the given hash from running.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to configure the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Column containing Hashes | Column name from the parent table with the hashes of the files to prevent from running. | Required |

Output

One result row per input row, each a JSON object with:

  • has_error: True/False

  • error: message/null

  • result: Success/Failure message

Run Query

Run a query on the Cybereason deployment.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to configure the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Query Strings | Query string (emulates the request payload the Cybereason UI sends, viewable in a browser's developer tools). | Required |
| Explode Results | Select the option to explode results into separate rows (default is True). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of results

Run Dynamic Query

Run a dynamic query on the Cybereason deployment.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to configure the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Query Column Name | The name of the column with the queries. | Required |
| Explode Results | Select the option to explode results into separate rows (default is True). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of results

Run Templated Query

Run a templated query on the Cybereason deployment.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to configure the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Query Template | The Jinja query template, with optional variable substitution denoted by column names in double braces {{ and }}. | Required |
| Explode Results | Select the option to explode results into separate rows (default is True). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of results

Isolate Malop Machine

Isolates a machine or machines involved in a specific Malop.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to configure the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Pylum IDs | Jinja-templated text containing the unique sensor ID the Cybereason platform uses for the machines to isolate. Example 'PYLUMCLIENT_INTERNAL_WIN_XP123456_0050568A74AC,PYLUMCLIENT_INTERNAL_WIN_XP5678_0050456757GH' | Required |
| Malop ID | Jinja-templated text containing the GUID for the Malop with which the sensor is associated. Example '11.-4040827324870650429' | Required |

Output

JSON containing the following items:

```json
{
  "PYLUMCLIENT_INTERNAL_WIN_XP012987_0050123A74AC": "Succeeded",
  "has_error": false,
  "error": null
}
```
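The Run Templated Query action substitutes parent-table column values into a query body through `{{ column }}` placeholders. Those values often originate in alerts (file names, command lines, user-controlled strings) and can contain quotes and braces, so substituting them as raw text can break the JSON or, worse, change the query's structure. The following is an added example, mine rather than Devo SOAR's, of how a playbook author should treat the substitution: every value is JSON-encoded before it enters the body and the result is parsed back to prove it is still the intended query, with a naive renderer beside it for contrast. It then shows what "Explode Results" means, turning one query response into one row per element. The query body follows the shape of the Get AI Hunt MalOp Details example on this page; the response shape (`data.resultIdToElementDataMap`) is an assumption about Cybereason's query API and the sample response is constructed. The tiny `{{ name }}` renderer stands in for Devo SOAR's real Jinja engine for plain variable references only.

```python
import json
import re
from typing import Any, Dict, List

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Template in the style of this page's query bodies. The placeholder is written
# WITHOUT surrounding quotes because the safe renderer emits a complete JSON
# string literal (quotes included) for every substituted value.
QUERY_TEMPLATE = """{
  "totalResultLimit": 1000,
  "templateContext": "SPECIFIC",
  "queryPath": [{
    "requestedType": "Process",
    "filters": [{"facetName": "elementDisplayName",
                 "filterType": "Equals",
                 "values": [{{ process_name }}]}],
    "isResult": true
  }]
}"""


def render_query(template: str, row: Dict[str, Any]) -> dict:
    """Substitute {{ column }} with the JSON encoding of row[column], then parse.

    Raising on an unknown column surfaces playbook mistakes instead of silently
    sending an empty or partial filter; parsing fails loudly if the body broke.
    """
    def repl(m):
        name = m.group(1)
        if name not in row:
            raise KeyError(f"template references unknown column {name!r}")
        return json.dumps(row[name])   # always a single valid JSON literal
    return json.loads(PLACEHOLDER.sub(repl, template))


def render_query_naive(template: str, row: Dict[str, Any]) -> dict:
    """What quoting by hand ("{{ col }}") does: the value can rewrite the query."""
    rendered = PLACEHOLDER.sub(lambda m: '"%s"' % row[m.group(1)], template)
    return json.loads(rendered)


def explode_results(response: dict) -> List[dict]:
    """'Explode Results' = one flat row per element instead of one row per query.

    Assumed response shape: data.resultIdToElementDataMap maps element GUID to
    {"simpleValues": {feature: {"values": [...]}}, ...}.
    """
    rows = []
    elements = response.get("data", {}).get("resultIdToElementDataMap", {})
    for guid, element in elements.items():
        row = {"guid": guid}
        for feature, payload in element.get("simpleValues", {}).items():
            values = payload.get("values") or []
            row[feature] = values[0] if len(values) == 1 else values
        rows.append(row)
    return rows


# A constructed hostile column value: closes the filter list, then appends a
# second "filters" key so the query silently searches for "y" instead.
HOSTILE_ROW = {"process_name": 'x"]}], "isResult": false, "filters": '
                               '[{"facetName": "elementDisplayName", '
                               '"filterType": "Equals", "values": ["y'}

# Constructed sample response (not captured from a real console).
SAMPLE_RESPONSE = {"data": {"resultIdToElementDataMap": {
    "-1234.5678": {"simpleValues": {
        "elementDisplayName": {"values": ["powershell.exe"]},
        "commandLine": {"values": ["powershell -enc AAAA"]}}},
    "-1234.9999": {"simpleValues": {
        "elementDisplayName": {"values": ["powershell.exe"]},
        "commandLine": {"values": ["powershell -nop -w hidden"]}}},
}}}

if __name__ == "__main__":
    safe = render_query(QUERY_TEMPLATE, HOSTILE_ROW)["queryPath"][0]
    naive = render_query_naive(QUERY_TEMPLATE, HOSTILE_ROW)["queryPath"][0]
    print("safe   searches for:", safe["filters"][0]["values"])
    print("naive  searches for:", naive["filters"][0]["values"])
    for r in explode_results(SAMPLE_RESPONSE):
        print(r)
```

In a real Devo SOAR template the equivalent of `render_query` is to write the placeholder as `{{ column | tojson }}` (Jinja's built-in filter) rather than wrapping it in quotes by hand.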

Set Reputation

Sets a custom, organization-specific reputation (whitelist or blacklist) for a file, IP address, or domain name.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to configure the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Body | Jinja-templated JSON containing the body for the Cybereason API. Example '[{"keys": ["0aae5873aa0e9f80d3fa41524bef6825723b9e87"],"maliciousType": "whitelist","prevent": "true","remove": "false"}]' | Required |

Output

JSON containing the following items:

```json
{
  "outcome": "success",
  "data": true,
  "has_error": false,
  "error": null
}
```
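Because Set Reputation takes a raw JSON body, a playbook that assembles it by string concatenation can whitelist a malformed key, or whitelist the wrong thing, without any error from the console. The following is an added example, mine rather than Devo SOAR's, of building that body defensively: each key is validated as a file hash, an IP address or a domain name and anything else is rejected; hashes and domains are lower-cased so case variants collapse to one entry; and `prevent` is only honoured for blacklist entries, since there is nothing to prevent for a whitelist. The accepted hash lengths (MD5 and SHA-1, matching the 40-hex-character key in the example above) are an assumption about what your Cybereason version accepts.

```python
import ipaddress
import json
import re
from typing import Iterable, List

HEX = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?!-)([A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$")
HASH_LENGTHS = {32: "md5", 40: "sha1"}   # assumed: lengths Cybereason reputations accept


def classify_key(key: str) -> str:
    """Return 'hash', 'ip' or 'domain'; raise on anything else."""
    k = key.strip()
    if len(k) in HASH_LENGTHS and HEX.match(k):
        return "hash"
    try:
        ipaddress.ip_address(k)
        return "ip"
    except ValueError:
        pass
    if DOMAIN.match(k):
        return "domain"
    raise ValueError(f"not a hash, IP address or domain name: {key!r}")


def reputation_body(keys: Iterable[str], malicious_type: str,
                    prevent: bool = False, remove: bool = False) -> List[dict]:
    """Build the Set Reputation body (a list with one entry) with every key validated.

    'prevent' and 'remove' are emitted as the string booleans the example body
    on this page uses. prevent is forced to "false" for whitelist entries so a
    mis-set flag cannot widen an exclusion.
    """
    if malicious_type not in ("whitelist", "blacklist"):
        raise ValueError("maliciousType must be 'whitelist' or 'blacklist'")
    normalized = []
    for key in keys:
        kind = classify_key(key)
        k = key.strip()
        normalized.append(k.lower() if kind in ("hash", "domain") else k)
    if not normalized:
        raise ValueError("no keys to set")
    return [{
        "keys": sorted(set(normalized)),
        "maliciousType": malicious_type,
        "prevent": str(prevent and malicious_type == "blacklist").lower(),
        "remove": str(remove).lower(),
    }]


if __name__ == "__main__":
    # Constructed keys: the hash from this page's example plus an IP and a domain.
    body = reputation_body(
        ["0AAE5873AA0E9F80D3FA41524BEF6825723B9E87", "8.8.8.8", "Example.COM"],
        "blacklist", prevent=True)
    print(json.dumps(body))
```

The returned list is what goes into the Body input once serialized with `json.dumps`; doing the serialization last, from a validated structure, is the point of the exercise.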

Remediate Items

Remediates a specific process, file, or registry key if remediation is possible.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to configure the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Body | Jinja-templated JSON containing the body for the Cybereason API. Example '{"malopId": "<malopID>","initiatorUserName": "<user name>","actionsByMachine": {"<machineID>": [{"targetId":"<item GUID>","actionType": "<action>"}]}}' | Required |

Output

JSON containing the following items:

```json
{
  "malopId": "11.2718161727221199870",
  "remediationId": "86f3faa1-bac0-4a17-9192-9d106b734664",
  "start": 1518604850656,
  "end": 1518604850744,
  "initiatingUser": "user@myserver.com",
  "statusLog": [
    {
      "machineId": "-1632138521.1198775089551518743",
      "targetId": null,
      "status": "SUCCESS",
      "actionType": "KILL_PROCESS",
      "timestamp": 1518604850714
    }
  ],
  "has_error": false,
  "error": null
}
```

Retrieve All Malops

Returns details about all AI Hunt Malops and Endpoint Protection Malops in your environment.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to configure the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Start Time | Jinja-templated text containing the beginning time (epoch milliseconds) from which you want to retrieve Malops that were active (both created and updated). Default is batch start time. Example '1602240667000' | Optional |
| End Time | Jinja-templated text containing the ending time (epoch milliseconds) up to which you want to retrieve Malops (both created and updated). Default is batch end time. Example '1602240667000' | Optional |
| Additional Body Params | Jinja-templated JSON containing the body for the Cybereason API. Values specified here override the other fields (if provided). Example '{"groupIds":""}' | Optional |

Output

JSON containing the following items:

```json
{
  "malops": [
    {
      "detectionEngines": ["SomeEngine"],
      "lastUpdateTime": 16844083456456,
      "labels": [],
      "edr": false,
      "malopDetectionType": "MALICIOUS_PROCESS",
      "closerName": "test@abc.com",
      "guid": "11.-3456743653548471",
      "machines": [
        {
          "displayName": "asdfasd",
          "isolated": false,
          "lastConnected": 1684743334567,
          "connected": true,
          "empty": true,
          "osType": "WINDOWS",
          "guid": "345645.13456345643563",
          "@class": ".MMMMMInboxModel"
        }
      ],
      "iconBase64": "",
      "group": "",
      "severity": "",
      "escalated": false,
      "detectionTypes": ["Malicious process behavior"],
      "priority": "HIGH",
      "malopStatus": "Excluded",
      "decisionStatuses": ["Detected", "Prevented"],
      "@class": ".MalopInboxModel",
      "closed": true,
      "containers": [],
      "status": "Excluded",
      "rootCauseElementType": "Process",
      "users": [
        {
          "admin": true,
          "guid": "0.-223452345",
          "displayName": "asdfasdf.tyuityu",
          "localSystem": false,
          "domainUser": false
        }
      ],
      "primaryRootCauseName": "powershell.exe",
      "malopSeverity": "",
      "rootCauseElementHashes": "f5d245f2f52d5235de8d052d4523d5234d9",
      "malopType": "MALICIOUS_PROCESS",
      "displayName": "2 Processes",
      "malopPriority": "HIGH",
      "malopCloseTime": 168234523459,
      "creationTime": 16823452345391,
      "empty": true,
      "rootCauseElementNamesCount": 2
    }
  ],
  "has_error": false,
  "machineCounterModel": {
    "onlineCleanCount": 1322,
    "offlineCleanCount": 2618,
    "totalMachines": 3940,
    "offlineInfectedCount": 0,
    "onlineInfectedCount": 0
  },
  "error": null
}
```
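Two things trip up playbooks built on Retrieve All Malops: the Start Time and End Time inputs are epoch milliseconds, so a window computed in seconds collapses to early 1970 and silently returns nothing, and the output mixes closed or excluded malops with open ones. The following is an added example, mine rather than Devo SOAR's, that builds a guarded time window and then triages output shaped like the sample above down to the malops that still need a response: not closed, and with at least one connected machine that is not yet isolated. The priority ordering (CRITICAL/HIGH/MEDIUM/LOW) is an assumption about Cybereason's labels beyond the HIGH value shown on this page, and the sample malops are constructed from the fields in the output above.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

MIN_PLAUSIBLE_MS = 10**12   # ~ Sept 2001 in ms; anything smaller is almost certainly seconds
PRIORITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}   # assumed labels


def to_epoch_ms(t: datetime) -> int:
    """Cybereason wants milliseconds since the epoch; the datetime must be tz-aware."""
    if t.tzinfo is None:
        raise ValueError("use a timezone-aware datetime to avoid local-time drift")
    return int(t.timestamp() * 1000)


def validate_window(start_ms: int, end_ms: int) -> None:
    """Reject windows that look like seconds or run backwards."""
    for v in (start_ms, end_ms):
        if v < MIN_PLAUSIBLE_MS:
            raise ValueError(f"{v} looks like seconds, not milliseconds")
    if start_ms > end_ms:
        raise ValueError("start time is after end time")


def malop_window(end: datetime, lookback: timedelta = timedelta(hours=1)) -> Tuple[int, int]:
    """Return (Start Time, End Time) in ms for the Retrieve All Malops inputs."""
    start_ms, end_ms = to_epoch_ms(end - lookback), to_epoch_ms(end)
    validate_window(start_ms, end_ms)
    return start_ms, end_ms


def actionable_malops(output: dict) -> List[Dict[str, object]]:
    """Pick the malops from the action's output that still need a response."""
    picked = []
    for m in output.get("malops", []):
        if m.get("closed") or m.get("status") == "Excluded":
            continue
        exposed = [mc["guid"] for mc in m.get("machines", [])
                   if mc.get("connected") and not mc.get("isolated")]
        if not exposed:
            continue
        picked.append({
            "guid": m["guid"],
            "priority": m.get("malopPriority") or m.get("priority"),
            "rootCause": m.get("primaryRootCauseName"),
            "machines": exposed,
        })
    picked.sort(key=lambda p: PRIORITY_ORDER.get(str(p["priority"]), 99))
    return picked


# The Start Time example on this page, 1602240667000 ms, as a datetime.
EXAMPLE_END = datetime(2020, 10, 9, 10, 51, 7, tzinfo=timezone.utc)

# Constructed sample shaped like the output above (values are not real).
SAMPLE_OUTPUT = {
    "malops": [
        {"guid": "11.-3456743653548471", "closed": True, "status": "Excluded",
         "malopPriority": "HIGH", "primaryRootCauseName": "powershell.exe",
         "machines": [{"guid": "345645.13456345643563", "connected": True, "isolated": False}]},
        {"guid": "11.-1111111111111111", "closed": False, "status": "Active",
         "malopPriority": "MEDIUM", "primaryRootCauseName": "mshta.exe",
         "machines": [{"guid": "1.1", "connected": True, "isolated": False},
                      {"guid": "1.2", "connected": False, "isolated": False}]},
        {"guid": "11.-2222222222222222", "closed": False, "status": "Active",
         "malopPriority": "HIGH", "primaryRootCauseName": "rundll32.exe",
         "machines": [{"guid": "2.1", "connected": True, "isolated": True}]},
        {"guid": "11.-3333333333333333", "closed": False, "status": "Active",
         "malopPriority": "HIGH", "primaryRootCauseName": "regsvr32.exe",
         "machines": [{"guid": "3.1", "connected": True, "isolated": False}]},
    ],
    "has_error": False, "error": None,
}

if __name__ == "__main__":
    print(malop_window(EXAMPLE_END))
    for p in actionable_malops(SAMPLE_OUTPUT):
        print(p)
```

The machine GUIDs this returns are the `machines[].guid` values from the malop, not pylum IDs; resolve them through the sensor inventory before handing them to Isolate Malop Machine.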

Get AI Hunt MalOp Details

Returns details about a specified AI Hunt Malop.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to configure the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Body | Jinja-templated JSON containing the body for the Cybereason API. Example '{"totalResultLimit": 10000,"templateContext": "OVERVIEW","queryPath": [{"requestedType": "MalopProcess","guidList":["guid IDs for Malops"],"result": true,"filters": null}]}' | Required |

Output

JSON containing the following items:

Check Remediation Progress

Returns details on the progress of a specific remediation operation.

Input Field

Choose a connection that you have previously created and then fill in the following input fields to configure the action.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Malop ID | Jinja-templated text containing the GUID for the Malop with which the sensor is associated. Example '11.-4040827324870650429' | Required |
| Username | Jinja-templated text containing the username that initiated the remediation. | Required |
| Remediation Id | Jinja-templated text containing the remediation Id returned by Remediate Items. | Required |

Output

JSON containing the following items:

```json
{
  "malopId": "11.2718161727221199870",
  "remediationId": "86f3faa1-bac0-4a17-9192-9d106b734664",
  "start": 1518604850656,
  "end": 1518604850744,
  "initiatingUser": "user@myserver.com",
  "statusLog": [
    {
      "machineId": "-1632138521.1198775089551518743",
      "targetId": null,
      "status": "SUCCESS",
      "actionType": "KILL_PROCESS",
      "timestamp": 1518604850714
    }
  ],
  "error": null,
  "has_error": false
}
```
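Remediate Items returns as soon as the console has accepted the request; the sensor carries out the actions afterwards, which is why Check Remediation Progress exists and why a playbook must poll it rather than treat the first response as proof that a process was killed. The following is an added example, mine rather than Devo SOAR's, of a poller over the output shape shown above: it stops when every entry in `statusLog` is terminal, caps the number of polls so a stuck remediation cannot hang the playbook, and reports per-action failures and a timed-out flag so the next step can escalate. The fetch function is injected and the sequence of responses is constructed, so it runs offline. SUCCESS is the only status value on this page; PENDING, IN_PROGRESS and FAILURE, and the QUARANTINE_FILE action type, are assumptions from Cybereason's documentation as I recall it.

```python
import time
from typing import Callable, Dict, List

# Assumed status vocabulary; SUCCESS is the only value shown on this page.
TERMINAL = {"SUCCESS", "FAILURE"}

# fetch(malop_id, username, remediation_id) -> progress dict as in the output above
Fetcher = Callable[[str, str, str], dict]


def summarize(progress: dict) -> Dict[str, object]:
    """Reduce a statusLog to done / failed / pending plus per-action detail."""
    log = progress.get("statusLog", [])
    failed = [e for e in log if e.get("status") == "FAILURE"]
    pending = [e for e in log if e.get("status") not in TERMINAL]
    return {
        "done": bool(log) and not pending,      # an empty log is not success
        "failed": [(e.get("machineId"), e.get("actionType"), e.get("error")) for e in failed],
        "pending": len(pending),
        "actions": [(e.get("machineId"), e.get("actionType"), e.get("status")) for e in log],
    }


def wait_for_remediation(fetch: Fetcher, malop_id: str, username: str, remediation_id: str,
                         max_polls: int = 10, delay: float = 2.0,
                         sleep: Callable[[float], None] = time.sleep) -> Dict[str, object]:
    """Poll until every action is terminal or the poll budget is spent.

    Returns the last summary plus 'timed_out' and 'polls' so a playbook can
    escalate instead of assuming the remediation happened.
    """
    summary: Dict[str, object] = {"done": False, "failed": [], "pending": 0, "actions": []}
    for attempt in range(1, max_polls + 1):
        progress = fetch(malop_id, username, remediation_id)
        if progress.get("has_error"):
            raise RuntimeError(f"progress check failed: {progress.get('error')}")
        summary = summarize(progress)
        if summary["done"]:
            summary.update(timed_out=False, polls=attempt)
            return summary
        sleep(delay)
    summary.update(timed_out=True, polls=max_polls)
    return summary


# --- Constructed responses standing in for the console (not real data) ---
def make_fake_fetcher(sequence: List[dict]) -> Fetcher:
    """Return each response in turn, then keep returning the last one."""
    calls = iter(sequence)
    last = sequence[-1]

    def fetch(malop_id: str, username: str, remediation_id: str) -> dict:
        return next(calls, last)
    return fetch


def _progress(*entries) -> dict:
    return {"malopId": "11.2718161727221199870",
            "remediationId": "86f3faa1-bac0-4a17-9192-9d106b734664",
            "statusLog": [{"machineId": "-1632138521.1198775089551518743",
                           "targetId": None, "actionType": a, "status": s}
                          for a, s in entries],
            "has_error": False, "error": None}


SEQUENCE = [
    _progress(("KILL_PROCESS", "PENDING"), ("QUARANTINE_FILE", "PENDING")),
    _progress(("KILL_PROCESS", "SUCCESS"), ("QUARANTINE_FILE", "IN_PROGRESS")),
    _progress(("KILL_PROCESS", "SUCCESS"), ("QUARANTINE_FILE", "FAILURE")),
]

if __name__ == "__main__":
    print(wait_for_remediation(make_fake_fetcher(SEQUENCE), "11.2718161727221199870",
                               "user@myserver.com", "86f3faa1-bac0-4a17-9192-9d106b734664",
                               sleep=lambda _: None))
```

A remediation that finishes with `done` true but a non-empty `failed` list is the case worth routing to a human: the process was killed but the file was not quarantined, or vice versa, and the next step should not assume the host is clean.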

Release Notes

  • v2.3.0 - Added 2 new actions: Get Custom Reputation and Check Remediation Progress.

  • v2.2.0 - Added 1 new action: Get AI Hunt MalOp Details.

  • v2.1.0 - Added 5 new actions: Isolate Malop Machine, Set Reputation, Remediate Items, Retrieve All Malops and Get Malop Details.

  • v2.0.0 - Updated architecture to support IO via filesystem