Cybereason 2.12.0
- Updated on 02 Apr 2025
tags: Python | EDR | Automation | Prevention
Description
The Cybereason integration supports CDC users with enrichment: details of specific domains, machines, processes, Malops (malicious operations), users, files and other objects known to Cybereason. This lets CDC users make informed incident response decisions.
Cybereason EDR consolidates intelligence about each attack into a single visual representation called a Malop. Each Malop organizes the relevant attack data into an easy-to-read, interactive graphical interface, providing a complete timeline of the attack, the flow of malware across processes and users, and all incoming and outgoing communications for affected machines. This gives security professionals unparalleled visibility into IT environments.
CyberProof uses generic adaptive cards to display host-related information in a meaningful, intuitive GUI. This makes the host data, and the status of the host in Cybereason, easy to understand. CyberProof also lets the preventive capabilities of the pack be enabled or disabled according to customer requirements.
The pack does this through CLI commands that prevent or un-prevent a file; enrich data about a specific connection, domain, machine, process (or processes by machine), Malop, user, file, connection by IP or connection by machine; isolate or un-isolate a machine; add a comment to a Malop; update the Malop status; and so on.
Property | Value |
---|---|
Integration Type | EPP/EDR |
Information read | Domain, Process, User, File, etc. |
API Supported | |
Input | Domain name / Machine name / Hash (MD5/SHA1/SHA256) / GUID of Malops / Username / Process name / Threat name / File name / Malware name |
Output | Detailed enrichment consisting of relevant information. |
CDC Command Lines
* **query_process_cli**
CDC CLI for query-search-process, run from the CDC message thread. It returns information about matching processes, filtered by the process name and the other options below.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
process_name | string | The malop process name to filter on. | True |
guid | string | The malop GUID to filter on. | False |
is_downloaded_from_internet | boolean | Filter on whether the process was downloaded from the internet. | False |
has_malops | boolean | Filter on whether the process has malops. | False |
has_suspicions | boolean | Filter on whether the process has suspicions. | False |
command_line | string | Command line filter. | False |
has_incoming_connection | boolean | Filter on whether the process has an incoming connection. | False |
has_outgoing_connection | boolean | Filter on whether the process has an outgoing connection. | False |
* **query_user_cli**
CDC CLI for query-user, run from the CDC message thread. It returns information about users matching the available filters.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
domain_user_name | string | The domain/user name to filter on. | False |
domain | string | The domain name to filter on. | False |
has_suspicious | boolean | Filter on whether the user has suspicions. | False |
local_system | boolean | Filter on whether the user is a local system account. | False |
* **query_domain_cli**
CDC CLI for query-domain, run from the CDC message thread. It returns details about the domain, based on the domain name and the filters applied.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
domain_name | string | The domain name to search. | True |
reputation | string | Reputation value to filter on. | False |
is_internal_domain | boolean | Filter on whether the domain is internal. | False |
was_ever_resolved | boolean | Filter on whether the domain was ever resolved. | False |
was_ever_resolved_as_second_domain | boolean | Filter on whether the domain was ever resolved as a second-level domain. | False |
* **query_file_by_machine_cli**
CDC CLI for search-file-by-machine, run from the CDC message thread. It returns information about files on the given machine, narrowed by the other filters applied.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
machine | string | The name of the machine. | False |
has_suspicions | boolean | True to return only results with suspicions. | False |
has_malops | boolean | True to return only results with malops. | False |
has_suspicious_processes | boolean | True to return only results with suspicious processes. | False |
os_type | string | Filter on the OS type of the machine. | False |
* **query_connection_by_machine_cli**
CDC CLI for query-connection-by-machine, run from the CDC message thread. It returns details of the connections of the given machine, narrowed by the filters applied.
Option | Type | Description | Required |
---|---|---|---|
machine | string | The name of the machine. | True |
company_name | string | The company name configured in the configuration. | False |
has_suspicions | boolean | True to return only results with suspicions. | False |
has_malops | boolean | True to return only results with malops. | False |
has_suspicious_processes | boolean | True to return only results with suspicious processes. | False |
os_type | string | Filter on the OS type. | False |
* **update_malop_status_cli**
At the request of the SOC, this CLI updates the Malop status from the CDC. company_name, malop_guid and status are mandatory fields in the CLI. The available values for status are translated to the Cybereason UI status: "todo" translates to "To review", "closed" to "Remediated", "unread" to "Unread", "fp" to "Not relevant" and "open" to "Under investigation".
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
malop_guid | string | Globally unique identifier of the malop (malware). | True |
status | string | The new status. | True |
* **query_process_on_machine_cli**
CDC CLI for query-process-on-machine, run from the CDC message thread. It returns information about the processes on the given machine, narrowed by the other filters applied.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
machine_name | string | The machine name to search processes on. | True |
has_malop | boolean | Filter on whether the process has malops. | False |
has_suspicions | boolean | Filter on whether the process has suspicions. | False |
has_suspicions_process | boolean | Filter on whether the machine has suspicious processes. | False |
os_type | string | The OS type to filter on. | False |
* **is_probe_connected_cli**
CDC CLI for is-probe-connected, run from the CDC message thread. It checks whether the Cybereason probe on the given machine is connected.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
machine | string | The name of the machine. | True |
* **get_disabled_cli_action_list**
Get the disabled CLI action list of the pack.
Option | Type | Description | Required |
---|---|---|---|
disabled_cli_action_list | array | List of CLI action names that are disabled for the pack. | True |
* **check_cli_action_availability_and_remove_disabled**
Checks whether a CLI action is enabled and removes the CLI actions that are disabled.
Option | Type | Description | Required |
---|---|---|---|
pack_name | string | Name of the pack. | True |
cli_action_name | string | Name of the CLI action to be checked. | True |
* **query_connection_by_ip_cli**
CDC CLI for query-connection-by-ip, run from the CDC message thread. It returns connection information for the given IP address, narrowed by the filters applied.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
ip | string | IP address in IPv4 or IPv6 format. | True |
has_suspicions | boolean | True to return only connections with suspicions. | False |
used_by_malware | boolean | True to return only connections used by malware. | False |
country_name | string | Country name to filter on. | False |
* **unprevent_file_cli**
CDC CLI for unprevent-file, run from the CDC message thread. It removes the prevention on a file in Cybereason, identifying the file by its MD5 hash.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
file_MD5_hash | string | The MD5 hash of the relevant file. | True |
* **unisolate_machine_cli**
CDC CLI for unisolate-machine, run from the CDC message thread. It removes the isolation of a machine through Cybereason.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
machine | string | The name of the machine. | True |
* **add_comment_cli**
At the request of the SOC, this CLI adds a comment to a Malop from the CDC. comment and malop_guid are mandatory fields in the CLI. All available Malop GUIDs can be listed by running the query_malops_cli command with the respective company name from the CDC.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
malop_guid | string | Globally unique identifier of the malop (malware). | True |
comment | string | The comment to add to the Malop. | True |
* **query_malops_cli**
CDC CLI for query-malops, run from the CDC message thread. It returns details about the available Malops matching the GUIDs provided. Note: guid_list must be an array, for example ['dummy_guid'].
Option | Type | Description | Required |
---|---|---|---|
guid_list | array | Globally Unique Identifier of malops. | False |
company_name | string | The company name configured in the configuration. | False |
* **isolate_machine_cli**
CDC CLI for isolate-machine, run from the CDC message thread. It isolates a machine using Cybereason.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
machine | string | The name of the machine. | True |
* **query_file_by_process_cli**
CDC CLI for search-file-by-process, run from the CDC message thread. It returns information about files based on the process filters below.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
is_downloaded_from_internet | boolean | Filter on whether the process was downloaded from the internet. | False |
has_malops | boolean | Filter on whether the process has malops. | False |
has_suspicions | boolean | Filter on whether the process has suspicions. | False |
command_line | string | Command line filter. | False |
has_listening_connection | boolean | Filter on whether the process has a listening connection. | False |
has_external_connection | boolean | Filter on whether the process has an external connection. | False |
* **query_file_cli**
CDC CLI for search-file, run from the CDC message thread. It returns details about files matching the filters provided.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
hash_value | string | The hash value of the file to filter. | False |
name | string | The name of the file to filter. | False |
guid | string | The guid of the file to filter. | False |
file_is_signed | boolean | The signed file filter. | False |
signature_verified | boolean | The signature verified file filter. | False |
path | string | The path of the file to filter. | False |
* **query_connection_cli**
CDC CLI for query-connection, run from the CDC message thread. It returns details of the available connections, based on the given connection name or server port.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
connection_name | string | Connection name to filter on. | False |
server_port | integer | Server port to filter on. | False |
* **prevent_file_cli**
CDC CLI for prevent-file, run from the CDC message thread. It performs the file prevention task in Cybereason, identifying the file by its MD5 hash.
Option | Type | Description | Required |
---|---|---|---|
company_name | string | The company name configured in the configuration. | False |
file_MD5_hash | string | The MD5 hash of the relevant file. | True |
Workflows
* **prevent_file_sub_workflow**
Sub-workflow to prevent a file.
* **query_file_by_process_sub_workflow**
Sub-workflow for search-file-by-process.
* **query_file_sub_workflow**
Sub-workflow to run a file search query.
* **query_user_sub_workflow**
Sub-workflow for query-user, run from the CDC message thread.
* **check_single_tenant**
Check that the installation type is of single tenant type.
* **query_connection_by_ip_sub_workflow**
Sub-workflow for query-connection-by-ip, run from the CDC message thread.
* **get_single_tenant_company_name**
Get the single tenant company name.
* **automate_malops_data_in_alert_created**
Workflow that enriches Malop data in CDC alerts when an alert is created.
* **query_malops_sub_workflow**
Sub-workflow for query-malops, run from the CDC message thread.
* **query_connection_sub_workflow**
Sub-workflow for query-connection, run from the CDC message thread.
* **query_domain_sub_workflow**
Sub-workflow for query-domain, run from the CDC message thread.
* **tenant_check_sub_workflow**
Checks the tenant type; if single tenant is activated, fetches the company name when it is not provided.
* **query_connection_by_machine_sub_workflow**
Sub-workflow for query-connection-by-machine, run from the CDC message thread.
* **query_process_on_machine_sub_workflow**
Sub-workflow for query-process-on-machine, run from the CDC message thread.
* **automate_malops_data_in_alert_updated**
Workflow that enriches Malop data in CDC alerts when an alert is updated.
* **is_probe_connected_sub_workflow**
Sub-workflow for is-probe-connected, run from the CDC message thread.
* **unprevent_file_sub_workflow**
Sub-workflow to unprevent a file.
* **query_process_sub_workflow**
Sub-workflow for query-search-process, run from the CDC message thread.
* **query_file_by_machine_sub_workflow**
Sub-workflow to run a search of files by machine.
Rules
* **automate_malops_data_enrichment_in_alert_update_rule**
Automates the Malop data enrichment in an alert when the alert is updated.
* **automate_malops_data_enrichment_in_alert_created_rule**
Automates the Malop data enrichment in an alert when the alert is created.
Sensors
* **MalopsSensor**
Sensor that pulls Malops (malware) from Cybereason.
Poll interval: 30s
Triggers
No triggers
Known Issues
- The Cybereason API for adding a comment to a Malop does not validate the provided malop guid, so add_comment will always return a success message even if the malop guid is invalid or does not exist in the system.
- The Cybereason API for updating a Malop status does not validate the provided malop guid, so update_malop_status will always return a success message even if the malop guid is invalid or does not exist in the system.
- Cybereason automatic enrichment of Malop data for alerts in the CDC is not available in CDC versions below 2.6.
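Because the Cybereason API reports success for update_malop_status_cli and add_comment_cli even when the Malop GUID does not exist, the practical mitigation is to confirm the GUID with query_malops_cli first. The Python below is an added example, not code from the pack: the three callables (query_malops, update_status, add_comment) are hypothetical adapters around those CLIs, the backend is a constructed fake that mirrors the known issue, and the GUID values are made up.

```python
from dataclasses import dataclass
from typing import Callable

# CLI status values and the Cybereason UI labels they map to (from the page).
STATUS_TO_UI = {"todo": "To review", "closed": "Remediated", "unread": "Unread",
                "fp": "Not relevant", "open": "Under investigation"}


@dataclass
class MalopGuard:
    """Confirms a Malop GUID exists before update-status / add-comment.

    The callables are hypothetical adapters around query_malops_cli,
    update_malop_status_cli and add_comment_cli, injected so the guard runs
    against a fake backend offline."""
    query_malops: Callable[[list[str]], set[str]]  # guid_list -> GUIDs Cybereason knows
    update_status: Callable[[str, str], dict]       # (guid, status) -> API response
    add_comment: Callable[[str, str], dict]         # (guid, comment) -> API response

    def _known(self, guid: str) -> bool:
        # query_malops_cli takes guid_list as an array, e.g. ['dummy_guid'].
        return guid in self.query_malops([guid])

    def safe_update_status(self, guid: str, status: str) -> dict:
        status = status.lower()
        if status not in STATUS_TO_UI:
            raise ValueError(f"unsupported status {status!r}; expected one of {sorted(STATUS_TO_UI)}")
        if not self._known(guid):
            # The backend would answer success here; refuse instead of trusting it.
            return {"ok": False, "guid": guid, "reason": "malop guid not found"}
        resp = self.update_status(guid, status)
        return {"ok": True, "guid": guid, "ui_status": STATUS_TO_UI[status], "api": resp}

    def safe_add_comment(self, guid: str, comment: str) -> dict:
        if not comment.strip():
            raise ValueError("comment must not be empty")
        if not self._known(guid):
            return {"ok": False, "guid": guid, "reason": "malop guid not found"}
        return {"ok": True, "guid": guid, "api": self.add_comment(guid, comment)}


def build_demo_guard() -> MalopGuard:
    """Fake backend: one constructed GUID is known, yet the status and comment
    calls report success for ANY guid, which is exactly the known issue."""
    known = {"11.1111111111111111111"}  # constructed sample GUID, not a real Malop
    return MalopGuard(
        query_malops=lambda guids: {g for g in guids if g in known},
        update_status=lambda guid, status: {"status": "success"},
        add_comment=lambda guid, comment: {"status": "success"},
    )
```

Against the real pack, query_malops would wrap query_malops_cli with the company name supplied by tenant_check_sub_workflow, and the rejected results are what the CDC message thread should show instead of the API's unconditional success.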