Cybereason 3.1.2
  • 16 Apr 2023
tags: Python | EDR | Automation | Prevention


Description

The Cybereason integration supports CDC users by enriching incidents with the details of specific domains, machines, processes, Malops (malicious operations), users, files and other entities known to Cybereason, so that CDC users can make informed incident-response decisions.

Cybereason EDR consolidates the intelligence about each attack into a single visual representation called a Malop. Each Malop organizes the relevant attack data into an interactive graphical interface that shows the full timeline of the attack, the flow of malware across processes and users, and all incoming and outgoing communications of the affected machines. This gives analysts a consolidated view of what happened in the environment.

CyberProof uses generic adaptive cards to display host-related information in a clear, intuitive GUI, so that both the host data and the host's status in Cybereason are easy to read. CyberProof also ensures that the pack's preventive capabilities (file prevention and machine isolation) can be enabled or disabled according to customer requirements.

This is done through CLI commands that prevent or un-prevent a file; enrich data about a specific connection, domain, machine, process (or the processes on a machine), Malop, user, file, connection by IP or connection by machine; isolate or un-isolate a machine; add a comment to a Malop; update a Malop's status; and so on.

Integration Type: EPP/EDR
Information read: Domain, Process, User, File, etc.
API Supported:
Input: Domain name / Machine name / Hash (MD5/SHA1/SHA256) / Malop GUID / Username / Process name / Threat name / File name / Malware name
Output: Detailed enrichment consisting of the relevant information.

Customer Configuration

To configure the password update scheduler, follow these steps:

  1. Go to the Cybereason Pack UI on StackStorm.
  2. Set ‘success_details_secret_name’ to the name of the secret that stores the details of companies whose password was updated successfully. Do not use underscores. Example: successDetails.
  3. Set ‘retry_details_secret_name’ to the name of the secret that stores the details of companies whose password update failed. Do not use underscores. Example: retryDetails.
  4. Set ‘cybereason_password_length’ to the length of the generated Cybereason password. Example: 12. The Cybereason password policy requires a minimum of 8 and a maximum of 64 characters.
  5. Set ‘attempt_details_config’ to the number of retry attempts and the interval before each attempt. Example: {"attempts_to_try":3,"timing_details_for_attempts":[1,3,8]}
    Timing values are in hours, for example 0.5, 1, 3, 8.
  6. To post the success or error messages of the password update scheduler, set ‘cdc_details_to_display_message’ with the required ‘cdc_type’ (channel, alert or incident) and the matching id_value. Example: {"cdc_type":"channel","id_value":"633422ed8c36e71ea063441c"}
  7. Note that all parameters in the steps above default to the example values shown, except ‘cdc_type’ and ‘id_value’, which have no defaults.

| Parameter | Required |
|---|---|
| success_details_secret_name | True |
| retry_details_secret_name | True |
| cybereason_password_length | True |
| attempt_details_config | True |
| cdc_details_to_display_message | True |
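The following is an added example, not code from the CyberProof pack, that checks a scheduler configuration against the rules stated in the steps above before it is saved (no underscores in secret names, password length within the 8 to 64 character policy, a delay for every retry attempt, a valid cdc_type with an id_value) and derives the retry times and a candidate password from it. The parameter names come from the page; the function names, the sample configuration, the reading of each timing value as hours after the failed run, and the character-class mix of the generated password are assumptions.

```python
"""Validate the Cybereason pack scheduler configuration and derive the retry
schedule and a candidate password. Added example; parameter names follow the
page, everything else (helpers, sample config, interpretation of timings) is
an assumption."""
import json
import secrets
import string
from datetime import datetime, timedelta, timezone

PASSWORD_MIN, PASSWORD_MAX = 8, 64                  # length bounds stated on the page
VALID_CDC_TYPES = {"channel", "alert", "incident"}  # cdc_type values stated on the page

# Constructed sample configuration mirroring the example values in the steps above.
SAMPLE_CONFIG = {
    "success_details_secret_name": "successDetails",
    "retry_details_secret_name": "retryDetails",
    "cybereason_password_length": 12,
    "attempt_details_config": '{"attempts_to_try":3,"timing_details_for_attempts":[1,3,8]}',
    "cdc_details_to_display_message": '{"cdc_type":"channel","id_value":"633422ed8c36e71ea063441c"}',
}


def _as_obj(value):
    """Accept either an already-parsed dict or the JSON string shown in the UI examples."""
    return value if isinstance(value, dict) else json.loads(value)


def validate_config(cfg):
    """Return a list of problems with the pack configuration; an empty list means acceptable."""
    problems = []
    for key in ("success_details_secret_name", "retry_details_secret_name"):
        name = cfg.get(key) or ""
        if not name:
            problems.append(f"{key} is required")
        elif "_" in name:
            problems.append(f"{key} must not contain underscores: {name!r}")

    length = cfg.get("cybereason_password_length")
    if not isinstance(length, int) or not PASSWORD_MIN <= length <= PASSWORD_MAX:
        problems.append(f"cybereason_password_length must be an integer between "
                        f"{PASSWORD_MIN} and {PASSWORD_MAX}")

    try:
        attempts = _as_obj(cfg.get("attempt_details_config"))
        n = attempts["attempts_to_try"]
        timings = attempts["timing_details_for_attempts"]
        # Assumption: the scheduler needs one delay per attempt, so the timing
        # list must be at least as long as attempts_to_try.
        if not isinstance(n, int) or n < 1 or len(timings) < n:
            problems.append("attempt_details_config: need a positive attempts_to_try "
                            "and at least that many timing entries")
        if any(not isinstance(t, (int, float)) or t <= 0 for t in timings):
            problems.append("attempt_details_config: timings must be positive hours")
    except (TypeError, ValueError, KeyError):
        problems.append("attempt_details_config must be JSON with attempts_to_try "
                        "and timing_details_for_attempts")

    try:
        display = _as_obj(cfg.get("cdc_details_to_display_message"))
        if display.get("cdc_type") not in VALID_CDC_TYPES or not display.get("id_value"):
            problems.append("cdc_details_to_display_message needs cdc_type of "
                            "channel/alert/incident and a non-empty id_value")
    except (TypeError, ValueError, AttributeError):
        problems.append("cdc_details_to_display_message must be a JSON object")
    return problems


def retry_schedule(cfg, failed_at):
    """Times at which the retry rule should re-run after a failed password update.
    Assumption: each timing value is hours after the failed run, not cumulative."""
    attempts = _as_obj(cfg["attempt_details_config"])
    timings = attempts["timing_details_for_attempts"][: attempts["attempts_to_try"]]
    return [failed_at + timedelta(hours=h) for h in timings]


def generate_password(length):
    """Random password of the configured length with at least one lower-case,
    upper-case, digit and punctuation character. Assumption: the page only
    states the length policy; the character-class mix is this example's choice."""
    if not PASSWORD_MIN <= length <= PASSWORD_MAX:
        raise ValueError("length outside the Cybereason password policy")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-=+"]
    chars = [secrets.choice(c) for c in classes]          # guarantee one of each class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                 # hide the class order
    return "".join(chars)


if __name__ == "__main__":
    print("problems:", validate_config(SAMPLE_CONFIG) or "none")
    for when in retry_schedule(SAMPLE_CONFIG, datetime.now(timezone.utc)):
        print("retry at", when.isoformat())
    print("candidate password:", generate_password(SAMPLE_CONFIG["cybereason_password_length"]))
```

Running validate_config before saving the pack configuration catches the mistakes the UI accepts silently, such as an underscore in a secret name or a password length outside the policy; the retry schedule makes the meaning of the timing list visible before the rule ever fires.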

CDC Command Lines

* **add_comment_cli**
Adds a comment to a Malop from the CDC (CLI created at SOC request). comment and malop_guid are mandatory. All available Malop GUIDs for a company can be listed by running query_malops_cli with that company name from the CDC.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | Company name configured in the configuration. | False |
| malop_guid | string | Globally unique identifier of the Malop (malicious operation). | True |
| comment | string | The comment to be added. | True |

* **check_cli_action_availability_and_remove_disabled**
Checks whether a CLI action is enabled and removes the CLIs that are disabled for the pack.

| Option | Type | Description | Required |
|---|---|---|---|
| pack_name | string | Name of the pack. | True |
| cli_action_name | string | Name of the CLI action to check. | True |

* **get_disabled_cli_action_list**
Returns the list of CLI actions that are disabled for the pack.

| Option | Type | Description | Required |
|---|---|---|---|
| disabled_cli_action_list | array | List of CLI action names that are disabled for the pack. | True |

* **isolate_machine_cli**
CDC CLI for isolate-machine in the CDC message thread. Isolates a machine through Cybereason.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| machine | string | The name of the machine. | True |

* **is_probe_connected_cli**
CDC CLI for is-probe-connected in the CDC message thread. Checks whether the machine's Cybereason probe is connected.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| machine | string | The name of the machine. | True |

* **prevent_file_cli**
CDC CLI for prevent-file in the CDC message thread. Prevents (blocks) a file, identified by its MD5 hash, through Cybereason.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| file_MD5_hash | string | The MD5 hash of the relevant file. | True |

* **query_connection_by_ip_cli**
CDC CLI for query-connection-by-ip in the CDC message thread. Returns connection information for the given IP address and applied filters.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| ip | string | IP address in IPv4 or IPv6 format. | True |
| has_suspicions | boolean | True to return only connections with suspicions. | False |
| used_by_malware | boolean | True to return only connections used by malware. | False |
| country_name | string | Country name to filter on. | False |

* **query_connection_by_machine_cli**
CDC CLI for query-connection-by-machine in the CDC message thread. Returns connection details for the given machine and applied filters.

| Option | Type | Description | Required |
|---|---|---|---|
| machine | string | The name of the machine. | True |
| company_name | string | The company name configured in the configuration. | False |
| has_suspicions | boolean | True to return only machines with suspicions. | False |
| has_malops | boolean | True to return only machines with Malops. | False |
| has_suspicious_processes | boolean | True to return only machines with suspicious processes. | False |
| os_type | string | OS type to filter on. | False |

* **query_connection_by_malops_guid_cli**
CDC CLI for query-connection-by-malops-guid in the CDC message thread. Returns connection details for the given Malop GUID.

| Option | Type | Description | Required |
|---|---|---|---|
| malops_guid | string | The GUID of the Malop to search. | True |
| company_name | string | The company name configured in the configuration. | False |

* **query_connection_cli**
CDC CLI for query-connection in the CDC message thread. Returns details of the connections matching the given connection_name or server_port.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| connection_name | string | Connection name to filter on. | False |
| server_port | integer | Server port to filter on. | False |

* **query_domain_cli**
CDC CLI for query-domain in the CDC message thread. Returns details of the given domain, narrowed by the applied filters.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| domain_name | string | The domain name to search. | True |
| reputation | string | Reputation filter. | False |
| is_internal_domain | boolean | Filter on whether the domain is internal. | False |
| was_ever_resolved | boolean | Filter on whether the domain was ever resolved. | False |
| was_ever_resolved_as_second_domain | boolean | Filter on whether the domain was ever resolved as a second-level domain. | False |

* **query_file_by_machine_cli**
CDC CLI for search-file-by-machine in the CDC message thread. Returns file information for the given machine and applied filters.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| machine | string | The name of the machine. | False |
| has_suspicions | boolean | True to return only machines with suspicions. | False |
| has_malops | boolean | True to return only machines with Malops. | False |
| has_suspicious_processes | boolean | True to return only machines with suspicious processes. | False |
| os_type | string | OS type of the machine to filter on. | False |

* **query_file_by_process_cli**
CDC CLI for search-file-by-process in the CDC message thread. Returns file information based on process filters.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| is_downloaded_from_internet | boolean | Whether the process was downloaded from the internet. | False |
| has_malops | boolean | Filter on processes with Malops. | False |
| has_suspicions | boolean | Filter on processes with suspicions. | False |
| command_line | string | Command line filter. | False |
| has_listening_connection | boolean | Filter on processes with a listening connection. | False |
| has_external_connection | boolean | Filter on processes with an external connection. | False |

* **query_file_cli**
CDC CLI for search-file in the CDC message thread. Returns file details based on the filters provided.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| hash_value | string | Hash of the file to filter on. | False |
| name | string | Name of the file to filter on. | False |
| guid | string | GUID of the file to filter on. | False |
| file_is_signed | boolean | Filter on signed files. | False |
| signature_verified | boolean | Filter on files whose signature is verified. | False |
| path | string | Path of the file to filter on. | False |

* **query_malops_cli**
CDC CLI for query-malops in the CDC message thread. Returns details of the Malops with the given GUIDs. Note that guid_list must be an array, e.g. ['dummy_guid'].

| Option | Type | Description | Required |
|---|---|---|---|
| guid_list | array | Globally unique identifiers of the Malops. | False |
| company_name | string | The company name configured in the configuration. | False |

* **query_process_cli**
CDC CLI for query-search-process in the CDC message thread. Returns information about processes matching the process name and other filters.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| process_name | string | The Malop process name to filter on. | True |
| guid | string | The Malop GUID to filter on. | False |
| is_downloaded_from_internet | boolean | Whether the process was downloaded from the internet. | False |
| has_malops | boolean | Filter on processes with Malops. | False |
| has_suspicions | boolean | Filter on processes with suspicions. | False |
| command_line | string | Command line filter. | False |
| has_incoming_connection | boolean | Filter on processes with an incoming connection. | False |
| has_outgoing_connection | boolean | Filter on processes with an outgoing connection. | False |

* **query_process_on_machine_cli**
CDC CLI for query-process-on-machine in the CDC message thread. Returns information about the processes on the given machine, narrowed by the other applied filters.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| machine_name | string | Name of the machine whose processes are searched. | True |
| has_malop | boolean | Filter on processes with Malops. | False |
| has_suspicions | boolean | Filter on processes with suspicions. | False |
| has_suspicions_process | boolean | Filter on suspicious processes. | False |
| os_type | string | OS type to filter on. | False |

* **query_user_cli**
CDC CLI for query-user in the CDC message thread. Returns user information based on the available filters.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| domain_user_name | string | Domain/user name to filter on. | False |
| domain | string | Domain name to filter on. | False |
| has_suspicious | boolean | Filter on users with suspicions. | False |
| local_system | boolean | Filter on local system accounts. | False |

* **unisolate_machine_cli**
CDC CLI for unisolate-machine in the CDC message thread. Un-isolates a machine through Cybereason.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| machine | string | The name of the machine. | True |

* **unprevent_file_cli**
CDC CLI for unprevent-file in the CDC message thread. Removes the prevention on a file, identified by its MD5 hash, through Cybereason.

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| file_MD5_hash | string | The MD5 hash of the relevant file. | True |

* **update_malop_status_cli**
Updates the status of a Malop from the CDC (CLI created at SOC request). malop_guid and status are mandatory; company_name can be omitted, in which case the single-tenant company name is looked up (see tenant_check_sub_workflow). The status values accepted by the CLI are translated to the Cybereason UI status as follows: "todo" becomes "To review", "closed" becomes "Remediated", "unread" becomes "Unread", "fp" becomes "Not relevant" and "open" becomes "Under investigation".

| Option | Type | Description | Required |
|---|---|---|---|
| company_name | string | The company name configured in the configuration. | False |
| malop_guid | string | Globally unique identifier of the Malop (malicious operation). | True |
| status | string | The new status (todo, closed, unread, fp or open). | True |

Workflows

* **automate_malops_data_in_alert_async_created**
Workflow for enriching malops data in CDC alerts.

* **automate_malops_data_in_alert_created**
Workflow for enriching malops data in CDC alerts.

* **automate_malops_data_in_alert_updated**
Workflow for enriching malops data in CDC alerts.

* **check_single_tenant**
Check that the installation type is of single tenant type.

* **get_single_tenant_company_name**
Get the single tenant company name.

* **is_probe_connected_sub_workflow**
Sub-workflow backing the is-probe-connected CLI in the CDC message thread.

* **password_update**
Update password.

* **prevent_file_sub_workflow**
Sub-workflow to prevent a file.

* **query_connection_by_ip_sub_workflow**
Sub-workflow backing the query-connection-by-ip CLI in the CDC message thread.

* **query_connection_by_machine_sub_workflow**
Sub-workflow backing the query-connection-by-machine CLI in the CDC message thread.

* **query_connection_by_malops_guid_sub_workflow**
Sub-workflow backing the query-connection-by-malops-guid CLI in the CDC message thread.

* **query_connection_sub_workflow**
Sub-workflow backing the query-connection CLI in the CDC message thread.

* **query_domain_sub_workflow**
Sub-workflow backing the query-domain CLI in the CDC message thread.

* **query_file_by_machine_sub_workflow**
Sub-workflow to run a search file by machine.

* **query_file_by_process_sub_workflow**
Sub-workflow backing the search-file-by-process CLI in the CDC message thread.

* **query_file_sub_workflow**
Sub-workflow to run a file search query.

* **query_malops_sub_workflow**
Sub-workflow backing the query-malops CLI in the CDC message thread.

* **query_process_on_machine_sub_workflow**
Sub-workflow backing the query-process-on-machine CLI in the CDC message thread.

* **query_process_sub_workflow**
Sub-workflow backing the query-search-process CLI in the CDC message thread.

* **query_user_sub_workflow**
Sub-workflow backing the query-user CLI in the CDC message thread.

* **tenant_check_sub_workflow**
Check the type of tenant if a single tenant is activated, and then fetch the company name if not provided.

* **unprevent_file_sub_workflow**
Sub-workflow for unprevent file.


Rules

* **automate_malops_data_enrichment_in_alert_created_async_rule**
Automate the malops data enrichment in an alert when an alert is created.

* **automate_malops_data_enrichment_in_alert_update_rule**
Automate the malops data enrichment in an alert when an alert is updated.

* **updates_cybereason_password_retry**
Retry scheduler for Cybereason password updates that failed on a previous run (the companies recorded under retry_details_secret_name), using the attempts and delays in attempt_details_config.

* **update_cybereason_password**
Scheduler that updates the password for the Cybereason companies/users.


Sensors

* **MalopsSensor**
Sensor that polls Cybereason for Malops (malicious operations).

Poll interval: 30 s


Triggers

No triggers


Known Issues

  • The Cybereason add-comment API does not validate the Malop GUID it is given, so add_comment_cli returns a success message even when the GUID is invalid or does not exist in the system.
  • The Cybereason update-malop-status API does not validate the Malop GUID it is given, so update_malop_status_cli returns a success message even when the GUID is invalid or does not exist in the system.
  • Automatic Cybereason enrichment of Malop data in CDC alerts is not available in CDC versions below 2.6.
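Because the API accepts an unknown GUID and still reports success, a mistyped GUID in add_comment_cli or update_malop_status_cli is silently lost. The following added example (not the pack's code) shows the guard a wrapper can apply: validate the status against the values listed under update_malop_status_cli, confirm the Malop exists through a query_malops call with the GUID in a list (as the page says that CLI expects), and only then issue the update or comment. The FakeMalopBackend, its method names and the GUID values are constructed stand-ins for the real Cybereason actions, and reproduce the always-success behaviour described in the known issues.

```python
"""Guard Malop comment/status updates against the always-success behaviour
described in the known issues. Added example, not part of the CyberProof pack;
the backend interface and the GUID values are constructed assumptions."""

# Status values accepted by update_malop_status_cli and the Cybereason UI
# label each one maps to, as listed on the page.
STATUS_TO_UI_LABEL = {
    "todo": "To review",
    "closed": "Remediated",
    "unread": "Unread",
    "fp": "Not relevant",
    "open": "Under investigation",
}


class FakeMalopBackend:
    """Constructed stand-in for the Cybereason API. As with the real API (per
    the known issues), update and comment calls report success for any GUID."""

    def __init__(self, known_guids):
        self.malops = {g: {"status": "unread", "comments": []} for g in known_guids}
        self.calls = []  # record of write calls, to show what was (not) sent

    def query_malops(self, guid_list):
        # Only existing Malops come back; unknown GUIDs are silently dropped.
        return [dict(guid=g, **self.malops[g]) for g in guid_list if g in self.malops]

    def update_malop_status(self, guid, status):
        self.calls.append(("update_malop_status", guid, status))
        if guid in self.malops:
            self.malops[guid]["status"] = status
        return {"status": "success"}  # even for an unknown GUID

    def add_comment(self, guid, comment):
        self.calls.append(("add_comment", guid, comment))
        if guid in self.malops:
            self.malops[guid]["comments"].append(comment)
        return {"status": "success"}  # even for an unknown GUID


def malop_exists(backend, malop_guid):
    """Precheck: query_malops takes a list of GUIDs and returns only those that exist."""
    return any(m["guid"] == malop_guid for m in backend.query_malops([malop_guid]))


def update_malop_status_checked(backend, malop_guid, status):
    """Validate the status value and confirm the Malop exists before updating."""
    if status not in STATUS_TO_UI_LABEL:
        return {"ok": False, "error": f"unknown status {status!r}; expected one of "
                                      f"{sorted(STATUS_TO_UI_LABEL)}"}
    if not malop_exists(backend, malop_guid):
        return {"ok": False, "error": f"malop {malop_guid} not found; not updating"}
    backend.update_malop_status(malop_guid, status)
    return {"ok": True, "malop_guid": malop_guid, "ui_status": STATUS_TO_UI_LABEL[status]}


def add_comment_checked(backend, malop_guid, comment):
    """Reject empty comments and confirm the Malop exists before commenting."""
    if not comment.strip():
        return {"ok": False, "error": "comment must not be empty"}
    if not malop_exists(backend, malop_guid):
        return {"ok": False, "error": f"malop {malop_guid} not found; comment dropped"}
    backend.add_comment(malop_guid, comment)
    return {"ok": True, "malop_guid": malop_guid}


if __name__ == "__main__":
    backend = FakeMalopBackend(["malop-A1", "malop-B2"])  # constructed GUIDs
    print(update_malop_status_checked(backend, "malop-A1", "open"))
    print(update_malop_status_checked(backend, "malop-ZZ", "closed"))   # typo: rejected here
    print(add_comment_checked(backend, "malop-B2", "Triaged by SOC L2"))
    print(backend.update_malop_status("malop-ZZ", "closed"))           # raw API: still "success"
```

The same precheck belongs in any workflow that closes or annotates Malops in bulk: the raw call at the end of the block shows why a "success" response alone is not evidence that the Malop was touched.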

Change Log

| Pack Version | Date of Merge | Changes |
|---|---|---|
| v3.1.1 | 2022-11-01 | Azure Pack version changes needed for password update. |
| v3.1.0 | 2022-10-04 | Logic Apps support. |
| v3.0.0 | 2022-09-07 | CDC Async and backend API replacement. |
| v2.14.2 | 2022-08-29 | Update for regression versions pack updates. |
| v2.14.1 | 2022-07-27 | Added log_levels in alert update and creation related workflows. |
| v2.14.0 | 2022-07-12 | Added change for Async alert create malops rule. |
