# Cybereason
This Integration is part of the Cybereason Pack.
Endpoint detection and response to manage and query malops, connections and processes.
This integration was integrated and tested with version 21.2 of Cybereason.

## Configure Cybereason in Cortex

Parameter | Required |
---|---|
Server URL (e.g. https://192.168.0.1) | True |
Credentials | False |
Password | False |
Trust any certificate (not secure) | False |
Use system proxy settings | False |
Fetch incidents | False |
Incident type | False |
First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
Fetch by "MALOP CREATION TIME" or by "MALOP UPDATE TIME" (Fetching by Malop update time might create duplicates of Malops as incidents) | False |

## Cybereason MalOp to XSOAR Incident Map

The integration maps fields of the Cybereason MalOp response to XSOAR incident fields, so that each MalOp can be managed and tracked as an incident.

### Overview
- Incident Mapping: specific fields of the MalOp response are mapped to the corresponding incident fields in XSOAR, so the relevant MalOp information is captured accurately.
- Custom Fields: in addition to the standard incident fields, the integration introduces custom fields for data specific to the MalOp workflow:
  - `malopcreationtime`
  - `malopupdatetime`
  - `maloprootcauseelementname`
  - `maloprootcauseelementtype`
  - `malopseverity`
  - `malopdetectiontype`
  - `malopedr`
  - `malopurl`
  - `malopgroup`

  These custom fields add flexibility and finer granularity to the incident information.

### Usage
- Configure Custom Fields: make sure all of the custom fields listed above exist in XSOAR before running the fetch function.
- Enable Fetch Incidents: turn on the *Fetch incidents* instance parameter; this is the function that fetches MalOps.
- Monitor Incidents: once MalOps are converted, they appear as incidents in XSOAR and can be managed there.
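The fetch-and-map flow described above, as an added example that is not the integration's own code: it converts MalOp records shaped after this README's `Cybereason.Malops` context output into XSOAR-style incident dicts carrying the custom fields listed above, and shows why fetching by "MALOP UPDATE TIME" can produce duplicate incidents unless already-ingested GUIDs are tracked in the last-run state. The attribute names marked `assumed` in `CUSTOM_FIELD_MAP`, the sample MalOps and the `maliciousPsExec` decision feature are constructed for this example and are not taken from the Cybereason API.

```python
"""Map Cybereason MalOps to XSOAR-style incidents and de-duplicate across fetch runs.

Added example, not the integration's code.  MalOp records follow the field names
of the README's Cybereason.Malops context output (GUID, CreationTime,
LastUpdatedTime, Link, Status, DecisionFeature); attributes marked 'assumed' are
placeholders for data the README lists as custom fields but does not name in the
context output.
"""
import json

# Custom incident field -> MalOp attribute that feeds it.
CUSTOM_FIELD_MAP = {
    "malopcreationtime": "CreationTime",
    "malopupdatetime": "LastUpdatedTime",
    "maloprootcauseelementname": "RootCauseElementName",  # assumed attribute name
    "maloprootcauseelementtype": "RootCauseElementType",  # assumed attribute name
    "malopseverity": "Severity",                          # assumed attribute name
    "malopdetectiontype": "DecisionFeature",
    "malopedr": "IsEdr",                                  # assumed attribute name
    "malopurl": "Link",
    "malopgroup": "Group",                                # assumed attribute name
}


def malop_to_incident(malop: dict) -> dict:
    """Build an XSOAR incident dict (name / occurred / rawJSON / CustomFields)."""
    return {
        "name": f"Cybereason Malop {malop['GUID']}",
        "occurred": malop["CreationTime"],
        "rawJSON": json.dumps(malop, sort_keys=True),
        "CustomFields": {field: malop.get(attr) for field, attr in CUSTOM_FIELD_MAP.items()},
    }


def fetch_incidents(malops, last_run: dict, fetch_by: str = "creation"):
    """Select MalOps newer than the last run and convert them to incidents.

    fetch_by="creation" mirrors 'MALOP CREATION TIME': a MalOp enters the window once.
    fetch_by="update" mirrors 'MALOP UPDATE TIME': every status change (comment, status
    update, new evidence) moves the MalOp back into the window.  GUIDs recorded in
    last_run["seen"] are therefore returned in `updated` instead of becoming a second
    incident for the same MalOp.
    Timestamps are ISO-8601 strings of identical layout, so string comparison is safe.
    Returns (new_incidents, updated_guids, next_last_run).
    """
    key = "CreationTime" if fetch_by == "creation" else "LastUpdatedTime"
    since = last_run.get("time", "")
    seen = set(last_run.get("seen", []))
    incidents, updated, newest = [], [], since
    for malop in sorted(malops, key=lambda m: m[key]):
        if malop[key] <= since:          # already covered by a previous run
            continue
        newest = max(newest, malop[key])
        if malop["GUID"] in seen:        # would be a duplicate incident
            updated.append(malop["GUID"])
            continue
        seen.add(malop["GUID"])
        incidents.append(malop_to_incident(malop))
    return incidents, updated, {"time": newest, "seen": sorted(seen)}


# Constructed sample MalOps, shaped after the README's context output.
SAMPLE_MALOPS = [
    {"GUID": "11.1234567890", "CreationTime": "2021-07-12T00:00:00.000000",
     "LastUpdatedTime": "2021-07-12T00:00:00.000000", "Status": "OPEN",
     "DecisionFeature": "blackListedFileHash",
     "Link": "https://test.server.net:0000/#/malop/11.1234567890"},
    {"GUID": "11.9874563210", "CreationTime": "2021-07-13T00:00:00.000000",
     "LastUpdatedTime": "2021-07-13T00:00:00.000000", "Status": "OPEN",
     "DecisionFeature": "maliciousPsExec",
     "Link": "https://test.server.net:0000/#/malop/11.9874563210"},
]


def demo():
    """Two fetch cycles by update time; the second only sees a status change."""
    first, _, state = fetch_incidents(SAMPLE_MALOPS, {}, fetch_by="update")
    # An analyst moves the first MalOp to "To Review": its update time advances.
    changed = dict(SAMPLE_MALOPS[0], Status="To Review",
                   LastUpdatedTime="2021-08-28T00:00:00.000000")
    second, updated, state = fetch_incidents([changed, SAMPLE_MALOPS[1]], state, fetch_by="update")
    return len(first), len(second), updated


if __name__ == "__main__":
    print(demo())  # (2, 0, ['11.1234567890'])
```

Without the `seen` set the second cycle would create a fresh incident for GUID `11.1234567890`, which is exactly the duplication the instance parameter warns about; persisting the set in the last-run object is what keeps fetch-by-update idempotent.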

## Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### cybereason-query-processes
Searches for processes with various filters.

#### Base Command
`cybereason-query-processes`

#### Input
Argument Name | Description | Required |
---|---|---|
machine | The hostname of the machine. | Optional |
onlySuspicious | Show only suspicious processes. Possible values are: true, false. Default is false. | Optional |
limit | Maximum number of results to retrieve. Default is 10000. | Optional |
processName | Process name to filter by. | Optional |
saveToContext | If true, save the result to the context. Possible values are: true, false. Default is false. | Optional |
hasIncomingConnection | Filter only processes with incoming connections. Possible values are: true, false. Default is false. | Optional |
hasOutgoingConnection | Filter only processes with outgoing connections. Possible values are: true, false. Default is false. | Optional |
hasExternalConnection | If process has external connection. Possible values are: true, false. | Optional |
unsignedUnknownReputation | If process is not known to reputation services and its image file is unsigned. Possible values are: true, false. | Optional |
fromTemporaryFolder | If process is running from temporary folder. Possible values are: true, false. | Optional |
privilegesEscalation | If process was identified elevating its privileges to local system user. Possible values are: true, false. | Optional |
maliciousPsExec | If the process was executed by PsExec service and is suspicious as being executed maliciously. Possible values are: true, false. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.Process.Name | Unknown | The process name |
Cybereason.Process.Malicious | Unknown | Malicious status of the process |
Cybereason.Process.CreationTime | Unknown | The process creation time |
Cybereason.Process.EndTime | Unknown | The process end time |
Cybereason.Process.CommandLine | Unknown | The command line of the process |
Cybereason.Process.SignedAndVerified | Unknown | Is the process signed and verified |
Cybereason.Process.ProductType | Unknown | The product type |
Cybereason.Process.Children | Unknown | Children of the process |
Cybereason.Process.Parent | Unknown | The parent process |
Cybereason.Process.OwnerMachine | Unknown | The machine's hostname |
Cybereason.Process.User | Unknown | The user who ran the process |
Cybereason.Process.ImageFile | Unknown | Image file of the process |
Cybereason.Process.SHA1 | Unknown | SHA1 of the process file |
Cybereason.Process.MD5 | Unknown | MD5 of the process file |
Cybereason.Process.CompanyName | Unknown | The company's name |
Cybereason.Process.ProductName | Unknown | The product's name |

#### Command example
`!cybereason-query-processes machine=machine-name hasOutgoingConnection=true hasIncomingConnection=true`

#### Human Readable Output
##### Cybereason Processes

Name | Malicious | Creation Time | End Time | Command Line | Signed and Verified | Product Type | Children | Parent | Owner Machine | User | Image File | SHA1 | MD5 | Company Name | Product Name |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
svchost.exe | indifferent | 2022-05-06T04:15:33.939000 | | C:\WINDOWS\system32\svchost.exe -k LocalService -s W32Time | true | SVCHOST | | services.exe | machine-name | machine-name\local service | svchost.exe | wxyz1234 | abc123 | Microsoft Corporation | Microsoft® Windows® Operating System |

### cybereason-is-probe-connected
Checks whether the machine is currently connected to the Cybereason server.

#### Base Command
`cybereason-is-probe-connected`

#### Input
Argument Name | Description | Required |
---|---|---|
machine | The hostname of the machine to check. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.Machine.isConnected | boolean | true if machine is connected, else false |
Cybereason.Machine.Name | string | Machine name |

#### Command example
`!cybereason-is-probe-connected machine=machine-name`

#### Human Readable Output
true

### cybereason-query-connections
Searches for connections.

#### Base Command
`cybereason-query-connections`

#### Input
Argument Name | Description | Required |
---|---|---|
ip | Filter connections which contain this IP (in or out). | Optional |
machine | Filter connections on the given machine. | Optional |
saveToContext | If true, save the result to the context. Possible values are: true, false. Default is false. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.Connection.Name | Unknown | The connection's name |
Cybereason.Connection.Direction | Unknown | OUTGOING/INCOMING |
Cybereason.Connection.ServerAddress | Unknown | Address of the Cybereason machine |
Cybereason.Connection.ServerPort | Unknown | Port of the Cybereason machine |
Cybereason.Connection.PortType | Unknown | Type of the connection |
Cybereason.Connection.ReceivedBytes | Unknown | Received bytes count |
Cybereason.Connection.TransmittedBytes | Unknown | Transmitted bytes count |
Cybereason.Connection.RemoteCountry | Unknown | The connection's remote country |
Cybereason.Connection.OwnerMachine | Unknown | The machine's hostname |
Cybereason.Connection.OwnerProcess | Unknown | The process which performed the connection |
Cybereason.Connection.CreationTime | Unknown | Creation time of the connection |
Cybereason.Connection.EndTime | Unknown | End time of the connection |

#### Command example
`!cybereason-query-connections ip=<host>`

#### Human Readable Output
##### Cybereason Connections for: 192.168.1.103

Creation Time | Direction | End Time | Name | Owner Machine | Owner Process | Port Type | Received Bytes | Remote Country | Server Address | Server Port | Transmitted Bytes |
---|---|---|---|---|---|---|---|---|---|---|---|
2021-04-20T00:00:00.000000 | OUTGOING | 2021-04-20T00:00:00.000000 | connection_ip_addresses | simplify-cyber | test.exe | SERVICE_WINDOWS | 0 | | 192.168.1.103 | 137 | 50 |

### cybereason-isolate-machine
Isolates an infected machine from the rest of the network.

#### Base Command
`cybereason-isolate-machine`

#### Input
Argument Name | Description | Required |
---|---|---|
machine | Machine name to be isolated. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.Machine | string | Machine name |
Cybereason.IsIsolated | boolean | Is the machine isolated |

#### Command example
`!cybereason-isolate-machine machine=machine-name`

#### Human Readable Output
Machine was isolated successfully.

### cybereason-unisolate-machine
Stops the isolation of a machine.

#### Base Command
`cybereason-unisolate-machine`

#### Input
Argument Name | Description | Required |
---|---|---|
machine | Machine name to be un-isolated. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.Machine | string | Machine name |
Cybereason.IsIsolated | boolean | Is the machine isolated |

#### Command example
`!cybereason-unisolate-machine machine=machine-name`

#### Human Readable Output
Machine was un-isolated successfully.

### cybereason-query-malops
Returns a list of all Malops and their details.

#### Base Command
`cybereason-query-malops`

#### Input
Argument Name | Description | Required |
---|---|---|
filters | Filter to filter response by, given in Cybereason API syntax. | Optional |
totalResultLimit | The total number of results to return. Keep the limit reasonable so the query does not overload the Cybereason server. | Optional |
perGroupLimit | The number of items to return per Malop group. | Optional |
templateContext | The level of detail to provide in the response. SPECIFIC: reference values contain only the count in the ElementValues class; the Suspicions map is calculated for each result, with the suspicion name and the first time the suspicion appeared; the Evidence map is not calculated. CUSTOM: reference values contain the specific Elements, up to the limit defined in the perFeatureLimit parameter; neither the Suspicions map nor the Evidence map is calculated. DETAILS: reference values contain the specific Elements, up to the limit defined in the perFeatureLimit parameter; the Suspicions map is calculated for each result, with the suspicion name and the first time the suspicion appeared; the Evidence map is not calculated. Possible values are: MALOP, SPECIFIC, CUSTOM, DETAILS, OVERVIEW. Default is MALOP. | Optional |
withinLastDays | Return all the malops within the last days. | Optional |
malopGuid | Malop GUIDs to filter by (Comma separated values supported, e.g. 11.123456789,11.9874563210). | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.Malops.GUID | string | The globally unique identifier (GUID) of the Malop. |
Cybereason.Malops.CreationTime | string | The time reported as when the malicious behavior began on the system. This is not the time that the Malop was first detected by Cybereason. |
Cybereason.Malops.DecisionFeature | string | The reason that Cybereason has raised the Malop. |
Cybereason.Malops.Link | string | Link to the Malop on Cybereason. |
Cybereason.Malops.Suspects | string | Malop suspect type and name |
Cybereason.Malops.LastUpdatedTime | string | Last updated time of malop |
Cybereason.Malops.AffectedMachine | string | List of machines affected by this Malop |
Cybereason.Malops.InvolvedHash | string | List of file hashes involved in this Malop |
Cybereason.Malops.Status | string | Malop management status |

#### Command example
`!cybereason-query-malops`

#### Human Readable Output
##### Cybereason Malops

GUID | Link | CreationTime | Status | LastUpdateTime | DecisionFailure | Suspects | AffectedMachine | InvolvedHash |
---|---|---|---|---|---|---|---|---|
<malop_id> | https://test.server.net:0000/#/malop/11.1234567890 | 2021-07-12T00:00:00.000000 | OPEN | 2021-08-28T00:00:00.000000 | blackListedFileHash | Process: test.exe | affected_machine_name | 1 |

### cybereason-malop-processes
Returns the processes involved in the given Malops.

#### Base Command
`cybereason-malop-processes`

#### Input
Argument Name | Description | Required |
---|---|---|
malopGuids | Comma-separated list of Malop GUIDs. (A Malop GUID can be retrieved with the cybereason-query-malops command.) | Required |
machineName | Machine names which were affected by malop. Comma separated values supported (e.g., machine1,machine2). | Optional |
dateTime | Starting Date and Time to filter the Processes based on their creation date. The format for the input is ("YYYY/MM/DD HH:MM:SS"). | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.Process.Name | string | The process name |
Cybereason.Process.Malicious | Unknown | Malicious status of the process |
Cybereason.Process.CreationTime | date | The process creation time |
Cybereason.Process.EndTime | date | The process end time |
Cybereason.Process.CommandLine | string | The command line of the process |
Cybereason.Process.SignedAndVerified | Unknown | Is the process signed and verified |
Cybereason.Process.ProductType | Unknown | The product type |
Cybereason.Process.Children | Unknown | Children of the process |
Cybereason.Process.Parent | Unknown | The parent process |
Cybereason.Process.OwnerMachine | Unknown | The machine's hostname |
Cybereason.Process.User | string | The user who ran the process |
Cybereason.Process.ImageFile | Unknown | Image file of the process |
Cybereason.Process.SHA1 | string | SHA1 of the process file |
Cybereason.Process.MD5 | string | MD5 of the process file |
Cybereason.Process.CompanyName | string | The company's name |
Cybereason.Process.ProductName | string | The product's name |

#### Command example
`!cybereason-malop-processes malopGuids=<malop_id>`

#### Human Readable Output
##### Cybereason Malop Processes

Name | Malicious | Creation Time | End Time | Command Line | Parent | Owner Machine | User | Image File | SHA1 | MD5 | Company Name | Product Name |
---|---|---|---|---|---|---|---|---|---|---|---|---|
winrar-x64-602.exe | indifferent | 2022-03-14T00:00:00.000000 | 2022-03-14T00:00:00.000000 | "C:\Users\user\winrar-x64-602.exe" | explorer.exe | machine-name | machine-name\user | winrar-x64-602.exe | 1234sajklfshljjvhlsdfhilh23 | md5_hash | Hello World | WinRAR |

### cybereason-add-comment
Adds a new comment to a Malop.

#### Base Command
`cybereason-add-comment`

#### Input
Argument Name | Description | Required |
---|---|---|
comment | Comment to add to the malop. | Required |
malopGuid | GUID of the Malop to add the comment to. (A Malop GUID can be retrieved with the cybereason-query-malops command.) | Required |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-add-comment comment=NewComment malopGuid=<malop_id>`

#### Human Readable Output
Comment added successfully

### cybereason-update-malop-status
Updates the status of a Malop.

#### Base Command
`cybereason-update-malop-status`

#### Input
Argument Name | Description | Required |
---|---|---|
malopGuid | Malop GUID to update its status. | Required |
status | Status to update. Possible values are: To Review, Unread, Remediated, Not Relevant, Open. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.Malops.GUID | string | Malop GUID |
Cybereason.Malops.Status | string | Malop status: To Review, Unread, Remediated, Not Relevant, Open |

#### Command example
`!cybereason-update-malop-status malopGuid=<malop_id> status="To Review"`

#### Human Readable Output
Successfully updated malop <malop_id> to status To Review

### cybereason-prevent-file
Prevents a Malop process file (by MD5) from running.

#### Base Command
`cybereason-prevent-file`

#### Input
Argument Name | Description | Required |
---|---|---|
md5 | Malop process file MD5 to prevent. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.Process.MD5 | string | Process file MD5 |
Cybereason.Process.Prevent | boolean | True if process file is prevented, else false |

#### Command example
`!cybereason-prevent-file md5=MD5`

#### Human Readable Output
File was prevented successfully

### cybereason-unprevent-file
Removes the prevention of a Malop process file (by MD5).

#### Base Command
`cybereason-unprevent-file`

#### Input
Argument Name | Description | Required |
---|---|---|
md5 | Malop process file MD5 to unprevent. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.Process.MD5 | string | Process file MD5 |
Cybereason.Process.Prevent | boolean | True if process file is prevented, else false |

#### Command example
`!cybereason-unprevent-file md5=MD5`

#### Human Readable Output
File was unprevented successfully

### cybereason-query-file
Queries files as part of an investigation.

#### Base Command
`cybereason-query-file`

#### Input
Argument Name | Description | Required |
---|---|---|
file_hash | File hash (SHA-1 and MD5 supported). | Required |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.File.Path | string | File path |
Cybereason.File.SHA1 | string | File SHA-1 hash |
Cybereason.File.Machine | string | Machine name on which file is located |
Cybereason.File.SuspicionsCount | number | File suspicions count |
Cybereason.File.Name | string | File name |
Cybereason.File.CreationTime | date | File creation time |
Cybereason.File.Suspicion | string | File suspicions object of suspicion as key and detected date as value |
Cybereason.File.OSVersion | string | Machine OS version on which file is located |
Cybereason.File.ModifiedTime | date | File modified date |
Cybereason.File.Malicious | boolean | Is file malicious |
Cybereason.File.Company | string | Company name |
Cybereason.File.MD5 | string | File MD5 hash |
Cybereason.File.IsConnected | boolean | Is machine connected to Cybereason |
Cybereason.File.Signed | boolean | Is file signed |
Cybereason.File.Evidence | string | File evidences |

#### Command example
`!cybereason-query-file file_hash=<file_hash>`

#### Human Readable Output
##### Cybereason file query results for the file hash: 77ab1e20c685e716b82c7c90b373316fc84cde23

Company | CreationTime | IsConnected | MD5 | Machine | Malicious | ModifiedTime | Name | Path | SHA1 | Signed |
---|---|---|---|---|---|---|---|---|---|---|
Hello World | 2022-02-28T00:00:00.000Z | false | MD5 | machine-name | false | 2022-05-09T00:00:00.000Z | winrar-x64-602.pdf.exe | c:\users\test\winrar-x64-602.pdf.exe | 1245sedecthebdfkjkgjljldl2348 | true |

### cybereason-query-domain
Queries domains as part of an investigation.

#### Base Command
`cybereason-query-domain`

#### Input
Argument Name | Description | Required |
---|---|---|
domain | Domain to query. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.Domain.Name | string | Domain name |
Cybereason.Domain.Malicious | boolean | Is domain malicious |
Cybereason.Domain.IsInternalDomain | boolean | Is domain internal |
Cybereason.Domain.Reputation | string | Domain reputation |
Cybereason.Domain.SuspicionsCount | number | Domain suspicions count |
Cybereason.Domain.WasEverResolved | boolean | Was domain ever resolved |
Cybereason.Domain.WasEverResolvedAsASecondLevelDomain | boolean | Was domain ever resolved as a second level domain |

#### Command example
`!cybereason-query-domain domain=www2.bing.com`

#### Human Readable Output
##### Cybereason domain query results for the domain: www2.bing.com

Name | Reputation | IsInternalDomain | WasEverResolved | WasEverResolvedAsASecondLevelDomain | Malicious | SuspicionsCount |
---|---|---|---|---|---|---|
www2.bing.com | indifferent | false | false | true | false | 0 |
www2.bing.com | | false | false | true | false | 0 |

### cybereason-query-user
Queries users as part of an investigation.

#### Base Command
`cybereason-query-user`

#### Input
Argument Name | Description | Required |
---|---|---|
username | Username to query. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.User.Username | string | User name |
Cybereason.User.Domain | string | User domain |
Cybereason.User.LastMachineLoggedInTo | string | Last machine which user logged in to |
Cybereason.User.LocalSystem | boolean | Is local system |
Cybereason.User.Organization | string | User organization |

#### Command example
`!cybereason-query-user username="user-name"`

#### Human Readable Output
##### Cybereason user query results for the username: machine-name\prase

Username | Domain | LastMachineLoggedInTo | Organization | LocalSystem |
---|---|---|---|---|
machine-name\prase | machine-name | machine-name | INTEGRATION | false |

### cybereason-archive-sensor
Archives a sensor.

#### Base Command
`cybereason-archive-sensor`

#### Input
Argument Name | Description | Required |
---|---|---|
sensorID | Sensor ID of Cybereason Sensor. | Required |
archiveReason | Reason for Archiving Cybereason Sensor. | Required |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-archive-sensor sensorID=SENSOR_ID archiveReason="Archive this Sensor"`

#### Human Readable Output
Sensor archive status: Failed Actions: 0. Succeeded Actions: 1

### cybereason-unarchive-sensor
Unarchives a sensor.

#### Base Command
`cybereason-unarchive-sensor`

#### Input
Argument Name | Description | Required |
---|---|---|
sensorID | Sensor ID of Cybereason Sensor. | Required |
unarchiveReason | Reason for Unarchiving Cybereason Sensor. | Required |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-unarchive-sensor sensorID=SENSOR_ID unarchiveReason="Unarchive this Sensor"`

#### Human Readable Output
Sensor unarchive status: Failed Actions: 0. Succeeded Actions: 1

### cybereason-delete-sensor
Deletes a sensor.

#### Base Command
`cybereason-delete-sensor`

#### Input
Argument Name | Description | Required |
---|---|---|
sensorID | Sensor ID of Cybereason Sensor. | Required |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-delete-sensor sensorID=SENSOR_ID`

#### Human Readable Output
Sensor deleted successfully.

### cybereason-start-fetchfile
Starts fetching a file from a sensor so it can be downloaded.

#### Base Command
`cybereason-start-fetchfile`

#### Input
Argument Name | Description | Required |
---|---|---|
malopGUID | Malop GUID for fetching a file from a sensor to download. | Required |
userName | The complete Cybereason user name string for the user performing the request. | Required |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-start-fetchfile malopGUID=<malop_id> userName=<user_name>`

#### Human Readable Output
Successfully started fetching file for the given malop

### cybereason-fetchfile-progress
Returns the batch ID of files waiting for download.

#### Base Command
`cybereason-fetchfile-progress`

#### Input
Argument Name | Description | Required |
---|---|---|
malopGuid | Malop GUID to know the progress for downloading a file. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
Cybereason.Download.Progress.fileName | unknown | Filename for the given malop |
Cybereason.Download.Progress.status | unknown | Status for batch ID |
Cybereason.Download.Progress.batchID | unknown | Unique batch id |

#### Command example
`!cybereason-fetchfile-progress malopGuid=<malop_id>`

#### Human Readable Output
Filename: ['winrar-x64-602.exe'] Status: [True] Batch ID: [-1234]

### cybereason-download-file
Downloads the fetched file to the machine.

#### Base Command
`cybereason-download-file`

#### Input
Argument Name | Description | Required |
---|---|---|
batchID | The batch id for the file download operation. | Required |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-download-file batchID=-1234`

#### Human Readable Output
Integration log: Downloading the file with this Batch ID: -1234

### cybereason-close-file-batch-id
Aborts a file download operation that is in progress.

#### Base Command
`cybereason-close-file-batch-id`

#### Input
Argument Name | Description | Required |
---|---|---|
batchID | The batch id to abort a file download operation. | Required |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-close-file-batch-id batchID=-1234`

#### Human Readable Output
Successfully aborts a file download operation that is in progress.

### cybereason-available-remediation-actions
Returns the details of all remediation actions that are available for the given Malop.

#### Base Command
`cybereason-available-remediation-actions`

#### Input
Argument Name | Description | Required |
---|---|---|
malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-available-remediation-actions malopGuid=<malop_id>`

#### Human Readable Output

### cybereason-kill-process
Kills a process of the malicious file. (Obtain the required inputs by running the cybereason-available-remediation-actions command, provided this remediation action is available for the Malop.)

#### Base Command
`cybereason-kill-process`

#### Input
Argument Name | Description | Required |
---|---|---|
malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
machine | Machine name to kill the process. | Required |
targetId | Target ID to kill the process. | Required |
userName | The complete Cybereason user name string for the user performing the request. | Required |
comment | Comment to add to the malop. | Optional |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-kill-process machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Kill the Process"`

#### Human Readable Output
Kill process remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

### cybereason-quarantine-file
Quarantines the detected malicious file in a secure location. (Obtain the required inputs by running the cybereason-available-remediation-actions command, provided this remediation action is available for the Malop.)

#### Base Command
`cybereason-quarantine-file`

#### Input
Argument Name | Description | Required |
---|---|---|
malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
machine | Machine name to quarantine a file. | Required |
targetId | Target ID to quarantine a file. | Required |
userName | The complete Cybereason user name string for the user performing the request. | Required |
comment | Comment to add to the malop. | Optional |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-quarantine-file machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Quarantine the File"`

#### Human Readable Output
Quarantine file remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

### cybereason-unquarantine-file
Releases a previously quarantined file from the secure location. (Obtain the required inputs by running the cybereason-available-remediation-actions command, provided this remediation action is available for the Malop.)

#### Base Command
`cybereason-unquarantine-file`

#### Input
Argument Name | Description | Required |
---|---|---|
malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
machine | Machine name to unquarantine a file. | Required |
targetId | Target ID to unquarantine a file. | Required |
userName | The complete Cybereason user name string for the user performing the request. | Required |
comment | Comment to add to the malop. | Optional |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-unquarantine-file machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Unquarantine the File"`

#### Human Readable Output
Unquarantine file remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

### cybereason-block-file
Blocks a file on one particular machine only. (Obtain the required inputs by running the cybereason-available-remediation-actions command, provided this remediation action is available for the Malop.)

#### Base Command
`cybereason-block-file`

#### Input
Argument Name | Description | Required |
---|---|---|
malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
machine | Machine name whose files needs to be blocked. | Required |
targetId | Target ID of file to be blocked. | Required |
userName | The complete Cybereason user name string for the user performing the request. | Required |
comment | Comment to add to the malop. | Optional |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-block-file machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Block a File"`

#### Human Readable Output
Block file remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

### cybereason-delete-registry-key
Deletes a registry entry associated with a malicious process. (Obtain the required inputs by running the cybereason-available-remediation-actions command, provided this remediation action is available for the Malop.)

#### Base Command
`cybereason-delete-registry-key`

#### Input
Argument Name | Description | Required |
---|---|---|
malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
machine | Machine name to delete the registry key. | Required |
targetId | Target ID to delete the registry key. | Required |
userName | The complete Cybereason user name string for the user performing the request. | Required |
comment | Comment to add to the malop. | Optional |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-delete-registry-key machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Remove the registry key"`

#### Human Readable Output
Delete registry key remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

### cybereason-kill-prevent-unsuspend
Prevents detected ransomware from running on the machine. (Obtain the required inputs by running the cybereason-available-remediation-actions command, provided this remediation action is available for the Malop.)

#### Base Command
`cybereason-kill-prevent-unsuspend`

#### Input
Argument Name | Description | Required |
---|---|---|
malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
machine | Machine name to prevent detected ransomware from running on the machine. | Required |
targetId | Target ID to prevent detected ransomware from running on the machine. | Required |
userName | The complete Cybereason user name string for the user performing the request. | Required |
comment | Comment to add to the malop. | Optional |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-kill-prevent-unsuspend machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Kill Prevent"`

#### Human Readable Output
Kill prevent unsuspend remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

### cybereason-unsuspend-process
Prevents a file associated with ransomware. (Obtain the required inputs by running the cybereason-available-remediation-actions command, provided this remediation action is available for the Malop.)

#### Base Command
`cybereason-unsuspend-process`

#### Input
Argument Name | Description | Required |
---|---|---|
malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
machine | Machine name to prevent a file associated with ransomware. | Required |
targetId | Target ID to prevent a file associated with ransomware. | Required |
userName | The complete Cybereason user name string for the user performing the request. | Required |
comment | Comment to add to the malop. | Optional |

#### Context Output
There is no context output for this command.

#### Command example
`!cybereason-unsuspend-process machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Unsuspend Process"`

#### Human Readable Output
Unsuspend process remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

### cybereason-malware-query
Queries malware records, with optional filters on attention flag, type, status and timestamp.

#### Base Command
`cybereason-malware-query`

#### Input
Argument Name | Description | Required |
---|---|---|
needsAttention | Filter malware by its needsAttention flag. Possible values are: True, False. | Optional |
type | Filter malware by type. Possible values are: KnownMalware, UnknownMalware, FilelessMalware, ApplicationControlMalware, RansomwareMalware. | Optional |
status | Filter malware by status. Possible values are: Done, Excluded, Detected, Prevented, Remediated, DeleteOnRestart, Quarantined. | Optional |
timestamp | Filter malware by timestamp, given as an epoch time (the command example below uses milliseconds). | Optional |
limit | Maximum number of malware records to return. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!cybereason-malware-query limit=5 needsAttention=True status=Done type=KnownMalware timestamp=1582206286000
#
Human Readable Output#
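Before issuing the query, an automation can check the arguments against the value sets listed above and refuse a timestamp given in epoch seconds instead of milliseconds (the command example uses 1582206286000, a millisecond value; a ten-digit value would silently query from 1970). The following is an added example written for this page, not code from the Cybereason integration. Only the argument names and allowed values come from the reference; the filter payload layout (a list of fieldName/operator/values filters plus sortingFieldName, sortDirection, limit and offset) is an assumed shape used for illustration.

```python
# Argument validation and filter construction for cybereason-malware-query.
# Argument names and allowed values are those documented above; the payload
# layout returned by build_malware_query() is an ASSUMPTION for this example.

MALWARE_TYPES = {
    "KnownMalware", "UnknownMalware", "FilelessMalware",
    "ApplicationControlMalware", "RansomwareMalware",
}
MALWARE_STATUSES = {
    "Done", "Excluded", "Detected", "Prevented", "Remediated",
    "DeleteOnRestart", "Quarantined",
}

# Epoch milliseconds for 1970-04-26: every realistic millisecond timestamp is
# above this, every epoch-seconds value before the year 2286 is below it.
_MIN_EPOCH_MS = 10_000_000_000


def _split_csv(value):
    """Split a comma-separated argument into stripped, non-empty values."""
    return [v.strip() for v in str(value).split(",") if v.strip()]


def _enum_filter(field, value, allowed):
    """Build one multi-value filter, rejecting values outside the allowed set."""
    values = _split_csv(value)
    unknown = sorted(set(values) - allowed)
    if unknown:
        raise ValueError(f"unknown {field} value(s): {', '.join(unknown)}")
    return {"fieldName": field, "operator": "Equals", "values": values}


def parse_epoch_ms(value):
    """Accept an epoch-milliseconds timestamp; reject seconds or non-integers."""
    try:
        ts = int(str(value).strip())
    except ValueError:
        raise ValueError(f"timestamp must be an integer, got {value!r}") from None
    if ts < _MIN_EPOCH_MS:
        raise ValueError(
            f"timestamp {ts} looks like epoch seconds; the command expects "
            "epoch milliseconds (e.g. 1582206286000)")
    return ts


def build_malware_query(args):
    """Validate a dict of command arguments (keyed like the table above) and
    return the query filter in the assumed payload layout."""
    try:
        limit = int(args.get("limit"))
    except (TypeError, ValueError):
        raise ValueError("limit is required and must be an integer") from None
    if limit <= 0:
        raise ValueError("limit must be positive")

    filters = []
    if args.get("needsAttention") is not None:
        flag = str(args["needsAttention"]).strip().lower()
        if flag not in ("true", "false"):
            raise ValueError("needsAttention must be True or False")
        filters.append({"fieldName": "needsAttention", "operator": "Is",
                        "values": [flag == "true"]})
    if args.get("type"):
        filters.append(_enum_filter("type", args["type"], MALWARE_TYPES))
    if args.get("status"):
        filters.append(_enum_filter("status", args["status"], MALWARE_STATUSES))
    if args.get("timestamp") is not None:
        filters.append({"fieldName": "timestamp", "operator": "GreaterThan",
                        "values": [parse_epoch_ms(args["timestamp"])]})

    return {
        "filters": filters,
        "sortingFieldName": "timestamp",
        "sortDirection": "DESC",
        "limit": limit,
        "offset": 0,
    }


if __name__ == "__main__":
    # The same arguments as the command example above, as an automation
    # would receive them from demisto.args().
    print(build_malware_query({"limit": "5", "needsAttention": "True",
                               "status": "Done", "type": "KnownMalware",
                               "timestamp": "1582206286000"}))
```

Values for type and status may be comma-separated, matching the multi-value filter lists in the reference; any value outside the documented sets is rejected before a request is made.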
cybereason-start-host-scanStart or stop a full or quick scan for a host.
#
Base Commandcybereason-start-host-scan
#
InputArgument Name | Description | Required |
---|---|---|
sensorID | Sensor ID of the host to scan. Comma-separated values are supported. | Required |
scanType | Scan type: FULL or QUICK starts a scan, STOP stops a running one. Possible values are: FULL, QUICK, STOP. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!cybereason-start-host-scan sensorID=SENSOR_ID scanType=FULL
#
Human Readable OutputBatch ID: -11156
#
cybereason-fetch-scan-statusGet the status and results of a host scan started with cybereason-start-host-scan.
#
Base Commandcybereason-fetch-scan-status
#
InputArgument Name | Description | Required |
---|---|---|
batchID | The batch ID obtained after initiating the scan. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!cybereason-fetch-scan-status batchID=-11156
#
Human Readable Output#
cybereason-get-sensor-idGet the Sensor ID of a machine.
#
Base Commandcybereason-get-sensor-id
#
InputArgument Name | Description | Required |
---|---|---|
machineName | The hostname of the machine. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!cybereason-get-sensor-id machineName=machine-name
#
Human Readable OutputSensor ID for the machine 'machine-name' is: SENSOR_ID
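The three commands above return their results only as human-readable text (none of them has context output): cybereason-get-sensor-id reports the sensor ID in a sentence, cybereason-start-host-scan reports a batch ID that may be negative, and cybereason-fetch-scan-status must be polled with that batch ID. An automation that scans a host by name therefore has to chain the three commands and parse those strings. The following is an added example for this page, not code from the integration. It assumes the entry shape returned by demisto.executeCommand in an XSOAR automation (a list of dicts with "HumanReadable" and "Contents" keys) and takes the executor as a parameter so the logic runs outside XSOAR; because the page does not document the scan-status format, the completion test is a caller-supplied predicate rather than a guess. The fake executor at the bottom is constructed from the outputs shown above.

```python
import re
import time
from typing import Any, Callable, Dict, List

# In an XSOAR automation the executor is demisto.executeCommand(name, args),
# which returns a list of War Room entries; each entry is a dict carrying at
# least "Contents" and "HumanReadable" (assumed shape for this example).
Executor = Callable[[str, Dict[str, Any]], List[Dict[str, Any]]]

# Patterns for the human-readable strings shown in the reference above.
_SENSOR_RE = re.compile(r"Sensor ID for the machine '(?P<host>[^']*)' is:\s*(?P<sid>\S+)")
_BATCH_RE = re.compile(r"Batch ID:\s*(?P<bid>-?\d+)")

SCAN_TYPES = ("FULL", "QUICK", "STOP")


def _human_readable(entries: List[Dict[str, Any]]) -> str:
    """Concatenate the HumanReadable text of every returned entry."""
    return "\n".join(str(e.get("HumanReadable") or "") for e in entries)


def get_sensor_id(execute: Executor, machine_name: str) -> str:
    """Resolve a hostname to its sensor ID via cybereason-get-sensor-id."""
    entries = execute("cybereason-get-sensor-id", {"machineName": machine_name})
    m = _SENSOR_RE.search(_human_readable(entries))
    if m is None:
        raise RuntimeError(f"no sensor ID returned for {machine_name!r}")
    return m.group("sid")


def start_host_scan(execute: Executor, sensor_ids: List[str], scan_type: str) -> int:
    """Start (FULL/QUICK) or stop (STOP) a scan and return the batch ID."""
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"scanType must be one of {SCAN_TYPES}, got {scan_type!r}")
    if not sensor_ids:
        raise ValueError("at least one sensor ID is required")
    entries = execute("cybereason-start-host-scan",
                      {"sensorID": ",".join(sensor_ids), "scanType": scan_type})
    m = _BATCH_RE.search(_human_readable(entries))
    if m is None:
        raise RuntimeError("cybereason-start-host-scan returned no batch ID")
    return int(m.group("bid"))  # batch IDs can be negative, e.g. -11156


def wait_for_scan(execute: Executor, batch_id: int,
                  is_finished: Callable[[List[Dict[str, Any]]], bool],
                  attempts: int = 12, delay_s: float = 0.0) -> List[Dict[str, Any]]:
    """Poll cybereason-fetch-scan-status until is_finished(entries) is true.

    The page does not document the status format, so the completion test is
    supplied by the caller instead of being guessed here."""
    for _ in range(attempts):
        entries = execute("cybereason-fetch-scan-status", {"batchID": str(batch_id)})
        if is_finished(entries):
            return entries
        if delay_s:
            time.sleep(delay_s)
    raise TimeoutError(f"scan batch {batch_id} not finished after {attempts} polls")


def scan_machine(execute: Executor, machine_name: str, scan_type: str,
                 is_finished: Callable[[List[Dict[str, Any]]], bool],
                 attempts: int = 12, delay_s: float = 0.0):
    """Hostname -> sensor ID -> scan batch -> polled status; returns all three."""
    sensor_id = get_sensor_id(execute, machine_name)
    batch_id = start_host_scan(execute, [sensor_id], scan_type)
    status = wait_for_scan(execute, batch_id, is_finished, attempts, delay_s)
    return sensor_id, batch_id, status


if __name__ == "__main__":
    # Constructed fake executor replaying the outputs shown in the reference;
    # in XSOAR pass demisto.executeCommand instead. The "done" flag is invented
    # for the demo, since the real status layout is not documented here.
    polls = {"n": 0}

    def fake_execute(name, args):
        if name == "cybereason-get-sensor-id":
            return [{"HumanReadable": f"Sensor ID for the machine '{args['machineName']}' is: SENSOR_ID"}]
        if name == "cybereason-start-host-scan":
            return [{"HumanReadable": "Batch ID: -11156"}]
        polls["n"] += 1
        return [{"Contents": {"batchID": args["batchID"], "done": polls["n"] >= 3}}]

    print(scan_machine(fake_execute, "machine-name", "QUICK",
                       is_finished=lambda es: bool(es and es[0]["Contents"]["done"])))
```

Parsing human-readable output is brittle by nature; if a later integration version changes the wording, the regexes fail loudly with a RuntimeError rather than returning a wrong ID, which is the behaviour you want in a playbook step that goes on to trigger a scan.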
#
cybereason-get-machine-detailsGet sensor and group details for a machine.
#
Base Commandcybereason-get-machine-details
#
InputArgument Name | Description | Required |
---|---|---|
machineName | The hostname of the machine. | Required |
page | The page number of machine records to retrieve (used for pagination) starting from 1. The page size is defined by the "pageSize" argument. | Optional |
pageSize | The number of machine records per page to retrieve (used for pagination). The page number is defined by the "page" argument. | Optional |
limit | The maximum number of records to retrieve. If "pageSize" is defined, this argument is ignored. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Cybereason.Sensor.MachineID | string | Sensor ID of machine |
Cybereason.Sensor.MachineName | string | Host name of machine |
Cybereason.Sensor.MachineFQDN | string | FQDN of machine |
Cybereason.Sensor.GroupID | string | Group ID of machine |
Cybereason.Sensor.GroupName | string | Group Name of machine |
#
Command example!cybereason-get-machine-details machineName=xyz-1
#
Context Example#
cybereason-query-malop-managementGet the management details of a Malop: its status, involved file hashes, creation and last-update times, and a link to it on Cybereason.
#
Base Commandcybereason-query-malop-management
#
InputArgument Name | Description | Required |
---|---|---|
malopGuid | The GUID of the Cybereason Malop. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Cybereason.Malops.GUID | string | The globally unique identifier (GUID) of the Malop. |
Cybereason.Malops.CreationTime | string | The time reported as when the malicious behavior began on the system. This is not the time that the Malop was first detected by Cybereason. |
Cybereason.Malops.Link | string | Link to the Malop on Cybereason. |
Cybereason.Malops.LastUpdatedTime | string | Time the Malop was last updated. |
Cybereason.Malops.InvolvedHash | string | List of file hashes involved in this Malop. |
Cybereason.Malops.Status | string | Malop management status. |
#
Command example!cybereason-query-malop-management malopGuid=<malop-guid>
#
Context Example#
cybereason-process-attack-treeGet the attack tree URL for a Cybereason process.
#
Base Commandcybereason-process-attack-tree
#
InputArgument Name | Description | Required |
---|---|---|
processGuid | GUID of the Cybereason process whose attack tree to retrieve (as used in the command example below). | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Cybereason.Process.ProcessID | string | Cybereason Process ID |
Cybereason.Process.URL | string | Attack tree url for a given Process |
#
Command example!cybereason-process-attack-tree processGuid=<process-guid>