
Cybereason

This Integration is part of the Cybereason Pack.

Endpoint detection and response integration to manage and query Malops, connections and processes. This integration was integrated and tested with version 21.2 of Cybereason.

Configure Cybereason in Cortex

| Parameter | Required |
| --- | --- |
| Server URL (e.g. https://192.168.0.1) | True |
| Credentials | False |
| Password | False |
| Trust any certificate (not secure) | False |
| Use system proxy settings | False |
| Fetch incidents | False |
| Incident type | False |
| First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
| Fetch by "MALOP CREATION TIME" or by "MALOP UPDATE TIME" (Fetching by Malop update time might create duplicates of Malops as incidents) | False |

Cybereason MalOp to XSOAR Incident Map

This involves the mapping of response fields to XSOAR incidents, enhancing the ability to manage and track security incidents effectively.

Overview

  1. Incident Mapping: The integration maps specific response fields to corresponding incident fields within XSOAR, ensuring that all relevant information is captured accurately.
  2. Custom Fields: In addition to standard incident fields, custom fields have been introduced to accommodate unique data requirements specific to our workflow:
  • malopcreationtime
  • malopupdatetime
  • maloprootcauseelementname
  • maloprootcauseelementtype
  • malopseverity
  • malopdetectiontype
  • malopedr
  • malopurl
  • malopgroup

These custom fields provide flexibility and enhance the granularity of the incident information.

Usage

  1. Configure Custom Fields: Ensure that all custom fields are properly set up in XSOAR before running the fetch function.
  2. Enable Fetch Incidents: Turn on the "Fetch incidents" integration parameter; this is the functionality that fetches Malops and converts them to incidents.
  3. Monitor Incidents: Once the MalOps are converted, they will appear as incidents in XSOAR, allowing for effective incident management.
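The mapping and fetch flow described above, as an added example that is not the integration's own code. It builds the XSOAR incident dict with the custom fields listed in the Overview from MalOp records shaped like this page's cybereason-query-malops context output, and shows why fetching by "MALOP UPDATE TIME" needs de-duplication by GUID: an updated MalOp comes back with the same GUID and must become an update, not a second incident. The sample MalOps, the placeholder GUIDs and links, the split of the "Suspects" string into root-cause type and name, and the `Severity`/`EDR`/`Group` source keys are assumptions made for the demo.

```python
"""Added example, not the integration's own code: map Cybereason MalOp
records to XSOAR incident dicts carrying the custom fields listed above,
and de-duplicate when fetching by MALOP UPDATE TIME."""
import json

FETCH_BY_CREATION = "MALOP CREATION TIME"
FETCH_BY_UPDATE = "MALOP UPDATE TIME"

# Constructed MalOps in the shape of this page's cybereason-query-malops
# context output; GUIDs and links are placeholders. The second record is the
# first MalOp seen again after it was updated (same GUID, newer update time).
SAMPLE_MALOPS = [
    {"GUID": "11.1111111111", "CreationTime": "2021-07-12T00:00:00.000000",
     "LastUpdateTime": "2021-08-28T00:00:00.000000",
     "DecisionFailure": "blackListedFileHash", "Suspects": "Process: test.exe",
     "AffectedMachine": ["win10-cybereaso", "marketing"],
     "Link": "https://<server>/#/malop/11.1111111111", "Status": "OPEN"},
    {"GUID": "11.1111111111", "CreationTime": "2021-07-12T00:00:00.000000",
     "LastUpdateTime": "2021-08-29T00:00:00.000000",
     "DecisionFailure": "blackListedFileHash", "Suspects": "Process: test.exe",
     "AffectedMachine": ["win10-cybereaso", "marketing", "finance"],
     "Link": "https://<server>/#/malop/11.1111111111", "Status": "To Review"},
    {"GUID": "11.2222222222", "CreationTime": "2021-08-01T00:00:00.000000",
     "LastUpdateTime": "2021-08-30T00:00:00.000000",
     "DecisionFailure": "blackListedFileHash", "Suspects": "Process: other.exe",
     "AffectedMachine": ["srv-02"],
     "Link": "https://<server>/#/malop/11.2222222222", "Status": "OPEN"},
]


def malop_to_incident(malop, fetch_by=FETCH_BY_CREATION):
    """Build the incident dict that fetch-incidents would hand to XSOAR."""
    # "Suspects" is rendered as "Process: test.exe" on this page; splitting it
    # into type and name for the root-cause custom fields is an assumption.
    element_type, _, element_name = malop.get("Suspects", "").partition(": ")
    occurred = malop["LastUpdateTime"] if fetch_by == FETCH_BY_UPDATE else malop["CreationTime"]
    return {
        "name": f"Cybereason Malop {malop['GUID']}",
        "occurred": occurred,
        "rawJSON": json.dumps(malop),
        "CustomFields": {
            "malopcreationtime": malop["CreationTime"],
            "malopupdatetime": malop["LastUpdateTime"],
            "maloprootcauseelementname": element_name,
            "maloprootcauseelementtype": element_type,
            "malopdetectiontype": malop.get("DecisionFailure", ""),
            "malopurl": malop.get("Link", ""),
            # Not present in the page's sample output: assumed source keys,
            # left empty when absent rather than guessed.
            "malopseverity": malop.get("Severity", ""),
            "malopedr": malop.get("EDR", ""),
            "malopgroup": malop.get("Group", ""),
        },
    }


def fetch_incidents(malops, last_run, fetch_by=FETCH_BY_UPDATE):
    """Simulate one fetch-incidents run over `malops`.

    last_run = {"time": <timestamp of the previous run>, "seen": {guid: last_update}}.
    Returns (new_incidents, updated_guids, new_last_run). A GUID already in
    "seen" is reported as an update and never becomes a second incident, which
    is the duplicate the configuration table warns about for update-time fetching.
    """
    ts_key = "LastUpdateTime" if fetch_by == FETCH_BY_UPDATE else "CreationTime"
    seen = dict(last_run.get("seen", {}))
    floor = last_run.get("time", "")
    new_incidents, updated = [], []
    # ISO-8601 strings with a fixed layout compare correctly as strings.
    for malop in sorted(malops, key=lambda m: m[ts_key]):
        if malop[ts_key] < floor:          # already covered by an earlier run
            continue
        guid = malop["GUID"]
        if guid in seen:
            if malop["LastUpdateTime"] > seen[guid]:
                updated.append(guid)
                seen[guid] = malop["LastUpdateTime"]
            continue
        seen[guid] = malop["LastUpdateTime"]
        new_incidents.append(malop_to_incident(malop, fetch_by))
    latest = max((m[ts_key] for m in malops), default=floor)
    return new_incidents, updated, {"time": max(floor, latest), "seen": seen}


if __name__ == "__main__":
    new, upd, run = fetch_incidents(SAMPLE_MALOPS, {}, FETCH_BY_UPDATE)
    print(len(new), "new incident(s);", "updated:", upd)
    print("next run starts at", run["time"])
```

Persisting the `seen` map alongside the last fetch time is what makes the second run idempotent: re-running with the returned `last_run` yields no new incidents.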

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cybereason-query-processes

Searches for processes with various filters.

Base Command

cybereason-query-processes

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| machine | The hostname of the machine. | Optional |
| onlySuspicious | Show only suspicious processes. Possible values are: true, false. Default is false. | Optional |
| limit | Maximum number of results to retrieve. Default is 10000. | Optional |
| processName | Process name to filter by. | Optional |
| saveToContext | If true, save the result to the context. Possible values are: true, false. Default is false. | Optional |
| hasIncomingConnection | Filter only processes with incoming connections. Possible values are: true, false. Default is false. | Optional |
| hasOutgoingConnection | Filter only processes with outgoing connections. Possible values are: true, false. Default is false. | Optional |
| hasExternalConnection | Whether the process has an external connection. Possible values are: true, false. | Optional |
| unsignedUnknownReputation | Whether the process is not known to reputation services and its image file is unsigned. Possible values are: true, false. | Optional |
| fromTemporaryFolder | Whether the process is running from a temporary folder. Possible values are: true, false. | Optional |
| privilegesEscalation | Whether the process was identified elevating its privileges to the local system user. Possible values are: true, false. | Optional |
| maliciousPsExec | Whether the process was executed by the PsExec service and is suspected of being executed maliciously. Possible values are: true, false. | Optional |
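The filter semantics of the arguments above, as an added example that is not the integration's own code: each boolean flag set to true narrows the result set to processes that have the property, while false (the default) means "do not filter on it" rather than "only processes without it", and War Room arguments arrive as the strings "true"/"false". The process records, their field names and the sample data are constructed for the demo and are not the shape of the Cybereason API response.

```python
"""Added example, not the integration's own code: the filter semantics of
cybereason-query-processes applied locally to constructed process records."""

# Constructed sample records. The boolean keys have the same names as the
# command's flag arguments so the filter can be applied generically.
SAMPLE_PROCESSES = [
    {"Name": "svchost.exe", "OwnerMachine": "ws-01", "suspicious": False,
     "hasIncomingConnection": True, "hasOutgoingConnection": True,
     "hasExternalConnection": False, "unsignedUnknownReputation": False,
     "fromTemporaryFolder": False, "privilegesEscalation": False,
     "maliciousPsExec": False},
    {"Name": "update.exe", "OwnerMachine": "ws-01", "suspicious": True,
     "hasIncomingConnection": False, "hasOutgoingConnection": True,
     "hasExternalConnection": True, "unsignedUnknownReputation": True,
     "fromTemporaryFolder": True, "privilegesEscalation": False,
     "maliciousPsExec": False},
    {"Name": "psexesvc.exe", "OwnerMachine": "srv-02", "suspicious": True,
     "hasIncomingConnection": True, "hasOutgoingConnection": False,
     "hasExternalConnection": False, "unsignedUnknownReputation": False,
     "fromTemporaryFolder": False, "privilegesEscalation": True,
     "maliciousPsExec": True},
    {"Name": "chrome.exe", "OwnerMachine": "ws-03", "suspicious": False,
     "hasIncomingConnection": False, "hasOutgoingConnection": True,
     "hasExternalConnection": True, "unsignedUnknownReputation": False,
     "fromTemporaryFolder": False, "privilegesEscalation": False,
     "maliciousPsExec": False},
]

BOOL_FLAGS = (
    "hasIncomingConnection", "hasOutgoingConnection", "hasExternalConnection",
    "unsignedUnknownReputation", "fromTemporaryFolder", "privilegesEscalation",
    "maliciousPsExec",
)


def as_bool(value):
    """War Room arguments arrive as strings; accept 'true'/'false' as well as bools."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in ("true", "yes", "1"):
        return True
    if text in ("false", "no", "0", ""):
        return False
    raise ValueError(f"not a boolean argument: {value!r}")


def query_processes(records, machine=None, onlySuspicious=False, limit=10000,
                    processName=None, **flags):
    """Apply the command's filters to `records`; return at most `limit` matches."""
    unknown = set(flags) - set(BOOL_FLAGS)
    if unknown:
        raise ValueError(f"unknown filter(s): {sorted(unknown)}")
    # Only flags explicitly set to true take part in the filtering.
    wanted = [f for f in BOOL_FLAGS if as_bool(flags.get(f, False))]
    limit = int(limit)
    matches = []
    for rec in records:
        if machine and rec["OwnerMachine"].lower() != machine.lower():
            continue
        if processName and rec["Name"].lower() != processName.lower():
            continue
        if as_bool(onlySuspicious) and not rec["suspicious"]:
            continue
        # Every requested property must hold; a flag left at false never
        # excludes a process.
        if any(not rec[f] for f in wanted):
            continue
        matches.append(rec)
        if len(matches) >= limit:
            break
    return matches


def names(records):
    """Process names of a result set, for readable output."""
    return [r["Name"] for r in records]


if __name__ == "__main__":
    # Same filters as the command example on this page.
    print(names(query_processes(SAMPLE_PROCESSES, machine="ws-01",
                                hasOutgoingConnection="true",
                                hasIncomingConnection="true")))
```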

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Process.Name | Unknown | The process name |
| Cybereason.Process.Malicious | Unknown | Malicious status of the process |
| Cybereason.Process.CreationTime | Unknown | The process creation time |
| Cybereason.Process.EndTime | Unknown | The process end time |
| Cybereason.Process.CommandLine | Unknown | The command line of the process |
| Cybereason.Process.SignedAndVerified | Unknown | Is the process signed and verified |
| Cybereason.Process.ProductType | Unknown | The product type |
| Cybereason.Process.Children | Unknown | Children of the process |
| Cybereason.Process.Parent | Unknown | The parent process |
| Cybereason.Process.OwnerMachine | Unknown | The machine's hostname |
| Cybereason.Process.User | Unknown | The user who ran the process |
| Cybereason.Process.ImageFile | Unknown | Image file of the process |
| Cybereason.Process.SHA1 | Unknown | SHA1 of the process file |
| Cybereason.Process.MD5 | Unknown | MD5 of the process file |
| Cybereason.Process.CompanyName | Unknown | The company's name |
| Cybereason.Process.ProductName | Unknown | The product's name |

Command example

!cybereason-query-processes machine=machine-name hasOutgoingConnection=true hasIncomingConnection=true

Context Example

{
  "Process": [
    {
      "Children": null,
      "CommandLine": "C:\\WINDOWS\\system32\\svchost.exe -k LocalService -s W32Time",
      "CompanyName": "Microsoft Corporation",
      "CreationTime": "2022-05-06T04:15:33.939000",
      "EndTime": "",
      "ImageFile": "svchost.exe",
      "MD5": "<md5>",
      "Malicious": "indifferent",
      "Name": "svchost.exe",
      "OwnerMachine": "<machine-name>",
      "Parent": "services.exe",
      "ProductName": "Microsoft\u00ae Windows\u00ae Operating System",
      "ProductType": "SVCHOST",
      "SHA1": "<sha1>",
      "SignedandVerified": "true",
      "User": "machine-name\\local service"
    }
  ]
}

Human Readable Output

Cybereason Processes

| Name | Malicious | Creation Time | End Time | Command Line | Signed and Verified | Product Type | Children | Parent | Owner Machine | User | Image File | SHA1 | MD5 | Company Name | Product Name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| svchost.exe | indifferent | 2022-05-06T04:15:33.939000 |  | C:\WINDOWS\system32\svchost.exe -k LocalService -s W32Time | true | SVCHOST |  | services.exe | machine-name | machine-name\local service | svchost.exe | wxyz1234 | abc123 | Microsoft Corporation | Microsoft® Windows® Operating System |

cybereason-is-probe-connected

Checks if the machine is currently connected to the Cybereason server.

Base Command

cybereason-is-probe-connected

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| machine | The hostname of the machine to check. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Machine.isConnected | boolean | true if machine is connected, else false |
| Cybereason.Machine.Name | string | Machine name |

Command example

!cybereason-is-probe-connected machine=machine-name

Context Example

{
  "Cybereason": {
    "Machine": {
      "Name": "<machine-name>",
      "isConnected": true
    }
  }
}

Human Readable Output

true

cybereason-query-connections

Searches for connections.

Base Command

cybereason-query-connections

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | Filter connections which contain this IP (in or out). | Optional |
| machine | Filter connections on the given machine. | Optional |
| saveToContext | If true, save the result to the context. Possible values are: true, false. Default is false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Connection.Name | Unknown | The connection's name |
| Cybereason.Connection.Direction | Unknown | OUTGOING/INCOMING |
| Cybereason.Connection.ServerAddress | Unknown | Address of the Cybereason machine |
| Cybereason.Connection.ServerPort | Unknown | Port of the Cybereason machine |
| Cybereason.Connection.PortType | Unknown | Type of the connection |
| Cybereason.Connection.ReceivedBytes | Unknown | Received bytes count |
| Cybereason.Connection.TransmittedBytes | Unknown | Transmitted bytes count |
| Cybereason.Connection.RemoteCountry | Unknown | The connection's remote country |
| Cybereason.Connection.OwnerMachine | Unknown | The machine's hostname |
| Cybereason.Connection.OwnerProcess | Unknown | The process which performed the connection |
| Cybereason.Connection.CreationTime | Unknown | Creation time of the connection |
| Cybereason.Connection.EndTime | Unknown | End time of the connection |

Command example

!cybereason-query-connections ip=<host>

Context Example

{
  "Connection": [
    {
      "CreationTime": "2021-04-20T00:00:00.00000",
      "Direction": "OUTGOING",
      "EndTime": "2021-04-20T00:00:00.000000",
      "Name": "<connection_ip_addresses>",
      "OwnerMachine": "simplify-cyber",
      "OwnerProcess": "nbtscan.exe",
      "PortType": "SERVICE_WINDOWS",
      "ReceivedBytes": "0",
      "RemoteCountry": null,
      "ServerAddress": "<server_address>",
      "ServerPort": "137",
      "TransmittedBytes": "50"
    }
  ]
}

Human Readable Output

Cybereason Connections for: 192.168.1.103

| Creation Time | Direction | End Time | Name | Owner Machine | Owner Process | Port Type | Received Bytes | Remote Country | Server Address | Server Port | Transmitted Bytes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2021-04-20T00:00:00.000000 | OUTGOING | 2021-04-20T00:00:00.000000 | connection_ip_addresses | simplify-cyber | test.exe | SERVICE_WINDOWS | 0 |  | 192.168.1.103 | 137 | 50 |

cybereason-isolate-machine

Isolates a machine that has been infected from the rest of the network.

Base Command

cybereason-isolate-machine

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| machine | Machine name to be isolated. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Machine | string | Machine name |
| Cybereason.IsIsolated | boolean | Is the machine isolated |

Command example

!cybereason-isolate-machine machine=machine-name

Context Example

{
  "Cybereason": {
    "IsIsolated": true,
    "Machine": "<machine-name>"
  }
}

Human Readable Output

Machine was isolated successfully.

cybereason-unisolate-machine

Stops isolation of a machine.

Base Command

cybereason-unisolate-machine

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| machine | Machine name to be un-isolated. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Machine | string | Machine name |
| Cybereason.IsIsolated | boolean | Is the machine isolated |

Command example

!cybereason-unisolate-machine machine=machine-name

Context Example

{
  "Cybereason": {
    "IsIsolated": false,
    "Machine": "<machine-name>"
  }
}

Human Readable Output

Machine was un-isolated successfully.

cybereason-query-malops

Returns a list of all Malops and details on the Malops.

Base Command

cybereason-query-malops

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filters | Filter to filter the response by, given in Cybereason API syntax. | Optional |
| totalResultLimit | The total number of results to return for your Server. Ensure you make the limit a reasonable number to maximize Server performance and not overload the system. | Optional |
| perGroupLimit | The number of items to return per Malop group. | Optional |
| templateContext | The level of detail to provide in the response. Possible values include: SPECIFIC: Reference values contain only the count in the ElementValues class. The Suspicions map is calculated for each result, with the suspicion name and the first time the suspicion appeared. The Evidence map is not calculated for the results. CUSTOM: Reference values contain the specific Elements, up to the limit defined in the perFeatureLimit parameter. The Suspicions map is not calculated for the results. The Evidence map is not calculated for the results. DETAILS: Reference values contain the specific Elements, up to the limit defined in the perFeatureLimit parameter. The Suspicions map is calculated for each result, containing the suspicion name and the first time the suspicion appeared. The Evidence map is not calculated for the results. Possible values are: MALOP, SPECIFIC, CUSTOM, DETAILS, OVERVIEW. Default is MALOP. | Optional |
| withinLastDays | Return all the Malops within the last given number of days. | Optional |
| malopGuid | Malop GUIDs to filter by (comma-separated values supported, e.g. 11.123456789,11.9874563210). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Malops.GUID | string | The globally unique identifier (GUID) of the Malop. |
| Cybereason.Malops.CreationTime | string | The time reported as when the malicious behavior began on the system. This is not the time that the Malop was first detected by Cybereason. |
| Cybereason.Malops.DecisionFeature | string | The reason that Cybereason has raised the Malop. |
| Cybereason.Malops.Link | string | Link to the Malop on Cybereason. |
| Cybereason.Malops.Suspects | string | Malop suspect type and name |
| Cybereason.Malops.LastUpdatedTime | string | Last updated time of the Malop |
| Cybereason.Malops.AffectedMachine | string | List of machines affected by this Malop |
| Cybereason.Malops.InvolvedHash | string | List of file hashes involved in this Malop |
| Cybereason.Malops.Status | string | Malop management status |

Command example

!cybereason-query-malops

Context Example

{
  "Cybereason": {
    "Malops": [
      {
        "AffectedMachine": [
          "win10-cybereaso",
          "marketing"
        ],
        "CreationTime": "2021-07-12T00:00:00.000000",
        "DecisionFailure": "blackListedFileHash",
        "GUID": "<malop_id>",
        "InvolvedHash": [
          1
        ],
        "LastUpdateTime": "2021-08-28T00:00:00.000000",
        "Link": "<malop_link>",
        "Status": "OPEN",
        "Suspects": "Process: test.exe"
      }
    ]
  }
}

Human Readable Output

Cybereason Malops

| GUID | Link | CreationTime | Status | LastUpdateTime | DecisionFailure | Suspects | AffectedMachine | InvolvedHash |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| <malop_id> | https://test.server.net:0000/#/malop/11.1234567890 | 2021-07-12T00:00:00.000000 | OPEN | 2021-08-28T00:00:00.000000 | blackListedFileHash | Process: test.exe | affected_machine_name | 1 |

cybereason-malop-processes

Returns a list of malops

Base Command

cybereason-malop-processes

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGuids | Array of Malop GUIDs separated by commas. (Malop GUIDs can be retrieved with the cybereason-query-malops command.) | Required |
| machineName | Machine names which were affected by the Malop. Comma-separated values supported (e.g., machine1,machine2). | Optional |
| dateTime | Starting date and time to filter the processes by their creation date. The format for the input is "YYYY/MM/DD HH:MM:SS". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Process.Name | string | The process name |
| Cybereason.Process.Malicious | Unknown | Malicious status of the process |
| Cybereason.Process.CreationTime | date | The process creation time |
| Cybereason.Process.EndTime | date | The process end time |
| Cybereason.Process.CommandLine | string | The command line of the process |
| Cybereason.Process.SignedAndVerified | Unknown | Is the process signed and verified |
| Cybereason.Process.ProductType | Unknown | The product type |
| Cybereason.Process.Children | Unknown | Children of the process |
| Cybereason.Process.Parent | Unknown | The parent process |
| Cybereason.Process.OwnerMachine | Unknown | The machine's hostname |
| Cybereason.Process.User | string | The user who ran the process |
| Cybereason.Process.ImageFile | Unknown | Image file of the process |
| Cybereason.Process.SHA1 | string | SHA1 of the process file |
| Cybereason.Process.MD5 | string | MD5 of the process file |
| Cybereason.Process.CompanyName | string | The company's name |
| Cybereason.Process.ProductName | string | The product's name |

Command example

!cybereason-malop-processes malopGuids=<malop_id>

Context Example

{
  "Process": [
    {
      "Children": null,
      "CommandLine": "\"C:\\Users\\user\\winrar-x64-602.pdf.exe\"",
      "CompanyName": "Hello World",
      "CreationTime": "2022-03-14T00:00:00.000000",
      "EndTime": "2022-03-14T00:00:00.000000",
      "ImageFile": "<image_file_name>",
      "MD5": "<md5>",
      "Malicious": "indifferent",
      "Name": "<file_name>",
      "OwnerMachine": "<machine-name>",
      "Parent": "explorer.exe",
      "ProductName": "WinRAR",
      "ProductType": null,
      "SHA1": "<sha1>",
      "SignedandVerified": null,
      "User": "machine-name\\user"
    }
  ]
}

Human Readable Output

Cybereason Malop Processes

| Name | Malicious | Creation Time | End Time | Command Line | Parent | Owner Machine | User | Image File | SHA1 | MD5 | Company Name | Product Name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| winrar-x64-602.exe | indifferent | 2022-03-14T00:00:00.000000 | 2022-03-14T00:00:00.000000 | "C:\Users\user\winrar-x64-602.exe" | explorer.exe | machine-name | machine-name\user | winrar-x64-602.exe | 1234sajklfshljjvhlsdfhilh23 | md5_hash | Hello World | WinRAR |

cybereason-add-comment

Adds a new comment to a Malop.

Base Command

cybereason-add-comment

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| comment | Comment to add to the Malop. | Required |
| malopGuid | Malop GUID to add the comment to. (Malop GUIDs can be retrieved with the cybereason-query-malops command.) | Required |

Context Output

There is no context output for this command.

Command example

!cybereason-add-comment comment=NewComment malopGuid=<malop_id>

Human Readable Output

Comment added successfully

cybereason-update-malop-status

Updates the Malop status.

Base Command

cybereason-update-malop-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGuid | Malop GUID whose status to update. | Required |
| status | Status to update to. Possible values are: To Review, Unread, Remediated, Not Relevant, Open. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Malops.GUID | string | Malop GUID |
| Cybereason.Malops.Status | string | Malop status: To Review, Unread, Remediated, Not Relevant |

Command example

!cybereason-update-malop-status malopGuid=<malop_id> status="To Review"

Context Example

{
  "Cybereason": {
    "Malops": {
      "GUID": "<malop_id>",
      "Status": "To Review"
    }
  }
}

Human Readable Output

Successfully updated malop <malop_id> to status To Review

cybereason-prevent-file

Prevents a Malop process file.

Base Command

cybereason-prevent-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| md5 | Malop process file MD5 to prevent. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Process.MD5 | string | Process file MD5 |
| Cybereason.Process.Prevent | boolean | True if process file is prevented, else false |

Command example

!cybereason-prevent-file md5=MD5

Context Example

{
  "Process": {
    "MD5": "<md5>",
    "Prevent": true
  }
}

Human Readable Output

File was prevented successfully

cybereason-unprevent-file

Unprevents a Malop process file.

Base Command

cybereason-unprevent-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| md5 | Malop process file MD5 to unprevent. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Process.MD5 | string | Process file MD5 |
| Cybereason.Process.Prevent | boolean | True if process file is prevented, else false |

Command example

!cybereason-unprevent-file md5=MD5

Context Example

{
  "Process": {
    "MD5": "MD5",
    "Prevent": false
  }
}

Human Readable Output

File was unprevented successfully

cybereason-query-file

Queries files as part of an investigation.

Base Command

cybereason-query-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file_hash | File hash (SHA-1 and MD5 supported). | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.File.Path | string | File path |
| Cybereason.File.SHA1 | string | File SHA-1 hash |
| Cybereason.File.Machine | string | Machine name on which the file is located |
| Cybereason.File.SuspicionsCount | number | File suspicions count |
| Cybereason.File.Name | string | File name |
| Cybereason.File.CreationTime | date | File creation time |
| Cybereason.File.Suspicion | string | File suspicions object with the suspicion as key and the detected date as value |
| Cybereason.File.OSVersion | string | OS version of the machine on which the file is located |
| Cybereason.File.ModifiedTime | date | File modified date |
| Cybereason.File.Malicious | boolean | Is the file malicious |
| Cybereason.File.Company | string | Company name |
| Cybereason.File.MD5 | string | File MD5 hash |
| Cybereason.File.IsConnected | boolean | Is the machine connected to Cybereason |
| Cybereason.File.Signed | boolean | Is the file signed |
| Cybereason.File.Evidence | string | File evidences |

Command example

!cybereason-query-file file_hash=<file_hash>

Context Example

{
  "Cybereason": {
    "File": {
      "Company": "Hello World",
      "CreationTime": "2022-02-28T00:00:00.000Z",
      "Evidence": [],
      "IsConnected": false,
      "MD5": "<md5>",
      "Machine": "<machine-name>",
      "Malicious": false,
      "ModifiedTime": "2022-05-09T00:00:00.000Z",
      "Name": "<file_name>",
      "OSVersion": null,
      "Path": "c:\\users\\user\\winrar-x64-602.exe",
      "SHA1": "<sha1>",
      "Signed": true,
      "Suspicion": {},
      "SuspicionsCount": null
    }
  }
}

Human Readable Output

Cybereason file query results for the file hash: 77ab1e20c685e716b82c7c90b373316fc84cde23

| Company | CreationTime | IsConnected | MD5 | Machine | Malicious | ModifiedTime | Name | Path | SHA1 | Signed |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Hello World | 2022-02-28T00:00:00.000Z | false | MD5 | machine-name | false | 2022-05-09T00:00:00.000Z | winrar-x64-602.pdf.exe | c:\users\test\winrar-x64-602.pdf.exe | 1245sedecthebdfkjkgjljldl2348 | true |

cybereason-query-domain

Queries domains as part of an investigation.

Base Command

cybereason-query-domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Domain to query. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Domain.Name | string | Domain name |
| Cybereason.Domain.Malicious | boolean | Is the domain malicious |
| Cybereason.Domain.IsInternalDomain | boolean | Is the domain internal |
| Cybereason.Domain.Reputation | string | Domain reputation |
| Cybereason.Domain.SuspicionsCount | number | Domain suspicions count |
| Cybereason.Domain.WasEverResolved | boolean | Was the domain ever resolved |
| Cybereason.Domain.WasEverResolvedAsASecondLevelDomain | boolean | Was the domain ever resolved as a second level domain |

Command example

!cybereason-query-domain domain=www2.bing.com

Context Example

{
  "Cybereason": {
    "Domain": {
      "IsInternalDomain": false,
      "Malicious": false,
      "Name": "www2.bing.com",
      "Reputation": null,
      "SuspicionsCount": 0,
      "WasEverResolved": false,
      "WasEverResolvedAsASecondLevelDomain": true
    }
  }
}

Human Readable Output

Cybereason domain query results for the domain: www2.bing.com

| Name | Reputation | IsInternalDomain | WasEverResolved | WasEverResolvedAsASecondLevelDomain | Malicious | SuspicionsCount |
| --- | --- | --- | --- | --- | --- | --- |
| www2.bing.com | indifferent | false | false | true | false | 0 |
| www2.bing.com |  | false | false | true | false | 0 |

cybereason-query-user

Queries users as part of an investigation.

Base Command

cybereason-query-user

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | Username to query. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.User.Username | string | User name |
| Cybereason.User.Domain | string | User domain |
| Cybereason.User.LastMachineLoggedInTo | string | Last machine which the user logged in to |
| Cybereason.User.LocalSystem | boolean | Is local system |
| Cybereason.User.Organization | string | User organization |

Command example

!cybereason-query-user username="user-name"

Context Example

{
  "Cybereason": {
    "User": {
      "Domain": "<machine-name>",
      "LastMachineLoggedInTo": "<machine-name>",
      "LocalSystem": false,
      "Organization": "INTEGRATION",
      "Username": "user-name"
    }
  }
}

Human Readable Output

Cybereason user query results for the username: machine-name\prase

| Username | Domain | LastMachineLoggedInTo | Organization | LocalSystem |
| --- | --- | --- | --- | --- |
| machine-name\prase | machine-name | machine-name | INTEGRATION | false |

cybereason-archive-sensor

Archives a Sensor.

Base Command

cybereason-archive-sensor

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sensorID | Sensor ID of the Cybereason Sensor. | Required |
| archiveReason | Reason for archiving the Cybereason Sensor. | Required |

Context Output

There is no context output for this command.

Command example

!cybereason-archive-sensor sensorID=SENSOR_ID archiveReason="Archive this Sensor"

Human Readable Output

Sensor archive status: Failed Actions: 0. Succeeded Actions: 1

cybereason-unarchive-sensor

Unarchives a Sensor.

Base Command

cybereason-unarchive-sensor

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sensorID | Sensor ID of the Cybereason Sensor. | Required |
| unarchiveReason | Reason for unarchiving the Cybereason Sensor. | Required |

Context Output

There is no context output for this command.

Command example

!cybereason-unarchive-sensor sensorID=SENSOR_ID unarchiveReason="Unarchive this Sensor"

Human Readable Output

Sensor unarchive status: Failed Actions: 0. Succeeded Actions: 1

cybereason-delete-sensor

Deletes a Sensor.

Base Command

cybereason-delete-sensor

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sensorID | Sensor ID of the Cybereason Sensor. | Required |

Context Output

There is no context output for this command.

Command example

!cybereason-delete-sensor sensorID=SENSOR_ID

Human Readable Output

Sensor deleted successfully.

cybereason-start-fetchfile

Starts fetching the file to download.

Base Command

cybereason-start-fetchfile

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGUID | Malop GUID for fetching a file from a sensor to download. | Required |
| userName | The complete Cybereason user name string for the user performing the request. | Required |

Context Output

There is no context output for this command.

Command example

!cybereason-start-fetchfile malopGUID=<malop_id> userName=<user_name>

Human Readable Output

Successfully started fetching file for the given malop

cybereason-fetchfile-progress

Returns a batch ID for files waiting for download.

Base Command

cybereason-fetchfile-progress

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGuid | Malop GUID for which to report the file download progress. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Download.Progress.fileName | unknown | Filename for the given Malop |
| Cybereason.Download.Progress.status | unknown | Status for the batch ID |
| Cybereason.Download.Progress.batchID | unknown | Unique batch ID |

Command example

!cybereason-fetchfile-progress malopGuid=<malop_id>

Context Example

{
  "Download": {
    "progress": {
      "MalopID": "<malop_id>",
      "batchID": [
        -1234
      ],
      "fileName": [
        "<file_name>"
      ],
      "status": [
        true
      ]
    }
  }
}

Human Readable Output

Filename: ['winrar-x64-602.exe'] Status: [True] Batch ID: [-1234]

cybereason-download-file

Downloads the actual file to the machine.

Base Command

cybereason-download-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| batchID | The batch ID for the file download operation. | Required |

Context Output

There is no context output for this command.

Command example

!cybereason-download-file batchID=-1234

Context Example

{
  "File": {
    "EntryID": "<entry_id>",
    "Extension": "zip",
    "Info": "application/zip",
    "MD5": "<md5>",
    "Name": "download.zip",
    "SHA1": "<sha1>",
    "SHA256": "<SHA256>",
    "SHA512": "<SHA512>",
    "SSDeep": "<SSDeep_value>",
    "Size": 3168792,
    "Type": "Zip archive data, at least v2.0 to extract"
  }
}

Human Readable Output

Integration log: Downloading the file with this Batch ID: -1234

cybereason-close-file-batch-id

Aborts a file download operation that is in progress.

Base Command

cybereason-close-file-batch-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| batchID | The batch ID of the file download operation to abort. | Required |

Context Output

There is no context output for this command.

Command example

!cybereason-close-file-batch-id batchID=-1234

Human Readable Output

Successfully aborts a file download operation that is in progress.

cybereason-available-remediation-actions

Gets the details of all remediation actions that are available for the given Malop.

Base Command

cybereason-available-remediation-actions

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |

Context Output

There is no context output for this command.

Command example

!cybereason-available-remediation-actions malopGuid=<malop_id>

Human Readable Output

{
  "data": [
    {
      "machineConnected": false,
      "machineId": "machine_id",
      "machineName": "<machine-name>",
      "machinesCount": 1,
      "malopId": "<malop_id>",
      "malopType": "MalopProcess",
      "remediationType": "BLOCK_FILE",
      "targetId": "<target_id>",
      "targetName": "<target_name>",
      "uniqueId": "<unique_id>"
    },
    {
      "machineConnected": false,
      "machineId": "<machine_id>",
      "machineName": "<machine-name>",
      "machinesCount": 1,
      "malopId": "<malop_id>",
      "malopType": "MalopProcess",
      "remediationType": "UNQUARANTINE_FILE",
      "targetId": "<target_id>",
      "targetName": "<target_name>",
      "uniqueId": "<unique_id>"
    }
  ],
  "errorMessage": "",
  "status": "SUCCESS"
}

cybereason-kill-process

Kills the process of the malicious file. (The required inputs are returned by the cybereason-available-remediation-actions command when this remediation action is available for the Malop.)

Base Command

cybereason-kill-process

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
| machine | Machine name on which to kill the process. | Required |
| targetId | Target ID of the process to kill. | Required |
| userName | The complete Cybereason user name string for the user performing the request. | Required |
| comment | Comment to add to the Malop. | Optional |

Context Output

There is no context output for this command.

Command example

!cybereason-kill-process machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Kill the Process"

Human Readable Output

Kill process remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

cybereason-quarantine-file

Quarantines the detected malicious file in a secure location. (The required inputs are returned by the cybereason-available-remediation-actions command when this remediation action is available for the Malop.)

Base Command

cybereason-quarantine-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
| machine | Machine name on which to quarantine the file. | Required |
| targetId | Target ID of the file to quarantine. | Required |
| userName | The complete Cybereason user name string for the user performing the request. | Required |
| comment | Comment to add to the Malop. | Optional |

Context Output

There is no context output for this command.

Command example

!cybereason-quarantine-file machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Quarantine the File"

Human Readable Output

Quarantine file remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

cybereason-unquarantine-file

Releases a detected file from quarantine. (The required inputs are returned by the cybereason-available-remediation-actions command when this remediation action is available for the Malop.)

Base Command

cybereason-unquarantine-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
| machine | Machine name on which to unquarantine the file. | Required |
| targetId | Target ID of the file to unquarantine. | Required |
| userName | The complete Cybereason user name string for the user performing the request. | Required |
| comment | Comment to add to the Malop. | Optional |

Context Output

There is no context output for this command.

Command example

!cybereason-unquarantine-file machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Unquarantine the File"

Human Readable Output

Unquarantine file remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

cybereason-block-file

Blocks a file on one particular machine only. (The required inputs are returned by the cybereason-available-remediation-actions command when this remediation action is available for the Malop.)

Base Command

cybereason-block-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
| machine | Machine name on which the file needs to be blocked. | Required |
| targetId | Target ID of the file to be blocked. | Required |
| userName | The complete Cybereason user name string for the user performing the request. | Required |
| comment | Comment to add to the Malop. | Optional |

Context Output

There is no context output for this command.

Command example

!cybereason-block-file machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Block a File"

Human Readable Output

Block file remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

cybereason-delete-registry-key

Deletes a registry entry associated with a malicious process. (The required inputs are returned by the cybereason-available-remediation-actions command when this remediation action is available for the Malop.)

Base Command

cybereason-delete-registry-key

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
| machine | Machine name on which to delete the registry key. | Required |
| targetId | Target ID of the registry key to delete. | Required |
| userName | The complete Cybereason user name string for the user performing the request. | Required |
| comment | Comment to add to the Malop. | Optional |

Context Output

There is no context output for this command.

Command example

!cybereason-delete-registry-key machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Remove the registry key"

Human Readable Output

Delete registry key remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

cybereason-kill-prevent-unsuspend

Prevents detected ransomware from running on the machine. (The required inputs are returned by the cybereason-available-remediation-actions command when this remediation action is available for the Malop.)

Base Command

cybereason-kill-prevent-unsuspend

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
| machine | Machine name on which to prevent the detected ransomware from running. | Required |
| targetId | Target ID of the detected ransomware to prevent from running on the machine. | Required |
| userName | The complete Cybereason user name string for the user performing the request. | Required |
| comment | Comment to add to the Malop. | Optional |

Context Output

There is no context output for this command.

Command example

!cybereason-kill-prevent-unsuspend machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Kill Prevent"

Human Readable Output

Kill prevent unsuspend remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

cybereason-unsuspend-process#


Prevent a file associated with ransomware. (Run the 'cybereason-available-remediation-actions' command to obtain the required inputs, provided this remediation action is available for the Malop.)

Base Command#

cybereason-unsuspend-process

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGuid | The unique ID assigned by the Cybereason platform for the Malop. | Required |
| machine | Machine name on which to prevent the file associated with ransomware. | Required |
| targetId | Target ID of the file associated with ransomware. | Required |
| userName | The complete Cybereason user name string for the user performing the request. | Required |
| comment | Comment to add to the Malop. | Optional |

Context Output#

There is no context output for this command.

Command example#

!cybereason-unsuspend-process machine=machine-name malopGuid=<malop_id> targetId=<target_id> userName=<user_name> comment="Unsuspend Process"

Human Readable Output#

Unsuspend process remediation action status is: SUCCESS Remediation ID: REMEDIATION_ID

cybereason-malware-query#


Query malware records, filtered by the options and values given below.

Base Command#

cybereason-malware-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| needsAttention | Filter malware by the needsAttention flag. Possible values are: True, False. | Optional |
| type | Filter malware by type. Possible filter values for type are: KnownMalware, UnknownMalware, FilelessMalware, ApplicationControlMalware, RansomwareMalware. | Optional |
| status | Filter malware by status. Possible filter values for status are: Done, Excluded, Detected, Prevented, Remediated, DeleteOnRestart, Quarantined. | Optional |
| timestamp | Filter malware by timestamp. Enter the time in epoch format. | Optional |
| limit | Maximum number of malware records to return. | Required |

Context Output#

There is no context output for this command.

Command example#

!cybereason-malware-query limit=5 needsAttention=True status=Done type=KnownMalware timestamp=1582206286000

Human Readable Output#

```json
{
    "data": {
        "hasMoreResults": false,
        "malwares": [],
        "totalResults": 0
    },
    "expectedResults": 0,
    "failedServersInfo": null,
    "failures": 0,
    "hidePartialSuccess": false,
    "message": "",
    "status": "SUCCESS"
}
```
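As an added example (not code from the Cybereason integration or from this reference), the following checks the filter arguments for `cybereason-malware-query` against the values listed above and reduces the response envelope to the fields a playbook branches on. Function names are hypothetical, and accepting comma-separated lists for `type` and `status` is an assumption drawn from how the reference lists the values.

```python
# Added example (not integration code); function names are hypothetical.
VALID_TYPES = {"KnownMalware", "UnknownMalware", "FilelessMalware",
               "ApplicationControlMalware", "RansomwareMalware"}
VALID_STATUSES = {"Done", "Excluded", "Detected", "Prevented", "Remediated",
                  "DeleteOnRestart", "Quarantined"}


def build_malware_query_args(limit, needs_attention=None, malware_type=None,
                             status=None, timestamp=None):
    """Return the command arguments, rejecting filter values the reference
    does not list. type and status may be comma-separated (assumption)."""
    if not isinstance(limit, int) or limit < 1:
        raise ValueError("limit must be a positive integer")
    args = {"limit": limit}
    if needs_attention is not None:
        args["needsAttention"] = "True" if needs_attention else "False"
    for name, value, allowed in (("type", malware_type, VALID_TYPES),
                                 ("status", status, VALID_STATUSES)):
        if value:
            unknown = set(value.split(",")) - allowed
            if unknown:
                raise ValueError(f"unknown {name} value(s): {sorted(unknown)}")
            args[name] = value
    if timestamp is not None:
        if not isinstance(timestamp, int) or timestamp < 0:
            raise ValueError("timestamp must be a non-negative epoch integer")
        args["timestamp"] = timestamp
    return args


def summarize_malware_response(resp):
    """Fail loudly on a non-SUCCESS envelope or any reported failures;
    otherwise report counts and whether another page should be requested."""
    if resp.get("status") != "SUCCESS" or resp.get("failures", 0):
        raise RuntimeError(f"malware query failed: {resp.get('message')!r}")
    data = resp.get("data") or {}
    return {"returned": len(data.get("malwares") or []),
            "total": data.get("totalResults", 0),
            "has_more": bool(data.get("hasMoreResults"))}


# Constructed sample mirroring the empty result shown in the reference.
SAMPLE_RESPONSE = {"data": {"hasMoreResults": False, "malwares": [],
                            "totalResults": 0},
                   "expectedResults": 0, "failedServersInfo": None,
                   "failures": 0, "hidePartialSuccess": False,
                   "message": "", "status": "SUCCESS"}
```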

cybereason-start-host-scan#


Start or stop a full or quick scan for a host.

Base Command#

cybereason-start-host-scan

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sensorID | Sensor ID of the sensor. Comma-separated values are supported. | Required |
| scanType | The scan method to run on the host. Possible values are: FULL, QUICK, STOP. | Required |

Context Output#

There is no context output for this command.

Command example#

!cybereason-start-host-scan sensorID=SENSOR_ID scanType=FULL

Human Readable Output#

Batch ID: -11156

cybereason-fetch-scan-status#


Get the results for host scanning.

Base Command#

cybereason-fetch-scan-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| batchID | The batch ID obtained after initiating the scan. | Required |

Context Output#

There is no context output for this command.

Command example#

!cybereason-fetch-scan-status batchID=-11156

Human Readable Output#

```json
{
    "abortHttpStatusCode": null,
    "abortTime": 0,
    "abortTimeout": false,
    "aborterUser": null,
    "actionArguments": [
        "ScheduleScanAction",
        "FULL"
    ],
    "actionType": "SchedulerScan",
    "batchId": -11156,
    "creatorUser": "<user_name>",
    "finalState": true,
    "globalStats": {
        "stats": {
            "AbortTimeout": 0,
            "Aborted": 0,
            "Aborting": 0,
            "AlreadyUpdated": 0,
            "BadArgument": 0,
            "ChunksRequired": 0,
            "Disconnected": 0,
            "EndedWithInvalidParam": 0,
            "EndedWithNoValidFolder": 0,
            "EndedWithSensorTimeout": 0,
            "EndedWithTooManyResults": 0,
            "EndedWithTooManySearches": 0,
            "EndedWithUnknownError": 0,
            "EndedWithUnsupportedFilter": 0,
            "EndedWithYaraCompileError": 0,
            "Failed": 0,
            "FailedSending": 0,
            "FailedSendingToServer": 0,
            "GettingChunks": 0,
            "InProgress": 0,
            "InvalidState": 0,
            "MsiFileCorrupted": 0,
            "MsiSendFail": 0,
            "NewerInstalled": 0,
            "None": 0,
            "NotSupported": 0,
            "Pending": 0,
            "Primed": 0,
            "ProbeRemoved": 0,
            "SendingMsi": 0,
            "SendingPlatform": 0,
            "Started": 0,
            "Succeeded": 1,
            "Timeout": 0,
            "TimeoutSending": 0,
            "UnauthorizedUser": 0,
            "UnknownProbe": 0,
            "partialResponse": 0
        }
    },
    "initiatorUser": "<user_name>",
    "startTime": 1652279731232,
    "totalNumberOfProbes": 1
}
```
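The start-scan / fetch-scan-status pair above is a poll loop in practice: `cybereason-start-host-scan` returns a batch ID, and `cybereason-fetch-scan-status` is repeated until the batch is final. As an added example (not code from the Cybereason integration), the following reduces a status response to a verdict a playbook can branch on. The grouping of the `stats` keys into failure and in-flight buckets is an assumption made here from the key names, not a documented contract, and the sample response is constructed to match the shape shown above.

```python
# Added example (not integration code). FAILURE_STATES / IN_FLIGHT_STATES
# group the stats keys from the reference by name; the grouping is an
# assumption, not a documented Cybereason contract.
FAILURE_STATES = {"AbortTimeout", "Aborted", "BadArgument", "Disconnected",
                  "EndedWithInvalidParam", "EndedWithNoValidFolder",
                  "EndedWithSensorTimeout", "EndedWithTooManyResults",
                  "EndedWithTooManySearches", "EndedWithUnknownError",
                  "EndedWithUnsupportedFilter", "EndedWithYaraCompileError",
                  "Failed", "FailedSending", "FailedSendingToServer",
                  "InvalidState", "MsiFileCorrupted", "MsiSendFail",
                  "NotSupported", "ProbeRemoved", "Timeout", "TimeoutSending",
                  "UnauthorizedUser", "UnknownProbe"}
IN_FLIGHT_STATES = {"Pending", "Primed", "Started", "InProgress", "Aborting",
                    "ChunksRequired", "GettingChunks", "SendingMsi",
                    "SendingPlatform"}


def summarize_scan_batch(resp):
    """Reduce a fetch-scan-status response to the fields a playbook needs."""
    stats = resp["globalStats"]["stats"]
    total = resp.get("totalNumberOfProbes", 0)
    succeeded = stats.get("Succeeded", 0)
    failed = sum(n for state, n in stats.items() if state in FAILURE_STATES)
    in_flight = sum(n for state, n in stats.items() if state in IN_FLIGHT_STATES)
    final = bool(resp.get("finalState"))
    return {"batch_id": resp["batchId"],
            "scan_type": (resp.get("actionArguments") or [None])[-1],
            "final": final, "succeeded": succeeded, "failed": failed,
            "in_flight": in_flight,
            # Keep polling only while the server has not marked the batch
            # final and probes are still working; branch on all_ok afterwards.
            "keep_polling": not final and in_flight > 0,
            "all_ok": final and succeeded == total and failed == 0}


def sample_batch(**counts):
    """Constructed response: every stat zero except those passed in."""
    stats = {state: 0 for state in FAILURE_STATES | IN_FLIGHT_STATES |
             {"AlreadyUpdated", "NewerInstalled", "None", "Succeeded",
              "partialResponse"}}
    stats.update(counts)
    return {"actionArguments": ["ScheduleScanAction", "FULL"],
            "actionType": "SchedulerScan", "batchId": -11156,
            "finalState": not any(stats[s] for s in IN_FLIGHT_STATES),
            "globalStats": {"stats": stats}, "startTime": 1652279731232,
            "totalNumberOfProbes": sum(stats.values())}
```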

cybereason-get-sensor-id#


Get the Sensor ID of a machine.

Base Command#

cybereason-get-sensor-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| machineName | The hostname of the machine. | Optional |

Context Output#

There is no context output for this command.

Command example#

!cybereason-get-sensor-id machineName=machine-name

Human Readable Output#

Sensor ID for the machine 'machine-id' is: SENSOR_ID

cybereason-get-machine-details#


Get the sensor details for a machine.

Base Command#

cybereason-get-machine-details

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| machineName | The hostname of the machine. | Required |
| page | The page number of machine records to retrieve (used for pagination), starting from 1. The page size is defined by the "pageSize" argument. | Optional |
| pageSize | The number of machine records per page to retrieve (used for pagination). The page number is defined by the "page" argument. | Optional |
| limit | The maximum number of records to retrieve. If "pageSize" is defined, this argument is ignored. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Sensor.MachineID | string | Sensor ID of the machine |
| Cybereason.Sensor.MachineName | string | Host name of the machine |
| Cybereason.Sensor.MachineFQDN | string | FQDN of the machine |
| Cybereason.Sensor.GroupID | string | Group ID of the machine |
| Cybereason.Sensor.GroupName | string | Group name of the machine |

Command example#

!cybereason-get-machine-details machineName=xyz-1

Context Example#

```json
{
    "MachineID": "example-machine-id",
    "MachineName": "example-machine-name",
    "MachineFQDN": "example-machine-fqdn",
    "GroupID": "example-group-id",
    "GroupName": "example-group-name"
}
```

cybereason-query-malop-management#

Base Command#

cybereason-query-malop-management

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGuid | The malopGuid of the Cybereason Malop. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Malops.GUID | string | The globally unique identifier (GUID) of the Malop. |
| Cybereason.Malops.CreationTime | string | The time reported as when the malicious behavior began on the system. This is not the time that the Malop was first detected by Cybereason. |
| Cybereason.Malops.Link | string | Link to the Malop on Cybereason. |
| Cybereason.Malops.LastUpdatedTime | string | Last updated time of the Malop. |
| Cybereason.Malops.InvolvedHash | string | List of file hashes involved in this Malop. |
| Cybereason.Malops.Status | string | Malop management status. |

Command example#

!cybereason-query-malop-management malopGuid=<malop-guid>

Context Example#

```json
{
    "GUID": "malop-guid",
    "Link": "malop-url",
    "CreationTime": 1686720403740,
    "LastUpdateTime": 1686720403743,
    "Status": "Pending",
    "InvolvedHash": "involved-hash"
}
```

Base Command#

cybereason_process_attack_tree_command

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| malopGuid | The malopGuid of the Cybereason Malop. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Cybereason.Process.ProcessID | string | Cybereason process ID |
| Cybereason.Process.URL | string | Attack tree URL for the given process |

Command example#

!cybereason-process-attack-tree processGuid=<process-guid>

Context Example#

```json
{
    "Process": [
        {
            "ProcessID": "<process-id>",
            "URL": "<url>"
        },
        {
            "ProcessID": "<process-id>",
            "URL": "<url>"
        }
    ]
}
```