Cybereason

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Columns: Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method

Malware: ✅ | cybereason_malware | NDJSON | API
Sensors: ✅ | ✅ | cybereason_sensors | NDJSON | API

Overview

Cybereason provides a next-generation antivirus (NGAV) solution that safeguards company endpoints against highly advanced and unknown security threats, including ransomware and fileless attacks.

Integrating Cybereason with Hunters enables collection and ingestion of its key data types into the data lake. Alerts are then created over the logs, auto-investigated, and correlated with other related signals.

Supported data types

Cybereason's API provides the following data types:

Malware

Table name: cybereason_malware

Lists the details for the collected malware in the environment.

Sensors

Table name: cybereason_sensors

Lists all the Cybereason sensors deployed in the environment.

Send data to Hunters

Hunters supports collecting logs from Cybereason through its API.

To connect Cybereason logs:

  1. Gather the following information from your Cybereason account:

    • Client domain (expected in the form user@domain)

    • Client username

    • Client password

      📘Note

      The provided user should have Super user permissions.

  2. Complete the connection on the Hunters platform, following this process.

Expected format

If Cybereason events are already being collected in your environment, they can be shipped to Hunters via a shared AWS S3 bucket. Logs are expected in JSON format.

Malware

{
   "guid":"1428",
   "timestamp":1660158463435,
   "name":"name",
   "type":"KnownMalware",
   "elementType":"File",
   "machineName":"john's machine",
   "status":"Detected",
   "needsAttention":false,
   "referenceGuid":"14286371",
   "referenceElementType":"File",
   "score":0.0,
   "detectionValue":"value",
   "detectionValueType":"DVT_FILE",
   "detectionEngine":"AntiVirus",
   "malwareDataModel":{
      "@class":".BaseFileMalwareDataModel",
      "type":"KnownMalware",
      "detectionName":"Trojan.Generic",
      "filePath":"/Users/user/Library/Trial/v6/Database/file"
   },
   "id":{
      "guid":"1428637194.5",
      "timestamp":1660158463435,
      "malwareType":"KnownMalware",
      "elementType":"File"
   },
   "schedulerScan":false
}

Sensors

{
   "sensorId":"id",
   "pylumId":"Pylum",
   "guid":"guid",
   "fqdn":"fqdn",
   "machineName":"machine",
   "internalIpAddress":"192.168.1.1",
   "externalIpAddress":"2.1.1.1",
   "siteName":"site",
   "siteId":0,
   "ransomwareStatus":"DISABLED",
   "preventionStatus":"NOT_INSTALLED",
   "isolated":false,
   "disconnectionTime":1665039360493,
   "lastPylumInfoMsgUpdateTime":1665039048911,
   "lastPylumUpdateTimestampMs":1665039360493,
   "status":"Offline",
   "serviceStatus":"Down",
   "onlineTimeMS":0,
   "offlineTimeMS":0,
   "staleTimeMS":0,
   "archiveTimeMs":null,
   "statusTimeMS":0,
   "lastStatusAction":"None",
   "archivedOrUnarchiveComment":"",
   "sensorArchivedByUser":"",
   "serverName":"server",
   "serverId":"id",
   "serverIp":"10.1.1.1",
   "privateServerIp":"10.1.1.1",
   "collectiveUuid":"uuid",
   "osType":"OSX",
   "osVersionType":"Monterey_12",
   "collectionStatus":"ENABLED",
   "version":"1.1.1.0",
   "consoleVersion":null,
   "firstSeenTime":1625047496227,
   "upTime":844684,
   "cpuUsage":0.0,
   "memoryUsage":0,
   "outdated":true,
   "amStatus":"AM_DETECT_ONLY",
   "amModeOrigin":null,
   "avDbVersion":"ver",
   "avDbLastUpdateTime":1665029579000,
   "powerShellStatus":"PS_DISABLED",
   "remoteShellStatus":"AC_DISABLED",
   "usbStatus":"DISABLED",
   "fwStatus":"DISABLED",
   "antiExploitStatus":"AE_UNKNOWN",
   "documentProtectionStatus":"DS_UNKNOWN",
   "documentProtectionMode":"DM_UNKNOWN",
   "serialNumber":"",
   "deviceModel":"MacBookPro17,1",
   "organizationalUnit":"",
   "antiMalwareStatus":"AM_ENABLED",
   "antiMalwareModeOrigin":null,
   "organization":"org",
   "proxyAddress":"",
   "preventionError":"",
   "exitReason":"STOP_REQUEST_FROM_PYLUM",
   "actionsInProgress":0,
   "pendingActions":[],
   "lastUpgradeResult":"Succeeded",
   "department":null,
   "location":null,
   "criticalAsset":null,
   "deviceType":null,
   "customTags":null,
   "lastUpgradeSteps":[
      {
         "name":"Started",
         "startTime":1631697376839
      },
      {
         "name":"SendingMsi",
         "startTime":1631697376882
      },
      {
         "name":"InProgress",
         "startTime":1631697389025
      },
      {
         "name":"Succeeded",
         "startTime":1631697439416
      }
   ],
   "disconnected":true,
   "staticAnalysisDetectMode":"DISABLED",
   "staticAnalysisDetectModeOrigin":null,
   "staticAnalysisPreventMode":"DISABLED",
   "staticAnalysisPreventModeOrigin":null,
   "collectionComponents":[],
   "sensorLastUpdate":0,
   "fullScanStatus":"IDLE",
   "quickScanStatus":"IDLE",
   "lastFullScheduleScanSuccessTime":0,
   "lastQuickScheduleScanSuccessTime":0,
   "policyName":"Default",
   "deliveryTime":1663137867278,
   "policyId":"policy",
   "compliance":false,
   "groupId":"00000000-0000-0000-0000-000000000000",
   "groupName":"Unassigned",
   "groupStickiness":false,
   "purgedSensors":false,
   "sensorPurgedByUser":null,
   "purgeTimestamp":null,
   "groupStickinessLabel":"Dynamic"
}
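When records of this shape are shipped to the shared bucket as NDJSON, it is worth validating each line and deriving protection-coverage findings from the sensors table before relying on it. The following Python is an added example, not Hunters' or Cybereason's own code; the required-field list, the sample records and the values "Online", "ENABLED" and "AM_PREVENT" are assumptions, while the gap checks key only on values that appear in the sensor record above (Offline, NOT_INSTALLED, AM_DETECT_ONLY, outdated).

```python
import json
from datetime import datetime, timezone
# Constructed sample of the cybereason_sensors NDJSON feed, trimmed to the fields
# this check reads; "Online", "ENABLED" and "AM_PREVENT" are placeholder values.
SENSORS_NDJSON = """\
{"sensorId": "s-1", "machineName": "mac-01", "status": "Offline", "preventionStatus": "NOT_INSTALLED", "amStatus": "AM_DETECT_ONLY", "outdated": true, "disconnectionTime": 1665039360493}
{"sensorId": "s-2", "machineName": "srv-02", "status": "Online", "preventionStatus": "ENABLED", "amStatus": "AM_PREVENT", "outdated": false, "disconnectionTime": null}
not json at all
{"sensorId": "s-3", "machineName": "ws-03", "status": "Offline"}
"""
REQUIRED = ("sensorId", "machineName", "status", "preventionStatus", "outdated")  # assumed minimum

def epoch_ms_to_iso(ms):
    """Cybereason timestamps are epoch milliseconds; render as UTC ISO-8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat(timespec="milliseconds")

def parse_ndjson(text):
    """Return (records, errors): bad lines are reported by number, not shipped as-is."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((lineno, f"invalid JSON: {exc.msg}"))
            continue
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            errors.append((lineno, "missing fields: " + ", ".join(missing)))
        else:
            records.append(rec)
    return records, errors

def coverage_gaps(records):
    """machineName -> reasons the sensor is not actually protecting that endpoint."""
    gaps = {}
    for rec in records:
        reasons = []
        if rec["status"] == "Offline":
            ms = rec.get("disconnectionTime")
            reasons.append("offline since " + (epoch_ms_to_iso(ms) if ms else "unknown"))
        if rec["preventionStatus"] == "NOT_INSTALLED":
            reasons.append("prevention not installed")
        if rec.get("amStatus") == "AM_DETECT_ONLY":
            reasons.append("anti-malware detect-only")
        if rec["outdated"]:
            reasons.append("outdated sensor version")
        if reasons:
            gaps[rec["machineName"]] = reasons
    return gaps
```

The same parse-then-check pattern applies to the cybereason_malware table, keyed on fields such as status and needsAttention.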