Overview

Cybereason provides a next-generation antivirus (NGAV) solution that safeguards company endpoints against advanced and previously unknown threats, including ransomware and fileless attacks.

Integrating Cybereason with Hunters enables collection and ingestion of the key data types listed below into the data lake. Hunters then raises alerts over these logs, auto-investigates them and correlates them with other related signals.

Supported data types

Hunters collects the following data types:

  • Malware - details of the malware detected in the customer's environment.

  • Sensors - inventory and status of all Cybereason agents (sensors) installed in the environment.

Sending data to Hunters

Hunters supports API collection for the Cybereason data types. To enable it, supply the following details in the Hunters platform:

  • Client domain

    • must follow the pattern: user@domain

  • Client username

  • Client password

Note that the supplied user must have Super user permissions. Because such an account can read across the whole Cybereason tenant, use a dedicated service account for the integration rather than a personal login, and rotate its password in line with your credential policy.

Expected Format

If Cybereason events are already being collected in your environment, you can ship them to Hunters via a shared blob storage such as AWS S3. The expected format for the events is:

Malware format
        {
            "guid": "1428",
            "timestamp": 1660158463435,
            "name": "name",
            "type": "KnownMalware",
            "elementType": "File",
            "machineName": "john's machine",
            "status": "Detected",
            "needsAttention": false,
            "referenceGuid": "14286371",
            "referenceElementType": "File",
            "score": 0.0,
            "detectionValue": "value",
            "detectionValueType": "DVT_FILE",
            "detectionEngine": "AntiVirus",
            "malwareDataModel": {
                "@class": ".BaseFileMalwareDataModel",
                "type": "KnownMalware",
                "detectionName": "Trojan.Generic",
                "filePath": "/Users/user/Library/Trial/v6/Database/file"
            },
            "id": {
                "guid": "1428637194.5",
                "timestamp": 1660158463435,
                "malwareType": "KnownMalware",
                "elementType": "File"
            },
            "schedulerScan": false
        }
Sensors format
{
   "sensorId":"id",
   "pylumId":"Pylum",
   "guid":"guid",
   "fqdn":"fqdn",
   "machineName":"machine",
   "internalIpAddress":"192.168.1.1",
   "externalIpAddress":"2.1.1.1",
   "siteName":"site",
   "siteId":0,
   "ransomwareStatus":"DISABLED",
   "preventionStatus":"NOT_INSTALLED",
   "isolated":false,
   "disconnectionTime":1665039360493,
   "lastPylumInfoMsgUpdateTime":1665039048911,
   "lastPylumUpdateTimestampMs":1665039360493,
   "status":"Offline",
   "serviceStatus":"Down",
   "onlineTimeMS":0,
   "offlineTimeMS":0,
   "staleTimeMS":0,
   "archiveTimeMs":null,
   "statusTimeMS":0,
   "lastStatusAction":"None",
   "archivedOrUnarchiveComment":"",
   "sensorArchivedByUser":"",
   "serverName":"server",
   "serverId":"id",
   "serverIp":"10.1.1.1",
   "privateServerIp":"10.1.1.1",
   "collectiveUuid":"uuid",
   "osType":"OSX",
   "osVersionType":"Monterey_12",
   "collectionStatus":"ENABLED",
   "version":"1.1.1.0",
   "consoleVersion":null,
   "firstSeenTime":1625047496227,
   "upTime":844684,
   "cpuUsage":0.0,
   "memoryUsage":0,
   "outdated":true,
   "amStatus":"AM_DETECT_ONLY",
   "amModeOrigin":null,
   "avDbVersion":"ver",
   "avDbLastUpdateTime":1665029579000,
   "powerShellStatus":"PS_DISABLED",
   "remoteShellStatus":"AC_DISABLED",
   "usbStatus":"DISABLED",
   "fwStatus":"DISABLED",
   "antiExploitStatus":"AE_UNKNOWN",
   "documentProtectionStatus":"DS_UNKNOWN",
   "documentProtectionMode":"DM_UNKNOWN",
   "serialNumber":"",
   "deviceModel":"MacBookPro17,1",
   "organizationalUnit":"",
   "antiMalwareStatus":"AM_ENABLED",
   "antiMalwareModeOrigin":null,
   "organization":"org",
   "proxyAddress":"",
   "preventionError":"",
   "exitReason":"STOP_REQUEST_FROM_PYLUM",
   "actionsInProgress":0,
   "pendingActions":[],
   "lastUpgradeResult":"Succeeded",
   "department":null,
   "location":null,
   "criticalAsset":null,
   "deviceType":null,
   "customTags":null,
   "lastUpgradeSteps":[
      {
         "name":"Started",
         "startTime":1631697376839
      },
      {
         "name":"SendingMsi",
         "startTime":1631697376882
      },
      {
         "name":"InProgress",
         "startTime":1631697389025
      },
      {
         "name":"Succeeded",
         "startTime":1631697439416
      }
   ],
   "disconnected":true,
   "staticAnalysisDetectMode":"DISABLED",
   "staticAnalysisDetectModeOrigin":null,
   "staticAnalysisPreventMode":"DISABLED",
   "staticAnalysisPreventModeOrigin":null,
   "collectionComponents":[],
   "sensorLastUpdate":0,
   "fullScanStatus":"IDLE",
   "quickScanStatus":"IDLE",
   "lastFullScheduleScanSuccessTime":0,
   "lastQuickScheduleScanSuccessTime":0,
   "policyName":"Default",
   "deliveryTime":1663137867278,
   "policyId":"policy",
   "compliance":false,
   "groupId":"00000000-0000-0000-0000-000000000000",
   "groupName":"Unassigned",
   "groupStickiness":false,
   "purgedSensors":false,
   "sensorPurgedByUser":null,
   "purgeTimestamp":null,
   "groupStickinessLabel":"Dynamic"
}
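When events are shipped through S3 rather than pulled over the API, nothing on the Hunters side can fix a malformed batch after the fact, so it pays to validate records before uploading them. The following pre-flight checker is an added example written for this page; it is not Hunters' or Cybereason's code. It covers both the Malware and the Sensors formats above, taking field names and types from those samples. Treating those fields as required, expecting one JSON object per line (NDJSON), and the sample records themselves are this example's assumptions, not something the page documents.

```python
"""Pre-flight checks for Cybereason records before shipping them to a Hunters-polled
S3 bucket.  Added example, not Hunters' or Cybereason's code.  Assumes one JSON
object per line (NDJSON); the page does not state the file layout."""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Field names and types taken from the Malware and Sensors samples on the page.
# Treating them as required is this example's choice, not a documented contract.
MALWARE_FIELDS = {
    "guid": str, "timestamp": int, "type": str, "elementType": str,
    "machineName": str, "status": str, "detectionEngine": str,
    "malwareDataModel": dict, "id": dict,
}
SENSOR_FIELDS = {
    "sensorId": str, "pylumId": str, "guid": str, "fqdn": str,
    "machineName": str, "internalIpAddress": str, "status": str,
    "osType": str, "version": str, "policyName": str,
}
# Plausibility window for epoch-millisecond values: 2001-09-09 .. 2100-01-01.
MS_MIN, MS_MAX = 1_000_000_000_000, 4_102_444_800_000


def _type_ok(value, typ):
    if typ is int and isinstance(value, bool):
        return False  # bool is an int subclass; a True/False timestamp is a bug
    return isinstance(value, typ)


def _check_fields(record, fields):
    errors = []
    for name, typ in fields.items():
        if name not in record:
            errors.append(f"missing field {name!r}")
        elif not _type_ok(record[name], typ):
            errors.append(f"{name!r} is {type(record[name]).__name__}, expected {typ.__name__}")
    return errors


def _check_ms(record, field):
    value = record.get(field)
    if not _type_ok(value, int):
        return [f"{field!r} must be an integer epoch in milliseconds"]
    if not MS_MIN <= value <= MS_MAX:
        return [f"{field!r}={value} is outside the millisecond range (seconds?)"]
    return []


def validate_malware(record):
    errors = _check_fields(record, MALWARE_FIELDS)
    if "timestamp" in record:
        errors += _check_ms(record, "timestamp")
    nested = record.get("id")
    # The nested id block repeats the outer timestamp in the sample; a mismatch
    # hints at a record stitched together from two different events.
    if isinstance(nested, dict) and nested.get("timestamp") != record.get("timestamp"):
        errors.append("id.timestamp does not match top-level timestamp")
    return errors


def validate_sensor(record):
    errors = _check_fields(record, SENSOR_FIELDS)
    try:
        ipaddress.ip_address(record.get("internalIpAddress", ""))
    except ValueError:
        errors.append("'internalIpAddress' is not a valid IP address")
    for field in ("firstSeenTime", "lastPylumUpdateTimestampMs"):
        if record.get(field):  # 0 / null appear legitimately for never-seen sensors
            errors += _check_ms(record, field)
    return errors


def ms_to_iso(ms):
    """Epoch milliseconds -> ISO-8601 UTC, using integer arithmetic to avoid float drift."""
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return (base + timedelta(milliseconds=ms % 1000)).isoformat(timespec="milliseconds")


def summarize_malware(record):
    """Flatten a validated malware event into the fields an analyst triages on."""
    model = record.get("malwareDataModel", {})
    return {
        "time": ms_to_iso(record["timestamp"]), "host": record["machineName"],
        "status": record["status"], "engine": record.get("detectionEngine"),
        "detection": model.get("detectionName"), "path": model.get("filePath"),
        "needs_attention": bool(record.get("needsAttention")),
    }


def validate_ndjson(text, validator):
    """Return {line_number: [errors]} for every line that should not be shipped."""
    problems = {}
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            problems[n] = [f"invalid JSON: {exc.msg}"]
            continue
        if errors := validator(record):
            problems[n] = errors
    return problems


# Constructed sample data (not captured from a real tenant); line 2 carries a
# seconds-precision timestamp and line 3 is a truncated object.
GOOD_MALWARE = {
    "guid": "1428", "timestamp": 1660158463435, "type": "KnownMalware",
    "elementType": "File", "machineName": "john's machine", "status": "Detected",
    "needsAttention": False, "detectionEngine": "AntiVirus",
    "malwareDataModel": {"detectionName": "Trojan.Generic", "filePath": "/tmp/file"},
    "id": {"guid": "1428637194.5", "timestamp": 1660158463435},
}
SAMPLE_MALWARE_BATCH = "\n".join([
    json.dumps(GOOD_MALWARE),
    json.dumps({**GOOD_MALWARE, "timestamp": 1660158463}),
    '{"guid": "1428", "timestamp": 16601584',
])

if __name__ == "__main__":
    for line, errors in validate_ndjson(SAMPLE_MALWARE_BATCH, validate_malware).items():
        print(f"line {line}: {'; '.join(errors)}")
    print(summarize_malware(GOOD_MALWARE))
```

Run the module directly to see lines 2 and 3 of the constructed batch rejected while line 1 is flattened into a triage summary. The millisecond window check matters in practice: Cybereason emits epoch milliseconds throughout, and a feed that silently switches to seconds lands events in 1970 where no correlation will ever find them.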