Cybereason

Cybereason is an Endpoint Detection and Response (EDR) platform that detects events that comprise malicious operations, also known as Malops. If you use Cybereason version 20.1 or later, you can use its API to have it send events to InsightIDR in order to generate investigations around that data.

To set up Cybereason, you’ll need to:

  1. Review the Before you begin section.
  2. Set up the Cybereason event source in InsightIDR.
  3. Verify the configuration works.

Before you begin

Cybereason’s integration with InsightIDR is secured by JSON Web Token (JWT) authentication in version 20.1 or later of their product. By default, JWT-based authentication is disabled, so you will need to contact Cybereason tech support to enable JWT authentication on your Cybereason server.

  • Install and configure Cybereason version 20.1 or later
  • Contact Cybereason support to enable API access on your account.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Cybereason in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the Cybereason event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. If you are sending additional events beyond alerts, select the unparsed logs checkbox.
  6. Enter your Cybereason server address and port, then select or create your Cybereason credentials in the form of username-password.
  7. Click Save.

Server Address Format

Do not include the protocol when entering your Cybereason server address. For example, enter server.example.net rather than https://server.example.net.

Verify the configuration

Complete the following steps to view your logs and ensure events are making it to the Collector.

  1. From the left menu, click Log Search to view your raw logs and confirm that events are reaching the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name is the name you gave the event source, or Cybereason if you didn’t name it. Cybereason logs flow into the Third Party Alert Log Sets.
  2. Next, perform a Log Search to make sure Cybereason events are coming through. Cross-reference your logs with existing Malops: if there have been no new Malops in the last 24 hours, there will be no logs to view.

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.

Sample logs

Here is an example of what the Cybereason log search data looks like:

JSON
{
  "simpleValues": {
    "hasRansomwareSuspendedProcesses": { "totalValues": 1, "values": [ "false" ] },
    "decisionFeature": { "totalValues": 1, "values": [ "Process.maliciousWebShellExecution(Malop decision)" ] },
    "rootCauseElementCompanyProduct": { "totalValues": 1, "values": [ " : basel2" ] },
    "malopStartTime": { "totalValues": 1, "values": [ "1599487825054" ] },
    "detectionType": { "totalValues": 1, "values": [ "MALICIOUS_PROCESS" ] },
    "malopActivityTypes": { "totalValues": 1, "values": [ "MALICIOUS_INFECTION" ] },
    "elementDisplayName": { "totalValues": 1, "values": [ "MALICIOUS_INFECTION" ] },
    "creationTime": { "totalValues": 1, "values": [ "1599487956501" ] },
    "isBlocked": { "totalValues": 1, "values": [ "false" ] },
    "rootCauseElementTypes": { "totalValues": 1, "values": [ "Process" ] },
    "rootCauseElementNames": { "totalValues": 1, "values": [ "w3wp.exe" ] },
    "malopLastUpdateTime": { "totalValues": 1, "values": [ "1599487975114" ] },
    "allRansomwareProcessesSuspended": { "totalValues": 1, "values": [ "false" ] },
    "rootCauseElementHashes": { "totalValues": 1, "values": [ "d6fe37b2ed8d70d75bb2ba2f4d4e050cd02e165c" ] },
    "managementStatus": { "totalValues": 1, "values": [ "OPEN" ] },
    "closeTime": { "totalValues": 1, "values": [ null ] },
    "closerName": { "totalValues": 1, "values": [ null ] },
    "customClassification": { "totalValues": 1, "values": [ "None" ] }
  },
  "elementValues": {
    "primaryRootCauseElements": {
      "totalValues": 1,
      "elementValues": [
        { "elementType": "Process", "guid": "-2143953455.-772403910525185597", "name": "w3wp.exe", "hasSuspicions": true, "hasMalops": true }
      ],
      "totalSuspicious": 1,
      "totalMalicious": 1,
      "guessedTotal": 0
    },
    "affectedUsers": {
      "totalValues": 1,
      "elementValues": [
        { "elementType": "User", "guid": "0.957500363184525212", "name": "a-win10-64-rs5\\admin", "hasSuspicions": false, "hasMalops": false }
      ],
      "totalSuspicious": 0,
      "totalMalicious": 0,
      "guessedTotal": 0
    },
    "affectedMachines": {
      "totalValues": 1,
      "elementValues": [
        { "elementType": "Machine", "guid": "-2143953455.1198775089551518743", "name": "A-WIN10-64-RS5", "hasSuspicions": false, "hasMalops": false }
      ],
      "totalSuspicious": 0,
      "totalMalicious": 0,
      "guessedTotal": 0
    }
  },
  "suspicions": null,
  "filterData": {
    "sortInGroupValue": "11.7941800102332716393",
    "groupByValue": "MalopProcessRuntime:11.7941800102332716393 "
  },
  "isMalicious": false,
  "suspicionCount": 0,
  "guidString": "11.7941800102332716393",
  "labelsIds": [],
  "malopPriority": null,
  "suspect": false,
  "malicious": false,
  "id": "11.7941800102332716393"
}
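The record above wraps every scalar in a {"totalValues": n, "values": [...]} holder and reports timestamps as epoch milliseconds in string form, which makes the raw event awkward to search on directly. The following added example (written for this page; it is not Rapid7 or Cybereason code) flattens a Malop record into search-friendly fields: it collapses the value holders, converts the epoch-millisecond timestamps to ISO 8601 UTC, turns "true"/"false" strings into booleans, lists the affected machines and users by name, splits the decisionFeature into element type and feature name, and checks whether the Malop falls inside the 24-hour window the verification section mentions. The embedded input is a trimmed copy of the page's sample record; the field set in EPOCH_MS_FIELDS and the decisionFeature pattern are assumptions drawn from that sample.

```python
"""Flatten a Cybereason Malop record (the shape InsightIDR ingests) into search-friendly fields.
Added example for this page; not Rapid7 or Cybereason code."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed input: a trimmed copy of the sample Malop record shown on this page.
SAMPLE_MALOP = r'''{
  "simpleValues": {
    "decisionFeature": { "totalValues": 1, "values": [ "Process.maliciousWebShellExecution(Malop decision)" ] },
    "malopStartTime": { "totalValues": 1, "values": [ "1599487825054" ] },
    "creationTime": { "totalValues": 1, "values": [ "1599487956501" ] },
    "isBlocked": { "totalValues": 1, "values": [ "false" ] },
    "rootCauseElementNames": { "totalValues": 1, "values": [ "w3wp.exe" ] },
    "rootCauseElementHashes": { "totalValues": 1, "values": [ "d6fe37b2ed8d70d75bb2ba2f4d4e050cd02e165c" ] },
    "managementStatus": { "totalValues": 1, "values": [ "OPEN" ] },
    "closeTime": { "totalValues": 1, "values": [ null ] }
  },
  "elementValues": {
    "primaryRootCauseElements": { "totalValues": 1, "elementValues": [
      { "elementType": "Process", "guid": "-2143953455.-772403910525185597", "name": "w3wp.exe", "hasSuspicions": true, "hasMalops": true } ] },
    "affectedUsers": { "totalValues": 1, "elementValues": [
      { "elementType": "User", "guid": "0.957500363184525212", "name": "a-win10-64-rs5\\admin", "hasSuspicions": false, "hasMalops": false } ] },
    "affectedMachines": { "totalValues": 1, "elementValues": [
      { "elementType": "Machine", "guid": "-2143953455.1198775089551518743", "name": "A-WIN10-64-RS5", "hasSuspicions": false, "hasMalops": false } ] }
  },
  "isMalicious": false,
  "id": "11.7941800102332716393"
}'''

# Assumption based on the sample: these simpleValues fields carry epoch milliseconds as strings.
EPOCH_MS_FIELDS = {"malopStartTime", "creationTime", "malopLastUpdateTime", "closeTime"}

# Assumption based on the sample: decision features look like "<ElementType>.<featureName>(Malop decision)".
DECISION_RE = re.compile(r"^(?P<element>\w+)\.(?P<feature>\w+)\(")


def epoch_ms_to_iso(ms):
    """Convert an epoch-millisecond string (or None) to an ISO 8601 UTC timestamp with millisecond precision."""
    if ms is None or ms == []:
        return None
    ms = int(ms)
    # Split seconds and milliseconds explicitly to avoid float rounding of the fraction.
    ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(microsecond=(ms % 1000) * 1000)
    return ts.isoformat(timespec="milliseconds")


def collapse(values):
    """Collapse a Cybereason "values" list: a single entry becomes a scalar; "true"/"false" become bools."""
    conv = {"true": True, "false": False}
    out = [conv.get(v, v) if isinstance(v, str) else v for v in values]
    return out[0] if len(out) == 1 else out


def parse_decision(feature):
    """Split "Process.maliciousWebShellExecution(Malop decision)" into ("Process", "maliciousWebShellExecution")."""
    m = DECISION_RE.match(feature or "")
    return (m.group("element"), m.group("feature")) if m else (None, None)


def flatten_malop(record):
    """Return a flat dict of searchable fields from one Malop record."""
    flat = {"id": record.get("id"), "isMalicious": record.get("isMalicious")}
    for key, holder in record.get("simpleValues", {}).items():
        val = collapse(holder.get("values") or [])
        flat[key] = epoch_ms_to_iso(val) if key in EPOCH_MS_FIELDS else val
    # Element holders carry objects; keep the display names so the fields stay searchable.
    for key, holder in record.get("elementValues", {}).items():
        flat[key] = [e.get("name") for e in holder.get("elementValues", [])]
    flat["decisionElement"], flat["decisionName"] = parse_decision(flat.get("decisionFeature"))
    return flat


def is_recent(flat, now_iso, hours=24):
    """True if the Malop's creationTime lies within the last `hours` before `now_iso` (an ISO 8601 UTC timestamp)."""
    created = flat.get("creationTime")
    if created is None:
        return False
    return datetime.fromisoformat(created) >= datetime.fromisoformat(now_iso) - timedelta(hours=hours)


def flatten_sample():
    """Flatten the embedded sample record."""
    return flatten_malop(json.loads(SAMPLE_MALOP))


if __name__ == "__main__":
    for k, v in flatten_sample().items():
        print(f"{k}: {v}")
```

The flattened output is what you would feed into a normalized search or an alert rule, for example keying on rootCauseElementHashes and affectedMachines; is_recent reproduces the check from the verification section, since a Malop created more than 24 hours before the time you are checking will not be among the new logs.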

Troubleshoot common issues

If you are experiencing issues with the Cybereason event source, ensure that the following conditions are met:

  • You have Cybereason version 20.1 or later
  • You have JWT authentication enabled on your Cybereason server