Cybereason CDF

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

Cybereason is an EDR tool used to monitor, detect, and prevent malware from executing on internal host machines. The Cybereason CDF for ThreatQ enables you to ingest Malware Alerts that are generated in the Cybereason platform.

The integration provides the following feed:

  • Cybereason Alerts - ingests any Events and Indicators from Cybereason.

The integration ingests the following system objects:

  • Events
    • Event Attributes
  • Indicators
    • Indicator Attributes

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the OSINT option from the Category dropdown (optional).

    If you are installing the integration for the first time, it will be located under the Disabled tab.

  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:
    Parameter                 Description
    Cybereason Host and Port  Your Cybereason host and port (if required).
    Username                  Your Cybereason username.
    Password                  Your Cybereason password.
    Needs Attention Only      Enabling this will only ingest malware alerts that "need attention."
    Malware Types             Select one or more malware types to ingest for alerts:
                              • Known Malware
                              • Unknown Malware
                              • Fileless
                              • App Control
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable the integration.

ThreatQ Mapping

Cybereason Alerts

The Cybereason Alerts feed enables ThreatQ to ingest any Events and Indicators from Cybereason.

POST {host}/rest/malware/query

Sample Response:

{
  "data": {
    "malwares": [
      {
        "guid": "-1682067831.-373350822606094116",
        "timestamp": 1605611665000,
        "name": "wmplayer.exe",
        "type": "UnknownMalware",
        "elementType": "File",
        "machineName": "w7-cbr-se2",
        "status": "Detected",
        "needsAttention": false,
        "referenceGuid": "-1682067831.-373350822606094116",
        "referenceElementType": "File",
        "score": 0.6942690445239349,
        "detectionValue": "0630086e4eb057a1a3b89642cc0213ee",
        "detectionValueType": "DVT_FILE",
        "detectionEngine": "StaticAnalysis",
        "malwareDataModel": {
          "@class": ".BaseFileMalwareDataModel",
          "type": "UnknownMalware",
          "detectionName": null,
          "filePath": "c:\\program files (x86)\\windows media player\\wmplayer.exe"
        },
        "id": {
          "guid": "-1682067831.-373350822606094116",
          "timestamp": 1605611665000,
          "malwareType": "UnknownMalware",
          "elementType": "File"
        },
        "schedulerScan": false
      },
      {
        "guid": "-1682067831.-373350822606094116",
        "timestamp": 1605611498000,
        "name": "wmplayer.exe",
        "type": "UnknownMalware",
        "elementType": "File",
        "machineName": "w7-cbr-se2",
        "status": "Detected",
        "needsAttention": false,
        "referenceGuid": "-1682067831.-373350822606094116",
        "referenceElementType": "File",
        "score": 0.6942690445239349,
        "detectionValue": "0630086e4eb057a1a3b89642cc0213ee",
        "detectionValueType": "DVT_FILE",
        "detectionEngine": "StaticAnalysis",
        "malwareDataModel": {
          "@class": ".BaseFileMalwareDataModel",
          "type": "UnknownMalware",
          "detectionName": null,
          "filePath": "c:\\program files (x86)\\windows media player\\wmplayer.exe"
        },
        "id": {
          "guid": "-1682067831.-373350822606094116",
          "timestamp": 1605611498000,
          "malwareType": "UnknownMalware",
          "elementType": "File"
        },
        "schedulerScan": false
      }
    ],
    "totalResults": 2,
    "hasMoreResults": false
  },
  "status": "SUCCESS",
  "message": ""
}

ThreatQuotient provides the following default mapping for this feed:

Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes
.data.malwares[].[name&type&malwareDataModel.detectionName&status&detectionEngine] | Event.Title | Malware | data.malwares[].timestamp | gsecdump.exe - Application.Hacktool.Gsecdump.E - Prevented via AntiVirus | The Event Title is built by joining the values of the listed keys
.data.malwares[].malwareDataModel.filePath | Related.Indicator Value | File Path | data.malwares[].timestamp | c:\program files (x86)\windows media player\wmplayer.exe | N/A
.data.malwares[].name | Related.Indicator Value | Filename | data.malwares[].timestamp | wmplayer.exe | N/A
.data.malwares[].detectionValue | Related.Indicator Value | MD5 | data.malwares[].timestamp | 0630086e4eb057a1a3b89642cc0213ee | N/A
.data.malwares[].machineName | Event.Attribute | Host Machine | data.malwares[].timestamp | WIN-123-123 | N/A
.data.malwares[].needsAttention | Event.Attribute | Needs Attention | data.malwares[].timestamp | Yes | N/A
.data.malwares[].detectionValueType | Event.Attribute | Detection Value Type | data.malwares[].timestamp | DVT_FILE | N/A
.data.malwares[].type | Event.Attribute & Indicator.Attribute | Malware Type | data.malwares[].timestamp | KnownMalware | N/A
.data.malwares[].malwareDataModel.detectionName | Event.Attribute & Indicator.Attribute | Detection | data.malwares[].timestamp | Gen:Variant.Mimikatz.10 | N/A
.data.malwares[].elementType | Event.Attribute & Indicator.Attribute | Element Type | data.malwares[].timestamp | File | N/A
.data.malwares[].detectionEngine | Event.Attribute & Indicator.Attribute | Detection Engine | data.malwares[].timestamp | AntiVirus | N/A
.data.malwares[].score | Event.Attribute & Indicator.Attribute | Cybereason Score | data.malwares[].timestamp | 0.76273662732 | N/A
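The mapping above, as an added example that is not ThreatQuotient's CDF code: a Python mapper that turns each .data.malwares[] record of a /rest/malware/query response into an event with its attributes and related indicators. Assumptions: the title layout follows the guide's example, the Needs Attention Only and Malware Types settings are applied client-side, needsAttention=false is rendered as "No", and the MD5 format check is an added safeguard; the sample record is constructed from the guide's sample response.

```python
import re
from datetime import datetime, timezone

SAMPLE_RESPONSE = {"data": {"malwares": [{  # constructed, in the shape of the guide's sample
    "guid": "-1682067831.-373350822606094116", "timestamp": 1605611665000,
    "name": "wmplayer.exe", "type": "UnknownMalware", "elementType": "File",
    "machineName": "w7-cbr-se2", "status": "Detected", "needsAttention": False,
    "score": 0.6942690445239349, "detectionValue": "0630086e4eb057a1a3b89642cc0213ee",
    "detectionValueType": "DVT_FILE", "detectionEngine": "StaticAnalysis",
    "malwareDataModel": {"type": "UnknownMalware", "detectionName": None,
        "filePath": r"c:\program files (x86)\windows media player\wmplayer.exe"},
}], "totalResults": 1, "hasMoreResults": False}, "status": "SUCCESS", "message": ""}

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

def map_alert(alert, needs_attention_only=False, malware_types=None):
    """Map one .data.malwares[] record to an event dict; None when excluded by the
    Needs Attention Only / Malware Types filters (applied client-side by assumption)."""
    if (needs_attention_only and not alert.get("needsAttention")) or \
       (malware_types and alert.get("type") not in malware_types):
        return None
    model = alert.get("malwareDataModel") or {}
    # Title joins name, type, detectionName, status and detectionEngine; the layout
    # follows the guide's example title and null parts (e.g. detectionName) are skipped.
    head = " - ".join(str(p) for p in (alert.get("name"), alert.get("type"),
                                        model.get("detectionName")) if p)
    title = f"{head} - {alert.get('status')} via {alert.get('detectionEngine')}"
    published = datetime.fromtimestamp(alert["timestamp"] / 1000, tz=timezone.utc)  # epoch ms
    shared = {k: v for k, v in {  # attributes set on the event AND on each indicator
        "Malware Type": alert.get("type"), "Detection": model.get("detectionName"),
        "Element Type": alert.get("elementType"), "Cybereason Score": alert.get("score"),
        "Detection Engine": alert.get("detectionEngine")}.items() if v is not None}
    event_attrs = {"Host Machine": alert.get("machineName"),
                   "Needs Attention": "Yes" if alert.get("needsAttention") else "No",
                   "Detection Value Type": alert.get("detectionValueType"), **shared}
    indicators = [{"type": t, "value": v, "attributes": shared} for t, v in
                  (("File Path", model.get("filePath")), ("Filename", alert.get("name")))
                  if v]
    # Added safeguard (not in the guide's mapping): only treat detectionValue as an
    # MD5 when the provider says it is a file hash and it is 32 hex characters.
    dv = alert.get("detectionValue")
    if alert.get("detectionValueType") == "DVT_FILE" and dv and MD5_RE.match(dv):
        indicators.append({"type": "MD5", "value": dv.lower(), "attributes": shared})
    return {"type": "Malware", "title": title, "published_at": published.isoformat(),
            "attributes": event_attrs, "indicators": indicators}

def map_response(response, **filters):  # whole /rest/malware/query body -> list of events
    alerts = response.get("data", {}).get("malwares", [])
    return [e for e in (map_alert(a, **filters) for a in alerts) if e]
```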

Average Feed Run

Object counts and Feed runtime are supplied as generalities only: objects returned by a provider can differ based on credential configurations, and Feed runtime may vary based on system resources and load.

Cybereason Alerts

Metric                Result
Run Time              4 minutes
Events                951
Event Attributes      5,875
Indicators            143
Indicator Attributes  984

Change Log

  • Version 1.0.0
    • Initial release

PDF Guides

Document                     ThreatQ Version
Cybereason CDF Guide v1.0.0  4.45.0 or Greater