Cybereason: Playbook
Release Notes
1.0.0 (2022-04-27)
- APP-1503 Initial Release
Category
- Endpoint Detection & Response
Description
This app is a set of actions designed to work with the Cybereason API.
The following actions are included:
- Add Indicator Reputation - Add a custom reputation based on a file hash value (MD5 or SHA1), IP Address, or domain name.
- Create Malop Comment - Add a comment to a Malop.
- Get Auto Hunt Malop - Retrieve details for an Auto Hunt Malop.
- Get Endpoint Malop - Retrieve details for an Endpoint Protection Malop.
- List Malops - Retrieve all Malops of every type from a specified time window.
- Isolate Machine - Isolate a machine or machines involved in a specific Malop.
- Remove Indicator Reputation - Remove a custom reputation based on a file hash value (MD5 or SHA1), IP Address, or domain name.
- Unisolate Machine - Remove from isolation a machine or machines associated with a Malop.
- Update Malop Status - Update a Malop's status.
Actions
Add Indicator Reputation
Add a custom reputation based on a file hash value (MD5 or SHA1), IP Address, or domain name.
Inputs
Connection
Server URL (String)
The Cybereason Server instance's URL (e.g. https://[your_instance.]cybereason.net:1234).
Username (String)
The Cybereason User ID.
Password (String)
The Cybereason password for the respective username.
Verify SSL Cert (Boolean, Default: Selected)
Verify the SSL Certificate of the API host during connection.
Configure
Indicators (String)
The file hash value (MD5 or SHA1), IP Address, or domain name to set a custom reputation.
Allows: String, StringArray, TCEntity, TCEntityArray
Malicious Type (EditChoice)
Choose which reputation to set, Allow or Block. This will be applied to all indicators.
Valid Values: Allow, Block
Advanced
Prevent Execution (Boolean, Default: Unselected)
Indicates whether or not to prevent a file's execution with Application Control. This option is only applicable to file hashes; leave it unchecked if your request includes IP addresses or domain names.
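As an added example (not part of the app or of Cybereason's own code), the following Python pre-checks the Indicators, Malicious Type and Prevent Execution inputs before the action is invoked: it classifies each indicator as MD5, SHA1, IP address or domain and rejects Prevent Execution when addresses or domains are present, as the description above requires. The function names and the returned dictionary layout are my own, not the app's.

```python
import ipaddress
import re
from typing import Dict, List

# Added example, not the app's or Cybereason's code: validates the
# Indicators / Malicious Type / Prevent Execution inputs of
# Add Indicator Reputation before the action is invoked.

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Hostname: dot-separated labels of letters, digits and inner hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$")


def classify_indicator(value: str) -> str:
    """Return 'md5', 'sha1', 'ip' or 'domain'; raise ValueError otherwise."""
    v = value.strip()
    if MD5_RE.match(v):
        return "md5"
    if SHA1_RE.match(v):
        return "sha1"
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain"
    raise ValueError(f"unsupported indicator: {value!r}")


def validate_reputation_request(indicators: List[str], malicious_type: str,
                                prevent_execution: bool = False) -> Dict[str, object]:
    """Group indicators by type and enforce the documented input constraints.

    Malicious Type must be Allow or Block and is applied to every indicator.
    Prevent Execution is only valid for file hashes, so it is rejected when the
    request also carries IP addresses or domain names.
    """
    if malicious_type not in ("Allow", "Block"):
        raise ValueError("Malicious Type must be 'Allow' or 'Block'")
    groups: Dict[str, List[str]] = {"md5": [], "sha1": [], "ip": [], "domain": []}
    for ind in indicators:
        groups[classify_indicator(ind)].append(ind.strip().lower())
    if prevent_execution and (groups["ip"] or groups["domain"]):
        raise ValueError("Prevent Execution applies to file hashes only; "
                         "leave it unchecked for IP addresses and domains")
    return {"malicious_type": malicious_type,
            "prevent_execution": prevent_execution,
            "indicators": groups}
```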
Outputs
- cybereason.action (String)
- cybereason.response.status_code (String)
- cybereason.response.error_code (String)
- cybereason.response.error_message (String)
- cybereason.response.json.raw (String)
- cybereason.reputation.malicious_type (String)
- cybereason.reputation.outcome (String)
- cybereason.reputation.data (String)
Create Malop Comment
Add a comment to a Malop.
Inputs
Connection
Server URL (String)
The Cybereason Server instance's URL (e.g. https://[your_instance.]cybereason.net:1234).
Username (String)
The Cybereason User ID.
Password (String)
The Cybereason password for the respective username.
Verify SSL Cert (Boolean, Default: Selected)
Verify the SSL Certificate of the API host during connection.
Configure
Malop ID (String)
The ID of the Malop to use. Commonly referred to as Malop GUID in the Cybereason platform.
Comment (String)
The comment to add to the Malop.
Outputs
- cybereason.action (String)
- cybereason.response.status_code (String)
- cybereason.response.error_code (String)
- cybereason.response.error_message (String)
- cybereason.response.json.raw (String)
Get Auto Hunt Malop
Retrieve details for an Auto Hunt Malop.
Inputs
Connection
Server URL (String)
The Cybereason Server instance's URL (e.g. https://[your_instance.]cybereason.net:1234).
Username (String)
The Cybereason User ID.
Password (String)
The Cybereason password for the respective username.
Verify SSL Cert (Boolean, Default: Selected)
Verify the SSL Certificate of the API host during connection.
Configure
Malop ID (String)
The ID of the Malop to use. Commonly referred to as Malop GUID in the Cybereason platform.
Advanced
Fail on No Results (Boolean, Default: Selected)
If an action would return an empty result, exit with a failure.
Outputs
- cybereason.action (String)
- cybereason.response.status_code (String)
- cybereason.response.error_code (String)
- cybereason.response.error_message (String)
- cybereason.response.json.raw (String)
- cybereason.autohunt_malop.guid_string (String)
- cybereason.autohunt_malop.is_malicious (String)
- cybereason.autohunt_malop.malicious (String)
- cybereason.autohunt_malop.malop_priority (String)
- cybereason.autohunt_malop.suspect (String)
- cybereason.autohunt_malop.suspicion_count (String)
- cybereason.autohunt_malop.suspicions (String)
- cybereason.total_possible_results (String)
- cybereason.message (String)
- cybereason.status (String)
- cybereason.path_result_counts.count (StringArray)
- cybereason.path_result_counts.feature_descriptor.element_instance_type (StringArray)
- cybereason.path_result_counts.feature_descriptor.feature_name (StringArray)
- cybereason.autohunt_malop.simple.all_ransomware_processes_suspended.values (StringArray)
- cybereason.autohunt_malop.simple.close_time.values (StringArray)
- cybereason.autohunt_malop.simple.closer_name.values (StringArray)
- cybereason.autohunt_malop.simple.creation_time.values (StringArray)
- cybereason.autohunt_malop.simple.custom_classification.values (StringArray)
- cybereason.autohunt_malop.simple.decision_feature.values (StringArray)
- cybereason.autohunt_malop.simple.detection_type.values (StringArray)
- cybereason.autohunt_malop.simple.element_display_name.values (StringArray)
- cybereason.autohunt_malop.simple.has_ransomware_suspended_processes.values (StringArray)
- cybereason.autohunt_malop.simple.is_blocked.values (StringArray)
- cybereason.autohunt_malop.simple.malop_activity_types.values (StringArray)
- cybereason.autohunt_malop.simple.malop_last_update_time.values (StringArray)
- cybereason.autohunt_malop.simple.malop_start_time.values (StringArray)
- cybereason.autohunt_malop.simple.management_status.values (StringArray)
- cybereason.autohunt_malop.simple.root_cause_element_company_product.values (StringArray)
- cybereason.autohunt_malop.simple.root_cause_element_hashes.values (StringArray)
- cybereason.autohunt_malop.simple.root_cause_element_names.values (StringArray)
- cybereason.autohunt_malop.simple.root_cause_element_types.values (StringArray)
Get Endpoint Malop
Retrieve details for an Endpoint Protection Malop.
Inputs
Connection
Server URL (String)
The Cybereason Server instance's URL (e.g. https://[your_instance.]cybereason.net:1234).
Username (String)
The Cybereason User ID.
Password (String)
The Cybereason password for the respective username.
Verify SSL Cert (Boolean, Default: Selected)
Verify the SSL Certificate of the API host during connection.
Configure
Malop ID (String)
The ID of the Malop to use. Commonly referred to as Malop GUID in the Cybereason platform.
Advanced
Fail on No Results (Boolean, Default: Selected)
If an action would return an empty result, exit with a failure.
Outputs
- cybereason.action (String)
- cybereason.response.status_code (String)
- cybereason.response.error_code (String)
- cybereason.response.error_message (String)
- cybereason.response.json.raw (String)
- cybereason.endpoint_malop.active_processes_count (String)
- cybereason.endpoint_malop.creation_time (String)
- cybereason.endpoint_malop.display_name (String)
- cybereason.endpoint_malop.edr (String)
- cybereason.endpoint_malop.escalated (String)
- cybereason.endpoint_malop.file_classification_type (String)
- cybereason.endpoint_malop.file_hash (String)
- cybereason.endpoint_malop.guid (String)
- cybereason.endpoint_malop.has_any_scan_event (String)
- cybereason.endpoint_malop.icon_base64 (String)
- cybereason.endpoint_malop.labels (String)
- cybereason.endpoint_malop.last_update_time (String)
- cybereason.endpoint_malop.malop_detection_type (String)
- cybereason.endpoint_malop.priority (String)
- cybereason.endpoint_malop.root_cause_element_names_count (String)
- cybereason.endpoint_malop.root_cause_element_type (String)
- cybereason.endpoint_malop.severity (String)
- cybereason.endpoint_malop.signer (String)
- cybereason.endpoint_malop.status (String)
- cybereason.endpoint_malop.total_processes_count (String)
- cybereason.endpoint_malop.command_lines (StringArray)
- cybereason.endpoint_malop.decision_statuses (StringArray)
- cybereason.endpoint_malop.decoded_command_lines (StringArray)
- cybereason.endpoint_malop.descriptions (StringArray)
- cybereason.endpoint_malop.detection_engines (StringArray)
- cybereason.endpoint_malop.detection_types (StringArray)
- cybereason.endpoint_malop.detection_values (StringArray)
- cybereason.endpoint_malop.file_paths (StringArray)
- cybereason.endpoint_malop.files (StringArray)
- cybereason.endpoint_malop.machines.ad_display_name (StringArray)
- cybereason.endpoint_malop.machines.ad_location (StringArray)
- cybereason.endpoint_malop.machines.ad_machine_role (StringArray)
- cybereason.endpoint_malop.machines.ad_ou (StringArray)
- cybereason.endpoint_malop.machines.ad_organization (StringArray)
- cybereason.endpoint_malop.machines.connected (StringArray)
- cybereason.endpoint_malop.machines.display_name (StringArray)
- cybereason.endpoint_malop.machines.guid (StringArray)
- cybereason.endpoint_malop.machines.isolated (StringArray)
- cybereason.endpoint_malop.machines.last_connected (StringArray)
- cybereason.endpoint_malop.machines.os_type (StringArray)
- cybereason.endpoint_malop.machines.pylum_id (StringArray)
- cybereason.endpoint_malop.processes.calculated_user (StringArray)
- cybereason.endpoint_malop.processes.guid (StringArray)
- cybereason.endpoint_malop.processes.owner_machine (StringArray)
- cybereason.endpoint_malop.processes.pid (StringArray)
- cybereason.endpoint_malop.script_detection_types (StringArray)
- cybereason.endpoint_malop.users.ad_company (StringArray)
- cybereason.endpoint_malop.users.ad_display_name (StringArray)
- cybereason.endpoint_malop.users.ad_logon_name (StringArray)
- cybereason.endpoint_malop.users.ad_mail (StringArray)
- cybereason.endpoint_malop.users.ad_primary_group_id (StringArray)
- cybereason.endpoint_malop.users.ad_sam_account_name (StringArray)
- cybereason.endpoint_malop.users.ad_sid (StringArray)
- cybereason.endpoint_malop.users.admin (StringArray)
- cybereason.endpoint_malop.users.guid (StringArray)
Isolate Machine
Isolate a machine or machines involved in a specific Malop.
Inputs
Connection
Server URL (String)
The Cybereason Server instance's URL (e.g. https://[your_instance.]cybereason.net:1234).
Username (String)
The Cybereason User ID.
Password (String)
The Cybereason password for the respective username.
Verify SSL Cert (Boolean, Default: Selected)
Verify the SSL Certificate of the API host during connection.
Configure
Malop ID (String)
The ID of the Malop to use. Commonly referred to as Malop GUID in the Cybereason platform.
Pylum IDs (String)
The unique sensor ID the Cybereason platform uses for the machines to isolate. If you are entering multiple values, add a comma between each sensor ID.
Allows: String, StringArray
Outputs
- cybereason.action (String)
- cybereason.response.status_code (String)
- cybereason.response.error_code (String)
- cybereason.response.error_message (String)
- cybereason.response.json.raw (String)
- cybereason.isolate.pylum_id (StringArray)
- cybereason.isolate.status (StringArray)
List Malops
Retrieve all Malops of every type from a specified time window.
Inputs
Connection
Server URL (String)
The Cybereason Server instance's URL (e.g. https://[your_instance.]cybereason.net:1234).
Username (String)
The Cybereason User ID.
Password (String)
The Cybereason password for the respective username.
Verify SSL Cert (Boolean, Default: Selected)
Verify the SSL Certificate of the API host during connection.
Configure
Start Time (String, Optional, Default: 1 day ago)
The beginning time from which you want to retrieve Malops. If left blank, the default value of 1 day ago will be used. Please use an ISO-8601 format or a relative time format (e.g. 3 hours ago).
End Time (String, Optional, Default: Now)
The end of the time window for which you want to retrieve Malops. If left blank, the default value of now will be used. Please use an ISO-8601 format or a relative time format (e.g. 3 hours ago).
Advanced
Fail on No Results (Boolean, Default: Selected)
If an action would return an empty result, exit with a failure.
Outputs
- cybereason.action (String)
- cybereason.response.status_code (String)
- cybereason.response.error_code (String)
- cybereason.response.error_message (String)
- cybereason.response.json.raw (String)
- cybereason.malops.machine_counter_model.offline_clean_count (String)
- cybereason.malops.machine_counter_model.offline_infected_count (String)
- cybereason.malops.machine_counter_model.online_clean_count (String)
- cybereason.malops.machine_counter_model.online_infected_count (String)
- cybereason.malops.machine_counter_model.total_machines (String)
- cybereason.malops.creation_time (StringArray)
- cybereason.malops.decision_statuses (StringArray)
- cybereason.malops.display_name (StringArray)
- cybereason.malops.edr (StringArray)
- cybereason.malops.escalated (StringArray)
- cybereason.malops.guid (StringArray)
- cybereason.malops.icon_base64 (StringArray)
- cybereason.malops.last_update_time (StringArray)
- cybereason.malops.malop_detection_type (StringArray)
- cybereason.malops.priority (StringArray)
- cybereason.malops.root_cause_element_names_count (StringArray)
- cybereason.malops.root_cause_element_type (StringArray)
- cybereason.malops.severity (StringArray)
- cybereason.malops.status (StringArray)
Remove Indicator Reputation
Remove a custom reputation based on a file hash value (MD5 or SHA1), IP Address, or domain name.
Inputs
Connection
Server URL (String)
The Cybereason Server instance's URL (e.g. https://[your_instance.]cybereason.net:1234).
Username (String)
The Cybereason User ID.
Password (String)
The Cybereason password for the respective username.
Verify SSL Cert (Boolean, Default: Selected)
Verify the SSL Certificate of the API host during connection.
Configure
Indicators (String)
The file hash value (MD5 or SHA1), IP Address, or domain name whose custom reputation to remove.
Allows: String, StringArray, TCEntity, TCEntityArray
Outputs
- cybereason.action (String)
- cybereason.response.status_code (String)
- cybereason.response.error_code (String)
- cybereason.response.error_message (String)
- cybereason.response.json.raw (String)
- cybereason.reputation.outcome (String)
- cybereason.reputation.data (String)
Unisolate Machine
Remove from isolation a machine or machines associated with a Malop.
Inputs
Connection
Server URL (String)
The Cybereason Server instance's URL (e.g. https://[your_instance.]cybereason.net:1234).
Username (String)
The Cybereason User ID.
Password (String)
The Cybereason password for the respective username.
Verify SSL Cert (Boolean, Default: Selected)
Verify the SSL Certificate of the API host during connection.
Configure
Malop ID (String)
The ID of the Malop to use. Commonly referred to as Malop GUID in the Cybereason platform.
Pylum IDs (String)
The unique sensor ID the Cybereason platform uses for the machines to remove from isolation. If you are entering multiple values, add a comma between each sensor ID.
Allows: String, StringArray
Outputs
- cybereason.action (String)
- cybereason.response.status_code (String)
- cybereason.response.error_code (String)
- cybereason.response.error_message (String)
- cybereason.response.json.raw (String)
- cybereason.isolate.pylum_id (StringArray)
- cybereason.unisolate.status (StringArray)
Update Malop Status
Update a Malop's status.
Inputs
Connection
Server URL (String)
The Cybereason Server instance's URL (e.g. https://[your_instance.]cybereason.net:1234).
Username (String)
The Cybereason User ID.
Password (String)
The Cybereason password for the respective username.
Verify SSL Cert (Boolean, Default: Selected)
Verify the SSL Certificate of the API host during connection.
Configure
Malop ID (String)
The ID of the Malop to use. Commonly referred to as Malop GUID in the Cybereason platform.
Malop Status (EditChoice)
Valid Values: -- SELECT --, TODO, CLOSED, UNREAD, FP, OPEN
Outputs
- cybereason.action (String)
- cybereason.response.status_code (String)
- cybereason.response.error_code (String)
- cybereason.response.error_message (String)
- cybereason.response.json.raw (String)
- cybereason.malop.management_status (String)
- cybereason.malop.status (String)
Advanced Request
Inputs
Connection
Server URL (String)
The Cybereason Server instance's URL (e.g. https://[your_instance.]cybereason.net:1234).
Username (String)
The Cybereason User ID.
Password (String)
The Cybereason password for the respective username.
Verify SSL Cert (Boolean, Default: Selected)
Verify the SSL Certificate of the API host during connection.
Configure
API Endpoint/Path (String)
The API endpoint path to request.
HTTP Method (Choice, Default: GET)
HTTP method to use.
Valid Values: GET, POST, DELETE, PUT, HEAD, PATCH, OPTIONS
Query Parameters (KeyValueList, Optional)
Query parameters to append to the URL. For sensitive information like API keys, using variables is recommended to ensure that the Playbook will not export sensitive data.
Allows: String, StringArray
Exclude Empty/Null Parameters (Boolean)
Some API endpoints don't handle null/empty query parameters properly (e.g., ?name=&type=String). If selected, this option excludes any query parameter that has a null/empty value.
Headers (KeyValueList, Optional)
Headers to include in the request. When using Multi-part Form/File data, do not add a Content-Type header. For sensitive information like API keys, using variables is recommended to ensure that the Playbook will not export sensitive data.
Body (String, Optional)
Content of the HTTP request.
Allows: String, Binary
URL Encode JSON Body (Boolean)
URL encode a JSON-formatted body. Typically used for 'x-www-form-urlencoded' data, where the data can be configured in the body as a JSON string.
Fail for Status (Boolean, Default: Selected)
Fail if the response status code is 4XX - 5XX.
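As an added example, not the app's own code, this Python models how the Configure options above shape a request: empty query parameters are dropped when Exclude Empty/Null Parameters is selected, a JSON-string body is converted to x-www-form-urlencoded form when URL Encode JSON Body is selected, and Fail for Status is evaluated on the response code. Function names and the sample server URL and paths are constructed for illustration.

```python
import json
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urljoin

# Added example, not the app's code: models the request-building options of
# the Advanced Request action (empty-parameter exclusion, URL-encoded JSON
# body, Fail for Status). Server URL and paths used in tests are constructed.

HTTP_METHODS = ("GET", "POST", "DELETE", "PUT", "HEAD", "PATCH", "OPTIONS")


def build_query(params: Dict[str, Optional[str]], exclude_empty: bool) -> str:
    """Encode the query string; with exclude_empty, keys whose value is None
    or "" are dropped, so ?name=&type=String becomes ?type=String."""
    kept = {k: v for k, v in params.items()
            if not (exclude_empty and (v is None or v == ""))}
    # Without exclusion, a None value is still sent as an empty value.
    return urlencode({k: ("" if v is None else v) for k, v in kept.items()})


def build_request(server_url: str, path: str, method: str = "GET",
                  params: Optional[Dict[str, Optional[str]]] = None,
                  exclude_empty: bool = False, body: Optional[str] = None,
                  url_encode_json_body: bool = False) -> Tuple[str, str, Optional[str]]:
    """Assemble (method, url, body) the way the action's inputs describe."""
    if method not in HTTP_METHODS:
        raise ValueError(f"unsupported HTTP method: {method}")
    # Join Server URL and API Endpoint/Path regardless of slashes on either side.
    url = urljoin(server_url.rstrip("/") + "/", path.lstrip("/"))
    query = build_query(params or {}, exclude_empty)
    if query:
        url = f"{url}?{query}"
    if body is not None and url_encode_json_body:
        # A JSON object string such as {"user": "a", "pw": "b"} becomes user=a&pw=b
        decoded = json.loads(body)
        if not isinstance(decoded, dict):
            raise ValueError("URL Encode JSON Body requires a JSON object")
        body = urlencode(decoded)
    return method, url, body


def fail_for_status(status_code: int, fail: bool = True) -> bool:
    """True when the action should fail: Fail for Status is selected and the
    response status code is in the 4XX-5XX range."""
    return fail and 400 <= status_code <= 599
```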
Outputs
- cybereason.request.content (String)
- cybereason.request.content.binary (Binary)
- cybereason.request.headers (String)
- cybereason.request.ok (String)
- cybereason.request.reason (String)
- cybereason.request.status_code (String)
- cybereason.request.url (String)
Labels
- block, edr, endpoint, isolate, malop, quarantine