
Cybereason MalOp

Overview

Cybereason offers a set of Endpoint Detection and Response (EDR) solutions. Through the Cybereason platform, all suspicious operations are gathered into MalOps, multi-stage visualizations of device activities.

The following information is available in MalOp activities:

  • the list of affected machines
  • the list of affected users
  • all suspicious network connections
  • all suspicious executions

Event Categories

The following table lists the data sources offered by this integration.

| Data Source | Description |
| --- | --- |
| Application logs | The Cybereason MalOps platform provides MalOp activities |

In detail, the following table denotes the types of events produced by this integration.

| Name | Values |
| --- | --- |
| Kind | `` |
| Category | `` |
| Type | info |

Event Samples

Find below a few samples of events and how they are normalized by SEKOIA.IO.

{
    "@timestamp": "2021-08-20T22:53:27.043000Z",
    "message": "CEF:0|Cybereason|Cybereason|1.0|5|Malop Connection Added|5|CybereasonCEFgeneratorBatchId1=58bc2665-b22f-4345-bd90-3f84be47c8b6 cs1=11.1323449861766643222 CybereasonCEFgeneratorcountry1Name=None dst=3.226.77.3 dpt=443 rt=1629500007043 cs1Label=MalopId",
    "observer": {
        "vendor": "Cybereason",
        "product": "Cybereason",
        "version": "1.0"
    },
    "destination": {
        "ip": "3.226.77.3",
        "port": 443
    },
    "event": {
        "severity": 5,
        "code": "5",
        "kind": "event",
        "type": "info",
        "category": [
            "session"
        ],
        "action": "Malop Connection Added"
    },
    "cybereason": {
        "event": {
            "id": "58bc2665-b22f-4345-bd90-3f84be47c8b6"
        },
        "malop": {
            "id": "11.1323449861766643222"
        },
        "cef": {
            "version": "0"
        }
    }
}
{
    "@timestamp": "2021-08-23T06:53:42.409000Z",
    "message": "CEF:0|Cybereason|Cybereason|1.0|1|Malop Created|5|rt=1629701622409 deviceCustomDate1=1636629776184 deviceFacility=Under Investigation CybereasonCEFgeneratorBatchId1=078e369b-ea4e-4e98-bc0d-ee71fd40d19d cs1=11.4718101284717793977 cs2=EXTENSION_MANIPULATION cs3=MALICIOUS_INFECTION cs5=maliciousByDualExtensionByFileRootCause cn1=1 cs6=https://yourserver.cybereason.net:8443//#/malop/11.4718101284717793977 cn2=1 cs4=bb9dbdca921d84381c893086f65ffca17120b23d requestContext=flashget3.7.0.1220en.pdf.exe, which has an unknown reputation, has dual extensions, which is hiding the true nature of the process. cs1Label=MalopId cs2Label=MalopDetectionType cs3Label=MalopActivityType cs4Label=MalopHashList cs5Label=DecisionFeatures cs6Label=IncidentLink cn1Label=AffectedMachinesCount cn2Label=AffectedUsersCount cn3Label=isSigned deviceCustomDate1Label=ModifiedTime",
    "observer": {
        "vendor": "Cybereason",
        "product": "Cybereason",
        "version": "1.0"
    },
    "event": {
        "severity": 5,
        "code": "1",
        "kind": "alert",
        "type": "info",
        "category": [
            "malware"
        ],
        "action": "Malop Created",
        "reason": "flashget3.7.0.1220en.pdf.exe, which has an unknown reputation, has dual extensions, which is hiding the true nature of the process.",
        "url": "https://yourserver.cybereason.net:8443//#/malop/11.4718101284717793977"
    },
    "file": {
        "hash": {
            "sha1": "bb9dbdca921d84381c893086f65ffca17120b23d"
        }
    },
    "cybereason": {
        "event": {
            "id": "078e369b-ea4e-4e98-bc0d-ee71fd40d19d"
        },
        "malop": {
            "id": "11.4718101284717793977",
            "status": "Under Investigation",
            "modified_at": "2021-11-11T11:22:56.184000Z",
            "detection": {
                "type": "EXTENSION_MANIPULATION"
            },
            "activity": {
                "type": "MALICIOUS_INFECTION"
            },
            "decision": "maliciousByDualExtensionByFileRootCause",
            "counters": {
                "affected_machines": 1,
                "affected_users": 1
            }
        },
        "cef": {
            "version": "0"
        }
    }
}
{
    "@timestamp": "2021-07-08T12:48:29.151000Z",
    "message": "CEF:0|Cybereason|Cybereason|1.0|3|Malop Machine Added|5|destinationDnsDomain=desktop-aas6kq7 dst=10.0.2.15 destinationTranslatedAddress=117.99.232.147 CybereasonCEFgeneratorBatchId1=2ac124fd-def2-4073-b408-d3b3f0e764b0 cs1=11.-6654920844431693523 flexString2=True dhost=desktop-aas6kq7 CybereasonCEFgeneratorOSandVersion1=Windows_10 CybereasonCEFgeneratorMachineGuid1=-592942600.1198775089551518743 cfp3=1 rt=1625748509151 cfp2=1 cs1Label=MalopId flexString2Label=isMalicious cfp2Label=isOnline cfp3Label=isOriginalMachine request=\"C:\\\\Users\\\\chand\\\\Downloads\\\\BT_21.40.5_32_Win7.pdf.exe\" deviceProcessName=explorer.exe CybereasonCEFgeneratorChildProcess1=None",
    "observer": {
        "vendor": "Cybereason",
        "product": "Cybereason",
        "version": "1.0"
    },
    "event": {
        "severity": 5,
        "code": "3",
        "kind": "event",
        "type": "info",
        "category": [
            "intrusion_detection"
        ],
        "action": "Malop Machine Added"
    },
    "destination": {
        "ip": "10.0.2.15",
        "nat": {
            "ip": "117.99.232.147"
        }
    },
    "host": {
        "hostname": "desktop-aas6kq7",
        "ip": [
            "10.0.2.15",
            "117.99.232.147"
        ],
        "id": "-592942600.1198775089551518743",
        "os": {
            "full": "Windows 10"
        }
    },
    "process": {
        "command_line": "C:\\Users\\chand\\Downloads\\BT_21.40.5_32_Win7.pdf.exe",
        "parent": {
            "name": "explorer.exe"
        }
    },
    "cybereason": {
        "event": {
            "id": "2ac124fd-def2-4073-b408-d3b3f0e764b0"
        },
        "malop": {
            "id": "11.-6654920844431693523",
            "host": {
                "is_online": true,
                "is_malicious": true,
                "is_original_machine": true
            }
        },
        "cef": {
            "version": "0"
        }
    }
}
{
    "@timestamp": "2021-08-23T06:38:02.928000Z",
    "message": "CEF:0|Cybereason|Cybereason|1.0|2|Malop Process Added|5|CybereasonCEFgeneratorBatchId1=2ac124fd-def2-4073-b408-d3b3f0e764b0 cs1=11.-6654920844431693523 cs4=76030baf8e80653b883474f56c06164c33417ece request=\"C:\\\\Users\\\\chand\\\\Downloads\\\\BT_21.40.5_32_Win7.pdf.exe\" flexString2=True cn3=1 reason=indifferent rt=1629700682928 cs1Label=MalopId flexString2Label=isMalicious cs4Label=processSha1 cn3Label=isSigned",
    "observer": {
        "vendor": "Cybereason",
        "product": "Cybereason",
        "version": "1.0"
    },
    "event": {
        "severity": 5,
        "code": "2",
        "kind": "event",
        "type": "info",
        "category": [
            "intrusion_detection"
        ],
        "action": "Malop Process Added"
    },
    "file": {
        "hash": {
            "sha1": "76030baf8e80653b883474f56c06164c33417ece"
        }
    },
    "process": {
        "command_line": "C:\\Users\\chand\\Downloads\\BT_21.40.5_32_Win7.pdf.exe",
        "start": "2021-08-23T06:38:02.928000Z"
    },
    "cybereason": {
        "event": {
            "id": "2ac124fd-def2-4073-b408-d3b3f0e764b0"
        },
        "malop": {
            "id": "11.-6654920844431693523",
            "host": {
                "is_malicious": true
            },
            "file": {
                "is_signed": true
            }
        },
        "cef": {
            "version": "0"
        }
    }
}
{
    "message": "CEF:0|Cybereason|Cybereason|1.0|6|Malop User Added|5|CybereasonCEFgeneratorBatchId1=2ac124fd-def2-4073-b408-d3b3f0e764b0 cs1=11.-6654920844431693523 dpriv=None dhost=desktop-aas6kq7 CybereasonCEFgeneratorOrganizationName1=INTEGRATION duser=system cs1Label=MalopId",
    "observer": {
        "vendor": "Cybereason",
        "product": "Cybereason",
        "version": "1.0"
    },
    "event": {
        "severity": 5,
        "code": "6",
        "kind": "event",
        "type": "info",
        "category": [
            "intrusion_detection"
        ],
        "action": "Malop User Added"
    },
    "user": {
        "name": "system",
        "domain": "INTEGRATION"
    },
    "host": {
        "hostname": "desktop-aas6kq7"
    },
    "cybereason": {
        "event": {
            "id": "2ac124fd-def2-4073-b408-d3b3f0e764b0"
        },
        "malop": {
            "id": "11.-6654920844431693523"
        },
        "cef": {
            "version": "0"
        }
    }
}
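To make the normalization above concrete, here is an added Python parser (it is not SEKOIA.IO's parser nor Cybereason's code) that turns one of the CEF lines above into the dotted ECS-style field names listed under Extracted Fields: it splits the seven-field CEF header, resolves custom-field labels (`cs1Label=MalopId` renames `cs1`), converts the epoch-millisecond `rt` value into the `@timestamp` form shown in the samples and undoes CEF backslash escaping on paths. The `event.kind` / `event.category` mapping per signature id is inferred from the samples on this page and is an assumption, as is the subset of keys mapped.

```python
import re
from datetime import datetime, timedelta, timezone

# event.kind / event.category per CEF signature id, as inferred from the samples above (assumption)
KIND_BY_CODE = {"1": ("alert", "malware"), "5": ("event", "session"), "2": ("event", "intrusion_detection"),
                "3": ("event", "intrusion_detection"), "6": ("event", "intrusion_detection")}
# where each (label-resolved) extension key lands in the normalized document (a subset)
FIELD_BY_KEY = {"rt": "@timestamp", "dst": "destination.ip", "dpt": "destination.port",
                "dhost": "host.hostname", "duser": "user.name", "request": "process.command_line",
                "requestContext": "event.reason", "deviceFacility": "cybereason.malop.status",
                "MalopId": "cybereason.malop.id", "CybereasonCEFgeneratorBatchId1": "cybereason.event.id",
                "MalopHashList": "file.hash.sha1", "processSha1": "file.hash.sha1",
                "ModifiedTime": "cybereason.malop.modified_at"}
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # values may contain spaces (see requestContext)

def epoch_ms_to_iso(ms):  # Cybereason sends epoch milliseconds; render them like the @timestamp values above
    stamp = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=int(ms))
    return stamp.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
CONVERT = {"rt": epoch_ms_to_iso, "ModifiedTime": epoch_ms_to_iso, "dpt": int}  # typed fields

def parse_extension(ext):
    """Split 'k=v k=v' and resolve CEF custom-field labels (cs1Label=MalopId renames cs1)."""
    raw = dict(_KV.findall(ext))
    fields = {}
    for key, value in raw.items():
        if not key.endswith("Label"):
            # CEF doubles backslashes and wraps paths in double quotes; undo both
            fields[raw.get(key + "Label", key)] = value.strip('"').replace("\\\\", "\\")
    return fields

def normalize(message):
    """Flatten one MalOp CEF line into dotted ECS-style field names."""
    parts = message.split("|", 7)  # assumes no escaped '\|' inside the seven header fields
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    cef_version, vendor, product, version, code, name, severity, ext = parts
    kind, category = KIND_BY_CODE.get(code, ("event", None))
    doc = {"cybereason.cef.version": cef_version[4:], "observer.vendor": vendor,
           "observer.product": product, "observer.version": version, "event.code": code,
           "event.action": name, "event.severity": int(severity), "event.type": "info",
           "event.kind": kind, "event.category": [category] if category else []}
    for key, value in parse_extension(ext).items():
        if key in FIELD_BY_KEY:
            doc[FIELD_BY_KEY[key]] = CONVERT.get(key, str)(value)
    return doc
# constructed copy of the "Malop Connection Added" sample above, for a stand-alone run
SAMPLE = ("CEF:0|Cybereason|Cybereason|1.0|5|Malop Connection Added|5|CybereasonCEFgeneratorBatchId1="
          "58bc2665-b22f-4345-bd90-3f84be47c8b6 cs1=11.1323449861766643222 dst=3.226.77.3 dpt=443 "
          "rt=1629500007043 cs1Label=MalopId")
```

`normalize(SAMPLE)` yields the flat counterpart of the first sample; a line whose header does not have seven `|`-separated fields is rejected rather than partially indexed.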

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.

| Name | Type | Description |
| --- | --- | --- |
| @timestamp | date | Date/time when the event originated. |
| cybereason.cef.version | keyword | None |
| cybereason.event.id | keyword | None |
| cybereason.malop.activity.type | keyword | None |
| cybereason.malop.counters.affected_machines | float | None |
| cybereason.malop.counters.affected_users | float | None |
| cybereason.malop.decision | text | None |
| cybereason.malop.detection.type | keyword | None |
| cybereason.malop.file.is_signed | boolean | None |
| cybereason.malop.host.is_malicious | boolean | None |
| cybereason.malop.host.is_online | boolean | None |
| cybereason.malop.host.is_original_machine | boolean | None |
| cybereason.malop.id | keyword | None |
| cybereason.malop.modified_at | text | None |
| cybereason.malop.status | keyword | None |
| destination.geo.country_name | keyword | Country name. |
| destination.ip | ip | IP address of the destination. |
| destination.nat.ip | ip | Destination NAT IP. |
| destination.port | long | Port of the destination. |
| event.action | keyword | The action captured by the event. |
| event.code | keyword | Identification code for this event. |
| event.reason | keyword | Reason why this event happened, according to the source. |
| event.severity | long | Numeric severity of the event. |
| event.type | keyword | Event type. The third categorization field in the hierarchy. |
| event.url | keyword | Event investigation URL. |
| file.hash.sha1 | keyword | SHA1 hash. |
| host.hostname | keyword | Hostname of the host. |
| host.id | keyword | Unique host id. |
| host.ip | ip | Host IP addresses. |
| host.os.full | keyword | Operating system name, including the version or code name. |
| observer.product | keyword | The product name of the observer. |
| observer.vendor | keyword | Vendor name of the observer. |
| observer.version | keyword | Observer version. |
| process.command_line | wildcard | Full command line that started the process. |
| process.name | keyword | Process name. |
| process.parent.name | keyword | Process name. |
| process.start | date | The time the process started. |
| user.domain | keyword | Name of the directory the user is a member of. |
| user.name | keyword | Short name or login of the user. |

Configure

This setup guide shows how to forward all MalOp activities to SEKOIA.IO.

Create your intake

On SEKOIA.IO, go to the Intakes page and generate a new intake with the Cybereason MalOp format. Keep the intake key at hand.

Set up the Syslog collector

Check the Rsyslog Transport documentation to install and set up the syslog collector.

Set up the Cybereason CEF Forwarder

Contact the Cybereason Customer Success Manager to get the Cybereason CEF Forwarder.

Connect to the Cybereason Partner Nest and follow these instructions for the installation of the CEF forwarder.

Create a new configuration to forward MalOp activities to the syslog collector: fill in the host and port fields with the address and the listening port of the syslog collector.

Start the forwarding

Start the CEF Forwarder with your new configuration:

$ cybereason-forwarders/scripts/run_forwarder.sh config/<my new configuration>.json

Enjoy your events

Go to the Events page and wait for your incoming events!
