Skip to content

Cybereason EDR

Cybereason EDR

About

The Cybereason XDR Platform moves beyond endless alerting to instead recognize, expose, and end malicious operations before they take hold. The result: Defenders can end attacks in minutes.

Product Details

Vendor URL: Cybereason EDR

Product Type: Endpoint Detection and Response

Product Tier: Tier I

Integration Method: Custom

Integration URL: Cybereason EDR - Cyderes Documentation

Log Guide: N/A

Parser Details

Log Format: JSON

Expected Normalization Rate: 95%

Data Label: CYBEREASON_EDR

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
description ioc.description
description metadata.description
description security_result.summary
detectionEngine principal.application
detectionEngine security_result.description
detectionValue security_result.threat_id
detectionValueType security_result.description
detectionValueType security_result.threat_name
direction network.direction
domain security_result.about.administrative_domain
domainName target.administrative_domain
elementDisplayName security_result.about.registry.registry_value_name
elementDisplayName security_result.description
extendedDisplayId security_result.about.user.user_display_name
file target.process.file.full_path
filePath target.file.full_path
guid metadata.product_log_id
id.malwareType security_result.summary
local_ip principal.ip
localAddressString principal.ip
machineName principal.hostname
machineName target.hostname
maliciousClassification security_result.severity_details
malop_connection.elementValues.domainName.elementValues.0.name ioc.domain_and_ports.domain
malop_connection.elementValues.ownerMachine.elementValues.0.name ioc.feed_name
malop_connection.elementValues.ownerMachine.elementValues.0.name principal.hostname
malop_connection.elementValues.ownerProcess.elementValues.0.guid principal.process.product_specific_process_id
malop_connection.elementValues.ownerProcess.elementValues.0.name target.file.full_path
malop_connection.elementValues.ownerProcess.user.elementValues.0.guid principal.user.userid
malop_connection.elementValues.ownerProcess.user.elementValues.0.name principal.user.user_display_name
malop_connection.elementValues.remoteAddress.elementValues.0.name target.ip
malop_connection.guidString metadata.product_log_id
malop_connection.simpleValues.localPort.values.0 principal.port
malop_connection.simpleValues.receivedBytesCount.values.0 network.received_bytes
malop_connection.simpleValues.remoteAddressCountryName.values.0 target.location.country_or_region
malop_connection.simpleValues.remotePort.values.0 target.port
malop_connection.simpleValues.transmittedBytesCount.values.0 network.sent_bytes
malop_connection.simpleValues.transportProtocol.values.0 network.ip_protocol
malop_data.malopPriority security_result.priority
malop_data.simpleValues.detectionType.values.0 security_result.threat_name
malop_data.simpleValues.elementDisplayName.values.0 metadata.product_event_type
malop_process.elementValues.calculatedUser.elementValues.0.guid principal.user.userid
malop_process.elementValues.calculatedUser.elementValues.0.name principal.user.user_display_name
malop_process.elementValues.ownerMachine.elementValues.0.name principal.hostname
malop_process.elementValues.parentProcess.elementValues.0.guid principal.process.product_specific_parent_process_id
malop_process.elementValues.self.elementValues.0.guid principal.process.product_specific_process_id
malop_process.elementValues.self.elementValues.0.guid target.process.pid
malop_process.guidString metadata.product_log_id
malop_process.simpleValues.calculatedName.values.0 principal.process.file.full_path
malop_process.simpleValues.calculatedName.values.0 target.file.full_path
malop_process.simpleValues.calculatedName.values.0 target.process.file.full_path
malop_process.simpleValues.commandLine.values.0 principal.process.command_line
malop_process.simpleValues.imageFile.md5String.values.0 target.file.md5
malop_process.simpleValues.imageFile.sha1String.values.0 target.file.sha1
malop_severity ioc.raw_severity
malop_severity security_result.severity
malop_status security_result.description
malop_url metadata.url_back_to_product
malop_url security_result.url_back_to_product
malop_url target.url
malop_user.simpleValues.passwordAgeDays.values.0 security_result.description
malop_user.simpleValues.privileges.values.0 security_result.description
malwareDataModel.detectionName security_result.rule_name
malwareDataModel.filePath principal.process.command_line
malwareDataModel.filePath target.process.file.full_path
malwareDataModel.processName principal.process.file.full_path
name principal.process.file.full_path
name security_result.about.registry.registry_key
name security_result.summary
name security_result.threat_name
name target.file.full_path
needsAttention security_result.threat_status
ownerMachine principal.hostname
path security_result.about.file.full_path
portType network.application_protocol
processName principal.process.file.full_path
receivedBytesCount network.received_bytes
recordType metadata.product_event_type
remoteAddressCountryName target.location.country_or_region
remotePort target.port
score security_result.about.investigation.severity_score
self observer.hostname
serverAddress target.ip
servicePort principal.port
sizeOfImage target.file.size
sourceDomain principal.administrative_domain
state metadata.product_event_type
state security_result.summary
status security_result.about.investigation.comments
targetIpAddress target.ip
timestamp metadata.event_timestamp
transmittedBytesCount network.sent_bytes
transportProtocol network.ip_protocol
type metadata.product_event_type
user principal.user.userid
username principal.user.user_display_name
value security_result.about.registry.registry_value_data

Product Event Types

event_type, type needsAttention, status, is_alert UDM Event Type Security Result Category alerting
all other events GENERIC_EVENT
malop SOFTWARE_MALICIOUS
MALWARE SCAN_HOST
Malware SCAN_HOST
NETWORK_CONNECTION NETWORK_CONNECTION
PROCESS_OPEN PROCESS_OPEN
Detected TRUE
Prevented TRUE
TRUE TRUE

Log Sample

{"detectionEngine":"Script","detectionValue":"amsi_as_pastebin","detectionValueType":"DVT_SIGNATURE","elementType":"Process","guid":"194560-10150662","id":{"elementType":"Process","guid":"194560-10150662","malwareType":"FilelessMalware","timestamp":1646479827420},"machineName":"Hostname1","malwareDataModel":{"@class":".FilelessMalwareDataModel","description":"EXECUTE_MALICIOUS_ACTIVITY","detectionRule":"amsi_as_pastebin","module":"amsi_as_pastebin","processName":"cscript.exe","url":null},"name":"SDT_PS_EXECUTE_MALICIOUS_ACTIVITY","needsAttention":false,"referenceElementType":"Process","referenceGuid":"194560-10150662","schedulerScan":false,"score":null,"status":"Prevented","timestamp":1646479827420,"type":"FilelessMalware"}

Sample Parsing

metadata.product_log_id = "194560-10150662"
metadata.event_timestamp = "2022-03-05T11:30:27Z"
metadata.event_type = "SCAN_HOST"
metadata.vendor_name = "Cybereason"
metadata.product_name = "Cybereason EDR"
metadata.product_event_type = "FilelessMalware"
metadata.ingested_timestamp = "2022-03-05T11:48:02.804128Z"
principal.hostname = "Hostname1"
principal.process.file.full_path = "cscript.exe"
principal.application = "Script"
principal.asset.hostname = "Hostname1"
security_result.about.investigation.comments = "Prevented"
security_result.threat_name = "SDT_PS_EXECUTE_MALICIOUS_ACTIVITY"
security_result.summary = "FilelessMalware"
security_result.description = "DVT_SIGNATURE"
security_result.severity = "HIGH"
security_result.confidence = "HIGH_CONFIDENCE"
security_result.priority = "HIGH_PRIORITY"
security_result.threat_id = "amsi_as_pastebin"
security_result.threat_status = "CLEARED"
security_result.alert_state = "ALERTING"

Parser Alerting

Alerting criteria is listed in the Product Event Types table above.