CMC Engine
The Cross Machine Correlation (CMC) Engine correlates millions of events from endpoint sensors on your organization’s machines. The CMC Engine then applies behavioral analysis and advanced detection rules to discover malicious behavior and clearly present the attack story to security analysts. This automatic correlation removes the need for time-consuming manual data analysis.
In this topic:
How does the CMC Engine work?
The CMC Engine is the core EDR component of the Cybereason platform Detection servers. Sensors on your organization’s endpoints continuously send real-time activity data to the CMC Engine. The CMC Engine includes an in-memory graph that represents all endpoint activity, including (but not limited to):
Processes
Files
Users
Connections
Services
Logon sessions
Activity investigation in the CMC
After processing the data and events received from all sensors, the CMC engine attempts to analyze events happening on your organization’s machines. This includes examining the activity based on a number of criteria.
After processing the data and events received from all sensors, the CMC Engine analyzes events on your organization’s machines by asking sets of questions, such as:
Was the event/behavior identified as malicious in the past?
Is this a common activity in the organization?
Which user executed this process?
What privileges does the user have?
Does the behavior exhibit similarities to malicious attack techniques?
The CMC Engine bases its numerous questions and criteria on proprietary Cybereason detection rules and techniques. The questions and criteria help the CMC engine determine whether an event or behavior is malicious or benign.
See Fact to MalOp for more details on the process of Malop discovery.