Endpoint Data Collection

Cybereason sensors collect data about the events and operations occurring on each endpoint throughout your organization to aid in identifying patterns of malicious behavior. The platform analyzes this data to discover potentially or definitely malicious behavior. Many of these data collections are available out-of-the-box without additional configuration, while other collections require additional configuration through Technical Support. For details on those collections not available by default, see Features Disabled by Default.

Data retention

By default, the Cybereason platform retains MalOp core data for one year and MalOp triage data for 30 days. MalOp core data includes the key points in the MalOp, visible in the Malops management screen. MalOp triage data includes all data related to the attack, so that security analysts can triage and investigate efficiently, scope the attack, and remediate quickly. MalOp triage data includes the timeframe and Element relations, such as a Parent process, Child process, File events, and so forth.

In addition, to assist with data storage and availability for all collected events and operations, Cybereason offers multiple extended data retention packages for telemetry data (non-malicious data collected from endpoint sensors and sent to the Detection servers). Contact your Customer Success Manager to learn more about these data retention packages.

Collected System-Level data

Cybereason sensors collect the following system-level data:

Note

OS support varies between system-level data collections. For details on the supported operating systems for each collection, see Endpoint machine data collection features.

Data Type | Description | Information Collected

Connections

Any connection opened on a machine.

  • Connection properties, including address/port, direction, connection origin, and connection state

  • Data transmitted, both received bytes and transmitted bytes

  • Creation time, end time, and the first time the connection was seen by Cybereason

  • Remote port or server address and port used by the connection

  • Transport protocol

  • Machines and processes involved in the connection

  • DNS query and domains in the connection

  • Proxies utilized by the connection

When the Deep Packet Inspection (DPI) collection is enabled, collection information also includes:

  • URL domains requested for a given connection

DNS query (all types)

Requests to resolve a domain name or an address. The following query types are collected:

  • Resolved Domain-to-Domain

  • Resolved Domain-to-IP

  • Resolved IP-to-Domain

  • Unresolved to Domain

  • Unresolved to IP

DNS queries are also referred to as Domain request and response. Collected information includes:

  • Source and target domains

  • The resolving server for the DNS request and resolution status

  • Record type for the DNS request

  • TTL range for the DNS query resolution

  • Error codes sent for unresolved DNS queries

Drivers

All drivers currently installed on the machine.

  • Driver properties, including name, path, hash value, version, and size

  • Creation time

  • File associated with the driver

  • Machine name on which the driver is found

  • Services associated with the driver

Files

Details about the file, its properties, internal details, and behavior.

  • Properties, including name, path, size, file type, file version, extension types

  • Description information from file metadata, including description, product name and title for the program that created the file, product type and version, company name, internal file name, legal copyright, legal trademarks, private build markers, special build markers, and comments added to the file

  • Hash values (MD5, SHA-1, and SHA-256 values)

  • Signatures (both MD5 and SHA1) and signer details

  • Creation and end times of the file and the last time the file was modified

  • Download details, including the email address of the person sending the file, email message ID, email subject of the email containing the file, or the URL from which the file was downloaded

  • Machine name on which the file is found

  • Original file name and file version if a file is quarantined

  • Scan information and remediation status

  • Security user ID for the user opening the file

File events

CREATE, RENAME, and DELETE operations on files.

  • Event type

  • The first time Cybereason collected the file event

  • The file on which the file event is performed

  • The machine on which the file event occurs

  • The process that performed the file event

  • The user currently logged into the machine on which the file event occurs

Hosts file

Entries on a specific machine that map IP addresses or domain names to other names.

  • The number of entries in the file

  • The machine name on which the hosts file is found

  • DNS entries in the hosts file

IP Address

IP addresses for connections.

  • The numerical address

  • Physical location information, including city, country name and code, region, and latitude/longitude

  • The IP version

  • The name of the machine to which the IP address belongs

  • Related DHCP and network interfaces

IP Range Scans

IP addresses retrieved from a scan process.

  • The range of IP addresses

  • The creation time of the scan

  • The process performing the scan

Listening Connection

Any listening connection opened on a machine.

  • Local address and port used by the connection

  • Transport protocol the connection uses

  • Address type the connection uses

  • End time for the connection

  • Machine name on which the listening connection is found

  • Owner process for the listening connection

Local Network

Information on the local network.

  • Address details, including the gateway IP, gateway MAC address and MAC address format

  • DHCP and DNS server addresses

  • Machine name on which the local network is found

  • Default search domain for the network

  • Wifi SSID

  • IP ranges on the local network

Logon Sessions

Details for logon sessions.

  • Session IP

  • Session UID

  • Source IP

  • Windows logon details for the session

  • Logon application and type used to log on to the session

  • Creation and end time and the last time the logon session was seen by Cybereason

  • Machines involved in the logon session

  • Remote machine or remote network machine names involved in the session

  • Client logon sessions associated with this logon session

  • Processes opened in the logon session

  • User who opened the logon session

Machine

Machine details

  • Machine properties, including name and FQDN, model, machine type, operating system type, platform, and organization

  • Last time the machine was seen by Cybereason and last connection time

  • Performance statistics, including CPU count, total and free disk space, and free memory

  • First active user on the machine

  • Hash value of the Master Boot Record

  • Processes running on the machine

  • Users logged into the machine

  • Services running on the machine

  • Removable devices and mount points connected to the machine

  • Device model and serial number (on macOS machines in versions 23.1.44 and later)

Modules

All modules running on the machine.

  • Module properties including module name, size, hash value, and address

  • Allocated protection for the module

  • Header allocated size

  • Header protection

  • End time for the module

  • File associated with the module

  • Machine on which the module is found

  • Modules found in the operating system standard load database

  • Registry keys associated with the module

  • Address to which the module was loaded

Mount Points

Associated mount points.

  • Mount point properties, including drive/volume name, device name, and mount point type

  • Source of the mount point

  • Creation time and end time for the mount point

  • Machine on which the mount point is found

  • User and user credentials used to create the mount point

  • The files associated with the mount point

Network Interface

Information on the network interface.

  • Interface ID

  • Address details including gateway IP and internal IP

  • MAC address format

  • Related server information for the interface’s DHCP and DNS servers

  • IP addresses associated with the network interface

  • End time of the interface

  • Transaction statistics for the interface

  • Network interface flags

  • Machine name on which the interface is found

  • Proxies used by the interface

  • Local networks using the interface

Network Machine

Information on the network machine.

  • Host name

  • Domain FQDN

Processes

Short-lived and long-lived process information. On Linux machines, these processes may display as aggregated processes.

  • Process properties, including ID, file hash, state, functions, path, integrity, CPU/memory usage, RWX sections, and hidden process status

  • Process hierarchy

  • Creation and end time, and the first and last time seen by Cybereason

  • User and machine information about the process

  • Connections (with IP address/domain name) that the process opens, connection source, data transmitted by the process, and download information

  • Files opened by the process and file events performed on these files

  • Process command line

  • Modules associated and loaded by the process

  • Process injection details, including Thread IDs and count, and injected processes or threads and the injection method

  • Details on the process image file, including hash value, extension, path, and signature

  • WMI details, including the source of the WMI activity, cause, queries used, and WMI persistent objects created

  • Windows opened by the process

  • Details on what the process has downloaded

  • Changes in the input or output used by the process (in versions 23.2.8X and later)

Proxy

All proxies configured on the machine.

  • IP address for the proxy

  • URL for the proxy PAC file

  • Port the proxy uses

  • Host name

  • Discovery type used for the proxy

Quarantine File

The version of a file after it has been quarantined by the Cybereason platform.

  • MD5 and SHA1 hash values for the file

  • Original file name

  • Creation time of the quarantined file (not the original file)

Registry Entry

Specific registry keys associated with autoruns.

  • Registry key for this entry

  • Value of the registry entry

  • End time of the entry

  • Machine name on which this entry is found

Registry Events

Events on the registry keys that you specify.

  • Registry key associated with this registry event

  • Path to the registry key

  • Data and data type in the registry key

  • Process and machine for the registry key associated with the registry events

Remote Logon Sessions

Information on remote logon sessions.

  • Authentication protocol used for the remote session

  • Client machine, client machine user, and client remote session

  • Server machine and logon session

  • First time the remote session was detected by Cybereason

  • Resource type for the remote session

  • User that started the remote session

  • Processes opened during the remote session

Remote Procedure Calls

Information about select Remote Procedure Call (RPC) operations associated with the machine (in the MS-RPC Element).

  • Authentication level used by the RPC operation

  • Authentication service used by the RPC operation

  • Target port and target IP address for the RPC operation

  • Source for the RPC operation

  • Impersonation level for the RPC operation

  • UUID and unique operation number generated by the machine for the RPC operation

  • Protocol used by the RPC operation

  • Process that created the RPC operation

  • Machine on which the RPC operation ran

Scheduled Task

Information on scheduled tasks.

  • User who created the scheduled task and the last user to update the task

  • Scheduled task state

  • Task status

  • Last time the task was run

  • Machine name on which the scheduled task is found

Scheduled Task Actions

Information on scheduled task actions.

  • Action arguments

  • Path to the scheduled task for the action

  • File associated with the scheduled task action

Service

All services currently running on a machine.

  • Service properties including service state and sub-state, service type, and service characteristics

  • Login name used by the service when it runs

  • Binary file associated with the service

  • Command line used by the program that runs the service

  • Unit file path for the file associated with the service

  • System process status for the process associated with the service

  • Process that created the service

  • Machine on which the service is running

  • Drivers associated with the service

  • End time for the service

Users

Information on all users.

  • User properties, including user name and organization, domain, and privilege levels

  • Security identifier (SID)

  • Last login time

  • Number of days since a password change

  • Machine names and the number of machines the user is logged into

  • Processes the user is running

  • Number of downloaded processes

WMI Activity

Information on both local WMI activity and remote WMI activity. While this information is collected separately from other Elements, the WMI activity is reported under Process activity details.

  • Operation that created the WMI activity

  • Source of the WMI activity

  • Creation time for the WMI activity

  • WMI client information, including the IP address, machine name, and process creating the WMI activity

  • Executed processes and server processes in the context of the WMI activity

  • WMI persistent objects created by the WMI activity

  • WMI queries used in the context of the WMI activity

WMI Persistent Objects

Information on WMI persistent objects.

  • WMI client information, including the IP address, machine name, and process creating the WMI activity

  • Persistent object consumer details, including the consumer name, action, file path, and image file

  • Process that created the object

  • Filter details

  • Machine name on which the WMI Persistent object is found

The Cybereason platform collects data in all languages. The data is displayed according to the endpoint sensor OS language.

Note

Sensors do not collect file content or network packet information. Analysts can Search for Files on Machines to gain further insight into potentially malicious files.

Collected Active Directory data

Each sensor gathers the following Active Directory information for the machine and its users every 30 minutes:

User attributes:

  • SID

  • Display name

  • User principal name

  • Department

  • Company

  • Email

  • sAMAccountName

  • Primary GroupId

  • Member Of (multiple values)

  • Organizational Units (multiple values)

  • Country

  • Title

  • Created Time

Machine attributes:

  • SID

  • Description

  • Organizational Units (multiple values)

  • DNS Host Name

  • Location

  • Office

You can use the Investigation screen to search for specific Active Directory data. The following screen shot displays the User Element’s Active Directory filters.

Active Directory User

Note

Not every Active Directory-related filter has the term ‘Active Directory’ in the title.

Enable or disable collections

You can enable or disable data collection processes at the sensor level from the System > Sensors screen:

Set data collection modes

  1. Select the sensor or sensors whose data collection processes you want to enable or disable.

  2. Click the Actions button.

  3. Select Set Collection modes.

  4. Select one of the following:

    • To specify that the selected sensors apply the data collection settings in their associated sensor security policies, select Set by policy.

    • To enable general data collection processes on the selected sensors, select Enabled.

    • To disable general data collection processes on the selected sensors, select Disabled.

  5. If necessary, adjust the advanced data collection settings. See Configure Additional Endpoint Data Collections for information on advanced data collection options.

  6. Click Apply.