Analyze Suspicious Events
Note
To use these features, you can add the XDR package to your instance of the Cybereason platform for an additional cost. Contact your Customer Success Manager for details about this package.
When Cybereason XDR ingests data from your connected third-party integrations, the data includes numerous events reported to the third-party platform. However, many of these events may be non-malicious, such as the creation of a user, a user login, a password update, and so forth.
Cybereason XDR analyzes these events and, using proprietary detection logic, identifies the events that are likely suspicious or worth further investigation by your team. These events are classified as “suspicious events”. The platform enriches each of them with additional information, such as the MITRE ATT&CK tactic, technique, or sub-technique for the event.
You can then view suspicious events in the Suspicious events tab of the XDR screen, and open an event's details to learn more about it.
View suspicious events from connected integrations
Each row in the grid on the Suspicious Events screen represents an event reported by one of your connected XDR integrations.
Each event contains the name of the event reported from your connected integration platform, as well as other selected details about the event.
You can customize what event information to display in each row. Click the and select the relevant columns:
| Column | Description |
|---|---|
| Suspicious name | The event name reported in the integrated vendor platform or product. |
| Severity | Threat level as reported by the data source. Values include: Note: Presently, Suspicious events do not use the Critical severity level. This level is reserved for activities and assets that are critical to an organization. |
| Data source | The connected platform or product that generated the suspicious event alert. |
| Detection time | The time the suspicious event occurred, as reported by the data source. The date format is dd Month yyyy h:mm timezone. |
| Source identity | The entity or item that initiated the suspicious activity or behavior reported in the event. Values include: |
| Target identity | The entity or item that was the target of the suspicious activity or behavior reported in the event. Values include: |
| Action taken | The Cybereason platform value for the action taken by the security tool in the data source that reported the suspicious event. Values include: These values correspond to different values in the various integrations. To see the vendor- or product-specific action taken by your integrated platform, open the Additional details section of the event details and find the Vendor action field. Examples: |
| MITRE ATT&CK | A MITRE ATT&CK tactic, technique, or sub-technique that characterizes the item or behavior that triggered the alert. |
| Status | Status of the event, as set by you or another analyst. Values include: |
| Suspicious UUID | The event's unique identifier within the Cybereason platform. |
| Event ID | The event ID assigned by the data source that reported the event. |
| Suspicious code | The identifier of a specific alert name, which usually exists in policy-based solutions that report the policy or rule name and its ID. |
| Related MalOp | A link to the XDR Malop(s) associated with this suspicious event. Click the value to open the XDR Malops tab, filtered to only the selected Malop. |
View suspicious events from your Cybereason platform
Note
The ability to view suspicious events from your Cybereason platform is not generally available. Contact your Customer Success Manager to gain access to this feature.
In addition to events ingested from your connected integrations, you can also view events detected by your Cybereason platform. These events are equivalent to detections related to Endpoint Protection and AI Auto Hunting MalOps.
Events from your Cybereason platform are automatically exported from the Cross Machine Platform engine’s data and ingested by Cybereason XDR. Once Cybereason XDR parses these events, the events are displayed in the Suspicious events screen.
Events from your Cybereason platform contain the following:
| Column | Description |
|---|---|
| Alert name | The name for the event in your Cybereason platform. |
| Data source | The source for the alert. For events related to Endpoint Protection MalOps, this value is Cybereason NGAV. For AI Hunting MalOps, the value is Cybereason EDR. |
| Detection time | The time the suspicious event was first detected by the Cybereason platform. The date format is dd MM yyyy hh:mm timezone. |
| Severity | Threat level of the event. Values include: Note: Presently, Suspicious events do not use the Critical severity level. This level is reserved for activities and assets that are critical to an organization. |
| Source identity | The asset that initiated the suspicious activity or behavior reported in the event. This value is the machine on which the event occurred. |
| Action taken / Detection status/protection type | Action taken by the Cybereason platform. If you are viewing the Detection status/protection type field, possible values include: If you are viewing the Action taken field, possible values include: |
| MITRE ATT&CK | A MITRE ATT&CK tactic, technique, or sub-technique that characterizes the item or behavior that triggered the alert. |
| Type | The type of event. |
| Status | The status of the event, as set by you or one of the analysts on your team. |
| Suspicious UUID | The event ID used by the Cybereason platform for the event. |
| Detection Type | The type of item to which the event is related. Possible values include: |
| Vendor detection type | The detection engine the Cybereason platform used to detect the event. Possible values include: |
| Machine details | Details on the event on the machine, including: |
| File details | Details on the file associated with the event, including: |
| Process details | Details on the process associated with the event, including: |
| User details | Details for the user associated with the event, including: |
| Vendor action | The action taken by the Cybereason platform for this event. |
| Vendor category | The related suspicion raised by the Cybereason platform for this event. |
Search and filter suspicious events
The filter and search capabilities allow you to quickly focus on alerts of interest to you and your team.
Search for events
Use the search bar at the top of the Suspicious Events screen to search for events by one of the following fields:
Alert name
MITRE ATT&CK technique or tactic
Source identity
Target identity
When you select the search box, the platform displays a list of possible values on which to search.
Subsequent searches add to the existing search criteria, as shown in the following image. To remove a search criterion, click the X in the relevant filter bubble.
Filter events
To filter which events display on the Suspicious Events screen, click the filter icon and select one or more filters to apply.
Filter options include:
Time (Today or last 7, 14, 30, or 90 days)
Status
Severity
Action taken
Data source
Note
Filters do not affect how events are generated or detected. Filters only affect how events are displayed.
Investigate the associated MITRE tactic or technique
The Cybereason platform enriches each suspicious event with a tactic, technique, or sub-technique from the MITRE ATT&CK matrix. This relationship allows analysts to:
Gain visibility into MITRE threat trends at a specific point in time
Focus on specific threat categories across vendors
Further investigate threat tactics and mitigations as presented by MITRE
Select an item in the MITRE ATT&CK column to view more information about the MITRE tactic, technique, or sub-technique on the MITRE ATT&CK website.
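As an added example (not Cybereason's code) of the cross-vendor trend view this enrichment makes possible, the following Python pivots a constructed set of suspicious-event rows by parent ATT&CK technique and data source within a lookback window, and builds the attack.mitre.org link for each technique ID. The row layout, the VendorA/VendorB data source names and the ISO 8601 timestamps are assumptions.

```python
"""Pivot XDR suspicious events by ATT&CK technique and data source.
Added example, not Cybereason code. EVENTS rows are constructed with the Suspicious
Events column names; VendorA/VendorB are placeholder data sources. Assumes ISO 8601
Detection time values and ATT&CK IDs shaped like T1078 or T1078.004."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

EVENTS: List[Dict[str, str]] = [
    {"Suspicious name": "Unusual cloud sign-in", "Data source": "VendorA",
     "Detection time": "2024-05-01T10:00:00+00:00", "MITRE ATT&CK": "T1078.004"},
    {"Suspicious name": "Valid account misuse", "Data source": "VendorB",
     "Detection time": "2024-05-02T09:30:00+00:00", "MITRE ATT&CK": "T1078"},
    {"Suspicious name": "Password spraying", "Data source": "VendorA",
     "Detection time": "2024-05-03T12:00:00+00:00", "MITRE ATT&CK": "T1110.003"},
    {"Suspicious name": "Old domain account event", "Data source": "VendorA",
     "Detection time": "2024-04-01T08:00:00+00:00", "MITRE ATT&CK": "T1078.002"},
    {"Suspicious name": "Unmapped alert", "Data source": "VendorB",
     "Detection time": "2024-05-03T13:00:00+00:00", "MITRE ATT&CK": "n/a"},
]
ATTACK_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")
WINDOW_START = datetime(2024, 4, 20, tzinfo=timezone.utc)  # constructed lookback window start

def attack_url(attack_id: str) -> Optional[str]:
    """Public ATT&CK page for a technique or sub-technique ID; None if the ID is malformed."""
    m = ATTACK_ID.match(attack_id.strip())
    if not m:
        return None
    tech, sub = m.groups()
    return f"https://attack.mitre.org/techniques/T{tech}/" + (f"{sub}/" if sub else "")

def parent_technique(attack_id: str) -> Optional[str]:
    """Collapse a sub-technique (T1078.004) to its parent technique (T1078)."""
    m = ATTACK_ID.match(attack_id.strip())
    return f"T{m.group(1)}" if m else None

def technique_trend(events: List[Dict[str, str]], since: datetime) -> Tuple[Counter, Dict[str, Counter]]:
    """Events per parent technique since `since`, plus a per-data-source breakdown of each."""
    by_technique: Counter = Counter()
    by_source: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        tech = parent_technique(ev["MITRE ATT&CK"])
        if tech is None or datetime.fromisoformat(ev["Detection time"]) < since:
            continue  # unmapped IDs and events outside the window are left out of the pivot
        by_technique[tech] += 1
        by_source[tech][ev["Data source"]] += 1
    return by_technique, dict(by_source)

def cross_vendor_techniques(by_source: Dict[str, Counter]) -> List[str]:  # seen from 2+ sources
    return sorted(t for t, srcs in by_source.items() if len(srcs) > 1)
```

Calling `technique_trend(EVENTS, WINDOW_START)` on the constructed rows yields two T1078 events (one per vendor) and one T1110 event, with the April row and the unmapped row excluded.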
Investigate a specific suspicious event
To further investigate a specific suspicious event, select the event name from the list of events to open the event details pane. The details pane contains more information about the event.
Set suspicious event status
As you analyze each suspicious event, you can update the status to ensure that other analysts in your organization understand its place in the workflow.
Use any of the following status values to update a suspicious event:
Pending: Events are pending if a status has not been set
Archived: Archive an alert if it is not relevant to your organization or requires tuning
Escalated: Escalate an alert if it requires more investigation
To change the status of a suspicious event, do one of the following:
For individual suspicions, click the three vertical dots on the right end of the suspicious event entry and select a status to apply to the event.
For one or more suspicions, select the checkbox next to the suspicious event entry or entries, click the Set Status button on the top right of the screen, and select a status to apply to the selected events.
Known issues - Suspicious events
When you filter results, the system retrieves all matching items, but only displays up to 10K on the Suspicious Events screen. The results number listed above the items in the Suspicious Events screen, as well as the numbers next to the filter options, reflect the total number of results, which could be greater than 10K.
When filtering suspicious events, if you use the autocomplete functionality to enter a search string, the Suspicious events screen will return all events, regardless of the time filter you selected.
In the suspicious events table, if you resize a column to its minimum width, no characters are displayed to indicate that the column contains a value.
When copying values from the Severity or Action columns, the value is not copied with the same case as displayed on the screen. For example, the value Alert is copied as ALERT.
On the Suspicious events screen, it is possible to hide all columns in the Suspicious events list.
For environments in Japanese, the values for the Creation time for any suspicious events are not translated into Japanese.