Use Cybereason Connect

Note

To use these features, you can add the XDR package to your instance of the Cybereason platform for an additional cost. Contact your Customer Success Manager for details about this package.

After you enable your Cybereason XDR package, you will want to start adding integrations to your Cybereason XDR instance. Cybereason XDR ingests the logs from any supported and connected platforms to begin detection of potentially malicious activity. You manage the addition and connection of integrations from the Cybereason Connect screen.


Integration data retrieval and collection

For integrations associated with Cybereason XDR, you have different options to retrieve data.

Some platforms, such as Google Workspace, Slack, or Okta, store their data in the cloud. When you provide access details in Connect and configure the data export on the other platform, the Cybereason platform retrieves the data through a cloud feed.

For other platforms, such as your firewall, the platform hosts the data in a secure on-site location that the Cybereason platform may not be able to access automatically. In these cases, you must install a special on-site collector in your own network. These on-site collectors retrieve logs from various sources, and securely forward them to your Cybereason platform.

Integration classification

In the Connect screen, all supported integrations are grouped into categories that represent the integration’s purpose.

Categories include:

  • Identity and Access Management

  • Workspace

  • Email and Workspace Protection

  • Email Server

  • Firewall

  • IDS/IPS

  • SaaS Application

  • SIEM

  • Workflow and Response

  • Enrichment and Telemetry

  • Infrastructure

  • Cyber Posture

  • Security Analytics

You will see additional categories as the Cybereason platform adds support for additional integrations.

In addition, each integration has a specific function to describe how Cybereason XDR uses the data from the integration. Functions include:

Detection

Retrieves third-party events and security alerts and utilizes them for Malop detection.

Context data

Enriches already collected information through the correlation of collected data from XDR integrations with EDR data.

Investigation

Retrieves third-party events and utilizes them for powerful graph query investigations.

Response

Automatically executes response actions through third-party vendors' APIs.

Analytics

Analyzes and reports trends in behavior.

Orchestration

Helps manage and automate your security workflows.

Attack Simulation

Enables you to run simulated attacks safely to test your protection levels.

Management

Helps you manage all your security assets efficiently.

Likewise, you will see additional functions as the Cybereason platform adds support for additional integrations.

Filter the list of integrations

By default, when you open the Cybereason Connect screen, you see all available integrations. To find the integration you need, you have a number of different options to narrow down the list.

In the All Integrations tab, in the search bar at the top of the screen, enter any part of the product name, such as Google to find the Google Workspace, Google Gmail, or Google Alerts Center integrations:

Add a search term to filter the list of integrations in Connect

In addition, next to the search bar, click the Filter icon to display the available filter types:

Available filters to filter the list of integrations in Connect

You can use this filter list to filter by integration category, product vendor, or integration function. As you select a specific filter, the Cybereason Connect screen updates the displayed integrations to match your filter. For example, if you select Workspace as a filter, the screen displays all integrations with the category label of Workspace:

Integrations list updated by filter selection in the Connect screen

Add a cloud feed integration to your environment

For details, see Add a Cloud Feed Integration.

Add an on-site integration to your environment

For details, see Add an On-Site Integration.

View your integrations

After you add and configure a specific integration, the Cybereason Connect screen displays it in the My Integrations tab, along with the status of each integration:

My Integrations tab in the Connect screen

If your integration displays ERROR, the cause may be incorrect credentials or insufficient permissions. Check the following to help resolve the error:

  1. Verify you entered the correct credentials, such as the integration host name, tenant ID, application key, secret token, password, and so forth.

  2. Verify that the provided application or user for the integration has the right permissions. You can find the appropriate configuration documentation for each integration on the Cybereason Integrations page.

If you remove any of your integrations, all log source data collected and received is retained by your Cybereason platform according to your data retention package.
