Threat Detection in Cybereason XDR

In addition to data ingestion and processing, Cybereason XDR adds numerous detections to help you spot potentially or definitely malicious activities across your organization.

Whatever the source, the data Cybereason XDR ingests is based on events reported by your integrated platforms: user logon activity, network access activity, email messages, and so forth. These events also carry other data points, such as the user identities associated with them, the assets on which they occurred, and many more.

Cybereason XDR takes this accumulated data, parses it, and, using numerous proprietary detection rules, adds detections and/or enrichment to existing third-party events. These detections report instances of known suspicious attack activity, as well as weaker indications that may be evidence of a larger pattern of malicious behavior, such as multi-factor authentication bombing, brute force logon attempts, mass file deletion, new user account creation, or user addition to administrative groups.

A detection can be an enrichment of an event reported by another platform or product, an aggregation of similar events that share an item of the same type (such as the same user identity), or a correlation of events whose activities share a repeated indicator of some type.
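The aggregation and correlation styles described above, as an added illustration that is not Cybereason XDR's own detection logic: the flat event schema, the thresholds, the window, and the sample events are all constructed assumptions. It aggregates logon failures per user identity to flag a brute force pattern, and correlates events of different types that share the same indicator value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed flat, vendor-neutral shape (not a real product export).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "type": "logon_failure", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": "2024-01-10T09:00:20", "type": "logon_failure", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": "2024-01-10T09:00:40", "type": "logon_failure", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": "2024-01-10T09:01:00", "type": "logon_failure", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": "2024-01-10T09:01:20", "type": "logon_failure", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": "2024-01-10T09:02:00", "type": "logon_success", "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": "2024-01-10T09:05:00", "type": "mfa_push",      "user": "alice", "src_ip": "203.0.113.5"},
    {"ts": "2024-01-10T08:00:00", "type": "logon_failure", "user": "bob",   "src_ip": "198.51.100.7"},
    {"ts": "2024-01-10T13:00:00", "type": "logon_failure", "user": "bob",   "src_ip": "198.51.100.7"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Aggregation: at least `threshold` logon failures for one user identity inside a sliding window."""
    failures_by_user = defaultdict(list)
    for event in events:
        if event["type"] == "logon_failure":
            failures_by_user[event["user"]].append(_ts(event))
    detections = []
    for user, times in failures_by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                detections.append({"rule": "brute_force_logon", "user": user,
                                   "count": end - start + 1, "first": times[start], "last": times[end]})
                break  # one detection per user is enough to surface the pattern
    return detections

def detect_repeated_indicator(events, field="src_ip", min_types=2):
    """Correlation: one indicator value (here a source IP) shared by events of different types."""
    types_by_value = defaultdict(set)
    for event in events:
        if field in event:
            types_by_value[event[field]].add(event["type"])
    return [{"rule": "repeated_indicator", "indicator": field, "value": value, "event_types": sorted(types)}
            for value, types in types_by_value.items() if len(types) >= min_types]
```

Bob's two failures are five hours apart, so the aggregation rule ignores them even at a low threshold, while Alice's five failures in 80 seconds, followed by a success and an MFA push from the same address, surface under both rules.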

You can see the detections throughout Cybereason XDR:

  1. Suspicious events from third-party integrated platforms, reported in the Suspicious events screen, contain enrichment details detected by Cybereason XDR, to give you a greater understanding of the event. These events come from data sources whose name includes both the vendor and the product.

  2. Suspicious events from Cybereason XDR, also in the Suspicious events screen, report events based on proprietary Cybereason detection logic, such as aggregation of many related events or correlation of similar events. These events have a source of Cybereason XDR.

  3. XDR MalOps, also based on proprietary Cybereason detections and built by an AI-based engine, show a larger attack story composed of multiple suspicious events.

Because the detections add enrichment, aggregation, or correlation to the detected events, Cybereason XDR lets you see and find patterns of behavior or patterns of attack that you would not see by looking at a basic or flat list of events from your integrated third-party platforms.

When you connect additional integrations, these detections add value to your Cybereason XDR, because Cybereason XDR does more than collect logs: it searches for and detects patterns of attack and malicious behavior. These detections are also used by the MalOp detection engine to build XDR MalOps, which show a full attack story.

These detection rules are maintained by the Cybereason Security Research team, analyzed over time, and monitored continuously to assess the accuracy and validity of each detection. The team analyzes the number of detections to make sure there are no excessive detections, which may indicate a false positive. In addition, the team analyzes how often detections are classified as false positives to ensure that the detections report possible or likely malicious activities.

Watch this video on threat detection in Cybereason XDR: