Automate Your Hunting

By default, hunting is a manual process: you plan and create queries, then analyze the results. If you are performing a first-time hunt or looking for an isolated instance of malicious behavior, this approach works well.

If you plan to scale your hunting to higher frequency, you need to automate the hunting process.

We recommend the following for creating automation:

  1. Once you have built a query to meet your needs, and have received worthwhile results, save the query. For details on saved queries, see Save Queries.

  2. Create a sample script using the Query API to perform the hunt.

    For example, the following Python script logs in and runs a query:

    import requests

    username = "<your user name>"
    password = "<password>"
    server = "<server URL>"
    port = "443"

    data = {
        "username": username,
        "password": password
    }

    base_url = "https://" + server + ":" + port
    login_url = base_url + "/login.html"

    # Log in once; the session object keeps the authentication cookie for later requests.
    session = requests.session()
    response = session.post(login_url, data=data, verify=True)

    print(response.status_code)
    print(session.cookies.items())

    # The query endpoint lives on the same server you logged in to.
    url = base_url + "/rest/visualsearch/query/simple"

    query = '{"queryPath":[{"requestedType":"Process","filters":[{"facetName":"isDownloadedFromInternet","values":[true]},{"facetName":"firstExecutionOfDownloadedProcessEvidence","values":[true]}],"isResult":true}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout": 120000,"customFields":["elementDisplayName","commandLine","parentProcess","calculatedUser","ransomwareAutoRemediationSuspended","executionPrevented","creationTime","endTime"]}'

    # The query body is JSON, so the request must say so.
    headers = {'Content-Type': 'application/json'}

    response = session.request("POST", url, data=query, headers=headers)

    print(response.content)
    

    Note

    The content of the queryPath differs depending on what you put in your query.

    Tip

    To understand what to include in the queryPath object of an API request, open Chrome Developer Tools, then run a query from the Investigation screen. In the Network tab of the developer tools, you will see a section called Request Body. Copy the JSON from that section into the queryPath parameter.

    For full details on using the Query API, see the Hunting and Investigation API Reference section of the Cybereason API documentation.

  3. Using your automation framework, set the API script to run when needed.

  4. When the query results are returned, read through the response body in JSON format. For details on the content of the response, see the topic on View the Query Response in the Hunting and Investigation API Reference section of the Cybereason API documentation.

    You can also create a script to parse the JSON response body for useful data.
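    Building the queryPath body (step 2) and parsing the JSON response (step 4) in code, as an added example that is not from the Cybereason documentation: build_query, extract_results and the sample response are constructed for this example, and the response layout it parses (data.resultIdToElementDataMap with simpleValues per field) is an assumption to confirm against the API reference.

```python
import json

# Added example (not from the Cybereason docs): build the request body that the
# script above sends as a literal string, so a hunt's filters and custom fields
# are assembled in code instead of pasted in as one JSON blob.
def build_query(requested_type, filters, custom_fields, total_limit=1000,
                per_group=100, per_feature=100, timeout_ms=120000):
    """Return the body for a simple query; `filters` maps facetName -> values."""
    return {
        "queryPath": [{
            "requestedType": requested_type,
            "filters": [{"facetName": name, "values": list(values)}
                        for name, values in filters.items()],
            "isResult": True,
        }],
        "totalResultLimit": total_limit,
        "perGroupLimit": per_group,
        "perFeatureLimit": per_feature,
        "templateContext": "SPECIFIC",
        "queryTimeout": timeout_ms,
        "customFields": list(custom_fields),
    }

def extract_results(response_json, fields):
    """Flatten each result element into a dict of the requested custom fields.
    ASSUMPTION: results sit under data.resultIdToElementDataMap, each holding
    simpleValues[field]["values"]; confirm against 'View the Query Response'."""
    rows = []
    elements = response_json.get("data", {}).get("resultIdToElementDataMap", {})
    for guid, element in elements.items():
        simple = element.get("simpleValues", {})
        row = {"guid": guid}
        for field in fields:
            values = simple.get(field, {}).get("values") or []
            row[field] = values[0] if values else None  # field absent -> None
        rows.append(row)
    return rows

# Constructed sample response (not captured from a real server) for a local run.
SAMPLE_RESPONSE = {"data": {"resultIdToElementDataMap": {
    "ab12": {"simpleValues": {"elementDisplayName": {"values": ["setup.exe"]},
                              "commandLine": {"values": ["setup.exe /quiet"]}}},
    "cd34": {"simpleValues": {"elementDisplayName": {"values": ["tool.exe"]}}}}}}

if __name__ == "__main__":
    body = build_query("Process", {"isDownloadedFromInternet": [True]},
                       ["elementDisplayName", "commandLine"])
    print(json.dumps(body))  # the string to pass as data= in the POST above
    for row in extract_results(SAMPLE_RESPONSE, ["elementDisplayName", "commandLine"]):
        print(row)
```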