Elements and Features

When you build a query, you translate the actions of system components into a specific query. In Cybereason, the components and their behaviors are represented by Elements and Features.

The Cybereason platform maps each system component to a specific Element in the Cybereason data model. The platform represents characteristics/behaviors as Features of the Element.

Elements

When the Cybereason platform collects and analyzes information from Sensors, it associates the data with a specific system component. In turn, the platform maps these components to Elements. Elements are components such as machines, users, and processes. For example, the Cybereason platform has created Elements for:

The following table lists Elements that analysts can use in the UI Investigation screen. For a list of Elements in the API, see the Query Elements and Features in the Cybereason API documentation.

Elements in the UI

Element UI Name                      | Description
-------------------------------------|------------------------------------------------------------------------------------------
Automatic Execution                  | An operation that is run automatically.
Connection                           | A connection operation between machines, processes, and so forth.
DNS query resolved Domain to Domain  | A DNS query from one domain to another that was resolved.
DNS query resolved Domain to IP      | A DNS query from a Domain to an IP address that was resolved.
DNS query resolved IP to Domain      | A DNS query from an IP to a Domain that was resolved.
DNS query unresolved from Domain     | A DNS query from a domain that is still not resolved.
DNS query unresolved from IP         | A DNS query from an IP address that is still not resolved.
Domain Name                          | The name of a domain.
Driver                               | A driver for a machine, process, and so forth.
File                                 | A file involved in an operation.
File Event                           | An operation performed by a process on a file.
Function Details                     | The information about a running function.
Hosts File                           | The file on an operating system that maps host names to IP addresses.
Image file                           | The file from the disk that executes the process.
IP Address                           | The IP address of an operation.
IP Range Scan                        | An operation that scans the IP addresses in a range.
Listening connection                 | The connection on the machine that listens for incoming connection requests.
Local network                        | A LAN for a specific area.
Logon session                        | A computing session beginning with a successful logon and ending with a user log off operation.
Machine                              | The machine involved in an operation.
Malop Logon session                  | The specific computing session, while the user was logged on, in which a MalOp was created.
Malop Process                        | The specific process involved in a MalOp.
Module                               | The module involved in an operation.
Mount point                          | A directory on which an accessible file system is mounted.
Network Interface                    | The interface between two items in a computer network.
Network Machine                      | A machine running on a network involved in an operation.
Process                              | The process involved in an operation.
Proxy                                | The proxy used for a connection.
QuarantineFile                       | The file involved in a quarantine operation.
Registry Entry                       | An item in the computer's registry.
Registry Event                       | An event performed on a specific registry entry.
Remote Session                       | A computing session where a user accesses a machine running in a remote location.
Scheduled task                       | A task scheduled to run at a certain time by the operating system's task scheduler.
Scheduled task action                | The action that runs when a task runs from the task scheduler.
Service                              | A service involved in an operation.
User                                 | The user involved in an operation.
Wmi Persistent Object                | An object created when working with the WMI capability of the Windows operating system.

Features

Each Element type has descriptive Features. Features are characteristics of an Element. These characteristics include properties of the Element, such as its name, or behaviors of the Element. Some Features give you visibility into what an Element is doing.

For a full list of Features per Element, see the Query Elements and Features in the Cybereason API documentation.

For example, the Cybereason platform uses Features for processes (the Process Element) such as these:

  • The name of the process -> Process name feature

  • The ID number of the thread the process uses -> Thread ID feature

  • Process opens a connection to a known malicious IP address -> Connecting to a Known Malicious Address feature

  • Process opens a module in a temporary folder -> Module in temporary folder feature

  • Command line the process uses to run -> Command line feature

You can use evidence and suspicions created through Cybereason detection rules as Features. If a Feature is an evidence or suspicion Feature, it displays an icon:

  • Evidence uses an eye icon (Evidence Icon).

  • Suspicion uses the Suspicion icon (Suspicion Icon).

Features that are not evidence or suspicions use a filter icon (Filter Icon).
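The following Python example is added here to show how the Element/Feature model above turns into a concrete query: a path of Elements (Process, Connection, IP Address), each hop constrained by Feature filters, with one hop marked as the result. It is not Cybereason's own code; it assumes the JSON request shape of the Cybereason query API (queryPath, filters, connectionFeature), and the facet and link-Feature names other than elementDisplayName are illustrative placeholders to be replaced from the Query Elements and Features reference.

```python
# Added example, not Cybereason code. Request shape is an assumption based on the
# Cybereason query API; facet/feature names marked "placeholder" are illustrative.
import json

# Subset of the Element UI names from the table above.
KNOWN_ELEMENTS = {"Process", "Connection", "IP Address", "Machine", "User", "File", "Module"}


def feature_filter(facet_name, values, filter_type="Equals"):
    """A constraint on one Feature of an Element (e.g. Process name equals x)."""
    return {"facetName": facet_name, "values": list(values), "filterType": filter_type}


def element_step(element, filters=(), is_result=False, via=None):
    """One hop of the query path: an Element plus the Feature filters on it.
    `via` = (previous Element, link Feature) names the Feature that joins the
    previous hop to this one; the field names follow the assumed API shape."""
    if element not in KNOWN_ELEMENTS:
        raise ValueError(f"unknown Element: {element!r}")
    step = {"requestedType": element, "filters": list(filters), "isResult": is_result}
    if via is not None:
        step["connectionFeature"] = {"elementInstanceType": via[0], "featureName": via[1]}
    return step


def build_query(path, custom_fields, limit=1000):
    """Assemble the request body; exactly one hop must be marked as the result."""
    if sum(1 for s in path if s["isResult"]) != 1:
        raise ValueError("exactly one step in the path must have isResult=True")
    return {
        "queryPath": path,
        "totalResultLimit": limit,
        "perGroupLimit": 100,
        "perFeatureLimit": 100,
        "templateContext": "SPECIFIC",
        "queryTimeout": 120000,
        "customFields": list(custom_fields),
    }


def hunt_temp_module_connections():
    """Processes that loaded a module from a temporary folder (an evidence
    Feature), followed through their connections to the remote IP Address."""
    path = [
        element_step("Process", [
            feature_filter("elementDisplayName", ["powershell.exe"]),  # Process name Feature
            feature_filter("hasModuleInTempFolder", [True]),          # placeholder evidence facet
        ]),
        element_step("Connection", via=("Process", "connections")),          # placeholder link Feature
        element_step("IP Address", is_result=True, via=("Connection", "remoteAddress")),  # placeholder
    ]
    return build_query(path, ["elementDisplayName"])


if __name__ == "__main__":
    print(json.dumps(hunt_temp_module_connections(), indent=2))
```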

Element Details Screen

State of collected data on Elements

For some Elements, the information displayed reflects the state of the Element at the time of data collection. This may not be the current time. As a result, certain Elements (such as a specific file) in the UI may not be found on the endpoint if that Element has moved or been removed by the time you investigate.