Asset Mapping Queries

Asset mapping can help with future MalOp investigations because you will have a solid understanding of the resources available to your team. Use the Cybereason Investigation screen to map assets like operating systems, servers, network connections, and available IT tools.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.

Each example lists each Element in the query on its own line, in bold text. The Features (filters) applied to that Element follow the Element name in regular weight text. Each example also states the goal of the hunt and an explanatory statement of what you want to find.

OS mapping

Goal: Create a mapping of all machines for each OS.

Explanatory statement: I want to view all machines running a specific operating system.

Construct this query:

Machine Element -> filter for OS version is __ (select a supported operating system)

OS Version

Servers mapping

Goal: Find machines running certain services.

Explanatory statement: I want to find certain server services running on Windows Server 2012 R2 machines.

Construct this query:

Machine Element -> filter for OS version is Windows Server 2012 R2 THEN

Services Element -> filter for Service name contains Apache OR nginx OR IIS OR tomcat AND filter for Is active is True

Server Asset
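The Element -> filter -> THEN path above can also be expressed as the JSON queryPath the Cybereason investigation API accepts. The builder below is an added example, not Cybereason's own code: the endpoint path and the queryPath / requestedType / filters / connectionFeature / isResult layout follow the public query API, while the facet names, enum values and feature names (osVersionType, Windows_Server_2012_R2, name, isActive, services) are assumptions for illustration that must be checked against your console's API reference.

```python
"""Build a Cybereason-style investigation query from Element -> filter steps.

Added example, not Cybereason's own code. The JSON shape follows the public
query API (POST /rest/visualsearch/query/simple); every facet name, value
and feature name used here is an ASSUMED placeholder.
"""
import json

QUERY_ENDPOINT = "/rest/visualsearch/query/simple"  # assumed path for illustration


def build_query_path(steps):
    """steps: list of (element, filters, link_feature) tuples, in THEN order.
    link_feature names the feature that connects an element to the next one
    (None for the last element). Only the last element is marked as the result,
    matching the console, which returns the final Element of the path."""
    path = []
    last = len(steps) - 1
    for i, (element, filters, link) in enumerate(steps):
        node = {"requestedType": element, "filters": list(filters), "isResult": i == last}
        if i < last:
            if link is None:
                raise ValueError(f"step {i} ({element}) has no connection feature to the next element")
            node["connectionFeature"] = {"elementInstanceType": element, "featureName": link}
        path.append(node)
    return path


def server_mapping_query():
    """The 'Servers mapping' hunt: Windows Server 2012 R2 machines THEN active
    services whose name contains Apache, nginx, IIS or tomcat."""
    machine_filters = [  # assumed facet and enum value
        {"facetName": "osVersionType", "filterType": "Equals", "values": ["Windows_Server_2012_R2"]},
    ]
    service_filters = [  # several values in one filter are OR; separate filters are AND
        {"facetName": "name", "filterType": "ContainsIgnoreCase",
         "values": ["Apache", "nginx", "IIS", "tomcat"]},
        {"facetName": "isActive", "filterType": "Equals", "values": [True]},
    ]
    return {
        "queryPath": build_query_path([
            ("Machine", machine_filters, "services"),  # assumed feature linking Machine to Service
            ("Service", service_filters, None),
        ]),
        "totalResultLimit": 1000, "perGroupLimit": 100, "perFeatureLimit": 100,
        "templateContext": "SPECIFIC", "queryTimeout": 120000,
    }


if __name__ == "__main__":
    print(json.dumps(server_mapping_query(), indent=2))
```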

Network connection mapping

Goal: Find connections from external addresses toward internal machines.

Explanatory statement: I want to find connections from addresses outside my organization to machines inside my organization.

Construct this query:

Process Element THEN

Connections Element -> filter for Direction is Incoming AND filter for Remote address type is External

Network Asset

IT tools mapping

Goal: Find a list of IT tools in the environment.

Explanatory statement: I want to find a list of tools used for IT purposes in my environment.

Construct this query:

Process Element -> filter for Product type is RunAs OR Shell OR Remote desktop

IT Asset