Manage the MalOp Workflow
A defined workflow can maximize your time as you work to analyze and remediate MalOps. To define a workflow, you can use MalOp statuses and labels in the Malops management screen.
Set the MalOp investigation status
A MalOp’s Investigation status represents the MalOp’s position in the investigation and remediation process. Investigation statuses can be set manually by the user or automatically by the Cybereason platform.
Investigation statuses with the Data Platform architecture
The following table describes the different MalOp statuses in environments with the Data Platform architecture and how they are set.
Investigation status | Set by user | Set by platform
---|---|---
New | When you want to move the MalOp back to pending status. | When the MalOp first appears in the Malops management screen.
Reopened | When you want to re-evaluate a closed MalOp. | When the system detects new activity related to a MalOp that was closed.
Under investigation | When you want to specify that the MalOp is currently under investigation. | When a MalOp with a Pending/New status is escalated by the user.
On hold | The MalOp has not been resolved, but investigation is not currently active. | N/A
Closed | The MalOp review is complete and it is closed out. This can be because the MalOp was deemed benign and marked as Exclude, or because remediating action was taken for a malicious MalOp and it is no longer considered an open threat. | N/A
See Remediate MalOps for information on setting the investigation status during the remediation process.
Investigation statuses without the Data Platform architecture
The following table describes the different MalOp statuses in environments without the Data Platform architecture and how they are set.
Investigation status | Description
---|---
Unread | Recently discovered MalOps that have not yet been viewed. Cybereason automatically assigns new MalOps the Unread status. When you or another analyst views the MalOp, the status automatically moves to Under Investigation.
To review | MalOps that you have read and specifically marked for review.
Not relevant | MalOps that are not relevant to your organization. Marking MalOps as Not relevant prevents identical MalOps from appearing in the Cybereason interface. Additionally, if the root cause of the MalOp is a file hash, IP address, or domain, Cybereason adds the root cause to the allowlist. This action is the same as using the Malop is benign - Exclude option in the Malops management screen.
Remediated | MalOps that you or another analyst remediated. After applying a remediation solution, you must manually mark the item as Remediated so that the platform continues monitoring for similar occurrences of the threat and alerts you if it reappears. The Cybereason platform moves MalOps marked as Not relevant to the Archived section on the Malop inbox screen.
See Remediate MalOps for information on setting the investigation status during the remediation process.
For Endpoint Protection MalOps, you can use the Mark as resolved button to indicate a MalOp has been manually resolved.
View the MalOp state
When you set the MalOp’s investigation status, the platform also automatically updates the MalOp’s state to show how far along the path to resolution the MalOp currently is.
The MalOp state differs from the investigation status as it reflects the progress toward resolution instead of the MalOp’s position in the investigation and triage process.
The MalOp states are updated accordingly depending on the investigation statuses and activities of items associated with the MalOp:
Investigation status | MalOp state
---|---
New | When the investigation status is New, the MalOp state may be one of the following:
Under Investigation | When the investigation status is Under Investigation, the MalOp state may be one of the following:
Reopened | When the investigation status is Reopened, the MalOp state may be one of the following:
Closed | When the investigation status is Closed, the MalOp state may be one of the following:
On Hold | Active
Set the MalOp priority
You can add one of the following tags to MalOps to help prioritize the response process:
High
Medium
Low
The priority feature can help security analysts determine which MalOps are more urgent and which require further investigation. For example, you might assign a High priority to a MalOp that indicates a Remote Access Trojan (RAT) on a domain controller. Likewise, you might assign a Low priority to a known adware application on a lab or research and development (R&D) machine.
The priority feature is also helpful to organizations that do not have an external ticketing or case management system and that also rely entirely on the Malops management screen to manage MalOp workflows.
You set a MalOp’s priority from the Priority column on the Malops management screen. If the column is not visible, click the columns icon on the upper right of the MalOps list and check the box next to Priority. The priority column has a drop-down menu for each MalOp, from which you can select a priority to assign to that MalOp.
You can filter MalOps by priority. To do this, select the priority in the Filters options.
Mark a MalOp status
For AI Hunting MalOps you can use the Mark as option in the Malop details screen or the Mark as resolved button in the Malops management screen to quickly exclude a MalOp or to better organize MalOps.
Mark as options in the Malop details screen for AI Hunting MalOps include the following:
Malop status | Description
---|---
Unread | Recently discovered MalOps that have not yet been viewed. Cybereason automatically assigns new MalOps the Unread status. When you or another analyst views the MalOp, the status automatically moves to Under Investigation.
To review | MalOps that you have read and specifically marked for review.
Not relevant | MalOps that are not relevant to your organization. Marking MalOps as Not relevant prevents identical MalOps from appearing in the Cybereason interface. Additionally, if the root cause of the MalOp is a file hash, IP address, or domain, Cybereason adds the root cause to the allowlist. This action is the same as using the Malop is benign - Exclude option in the Malops management screen.
Remediated | MalOps that you or another analyst remediated. After applying a remediation solution, you must manually mark the item as Remediated so that the platform continues monitoring for similar occurrences of the threat and alerts you if it reappears. Cybereason moves MalOps marked as Not relevant to the Archived section on the Malop inbox screen.
For Endpoint Protection MalOps, you can use the Mark as resolved button in the Malops management screen to indicate that a MalOp has been manually resolved.
In addition, if your Cybereason environment uses the Data Platform infrastructure, click Set status to above the MalOps list and select the status.
Escalate a MalOp
To quickly note that a MalOp requires addressing, click the Escalate button in the MalOp’s Escalation column. If the column is not visible, click the columns icon on the upper right of the MalOps list and check the box next to Escalation. To remove a MalOp from escalation, click the x next to the MalOp’s Escalated label in the Escalation column.
You can quickly view escalated MalOps using the Escalated Malops only checkbox on the upper right of the MalOps list (for environments not using the new Data Platform infrastructure) or by selecting Escalated in the Investigation status section in the filters on the left side of the screen (for environments using the new Data Platform infrastructure).
Escalating a MalOp only adds an internal label to the MalOp, so that you can later filter for escalated MalOps. Escalating a MalOp does not affect email notifications for MalOps.
Add MalOp labels
You can assign one or more labels to each MalOp so that you can organize any MalOps that your Cybereason platform detects.
Note
Local analysts cannot use the MalOp label function.
For example, use MalOp labels to track:
Categorization | Examples
---|---
Attack Types | RAT, Keylogger, Ransomware, Adware
Attack Campaigns | 5/17 Spear Phishing Campaign, 2/17 DDoS
VIP Users | CFO, Domain Admin, DB Admin
Threat Actors | Fuzzy Panda, APT26, Sandworm, Shady Rat
IT Policy Violations | Games, P2P, Unapproved Browser
Responsible Analyst | Analyst_A, Analyst_B
To create labels, follow these steps:
Above the MalOps list on the left, click Labels.
In the Manage labels dialog box, start typing the name of your new label in the search field. The Add new label button appears.
Click Add new label, and click Save.
To delete labels, follow these steps:
Above the MalOps list on the left, click Labels.
Search for existing labels.
Click the ‘x’ on the label, and then click Save.
To apply or remove labels, follow these steps:
In the list, select the MalOp or MalOps that you want.
Above the MalOps list on the left, click Labels.
From the Manage labels dialog box, do one of the following:
To apply an existing label, select the label.
To remove the label, click the ‘x’.
Click Save.
Note
When you click the ‘x’ on a label when one or more MalOps are selected, the Cybereason platform removes the label from the selected MalOps but does not delete the label. To delete a label, click the ‘x’ on the label when no MalOps are selected.
You can filter MalOps by label. To do this, select the label that you want in the Filters options.
Resolve a MalOp
You can manually resolve any MalOp in the main Malops management screen.
If your Cybereason environment does not use the Data Platform infrastructure, click the Mark as resolved button above the MalOp list.
If your Cybereason environment uses the Data Platform infrastructure, do one of the following: