Manage the MalOp Workflow

A defined workflow can maximize your time as you work to analyze and remediate MalOps. To define a workflow, you can use MalOp statuses and labels in the Malops management screen.

Set the MalOp investigation status

A MalOp’s Investigation status represents the MalOp’s position in the investigation and remediation process. Investigation statuses can be set manually by the user or automatically by the Cybereason platform.

Investigation statuses with the Data Platform architecture

The following table describes the different MalOp statuses in environments with the Data Platform architecture and how they are set.

Investigation status

Set by user

Set by platform

New

When you want to move MalOp back to pending status.

When the MalOp first appears in the Malops management screen.

Reopened

When you want to re-evaluate a closed MalOp.

When the system detects new activity related to a MalOp that was closed.

Under investigation

When you want to specify that the Malop is currently under investigation.

When a MalOp with a Pending/New status is escalated by the user.

On hold

The MalOp has not been resolved, but investigation is not currently active.

N/A

Closed

The MalOp review is complete and it is closed out. This can be because the MalOp was deemed as benign and marked as Exclude or because remediating action was taken for a malicious MalOp and it is no longer considered an open threat.

N/A

See Remediate MalOps for information on setting the investigation status during the remediation process.

Investigation status without the non-Data Platform architecture

The following table describes the different MalOp statuses in environments without the Data Platform architecture and how they are set.

Investigation status

Description

Unread

Recently discovered MalOps that have not yet been viewed. Cybereason automatically assigns new MalOps the Unread status. When you or another analyst views the MalOp the status automatically moves to Under Investigation.

To review

MalOps that you have read and specifically marked for review.

Not relevant

MalOps that are not relevant to your organization. Marking MalOps as Not relevant prevents identical MalOps from appearing in the Cybereason interface. Additionally, if the root cause of the MalOp is a file hash, IP address, or domain, Cybereason adds the root cause to the allowlist.

This action is the same as using the Malop is benign - Exclude option in the Malops management screen.

Remediated

MalOps that you or another analyst remediated. After applying a remediation solution, you must manually mark the item as Remediated so the platform will continue monitoring similar occurrences of the threat and alert you if it reappears.

The Cybereason platform moves MalOps marked as Not relevant to the Archived section on the Malop inbox screen.

See Remediate MalOps for information on setting the investigation status during the remediation process.

For Endpoint Protection MalOps, you can use the Mark as resolved button to indicate a MalOp has been manually resolved.

View the MalOp state

When you set the MalOp’s investigation status, the platform also automatically updates the MalOp’s state to show where along the path to resolution a MalOp is at the moment.

The MalOp state differs from the investigation status as it reflects the progress toward resolution instead of the MalOp’s position in the investigation and triage process.

The MalOp states are updated accordingly depending on the investigation statuses and activities of items associated with the MalOp:

Investigation status

MalOp state

New

When the investigation status is New, the MalOp state my be one of the following:

  • Active (in most cases)

  • Inactive - if the root cause process for an Endpoint Protection MalOp is suspended)

  • Resolved - if the root cause process for an Endpoint Protection MalOp is prevented)

Under Investigation

When the investigation status is Under Investigation, the MalOp state may be one of the following:

  • Active (in most cases)

  • Inactive - if you use Prevent file execution response option

Reopened

When the investigation status is Reopened, the MalOp state may be one of the following:

  • Active (in most cases)

  • Inactive - if the root cause process for an Endpoint Protection MalOp is suspended

  • Resolved - if the root cause process for an Endpoint Protection MalOp is prevented

Closed

When the investigation status is Closed, the MalOp state may be one of the following:

  • Resolved (in most cases)

  • Excluded - if you use the Exclude option for a MalOp

On Hold

Active

Set the MalOp priority

You can add one of the following tags to MalOps to help prioritize the response process:

  • High

  • Medium

  • Low

The priority feature can help security analysts determine which MalOps are more urgent and which require further investigation. For example, you might assign a High priority to a MalOp that indicates a Remote Access Trojan (RAT) on a domain controller. Likewise, you might assign a Low priority to a known adware application on a lab or research and development (R&D) machine.

The priority feature is also helpful to organizations that do not have an external ticketing or case management system and that also rely entirely on the Malops management screen to manage MalOp workflows.

Priority Label

You set a MalOp’s priority from the Priority column on the Malops management screen. If the column is not visible, click the columns icon on the upper right of the MalOps list and check the box next to Priority. The priority column has a drop-down menu for each MalOp, from which you can select a priority to assign to that MalOp.

You can filter MalOps by priority. To do this, select the priority in the Filters options.

Mark a MalOp status

For AI Hunting MalOps you can use the Mark as option in the Malop details screen or the Mark as resolved button in the Malops management screen to quickly exclude a MalOp or to better organize MalOps.

Mark as options in the Malop details screen for AI Hunting MalOps include the following:

Malop status

Description

Unread

Recently discovered MalOps that have not yet been viewed. Cybereason automatically assigns new MalOps the Unread status. When you or another analyst views the MalOp the status automatically moves to Under Investigation.

To review

MalOps that you have read and specifically marked for review.

Not relevant

MalOps that are not relevant to your organization. Marking MalOps as Not relevant prevents identical MalOps from appearing in the Cybereason interface.

Additionally, if the root cause of the MalOp is a file hash, IP address, or domain, Cybereason adds the root cause to the allowlist.

This action is the same as using the Malop is benign - Exclude option in the Malops management screen.

Remediated

MalOps that you or another analyst remediated. After applying a remediation solution, you must manually mark the item as Remediated so the platform will continue monitoring similar occurrences of the threat and alert you if it reappears.

Cybereason moves MalOps marked as Not relevant to the Archived section on the Malop inbox screen.

For Endpoint Protection MalOps, you can use the Mark as resolved button in the Malops management screen to indicate that a MalOp has been manually resolved.

In addition, if your Cybereason environment uses the Data Platform infrastructure, above the MalOps list, click Set status to and select the status.

Set Malop status in the Data Platform Malops management screen

Escalate a MalOp

To quickly note that a MalOp requires addressing, click the Escalate button in the MalOp’s Escalation column. If the column is not visible, click the columns icon on the upper right of the MalOps list and check the box next to Escalation. To remove a MalOp from esclation, click the x next to the MalOp’s Escalated label in the Escalation column.

Escalate a Malop

You can quickly view escalated MalOps using the Escalated Malops only checkbox on the upper right of the MalOps list (for environments not using the new Data Platform infrastructure) or by selecting Escalated in the Investigation status section in the filters on the left side of the screen (for environments using the new Data Platform infrastructure).

Escalating a MalOp only adds an internal label to the MalOp which enables you to later filter by escalated MalOps. If you escalate the MalOp, it does not affect email notificatons for MalOps.

Add MalOp labels

You can assign one or more labels to each MalOp so that you can organize any MalOps that your Cybereason platform detects.

Note

Local analysts cannot use the MalOp label function.

For example, use MalOp labels to track:

Categorization

Examples

Attack Types

RAT, Keyloger, Ransomware, Adware

Attack Campaigns

5/17 Spear Phishing Campaign, 2/17 DDoS

VIP Users

CFO, Domain Admin, DB Admin

Threat Actors

Fuzzy Panda, APT26, Sandworm, Shady Rat

IT Policy Violations

Games, P2P, Unapproved Browser

Responsible Analyst

Analyst_A, Analyst_B

To create labels, follow these steps:

  1. Above the MalOps list on the left, click Labels.

  2. In the Manage labels dialog box, start typing the name of your new label in the search field. The Add new label button appears.

  3. Click Add new label, and click Save.

To delete labels, follow these steps:

  1. Above the MalOps list on the left, click Labels.

  2. Search for existing labels.

  3. Click the ‘x’ on the label, and then click Save.

To apply or remove labels, follow these steps:

  1. In the list, select the MalOp or MalOps that you want.

  2. Above the MalOps list on the left, click Labels.

  3. From the Manage labels dialog box, do one of the following:

    • To apply an existing label, select the label.

    • To remove the label, click the ‘x’.

  4. Click Save.

Note

When you click the ‘x’ on a label when one or more MalOps are selected, the Cybereason platform removes the label from the selected MalOps but does not delete the label. To delete a label, click the ‘x’ on the label when no MalOps are selected.

You can filter MalOps by label. To do this, select the label that you want in the Filters options.

Resolve a MalOp

For all MalOps you can manually resolve any MalOp in the main Malops management screen.

If your Cybereason environment does not use the Data Platform infrastructure, click the Mark as resolved button above the MalOp list.

If your Cybereason environment uses the Data Platform infrastructure, do one of the following:

  • In the Malop Details, set the Investigation status to Closed.

  • Above the main MalOps list, click Set status to and select the appropriate status.

    Set Malop status in the Data Platform Malops management screen