Examine MalOp Details

For each MalOp, the Cybereason platform presents a high-level summary of all the important information for the MalOp in the Malop details screen.

Malop Details

You access a MalOp’s Malop details screen by clicking the on the Malop from the Malops management page. The Malop details screen then opens in a separate tab.

Malop Details

The upper left corner of the Malop details screen displays the MalOp type and root cause.

For AI Hunting MalOps, if the MalOp has been reopened, you can narrow down the information displayed using the View activity since option in the upper right corner of the screen. The View activity since option allows you to customize what activity is shown on the Malop details screen. Options are:

  • All time: Displays all activity related to the MalOp.

  • Remediated: Displays only the activity that occurred since the MalOp was reopened.

  • Custom Date/Time: Displays only activity that occurred since the specified data/time.

Depending on the MalOp, the screen contains the following sections:

  • Overview

  • Process

  • Files

  • Machines

  • Users

  • Communication

Overview section

The Overview section provides the high-level details of the MalOp, including a description, comments section, and a visual diagram. The diagram displays affected users and machines, the type of MalOp and its root cause, the process that was involved, and incoming and outgoing connections.

Below the diagram is a timeline of the MalOp’s activity, showing the stages the MalOp has reached, including suspicions, connections and machines affected.

Malop Details for AI Hunting Malop

Note

If there are multiple occurrences of the same type of suspicion, the timeline shows the suspicion once. You can see the full list of suspicions in the Suspicions area below the timeline.

Processes section

The Processes view gives you an in-depth look at the malicious process. This view shows:

  • The modules that the process loaded

  • Any network connections or DNS requests the process made

  • Whether and by whom the process is signed

  • The hash for the file

  • Where the process is running

  • The suspicions that caused Cybereason to label the process as a MalOp

  • The modules or child processes

From the left side of the Malop details screen > Process profile area, you can Hunt with the Attack Tree to view a specific process’s chain of execution from start to finish.

Process View

Files section

The Files section appears for Endpoint Protection MalOps, and lists information about files that are associated with the detected malware.

Malop Details Files Tab

Machines section

The Machines section provides you with:

  • Information about the machine on which the MalOp was discovered.

  • Details to help you compare what is happening on all the machines with the given MalOp

  • View how many users are defined on the machine

  • View machine details, such as the operating system, number of processes, and any network connections the machine is making.

Machine View

Users section

The Users section provides information about:

  • Users for the affected machine

  • Information about the domain to which the user is connected and the organization to which the user belongs.

  • Details on the user’s privileges

  • Details about the last time the user changed his or her password.

  • Lists the processes that are running on the machine, along with the account each process is running under. You can click a process to see additional processes that are running under the same user account.

Malop User View

Communications section

The Communications section provides information about any incoming and outgoing communications that are associated with the malicious behavior.

Communication Tab

Next Steps

See the topics in the Analyze MalOps and Determine Threat Level section for guidelines of investigating the different properties displayed in the Malop details screen.