View MalOps with the Data Platform Architecture

In the Cybereason platform, you use the Malops management screen to gain an overall view of MalOps in your environment, and to manage the MalOp remediation workflow.

[Screenshots: Malops management screen; Malops management screen with DI; Malops management screen with DI with the top widgets hidden]

Note

If you are using an environment without the newer Data Platform architecture, your Malops management screen may look different from what is described here. See the View Malops topic instead.

The above screenshot calls out the six main parts of the Malops management screen:

  1. View overall statistics from the Malops management dashboard

  2. Search for MalOps in your environment

  3. Filter MalOps by specific characteristics

  4. Change how MalOps appear on the Malops management screen

  5. View details about each MalOp

  6. Respond to MalOps (see Understand Threat Activity)

View the Malops management dashboard

The dashboard in the Malops management screen presents important information about the environment in a graphical, easy-to-read format.

Regardless of your filters, the dashboard above the MalOp Management table always shows data based on the Last One Year time filter.

Dashboard widgets include:

  • Active MalOps: Shows the number of active and total MalOps in your organization as a ratio.

  • MalOps by detection module: Shows the number of AI Hunt MalOps (MalOps created by the Cybereason platform Cross Machine Correlation Engine) and the number of Endpoint Protection MalOps (MalOps created by the Cybereason platform NGAV features). This box also shows the connection status of Cybereason’s threat intelligence services.

  • Machines overview: Information about the number of online, offline, infected, and clean machines. Infected machines have at least one active MalOp; clean machines have no active MalOps.

  • MalOps trend over past week: A graph showing the trend of MalOp creation over the past week.

In versions 23.1.125 and later, you can minimize the dashboard to view more MalOps in the grid:

[Screenshot: Hide the dashboard in the Malops management screen]

[Screenshot: Show the dashboard in the Malops management screen]

Search for MalOps

[Screenshot: Malops management search]

Using the search feature, you can select a MalOp characteristic (Element) and enter free text to search for MalOps whose selected characteristic contains your text.

You can search by a MalOp’s associated:

  • Subject

  • MalOp name

  • Label

  • Root cause hash

  • MalOp GUID

  • Machine name

  • User Name

For example, a search for admin with Machines selected returns all MalOps whose affected machines have admin in the name, but does not return MalOps where admin appears only elsewhere, such as in an affected user’s username.
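As an added illustration that is not part of the Cybereason documentation, the following Python models the element-scoped search described above (the admin example) and the dashboard's Active MalOps ratio and infected/clean machine counts from the Machines overview widget, over a few constructed MalOp records; the field names are assumptions, not the product's data model.

```python
# Added example: models the element-scoped search and dashboard widgets described on
# this page over constructed records. Field names are assumptions, not Cybereason's
# data model.

# Constructed sample MalOps; "state" uses the MalOp states listed on the page.
MALOPS = [
    {"guid": "m-1", "name": "Credential theft", "subject": "lsass.exe", "label": "",
     "root_cause_hash": "hash-a", "state": "Active",
     "machines": ["admin-laptop-01"], "users": ["corp\\jsmith"]},
    {"guid": "m-2", "name": "Known malware", "subject": "dropper.exe", "label": "pup",
     "root_cause_hash": "hash-b", "state": "Resolved",
     "machines": ["ws-07"], "users": ["corp\\admin"]},
    {"guid": "m-3", "name": "Ransomware", "subject": "enc.exe", "label": "",
     "root_cause_hash": "hash-c", "state": "Active",
     "machines": ["ws-07", "fileserver-02"], "users": ["corp\\bwong"]},
]

# Search elements as listed on the page, mapped to the record field each one scopes to.
ELEMENTS = {
    "Subject": "subject", "MalOp name": "name", "Label": "label",
    "Root cause hash": "root_cause_hash", "MalOp GUID": "guid",
    "Machine name": "machines", "User Name": "users",
}

def search(malops, element, text):
    """Return GUIDs of MalOps whose selected element contains `text` (case-insensitive).
    Only the chosen element is examined, so a hit in any other field is not a match."""
    field = ELEMENTS[element]
    needle = text.lower()
    hits = []
    for m in malops:
        values = m[field] if isinstance(m[field], list) else [m[field]]
        if any(needle in v.lower() for v in values):
            hits.append(m["guid"])
    return hits

def active_ratio(malops):
    """Active MalOps widget: (active count, total count)."""
    active = sum(1 for m in malops if m["state"] == "Active")
    return active, len(malops)

def machines_overview(malops, all_machines):
    """Machines overview: a machine is infected if it has at least one active MalOp,
    clean otherwise. `all_machines` is the constructed inventory of known machines."""
    infected = {mach for m in malops if m["state"] == "Active" for mach in m["machines"]}
    clean = set(all_machines) - infected
    return sorted(infected), sorted(clean)
```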

Filter Malops

Select the filter icon to open the filter menu. You can filter by:

  • Time range: The time the MalOp was created. You can select All time, Today, Last week, Last month, Last three months, Last year, or a custom time range. Note: when you filter by a time range, the Malops management screen updates the MalOps in the list, but not the dashboard widgets.

  • MalOp investigation status

  • MalOp state: The state that the Cybereason platform assigns to the MalOp.

  • Detection engine: The engine that detected the MalOp.

  • Detection type: Filter by Potentially Unwanted Programs (PUP) (versions 23.2.20 and later).

  • MalOp priority: The priority an analyst assigned to the MalOp.

  • MalOp severity: The severity of the MalOp assigned by an analyst. You can filter by High, Medium, or Low.

  • MalOp labels: Any custom labels applied to the MalOp.

  • MalOp type: (Versions 23.2.126 and later) The type of MalOp. You can filter by EDR (AI Hunting) or NGAV (Endpoint Protection MalOps).

  • Machine status: The status of the machines on which the activity represented in the MalOp occurred.

  • OS type: The operating system (Windows, macOS, or Linux) of the machines associated with the MalOp.

  • Protection type: The automatic protection action taken by the sensor for the activity represented in the MalOp.

  • User privileges: The privilege level of the users associated with the MalOp.

Applied filters display above the results, so you can remove an individual filter while viewing the results.

[Screenshot: Applied filters in the Malops management screen]

In versions 23.1.125 and higher, click Clear filters to remove the current filters.

For a description of the different values used in the filters, see the section below on Select data to view.

Change how Malops are displayed

[Screenshot: Malops management views]

Next to the View label, choose between Grid view and Card view. The only difference between the two views is how the MalOp information is presented in the Subject column, as described below.

  • Grid: Displays a brief description of the MalOp, including the triggering item and a matching icon (for example, the Firefox logo for Firefox processes). Suitable for actively working with MalOps, such as assigning priority, escalating, or responding.

  • Card: Displays information about the MalOp, including the triggering item, primary root cause, and detection type. This view also displays different infographics depending on the subject’s behavior (see the following table). Suitable for quickly assessing threats.

If you select the Card view, you can see additional information. The following table describes the infographics that are visible when the Subject column card view is active.

  • Command and control: Network icon on a server connection to the target machine.

  • Reconnaissance: Process icon with a radar image connected to the target machine.

  • Injection: Process icon with code pointing to an additional process connected to the target machine.

  • Persistence: Process icon pointing to an anchor connected to the target machine.

  • Ransomware: Ransomware icon connected to locked files connected to the target machine.

  • Lateral movement: Process icon with an arrow branching to multiple machines connected to the initial target machine.

  • Credential theft: Process icon pointing to a badge connected to the target machine.

  • Known malware: Process icon with a shield connected to the target machine.

Select a sensor group

If sensor grouping is enabled, analysts with the Local Analyst L1 or L2 role can view MalOps associated with the sensors in the sensor groups they have permissions for.

To select which sensor group MalOps to view, check the relevant boxes in the sensor group drop-down menu on the right, above the list of MalOps.

[Screenshot: Local Analyst Malop]

For more information on local analysts and sensor grouping, see Manage Sensor Groups.

Select data to view

Use the column icon on the upper right of the results to customize which columns to view.

Column options include:

  • State (icon): The type and state of the MalOp.

    MalOp type:

      • AI Hunting MalOp

      • Endpoint Protection MalOp

    MalOp states:

      • Active (red)

      • Inactive (orange)

      • Resolved (green)

      • Excluded (grey)

    For more information, see Malop Types and Components.

  • Subject: Brief description of the item involved in the MalOp.

    Grid view:

      • Triggering item

      • Item type (icon)

    Card view:

      • Detection type

      • Triggering item

      • Item type (icon)

      • Threat engine

  • Group (for environments with sensor grouping enabled): The names of the groups to which the machines associated with the MalOp belong. Value: group names.

  • Resolved by: Populated if the MalOp was resolved. One of the following:

      • Cybereason: The Cybereason platform automatically prevented, disinfected, or quarantined a malicious item.

      • Analyst username: An analyst manually resolved the MalOp using the ‘Mark as remediated/resolved’ button in the Malops management or Malop details screen.

  • Affected machines: Machines associated with the MalOp. Value: machine name, or machine count if more than one machine is involved.

  • OS type (icon): Machine types associated with the MalOp.

      • Windows

      • Linux

      • MacOS

  • Affected users: Users associated with the MalOp. Value: user name, or user count if more than one user is involved.

  • User privileges (icon): Type of users associated with the MalOp.

      • Administrator

      • Domain user

      • Local system

  • Detection description: The type of behavior that triggered the MalOp.

    For Endpoint Protection MalOps:

      • AI malware classification

      • Known malware

      • Ransomware behavior

    For AI Hunting MalOps, see the list of MalOp types in the MalOp Types topic.

  • Detection modules: The Cybereason component that detected the malicious behavior.

      • AI Hunting

      • Anti-Malware

      • AI-based Anti-Malware

      • Fileless protection

      • Anti-Ransomware

      • Behavioral Document Protection

      • Mobile

      • Exploit Protection

      • Application Control

      • Behavioral Execution Prevention

      • Variant Payload Protection

      • Sensor Tampering Protection

  • Start time: The time the MalOp was triggered. Format: Month day, year at hh:mm:ss AM/PM timezone (for example, September 25, 2019 at 01:22:45 PM GMT-5).

  • Update time: The last time the MalOp was updated. Format: Month day, year at hh:mm:ss AM/PM timezone.

  • Escalation: Whether or not the MalOp is currently escalated. Shows the Escalate button, or an ‘x’ button to de-escalate.

  • Severity: The severity of the threat as determined by Cybereason.

      • High

      • Medium

      • Low

  • Priority: The priority setting for the MalOp.

      • High

      • Medium

      • Low

  • Labels: Custom labels. Value: label name.

  • Protection type: The type of automatic prevention action taken by the sensor on the machines associated with the MalOp. Any of the following values:

      • Detected: The sensor detected the activity but did not prevent its execution.

      • Prevented: The sensor prevented the activity.

      • Quarantined: The sensor quarantined the file associated with the MalOp.

      • Disinfected: The sensor removed the file associated with the MalOp from the machine.

      • Failed: The sensor failed to remove the file associated with the MalOp from the machine.

      • Failed to quarantine: The sensor failed to quarantine a file associated with the MalOp.

      • Failed to prevent: The sensor failed to stop the execution of the activity that caused the MalOp.

      • Deleting on restart: The sensor will remove the file after a machine restart.

      • Mitigated: (Mobile MalOps only) The sensor already took actions to mitigate the threat associated with the MalOp.

In versions 23.1.125 and later, you can also sort by any column to order the MalOps in a way that is more meaningful for your work.