MalOp Grouping
To simplify and clarify your view of MalOps in your organization, a single MalOp may represent multiple malicious items or activities. The single “grouped” MalOp lists information about all associated malicious elements and activities, including all root causes.
Note
MalOp grouping is different from sensor grouping. For information on interacting with MalOps in a specific sensor group, see MalOps and sensor grouping.
How MalOp grouping works
The Cybereason platform groups MalOps only when they share the same root cause detection.
Grouping decisions are based on the following:
| MalOp types | Details |
|---|---|
| For all MalOps | |
| For AI Hunt MalOps | If the root cause Element is File, the Cybereason platform aggregates by file hash except in the following cases: |
| For Endpoint Protection MalOps | |
If the Cybereason platform encounters a malicious element or activity whose root cause triggered a MalOp in the past, the Cybereason platform adds the new item’s details to the existing MalOp, including any new root causes, instead of generating a new MalOp.
You can view detailed information about each instance of the malicious element or activity in the Malop details screen.
If the root cause has not triggered a MalOp in the past, the Cybereason platform creates a new MalOp.
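The grouping rule above (aggregate by the root cause, by file hash when the root cause element is a file, append to an existing MalOp instead of creating a new one, and record any new root causes) can be modelled in a few dozen lines. The block below is an added illustration, not Cybereason's code: the grouping key, the case-folding of the hash, the fallback key for non-File elements, the reopen bookkeeping and the sample detections are all assumptions made for this demo, and the page's exceptions to hash aggregation are not listed there, so none are modelled.

```python
"""Illustrative model of Cybereason MalOp grouping (added example; not
Cybereason's code). The grouping key, the hash normalisation and the
sample detections are assumptions constructed for this demo; the page's
exceptions to hash aggregation are not listed there, so none are modelled."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RootCause:
    element_type: str   # e.g. "File" or "Process"
    identifier: str     # file hash for File elements, otherwise a name (assumed)
    description: str    # what the Malops management grid shows per root cause


@dataclass
class Detection:
    seq: int            # monotonically increasing event sequence number
    root_cause: RootCause
    tab: str            # Malop details tab the activity belongs to, e.g. "Processes"
    machine: str


@dataclass
class MalOp:
    malop_id: str
    root_causes: list
    detections: list
    status: str = "open"
    reopened_at_seq: Optional[int] = None


def grouping_key(rc: RootCause) -> tuple:
    """Page rule: File root causes aggregate by file hash. The case-folding of the
    hash and the fallback key for non-File elements are this demo's assumptions."""
    if rc.element_type == "File":
        return ("File", rc.identifier.lower())
    return (rc.element_type, rc.identifier)


class MalOpStore:
    def __init__(self) -> None:
        self.malops: dict = {}      # grouping key -> MalOp, in creation order
        self._next_id = 0

    def ingest(self, det: Detection) -> MalOp:
        key = grouping_key(det.root_cause)
        malop = self.malops.get(key)
        if malop is None:
            # Root cause never triggered a MalOp: create a new one.
            self._next_id += 1
            malop = MalOp(f"malop-{self._next_id}", [det.root_cause], [])
            self.malops[key] = malop
        else:
            # Root cause already has a MalOp: append to it, reopening it if it
            # was closed, and record any root cause not yet listed.
            if malop.status == "closed":
                malop.status = "open"
                malop.reopened_at_seq = det.seq
            if det.root_cause not in malop.root_causes:
                malop.root_causes.append(det.root_cause)
        malop.detections.append(det)
        return malop

    def close(self, malop: MalOp) -> None:
        malop.status = "closed"


def detection_description(malop: MalOp) -> str:
    """Grid view of the Malops management screen: root causes, comma separated."""
    return ", ".join(rc.description for rc in malop.root_causes)


def shown_detections(malop: MalOp, only_new: bool) -> list:
    """The 'Only new activity' check box: events since the MalOp was reopened."""
    if not only_new or malop.reopened_at_seq is None:
        return list(malop.detections)
    return [d for d in malop.detections if d.seq >= malop.reopened_at_seq]


def visible_tabs(malop: MalOp, only_new: bool) -> set:
    """Tabs at the bottom of Malop details: only those with something to show."""
    return {d.tab for d in shown_detections(malop, only_new)}


def run_demo() -> list:
    """Feed constructed detections through the store; returns MalOps in creation order."""
    sha = "deadbeef" * 8                      # constructed sample SHA-256
    by_hash = RootCause("File", sha, "Malicious by hash")
    ransom = RootCause("File", sha.upper(), "Ransomware behavior")
    dumper = RootCause("Process", "lsass_dumper.exe", "Credential dumping")
    store = MalOpStore()
    store.ingest(Detection(1, by_hash, "Processes", "WS-01"))
    store.ingest(Detection(2, ransom, "Files", "WS-02"))      # same hash: grouped
    store.ingest(Detection(3, dumper, "Processes", "WS-01"))  # new root cause: new MalOp
    first = list(store.malops.values())[0]
    store.close(first)
    store.ingest(Detection(4, by_hash, "Processes", "WS-03"))  # reopens malop-1
    return list(store.malops.values())


if __name__ == "__main__":
    for m in run_demo():
        print(m.malop_id, m.status, "|", detection_description(m),
              "| only-new tabs:", sorted(visible_tabs(m, only_new=True)))
```

Running the demo yields two MalOps: the two file detections collapse into `malop-1` with both root causes listed in its detection description, the process detection opens `malop-2`, and the fourth detection reopens `malop-1` rather than creating a third. With the "only new activity" filter applied to the reopened MalOp only the post-reopen event remains, so the Files tab drops out exactly as the page describes for tabs with no new activity.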
Viewing grouped MalOps
Grouped MalOps display in both the Malops management and Malop details screens:
| View | Details |
|---|---|
| From the Malops management screen | The Malops management screen shows one row per MalOp, even if the grouping functionality was applied. In grid view, the root causes are listed in the Detection description column, separated by a comma. In card view, the root causes are listed in the Subject column in red above the malicious behavior. |
| From the Malop details screen | The Malop details screen lists the multiple root causes (if applicable) under the name of the file or process that triggered the MalOp. Details about each root cause can be found on the left side of the Malop details screen. If a MalOp was reopened, an Only new activity check box appears at the top of the screen. Select this check box to view details for only the events that occurred since the MalOp was reopened. Because only new events are displayed, you may not see all the tabs at the bottom of the Malop details screen. For example, if there are no new processes, the Processes tab is not displayed. You can investigate the primary root cause from the Investigate drop-down menu. |