MalOp Grouping

To simplify and clarify your view of MalOps in your organization, a single MalOp may represent multiple malicious items or activities. The single “grouped” MalOp lists information about all associated malicious elements and activities, including all root causes.

Note

MalOp grouping is different from sensor grouping. For information on interacting with MalOps in a specific sensor group, see MalOps and sensor grouping.

How Malop grouping works

When the Cybereason platform decides to group MalOps together, the MalOps must also share the same root cause detection when they are grouped.

Grouping decisions are based on the following:

MalOp types

Details

For all MalOps

  • If the Cybereason platform generates a MalOp multiple times because of scheduled scans, the platform groups the instances into a single MalOp. In this case, the Cybereason platform notes the time that the platform first detected the MalOp, the time the platform most recently detected the MalOp, and the number of instances of the MalOp.

  • The item stems from a source found in a previously generated MalOp.

  • The item satisfies more than one root cause.

For AI Hunt MalOps

If the root cause Element is File, the Cybereason platform aggregates by file hash except in the following cases:

  • If the file is classified as a potentially unwanted program (PUP), the Cybereason platform aggregates by company.

  • If the file is signed, and has an internal name, company name, and product name, the Cybereason platform aggregates by those elements (all values per element have to be identical in this case).

For Endpoint Protection MalOps

  • If the Cybereason platform Anti-Malware feature identifies the item, the Cybereason platform groups the malicious files into one MalOp by file hash value.

  • If Cybereason’s Anti-Malware feature identifies the item as a PowerShell process, the Cybereason platform groups the MalOps by the root cause, such as the domain, URL, or script pattern.

If the Cybereason platform encounters a malicious element or activity whose root cause triggered a MalOp in the past, the Cybereason platform adds the new item’s details to the existing MalOp, including any new root causes, instead of generating a new MalOp.

You can view detailed information about each instance of the malicious element or activity in the Malop Details screen.

If the root cause has not triggered a MalOp in the past, the Cybereason platform creates a new MalOp.

Viewing grouped MalOps

Grouped MalOps display in both the Malops management and Malop details screen:

View

Details

From the Malops management screen

The Malops management screen shows one row per MalOp, even if the grouping functionality was applied.

In grid view, the root causes are listed in the Detection description column, separated by a comma. In card view, the root causes are listed in the Subject column in red above the malicious behavior.

From the Malop details screen

The Malop details screen lists the multiple root causes (if applicable) under the name of the file or process that triggered the Malop. Details about each root cause can be found on the left side of the Malop details screen.

Malop Grouping

If a MalOp was reopened, an Only new activity check box appears at the top of the screen. Select this checkbox to view details for only the events that occurred since the MalOp was reopened. Because only new events are displayed, you may not see all the tabs at the bottom of the MalOp details screen. For example, if there are no new processes, the processes tab will not be displayed.

Grouping new activity

You can investigate the primary root cause from the Investigate drop down menu.

Malop Grouping