MalOp Grouping

To simplify and clarify your view of MalOps in your organization, a single MalOp may represent multiple malicious items or activities. The single “grouped” MalOp lists information about all associated malicious elements and activities, including all root causes.

Note

MalOp grouping is different from sensor grouping. For information on interacting with MalOps in a specific sensor group, see MalOps and sensor grouping.

How MalOp grouping works

The Cybereason platform only groups MalOps that share the same root cause detection.

Grouping decisions are based on the following, by MalOp type:

For all MalOps

  • If the Cybereason platform generates the same MalOp multiple times because of scheduled scans, it groups the instances into a single MalOp and records the time it first detected the MalOp, the time it most recently detected the MalOp, and the number of instances of the MalOp.

  • The item stems from a source found in a previously generated MalOp.

  • The item satisfies more than one root cause.

For AI Hunt MalOps

If the root cause Element is File, the Cybereason platform aggregates by file hash except in the following cases:

  • If the file is classified as a potentially unwanted program (PUP), the Cybereason platform aggregates by company.

  • If the file is signed, and has an internal name, company name, and product name, the Cybereason platform aggregates by those elements (all values per element have to be identical in this case).

For Endpoint Protection MalOps

  • If the Cybereason platform Anti-Malware feature identifies the item, the Cybereason platform groups the malicious files into one MalOp by file hash value.

  • If the Cybereason platform Anti-Malware feature identifies the item as a PowerShell process, the Cybereason platform groups the MalOps by the root cause, such as the domain, URL, or script pattern.

If the Cybereason platform encounters a malicious element or activity whose root cause triggered a MalOp in the past, the Cybereason platform adds the new item’s details to the existing MalOp, including any new root causes, instead of generating a new MalOp.

You can view detailed information about each instance of the malicious element or activity in the Malop details screen.

If the root cause has not triggered a MalOp in the past, the Cybereason platform creates a new MalOp.
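The following Python model is an added example, not Cybereason code, that puts the grouping rules above into a runnable form: the AI Hunt aggregation key for a File root cause (hash by default, company for a PUP, and the internal/company/product name triple for a signed file) and the fold-in behaviour for repeated detections (first detected, most recently detected, instance count, and accumulated root causes). The class and field names, the precedence of the PUP rule over the signed-file rule, and the fallback to the hash when a PUP carries no company name are assumptions; the page does not specify them.

```python
# Added illustrative model of the MalOp grouping rules on this page.
# Not Cybereason code: class and field names are assumptions.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class FileEvidence:
    """Metadata about a file-type root cause Element (field names assumed)."""
    sha256: str
    is_pup: bool = False
    is_signed: bool = False
    company_name: str = ""
    internal_name: str = ""
    product_name: str = ""


def aggregation_key(f: FileEvidence) -> Tuple[str, ...]:
    """Return the key an AI Hunt File root cause is aggregated by.

    Default is the file hash; a PUP aggregates by company; a signed file
    with internal, company and product names aggregates by those three.
    Rule precedence (PUP checked first) and the fallback to the hash when
    a PUP has no company name are assumptions, not stated on the page.
    """
    if f.is_pup and f.company_name:
        return ("company", f.company_name)
    if f.is_signed and f.internal_name and f.company_name and f.product_name:
        # All three values must be identical for two files to share this key.
        return ("signed", f.internal_name, f.company_name, f.product_name)
    return ("hash", f.sha256.lower())


@dataclass
class MalOp:
    key: Tuple[str, ...]
    first_detected: datetime
    last_detected: datetime
    instances: int = 1
    root_causes: Set[str] = field(default_factory=set)


class MalOpStore:
    """Groups incoming detections into MalOps keyed by aggregation_key."""

    def __init__(self) -> None:
        self.malops: Dict[Tuple[str, ...], MalOp] = {}

    def ingest(self, evidence: FileEvidence, root_cause: str,
               seen_at: datetime) -> MalOp:
        key = aggregation_key(evidence)
        malop = self.malops.get(key)
        if malop is None:
            # This root cause has not triggered a MalOp before: create one.
            malop = MalOp(key, seen_at, seen_at, 1, {root_cause})
            self.malops[key] = malop
            return malop
        # Existing MalOp: fold the new instance in, keep the earliest and
        # latest detection times and the count, and record any new root cause.
        malop.instances += 1
        malop.first_detected = min(malop.first_detected, seen_at)
        malop.last_detected = max(malop.last_detected, seen_at)
        malop.root_causes.add(root_cause)
        return malop


if __name__ == "__main__":
    # Constructed sample: two scheduled-scan hits on the same hash.
    store = MalOpStore()
    hit = FileEvidence(sha256="0000aaaa")
    store.ingest(hit, "Malicious file", datetime(2024, 1, 1, 8, 0))
    m = store.ingest(hit, "Malicious file", datetime(2024, 1, 2, 8, 0))
    print(m.key, m.instances, m.first_detected, m.last_detected)
```

Two signed files with different hashes but identical internal, company and product names land in one MalOp, while an unsigned file with a new hash starts a fresh one; a second root cause seen for an existing key is appended to that MalOp's root_causes rather than creating a second row.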

Viewing grouped MalOps

Grouped MalOps display in both the Malops management and Malop details screens:

From the Malops management screen

The Malops management screen shows one row per MalOp, even when grouping has been applied.

In grid view, the root causes are listed in the Detection description column, separated by a comma. In card view, the root causes are listed in the Subject column in red above the malicious behavior.

From the Malop details screen

The Malop details screen lists the multiple root causes (if applicable) under the name of the file or process that triggered the MalOp. Details about each root cause can be found on the left side of the Malop details screen.


If a MalOp was reopened, an Only new activity checkbox appears at the top of the screen. Select this checkbox to view details for only the events that occurred since the MalOp was reopened. Because only new events are displayed, you may not see all the tabs at the bottom of the Malop details screen. For example, if there are no new processes, the processes tab is not displayed.

(Figure: Grouping new activity)

You can investigate the primary root cause from the Investigate drop-down menu.


MalOp grouping and upgrades

MalOps triggered after an upgrade are not combined with MalOps created pre-upgrade.

If a new MalOp (post-upgrade) is triggered by the same hash, injection, or domain/IP address as a pre-upgrade MalOp, the Cybereason platform creates a new grouped MalOp in your Malops management screen, instead of adding the new malicious element or activity details to the existing MalOp.

In these cases, you have two MalOps (one from pre-upgrade and one from post-upgrade), but you can see information about both from the newer MalOp.