View Malops

In the Cybereason platform, you use the Malops management screen to gain an overall view of MalOps in your environment, and to manage the MalOp remediation workflow.

Malops management screen overview

Malops management overview

Note

If you are using an environment with the newer Data Platform model, your Malops management screen may look different from what is described here. Visit the View MalOps with the Data Platform Architecture topic instead.

The above screenshot calls out the six main parts of the Malops management screen:

  1. Malops management dashboard

  2. Search and filter options

  3. Quick filters

  4. View options

  5. MalOps list

  6. Response options (see Remediate MalOps)

View the Malops management dashboard

The dashboard in the Malops management screen presents important information about the environment in a graphical, easy to read format.

The dashboard widgets update based on the time frame you select in the time frame filter.

Dashboard widgets include:

Malops management dashboard

MalOps view

Description

Active MalOps

Shows the number of active and total MalOps in your organization as a ratio.

MalOps by detection module

Shows the number of AI Hunt MalOps (MalOps created by the Cybereason platform's Cross Machine Correlation Engine) and the number of Endpoint Protection MalOps (MalOps created by the Cybereason platform's NGAV features). This box also shows the connection status of Cybereason’s threat intelligence services.

Machines overview

Information about the number of online, offline, infected, and clean machines. Infected machines have at least one active MalOp. Clean machines have no active MalOps.

MalOps trend over past week

A graph showing the trend of MalOp creation over the past week.

Search for MalOps

Malops management search

Using the search field, you can enter free text to search for MalOps by a custom value.

The Cybereason platform returns MalOps that contain your search term anywhere in their metadata. For example, a search for ‘admin’ will return MalOps that have affected users with ‘admin’ in their username, as well as MalOps that have affected machines with ‘admin’ in their name.

Filter Malops

Malops management filters

You can filter MalOps by time frame or by a variety of MalOp characteristics.

Select the time frame drop-down menu to limit results to MalOps triggered today, last week, last month, last three months, last year, or all time.

Select the Filters button to toggle the filter menu. You can filter by MalOp state, Detection module, Priority, OS type, machine status, user privileges, or labels.

The numbers next to the filters represent the number of MalOps that have that property. As you add more filters, the numbers next to the other filters update.

The quick filters allow you to filter by:

  • AI hunting MalOps only

  • Escalated Malops (MalOps that a lower-level analyst has escalated)

  • Active MalOps
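The search and filter behaviour described in the two sections above (free-text matching anywhere in the MalOp metadata, the time frame menu, property filters whose counts update as filters are added, and the three quick filters) can be modelled in a few functions. The block below is an added example and is not Cybereason code or the platform's API; the record field names, the MalOp records themselves and the look-back windows for the time frame entries are constructed assumptions chosen to mirror the filter and column names on this page.

```python
"""Added example (not Cybereason code): models the Malops management screen's
search, time-frame filter, property filters, facet counts and quick filters over
a small constructed set of MalOp records. Field names and values are assumptions
mirroring the page's filter and column names, not the platform's API."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample MalOps (not real data). Start times are relative to NOW.
NOW = datetime(2019, 9, 25, 13, 22, 45)

MALOPS = [
    {"id": "M1", "state": "Active", "module": "AI Hunting", "priority": "High",
     "os": "Windows", "machines": ["DC-ADMIN-01"], "users": ["corp\\jsmith"],
     "escalated": True, "start": NOW - timedelta(hours=3)},
    {"id": "M2", "state": "Resolved", "module": "Anti-Malware", "priority": "Low",
     "os": "Windows", "machines": ["WS-0042"], "users": ["corp\\admin.backup"],
     "escalated": False, "start": NOW - timedelta(days=5)},
    {"id": "M3", "state": "Active", "module": "Anti-Ransomware", "priority": "High",
     "os": "Linux", "machines": ["FILESRV-02"], "users": ["root"],
     "escalated": False, "start": NOW - timedelta(days=20)},
    {"id": "M4", "state": "Inactive", "module": "AI Hunting", "priority": "Medium",
     "os": "MacOS", "machines": ["MBP-ADMIN"], "users": ["alice"],
     "escalated": False, "start": NOW - timedelta(days=200)},
]

# Time frame menu entries mapped to an assumed look-back window; None = all time.
TIME_FRAMES = {
    "today": timedelta(days=1), "last week": timedelta(weeks=1),
    "last month": timedelta(days=30), "last three months": timedelta(days=90),
    "last year": timedelta(days=365), "all time": None,
}

def search(malops, term):
    """Free-text search: case-insensitive match anywhere in the MalOp metadata,
    so 'admin' matches both a user name and a machine name containing it."""
    term = term.lower()
    def matches(m):
        parts = []
        for v in m.values():  # flatten list fields (users, machines) to text
            parts.extend(v if isinstance(v, list) else [str(v)])
        return any(term in p.lower() for p in parts)
    return [m for m in malops if matches(m)]

def in_time_frame(malops, frame, now=NOW):
    """Keep MalOps triggered within the selected time frame."""
    window = TIME_FRAMES[frame]
    if window is None:
        return list(malops)
    return [m for m in malops if now - m["start"] <= window]

def apply_filters(malops, **criteria):
    """Filter by MalOp properties, e.g. state='Active', module='AI Hunting'."""
    return [m for m in malops if all(m[k] == v for k, v in criteria.items())]

def facet_counts(malops, field):
    """The numbers next to each filter value: counts over the current result
    set, so they change once other filters have been applied."""
    return dict(Counter(m[field] for m in malops))

def quick_filter(malops, name):
    """The three quick filters: AI hunting only, escalated only, active only."""
    rules = {
        "ai_hunting": lambda m: m["module"] == "AI Hunting",
        "escalated": lambda m: m["escalated"],
        "active": lambda m: m["state"] == "Active",
    }
    return [m for m in malops if rules[name](m)]

def ids(malops):
    """MalOp ids of a result set, for display and checking."""
    return [m["id"] for m in malops]

if __name__ == "__main__":
    print("search 'admin':", ids(search(MALOPS, "admin")))
    print("last week:", ids(in_time_frame(MALOPS, "last week")))
    print("state counts, no filter:", facet_counts(MALOPS, "state"))
    high = apply_filters(MALOPS, priority="High")
    print("state counts with priority=High:", facet_counts(high, "state"))
    print("escalated:", ids(quick_filter(MALOPS, "escalated")))
```

Running the block shows the facet counts for State dropping from three values to one once a Priority filter is applied, which is the "numbers next to the other filters update" behaviour the Filter section describes.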

Change how MalOps are displayed

Malops management views

Next to the View label, choose between the Grid view and Card view. The only difference between the two views is in how the Malop information is presented in the Subject column, as described below.

Grid view

Description: Displays a brief description of the Malop, including the triggering item and a matching icon (e.g., Firefox logo for Firefox processes).

Suitable for: Actively working with Malops, such as assigning priority, escalating, or responding.

Card view

Description: Displays information about the Malop, including the triggering item, primary root cause, and detection type. This view also displays different infographics depending on the subject’s behavior (see the following table).

Suitable for: Quickly assessing threats.

If you select the Card view, you can see additional information. The following table describes the infographics shown in the Subject column when the Card view is active.

Command and control (graphic: Command and Control)

Network icon on a server connection to the target machine.

Reconnaissance (graphic: Reconnaissance card)

Process icon with radar image connected to the target machine.

Injection (graphic: Injection card)

Process icon with code pointing to an additional process connected to the target machine.

Persistence (graphic: Persistence card)

Process icon pointing to an anchor connected to the target machine.

Ransomware (graphic: Ransomware card)

Ransomware icon connected to locked files connected to the target machine.

Lateral movement (graphic: Lateral Movement card)

Process icon with an arrow branching to multiple machines connected to the initial target machine.

Credential theft (graphic: Credential Theft card)

Process icon pointing to a badge connected to the target machine.

Known malware (graphic: Known Malware card)

Process icon with a shield connected to the target machine.

Select a Sensor Group

Users with the Local Analyst L1 or L2 role can view MalOps associated with the sensors in the sensor groups they have permissions for.

To select which sensor group MalOps to view, check the relevant boxes in the sensor group drop-down menu on the right, above the list of Malops.

Local Analyst Malop

For more information on local analysts and sensor grouping, see Manage Sensor Groups.

Select data to view

Use the column icon on the upper right of the results to customize which columns to view.

Malops management columns

Column options include:

State (icon)

Description: The type and state of the Malop

Values:

MalOp type:

  • AI Hunting MalOp

  • Endpoint Protection MalOp

MalOp states:

  • Active (red)

  • Inactive (orange)

  • Resolved (green)

  • Excluded (grey)

For more information, see Malop Types and Components.

Subject

Description: Brief description of the item involved in the MalOp

Values:

Grid view:

  • Triggering item

  • Item type (icon)

Card view:

  • Detection type

  • Triggering item

  • Item type (icon)

  • Threat engine

Resolved by

Description: Populated if the MalOp was resolved.

Values: One of the following:

  • Cybereason: The Cybereason platform automatically prevented, disinfected, or quarantined a malicious item.

  • Analyst username: An analyst manually resolved the MalOp using the ‘Mark as remediated/resolved’ button in the Malops management or Malop details screen.

Affected machines

Description: Machines associated with the MalOp

Values: Machine name, or machine count if more than one machine is involved

OS type (icon)

Description: Machine types associated with the MalOp

Values:

  • Windows

  • Linux

  • MacOS

Affected users

Description: Users associated with the MalOp

Values: User name, or user count if more than one user is involved

User privileges (icon)

Description: Type of users associated with the MalOp

Values:

  • Administrator

  • Domain user

  • Local system

Detection description

Description: The type of behavior that triggered the Malop

Values:

For Endpoint Protection Malops:

  • AI malware classification

  • Known malware

  • Ransomware behavior

For AI Hunting MalOps, see the list of MalOp types in the MalOp Types topic.

Detection modules

Description: Which Cybereason component detected the malicious behavior

Values:

  • AI Hunting

  • Anti-Malware

  • AI-based Anti-Malware

  • PowerShell and .NET protection

  • Anti-Ransomware

Auto response

Description: The Cybereason platform NGAV automatic response to the Endpoint Protection MalOp.

Values:

  • Disinfected

  • Failed to disinfect

  • Detected

  • Prevented

  • Done

  • Excluded

  • Deleting on restart

  • Quarantined

Start time

Description: The time the MalOp was triggered

Values: Month day, year at hh:mm:ss AM/PM timezone (for example, September 25, 2019 at 01:22:45 PM GMT-5)

Update time

Description: The last time the MalOp was updated

Values: Month day, year at hh:mm:ss AM/PM timezone

Escalation

Description: Whether or not the MalOp is currently escalated

Values: Escalate button, or ‘x’ button to de-escalate

Severity

Description: The severity of the threat as determined by Cybereason.

Values:

  • High

  • Medium

  • Low

Priority

Description: The priority setting for the MalOp

Values:

  • High

  • Medium

  • Low

Labels

Description: Custom labels

Values: Label name

Group results

To organize your view of MalOps by machine, detection type, or label, select a Group by option from the upper right of the Malops list. The left-most button removes the grouping selection. Each MalOp remains on an individual line, and a banner is visible above each group.

Malops management card view

Next Steps

After you have a broad understanding of what MalOps are in your environment, you can investigate specific MalOps. See Examine MalOp Details to learn more.