View Malops

In the Cybereason platform, you use the Malops management screen to gain an overall view of MalOps in your environment, and to manage the MalOp remediation workflow.

Malops management screen overview

Note

If you are using an environment with the newer Data Platform model, your Malops management screen may look different than what is described here. Visit the View MalOps with the Data Platform Architecture topic instead.

The above screenshot calls out the six main parts of the Malops management screen:

1. Malops management dashboard

2. Search and filter options

3. Quick filters

4. View options

5. MalOps list

6. Response options (see Remediate MalOps)

View the Malops management dashboard

The dashboard in the Malops management screen presents important information about the environment in a graphical, easy to read format.

The dashboard widgets update based on the time frame you select in the time frame filter.

Dashboard widgets include:

MalOps view	Description
Active MalOps	Shows the number of active and total MalOps in your organization as a ratio.
MalOps by detection module	Shows the number of AI Hunt MalOps, or MalOps that the Cybereason platform Cross Machine Correlation Engine created, as well as the number of Endpoint Protection MalOps, or MalOps that the Cybereason platform NGAV features created. This box also shows the connection status of Cybereason’s threat intelligence services.
Machines overview	Information about the number of online, offline, infected, and clean machines. Infected machines have at least one active MalOp. Clean machines have no active MalOps.
MalOps trend over past week	A graph showing the trend of MalOp creation over the past week.

Search for MalOps

Using the search field, you can enter free text to search for MalOps by a custom value.

The Cybereason platform returns MalOps that contain your search term anywhere in their metadata. For example, a search for ‘admin’ will return MalOps that have affected users with ‘admin’ in their username, as well as MalOps that have affected machines with ‘admin’ in their name.

Filter Malops

You can filter MalOps by time frame or by a variety of MalOp characteristics.

Select the time frame drop-down menu to limit results to MalOps triggered today, last week, last month, last three months, last year, or all time.

Select the Filters button to toggle the filter menu. You can filter by MalOp state, Detection module, Priority, OS type, machine status, user privileges, or labels.

The numbers next to the filters represent the number of MalOps that have that property. As you add more filters, the numbers next to the other filters update.

The quick filters allow you to filter by:

• AI hunting MalOps only

• Escalated Malops (MalOps that a lower-level analyst has escalated)

• Active MalOps

Change how MalOps are displayed

Next to the View label, choose between the Grid view and Card view. The only difference between the two views is in how the Malop information is presented in the Subject column, as described below.

View	Description	Suitable for
Grid	Displays a brief description of the Malop, including the triggering item and a matching icon (e.g., Firefox logo for Firefox processes)	Actively working with Malops, such as assigning priority, escalating, or responding.
Card	Displays information about the Malop, including the triggering item, primary root cause, and detection type. This view also displays different infographics depending on the subject’s behavior (see the following table).	Quickly assessing threats.

If you select the Card view, you are able to see additional information. The following table describes the infographics that are visible when the Subject column card view is active.

Behavior	Graphic	Graphic Description
Command and control		Network icon on a server connection to the target machine.
Reconnaissance		Process icon with radar image connected to target machine.
Injection		Process icon with code pointing to an additional process connected to the target machine.
Persistence		Process icon pointing to an anchor connected to the target machine.
Ransomware		Ransomware icon connected to locked files connected to the target machine.
Lateral movement		Process icon with an arrow branching to multiple machines connected to the initial target machine.
Credential theft		Process icon pointing to a badge connected to the target machine.
Known malware		Process icon with a shield connected to target machine.

Select a Sensor Group

Users with the Local Analyst L1 and L2 role can view MalOps associated with the sensors in the sensor groups the user has permissions for.

To select which sensor group MalOps to view, check the relevant boxes in the sensor group drop-down menu on the right, above the list of Malops.

For more information on local analysts and sensor grouping, see Manage Sensor Groups.

Select data to view

Use the column icon on the upper right of the results to customize which columns to view.

Column options include:

Column name	Description	Values
State (icon)	The type and state of the Malop	MalOp type: AI Hunting MalOp Endpoint Protection MalOp MalOp states: Active (red) Inactive (orange) Resolved (green) Excluded (grey) For more information, see Malop Types and Components.
Subject	Brief description of the item involved in the MalOp	Grid view: Triggering item Item type (icon) Card view: Detection type Triggering item Item type (icon) Threat engine
Resolved by	Populated if the MalOp was resolved.	One of the following: Cybereason: The Cybereason platform automatically prevented, disinfected, or quarantined a malicious item. Analyst username: An analyst An analyst manually resolves the MalOp using the ‘Mark as remediated/resolved’ button in the Malops management or Malop details screen.
Affected machines	Machines associated with the MalOp	Machine name, or machine count if more than one machine is involved
OS type (icon)	Machine types associated with the MalOp	Windows Linux MacOS
Affected users	Users associated with the MalOp	User name, or user count if more than one user is involved
User privileges (icon)	Type of users associated with the MalOp	Administrator Domain user Local system
Detection description	The type of behavior that triggered the Malop	For Endpoint Protection Malops: AI malware classification Known malware Ransomware behavior For AI Hunting MalOps, see the list of MalOp types in the MalOp Types topic.
Detection modules	Which Cybereason component detected the malicious behavior	AI Hunting Anti-Malware AI-based Anti-Malware PowerShell and .NET protection Anti-Ransomware
Auto response	The Cybereason platform NGAV automatic response to the Endpoint Protection MalOp.	Disinfected Failed to disinfect Detected Prevented Done Excluded Deleting on restart Quarantined
Start time	The time the MalOp was triggered	Month day, year at hh:mm:ss AM/PM timezone (ex. September 25, 2019 at 01:22:45 PM GMT-5)
Update time	The last time the MalOp was updated	Month day, year at hh:mm:ss AM/PM timezone
Escalation	Whether or not the MalOp is currently escalated	Escalate button or ‘x’ button to de-escalate
Severity	The severity of the threat as determined by Cybereason.	High Medium Low
Priority	The priority setting for the MalOp	High Medium Low
Labels	Custom labels	Label name

Group results

To organize your view of MalOps by machine, detection type, and label, select a Group by option from the upper right of the Malops list. The left-most button removes the grouping selection. Each MalOp remains on an individual line and a banner is visible above each group.

Next Steps

After you have a broad understanding of what MalOps are in your environment, you can investigate specific MalOps. See Examine MalOp Details to learn more.

Related resources

• Malops Management Screen FAQ

• How to search for new Malops

• Why is a Malop marked Not Relevant reappearing?