View Malops
In the Cybereason platform, you use the Malops management screen to gain an overall view of MalOps in your environment, and to manage the MalOp remediation workflow.
Malops management screen overview
Note: If you are using an environment with the newer Data Platform model, your Malops management screen may look different than what is described here. Visit the View MalOps with the Data Platform Architecture topic instead.
The above screenshot calls out the six main parts of the Malops management screen:
Malops management dashboard
Search and filter options
Quick filters
View options
MalOps list
Response options (see Remediate MalOps)
View the Malops management dashboard
The dashboard in the Malops management screen presents important information about the environment in a graphical, easy to read format.
The dashboard widgets update based on the time frame you select in the time frame filter.
Dashboard widgets include:
| MalOps view | Description |
|---|---|
| Active MalOps | Shows the number of active and total MalOps in your organization as a ratio. |
| MalOps by detection module | Shows the number of AI Hunt MalOps (MalOps created by the Cybereason platform Cross Machine Correlation Engine) and the number of Endpoint Protection MalOps (MalOps created by the Cybereason platform NGAV features). This box also shows the connection status of Cybereason’s threat intelligence services. |
| Machines overview | Information about the number of online, offline, infected, and clean machines. Infected machines have at least one active MalOp. Clean machines have no active MalOps. |
| MalOps trend over past week | A graph showing the trend of MalOp creation over the past week. |
Search for MalOps
Using the search field, you can enter free text to search for MalOps by a custom value.
The Cybereason platform returns MalOps that contain your search term anywhere in their metadata. For example, a search for ‘admin’ will return MalOps that have affected users with ‘admin’ in their username, as well as MalOps that have affected machines with ‘admin’ in their name.
Filter Malops
You can filter MalOps by time frame or by a variety of MalOp characteristics.
Select the time frame drop-down menu to limit results to MalOps triggered today, last week, last month, last three months, last year, or all time.
Select the Filters button to toggle the filter menu. You can filter by MalOp state, Detection module, Priority, OS type, machine status, user privileges, or labels.
The numbers next to the filters represent the number of MalOps that have that property. As you add more filters, the numbers next to the other filters update.
The quick filters allow you to filter by:
AI hunting MalOps only
Escalated Malops (MalOps that a lower-level analyst has escalated)
Active MalOps
Change how MalOps are displayed
Next to the View label, choose between the Grid view and Card view. The only difference between the two views is in how the Malop information is presented in the Subject column, as described below.
| View | Description | Suitable for |
|---|---|---|
| Grid | Displays a brief description of the Malop, including the triggering item and a matching icon (e.g., Firefox logo for Firefox processes) | Actively working with Malops, such as assigning priority, escalating, or responding. |
| Card | Displays information about the Malop, including the triggering item, primary root cause, and detection type. This view also displays different infographics depending on the subject’s behavior (see the following table). | Quickly assessing threats. |
If you select the Card view, you are able to see additional information. The following table describes the infographics that are visible when the Subject column card view is active.
| Behavior | Graphic description |
|---|---|
| Command and control | Network icon on a server connection to the target machine. |
| Reconnaissance | Process icon with radar image connected to target machine. |
| Injection | Process icon with code pointing to an additional process connected to the target machine. |
| Persistence | Process icon pointing to an anchor connected to the target machine. |
| Ransomware | Ransomware icon connected to locked files connected to the target machine. |
| Lateral movement | Process icon with an arrow branching to multiple machines connected to the initial target machine. |
| Credential theft | Process icon pointing to a badge connected to the target machine. |
| Known malware | Process icon with a shield connected to target machine. |
Select a Sensor Group
Users with the Local Analyst L1 or L2 role can view MalOps associated with the sensors in the sensor groups they have permissions for.
To select which sensor group MalOps to view, check the relevant boxes in the sensor group drop-down menu on the right, above the list of Malops.
For more information on local analysts and sensor grouping, see Manage Sensor Groups.
Select data to view
Use the column icon on the upper right of the results to customize which columns to view.
Column options include:
| Column name | Description | Values |
|---|---|---|
| State (icon) | The type and state of the Malop | MalOp type:<br>MalOp states:<br>For more information, see Malop Types and Components. |
| Subject | Brief description of the item involved in the MalOp | Grid view:<br>Card view: |
| Resolved by | Populated if the MalOp was resolved. | One of the following: |
| Affected machines | Machines associated with the MalOp | Machine name, or machine count if more than one machine is involved |
| OS type (icon) | Machine types associated with the MalOp | |
| Affected users | Users associated with the MalOp | User name, or user count if more than one user is involved |
| User privileges (icon) | Type of users associated with the MalOp | |
| Detection description | The type of behavior that triggered the Malop | For Endpoint Protection Malops:<br>For AI Hunting MalOps, see the list of MalOp types in the MalOp Types topic. |
| Detection modules | Which Cybereason component detected the malicious behavior | |
| Auto response | The Cybereason platform NGAV automatic response to the Endpoint Protection MalOp. | |
| Start time | The time the MalOp was triggered | Month day, year at hh:mm:ss AM/PM timezone (e.g., September 25, 2019 at 01:22:45 PM GMT-5) |
| Update time | The last time the MalOp was updated | Month day, year at hh:mm:ss AM/PM timezone |
| Escalation | Whether or not the MalOp is currently escalated | Escalate button, or ‘x’ button to de-escalate |
| Severity | The severity of the threat as determined by Cybereason. | |
| Priority | The priority setting for the MalOp | |
| Labels | Custom labels | Label name |
Group results
To organize your view of MalOps by machine, detection type, and label, select a Group by option from the upper right of the Malops list. The left-most button removes the grouping selection. Each MalOp remains on an individual line and a banner is visible above each group.
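The free-text search, time-frame menu, filter counts and quick filters described under Search for MalOps and Filter Malops, together with the Group by behavior described above, modelled over a small set of constructed records. This is an added example, not Cybereason code, and it does not call the Cybereason API; the MalOp record layout and its field names, the day counts behind the month/three-month/year time frames, and the way filter counts are computed (each facet counted with the other facets' selections applied) are assumptions made for the example.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed MalOp records; the field names are assumptions made for this
# example, not the Cybereason data model or API schema.
@dataclass
class MalOp:
    malop_id: str
    state: str             # e.g. "Active", "Remediated", "Closed"
    detection_module: str  # "AI Hunt" or "Endpoint Protection"
    priority: str
    os_type: str
    machines: list[str]    # affected machines
    users: list[str]       # affected users
    labels: list[str]      # custom labels
    escalated: bool
    start_time: datetime   # when the MalOp was triggered

NOW = datetime(2019, 9, 25, 13, 22, 45, tzinfo=timezone.utc)  # fixed clock (constructed)

SAMPLE = [
    MalOp("11.1", "Active", "AI Hunt", "High", "Windows", ["ws-admin-01"],
          ["corp\\jdoe"], ["phishing"], True, NOW - timedelta(hours=3)),
    MalOp("11.2", "Active", "Endpoint Protection", "Medium", "Windows",
          ["srv-db-02", "srv-db-03"], ["corp\\svc_backup"], [], False, NOW - timedelta(days=5)),
    MalOp("11.3", "Remediated", "AI Hunt", "Low", "macOS", ["mac-ops-07"],
          ["corp\\admin.ops"], ["phishing", "reviewed"], False, NOW - timedelta(days=40)),
    MalOp("11.4", "Closed", "Endpoint Protection", "Low", "Linux", ["lnx-build-01"],
          ["root"], ["reviewed"], True, NOW - timedelta(days=400)),
]

# Time-frame menu from the page; day counts for month/three months/year are assumptions.
TIME_FRAMES = {"today": timedelta(days=1), "last week": timedelta(days=7),
               "last month": timedelta(days=30), "last three months": timedelta(days=90),
               "last year": timedelta(days=365), "all time": None}

# Filters-menu facets, each mapped to the value(s) a MalOp carries for it.
FACETS = {"state": lambda m: [m.state], "detection_module": lambda m: [m.detection_module],
          "priority": lambda m: [m.priority], "os_type": lambda m: [m.os_type],
          "labels": lambda m: m.labels}

QUICK_FILTERS = {"ai_hunting": lambda m: m.detection_module == "AI Hunt",
                 "escalated": lambda m: m.escalated, "active": lambda m: m.state == "Active"}

def matches_search(m: MalOp, term: str) -> bool:
    """Free-text search: case-insensitive substring over every metadata string,
    so 'admin' hits machine ws-admin-01 and user corp\\admin.ops alike."""
    t = term.lower()
    fields = [m.malop_id, m.state, m.detection_module, m.priority, m.os_type,
              *m.machines, *m.users, *m.labels]
    return any(t in v.lower() for v in fields)

def in_time_frame(m: MalOp, frame: str, now: datetime = NOW) -> bool:
    span = TIME_FRAMES[frame]
    return span is None or m.start_time >= now - span

def apply_filters(malops, filters: dict[str, set[str]]):
    """AND across facets, OR within one: a MalOp passes a facet if any of its values is selected."""
    return [m for m in malops if all(set(FACETS[f](m)) & sel for f, sel in filters.items())]

def _base(malops, search, frame):
    """Time frame and free-text search apply before any facet or quick filter."""
    return [m for m in malops if in_time_frame(m, frame) and (not search or matches_search(m, search))]

def list_malops(malops, search="", frame="all time", filters=None, quick=None):
    """IDs in the MalOps list after time frame, search, Filters menu and quick filter."""
    result = apply_filters(_base(malops, search, frame), filters or {})
    if quick:
        result = [m for m in result if QUICK_FILTERS[quick](m)]
    return [m.malop_id for m in result]

def facet_counts(malops, search="", frame="all time", filters=None):
    """The numbers next to each filter value. Each facet is counted with every *other*
    active filter applied (an assumption: adding a filter updates the other filters'
    counts while the alternatives within your own facet stay visible)."""
    filters = filters or {}
    base = _base(malops, search, frame)
    counts = {}
    for facet, getter in FACETS.items():
        others = {f: sel for f, sel in filters.items() if f != facet}
        counts[facet] = dict(Counter(v for m in apply_filters(base, others) for v in getter(m)))
    return counts

def group_by(malops, key: str) -> dict[str, list[str]]:
    """'Group by' machine, detection type or label. Every MalOp keeps its own line,
    so one with several machines or labels is listed under each matching group."""
    getter = {"machine": lambda m: m.machines, "detection_type": lambda m: [m.detection_module],
              "label": lambda m: m.labels}[key]
    groups = defaultdict(list)
    for m in malops:
        for v in getter(m):
            groups[v].append(m.malop_id)
    return dict(groups)

if __name__ == "__main__":
    print(list_malops(SAMPLE, search="admin"))  # ['11.1', '11.3']
    print(facet_counts(SAMPLE, filters={"state": {"Active"}})["detection_module"])
    print(group_by(SAMPLE, "machine"))
```

Run as a script it prints the result of the page's own 'admin' example (one hit through a machine name, one through a user name), the per-module counts you would see after selecting the Active state, and the machine grouping in which MalOp 11.2 appears under both of its affected machines.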
Next Steps
After you have a broad understanding of what MalOps are in your environment, you can investigate specific MalOps. See Examine MalOp Details to learn more.