Manage Reputations - Tutorial
In this tutorial, we will explain, step-by-step, how to manage the reputation of items by adding and removing them from the allowlist and blocklist. We will use the scenario of adding multiple IP address to the allowlist or blocklist using the reputation CSV template.
To set the reputation of a single item, on the Element details screen click Set reputation.
In this topic:
Purpose
After completing this tutorial, you should be able to:
Understand which items can be added to the allowlist or blocklist.
Explain the required information to add item(s) to the allowlist or blocklist using the CSV template.
Explain how to add item(s) to the allowlist or blocklist using the CSV template.
Explain the effect that adding an item to the allowlist or blocklist will have on your platform detection capabilities.
Custom Reputations
To decrease the chances of false positives, you can add legitimate items to your allowlist. Similarly, you can add an item to your blocklist to tell Cybereason to always trigger a MalOp when that item is detected. Once you add an item to your blocklist, Cybereason creates a MalOp for all occurrences of that item currently in the environment, as well as all subsequent instances of the item.
Important
The blocklist is for detection purposes only. Blocklisting an item will not prevent that item from executing. See Prevent File Execution with Application Control for details on preventing execution.
To ensure your allowlist and blocklist work properly for your organization, the reputations that you manually add have priority over other Cybereason threat detection methods.
You can add custom reputations for the following items:
Files (if you add a file, the reputation you assign applies to all files with the same hash)
IP addresses
Domain names (not including subdomains)
Steps
Step 1: Find the Key for the Item
The Cybereason platform identifies an item on the allowlist or blocklist by using a unique key for the item. The value of this key depends on the type of item that you want to add to the allowlist or blocklist. You can add values for IP address, domains, or file hashes.
Depending on the item, you need to provide the following:
For a file, the unique key is either the MD5 or SHA-1 file hash value. Note that if you want Application Control to automatically block a file based on the file hash, you must use a MD5 file hash value and have Application Control enabled in your environment.
For an IP address, the unique key is the IP address itself.
For a domain name, the unique key is the domain name itself.
This example explains how to add an item using IP addresses. To add a file or domain name to the allowlist or blocklist, follow the same steps but update the key value accordingly.
Step 2: Download the Custom Reputation List Template
When you have the item key, follow these steps to download the custom reputation list template:
Open the Security profile > Reputation screen.
In the Upload custom reputation list section, click Download template.
The custom reputation list template CSV file downloads to your machine.
Step 3: Add Reputations for items
Once you have downloaded the custom reputation list template you are ready to add your items and details to the template file.
On your machine, open the custom_reputation_list_example.csv file.
Delete the example data contained in rows 2 and 3 of the template so that only the column headers are visible.
Populate the file with the following data:
Column |
Description |
|---|---|
key |
The IP address. You need to enter each IP address to be added to the allowlist individually in its own row. For this tutorial, we will use the following example IP addresses: 48.124.150.242, 66.56.186.46, 160.205.31.15 |
reputation |
Add whitelist to add the IP address to the allowlist or blacklist to add the IP address to the blocklist. |
prevent execution |
false |
comment |
Leave blank |
remove |
false |
To add IP addresses to the allowlist, populate the file as follows:
To add IP address to the blocklist, populate the file as follows:
Step 4: Upload the Revised Custom Reputation List Template
Once the file has been prepared, it can be uploaded on the platform.
On the Security profile > Reputation screen, under the Upload custom reputation list section, click Upload.
Select the file that you created. The file is uploaded and the file name and a summary of the changes that have been made are visible under the Upload custom reputation list section.
Click Confirm. When the file is successfully uploaded, you receive an Upload successful message.
Next Steps
On the Security profile > Reputation screen, you can verify that the IP addresses are correctly added or removed from the allowlist or blocklist by searching for the IP addresses or by downloading the custom reputation list.