Manage Reputations

The Cybereason platform enables you to maintain a customizable private reputation list that specifies how the Cybereason platform classifies and item when the platform encounters a specific file hash, process, IP address, or domain in your environment. In addition, through the private reputatation list, you can instruct sensors how to respond if they encounter a specific file hash in your environment.

The private threat intelligence list enables you to better tailor the Cybereason platform’s threat intelligence-based analysis to your specific security needs. For example, if you have a legitimate program that the Cybereason platform classifies as malicious since your program may exhibit behaviors that resemble similar of malicious tools, you can add a custom reputation for the program that instructs the Cybereason platform to allow the program to run.

You can add up to 100,000 items to your reputation list. Adding more items can have negative performance impacts.

What items can you add to your private reputation list?

You can add custom reputations for the following items:

Item

Item type

Example

File

File hash (MD5, SHA-1, or SHA-256)

Note

To ensure that the Cybereason platform is able to allow or block SHA-1/SHA-256 hash values, you must have the Threat Intel service enabled in your environment. Contact your Customer Success Manager to enable this feature.

If you do not have the Threat Intel service enabled, the SHA-1 or SHA-256 file hash values are still prevented by the sensor, but the values are not added to te whitelist.

3f63e9f09fe59f5

Process

File hash (MD5, SHA-1, or SHA-256)

cc273fe9d442850

Domain (not including subdomains)

Domain

mydomain.com.

The platform triggers a MalOp for an exact match of the domain name, and does not trigger a MalOp for subdomains.

IP address

IP address

198.20.10.54

Reputation management options

You manage your custom reputation list from the Reputations screen. You can also set reputations for specific items during investigation using the Element details pane.

Likewise, if you use Cybereason XDR, XDR response actions may also add IP addresses to the blocklist automatically.

Note

The Cybereason platform currently maintains two versions of the Reputations screen in the UI.

The following table describes reputation options:

Desired Platform Response

How to configure

Description

Allow: Do not trigger a MalOp for this item

Perform one of the following:

  • Add the item using the Reputations screen and set Action to Allow

  • Add the item to a CSV file with whitelist in the reputation column

The item may appear in other MalOps if the item takes part in the malicious activity. For example, if a process in the reputation list injects into another process, a MalOp of type Injected Process may be generated.

Detect only: Trigger a MalOp for this item, but do not prevent it from executing

Perform one of the following:

  • Add the item using the Reputations screen and set Action to Detect Only

  • Add the item to a CSV file with blacklist in the reputation column and False in the Prevent execution column

The Cybereason platform creates a MalOp for all occurrences of the item currently in the environment, as well as all subsequent instances of the item. The item name appears as the root cause of the MalOps.

In environments with sensor grouping enabled, if you add a group assignment for this reputation, the Cybereason platform triggers a MalOp only if the item for the reputation is part of a sensor group to which you are assigned.

Detect and prevent: Trigger a MalOp for this item, and prevent it from executing

Perform one of the following:

  • Add the item using the Reputations screen and set Action to Detect & Prevent

  • Add the item to a CSV file with blacklist in the reputation column and True in the Prevent execution column.

You must have Application Control enabled to block items from executing.

In environments with sensor grouping enabled, if you add a group assignment for this reputation, the Cybereason platform triggers a MalOp only if the item for the reputation is part of a sensor group to which you are assigned.

Important

Be careful when setting reputations for critical applications such as cmd.exe, explorer.exe, and PowerShell. Detecting or preventing these applications may cause legitimate processes to trigger MalOps.

Note

Changing the reputation of an item will not affect the status of previously created MalOps. However, if the item is involved in other MalOps, the reputation update will be reflected in the details of new MalOps.

Manage reputations in the Reputations screen

Reputation Management

In the Custom Reputation List tab, you can perform the following tasks:

  1. Filter by one or more of the following properties:

    Property

    Items to Update

    Type

    • IP address

    • Domain

    • File Hash

    Action

    • Allow

    • Detect Only

    • Detect & Prevent

    Expiration

    • Active

    • Expired

  2. Search your reputation list by value or description.

  3. Add a new item.

  4. Edit or delete an item.

  5. Change a reputation using the EDR Action column.

  6. Upload a CSV file, download a CSV template, or export the items to a CSV file.

Add an item

To add an item, such as an IP address or domain, to your private reputation list, follow these steps:

  1. From the Reputations screen Custom Reputation List tab, select Add item. The Add Reputation Item window appears:

    Add an item's reputation

  2. Select the type of item you want to add.

  3. Add the value, such as the domain name.

  4. For the EDR Action, select an action. Options include:

    • Allow: The platform does not trigger a MalOp when it encounters this item.

    • Detect Only: The platform triggers a MalOp when it encounters this item.

    • Detect & Prevent: The platform triggers a MalOp when it encounters this item. In addition, the platform prevents the item from executing.

    Note

    If you have Cybereason XDR in your environment, you cannot set a value for the XDR Action. Cybereason XDR sets this value when performing a response action in an XDR MalOp.

  5. (Optional) Add a description.

  6. (Optional) Add an expiration date. The expiration date is the date at which the item will be removed from the reputation list. The date displayed in the UI reflects the local timezone.

    Note

    Because the platform checks the expiration date every few hours, the item may not expire on the exact date that you specified.

  7. (Optional) If you have sensor grouping enabled in your environment, in the Group restrictions section, select Assign to specific/multiple groups to specify a group or groups to which to assign the reputation. If you want the reputation to apply to all groups, select Assign to all local user groups.

    Add the groups for an item reputation

    You can only add the reputation to groups to which you have been assigned.

    Note

    If the item has been assigned a reputation in another group that is different from your reputation, the Cybereason platform notifies you of the conflict and you must update the reputation.

    Error message if a reputation already exists in another group

  8. Click Save.

If two or more hash values point to the same item, the Cybereason platform will combine these values into one record in the custom reputation list. For example, if a file’s MD5 hash is marked as allowed and you allow an SHA-1 hash value that points to the same file, the platform will add the second hash value to the existing record instead of creating a new entry in the reputation list. Furthermore, when a file runs on a sensor, the sensor calculates the MD5, SHA-1, and SHA-256 values for the file. The platform will add the file hash values that match with the existing hash value (if the existing hash value is in the list of custom reputations).

Merge file hash values

Edit or delete an item

To edit a reputation, select an option from the drop-down menu in the Action column.

To edit the properties for an item, follow these steps:

  1. Select the checkbox to the left of the item. The Edit button appears above the list.

  2. Select Edit and make your changes.

  3. Click Save.

To delete an item from a reputation list, follow these steps:

  1. Select one or more check boxes to the left of the items. The Delete button appears above the list.

    Note

    Use the Shift key and select two check boxes to activate all check boxes between the two selected.

  2. Select Delete.

  3. Confirm deletion.

Manage reputations in bulk using a CSV file

You can manage reputations in bulk by uploading a CSV file that contains reputation information. You can download a CSV template to get started, or download your current reputation list to make updates. These files are available in the Reputation screen, as shown in the following images.

In the Custom Reputation List screen:

Download Reputation CSV

In the Reputations screen (legacy):

Download Reputation CSV

Important

Cybereason is in the process of changing the terms “blacklist” and “whitelist” to “blocklist” and “allowlist”, respectively. Currently, these changes are not reflected in the CSV template and you must use the terms “blacklist” and “whitelist” when updating reputations in bulk.

The CSV template file includes the following columns:

Column

Description

Key

The item’s IP address, domain, or hash. Values entered in this column are case-insensitive and are saved by the system in lowercase.

Reputation

The reputation you are applying to the item. Enter whitelist to add or remove the relevant item to the allowlist. Enter ‘blacklist’ to add or remove the item to the blocklist. You specify whether to add or remove the item in the Remove column.

Prevent execution

An option to prevent the item’s execution. You must have Application Control enabled for prevention to work.

This option is only applicable for file hash keys.

Comment

A comment related to the reputation classification.

Remove

Indicates whether or not the item should be removed from the list specified in the Reputation column. True means the item should be removed from the specified list. False means the item should stay on the list, or be added to the list if the item is a new entry.

Group id (version 23.1.44 and later)

The sensor group or groups to which to assign the item’s reputation.

You must have permissions in the selected groups to assign a reputation to that group.

Expiration date

The date and time, according to UTC, on which the platform will remove the item from the reputation list. The date must be in the following format: yyyy/mm/dd/hh/mm/ss.

The columns in the CSV template are slightly different from the columns in the Custom Reputation List screen. The following table describes how the CSV columns correlate to values in the UI:

UI Values

CSV Values

Value

Key

EDR Action: Allow

reputation: whitelist

Remove: ‘False’

EDR Action: Detect

reputation: blocklist

Prevent execution: False

Remove: False

EDR Action: Detect & Prevent

reputation: blocklist

Prevent execution: True

Remove: False

Description

Comment

Group Assignment (version 23.1.44 and later)

Group ID

Expiration Date (local time)

Expiration Date (yyyy/mm/dd/hh/mm/ss format and UTC)

Created by

N/A

Note

On Mac, editing the CSV using the Numbers application may cause the CSV to have an unsupported format. Cybereason recommends using TextEdit or editing on Windows instead.

To add or remove items in bulk, follow these steps:

  1. Download your reputation CSV file from the Reputations screen. If you are adding items for the first time, download the reputation list CSV template.

  2. In the CSV file, specify the key for the item to add or remove from a reputation list in the Key column of the CSV file.

  3. In the reputation column, specify the reputation list to which you want to add or remove the item in the Key column. Enter whitelist to prevent the item from triggering a MalOp, or blacklist if you want the item to always trigger a MalOp. See the Important note above for an explanation of CSV terms.

  4. In the remove column, specify whether or not the item in the Key column should be removed from the reputation list specified in the Reputation column. Enter false to add the item, or true to remove the item.

  5. In the prevent execution column, specify whether or not you want the Cybereason platform to prevent the item from executing.

  6. Optionally, in the expiration date column, specify a time and date to remove the item from the reputation list. When editing this value in the CSV column, use the following date format: yyyy/mm/dd/hh/mm/ss.

    Note

    In the CSV file, the expiration date uses Coordinated Universal Time (UTC). The platform translates this time to local time in the UI, however you must specify the UTC date/time in the CSV file.

  7. From the Reputations screen, upload the revised CSV file for your changes to take effect.

The Cybereason platform validates the values in the CSV file and presents an error message if items are invalid. For example:

Reputation CSV Upload Error

CSV Example

In the following example, the Cybereason platform will remove the hash 3f63e9f09fe59f5 from the reputation list. The platform will add the IP address 198.20.10.54 to the reputation list and trigger a MalOp when it encounters the item.

key

reputation

prevent execution

comment

remove

3f63e9f09fe59f5

whitelist

FALSE

my comment on hash

TRUE

198.20.10.54

blacklist

FALSE

my comment on ip

FALSE

Note

If an item already exists in a list, the configuration in the CSV file will replace the current configuration.

Manage reputations from the Element details screen

You can also set the reputation for a single item from the Element details pane in the Investigation screen. You can access an item’s element details from the Malop details screen in the associated MalOp, or by building a query in the Investigation screen.

Access an item’s Element details pane from the Malop details screen

  1. If needed, from the Malops management screen, select the MalOp associated with the item you want to add or remove from the allowlist or blocklist. The Malop details screen appears.

  2. From the Process tab, select the process to add to or remove from the allowlist or blocklist, and click the Investigate button. The Investigation screen appears with the query populated to show the selected process.

  3. Click the process in the query results list to bring up the Element details pane.

Access an item’s Element details pane from the Investigation screen

  1. Build a query to search for the item you want to add to or remove from the allowlist or blocklist.

  2. From the query results, select the item to bring up the Element details pane.

Set the reputation

On the top right of the Element details pane, click Set reputation, and select whether to add the item to the allowlist or blocklist, or remove the reputation of the item.

Set Reputation

Important

The blocklist is for detection purposes only. Adding an item to the blocklist will not prevent that item from executing. See Prevent File Execution with Application Control for details on preventing execution.

Search reputation information

All analysts, including local analysts, can search for IOCs that currently exist in the system and verify the reputation.

To search for an item’s reputation, do one of the following from the Reputations screen:

  • To search within your organization’s private reputations list, enter the MD5, SHA-1, or SHA-256 file hash, domain, or IP address in the Custom Reputation List tab Find reputation field.

    Search Local Reputations

  • To search across all reputation sources, enter the SHA-1 file hash, domain, or IP address in the Global Reputation Search tab search field, and click Search all reputation sources.

    Search Global Reputations

Note

The global file hash search function only support SHA-1 values. When searching within your custom reputation list, you can use SHA-1 or MD5 values.

The search result displays the item reputation according to each reputation source. The Priority column lists which reputation decision takes precedence over others, where 1 is the highest priority.

  • Custom reputation: The reputation based on your environment custom reputation list.

  • AV Reported: The item reputation based on the Cybereason Anti-Malware feature.

  • Cybereason threat intel: The item reputation as determined by the Cybereason Global Threat Intel server.