Get Malop Details

Endpoint URL: https://<your server>/rest/detection/details
Endpoint URI: detection/details

Action: POST

Returns details about a specified Endpoint Protection Malop. If you want to retrieve details for AI Hunt Malops, see Get Details on a Specific AI Hunt Malop.

This request is supported for versions 20.1.43 and later.

Note

Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.

Request Headers

You must add a Content-Type:application/json header with the request.

Note

If you are using cURL, add the authorization cookie details or the path to the file containing the cookie details as part of every request.


Request Body

Input: JSON

Download JSON syntax file

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

Note

When sending this request, there may be a delay in returning a response, depending on how much data and activity is in your system. Ensure you do not send this request multiple times while waiting for a response as this may cause unexpected results and performance issues in your environment.

{
	"malopGuid":"<malop ID>"
}

Request Parameters

URL/URI parameters: none

Request Body Parameters: Add the unique GUID string the Cybereason platform uses for the Malop.


Response Status Codes

This request can return the following status codes:

  • 200: Success OK

  • 400: Malop ID is not valid


Response Success Schema

The response contains the following fields:

guid (Integer): The unique identifier the Cybereason platform assigns to the item.

Note that the first guid parameter in the response is the GUID for the Malop. Other guid parameters refer to specific items such as a file or a process.

status (Enum): The status of the specific Malop. Possible values include:

  • Active
  • Remediated
  • Closed
  • Excluded

displayName (String): The name for the Malop or related Element in the Malops management screen or Malop details screen.

detectionEngines (Enum): The detection engine that generates the Malop. Possible values include:

  • AntiVirus
  • StaticAnalysis
  • ApplicationControl
  • Script
  • Document
  • Mobile
  • AntiExploit

detectionTypes (Enum): The type of detection for the root cause. Possible values include:

  • Blacklist
  • Command and Control
  • Credential theft
  • Custom rule
  • Data transmission volume
  • Elevated access
  • Extension manipulation
  • Injected process
  • Known malware
  • Lateral Movement
  • Unknown malware
  • Malicious tool
  • Mobile Device
  • Persistence
  • Phishing
  • Process injection
  • PUP
  • Ransomware
  • Reconnaissance
  • Unauthorized
  • Compromised user
  • Unknown
  • Potentially unwanted program

malopDetectionType (Enum): The category of detection that recognized the malicious behavior. Possible values include:

  • BLACKLIST
  • CNC
  • UNAUTHORIZED_USER
  • CREDENTIAL_THEFT
  • DATA_TRANSMISSION_VOLUME
  • ELEVATED_ACCESS
  • EXTENSION_MANIPULATION
  • HIJACKED_PROCESS
  • KNOWN_MALWARE
  • MALWARE_PROCESS
  • MALICIOUS_PROCESS
  • MALICIOUS_TOOL_PROCESS
  • PUP
  • PERSISTENCE
  • PHISHING
  • UNWANTED_PROCESS
  • RANSOMWARE
  • RECONNAISSANCE
  • UNAUTHORIZED_AUTH
  • UNKNOWN

machines (Array): An object that contains a list of machines associated with the root cause of the Malop. Each machine has an individual GUID.

osType (Enum): The type of operating system found on the machine. Possible values include:

  • LINUX
  • UNKNOWN_OS
  • WINDOWS
  • OSX

connected (Boolean): Indicates whether or not the sensor on the machine is connected to the Cybereason server.

isolated (Boolean): Indicates whether or not the machine is currently isolated from outside communication.

lastConnected (Integer): The time (in epoch) when the sensor was last seen as connected to the Cybereason server.

adOU (String): The organizational unit associated with this machine according to Active Directory information.

adOrganization (String): The organization details associated with this machine according to Active Directory information.

adDisplayName (String): The machine display name according to Active Directory information.

adDNSHostName (String): The DNS host according to Active Directory information.

adDepartment (String): The department associated with this machine according to Active Directory information.

adCompany (String): The company associated with this machine according to Active Directory information.

adLocation (String): The location for the machine according to the Active Directory information.

adMachineRole (String): The machine role according to Active Directory information.

pylumID (String): The unique identifier the Cybereason platform assigned to the sensor installed on the machine.

labels (String): Details on the Malop's labels.

priority (Enum): The priority of this Malop. Possible values include:

  • LOW
  • MEDIUM
  • HIGH

If there is no priority set, this value returns null.

decisionStatuses (Enum): The prevention action that the Cybereason platform applied to this Malop. Possible values include:

  • DDS_UNKNOWN
  • DDS_DETECTED
  • DDS_PREVENTED
  • DDS_FAILURE
  • DDS_QUARANTINED
  • DDS_WHITELISTED
  • DDS_DISINFECTED
  • DDS_USER_DETECT_ONLY
  • DDS_DELETE_AFTER_REBOOT
  • DDS_FAILED_TO_PREVENT
  • DDS_FAILED_TO_QUARANTINE
  • DDS_COLLECTED
  • DDS_MITIGATED

severity (Enum): The severity for the Malop. Possible values include:

  • Low
  • Medium
  • High

detectionValues (String): The event detection for this Endpoint Protection Malop.

detectionValueTypes (Enum): The detection type for the file. Possible values include:

  • DVT_DOMAIN
  • DVT_FILE
  • DVT_SIGNATURE
  • DVT_MODULE

description (String): The description the Cybereason platform uses for this type of Malop.

hasAnyScanEvent (Boolean): Indicates whether the Malop had any events discovered in a scan.

activeProcessesCount (Integer): The count of any processes associated with the Malop that are still active.

totalProcessesCount (Integer): The count of the total number of processes associated with the Malop.

processes (Array): An object that contains a list of processes associated with the root cause of the Malop. Each process has an individual GUID.

pid (Integer): The Process ID number in the operating system.

commandLines (String): The command line for the processes associated with the Malop.

decodedCommandLines (String): The command line that was decoded for any obfuscated command lines.

calculatedUser (String): The user account under which the process is run.

commandLine (String): The command line used with this specific process.

iconBase64 (String): The icon used for the image file associated with this Malop.

files (Array): An object containing details on the files associated with the Malop.

sha1String (String): The SHA1 hash value for the file associated with the Malop.

correctedPath (String): The path to the file associated with the Malop.

signer (String): The name of the company that signed the image file associated with the Malop.

fileClassificationType (Enum): The file classification that the Cybereason platform assigned to the file. Possible values include:

  • blacklist
  • av_detected
  • hacktool
  • maltool
  • malware
  • indifferent
  • no_type_found
  • ransomware
  • sinkholed
  • suspicious
  • unknown
  • unresolved
  • unwanted
  • whitelist

filePaths (String): The path to the file associated with the Malop.

modifiedTime (Integer): The time (in epoch) when the file was last modified.

quarantined (Boolean): Indicates whether the file associated with the Malop has been quarantined.

fileHash (String): The file hash value for the file associated with the Malop.

scriptDetectionTypes (Enum): The type of detection that the PowerShell Protection script analysis used. Possible values include:

  • SDT_UNKNOWN
  • SDT_PS_UNKNOWN
  • SDT_PS_INVOKE_EXPRESSION_AFTER_DOWNLOAD_STRING
  • SDT_PS_DOWNLOAD_FROM_MALICIOUS_DOMAIN
  • SDT_PS_EXECUTE_MALICIOUS_ACTIVITY
  • SDT_PS_MALICIOUS_FLOATING_MODULE

users (Array): An object that contains a list of users associated with the root cause of the Malop. Each user has an individual GUID.

admin (Boolean): Indicates whether a user has administrative privileges on the machine.

localSystem (Boolean): Indicates whether the user has local system privileges on the machine.

domainUser (Boolean): Indicates whether a user is a domain user on the machine.

ownerMachine (String): The machine on which the item, such as a process or file, is found.

ownerMachineName (String): The name of the machine on which the item, such as a file or process associated with the Malop, is found.

ownerMachineGuid (String): The unique identifier used by the Cybereason platform for the machine on which the item, such as a file or process associated with the Malop, was found.

elementDisplayName (String): The name of the item, such as a file or process, associated with the Malop.

creationTime (Integer): The time (in epoch) when the Cybereason platform generated this Malop or an item such as a file or process was created.

lastUpdateTime (Integer): The time (in epoch) when this Malop was last updated by the Cybereason platform or an item (file, process, and so forth) was updated.

edr (Boolean): Indicates whether the Malop is an Auto Hunt Malop or an Endpoint Protection Malop.

escalated (Boolean): Indicates whether someone has marked the Malop as escalated.


Response Failure Schema

None


Important Response Fields

Important information is found in these fields:

  • status parameter: The status for this specific Malop.

  • displayName parameter: The name of the Malop (usually the process name or logon session name that is the root cause of the Malop).

  • rootCauseElementType parameter: The Element identified as the root cause of the Malop.

  • detectionEngines parameter: The method by which the Cybereason platform detected the malicious activity.

  • malopDetectionType parameter: The type of Malop.

  • machines object: An object containing details on the machines associated with the Malop.

  • users object: An object containing details on the users associated with the Malop.

  • files object: An object containing details on the files associated with the Malop.

  • processes object: An object containing details on the processes associated with the Malop.

  • creationTime parameter: The timestamp (in epoch) when the Malop was generated by the platform.

  • lastUpdateTime parameter: The timestamp (in epoch) when the Malop was last updated with additional information.

  • severity parameter: The assigned severity for the Malop.

  • filePaths parameter: The path to the file (if a file is the root cause Element of the Malop).

  • commandLines parameter: The command line used by the process (if a file is the root cause of a Malop).

  • fileHash parameter: The hash value of the file (if a file is the root cause Element of the Malop).


Example: Retrieve Malop details

Request

curl --request POST \
  --url https://12.34.56.78/rest/detection/details \
  --header 'Content-Type:application/json' \
  --data '{
            "malopGuid":"11.-7739814009106746960"
          }'

Response

{
  "guid":"11.-7739814009106746960",
  "status":"Closed",
  "displayName":"_outputadc485f.exe",
  "rootCauseElementType":"File",
  "rootCauseElementNamesCount":1,
  "detectionEngines":["AntiVirus"],
  "detectionTypes":["Known malware"],
  "malopDetectionType":"KNOWN_MALWARE",
  "machines": [
                {
                  "guid":"16789215.1198775089551518743",
                  "displayName":"A07-B08",
                  "osType":"WINDOWS",
                  "connected":true,
                  "isolated":false,
                  "lastConnected":1567303896673,
                  "adOU":null,
                  "adOrganization":null,
                  "adDisplayName":null,
                  "adDNSHostName":null,
                  "adDepartment":null,
                  "adCompany":null,
                  "adLocation":null,
                  "adMachineRole":null,
                  "pylumId":"PYLUMCLIENT_NSS-AUG19_A07-B08_0050568DA00B"
                }
              ],
  "users":null,
  "creationTime":1566536032000,
  "lastUpdateTime":1566561957000,
  "labels":"nulcl",
  "iconBase64":null,
  "priority":null,
  "decisionStatuses":["Disinfect"],
  "severity":"Low",
  "signer":null,
  "fileClassificationType":"av_detected",
  "filePaths": ["c:\\users\\admin\\downloads\\_outputadc485f.exe"],
  "commandLines":[],
  "decodedCommandLines":[],
  "detectionValues":["Trojan.GenericKD.41607134"],
  "detectionValueTypes":["DVT_FILE"],
  "fileHash":"4ffb2c3b932d9e2c105d84618a05af22ec515912",
  "scriptDetectionTypes":["SDT_UNKNOWN"],
  "descriptions":["Known malware with 4 file names was detected"],
  "hasAnyScanEvent":false,
  "activeProcessesCount":0,
  "totalProcessesCount":0,
  "processes":[],
  "files":[
            {
              "guid":"1696013243.-2055634601357941533",
              "ownerMachineName":"a07-b33",
              "ownerMachineGuid":"1696013243.1198775089551518743",
              "sha1String":"4ffb2c3b932d9e2c105d84618a05af22ec515912",
              "correctedPath":"c:\\users\\admin\\downloads\\_outputadc485f.exe",
              "modifiedTime":null,
              "elementDisplayName":"_outputadc485f.exe",
              "quarantined":false
            }
          ],
  "edr":false,
  "escalated":false
}
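As an added example (not part of the Cybereason documentation), a small standard-library Python client that builds the request shown above, treats the documented 400 as an invalid Malop ID, and reduces a response like the one above to the fields the page lists as important, plus two derived triage flags. The base URL and the session cookie string are assumptions, and the embedded sample is an abridged, constructed copy of the page's example response so the code runs offline.

```python
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

def build_request(base_url, malop_guid, cookie):
    """POST detection/details with the JSON body the page specifies; `cookie` is the
    session cookie string obtained from the login call (assumed already available)."""
    body = json.dumps({"malopGuid": malop_guid}).encode()
    return urllib.request.Request(f"{base_url}/rest/detection/details", data=body, method="POST",
                                  headers={"Content-Type": "application/json", "Cookie": cookie})

def fetch_malop_details(base_url, malop_guid, cookie):
    """Send the request exactly once: the page warns that re-sending while a slow
    response is pending can cause unexpected results, so there is no retry loop."""
    try:
        with urllib.request.urlopen(build_request(base_url, malop_guid, cookie), timeout=300) as r:
            return json.load(r)
    except urllib.error.HTTPError as e:
        if e.code == 400:  # documented meaning: the Malop ID is not valid
            raise ValueError(f"Malop ID is not valid: {malop_guid}") from e
        raise

def summarize(malop):
    """Reduce a response to the fields the page calls important, plus two derived
    triage flags: hosts that can still run the file, and copies not yet quarantined."""
    machines, files = malop.get("machines") or [], malop.get("files") or []
    return {
        "guid": malop["guid"], "status": malop["status"], "severity": malop.get("severity"),
        "root_cause": (malop.get("rootCauseElementType"), malop.get("displayName")),
        "engines": malop.get("detectionEngines") or [],
        # Times in the response are epoch milliseconds; render as UTC ISO 8601.
        "created": datetime.fromtimestamp(malop["creationTime"] / 1000, tz=timezone.utc)
                   .strftime("%Y-%m-%dT%H:%M:%SZ"),
        "sha1s": sorted({f["sha1String"] for f in files if f.get("sha1String")}),
        "exposed_hosts": [m["displayName"] for m in machines
                          if m.get("connected") and not m.get("isolated")],
        "unquarantined": [f["correctedPath"] for f in files if not f.get("quarantined")],
        "active_processes": malop.get("activeProcessesCount", 0),
    }

# Constructed sample, abridged from the page's example response, so this runs offline.
SAMPLE = {
    "guid": "11.-7739814009106746960", "status": "Closed", "severity": "Low",
    "displayName": "_outputadc485f.exe", "rootCauseElementType": "File",
    "detectionEngines": ["AntiVirus"], "creationTime": 1566536032000, "activeProcessesCount": 0,
    "machines": [{"displayName": "A07-B08", "connected": True, "isolated": False}],
    "files": [{"sha1String": "4ffb2c3b932d9e2c105d84618a05af22ec515912", "quarantined": False,
               "correctedPath": "c:\\users\\admin\\downloads\\_outputadc485f.exe"}],
}
```

Run `summarize(SAMPLE)` to see the triage view of the page's example; `fetch_malop_details` is only needed against a live server.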