Get Malop Details

Endpoint URL: https://<your server>/rest/detection/details
Endpoint URI: detection/details

Action: POST

Returns details about a specified Endpoint Protection Malop. If you want to retrieve details for AI Hunt Malops, see Get Details on a Specific AI Hunt Malop.

This request is supported for versions 20.1.43 and later.

Note

Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.

Request Headers

You must add an Content-Type:application/json header with the request.

Note

If you are using cURL, add the authorization cookie details or the path to the file containing the cookie details as part of every request.

Request Body

Input: JSON

Download JSON syntax file

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

Note

When sending this request, there may be a delay in returning a response, depending on how much data and activity is in your system. Ensure you do not send this request multiple times while waiting for a response as this may cause unexpected results and performance issues in your environment.

{
	"malopGuid":"<malop ID>"
}

Request Parameters

URL/URI parameters: none

Request Body Parameters: Add the unique GUID string the Cybereason platform uses for the Malop.

Response Status Codes

This request can return the following status codes:

• 200: Success OK

• 400: Malop ID is not valid

Response Success Schema

The response contains the following fields:

Field	Type	Description
guid	Integer	The unique identifier the Cybereason platform assigns to the item. Note that the first guid parameter in the response is the GUID for the Malop. Other guid parameters refer to a specific items like a file or a process.
status	Enum	The status of the specific Malop. Possible values include: Active Remediated Closed Excluded
displayName	String	The name for the Malop or related Element in the Malops management screen or Malop details screen.
detectionEngines	Enum	The detection engine that generates the Malop. Possible values include: AntiVirus StaticAnalysis ApplicationControl Script Document Mobile AntiExploit
detectionTypes	Enum	The type of detection for the root cause. Possible values include: Blacklist Command and Control Credential theft Custom rule Data transmission volume Elevated access Extension manipulation Injected process Known malware Lateral Movement Unknown malware Malicious tool Known malware Mobile Device Persistence Phishing Process injection PUP Ransomware Reconnaissance Unauthorized Compromised user Unknown Potentially unwanted program
malopDetectionType	Enum	The category of detection that recognized the malicious behavior. Possible values include: BLACKLIST CNC UNAUTHORIZED_USER CREDENTIAL_THEFT DATA_TRANSMISSION_VOLUME ELEVATED_ACCESS EXTENSION_MANIPULATION HIJACKED_PROCESS KNOWN_MALWARE MALWARE_PROCESS MALICIOUS_PROCESS MALICIOUS_TOOL_PROCESS PUP PERSISTENCE PHISHING UNWANTED_PROCESS RANSOMWARE RECONNAISSANCE UNAUTHORIZED_AUTH UNKNOWN
machines	Array	An object that contains a list of machines associated with the root cause of the Malop. Each machine has an individual GUID.
osType	Enum	The type of operating system found on the machine. Possible values include: LINUX UNKNOWN_OS WINDOWS OSX
connected	Boolean	Indicates whether or not the sensor on the machine is connected to the Cybereason server.
isolated	Boolean	Indicates whether or not the machine is currently isolated from outside communication.
lastConnected	Integer	The time (in epoch) when the sensor was last seen as connected to the Cybereason server.
adOU	String	The organizational unit associated with this machine according to Active Directory information.
adOrganization	String	The organization details associated with this machine according to Active Directory information.
adDisplayName	String	The machine display name according to Active Directory information.
adDNSHostName	String	The DNS host according to Active Directory information.
adDepartment	String	The department associated with this machine according to Active Directory information.
adCompany	String	The company associated with this machine according to Active Directory information.
adLocation	String	The location for the machine according to the Active Directory information.
adMachineRole	String	The machine role according to Active Directory information.
pylumID	String	The unique identifier the Cybereason platform assigned to the sensor installed on the machine.
labels	String	Details on the Malop’s labels
priority	Enum	The priority of this Malop. Possible values include: LOW MEDIUM HIGH If there is no priority set, this value returns null.
decisionStatuses	Enum	The prevention action that the Cybereason platform applied to this Malop. Possible values include: DDS_UNKNOWN DDS_DETECTED DDS_PREVENTED DDS_FAILURE DDS_QUARANTINED DDS_WHITELISTED DDS_DISINFECTED DDS_USER_DETECT_ONLY DDS_DELETE_AFTER_REBOOT DDS_FAILED_TO_PREVENT DDS_FAILED_TO_QUARANTINE DDS_COLLECTED DDS_MITIGATED
severity	Enum	The severity for the Malop. Possible values include: Low Medium High
detectionValues	String	The event detection for this Endpoint Protection Malop.
detectionValueTypes	Enum	The detection type for the file. Possible values include: DVT_DOMAIN DVT_FILE DVT_SIGNATURE DVT_MODULE
description	String	The description the Cybereason platform uses for this type of Malop.
hasAnyScanEvent	Boolean	Indicates whether the Malop had any events discovered in a scan.
activeProcessesCount	Integer	The count of any processes associated with the Malop that are still active.
totalProcessesCount	Integer	The count of the total number of processes associated with the Malop.
processes	Array	An object that contains a list of processes associated with the root cause of the Malop. Each user has an individual GUID.
pid	Integer	The Process ID number in the operating system.
commandLines	String	The command line for the processes associated with the Malop.
decodedCommandLines	String	The command line that was decoded for any obfuscated command lines.
calculatedUser	String	The user account under which the process is run.
commandLine	String	The command line used with this specific process.
iconBase64	String	The icon used for the image file associated with this Malop.
files	Array	An object containing details on the files associated with the Malop.
sha1String	String	The SHA1 hash value for the file associated with the Malop.
correctedPath	String	The path to the file associated with the Malop.
signer	String	The name of the company that signed the image file associated with the Malop.
fileClassificationType	Enum	The file classification that the Cybereason platform assigned to the file. Possible values include: blacklist av_detected hacktool maltool malware indifferent no_type_found ransomware sinkholed suspicious unknown unresolved unwanted whitelist
filePaths	String	The path to the file associated with the Malop.
modifiedTime	Integer	The time (in epoch) when the file was last modified.
quarantined	Boolean	Indicates whether the file associated with the Malop has been quarantined.
fileHash	String	The file hash value for the file associated with the Malop.
scriptDetectionTypes	Enum	The type of detection that the PowerShell Protection script analysis used. Possible values include: SDT_UNKNOWN SDT_PS_UNKNOWN SDT_PS_INVOKE_EXPRESSION_AFTER_DOWNLOAD_STRING SDT_PS_DOWNLOAD_FROM_MALICIOUS_DOMAIN SDT_PS_EXECUTE_MALICIOUS_ACTIVITY SDT_PS_MALICIOUS_FLOATING_MODULE
users	Array	An object that contains a list of users associated with the root cause of the Malop. Each user has an individual GUID.
admin	Boolean	Indicates whether a user has administrative privileges on the machine.
localSystem	Boolean	Indicates whether the user has local system privileges on the machine.
domainUser	Boolean	Indicates whether a user is a domain user on the machine.
ownerMachine	String	The machine on which the item such as a process or file is found.
ownerMachineName	String	The name of the machine on which the item such as a file or process associated with the Malop is found.
ownerMachineGuid	String	The unique identifier used by the Cybereason platform for the machine on which the item such as a file or process associated with the Malop was found.
elementDisplayName	String	The name of the item, such as a file or process associated with the Malop.
creationTime	Integer	The time (in epoch) when the Cybereason platform generated this Malop or an item such as a file or process was created.
lastUpdateTime	Integer	The time (in epoch) when this Malop was last updated by the Cybereason platform or an item (file, process, and so forth) was updated.
edr	Boolean	Indicates whether the Malop is an Auto Hunt Malop or an Endpoint Protection Malop.
escalated	Boolean	Indicates whether someone has marked the Malop as escalated.

Response Failure Schema

None

Important Response Fields

Important information is found in these fields:

• status parameter: The status for this specific Malop.

• displayName parameter: The name of the Malop (usually the process name or logon session name that is the root cause of the Malop).

• rootCauseElementType parameter: The Element identified as the root cause of the Malop.

• detectionEngines parameter: The method by which the Cybereason platform detected the malicious activity.

• malopDetectionType parameter: The type of Malop.

• machines object: An object containing details on the machines associated with the Malop.

• users object: An object containing details on the users associated with the Malop.

• files object: An object containing details on the files associated with the Malop.

• processes object: An object containing details on the processes associated with the Malop.

• creationTime parameter: The timestamp (in epoch) when the Malop was generated by the platform.

• lastUpdateTime parameter: The timestamp (in epoch) when the Malop was last updated with additional information.

• severity parameter: The assigned severity for the Malop.

• filePaths parameter: The path to the file (if a file is the root cause Element of the Malop).

• commandLines parameter: The command line used by the process (if a file is the root cause of a Malop).

• fileHash parameter: The hash value of the file (if a file is the root cause Element of the Malop).

Example: Retrieve Malop details

CURLREST API ClientPython

Request

curl --request POST \
  --url https://12.34.56.78/rest/detection/details \
  --header 'Content-Type:application/json' \
  --data '{
            "malopGuid":"11.-7739814009106746960"
          }'

Response

{
  "guid":"11.-7739814009106746960",
  "status":"Closed",
  "displayName":"_outputadc485f.exe",
  "rootCauseElementType":"File",
  "rootCauseElementNamesCount":1,
  "detectionEngines":["AntiVirus"],
  "detectionTypes":["Known malware"],
  "malopDetectionType":"KNOWN_MALWARE",
  "machines": [
                {
                  "guid":"16789215.1198775089551518743",
                  "displayName":"A07-B08",
                  "osType":"WINDOWS",
                  "connected":true,
                  "isolated":false,
                  "lastConnected":1567303896673,
                  "adOU":null,
                  "adOrganization":null,
                  "adDisplayName":null,
                  "adDNSHostName":null,
                  "adDepartment":null,
                  "adCompany":null,
                  "adLocation":null,
                  "adMachineRole":null,
                  "pylumId":"PYLUMCLIENT_NSS-AUG19_A07-B08_0050568DA00B"
                }
              ],
  "users":null,
  "creationTime":1566536032000,
  "lastUpdateTime":1566561957000,
  "labels":"nulcl",
  "iconBase64":null,
  "priority":null,
  "decisionStatuses":["Disinfect"],
  "severity":"Low",
  "signer":null,
  "fileClassificationType":"av_detected",
  "filePaths": ["c:\\users\\admin\\downloads\\_outputadc485f.exe"],
  "commandLines":[],
  "decodedCommandLines":[],
  "detectionValues":["Trojan.GenericKD.41607134"],
  "detectionValueTypes":["DVT_FILE"],
  "fileHash":"4ffb2c3b932d9e2c105d84618a05af22ec515912",
  "scriptDetectionTypes":["SDT_UNKNOWN"],
  "descriptions":["Known malware with 4 file names was detected"],
  "hasAnyScanEvent":false,
  "activeProcessesCount":0,
  "totalProcessesCount":0,
  "processes":[],
  "files":[
            {
              "guid":"1696013243.-2055634601357941533",
              "ownerMachineName":"a07-b33",
              "ownerMachineGuid":"1696013243.1198775089551518743",
              "sha1String":"4ffb2c3b932d9e2c105d84618a05af22ec515912",
              "correctedPath":"c:\\users\\admin\\downloads\\_outputadc485f.exe",
              "modifiedTime":null,
              "elementDisplayName":"_outputadc485f.exe",
              "quarantined":false
            }
          ],
  "edr":false,
  "escalated":false
}