View Suspicion and Evidence Details

When Cybereason returns a response, the response includes Suspicion information for each individual result and a summary of Suspicions associated with the queried Elements.

In each result instance, there is a suspicions object. This object contains the name of the Suspicion and the unique GUID Cybereason assigns to the Suspicion.

The Suspicion summary is reported in the suspicionsMap object. For each Suspicion, this object includes:

  • A count of elements with that Suspicion, in the totalSuspicions object

  • The time when the Suspicion was first seen, in the firstTimestamp object

  • A list of all potential evidence for the Suspicion, in the potentialEvidence object

The response uses this format, where the key is the name of the Suspicion:

{
    "suspicion": {
        "firstTimestamp": "<value>",
        "potentialEvidence": [
            "<evidence>",
            "<evidence>",
            "<evidence>",
            "<evidence>"
        ],
        "totalSuspicions": "<value>"
    }
}

Example: View suspicion data

The following example returns two types of suspicions: a DGA suspicion and an injection suspicion (specifically, a process that hosts an injected thread). The DGA suspicion appears on one element, and the evidence that raised it is one or more of the items listed in its potentialEvidence array. The injected-thread suspicion appears on two elements and is raised by the single evidence item shown.

{
  "dgaSuspicion": {
    "firstTimestamp": 1447276254985,
    "potentialEvidence": [
      "manyUnresolvedRecordNotExistsEvidence",
      "detectedInjectedEvidence",
      "hostingInjectedThreadEvidence",
      "highUnresolvedToResolvedRateEvidence"
    ],
    "totalSuspicions": 1
  },
  "hostingInjectedThreadSuspicion": {
    "firstTimestamp": 1447276308470,
    "potentialEvidence": [
      "hostingInjectedThreadEvidence"
    ],
    "totalSuspicions": 2
  }
}
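The following Python script is an added example, not Cybereason's own code: it parses a query response, turns the suspicionsMap summary into a per-Suspicion report with the firstTimestamp converted from epoch milliseconds to UTC, joins each result's suspicions object back to the evidence types that could have raised it, and flags any Suspicion whose totalSuspicions count does not match the number of returned elements carrying it. The suspicionsMap body reuses the values from the example above; the outer envelope ("results", "elementId") and the shape of each result's suspicions object (Suspicion name mapped to its GUID) are assumptions made for this example, as are the GUID values.

```python
"""Summarise Suspicion data from a Cybereason-style query response.

Added example, not Cybereason's own code. The "suspicionsMap" body reuses the
values from the documentation example; the result envelope ("results",
"elementId"), the shape of each result's "suspicions" object (name -> GUID)
and the GUID values are assumptions made for this example.
"""
import json
from datetime import datetime, timezone

# Constructed sample response (assumed envelope, see module docstring).
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"elementId": "element-1",
         "suspicions": {"dgaSuspicion": "11111111-aaaa-4bbb-8ccc-000000000001",
                        "hostingInjectedThreadSuspicion": "11111111-aaaa-4bbb-8ccc-000000000002"}},
        {"elementId": "element-2",
         "suspicions": {"hostingInjectedThreadSuspicion": "11111111-aaaa-4bbb-8ccc-000000000003"}},
        {"elementId": "element-3", "suspicions": {}},
    ],
    "suspicionsMap": {
        "dgaSuspicion": {
            "firstTimestamp": 1447276254985,
            "potentialEvidence": [
                "manyUnresolvedRecordNotExistsEvidence",
                "detectedInjectedEvidence",
                "hostingInjectedThreadEvidence",
                "highUnresolvedToResolvedRateEvidence",
            ],
            "totalSuspicions": 1,
        },
        "hostingInjectedThreadSuspicion": {
            "firstTimestamp": 1447276308470,
            "potentialEvidence": ["hostingInjectedThreadEvidence"],
            "totalSuspicions": 2,
        },
    },
})


def epoch_ms_to_iso(ms):
    """Convert a millisecond epoch timestamp to an ISO 8601 UTC string."""
    return datetime.fromtimestamp(int(ms) // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def summarise_suspicions_map(response_json):
    """Return {name: {"total", "first_seen", "evidence"}} built from suspicionsMap.

    totalSuspicions is coerced to int because the documented format shows a
    string placeholder while the example carries an integer.
    """
    data = json.loads(response_json)
    summary = {}
    for name, entry in data.get("suspicionsMap", {}).items():
        summary[name] = {
            "total": int(entry.get("totalSuspicions", 0)),
            "first_seen": epoch_ms_to_iso(entry["firstTimestamp"]),
            "evidence": list(entry.get("potentialEvidence", [])),
        }
    return summary


def elements_by_suspicion(response_json):
    """Map each Suspicion name to the element ids whose result carries it."""
    data = json.loads(response_json)
    index = {}
    for result in data.get("results", []):
        for name in result.get("suspicions", {}):
            index.setdefault(name, []).append(result["elementId"])
    return index


def element_report(response_json):
    """For each element, list its Suspicions with GUID and the evidence types
    (from suspicionsMap) that could have raised each one."""
    data = json.loads(response_json)
    evidence_for = {n: e.get("potentialEvidence", []) for n, e in data.get("suspicionsMap", {}).items()}
    report = {}
    for result in data.get("results", []):
        report[result["elementId"]] = {
            name: {"guid": guid, "possible_evidence": evidence_for.get(name, [])}
            for name, guid in result.get("suspicions", {}).items()
        }
    return report


def count_mismatches(response_json):
    """Return Suspicion names whose totalSuspicions differs from the number of
    returned elements carrying it, so an analyst can tell whether the page of
    results they hold accounts for every flagged element."""
    totals = summarise_suspicions_map(response_json)
    per_element = elements_by_suspicion(response_json)
    return sorted(n for n, s in totals.items() if s["total"] != len(per_element.get(n, [])))


if __name__ == "__main__":
    for name, s in summarise_suspicions_map(SAMPLE_RESPONSE).items():
        print(f"{name}: {s['total']} element(s), first seen {s['first_seen']}")
        for ev in s["evidence"]:
            print(f"    possible evidence: {ev}")
    print("count mismatches:", count_mismatches(SAMPLE_RESPONSE))
```

The per-element report is the view an analyst usually wants: the suspicionsMap alone says which evidence types can raise a Suspicion, while the join with each result's suspicions object says which elements are actually affected and under which GUID.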