Find MalOps where the Automatic Protection Action Failed
For many Endpoint Protection MalOps, the Cybereason platform performs an automatic protection action, baesd on the settings in your sensor policy. However, at times, the action may have failed for any number of reasons. As an analyst, you will want to know for which MalOps these actions failed so you can take manual steps to resolve the threat represented in the MalOp.
Follow these steps to search for MalOps:
Step 1: Build the request to retrieve MalOps
To help you identify the MalOps where the protection action failed, you need to build a query that filters by the protection action taken.
For Endpoint Protection MalOps, the MalOp is based on the MalopDetectionEvents Element. You can filter the results by the decisionStatus Feature. You build the query to return items where the value of the decisionStatus Feature is DDS_FAILED_TO_PREVENT or DDS_FAILED_TO_QUARANTINE.
To build the request, replace the placeholders in the relevant cURL command, request body example, or Python script:
curl --request POST \
--url https://<your server>/rest/visualsearch/query/simple \
--header 'Content-Type:application/json' \
--data '{
"queryPath":[
{
"requestedType":"MalopDetectionEvents",
"filters":[
{
"facetName":"decisionStatus",
"values":["DDS_FAILED_TO_PREVENT","DDS_FAILED_TO_QUARANTINE"]
}
],
"isResult":True
}
],
"totalResultLimit":10000,
"perGroupLimit":100,
"perFeatureLimit":100,
"templateContext":"SPECIFIC",
"queryTimeout":120000,
"pagination":{
"pageSize":1000
},
"customFields":[
"elementDisplayName",
"decisionStatuses"
]
}'
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
{
"queryPath":[
{
"requestedType":"MalopDetectionEvents",
"filters":[
{
"facetName":"decisionStatus",
"values":["DDS_FAILED_TO_PREVENT","DDS_FAILED_TO_QUARANTINE"]
}
],
"isResult": true
}
],
"totalResultLimit":10000,
"perGroupLimit":100,
"perFeatureLimit":100,
"templateContext":"SPECIFIC",
"queryTimeout":120000,
"pagination":{
"pageSize":1000
},
"customFields":[
"elementDisplayName",
"decisionStatuses"
]
}
Note
The code in this sample is repeated in the samples below. You do not need to run the script now but it is used here to help you understand how you build the request.
All Python examples are formatted for Python version 3.0 and higher, up to the latest Python version. If you are using versions of Python earlier than 3.0, ensure you manually remove parentheses for the print statements in this sample. For example, the print (response.content) statement updates to print response.content.
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
import requests
import json
# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"
data = {
"username": username,
"password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print (login_response.status_code)
print (session.cookies.items())
# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url
# These are the variables that represent different fields in the request.
query_element_1_filter_1 = "decisionStatus"
query_element_1_filter_1_value_1 = "DDS_FAILED_TO_PREVENT"
query_element_1_filter_1_value_2 = "DDS_FAILED_TO_QUARANTINE"
query = json.dumps({"queryPath":[{"requestedType":"MalopDetectionEvents","filters":[{"facetName":query_element_1_filter_1,"values":[query_element_1_filter_1_value_1,query_element_1_filter_1_value_2]}],"isResult": true}],"totalResultLimit":10000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"pagination":{"pageSize":1000},"customFields":["elementDisplayName","decisionStatuses"]})
api_headers = {'Content-Type':'application/json'}
api_response = session.request("POST", api_url, data=query, headers=api_headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Step 2: Run your request and generate the response
In the command line, REST API client, or IDE, run the command or script that contains the request. After a few seconds, the Cybereason API returns a response.
Step 3: Evaluate the response
The response contains a large number fields. Focus on these fields for meaningful information:
Example
{
"data": {
"resultIdToElementDataMap": {
"AAAA1kFkoAiE4Tf9": {
"simpleValues": {
"decisionStatuses": {
"totalValues": 1,
"values": [
"DDS_FAILED_TO_PREVENT"
]
},
"elementDisplayName": {
"totalValues": 1,
"values": [
""
]
}
},
"elementValues": {},
"suspicions": {},
"filterData": {
"sortInGroupValue": "",
"groupByValue": ""
},
"isMalicious": false,
"suspicionCount": 0,
"guidString": "AAAA1kFkoAiE4Tf9",
"labelsIds": null,
"malopPriority": null,
"suspect": false,
"malicious": false
}
},
"suspicionsMap": {},
"evidenceMap": {},
"totalResults": 1,
"totalPossibleResults": 1,
"guessedPossibleResults": 1,
"queryLimits": {
"totalResultLimit": 100,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"groupingFeature": {
"elementInstanceType": "MalopDetectionEvents",
"featureName": "self"
},
"sortInGroupFeature": null
},
"queryTerminated": false,
"pathResultCounts": [
{
"featureDescriptor": {
"elementInstanceType": "MalopDetectionEvents",
"featureName": null
},
"count": 1
}
],
"guids": [
"AAAA1kFkoAiE4Tf9"
],
"paginationToken": null,
"executionUUID": "23505f1c-c6c2-42a9-8bc5-ab3a1f4137e4",
"quapiMeasurementData": {
"timeToGetGuids": [
67
],
"timeToGetData": [
24
],
"timeToGetAdditionalData": [
0
],
"totalQuapiQueryTime": [
93
],
"startTime": [
1682008688827
],
"endTime": [
1682008688921
]
}
},
"status": "SUCCESS",
"hidePartialSuccess": false,
"message": "",
"expectedResults": 0,
"failures": 0,
"failedServersInfo": null
}