Find MalOps where the Automatic Protection Action Failed

For many Endpoint Protection MalOps, the Cybereason platform performs an automatic protection action, based on the settings in your sensor policy. However, at times the action may fail for any number of reasons. As an analyst, you will want to know for which MalOps these actions failed so you can take manual steps to resolve the threat represented by the MalOp.

Step 1: Build the request to retrieve MalOps

To help you identify the MalOps where the protection action failed, you need to build a query that filters by the protection action taken.

For Endpoint Protection MalOps, the MalOp is based on the MalopDetectionEvents Element. You can filter the results by the decisionStatus Feature. You build the query to return items where the value of the decisionStatus Feature is DDS_FAILED_TO_PREVENT or DDS_FAILED_TO_QUARANTINE.

To build the request, replace the placeholders in the relevant cURL command, request body example, or Python script:

curl --request POST \
     --url https://<your server>/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
               "queryPath":[
                  {
                     "requestedType":"MalopDetectionEvents",
                     "filters":[
                        {
                           "facetName":"decisionStatus",
                           "values":["DDS_FAILED_TO_PREVENT","DDS_FAILED_TO_QUARANTINE"]
                        }
                     ],
                     "isResult":true
                  }
               ],
               "totalResultLimit":10000,
               "perGroupLimit":100,
               "perFeatureLimit":100,
               "templateContext":"SPECIFIC",
               "queryTimeout":120000,
               "pagination":{
                  "pageSize":1000
               },
               "customFields":[
                  "elementDisplayName",
                  "decisionStatuses"
               ]
             }'

Step 2: Run your request and generate the response

In the command line, REST API client, or IDE, run the command or script that contains the request. After a few seconds, the Cybereason API returns a response.

Step 3: Evaluate the response

The response contains a large number of fields. Focus on the fields you requested in the query (decisionStatuses and elementDisplayName, under resultIdToElementDataMap) for meaningful information:

Example

{
 "data": {
     "resultIdToElementDataMap": {
         "AAAA1kFkoAiE4Tf9": {
             "simpleValues": {
                 "decisionStatuses": {
                     "totalValues": 1,
                     "values": [
                         "DDS_FAILED_TO_PREVENT"
                     ]
                 },
                 "elementDisplayName": {
                     "totalValues": 1,
                     "values": [
                         ""
                     ]
                 }
             },
             "elementValues": {},
             "suspicions": {},
             "filterData": {
                 "sortInGroupValue": "",
                 "groupByValue": ""
             },
             "isMalicious": false,
             "suspicionCount": 0,
             "guidString": "AAAA1kFkoAiE4Tf9",
             "labelsIds": null,
             "malopPriority": null,
             "suspect": false,
             "malicious": false
         }
     },
     "suspicionsMap": {},
     "evidenceMap": {},
     "totalResults": 1,
     "totalPossibleResults": 1,
     "guessedPossibleResults": 1,
     "queryLimits": {
         "totalResultLimit": 100,
         "perGroupLimit": 100,
         "perFeatureLimit": 100,
         "groupingFeature": {
             "elementInstanceType": "MalopDetectionEvents",
             "featureName": "self"
         },
         "sortInGroupFeature": null
     },
     "queryTerminated": false,
     "pathResultCounts": [
         {
             "featureDescriptor": {
                 "elementInstanceType": "MalopDetectionEvents",
                 "featureName": null
             },
             "count": 1
         }
     ],
     "guids": [
         "AAAA1kFkoAiE4Tf9"
     ],
     "paginationToken": null,
     "executionUUID": "23505f1c-c6c2-42a9-8bc5-ab3a1f4137e4",
     "quapiMeasurementData": {
         "timeToGetGuids": [
             67
         ],
         "timeToGetData": [
             24
         ],
         "timeToGetAdditionalData": [
             0
         ],
         "totalQuapiQueryTime": [
             93
         ],
         "startTime": [
             1682008688827
         ],
         "endTime": [
             1682008688921
         ]
     }
 },
 "status": "SUCCESS",
 "hidePartialSuccess": false,
 "message": "",
 "expectedResults": 0,
 "failures": 0,
 "failedServersInfo": null
}
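The three steps above carried out end to end, as an added example that is not part of the original page and not Cybereason's own script: build_query() reproduces the request body from Step 1, send_query() posts it (Step 2), and summarize_failures() reduces a response like the one in Step 3 to the MalOps whose protection action failed. The page does not show how the session is authenticated, so send_query() takes an extra_headers dict for whatever your session needs (an assumption). The sample response embedded below is constructed: the first entry mirrors the page's example (GUID AAAA1kFkoAiE4Tf9, empty display name), the second entry (GUID "CONSTRUCTED-0002", name "sample.exe") is made up to show a DDS_FAILED_TO_QUARANTINE result.

```python
import json
import urllib.request

# The two decisionStatus values the page names as failed protection actions.
FAILED_STATUSES = ("DDS_FAILED_TO_PREVENT", "DDS_FAILED_TO_QUARANTINE")


def build_query(statuses=FAILED_STATUSES, page_size=1000):
    """Return the request body shown in Step 1 as a Python dict."""
    return {
        "queryPath": [
            {
                "requestedType": "MalopDetectionEvents",
                "filters": [
                    {"facetName": "decisionStatus", "values": list(statuses)}
                ],
                "isResult": True,  # serialises to JSON true
            }
        ],
        "totalResultLimit": 10000,
        "perGroupLimit": 100,
        "perFeatureLimit": 100,
        "templateContext": "SPECIFIC",
        "queryTimeout": 120000,
        "pagination": {"pageSize": page_size},
        "customFields": ["elementDisplayName", "decisionStatuses"],
    }


def send_query(server, body, extra_headers=None):
    """POST the body to /rest/visualsearch/query/simple (Step 2).

    Authentication is not shown on the page; pass whatever header your
    session requires in extra_headers (assumption).
    """
    url = f"https://{server}/rest/visualsearch/query/simple"
    headers = {"Content-Type": "application/json"}
    headers.update(extra_headers or {})
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req, timeout=150) as resp:
        return json.load(resp)


def _values(element, field):
    """Return the 'values' list of one customField from an element's simpleValues."""
    return element.get("simpleValues", {}).get(field, {}).get("values", [])


def summarize_failures(response):
    """Reduce a Step 3 response to the MalOps whose protection action failed."""
    if response.get("status") != "SUCCESS":
        raise RuntimeError(f"query did not succeed: {response.get('message')!r}")
    data = response["data"]
    failed = []
    for guid, element in data.get("resultIdToElementDataMap", {}).items():
        statuses = [s for s in _values(element, "decisionStatuses") if s in FAILED_STATUSES]
        if not statuses:
            continue
        # elementDisplayName can be an empty string, as in the page's example.
        names = [n for n in _values(element, "elementDisplayName") if n]
        failed.append({
            "guid": guid,
            "name": names[0] if names else "<no display name>",
            "statuses": statuses,
        })
    return {
        "failed": failed,
        "total_results": data.get("totalResults", 0),
        "total_possible": data.get("totalPossibleResults", 0),
        "query_terminated": bool(data.get("queryTerminated", False)),
    }


def _element(statuses, name):
    """Build one constructed resultIdToElementDataMap entry for the sample."""
    return {
        "simpleValues": {
            "decisionStatuses": {"totalValues": len(statuses), "values": list(statuses)},
            "elementDisplayName": {"totalValues": 1, "values": [name]},
        },
        "elementValues": {}, "suspicions": {},
        "isMalicious": False, "suspicionCount": 0, "malicious": False, "suspect": False,
    }


# Constructed sample response; the first entry mirrors the page's example.
SAMPLE_RESPONSE = {
    "data": {
        "resultIdToElementDataMap": {
            "AAAA1kFkoAiE4Tf9": _element(["DDS_FAILED_TO_PREVENT"], ""),
            "CONSTRUCTED-0002": _element(["DDS_FAILED_TO_QUARANTINE"], "sample.exe"),
        },
        "totalResults": 2, "totalPossibleResults": 2,
        "queryTerminated": False, "paginationToken": None,
    },
    "status": "SUCCESS", "message": "", "failures": 0,
}

if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_RESPONSE)
    for malop in summary["failed"]:
        print(malop["guid"], malop["name"], ", ".join(malop["statuses"]))
    if summary["total_possible"] > summary["total_results"] or summary["query_terminated"]:
        print("warning: not all matching MalOps were returned; page further or raise limits")
```

The two checks at the end are the ones worth keeping in an analyst script: totalPossibleResults greater than totalResults means the page you received is not the full set, and queryTerminated set to true means the query was cut short, so a list that looks empty or complete may not be.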