Cybereason

Details
Content
Dependencies
Version History

Download With Dependencies

Endpoint detection and response to manage and query malops, connections and processes.

Note: Support for this Pack moved to the partner on November, 3, 2022.

Please contact the partner directly via the support link on the right.

Pack Contributors

Julian Kaufmann

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Julian Kaufmann

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Note: Support for this Pack moved to the partner on November, 3, 2022.

Please contact the partner directly via the support link on the right.

Pack Contributors

Julian Kaufmann

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Pack Contributors:

Julian Kaufmann

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Automations

Name	Description
CybereasonPreProcessingExample	Preprocessing script to run when fetching Cybereason malops. Will check if malop was already fetched, and will then update the existing incident, otherwise will create a new incident.

Integrations

Name	Description
Cybereason (Partner Contribution)	Endpoint detection and response to manage and query malops, connections and processes.

Playbooks

Name	Description
Cybereason - Download File	This playbook downloads a file from Cybereason platform, based on the Malop ID and username provided.
Unisolate Endpoint - Cybereason	This playbook unisolates a machine based on the hostname provided.
Search Endpoints By Hash - Cybereason	Hunt for endpoint activity involving hash, using Cybereason.
Isolate Endpoint - Cybereason	This playbook isolates a machine based on the hostname provided.
Block File - Cybereason	This playbook accepts an MD5 hash and blocks the file using the Cybereason integration.
Cybereason - Download Close File	This playbook aborts a file download operation which is in progress based on the Malop ID and username provided.

Automations

Name	Description
CybereasonPreProcessingExample	Preprocessing script to run when fetching Cybereason malops. Will check if malop was already fetched, and will then update the existing incident, otherwise will create a new incident.

Integrations

Name	Description
Cybereason (Partner Contribution)	Endpoint detection and response to manage and query malops, connections and processes.

Playbooks

Name	Description
Cybereason - Download File	This playbook downloads a file from Cybereason platform, based on the Malop ID and username provided.
Cybereason - Download Close File	This playbook aborts a file download operation which is in progress based on the Malop ID and username provided.
Block File - Cybereason	This playbook accepts an MD5 hash and blocks the file using the Cybereason integration.
Isolate Endpoint - Cybereason	This playbook isolates a machine based on the hostname provided.
Unisolate Endpoint - Cybereason	This playbook unisolates a machine based on the hostname provided.
Search Endpoints By Hash - Cybereason	Hunt for endpoint activity involving hash, using Cybereason.

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (3)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR

2.1.23 - R3444919 (May 18, 2025)

Integrations

Cybereason

Updated cybereason-query-malop-management
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Scripts

CybereasonPreProcessingExample

Performed safe dictionary extraction
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 38940
- 39381

Download

2.1.22 - R2988287 (March 26, 2025)

Integrations

Cybereason

Metadata and documentation improvements.

Scripts

CybereasonPreProcessingExample

Metadata and documentation improvements.

Related pull requests:
- 39010

Download

2.1.21 - 2459630 (February 13, 2025)

Integrations

Cybereason

Added a new command cybereason-update-malop-investigation-status to update the investigation status for a given MalOp.

Related pull requests:
- 37296
- 38638

Download

2.1.20 - 1946497 (January 8, 2025)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.11.11.1940698.

Related pull requests:
- 37994

Download

2.1.19 - R1931958 (January 6, 2025)

Integrations

Cybereason

Custom Fields Added: Added support for the following custom fields to enhance incident information:
malopcreationtime
malopupdatetime
maloprootcauseelementname
maloprootcauseelementtype
malopseverity
malopdetectiontype
malopedr
malopurl
malopgroup

Scripts

CybereasonPreProcessingExample

Fixed preprocessing script to deal with incident duplication.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37844
- 37058

Download

2.1.18 - 1748140 (December 4, 2024)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.11.10.115186.

Scripts

CybereasonPreProcessingExample

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37528
- 37524
- 37525
- 37526
- 37527

Download

2.1.17 - R1681986 (November 21, 2024)

Integrations

Cybereason

Added a new command cybereason-process-attack-tree to return Attack tree url for a given Process.
Added a new command cybereason-query-malop-management to fetch details of a single management Malop.
Updated the Docker image to: demisto/python3:3.10.13.89009.

Related pull requests:
- 33336
- 33513

Download

2.1.16 - 765039 (January 16, 2024)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32212

Download

2.1.15 - 733853 (January 2, 2024)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31878

Download

2.1.14 - 7033788 (November 30, 2023)

Integrations

Cybereason

Added a new command cybereason-get-machine-details to fetch machine details.
Updated the Docker image to: demisto/python3:3.10.13.81631.

Scripts

CybereasonPreProcessingExample

Updated the Docker image to: demisto/python3:3.10.13.81631.

Related pull requests:
- 30647
- 31225

Download

2.1.13 - 6683114 (October 23, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.13.78960.

Related pull requests:
- 30346

Download

2.1.12 - R6592021 (October 13, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.13.72123.

Related pull requests:
- 29318

Download

2.1.11 - 5910354 (July 30, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.12.66339.

Related pull requests:
- 28580

Download

2.1.10 - R5866730 (July 25, 2023)

Scripts

CybereasonPreProcessingExample

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28088

Download

2.1.9 - R5692327 (July 5, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27745

Download

2.1.8 - 5390938 (May 29, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27028

Download

2.1.7 - 5265019 (May 14, 2023)

Playbooks

Unisolate Endpoint - Cybereason

Fixed a minor bug in the Unisolate Endpoint - Cybereason where the input.hostname is defined returns true when the actual hostname field is empty.

Related pull requests:
- 26048

Download

2.1.6 - 5185403 (May 4, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.11.56857.

Related pull requests:
- 26294

Download

2.1.5 - R5170573 (May 2, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.11.54132.

Related pull requests:
- 25962

Download

2.1.4 - 4923679 (March 29, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.10.50695.

Related pull requests:
- 25583

Download

2.1.3 - 4818573 (March 15, 2023)

Scripts

CybereasonPreProcessingExample

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 25256

Download

2.1.2 - R4718798 (March 1, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24921

Download

2.1.1 - R4646022 (February 19, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.10.47713.

Related pull requests:
- 24569

Download

2.1.0 - 4384217 (January 13, 2023)

Integrations

Cybereason

Added support for polling for Cybereason EPP Malops.
Updated the Docker image to: demisto/python3:3.10.9.42476.

Scripts

CybereasonPreProcessingExample

Updated the Docker image to: demisto/python3:3.10.9.42476.

Related pull requests:
- 23666
- 23476

Download

2.0.0 - 4001473 (November 9, 2022)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.8.37233.
Added 19 commands:
- cybereason-archive-sensor
- cybereason-unarchive-sensor
- cybereason-delete-sensor
- cybereason-start-fetchfile
- cybereason-fetchfile-progress
- cybereason-download-file
- cybereason-close-file-batch-id
- cybereason-available-remediation-actions
- cybereason-kill-process
- cybereason-quarantine-file
- cybereason-unquarantine-file
- cybereason-block-file
- cybereason-delete-registry-key
- cybereason-kill-prevent-unsuspend
- cybereason-unsuspend-process
- cybereason-malware-query
- cybereason-start-host-scan
- cybereason-fetch-scan-status
- cybereason-get-sensor-id

Playbooks

New: Cybereason - Download Close File

This playbook aborts a file download operation which is in progress based on the Malop ID and username provided. (Available from Cortex XSOAR 6.5.0).

New: Cybereason - Download File

This playbook downloads a file from Cybereason platform, based on the Malop ID and username provided. (Available from Cortex XSOAR 6.5.0).

Isolate Endpoint - Cybereason

This playbook isolates a machine based on the hostname provided. (Available from Cortex XSOAR 5.0.0).

Unisolate Endpoint - Cybereason

This playbook unisolates a machine based on the hostname provided. (Available from Cortex XSOAR 5.0.0).

Block File - Cybereason

This playbook accepts an MD5 hash and blocks the file using the Cybereason integration. (Available from Cortex XSOAR 5.0.0).

Search Endpoints By Hash - Cybereason

Hunt for endpoint activity involving hash, using Cybereason. (Available from Cortex XSOAR 5.0.0).

Scripts

New: CybereasonPreProcessingExample

Preprocessing script to run when fetching Cybereason malops.
Will check if malop was already fetched, and will then update the existing incident, otherwise will create a new incident.

Related pull requests:
- 22100
- 19493

Download

2.1.23 - R3444919 (May 18, 2025)

Integrations

Cybereason

Updated cybereason-query-malop-management
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Scripts

CybereasonPreProcessingExample

Performed safe dictionary extraction
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 38940
- 39381

Download

2.1.22 - R2988287 (March 26, 2025)

Integrations

Cybereason

Metadata and documentation improvements.

Scripts

CybereasonPreProcessingExample

Metadata and documentation improvements.

Related pull requests:
- 39010

Download

2.1.21 - 2459630 (February 13, 2025)

Integrations

Cybereason

Added a new command cybereason-update-malop-investigation-status to update the investigation status for a given MalOp.

Related pull requests:
- 37296
- 38638

Download

2.1.20 - 1946497 (January 8, 2025)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.11.11.1940698.

Related pull requests:
- 37994

Download

2.1.19 - R1931958 (January 6, 2025)

Integrations

Cybereason

Custom Fields Added: Added support for the following custom fields to enhance incident information:
malopcreationtime
malopupdatetime
maloprootcauseelementname
maloprootcauseelementtype
malopseverity
malopdetectiontype
malopedr
malopurl
malopgroup

Scripts

CybereasonPreProcessingExample

Fixed preprocessing script to deal with incident duplication.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37844
- 37058

Download

2.1.18 - 1748140 (December 4, 2024)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.11.10.115186.

Scripts

CybereasonPreProcessingExample

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37528
- 37524
- 37525
- 37526
- 37527

Download

2.1.17 - R1681986 (November 21, 2024)

Integrations

Cybereason

Added a new command cybereason-process-attack-tree to return Attack tree url for a given Process.
Added a new command cybereason-query-malop-management to fetch details of a single management Malop.
Updated the Docker image to: demisto/python3:3.10.13.89009.

Related pull requests:
- 33336
- 33513

Download

2.1.16 - 765039 (January 16, 2024)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32212

Download

2.1.15 - 733853 (January 2, 2024)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31878

Download

2.1.14 - 7033788 (November 30, 2023)

Integrations

Cybereason

Added a new command cybereason-get-machine-details to fetch machine details.
Updated the Docker image to: demisto/python3:3.10.13.81631.

Scripts

CybereasonPreProcessingExample

Updated the Docker image to: demisto/python3:3.10.13.81631.

Related pull requests:
- 30647
- 31225

Download

2.1.13 - 6683114 (October 23, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.13.78960.

Related pull requests:
- 30346

Download

2.1.12 - R6592021 (October 13, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.13.72123.

Related pull requests:
- 29318

Download

2.1.11 - 5910354 (July 30, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.12.66339.

Related pull requests:
- 28580

Download

2.1.10 - R5866730 (July 25, 2023)

Scripts

CybereasonPreProcessingExample

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28088

Download

2.1.9 - 5636258 (June 28, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27745

Download

2.1.8 - 5390938 (May 29, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27028

Download

2.1.7 - 5265019 (May 14, 2023)

Playbooks

Unisolate Endpoint - Cybereason

Fixed a minor bug in the Unisolate Endpoint - Cybereason where the input.hostname is defined returns true when the actual hostname field is empty.

Related pull requests:
- 26048

Download

2.1.6 - 5185403 (May 4, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.11.56857.

Related pull requests:
- 26294

Download

2.1.5 - R5170573 (May 2, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.11.54132.

Related pull requests:
- 25962

Download

2.1.4 - 4923679 (March 29, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.10.50695.

Related pull requests:
- 25583

Download

2.1.3 - 4818573 (March 15, 2023)

Scripts

CybereasonPreProcessingExample

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 25256

Download

2.1.2 - R4718798 (March 1, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24921

Download

2.1.1 - R4646022 (February 19, 2023)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.10.47713.

Related pull requests:
- 24569

Download

2.1.0 - 4384217 (January 12, 2023)

Integrations

Cybereason

Added support for polling for Cybereason EPP Malops.
Updated the Docker image to: demisto/python3:3.10.9.42476.

Scripts

CybereasonPreProcessingExample

Updated the Docker image to: demisto/python3:3.10.9.42476.

Related pull requests:
- 23666
- 23476

Download

2.0.0 - 4001473 (November 9, 2022)

Integrations

Cybereason

Updated the Docker image to: demisto/python3:3.10.8.37233.
Added 19 commands:
- cybereason-archive-sensor
- cybereason-unarchive-sensor
- cybereason-delete-sensor
- cybereason-start-fetchfile
- cybereason-fetchfile-progress
- cybereason-download-file
- cybereason-close-file-batch-id
- cybereason-available-remediation-actions
- cybereason-kill-process
- cybereason-quarantine-file
- cybereason-unquarantine-file
- cybereason-block-file
- cybereason-delete-registry-key
- cybereason-kill-prevent-unsuspend
- cybereason-unsuspend-process
- cybereason-malware-query
- cybereason-start-host-scan
- cybereason-fetch-scan-status
- cybereason-get-sensor-id

Playbooks

New: Cybereason - Download Close File

This playbook aborts a file download operation which is in progress based on the Malop ID and username provided. (Available from Cortex XSOAR 6.5.0).

New: Cybereason - Download File

This playbook downloads a file from Cybereason platform, based on the Malop ID and username provided. (Available from Cortex XSOAR 6.5.0).

Isolate Endpoint - Cybereason

This playbook isolates a machine based on the hostname provided. (Available from Cortex XSOAR 5.0.0).

Unisolate Endpoint - Cybereason

This playbook unisolates a machine based on the hostname provided. (Available from Cortex XSOAR 5.0.0).

Block File - Cybereason

This playbook accepts an MD5 hash and blocks the file using the Cybereason integration. (Available from Cortex XSOAR 5.0.0).

Search Endpoints By Hash - Cybereason

Hunt for endpoint activity involving hash, using Cybereason. (Available from Cortex XSOAR 5.0.0).

Scripts

New: CybereasonPreProcessingExample

Preprocessing script to run when fetching Cybereason malops.
Will check if malop was already fetched, and will then update the existing incident, otherwise will create a new incident.

Related pull requests:
- 22100
- 19493

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	June 30, 2020
Last Release	May 18, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.