Cybereason Integration

XGEN SOAR Integration

D3’s feature-rich integration with Cybereason enables incident responders and threat hunters to benefit from Cybereason’s MalOps—which provide fully contextualized pictures of attacks, instead of piecemeal alerts—while also being able to query virtually anything across the platform. When endpoint incidents are responded to in D3, the playbook can orchestrate remediation across endpoints via the integration with Cybereason.

Integration Features

1. Amalgamate MalOps feeds in D3 for analysis and investigation
2. Orchestrate response actions from D3 playbooks, such as remediating processes, killing processes, and isolating hosts
3. Update IOC reputations and categories, and prevent malicious IOCs from executing
4. Run queries across the Cybereason Platform to retrieve data from sensors, MalOps, processes, and more

Key Use Case #1: Endpoint MalOp Response Automation

When Cybereason detects a potential endpoint incident, D3 can retrieve the highly detailed MalOp for investigation. D3 then enriches the MalOp with threat intelligence and past incident data, and gathers additional context from Cybereason by querying sensors, users, files, processes, domains, and more. If the MalOp is deemed a true positive, D3 can trigger an automated response playbook that orchestrates a response across the security environment, including actions in Cybereason such as killing processes and isolating affected machines. When the response is complete, the D3 playbook can update the MalOp status in Cybereason with the results.
Key Use Case #2: IOC Update Orchestration

If D3 determines an IOC to be malicious, either through integrated threat intelligence sources or the result of an incident investigation, it can orchestrate the appropriate updates in Cybereason to protect against the threat. D3 can set the IOC reputation, assign it to a category (e.g. virus or blacklist), and—if the IOC is a file—prevent it from executing.