Cybereason Integration
Note: This integration requires Cisco XDR Advantage or Cisco XDR Premier licensing tier.
Cybereason is an Extended Detection and Response (XDR) and Endpoint Detection and Response (EDR) offering. In Cisco XDR, Cybereason users can use it for threat hunting and investigation, and for rapid response actions to understand and defend against threats on the endpoint. It also provides important device inventory context to help triage detected threats.
Use the Cybereason integration to search for security detections involving specific hostnames, host GUIDs, or file names. Cybereason can also be used through Cisco XDR to isolate hosts from the network and block file hashes on endpoints.

- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Third-Party tab and navigate to the Cybereason integration.
- Click the plus sign (+) in the lower-right corner of the card. The Cybereason integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Cybereason integration in Cisco XDR.

You can perform the following tasks after you integrate Cybereason with Cisco XDR:
- Investigations - Start a new investigation into any combination of file names, host GUIDs, and hostnames. The results will include any records of them found in your Cybereason environment. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know Cybereason has recent information. For details, see Investigate.
- Pivot Menu - Use the Pivot menu to access actions in Cybereason. Available actions include isolating hosts from the network. You can also install Cybereason workflows from the Automation Exchange to add more actions to the Pivot menu.
- Assets - View devices as reported by Cybereason. For more information, including how to filter the view to only the reports from Cybereason, see Devices.
- Automation:
  - Atomic Actions - The atomic actions for Cybereason can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.
  - Workflows - The workflows for Cybereason can be installed from the Automation Exchange. See Workflows and Exchange.
  - Target - The Cybereason target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.
- Playbooks - Automation system workflows that use Cybereason and are included in the Cisco Managed Incident Playbook can be used to contain assets (devices), validate eradicated hosts, and unquarantine assets. See Containment and Recovery on the Response page.