Connecting to a Cybereason asset data source

Edit online

The Cybereason Connected Assets and Risk connector can be run in the platform cluster. The connector incrementally synchronizes the contents of the Cybereason asset databases with the data that is managed by the Connected Assets and Risk service.

Before you begin

Collaborate with a Cybereason administrator or account owner to obtain login credentials to access the Cybereason API.

About this task

The Cybereason connector is designed to work with Cybereason version 21.1 by using the following API endpoints:
  • Sensors (sensors/query)
  • Malops (detection/inbox)
  • Hunt and Investigate (visualsearch/query/simple)
  • Remediation (remediate/status/:malopId)

Procedure

  1. Go to Menu > Connections > Data sources.
  2. On the Assets tab, click Connect an asset.
  3. Click Cybereason, then click Next.
  4. Configure the connection to the data source.
    1. In the Connector name field, assign a name to uniquely identify the data source connection.
      Tip: Only alphanumeric characters and the following special characters are allowed: - . _
    2. In the Connector description field, write a description to indicate the purpose of the data source connection.
      Tip: Only alphanumeric characters and the following special characters are allowed: - . _
    3. In the Edge gateway (optional) field, specify which IBM® Security Edge Gateway to use.

      Select an Edge Gateway to host the connector. The Edge Gateway must be version 1.6 or later. It can take up to 5 minutes to establish the connection to the Edge Gateway.

      Important: If you have a firewall between your platform cluster and the data source target, use the Edge Gateway to host the containers.

      For more information, see Setting up Edge Gateway.

    4. In the Frequency field, set how often the connector imports data from the data source, in minutes.
      The value must be an integer.
      For example, a value of 5 causes the connector to run every 5 minutes.
      If the data source doesn't have many assets, or you don't want to import data often, reduce the frequency.
    5. In the Management IP address or Hostname field, enter the hostname or IP address of the data source so that the platform can communicate with it.
    6. In the Host port field, enter the port number that is associated with the data source host. The default port is 8443.
    7. In the Vulnerability Retention Period field, enter the number of days of vulnerabilities that you want to import. The default value is 30 days and the minimum value is 1 day.
  5. In the Configurations section, click Add a Configuration.
  6. Configure identity and access.
    1. Click Edit access and choose which users can connect to the data source and the type of access.
    2. In the Configuration name field, enter a unique name to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
    3. In the Configuration description field, enter a unique description to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
    4. In the Username field, enter the username from Cybereason API credentials.
    5. In the Password field, enter the password from Cybereason API credentials.
    6. Click Add.
    7. To save your configuration and establish the connection, click Done.
  7. To edit your configurations, complete the following steps:
    1. On the Assets tab, select the data source connection that you want to edit.
    2. In the Configurations section, click Edit Configuration (Edit configuration icon).
    3. Edit the identity and access parameters and click Save.

Results

The connector imports data from the data source. The connector imports data source again at the interval that you set in the Frequency field.

You can see the data source connection configuration that you added under Connections on the Assets tab of the Data source settings page. A message on the card indicates connection with the data source.

When you add a data source, it might take a few minutes before the data source shows as being connected.
Tip: After you connect a data source, it might take up to 30 seconds to retrieve the data. Before the full data set is returned, the data source might display as unavailable. After the data is returned, the data source shows as being connected, and a polling mechanism occurs to validate the connection status. The connection status is valid for 60 seconds after every poll.

You can add other connection configurations for this data source that have different users and different data access permissions.

What to do next

Test the connection by searching for an IP address in IBM Security Data Explorer that matches an asset data source. In Data Explorer, click an IP address to view its associated assets and risk.

To use Data Explorer, you must have data sources that are connected so that the application can run queries and retrieve results across a unified set of data sources. The search results vary depending on the data that is contained in your configured data sources. For more information about how to build a query in Data Explorer, see Build a query.