Cybereason Connector
Cybereason is an endpoint detection and response (EDR) platform that offers threat intelligence, behavioral analytics, and real-time incident response across enterprise environments.
What is the Cybereason API Connector?
The Cybereason API Connector enables secure integration between your Cybereason instance and Qualys Enterprise TruRisk Management (ETM). Once configured, it automatically ingests asset data via scheduled API calls. Qualys ETM then processes the incoming data by:
- De-duplicating redundant entries
- Normalizing data formats
- Enriching findings with additional context
- Calculating risk scores using TruRisk
| Category | Supported Asset Type | Supported Finding Type |
|---|---|---|
| API Connector | Endpoint Asset |
Prerequisites
User Roles and Permissions
Access credentials are issued to Cybereason subscribers and include:
- Domain (subdomain for API calls)
- Username
- Password
These are provided directly by CyberReason to authorised customer accounts.
How to Get Domain, Username, and Password
- Domain: Provided by Cybereason and used in the API base URL (e.g., https://your-domain.cybereason.net/)
- Username/Password: Issued upon subscription or user provisioning.
Create a New API Connector
Basic Details
- Provide the Connector's Name and Description.
- Select the you want to import or export - currently, we support Asset.
- Select the Asset Type - currently we support Host Asset.
The following screenshot displays the Basic Details fields.
-
Next, provide the API authentication details of the CyberReason environment as provided in the Prerequisites section.
Data Model
The CyberReason API Connector offers an out-of-box data model mapping for you to map with Qualys ETM schema. You can view the schema to understand the attributes in the data model.
Transform Maps
Map the fields from the CSV file to the corresponding fields in your target system. Transform Maps ensure the data is transformed correctly during the import or export process.
The CyberReason Connector offers an out-of-box transform map for you to proceed without further configuration. View the map to understand the data transformation or clone the map to edit its configurations.
Click Create New for a new Transform Map.
Perform the following steps to configure a Transform Model:
- Transform Map Name: Enter a unique name for the Transform Map. This name helps identify the specific transformation configuration within this connector.
- Source Data Model: Select the data model that serves as the input for the transformation. This is the model from which data will be extracted.
- Target Data Model: Choose the data model that receives the transformed data. This model defines how the data will be structured after the transformation.
Fields Mapping
The Fields Mapping section maps fields from the Source Data Model to the Target Data Model.
- Source Field: Specify the field in the Source Data Model containing the transformed data.
- Data Type: Indicate the data type of the Source Field (e.g., string, integer, date).
- Target Field: Designate the corresponding field where the transformed data will be placed in the Target Data Model.
Click Add to create and display the mapping for the Source Field, Data Type, and Target Field below the section. This visual helps ensure that all necessary fields are mapped correctly and allows easy verification and adjustments.
Profile
Create a profile for your connector. A profile decides the connector status, execution schedule and transform map to choose. The connector follows the configurations of this profile for all future executions.
Click the "+" to create a new profile.
In the Add Profile screen, provide the necessary inputs for your new profile.
Provide a Name and Description.
The Filter field allows for advanced data scoping by defining conditions to selectively retrieve assets based on attributes.
Sample filter (as shown in above image):
{
"fieldName": "osType",
"operator": "Equals",
"values": ["WINDOWS", "OSX"]
}
This filter restricts ingestion to assets running Windows or macOS operating systems.
Select the required Transform Map for the data mapping.
The Resource Types determine which resources to select for the profile. The Resource Type determine the required resource whose findings should be ingested by Qualys ETM.
The Status field determines whether the connector should be in Active or Inactive state after creation.
Lastly, the Schedule section lets you either create a Single Occurrence schedule or a Recurring schedule. Provide the exact date and time for the Single Occurence execution and provide the Start and End date/time for the Recurring schedule.
Select Identification Rules
The Identification Rules are a set of out-of-the-box precedence rules set by Qualys CSAM. The connector discovers findings based on the order set by the selected Identification Rules.
You can proceed to the next step without making any changes to this screen.
If you don't want to choose a specific rule, turn off the toggle next to it. But, ensure that at least one rule is selected.
To learn more about the different rules and options present in this screen, refer to the CSAM Online Help.
How Does a Connection Work?
The CyberReason connector functions through configured profiles, determining what data gets synchronised and when.
A Connection usually involves creating a profile that defines which vulnerabilities to import based on detection data types and asset types. The connector then automatically executes according to the schedule (or on-demand), pulling asset data from CyberReason into Qualys ETM where it can be viewed alongside other security findings.
With the CyberReason API Connector successfully configured, you are almost ready to view all the assets and findings from CyberReason.
In the Connector screen, you can find your newly configured connector listed and marked in the Processed state.
Connector States
A successfully configured connector goes through 4 states.
- Registered - The connector is successfully created and registered to fetch data from the vendor.
- Scheduled - The connector is scheduled to execute a connection with the vendor.
- Processing - A connection is executed and the connector is fetching the asset and findings data.
- Processed - The connector has successfully fetched the assets, it may still be under process of fetching the findings. Wait for some more time for the connector to fetch the findings completely.
The Processed state indicates that the Connector is successfully configured but it is under the process of importing all your assets and findings. This process (specifically for findings) may take some time.
This entire process may take up to 2 hours for completion. Once, it is done. You can find the imported data in Enterprise TruRisk Management (ETM).
View Assets in ETM
Navigate to Enterprise TruRisk Management to start analysing your Connector's vulnerability findings.
You can view the assets imported from the CyberReason connection by navigating to the Inventory tab of ETM.
Go to Assets > Host to find all of your imported assets.
Use the token, tags.name: 'CyberReason' to view all the imported CyberReason assets.
Here, you can learn about your assets' criticality and Risk Scores. Click any asset to view more details.
API Reference
| Name | Endpoint | Information |
|---|---|---|
| Auth API | https://{domain}.cybereason.net/login.html |
Auth token valid for 6 hours; auto-refreshed after expiry. |
| Fetch Asset List | https://{domain}.cybereason.net/rest/sensors/query |
Batch size: 50; retrieves endpoint inventory |
Data Model Mapping
|
Source Attribute Key |
Target Attribute Label |
|---|---|
|
uniqueSensorKey |
externalAssetId (Required) |
|
machineName |
assetName |
|
fqdn |
fqdn |
|
osType |
operatingSystemName |
|
osVersionType |
operatingSystemVersion |
|
externalIpAddress |
ipAddress |
|
deviceModel |
model |
|
serialNumber |
serialNumber |