Cybereason

Integrate Cybereason to retrieve endpoint threat detection and response data

This document describes how to configure the Cybereason connector, allowing OverSOC to retrieve threat protection and detection data via the Cybereason API.

Objective

The Cybereason connector retrieves the following information:

  • Machine (sensor) inventory
  • Endpoint protection status
  • Active alerts and detections

Prerequisites

  • Access to the Cybereason console with administrator rights.
  • A dedicated user account for OverSOC (recommended).

Information required in OverSOC

Field         Description
Console URL   URL of your Cybereason console (e.g. https://your-tenant.cybereason.net)
Username      Username of the dedicated account
Password      Account password

Procedure

Obtain API credentials from Cybereason

API credentials are not self-generated in the Cybereason console. They are issued by Cybereason to subscribers upon request.

  1. Contact your Cybereason account manager to request API credentials.
  2. Provide your organization's details and the intended use case.
  3. Cybereason will issue you the authentication credentials (username and password).

Authenticate using Cybereason API

Cybereason uses session-based authentication:

  1. Your OverSOC connector will POST the username and password to the /login.html endpoint.
  2. The server responds with a JSESSIONID session cookie.
  3. This cookie is used for all subsequent API requests.
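The three-step session flow above, as an added example that is not OverSOC's or Cybereason's code: it assumes the /login.html form fields are named `username` and `password` (an assumption to confirm against the vendor's authentication documentation) and talks to a constructed local mock console so it runs offline; point login() at the real console URL in practice.

```python
import http.cookiejar
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
MOCK_USER, MOCK_PASSWORD, MOCK_SESSION = "oversoc-svc", "example-only", "abc123"  # constructed

class MockConsole(BaseHTTPRequestHandler):
    """Constructed stand-in: /login.html sets JSESSIONID, every other path requires it."""
    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = urllib.parse.parse_qs(raw.decode())
        if self.path == "/login.html" and form.get("username") == [MOCK_USER] \
                and form.get("password") == [MOCK_PASSWORD]:
            self.send_response(200)
            self.send_header("Set-Cookie", f"JSESSIONID={MOCK_SESSION}; Path=/; HttpOnly")
        else:
            self.send_response(401)
        self.end_headers()
    def do_GET(self):
        authed = f"JSESSIONID={MOCK_SESSION}" in self.headers.get("Cookie", "")
        self.send_response(200 if authed else 401)
        self.end_headers()
    def log_message(self, *args):  # keep the mock quiet
        pass

def start_mock():  # mock console on a free local port; returns its base URL
    server = HTTPServer(("127.0.0.1", 0), MockConsole)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"

def login(console_url, username, password):
    """Steps 1-2: POST credentials to /login.html; return an opener holding JSESSIONID."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    try:  # a 401 from the console surfaces as HTTPError
        opener.open(urllib.request.Request(f"{console_url}/login.html", data=body, method="POST")).close()
    except urllib.error.HTTPError as err:
        raise PermissionError(f"login rejected with HTTP {err.code}") from err
    if not any(c.name == "JSESSIONID" for c in jar):  # a 2xx without the cookie is still a failure
        raise RuntimeError("login returned 2xx but set no JSESSIONID cookie")
    return opener

def session_get(opener, console_url, path):
    """Step 3: reuse the session cookie on a later request; return the HTTP status."""
    try:
        with opener.open(f"{console_url}{path}") as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```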

Configure the connector in OverSOC

  1. In OverSOC, go to Data Sources Settings > Sources.
  2. Select Cybereason and click Configure.
  3. Fill in the fields:
    • Console URL: your console URL (e.g., https://your-tenant.cybereason.net)
    • Username: the API username issued by Cybereason
    • Password: the API password issued by Cybereason
  4. Click Save Configuration.

For detailed authentication information, see Cybereason API Authentication Documentation.

Required permissions

The user account must have read access on the following resources:

  • Machines / Sensors
  • Detections and alerts
  • Security policies

A Viewer or L1 Analyst role is sufficient — no write permissions are required.

!!! tip "Best practice"
    Create a dedicated service account for OverSOC and document the password expiration date to avoid any interruption in data collection.