

Total Environment Visibility	360° Prevention and Detection	Automated Remediation
An organization’s attack surface is much wider than its endpoints. Cynet continuously monitors all Users’ logging in and logging out, internal and external traffic, and process execution on hosts. This provides real-time contextual visibility into the entire environment’s activities.	Cynet continuously builds and integrates technologies to prevent and detect attack vectors that target Users, files, the network, and hosts: AV, NGAV, EDR, network analytics, UEBA, and deception This builds a robust security protection stack across all attack stages.	Cynet provides the widest set available of remediation actions for compromised hosts and Users, malicious files, and network communication. Cynet is shipped with pre-built remediation tools, making it the only solution with the ability to automatically block attacks at multiple post-compromise stages, such as privilege escalation, credential theft, and lateral movement.
Context-Based Alert Operation	Easy Deployment and Maintenance	CyOps 24×7 Security Expertise
In the case of malicious activity without a matching pre-built remediation, Cynet provides the full User, file, network, and host context for rapid insight into an attack’s impact and scope. The resolving process concludes with manually applying remediation action on the compromised entity that can be saved as policy to automate response to future occurrences.	Cynet is based on server-agent architecture. The server can be either on-site, IaaS, or hybrid, according to customer preference. It can either be a dissolvable executable or a lightweight agent that rapidly deploys up to 50,000 hosts in a single day.	Cynet complements its automated threat protection technology with integrated security services at no additional cost. CyOps is a 24/7 team of threat analysts and security researchers that proactively hunts for threats among Cynet’s customers, as well as responding to customer escalations, assisting with file analysis, incident response, and deep investigation.

Cynet 360 Basics

This section provides instructions on logging into the system and a description of the Cynet 360 User Interface (UI).

Logging-into Cynet 360

To log into the Cynet 360 console, navigate to: https://*CYNET_SERVER*:8443.

*CYNET_SERVER* is the IP address hostname of your Cynet 360 server. Navigating to this URL brings up the Cynet 360 login page.

To log in for the first time, use the following default credentials:

Username: Operator

Password: qwdftyjkop

$C:\Users\tipro\Documents\HOME\IAN\JBS\PROJECTS\Cynet\Pics\login-screen.png$

Note

We recommend that you change the default Operator credentials after initial login and after creating additional User accounts.

You may receive the message “Your connection is not private”. The reason for this is that Cynet uses a self-signed certificate. To remove this message, install a CA-issued certificate on the Cynet IIS site. To ignore this message and proceed, click Advanced followed by Proceed to localhost.

Interface Layout

The Cynet 360 UI provides a simple layout for navigating the system. There are nine main sections. You can easily navigate the UI using the main navigation menu on the left side of the screen. The main sections of the UI are as shown in the following screenshot.

Section	Description
Dashboard	Provides an overview of Alerts, Scans, and Analysis. See “Dashboard”.
Alerts	Shows all alerts generated by the system. See “Finding Alerts”.
Forensic	Shows all data from files, Users, hosts, and the network. See “Understanding Forensics”.
Actions	Shows all remediation actions taken and the results of these actions. See “Actions”.
Scanner	Shows all scan results of hosts in the environment. See “Running Host Scans”.
Reports	Shows all reports generated by the system. See “Generating Reports”.
Map	Shows a map of all configured locations. See “Maps”.
Audit	Shows all User actions performed with the system. See “Auditing Actions”.
Settings	Enables Users to modify all system configuration settings. See “Settings”.

In addition to the main navigation menu, some pages contain sub-menus which you can use to navigate to other pages within the section, as shown in the following screenshot.

At the top of each page of the UI, the folowing displays:

Current date and time

Current logged-in User

A link to logout of the system

If the Cynet server is configured for multi-tenancy (as in the Master-Slave architecture), a drop-down menu appears next to the current logged-in User. This menu provides access to the other Cynet servers currently configured to point to this Master server. See ‎D.2.1 “Cynet Server Services”.

Dashboard

The Dashboard provides a high-level overview of the current security status of the environment. It displays the current number of open alerts, files that have been analyzed, and hosts that have been scanned. The Dashboard enables navigation to other areas of the UI based on this information. There are five main parts to the dashboard, as shown in the following screenshot.

A: Open Alerts	D: Alerts by Date
B: Threat Radar	E: Hosts Scanned
C: Files

A: Open Alerts

Open Alerts displays metrics for current open alerts of all severity levels and the numbers of Files, Users, Hosts, and amount of Network traffic associated with these open alerts. The colored ring around Total Alerts indicates the severity of the alerts.

To display the number of open alerts of a certain severity, place the cursor on a colored portion of the Total Alerts ring.

To navigate to the Files, Users, Hosts, or Network alerts pages, click the associated icon.

IMPORTANT!

Currently, system alerts do not display (for example, deception files).

B: Threat Radar

The central circular area displays the overall risk level (or Total Security Score) and the “radar” area, and indicates high risk Files, Users, Hosts, and Network traffic.

The Total Security Score is calculated from the current risk levels of every File, User, Host, and Network object, as well as from any Open Alert.

Individual risk scores for objects are shown as circles in the radar area. Objects with open alerts display as solid red circles. To view more details about these alerts, click on these circles.

If the alert has a severity score of over a 1000, a notification appears under the Cynet Radar.

To display the object name and the associated Alert, click an item in the radar area. To view the details of this object, click .

C: Files

The Files area displays metrics about files that have been scanned and analyzed by the system. The percentage of “whitelisted” files indicates the number of files that have been analyzed and deemed safe by security intelligence. The Cynet CyOps SOC determines if files are safe, based on metadata collected and behavioral analysis. The SOC reviews the remaining files.

D: Alerts by Date

Alerts by Date displays a graph of alerts generated over the past ten days. The graph is a timeline of alerts generated per day.

To see the number of alerts generated on a particular day, position the cursor over that day.

E: Hosts Scanned

Hosts Scanned displays metrics of recently-scanned Hosts. It shows statistics for the number of Hosts scanned in the past day, week, and month.

Working with Alerts—Basic

When Cynet 360 identifies a suspicious or dangerous activity, it generates an alert. Alerts are divided into the following categories:

All alerts

File alerts

User alerts

Network alerts

Host alerts

Analysts might want to investigate specific alerts recorded by the system to find out more information about them.

Finding Alerts

The Alerts page provides a customizable view of the alerts generated by the system. You can use individual filters to display specific alerts, and you can take actions on displayed alerts. This page contains the following information:

Section	Section Heading	Description
A	Alert Types Menu	Enables the filtering of alerts generated for Files, Users, Hosts, Network, or All Alerts. All Alerts is the default. It includes system alerts.
B	Quick Search	Enables the quick filtering of displayed alerts using a keyword search.
C	Alert Actions	Enables the export of displayed alerts to an Excel file and/or taking Remediation Action. See “Taking Remediation Actions”.
D	Alerts Quick Filter Bar	Enables the quick filtering of alerts by Alert Name, Severity, Status, Host name, File name, User name, Network, or Alert Date. You can select all currently visible alerts and perform actions on multiple alerts.
E	Load Entries	You can use the drop-down menu to display more or fewer alerts. The default is 25 alerts.
F	Displayed Alerts	This section displays all alerts and relevant information about them according to the filter criteria set in the Alerts Filter Bar. To view details about the alert, click . See “Understanding Alerts”.
G	Alert Status	The Alert status is displayed below the Alert name. You can change the status individually or in a group.
H	Total Open Alerts	Displays the current number of open alerts and the distribution of File, Users, Network, and Host alerts.

Understanding Alerts

To view more details on displayed alerts, click .

Additional information displays as shown below.

Section	Description
Description	Displays a detailed description of the endpoint hostname of the triggered alert, IP address, OS version, CynetEPS version, and Configuration version.
Recommendation	Displays Cynet SOC recommendations for remediation actions you can take, based on the type and severity of the alert.
Process Tree	Displays all processes that were run that triggered the alert. The tree displays the parent process (topmost), and its children, based on the process calling order (the parent leaf triggered the child leaf). The down-most process is the last process in the calling tree—this process is the one that was detected as a malicious process, by the Alert in focus.
Comments	For tracking and analysis purposes, Analysts or the CISO, can add comments based on the investigation and resolution of the alert.
Path and Hash	Some alerts also indicate the file Path and Hash—to enrich the analysis and Incident Response with more metadata.

Investigating Alerts

The Forensic page enables you to perform an in-depth investigation into an Alert. For more details on using Forensic features, see “Understanding Forensics”.

Searching for Alerts

Advanced Search enables you to customize a search for Files, Hosts, Users, and Network traffic based on any of the available metadata fields, or to change the displayed fields in the Inventory List on any Forensic page.

To begin an advanced search, or to edit the displayed file fields, click Advanced Search.

The following window displays:

Section	Section Heading	Description
A	Display Fields	Select or clear Display Fields to modify the Inventory.
B	Search Fields	To specify search criteria, use Search Fields.
C	Saved Searches	To save searches for future use, use Saved Searches.
D	Saved Policies	To apply selected search criteria as an indicator that contributes to an object’s risk level in the future, save the search criteria to Saved Policies. Saved Policies can be configured to open an alert when the policy’s search criteria are matched.

Display Fields

You can modify the Inventory List on the Forensic pages to display additional columns. To add or remove columns from the Inventory List, select or clear fields from the Display Fields menu.

After selecting the fields you want to view, the columns in the Inventory List automatically update.

A screenshot of a computer screen Description automatically generated

Search Fields

Adding Search Field Parameters

To add a field to the Search Fields window:

In the Display Fields menu, click .

From the drop-down menu, select the appropriate logical Operator for each field added.

Enter search filters for each field.

To apply the search filters to the Inventory list, click Search.

To remove a field from the Search Fields window, click

Note

Fields not selected in the Display Fields menu can still be used in the Search Fields as search filters. Although these columns do not appear in the Inventory List, they are still applied to the search results.

Saved Searches

Search filters can be saved for future use in Saved Searches.

To save search filters:

Click Save Search.

Enter a name for the saved search.

Click OK.

The saved search appears in the Saved Searches menu.

To use the saved search, click the search name in Saved Searches. The Search Fields window populates with the search filters you saved.

To add your Saved Search to Favorite Searches, click the ☆.

To delete a Saved Search:

In Saved Searches, click X next to the Saved Search name.

Click OK.

The Saved Search is deleted.

Saved Policies

You can create Saved Policies to apply a custom risk level to objects based on collected indicators. You can also create Saved Policies to open an alert on objects relevant to the policy.

To create a Saved Policy:

Enter search filter criteria in Search Fields.

To save these filters as a policy click Save Policy.

Enter a policy name.

Enter a policy risk number between one and a thousand.

Select Open alert on policy match.

To reopen an alert for a new occurrence of an event based on your Saved Policy, select Reopen alert on new occurrence.

From the drop-down menu, select the alert severity.

Click OK.

The saved policy appears under Saved Policies. To apply the saved policy to a new search, click the policy name in Saved Policies. The Search Fields window populates with the filters in that saved policy.

To delete a Saved Policy, click X next to the Saved Policy name.

Objects that match the Saved Policy criteria appear in the object’s Details Page as a triggered indicator. The risk value you entered in Saved Policy is factored into the new risk level for the object.

If the saved policy was configured to open an alert on policy match, you receive the alert in the main alerts page.

The alert name is the policy name you selected.

Investigating File Alerts

The Forensic page Files tab provides visibility into all scanned files in the organization and enables you to obtain file-specific information. The default Files Inventory list containns the following parameters:

Parameter	Description
File Name	To access the File Details page, click File Name. COMMENT: Is this correct?
Risk Level	The current risk level of the file.
Company Name	The file publisher information.
Endpoints	The number of endpoints where the file that triggered the alert resides.
Antiviruses	The number of antivirus vendors that have signatures for this file.
First Seen	The date and time when this file was first seen in the environment.
Last Seen	The date and time when this file was last seen in the environment.

You can select the columns to display in the Inventory List, as described in “Display Fields”.

File Details Page

The File Details page provides information collected by the system about the selected file. At the top of the File Details page, a timeline describes the lifecycle of the file, as shown in the following screenshot.

The file relationship screenshot displays how the file is related to other entities in the organization.

Section	Description
A	This section displays associated Hosts, Processes (parent or child), Users, or Network entities. To obtain to the details page of an entity, click it.
B	This section displays the File Name and the Risk Level.
C	This section displays all detected Indicators for this file: High severity indicators display in Red. Medium severity indicators display in Gold. Low severity indicators display in Blue. Positive indicators display in Green.

The lower section of the File Details page displays multiple tabs providing detailed information about this file, as shown in the following screenshot.

Note

Some tabs may not appear in the File Details page if there is no relevant data to be displayed for that category.

Section	Description
Details	Displays metadata about the file such as file size, path, publisher, and hashes.
Alerts	Displays all alerts associated with this file. The relevant remediation action tools are associated with each alert.
Occurrences	Displays all instances of the process on all hosts. Each row shows which host or hosts it ran on, and which User or Users ran the process. See “Occurrences”.
Hosts	Displays the hosts which contain this file.
Users	Displays all Users running this file.
Static Analysis	Displays information collected during the static analysis of the file.
Sockets	Displays the network traffic generated to and from this file.
Domains	Displays the domains queried by this process to initiate network traffic.
Process DLLs	Displays the DLL files loaded by this process.
Dynamic Analysis	Displays the information collected and generated from a sandbox execution of the file in the Cynet SSE.

Occurrences

The Occurrences tab displays each instance of a file throughout the environment. If a specific file was executed on two hosts, there would be two entries in the Occurrences tab.

To view additional information on each process occurrence, click +.

Each occurrence includes details about how the file ran during that instance, including the running User, command-line, and the path from which the file was run.

Static Analysis Results

To display Static Analysis results click the Static Analysis tab on the File Details Page.

The information in this section includes:

Section	Section Heading	Description
A	The Meta area	Displays metadata such as hashes, product name (for example, “Microsoft Windows Operations System” / version information / build information), product description, digital signature, timestamp, scattering, and fingerprinting (for example, “MS Visual C++ 8.0 DLL).
B	Strings in File	Displays all the text strings inside the file.
C	The File Analysis area	Displays imported functions, as well as File Header Information.
D	The File Headers Section	Displays file headers and portable execution (PE) sections and their respective hash. PE Section file types typically include .text, .rdata, .data, .pdata, .rsrc, and .reloc.

Investigating Host Alerts

The Forensic Page Hosts tab displays all scanned hosts in the organization and enables you to obtain host-specific information. The default Hosts Inventory list contains the following columns:

Column	Description
Host Name	This is the name of the file. To access the Host Details page, click the file name.
Risk Level	This is the host’s current risk level.
Last Scan	The date and time when this host was last scanned by the system.
Host IP	The IP address of the endpoint.
OS Version	The operating system of the endpoint.
# Process	The number of processes detected that are running on the endpoint.
# Logged Users	The number of Users logged in to the endpoint.
# Connections	The number of network connections detected at the endpoint.

You can select the columns to display in the Inventory List, as described in “Investigating User Alerts”.

Host Details Page

Click a host name to view its details. The Host Details page displays information collected by the system for the selected host. A timeline displays describing the lifecycle of the host.

The following host relationship screenshot displays how the host is related to other entities in the organization.

Section	Description
A	This section displays associated Files, Users, and Network entities. To access the details page of an entity, click on it.
B	This section displays the Host Name and Risk Level.
C	This section displays all detected Indicators for this file: High severity indicators display in Red. Medium severity indicators display in Gold. Low severity indicators display in Blue. Positive indicators display in Green.

Section

Description

This section displays associated Files, Users, and Network entities.

To access the details page of an entity, click on it.

This section displays the Host Name and Risk Level.

This section displays all detected Indicators for this file:

High severity indicators display in Red.

Medium severity indicators display in Gold.

Low severity indicators display in Blue.

Positive indicators display in Green.

The lower section of the Host Details page displays multiple tabs providing detailed information about this host, as shown in the following screenshot.

Hosts Details

The following sections appear in Host Details:

Section	Description
Details	Displays metadata about the host such as host name, IP Address, Operating system, and software versions.
Alerts	Displays all alerts associated with this host.
Files	Displays all the files & processes executed on this host.
Users	Displays all the Users who are configured on the host and some additional information regarding User logins.
Traffic	Displays the Domains accessed by this host as well as: open network sockets, cached DNS requests, configured IP addresses, ARP table entries, and NICs contained on the host. (The screenshot below displays the Host’s accessed Domains).
	Socket information presents full details regarding network activity on the protected asset IP & Port
Vulnerability Assessment	Provides a view of the Hosts Vulnerabilities, namely: a list of lacking Windows patches required to be installed on the Hosts (Windows Patches), and a list of the Unauthorized Applications installed on the Hosts (Unauthorized Applications)
File Monitor	A complete list of the files currently monitored by Cynet on the Cynet-protected Hosts.
System	Contains several lists of: security certificates, installed Operating System updates, Installed Software, and network shares on the Hosts.

1. Note
  1. Certain tabs might not appear in the Hosts Details page if there is no relevant data to be displayed for that category.

Hosts Map View

The Hosts Map view enables the Operator to view the organizations network segments and endpoints, in an inter-connected map display.

To access the Host Map view, select Map from the Hosts drop-down menu in Forensic.

A screenshot of a cell phone Description automatically generated

Hosts can appear in three different colors, where different colors represent the risk status of the host:

Red: High Risk

Blue: Low Risk

To collapse or expand an object, click it.

When you click a host, the host’s detailed information appears below the map.

As for the Forensic Host Alerts, the tabs under Hosts Map provide Forensic metadata selected in the map (metadata: Details, Alerts, File, Users, Traffic, System, Vulnerability Assessment, and File Monitor).

Host Windows Events

Windows Events collected appear under the Host Windows Events.

In the general view you can see the Event ID collected by Cynet as well as the Event Type (for example in the screenshot below Security Event 4624).

Expanding the selection showcases the full details of the collected event, which reveals the parsed event data divided into metadata fields.

Once the data is parsed by the Cynet server you can use the free text search to find all events that match specific keys. COMMENT: Make sure these red boxes are OK

Host System Overview View (IoT Discovery)

The Hosts System Overview view enables the Operator to view the organization hosts that had communication with IoT devices.

To access the Host System Overview view, in the Forensics Page, click the Hosts tab and select System Overview.

A screenshot of a cell phone Description automatically generated

After clicking, the following table appears:

The following sections appear in System Overview Details:

Section	Description
Host	The Cynet-protected Endpoint or IoT device (= the device on which the Cynet EPS module is installed)
MAC Address	Typically associated with a MAC Vendor
IP	IP address of the Host
First Seen	Select the start and end date for the investigated period
Last Seen	Select the start and end date for the investigated period
MAC Vendor	The Vendor of the Host (for example, HP or Xerox). This value is automatically updated when it is associated with the MAC Address.
Comments	All comments about the Host entered by Operators. Note If a Comment field is not displayed, it indicates that there are no comments associated with this host.

Investigating User Alerts

The Forensic page Users tab provides information on all scanned User accounts in the organization. You can also access User specific information.

The User Alert tab displays a list of all the Users’ accounts that have been logged into Cynet-protected hosts, as well as their metadata.

The default Users Inventory list contains the following columns:

Column	Description
Name	Displays the names of a User account that logged into a Cynet-protected asset (=a Cynet Host). To access the User Details Page, click the User’s Name.
Risk	The risk column displays the current risk score, or risk level of the User account.
Locked	Displays YES if the User account is currently locked out or NO if the User account is currently not locked out. To filter the results between locked out or not, or to see all the accounts, select an option from the drop-down menu.
Disabled	Displays YES if the User account is currently disabled or NO if the User account is currently not disabled. To filter the results between disabled or not, or to see all the accounts, select an option from the drop-down menu.
Running Files	Displays the number of files currently running on the User account.
Password Age	Displays the age of the User account password in days.
Last Login	The date and time of the last login to a Host from the User account.
First Seen	The date and time when the User account was first seen in the environment.

You can select the columns to display in the Inventory List, as described above in “Display Fields”.

User Details Page

The Forensic page User Details tab displays information collected by the system about the selected User. A timeline displays the recorded events of the User.

Click the + to display additional information about the objects.

The User Relationship screenshot displays how the User is related to other entities in the organization.

Section	Description
A	This section displays associated Files, Hosts, or Network entities. To access the details page of an entity, click it.
B	This section displays the User Name and Risk Level
C	This section displays all detected Indicators for this file: High severity indicators display in Red. Medium severity indicators display in Gold. Low severity indicators display in Blue. Positive indicators display in Green.

Section

Description

This section displays associated Files, Hosts, or Network entities.

To access the details page of an entity, click it.

This section displays the User Name and Risk Level

This section displays all detected Indicators for this file:

High severity indicators display in Red.

Medium severity indicators display in Gold.

Low severity indicators display in Blue.

Positive indicators display in Green.

The lower section of the page displays multiple tabs providing detailed information about this User, as shown in the screenshot.

Tab	Description
Details	Displays metadata about this User such as: User name Last login date Number of Files Running with the User The number of endpoints the User logged into in the last day, week, and month.
Alerts	Displays all alerts associated with this User.
Files	Displays all the files being run by this User.
Hosts	Displays all Hosts this User has logged into.
Domains	Displays a list of domains that the User tried to access.
Sockets	Displays the sockets accessed by this User.
Logins	Displays a list of all logins by this User across all scanned hosts.
File Monitor	Displays file monitoring data. Default view displays all (can be filtered based on action type, Execute, Created, Deleted, Access, and Rename).

Note

Certain tabs might not appear in the Details page if there is no relevant data to be displayed for that category.

Investigating Domains

The Forensic page Domains tab provides visibility into all Domains resolved on Hosts in the Cynet-protected environment.

The default Domains Inventory list contains the following columns:

Column	Description
Domain	This is the resolved domain. For additional information, click on the specific domain name (see below more details).
Risk Level	This is the Domain’s current risk level.
Classification	Displays the Domain classification based on security intelligence.
Date In	The date and time when the Domain was first resolved.
Last Seen	The last time the Domain was resolved.
URL Count	The number of URLs visited with this Domain.
Host Count	The number of Hosts that have resolved this Domain.
Remote IP Count	The number of remote IP addresses that resolve to this Domain.
Source IP Count	The number of local IPs that have resolved this Domain.
User Count	The number of Users that have resolved this domain.

You can select the columns to display in the Inventory List, as described in “Display Fields”.

Investigating Domains and IP Addresses

The Domains/IP Address Details page displays information collected by the system regarding the selected Domain. A timeline displays the User’s recorded events.

The following User Relationship screenshot displays how the User is related to other entities in the organization.

Section	Description
A	This section displays associated Files, Hosts, and User entities. To access the details page of an entity, click it.
B	This section displays the Domain Name and Risk Level
C	This section displays all detected Indicators for this file: High severity indicators display in Red. Medium severity indicators display in Gold. Low severity indicators display in Blue. Positive indicators display in Green.

The lower section of the page displays multiple tabs providing detailed information about this User, as shown in the screenshot.

Tab	Description
Details	Displays details about the domain, including: The number of endpoints that have accessed this domain The first/last time the domain was seen Domain properties Domain Overview Security Intelligence
Alerts	Displays all alerts associated with this domain.
Occurrences	Occurrences related to this domain (for example, IP address of the domain).
Hosts	Displays the Hosts accounts that have requested the domain resolution.
Users	Displays Users related to this domain.
URLs	Displays each instance of a URL in this domain, as a remote IP address.
Remote IPS to URLs	Displays the list of the Remote IPs obtained by the specific domain URL resolution (this can also be viewed, as the list of the remote IPs that the Cynet hosts have connected to, when requesting the specific URL/Domain).

Investigating Sockets

The Forensic page Sockets tab provides visibility into all network Sockets created on Hosts in the environment.

The default Sockets Inventory list contains the following columns:

Column	Description
Host Name	The Host associated with the network traffic. To go to the Host Details page, click the Host Name.
Risk Level	This is the network Socket’s current risk level.
Local IP	This is the source IP address of the network traffic. To go to the Domain/ IP_Address_Details page, click Local IP.
Local Port	This is the source port of the network traffic.
Remote IP	This is the destination IP address of the network traffic. To go to the Domain/IP Address details page, click Remote IP.
Remote Port	This is the destination port of the network traffic.
First Seen	This is the date and time of when this network traffic was first seen by CynetEPS.
Last Seen	This is the date and time of when this network traffic was last seen by CynetEPS.

You can select the columns to display in the Inventory List, as described in “Display Fields”.

Clicking on the Host Name leads the User to the Host Forensics details page, related to the clicked Host that enables the User to obtain a holistic view of the clicked Host’s Users, Alerts, Files, Sockets, Domains, and Vulnerability Assessment.

To drill-down on the specific Host’s socket monitoring, click on the Host’s Local IP.

Socket Details View

When clicking on the Host’s Local IP column, in the Socket Alert view, the Socket Forensics view is shown. The Socket Forensics view displays detailed Socket information collected by the system regarding the selected Socket (Local IP of the specific Host).

A timeline displays the User’s recorded events.

The following Socket relationship screenshot displays how the Socket is related to other entities in the organization (Users, File, and Hosts). If the metadata allows it, information, Indicators are also provided (this is not the case in the following screenshot) COMMENT: Unclear

Section	Description
A	This section displays associated Files, Hosts, and User entities. To access the details page of an entity, click it.
B	This section displays the Socket (here, the Local IP) and its Risk Level.
C	This section displays all detected Indicators for this Socket: High severity indicators display in Red. Medium severity indicators display in Gold. Low severity indicators display in Blue. Positive indicators display in Green.

The lower section of the page displays multiple tabs providing detailed information about this User, as shown in the screenshot.

Tab	Description
Details	Displays details about the domain, including: The Local IP of the Socket The Remote IP of the Socket The Port used by the Socket The File’s SHA256, for exchanged files over the Socket Remote IP: Known vs Unknown? Local or external to the LAN? First and Last seen
Files	Displays a list of the Files that have used the monitored Socket – including additional metadata (risk score incurred, NTFS owner, Running User, Host name, AV score, File type, File Status, Date in, and Last Seen).
Hosts	Displays a list of the Host accounts that have used the Socket. Including the Host metadata (Risk score, Last scan date, Host IP, OS Version, # of Processes running, # of logged-in Users, and # of current connections).
Users	Displays a list of the Users that have used the socket. Including the User’s account metadata (User Name, Risk level, Account Locked, Account Disabled, Running files – files run by this User, User’s Password age, Last login, First date seen in the Network, and Last date seen).

Finding and Managing Alerts

When an alert is generated, Cynet offers Operators options for Whitelisting or Remediation.

Creating Alert Whitelist Profiles

Cynet 360 enables you to list applications and parameters that are authorized to run in the User’s environment. Cynet does not generate alerts for anything that is whitelisted.
There are two ways to create alert whitelist profiles: (COMMENT: The formatting for the 2 ways is not correct. The first step should be “1.” And not just a bullet, and the second way should have “2.”, but it should be under the “1.”. This structural error appears throughout the document.)

From the Alert: Create whitelisting profiles directly from the displayed alert. This enables Operators to:

Name and populate whitelist profiles by extracting available data from the Alert

Filter the whitelisting options to match the alert type

Add the Whitelist to the Audit

From the Whitelisting tab: Create whitelisting profiles manually from the whitelisting tab. This enables Operators to create profiles before they appear in an alert. (COMMENT – see above)

Creating a Whitelist Profile from an Alert

To create a whitelist rule from an alert:

From the alert list on the Alert, Forensic, or Actions page, select the alert.

Click Action.

Select the Whitelisting tab.

In the Profile Name field, enter a descriptive name.

Under Whitelisted by, select the relevant options.

Under Whitelist for, select the relevant options.

Click Create Profile.

A screenshot of a cell phone Description automatically generated

Creating an Alert Whitelist Profile from the Whitelist Tab

The Whitelisting tab on the Settings menu enables Operators to create rules to exclude arguments from the detection and remediation mechanism. Examples of these arguments are:

Files

Users

Hashes

IP Addresses

To Configure a Whitelist Rule

From the Setting Page, select the Whitelisting tab.

A screenshot of a computer screen Description automatically generated

Click Create (COMMENT – this is another example of Procedure steps that are different from the ones above – for your designer to remedy)

Enter the profile name

Select the alert to whitelist and the type of alert on which the exclusion will be based

Note

When you create a rule, you exclude arguments across all Cynet agents on the network.

- - - 1. Enter the value according to the type of information selected
      2. Click +

Cynet 360 implements the Whitelist Rule.

Optional: The Whitelist can also be configured based on a specific scan group or host.

Notes

Once the Whitelist rule is added, the alert does NOT display anymore according to the rule that was set.

“All Alerts” means that the Whitelist is applied to all alerts under “Applied on alert”.

Automatically Remediate Alerts

The Auto Remediation page enables the Operator to manage rules that let Cynet 360 automatically perform remediation actions when an alert is generated. You can configure these rules to match alerts based on a number of factors. Cynet 360 takes remediation action mitigating the threat.

There are two ways to create Auto Remediation rules, using the Actions menu (as described below) and using the Alerts menu. For instructions on how to do so using the Alerts menu, see the Zendesk article, “Recommended Auto Remediation Rules”.

To access the Auto Remediation page, click Actions>Auto Remediation.

Column	Description
Name	The name of the Auto Remediation rule.
Description	The description of the Auto Remediation rule.
Remediation	The remediation action taken when this rule is matched. To filter the information displayed, select an option from the drop-down menu.
Priority	The order in which the Auto Remediation rules are processed.
Date In	The date and time when you create the Auto Remediation rule.
Is Enabled	Filters alerts according to whether the selected remediation is enabled or not or selects all.

Creating Auto Remediation Rules

To create a new Auto Remediation rule, click Create Rule.

The Auto Remediation rule creation menu opens.

Configuring General Parameters

You can configure the following general parameters:

Parameter	Description
Rule Name	Enter an alias for the rule.
Description	Enter a description for the rule.
Priority	Enter a number from 1 to 1000 (as per the firewall) used by the system to identify which rule to execute in the case where two Auto Remediation rules match an alert. The lower the number, the higher the priority.

Matching

You can create an auto-remediation rule matched to specific host groups.

The fields required for matching to host groups are as follows:

Parameter	Description
Alert Name	Enter a regular expression (RegExp) to match the name of the alert. This enables matching of multiple alerts with individual names according to a pattern. To match all alert names, use the regular expression (.*)
Host Groups	To match hosts in generated alerts, select host groups from the drop-down menu. When the host in the alert is included in a selected host group, a match is found. To match to all Host Groups, select all the checkboxes.
Alert Severity	Select the severity to use when matching generated alerts. When the severity of an alert matches one that you have selected, a match is found.

Parameter

Description

Alert Name

Enter a regular expression (RegExp) to match the name of the alert. This enables matching of multiple alerts with individual names according to a pattern. To match all alert names, use the regular expression (.*)

Host Groups

To match hosts in generated alerts, select host groups from the drop-down menu. When the host in the alert is included in a selected host group, a match is found.

To match to all Host Groups, select all the checkboxes.

Alert Severity

Select the severity to use when matching generated alerts. When the severity of an alert matches one that you have selected, a match is found.

Advanced Matching

You can also create auto-remediation rules that match specific Files, Users, Networks, and Hosts.

The fields required for Advanced Matching are as follows:

Parameter	Description
File	To increase the chances of matching this rule to a generated alert you can enter a specific File Hash or File Name. To match to any File in an alert, leave this field blank.
User	To increase the chances of matching this rule to a generated alert you can enter a specific User Name. To match to any User in an alert, leave this field blank.
Network	To increase the chances of matching this rule to a generated alert you can enter a specific IP address, Domain, or URL. To match to any Network criteria in an alert, leave this field blank.

Parameter

Description

File

To increase the chances of matching this rule to a generated alert you can enter a specific File Hash or File Name.

To match to any File in an alert, leave this field blank.

User

To increase the chances of matching this rule to a generated alert you can enter a specific User Name.

To match to any User in an alert, leave this field blank.

Network

To increase the chances of matching this rule to a generated alert you can enter a specific IP address, Domain, or URL.

To match to any Network criteria in an alert, leave this field blank.

Hosts to Match

To increase the chances of matching this rule to a generated alert you can add a specific Host.

Adding a new Host match:

Click Hosts to Match.

Click Add New Match. COMMENT: Each of these procedure steps should be numbered

In the Group Name field, to match the Host entry, add an alias.

In the Hosts to Match field, to match the Host Name, enter a regular expression.

This enables matching of multiple Hosts with different names according to a pattern.

To match on all Host names, use the regular expression ( .* ).

In the Selected OS field, to find a match based on operating systems, select an operating system from the drop-down menu.

Operating systems in the list are taken from scanned Hosts.

To find a match based on all operating systems, select *ALL* from the drop-down menu.

To edit an existing Host match entry:

Click Hosts to Match.

Click Edit Match.

Note

The Group Name field is not functional when editing an existing Host match entry.

In the Hosts to Match field, to match the Host Name, enter a regular expression.

This enables matching of multiple Hosts with individual names according to a pattern.
To match on all Host names, use the regular expression ( .* ).

In the Selected OS field, to find a match based on operating systems, select an operating system from the drop-down menu.

Operating systems in the list are taken from scanned Hosts.

To find a match based on all operating systems, select *ALL* from the drop-down menu.

Actions

You can select the type of remediation you want to use. You can also decide what actions to take when a match is found.

Remediation Type

You can select the type of remediation from the drop-down menu.

The available options are:

File remediation

Host remediation

User remediation

Network remediation

Action

For each type of remediation selected, you can select an associated action from the drop-down menus.

The options for File Remediation Actions are:

Quarantine File

Delete File

Kill Process

MyRem

The options for Host Remediation Actions are:

Restart Machine

Shutdown Machine

Disable All Nics

Run Command

The option for User Remediation Action is:

Disable User

The option for Network Remediation Action is:

Block Traffic

DNS Remediation

When you have made all the necessary configuration changes for the Auto Remediation Rule, click Save. The new rule appears in the Auto Remediation dashboard.

Cynet Recommendations for Creating Rules

For files:

For alerts that contain “Adware”, set the rule: “Kill Process” only to workstation scanning groups

For alerts that contain “Worm”, set a rule to quarantine the file

For alerts that contain “Backdoor”, set a rule to quarantine the file

For networks:

For alerts that contain “Phishing site”, set a rule to “Block URL”

For alerts that contain “Malware Distribution” or “Compromised Website”, set a rule to “Block IP”

Note

Rules created for networks are applied to the local machine and not at the DNS level.

Editing Auto Remediation Rules

To edit an Auto Remediation rule, click the Rule Name.

The Auto Remediation editing menu opens.

Edit the rule using the same procedure as in “Creating Auto Remediation Rules”.

Deleting Auto Remediation Rules

To delete an Auto Remediation rule, select the rule in the Auto Remediation rule list.

Click Delete.

To delete the rule, click Confirm Delete.

NextGen AV

Cynet 360 has traditionally focused on protecting your organization from new and advanced cyber threats. In this version of Cynet 360, the new antivirus module further reduces the attack surfaces in your environment by also protecting you from known malware. Everything is done under one system with no requirement for an additional external antivirus program.

Note

NextGen AV works with Windows 8 and above.

Activating NextGen AV

To activate NextGen AV:

Make sure that Port 5443 TCP from the endpoint to the server is open.
Install the latest version of the CynetEPS detection engine to the endpoints in your environment.
For instructions, see section ‎6.2 “Installing the CynetEPS Detection Engine”.
In Cynet 360, enable the Windows Defender antivirus engine.
For instructions, see section ‎6.3 “Enabling Cynet 360”.

Installing the CynetEPS Detection Engine

Your Cynet support representative will provide the CynetEPS installation file. Install it on every endpoint in your environment.

Enabling Cynet 360 NGAV

To enable Cynet 360 antivirus:

On the main menu, click Settings .
In the Scan Groups tab, scroll down to the Antivirus section and select Antivirus.
In the Antivirus Engines section, Cynet Antivirus Engines and Antivirus Real Time Engine must be selected. If there are more antivirus engines listed, you can select them too.

Note: You must select at least one antivirus engine.
(Optional) Select Windows Defender to enable Cynet to work with Windows Defender.

Make sure that Windows Defender Real Time is selected
It is not necessary to select Keep Windows Defender Service Running.

Select the requested Antivirus option.

Alert Only- enables alert mode only
When an alert is triggered, the following dialog box opens:

Rename File- changes the .exe to. Cynet so that the User knows that the file is malicious
Delete File- to delete the file
Click Save.

Understanding Forensics

Performing Favorite Searches

The Forensic page is divided into five distinct sub-sections: Files, Hosts, Users, Domains, and Sockets. Each sub-section provides inventories for all data collected by Cynet 360. Each page of the Forensic section has the same basic layout:

Label	Parameter	Description
A	Sub Menu	Contains links to the inventories of all Files, Hosts, Users, Domains, and Network sockets observed by the system.
B	Favorite Searches	Enables predefined searches to quickly search within the inventories.
C	Advanced Search	Enables the Operator to search within inventories in any of the available metadata fields, or to change the displayed fields in the Inventory List.
D	Actions	Enables the Operator to export inventories to Excel and/or to take Remediation Action.
E	Quick Filter	Enables the Operator to quickly filter inventories by metadata and indicators such as file name, risk level, host name, and IP address.
F	Inventory List	Lists every object that matches the filter criteria set in the Quick Filter Bar. To view more information and details about this object, click on the object name.
G	Top Results	Shows objects with high risk levels and other risky items.

File Favorite Searches

The Files page contains eight default favorite searches. The searches cannot be edited or deleted. They provide a quick and easy way to search for files based on the following parameters:

Parameter	Description
Internal Com	Files that have network communication to an internal IP address.
External Com	Files that have network communication to an external IP address.
Unique in Org	Files that are unique within your organization and exist only once.
DLL	Files with the .dll extension.
EXE	Files with the .exe extension.
No GUI	Files that are running in a hidden window.
Detected by Security Intel	Files that have been identified using Cynet’s security intelligence feeds.
Start Up	Files that have made themselves persistent at the endpoint and execute when the computer starts up.
Test	When performing an Advanced Search, Users can create their own search. Click the star to save this search. It is saved under Favorite Searches with the selected name (for example, Test).

Host Favorite Searches

The Hosts page contains three default favorites that make it quick and easy to search for hosts. The default favorite searches cannot be edited or deleted.

Parameter	Description
High Risk	Hosts with a high-risk level.
Internal Com	Hosts that have network communication to an internal IP address.
External Com	Hosts that have network communication to an external IP address.

User Favorite Searches

The Users page contains three default favorites that make it quick and easy to search for Users. The default favorite searches cannot be edited or deleted.

Parameter	Description
High Risk	User accounts with a high-risk level.
Locked	User accounts that are locked out.
Run Risky Files	User accounts running high risk files.
Old Password Age	Indicates the last time the password was changed.

Domain Favorite Searches

The Domains page contains two default favorites that make it quick and easy to search for domains. The default favorite searches cannot be edited or deleted. They provide a quick and easy way to search for domains based on:

Parameter	Description
High Risk	Domains with a high-risk level.
Detected by Security Intel	Domains identified using Cynet’s security intelligence feeds.

Socket Favorite Searches

The Socket page contains one default favorite that makes it quick and easy to search for sockets. The default favorite search cannot be edited or deleted.

Parameter	Description
High Risk	Network Sockets with a high-risk level.

Taking Actions

This section contains information on all available actions in Cynet.

Actions can be run from the actual Alert, or from the top right of the Forensics and Alert pages.

Auto Remediation can be performed as well. For more information on Auto Custom Remediation, see “Auto Custom Remediation” below.

Taking Actions on an Alert

Alert actions can be used to change an alert status or to perform a remediation action on files, hosts, or Users.

To open the Alert Actions menu:

On the Alerts Dashboard, select one or more alerts.

Click the Actions button.

A menu opens indicating which alerts are currently selected.

You can:

A: Change the Alert Status to Open, Close, or Ignore

B: Add Comments. See “Add Comments”

C: Create a whitelist profile. See “Creating an Alert Whitelist Profile from the Whitelist Tab ”

D: Perform additional Analysis actions. See “Analysis Action”

E: Perform Remediation actions. See “Taking Remediation Actions”

Create a new Auto-Remediation rule based on the alert details. See “Configuring Remediation Settings “

Note

Only actionable tabs appear in the Action window, according to the selected alerts.

Domain Actions

The Actions icon enables the Operator to insert an IP/URL of an external address, then to perform a DNS remediation on that address for the entire organization.

Block Traffic

This action blocks specific traffic to and from the selected hosts.

DNS Remediation

This action redirects all traffic to the domain to a specified IP address. A new zone in the internal DNS server is created to resolve this domain to the specified IP address. Any Hosts that attempt to resolve the domain in the network are given the specified IP address from the internal DNS server. Traffic is prevented from reaching the actual domain’s IP address.

Hosts Actions

The Actions icon enables the Operator to run actions on all the Hosts in the organization.

The Actions feature enables the Operator to perform various types of actions on all the Hosts:

Run Command

This action executes the specified commands on all the Hosts. The output is captured and presented in the console. If the output has multiple lines, it is preserved in a text file format.

Run Script

This action enables a specified file to be run on all Hosts.

To run a script on all Hosts:

Select a file from the local computer.

Upload the file to the Cynet server.

The Cynet server deploys the file to the Hosts for execution.

Add Comments

This action inserts a comment to a single alert or to multiple selected alerts simultaneously.

To add a comment to a single or multiple alerts:

From the Alert page, select the alert or alerts.

Click Actions.

Click Add Comments.

In the Add Comment window, enter your comment.

Click Add.

Analysis Action

Operators can take analysis actions on files scanned by Cynet 360.

To take an analysis action, open the Actions menu and select an action from the Analysis tab.

The following Analysis Actions are available:

Analysis Action	Description
Send to SOC	Sends the selected file(s) to the Cynet SOC for deep inspection and analysis.
Send to Analysis	Sends the selected file(s) to the Server Sent Events (SSE) Sandbox for analysis. This requires that the Cynet SSE sandbox is configured.
Verify File	Verifies that the selected file(s) still exist(s) on the Host(s).
Get Memory Strings	Performs a dump of the strings in memory allocated by the selected file(s).
Pull File	Pulls the selected file occurrence from the Host. This action is performed by selecting a specific file occurrence. It requires targeting a specified Host. Once pulled, the sample is available for download from the File Actions page. The sample has its extension stripped and is renamed to the file’s SHA256 hash. This action is limited to files of 100 MB or less.
Deep Scan	Begins a deep scan of the selected file occurrence on the Host. This action is performed by selecting a specific file occurrence. It requires a specified instance of a process on a Host.

Deep Scans

Cynet uses Deep Scans of files to monitor a specific file on an endpoint. Deep Scans monitors behaviors of a process for an extended period of time. This is a hybrid analysis combining normal scanning and sandboxing, where the deep scan analysis takes place on the endpoint. Deep Scans are initiated manually.

Initiating a Deep Scan

To initiate a Deep Scan of a file:

In Forensic, navigate to the Files Detail Page.

Click the Occurrences tab of the file to be scanned.

Note

Deep Scans can only be performed on one file per host at a time. After the deep scan has completed on the host, another deep scan can be performed on that host.

Only executable files can be added for Deep Scanning.

On the file’s Occurrence tab, select the file occurrence to be scanned.

Click Actions.

In the Actions menu, click Deep Scan.

Note

When you initiate a Deep Scan on a process occurrence, you are prompted to acknowledge that additional files (such as child processes) may be monitored as part of the scan.

Any currently-running deep scans on this host are terminated.

While the Deep Scan is running, you can view the current status of the scan. To view the current status of the Deep Scan, click the Deep Scans tab on the File Actions page.

When the Deep Scan is complete, the results can be viewed in the Deep Scan tab of the File Details Page of the specified file.

There are two options to view results: Advanced and Normal.

Advanced View shows additional information such as Hostname, Scope of the event or object, First Seen, and Last Seen timestamps.

Whitelisting Actions

The Whitelisting tab enables you to create whitelist profiles. Select alert activities such as files, processes, and commands, or the hosts, servers, and endpoints displayed in the Whitelisting tab to ensure that future alerts are disabled for the selection.

For more information, see “Creating an Alert Whitelist Profile from the Whitelist Tab ”.

A screenshot of a cell phone Description automatically generated

Parameter	Description
Profile Name	User given name of the profile to whitelist
Whitelist by	Lists the components of the alert by activities
Whitelist for	Lists the components of the alert by affected recipients

Taking Remediation Actions

You can take Remediation Actions on objects scanned by Cynet 360.

To take a Remediation Action:

Navigate to Forensic.

Select the file on which you want to take action.

Click .

Select the Remediation tab.

Select the Remediation Action you want to perform.

The Remediation tab has a sub-menu that enables navigation between the Remediation Actions available in the system.

File Remediation Actions

Cynet can take Remediation Actions on files observed on endpoints in the environment. File Remediation Actions can be taken from any Actions menu. The results of a File Remediation Action are recorded in the File Actions page.

The following File Remediation Actions are available:

Remediation Action	Description
Delete File	Deletes the selected File from the Host.
Quarantine File	Quarantines the selected file from the host. A list of Quarantined files can be found on the File Actions Page.
Kill Process	Kills the selected process on the hosts. This action leaves the file intact, only killing the process loaded in memory.

User Remediation Actions

Cynet can take Remediation Actions on Users observed in the environment. User Remediation Actions can be taken from any Actions menu. The results of a User Remediation Action are recorded in the User Actions page.

The following User Remediation Actions are available:

Remediation Action	Description
Enable User	Enables the selected User account if it was disabled.
Disable User	Disables the selected domain or local User account.

Host Remediation Actions

Cynet can take Remediation Actions on Hosts scanned in the environment. Host Remediation Actions can be taken from any Actions menu. The results of a Host Remediation Action are recorded in the Host Actions page.

The following Host Remediation Actions are available:

Remediation Action	Description
Scan	Rescans the selected Host.
Shut Down	Shuts down the selected Host.
Restart	Reboots the selected Host.
Change IP	Changes the IP address of the Host.
Disable All NICs	Disables the Network Interface Card (NIC) on the selected Host. Using this action prevents any further remote connections to the Host.
Run Command	Executes the specified commands on the selected Host. The output is captured and presented in the console. When the output contains multiple lines, it is preserved in a text file format.
Pull File	Pulls an existing file from the endpoint.
Run Script	Uploads a script and runs it on the endpoint.
Delete Service	Deletes the specified service on the selected Host.
Disable Service	Disables the specified service on the selected Host.
Delete Schedule Task	Deletes the specified scheduled task on the selected Host.
Disable Schedule Task	Disables the specified scheduled task on the selected Host.
Isolate	Isolates the endpoint for access only to the Cynet server and Active Directory Server.
Un-Isolate	Removes the Host isolation by removing the communication filter.

Domain Remediation Actions

Cynet can take Remediation Actions to block network connections observed in the environment for a specific domain. Domain Remediation Actions can be taken from the Actions menu. The results of a Domain Remediation Action are recorded in the Network Actions page.

The following Domain Remediation Actions are available:

Remediation Action	Description
Block Traffic	Blocks traffic to specified IP addresses and domains. IP addresses are blocked by modifying the route table on the selected Host. Traffic to these IPs loops back to the localhost IP address. Domains are blocked by creating an entry in the hosts file for the selected Host and the domain resolves to the localhost IP address.
DNS Remediation	Redirects all traffic to the domain to a specified IP address. Cynet does this by creating a new zone in the internal DNS server to resolve this domain to the specified IP address. Any Hosts that attempt to resolve the domain in the network receive the specified IP address from the internal DNS server. Traffic is prevented from reaching the actual domain’s IP address.

Auto-Remediation Actions

Operators can associate Auto-Remediation Actions to be triggered on Alerts, or create an Auto-Remediation rule on-the-fly.

As detailed in the Automatically Remediate Alerts section, Auto-Remediation is applied only upon strict rule-matching, based on the Alert’s entities (Files, Users, Hosts, or Network).

As for the rules, Auto-Remediation actions enable granular actions on the Alert’s aspects: Files, Users, Hosts, or Network.

To associate an Auto-Remediation Action to an Alert, or create an Auto-Remediation Action, through the Alerts View:

Navigate to Alerts.
Select the Alert on which you want to take action.
Click .
Open the Auto-Remediation tab.
To associate an existing Auto-Remediation Rule – Select the Auto-Remediation pre-defined Rule you want to associate with the Alert (the Auto-Remediation action can be available as part of the “Chosen Alerts” top pane in the Alert expandable right-hand drawer).
It is also possible to create a new Auto-Remediation rule, by using the bottom section of the Set the Alert expandable right-hand drawer, by setting the Auto-Remediation rules to control the Auto-Remediation Action to be triggered) for more details refer to the Automatically Remediate Alerts section

Actions Page

The Actions page has six subsections. These are Files, Hosts, Users, Network, Playbooks, and Auto Remediation. Each subsection lists actions taken by Cynet 360.

Each page of the Actions section has the same basic layout:

A: The Sub-Menu

The Submenu has tabs for the following interfaces:

File Actions
Host Actions
User Actions
Network Actions
Playbook Actions
Auto Remediation

B: Action Tabs

Some action pages, such as the File Actions page, have Action Tabs providing additional actions to take. These include:

Analysis – See “Hosts Actions”

The Actions icon enables the Operator to run actions on all the Hosts in the organization.

The Actions feature enables the Operator to perform various types of actions on all the Hosts: