Document toolboxDocument toolbox

Cylance collector

Owned by Juan Tomás Alonso Nieto (Deactivated)
May 08, 2023
20 min read
[ 1 Configuration requirements ] [ 2 Overview ] [ 3 Devo collector features ] [ 4 Data sources ] [ 5 Flattening preprocessing ] [ 6 Vendor setup ] [ 7 Minimum configuration required for basic pulling ] [ 8 Accepted authentication methods ] [ 9 Run the collector ] [ 10 Collector services detail ] [ 11 Collector operations ] [ 12 Change log for v1.x.x ]

Configuration requirements

To run this collector, there are some configurations detailed below that you need to consider.

Configuration

Details

Configuration

Details

Cylance APP

You need to run a Cylance app.

Application ID

Once you create the App, it gives you an Application ID.

Application Secret

Once you create the App, it gives you an Application Secret.

Tenant ID

You can find it in your Cylance console.

More information

Refer to the Vendor setup section to know more about these configurations.

Overview

Cylance is an AI-based Endpoint Protection Platform (EPP) that blocks cyberattacks and provides controls for safeguarding against sophisticated threats. It protects organizations with networks where Internet access is severely restricted or not allowed (air-gapped environments). This collector facilitates the security-related communication between the virtual server that acts as the Cylance console and the local infrastructure - endpoints with CylancePROTECT agents installed - without exposing the local network to the broader internet

Devo collector features

Feature

Details

Feature

Details

Allow parallel downloading (multipod)

  • Not allowed

Running environments

  • Collector server

  • On-premise

Populated Devo events

  • Table

Flattening preprocessing

  • Yes

Data sources

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Threats

Get information for a specific threat in a tenant.

https://protectapi-{region-code}.cylance.com/threats/v2

threats

edr.blackberry.cylance.threats

v1.0.0

Users

Request a page with a list of console user resources belonging to a tenant.

https://protectapi-{region-code}.cylance.com/users/v2

users

edr.blackberry.cylance.users

v1.0.0

Devices

Request a page with a list of device resources belonging to a tenant.

https://protectapi-{region-code}.cylance.com/devices/v2

devices

edr.blackberry.cylance.devices

v1.0.0

Policies

Request a page with a list of console policies belonging to a tenant.

https://protectapi-{region-code}.cylance.com/policies/v2

policies

edr.blackberry.cylance.policies

v1.0.0

Detections

Request a page with a list of detections belonging to a tenant.

https://protectapi-{region-code}.cylance.com/detections/v2

detections

edr.blackberry.cylance.optics_detections

v1.0.0

Detection Rules

Retrieve a list of Detection rules available in a tenant.

https://protectapi-{region-code}.cylance.com/rules/v2

detection_rules

edr.blackberry.cylance.optics_detections_rules

v1.0.0

Detection Exceptions

Retrieve a list of detection exception rules available in a tenant.

https://protectapi-{region-code}.cylance.com/exceptions/v2

detection_exceptions

edr.blackberry.cylance.optics_detections_exceptions

v1.0.0

For more information on how the events are parsed, visit our page.

Flattening preprocessing

Data source

Collector service

Optional

Flattening details

Data source

Collector service

Optional

Flattening details

Threats

threats

yes

 

Original structure:

{ "ip_addresses": ["10.0.2.15"], "mac_addresses": ["08-00-27-E6-E5-59"] }

Result:

{ "related_ips": 1, "ip": "10.0.2.15", "related_ip_count": 1, "related_macs": 1, "mac": "08-00-27-E6-E5-59", "related_mac_count": 1 }

Devices

devices

yes

 

Original structure:

{ "products": [ { "name": "protect", "version": "3.0.1000", "status": "Online" } ], "policy": { "id": "f92e4b70-1c44-4898-b2f9-21207381abee", "name": "Default" }, "ip_addresses": [ "10.0.2.15" ], "mac_addresses": [ "08-00-27-E6-E5-59" ] }

 

Result:

 

Policies

policies

yes

Original structure:

Result:

Detections

detections

yes

 

Original structure:

Result:

Detection Rules

detection_rules

yes

 

Original structure:

Result:

Detection Exceptions

detection_exceptions

yes

Original structure:

Result:

Vendor setup

There are some minimum requirements that are needed to set up the collector. In order to retrieve the data, we need to create an application_id and application_secret to authenticate the collector.

  1. Log into the dashboard.

     

  2. Register an app. Go to Settings → Integrations and click on Application.

  3. Give the read permissions to the Application and click on Save.

     

  4. Save the Application ID and Application secret. Note: The Application ID and Application Secret only display once.

     

  5. Copy the Tenant ID in a safe place.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check the setting sections for details.

Setting

Details

Setting

Details

application_id

Application ID of the application created during the setup.

application_secret

Application secret created during the setup.

tenant_id

Tenant ID of the application created during the setup.

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Accepted authentication methods

Authentication method

Application ID

Application Secret

Tenant ID

Authentication method

Application ID

Application Secret

Tenant ID

Application Id/Application Secret/Tenant ID

REQUIRED

REQUIRED

REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Puller output

A successful initial run has the following output messages for the puller module:

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the historic_date_utc parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type

Error ID

Error message

Cause

Solution

Error type

Error ID

Error message

Cause

Solution

SetupError

100

Error occurred while requesting access token from the Cylance server

Cylance API not working.

See collector logs for more info.

101

access token has expired or invalid. status code: 401

Invalid or expired token

Check credentials given in the configuration.

102

The provided credentials are valid but they do not have the permission to generate access

Not enough permissions.

Check app permissions in your app.

103

The resource requested is not found

Resource not found.

Make sure your configuration is properly defined.

104

Unexpected error occurred at the Cylance server

Cylance API not working.

See collector logs for more info.

105

Error occurred while retrieving users from Cylance server

Cylance API not working.

See collector logs for more info.

InitVariablesError

10

region code specified is not valid. Valid region codes are apne1, au, euc1, sae1. Leave blank if the region is North America

Region code is not valid.

Change the region code for one of these:

  • apne1

  • au

  • euc1

  • sae1

11

Required setting, historic_date_utc not of expected type: str

historic_date_utc should be string, not a number

Change config file for a valid date.

12

Invalid value is provided for the historic_date. Provide the date in %Y-%m-%d %H:%M:%S format.

Invalid format

Change value in config with a valid format:

%Y-%m-%d %H:%M:%S

13

Time format for historic date must be %Y-%m-%d %H:%M:%S

Invalid format

Change value in config with a valid format:

%Y-%m-%d %H:%M:%S

14

historic datetime cannot be greater than the present UTC time

Value of the historic_date_utc is greater than current time.

Change historic_date_utc for a valid value.

PullError

300

Error occurred while retrieving threats from Cylance server.

Cylance API not responding properly.

See collector ouput logs.

302

access token has expired or invalid. status code: 401.

Invalid token

Go to the Cylance console and check app token.

302

The access token does not have valid permissions to perform this request.

Enough permissions.

Go to the Cylance console and check permissions.

303

The resource requested is not found.

Resource you are looking for is not available.

 

304

Unexpected error occurred at the Cylance server.

Unexpected Cylance API response.

Check collector logs.

305

After 3 retries still getting the too many requests error."

You are receiving 429 status code but after wait needed time API isn’t still responding.

 

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services

Description

Sender services

Description

internal_senders

In charge of delivering internal metrics to Devo such as logging traces or metrics.

standard_senders

In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace

Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds)

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

  • 44 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.

  • 21 events where sent to Devo between the last UTC checkpoint and now.

  • Those 21 events required 0.007 seconds to be delivered.

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

  • The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.

  • The global pressure of the available memory is displayed in the global value.

  • All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Change log for v1.x.x

Release

Released on

Release type

Details

Release

Released on

Release type

Details

v1.0.0

Oct 3, 2022

NEW FEATURE

Retrieve data for Blackberry Cylance services:

  • Threats

  • Devices

  • Policies

  • Users

  • Detections

  • Detections Rules

  • Detection Exceptions