Cylance collector

[ 1 Configuration requirements ] [ 2 Overview ] [ 3 Devo collector features ] [ 4 Data sources ] [ 5 Flattening preprocessing ] [ 6 Vendor setup ] [ 7 Minimum configuration required for basic pulling ] [ 8 Accepted authentication methods ] [ 9 Run the collector ] [ 10 Collector services detail ] [ 11 Collector operations ] [ 12 Change log ]

Configuration requirements

To run this collector, there are some configurations detailed below that you need to consider.

Configuration	Details

Configuration	Details
Cylance APP	You need to run a Cylance app.
Application ID	Once you create the App, it gives you an Application ID.
Application Secret	Once you create the App, it gives you an Application Secret.
Tenant ID	You can find it in your Cylance console.

More information

Refer to the Vendor setup section to know more about these configurations.

Overview

Cylance is an AI-based Endpoint Protection Platform (EPP) that blocks cyberattacks and provides controls for safeguarding against sophisticated threats. It protects organizations with networks where Internet access is severely restricted or not allowed (air-gapped environments). This collector facilitates the security-related communication between the virtual server that acts as the Cylance console and the local infrastructure - endpoints with CylancePROTECT agents installed - without exposing the local network to the broader internet

Devo collector features

Feature	Details

Feature	Details
Allow parallel downloading (`multipod`)	`Not allowed`
Running environments	`Collector server` `On-premise`
Populated Devo events	`Table`
Flattening preprocessing	`Yes`

Data sources

Data source	Description	API endpoint	Collector service name	Devo table	Available from release

Data source	Description	API endpoint	Collector service name	Devo table	Available from release
Threats	Get information for a specific threat in a tenant.	`https://protectapi-{region-code}.cylance.com/threats/v2`	threats	`edr.blackberry.cylance.threats`	`v1.0.0`
Users	Request a page with a list of console user resources belonging to a tenant.	`https://protectapi-{region-code}.cylance.com/users/v2`	users	`edr.blackberry.cylance.users`	`v1.0.0`
Devices	Request a page with a list of device resources belonging to a tenant.	`https://protectapi-{region-code}.cylance.com/devices/v2`	devices	`edr.blackberry.cylance.devices`	`v1.0.0`
Policies	Request a page with a list of console policies belonging to a tenant.	`https://protectapi-{region-code}.cylance.com/policies/v2`	policies	`edr.blackberry.cylance.policies`	`v1.0.0`
Detections	Request a page with a list of detections belonging to a tenant.	`https://protectapi-{region-code}.cylance.com/detections/v2`	detections	`edr.blackberry.cylance.optics_detections`	`v1.0.0`
Detection Rules	Retrieve a list of Detection rules available in a tenant.	`https://protectapi-{region-code}.cylance.com/rules/v2`	detection_rules	`edr.blackberry.cylance.optics_detections_rules`	`v1.0.0`
Detection Exceptions	Retrieve a list of detection exception rules available in a tenant.	`https://protectapi-{region-code}.cylance.com/exceptions/v2`	detection_exceptions	`edr.blackberry.cylance.optics_detections_exceptions`	`v1.0.0`

For more information on how the events are parsed, visit our page.

Flattening preprocessing

Data source	Collector service	Optional	Flattening details

Data source	Collector service	Optional	Flattening details
Threats	threats	`yes`	Original structure: `{ "ip_addresses": ["10.0.2.15"], "mac_addresses": ["08-00-27-E6-E5-59"] }` Result: `{ "related_ips": 1, "ip": "10.0.2.15", "related_ip_count": 1, "related_macs": 1, "mac": "08-00-27-E6-E5-59", "related_mac_count": 1 }`
Devices	devices	`yes`	Original structure: `{ "products": [ { "name": "protect", "version": "3.0.1000", "status": "Online" } ], "policy": { "id": "f92e4b70-1c44-4898-b2f9-21207381abee", "name": "Default" }, "ip_addresses": [ "10.0.2.15" ], "mac_addresses": [ "08-00-27-E6-E5-59" ] }` Result: `{ "related_ips": 1, "ip": "10.0.2.15", "related_ip_count": 1, "related_macs": 1, "mac": "08-00-27-E6-E5-59", "related_mac_count": 1, "policy_id": "f92e4b70-1c44-4898-b2f9-21207381abee", "policy_name": "Default", "product_name": "protect", "product_version": "3.0.100", "product_status": "Online", }`
Policies	policies	`yes`	Original structure: `{ "policy": [ { "name": "auto_blocking", "value": "0" }, { "value": "0", "name": "auto_uploading" } ], "logpolicy": { "log_upload": null, "maxlogsize": "100", "retentiondays": "30" } }` Result: `{ "log_policy_log_upload": null, "log_policy_maxlogsize": "100", "log_policy_retentiondays": "30", "related_policys": 43, "related_policy_count": 22, "policy_name": "Default", "policy_value": "0" }`
Detections	detections	`yes`	Original structure: { "Detector": { "Name": "OpticsDetector", "Version": "3" }, "Device": { "CylanceId": "62fc6104-c288-440f-acfa-fa0ba7bb359f", "Name": "MSEDGEWIN10", "IpAddresses": [ "fe80::c50d:519f:96a4:e108%5", "10.0.2.15" ], "LoggedOnUsers": [ { "AccountType": "Normal", "FullName": "IEUser", "Id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "User": "MSEDGEWIN10\\IEUser" } ] }, "DetectionRule": { "Name": "Internet Browser Launched Unsigned Process", "Id": "dd64897b-5cbf-4df3-beca-ec17c18add71", "PolicyGroup": "CylanceOfficialDetectionRuleset", "Version": 3, "ObjectType": "DetectionRule", "Description": "An Internet browser has spawned a new child process that is not signed", "Category": "Cylance Windows Official" } } Result: { "detection_rule_Name": "Internet Browser Launched Unsigned Process", "detection_rule_Id": "dd64897b-5cbf-4df3-beca-ec17c18add71", "detection_rule_PolicyGroup": "CylanceOfficialDetectionRuleset", "detection_rule_Version": 3, "detection_rule_ObjectType": "DetectionRule", "detection_rule_Description": "An Internet browser has spawned a new child process that is not signed", "detection_rule_Category": "Cylance Windows Official", "detector_Name": "OpticsDetector", "detector_Version": "3", "device_CylanceId": "62fc6104-c288-440f-acfa-fa0ba7bb359f", "device_Name": "MSEDGEWIN10", "device_IpAddresses": [ "fe80::c50d:519f:96a4:e108%5", "10.0.2.15" ], "device_LoggedOnUsers": [ { "AccountType": "Normal", "FullName": "IEUser", "Id": "S-1-5-21-3461203602-4096304019-2269080069-1000", "User": "MSEDGEWIN10\\IEUser" } ], "product_Name": "CylanceOPTICS", "product_Version": "2.5.3010.1204", "related_zone_ids": 1, "zone_id": "1931D5ED09C5417E904E7EEC30844C87", }
Detection Rules	detection_rules	`yes`	Original structure: `{ "Product": { "Name": "CylanceOPTICS" }, "Plugin": { "Name": "OpticsDetector" } }` Result: `{ "product_Name": "CylanceOPTICS", "plugin_Name": "OpticsDetector" }`
Detection Exceptions	detection_exceptions	`yes`	Original structure: `{ "Product": { "Name": "CylanceOPTICS" }, "Plugin": { "Name": "OpticsDetector" }, }` Result: `{ "product_Name": "CylanceOPTICS", "plugin_Name": "OpticsDetector" }`

Vendor setup

There are some minimum requirements that are needed to set up the collector. In order to retrieve the data, we need to create an application_id and application_secret to authenticate the collector.

Log into the dashboard.
Register an app. Go to Settings → Integrations and click on Application.
Give the read permissions to the Application and click on Save.
Save the Application ID and Application secret. Note: The Application ID and Application Secret only display once.
Copy the Tenant ID in a safe place.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check the setting sections for details.

Setting	Details

Setting	Details
`application_id`	Application ID of the application created during the setup.
`application_secret`	Application secret created during the setup.
`tenant_id`	Tenant ID of the application created during the setup.

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Accepted authentication methods

Authentication method	Application ID	Application Secret	Tenant ID

Authentication method	Application ID	Application Secret	Tenant ID
Application Id/Application Secret/Tenant ID	REQUIRED	REQUIRED	REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Change log

Release	Released on	Release type	Details

Release	Released on	Release type	Details
`v1.4.0`	Jun 3, 2025	bug fixing	Bug fixes Reviewed and updated the time format in the URL for threat and detection services.
`v1.4.0`	Jun 3, 2025	IMPROVEMENTS	Improvements Upgraded DCSDK from 1.16.1 to 1.16.2 Upgraded docker base image to 1.5.1
`v1.3.0`	May 19, 2025	IMPROVEMENTS	Improvements Upgraded DCSDK from 1.10.0 to 1.16.1 Upgraded docker base image to 1.5.0
`v1.2.0`	Oct 27, 2023	IMPROVEMENTS	Improvements Upgraded DCSDK from 1.9.1. to 1.9.2 Upgraded Dependencies
`v1.1.0`	Aug 29, 2022	IMPROVEMENT	Improvements Upgraded DCSDK from 1.4.2 to 1.9.1 Store lookup instances into DevoSender to avoid creation of new instances for the same lookup Ensure service_config is a dict into templates Ensure special characters are properly sent to the platform Changed log level to some messages from info to debug Changed some wrong log messages Upgraded some internal dependencies Changed queue passed to setup instance constructor New “templates” functionality Functionality for detecting some system signals for starting the controlled stopping Input objects sends again the internal messages to devo.collectors.out table Upgraded DevoSDK to version 3.6.4 to fix a bug related to a connection loss with Devo Refactored source code structure Changed way of executing the controlled stopping Minimized probabilities of suffering a DevoSDK bug related to “sender” to be null Ability to validate collector setup and exit without pulling any data Ability to store in the persistence the messages that couldn’t be sent after the collector stopped Ability to send messages from the persistence when the collector starts and before the puller begins working Ensure special characters are properly sent to the platform Added a lock to enhance sender object Added new class attrs to the `setstate` and `getstate` queue methods Fix sending attribute value to the `setstate` and `getstate` queue methods Added log traces when queues are full and have to wait Added log traces of queues time waiting every minute in debug mode Added method to calculate queue size in bytes Block incoming events in queues when there are no space left Send telemetry events to Devo platform Upgraded internal Python dependency Redis to v4.5.4 Upgraded internal Python dependency DevoSDK to v5.1.3 Fixed obfuscation not working when messages are sent from templates New method to figure out if a puller thread is stopping Upgraded internal Python dependency DevoSDK to v5.0.6 Improved logging on messages/bytes sent to Devo platform Fixed wrong bytes size calculation for queues New functionality to count bytes sent to Devo Platform (shown in console log) Upgraded internal Python dependency DevoSDK to v5.0.4 Fixed bug in persistence management process, related to persistence reset Aligned source code typing to be aligned with Python 3.9.x Inject environment property from user config Obfuscation service can be now configured from user config and module definition Obfuscation service can now obfuscate items inside arrays Ensure special characters are properly sent to the platform Changed log level to some messages from info to debug Changed some wrong log messages Upgraded some internal dependencies Changed queue passed to setup instance constructor Added log traces for knowing the execution environment status (debug mode) Fixes in the current puller template version Docker container exits with the proper error code
`v1.0.0`	Oct 3, 2022	NEW FEATURE	Retrieve data for Blackberry Cylance services: Threats Devices Policies Users Detections Detections Rules Detection Exceptions