Cylance collector
Configuration requirements
To run this collector, there are some configurations detailed below that you need to consider.
Configuration | Details |
---|---|
Cylance APP | You need to run a Cylance app. |
Application ID | Once you create the App, it gives you an Application ID. |
Application Secret | Once you create the App, it gives you an Application Secret. |
Tenant ID | You can find it in your Cylance console. |
More information
Refer to the Vendor setup section to know more about these configurations.
Overview
Cylance is an AI-based Endpoint Protection Platform (EPP) that blocks cyberattacks and provides controls for safeguarding against sophisticated threats. It protects organizations with networks where Internet access is severely restricted or not allowed (air-gapped environments). This collector facilitates the security-related communication between the virtual server that acts as the Cylance console and the local infrastructure - endpoints with CylancePROTECT agents installed - without exposing the local network to the broader internet
Devo collector features
Feature | Details |
---|---|
Allow parallel downloading ( |
|
Running environments |
|
Populated Devo events |
|
Flattening preprocessing |
|
Data sources
Data source | Description | API endpoint | Collector service name | Devo table | Available from release |
---|---|---|---|---|---|
Threats | Get information for a specific threat in a tenant. |
| threats |
|
|
Users | Request a page with a list of console user resources belonging to a tenant. |
| users |
|
|
Devices | Request a page with a list of device resources belonging to a tenant. |
| devices |
|
|
Policies | Request a page with a list of console policies belonging to a tenant. |
| policies |
|
|
Detections | Request a page with a list of detections belonging to a tenant. |
| detections |
|
|
Detection Rules | Retrieve a list of Detection rules available in a tenant. |
| detection_rules |
|
|
Detection Exceptions | Retrieve a list of detection exception rules available in a tenant. |
| detection_exceptions |
|
|
For more information on how the events are parsed, visit our page.
Flattening preprocessing
Data source | Collector service | Optional | Flattening details |
---|---|---|---|
Threats | threats |
| Original structure: {
"ip_addresses": ["10.0.2.15"],
"mac_addresses": ["08-00-27-E6-E5-59"]
} Result: {
"related_ips": 1,
"ip": "10.0.2.15",
"related_ip_count": 1,
"related_macs": 1,
"mac": "08-00-27-E6-E5-59",
"related_mac_count": 1
} |
Devices | devices |
| Original structure: {
"products": [
{
"name": "protect",
"version": "3.0.1000",
"status": "Online"
}
],
"policy": {
"id": "f92e4b70-1c44-4898-b2f9-21207381abee",
"name": "Default"
},
"ip_addresses": [
"10.0.2.15"
],
"mac_addresses": [
"08-00-27-E6-E5-59"
]
}
Result:
|
Policies | policies |
| Original structure: Result: |
Detections | detections |
| Original structure: Result: |
Detection Rules | detection_rules |
| Original structure: Result: |
Detection Exceptions | detection_exceptions |
| Original structure: Result: |
Vendor setup
There are some minimum requirements that are needed to set up the collector. In order to retrieve the data, we need to create an application_id and application_secret to authenticate the collector.
Log into the dashboard.
Register an app. Go to Settings → Integrations and click on Application.
Give the read permissions to the Application and click on Save.
Save the Application ID and Application secret. Note: The Application ID and Application Secret only display once.
Copy the Tenant ID in a safe place.
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check the setting sections for details.
Setting | Details |
---|---|
| Application ID of the application created during the setup. |
| Application secret created during the setup. |
| Tenant ID of the application created during the setup. |
See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.
Accepted authentication methods
Authentication method | Application ID | Application Secret | Tenant ID |
---|---|---|---|
Application Id/Application Secret/Tenant ID | REQUIRED | REQUIRED | REQUIRED |
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
Events service
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.
Change log
Release | Released on | Release type | Details |
---|---|---|---|
| Oct 27, 2023 | IMPROVEMENTS | Improvements
|
| Aug 29, 2022 | IMPROVEMENT | Improvements
|
| Oct 3, 2022 | NEW FEATURE | Retrieve data for Blackberry Cylance services:
|