edr.cylance

CylancePROTECT supports Syslog forwarding for sending events to Devo.

The logs from CylancePROTECT are labeled with the edr.cylance.threats tag.

  • Each event is in plain text and contains key-value pairs separated by commas.
  • The size of each event is limited to 2048 characters.

In-house Relay configuration

The step-by-step procedure below configures the Devo relay to accept events from CylancePROTECT and to tag them appropriately. This configuration uses only the most basic options; more advanced configurations are available if necessary.

  1. Log in to the Devo web application and go to Administration → Relays area.
  2. Select the relay that will be accepting the forwarded events by clicking on its name.
  3. Click on New Rule.

  4. Configure the rule settings:
    • Set rule name to Cylance Protect
    • Set source port. Note the port setting will vary depending on other rules configured on the Relay. These instructions assume that this port setting will be only used for this rule and is not already in use.
    • Set Target Tag to edr.cylance.threats
    • Mark as checked the Send Without Tag box
  5. Click on Add Rule and Apply Configuration.

The Relay will apply this new rule on its next heartbeat, typically within 2 minutes.

CylancePROTECT configuration

The step-by-step procedure below configures CylancePROTECT to forward events to a Syslog server or to a Devo relay.

  1. In the Cylance console go to Settings → Application area.
  2. Scroll to the Integrations section.

  3. Fill out the Syslog/SIEM configuration settings form:
    • Choose the event types desired. Devo supports all 6 main types.
    • Set SIEM to None
    • Set Protocol to TCP
    • Leave the TLS/SSL box unchecked. (Contact Devo Support if this option is required)
    • Set IP/Domain to the IP address of the Devo relay (or the Syslog server)
    • Set Port to the Devo relay port that is configured in the CylancePROTECT rule. Typically, this will be 13006 or greater.
    • Set Severity and Facility to the desired levels.

  4. Click on Test Connection. An event should be available to view in the edr.cylance.threats table in the Devo finder.

CylancePROTECT events

There are six main event types that CylancePROTECT will generate. Below are examples of each type:

  • Application Control

    2018-03-18 10:06:47.134 cylancehost local4.info threatintel.discovery.cylanceprotect CylancePROTECT: Event Type: AppControl, Event Name: executionfromexternaldrives, Device Name: WIN-SERVER1, IP Address: (192.168.0.31), Action: PEFileChange, Action Type: Allow, File Path: \\docs\exececutable.exe, SHA256: 3908826942578D1C1E268B0F97CCD64F BC0FF5C81C64B4FA6C58FEB8F617

  • Audit Log

    2018-03-18 10:06:47.134 cylancehost local4.info threatintel.discovery.cylanceprotect CylancePROTECT: Event Type: AuditLog, Event Name: ThreatGlobalQuarantine, Message: SHA256: 3908826942578D1C1E268B0F97CCD64F BC0FF5C81C64B4FA6C58FEB8F617, 3908826942578D1C1E268B0F97CCD64F BC0FF5C81C64B4FA6C58FEB8F617; Reason: Manually blacklisting these 2 threats., User: (user1@customer.com)

  • Devices

    2018-03-18 10:06:47.134 cylancehost local4.info threatintel.discovery.cylanceprotect CylancePROTECT: Event Type: Device, Event Name: Registration, Device Name: WIN-SERVER1

    2018-03-18 10:06:47.134 cylancehost local4.info threatintel.discovery.cylanceprotect CylancePROTECT: Event Type: Device, Event Name: SystemSecurity, Device Name: WIN-SERVER1, Agent Version: 1.1.1270.58, IP Address: (192.168.0.31), MAC Address: (123456789123), Logged On Users: (WIN-SERVER1\Administrator), OS: Microsoft Windows Server 2008 R2 Standard Service Pack 1 x64 6.1.7601

    2018-03-18 10:06:47.134 cylancehost local4.info threatintel.discovery.cylanceprotect CylancePROTECT: Event Type: Device, Event Name: Device Removed, Device Names: (win-server1), User: (user1@customer.com)

    2018-03-18 10:06:47.134 cylancehost local4.info threatintel.discovery.cylanceprotect CylancePROTECT: Event Type: Device, Event Name: Device Updated, Device Message: Renamed: 'WIN-SERVER1' to 'WIN-SERVER2'; Policy Changed: 'Default' to 'CSOPolicy'; Zones Added: 'Zone1', User: User 1 (user1@customer.com)

  • Memory Protection

    2018-03-18 10:06:47.134 cylancehost local4.info threatintel.discovery.cylanceprotect CylancePROTECT: Event Type: ExploitAttempt, Event Name: blocked, Device Name: WIN-SERVER1, IP Address: (192.168.0.31), Action: Blocked, Process ID: 6581, Process Name: C:\BadActor32.exe, User Name: admin, Violation Type: LSASS Read

  • Threats

    2018-03-18 10:06:47.134 cylancehost local4.info threatintel.discovery.cylanceprotect CylancePROTECT: Event Type: Threat, Event Name: threat_found, Device Name: SH-Win81- 1, IP Address: (192.168.0.21), File Name: badfile_12faf4de4a16544d98b8e19752a 51ba4, Path: c:\doc\files\data\value\options_123\, SHA256: 3908826942578D1C1E268B0F97CCD64F BC0FF5C81C64B4FA6C58FEB8F617, Status: Unsafe, Cylance Score: 100, Found Date: 7/15/2017 11:14:26 PM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: FileWatcher

  • Threat Classifications

    2018-03-18 10:06:47.134 cylancehost local4.info threatintel.discovery.cylanceprotect CylancePROTECT: Event Type: ThreatClassification, Event Name: ResearchSaved, Threat Class: Malware, Threat Subclass: Worm, SHA256: 3908826942578D1C1E268B0F97CCD64F BC0FF5C81C64B4FA6C58FEB8F617 6E31
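The comma-separated key-value format described above, as an added example that is not part of this Devo page or of Cylance's own tooling: a parser for the lines as Devo receives them, which keeps values that themselves contain ", " (the AuditLog Message field) intact and strips the parentheses Cylance puts around some values. The sample events are constructed from the formats listed above, and the triage rule in needs_attention is an assumption for illustration.

```python
import re

# Constructed sample events, modelled on the event formats shown on this page.
SAMPLE_EVENTS = [
    "2018-03-18 10:06:47.134 cylancehost local4.info threatintel.discovery.cylanceprotect "
    "CylancePROTECT: Event Type: AuditLog, Event Name: ThreatGlobalQuarantine, "
    "Message: SHA256: AAAA, BBBB; Reason: Manually blacklisting these 2 threats., "
    "User: (user1@customer.com)",
    "2018-03-18 10:06:47.134 cylancehost local4.info threatintel.discovery.cylanceprotect "
    "CylancePROTECT: Event Type: ExploitAttempt, Event Name: blocked, Device Name: WIN-SERVER1, "
    "IP Address: (192.168.0.31), Action: Blocked, Process ID: 6581, "
    "Process Name: C:\\BadActor32.exe, User Name: admin, Violation Type: LSASS Read",
]

MAX_EVENT_LEN = 2048          # size limit stated on this page
MARKER = "CylancePROTECT: "   # everything after this is the key-value payload
# A field key is a word (or words) followed by ': '; ':' and ';' never appear in a key.
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 /]*): (.*)$")


def parse_event(line):
    """Return the event's fields as a dict; '_truncated' marks payloads at the size cap."""
    _, sep, payload = line.partition(MARKER)
    if not sep:
        raise ValueError("not a CylancePROTECT event")
    fields, last_key = {}, None
    # Values may contain ', ' (e.g. the SHA256 list inside an AuditLog Message),
    # so a fragment that does not start with 'Key: ' is glued back onto the
    # previous value instead of being treated as a new field.
    for fragment in payload.split(", "):
        m = KEY_RE.match(fragment)
        if m:
            last_key, fields[last_key] = m.group(1), m.group(2)
        elif last_key is not None:
            fields[last_key] += ", " + fragment
    # Cylance wraps some values in parentheses: (192.168.0.31), (user1@customer.com)
    for key, value in fields.items():
        if value.startswith("(") and value.endswith(")"):
            fields[key] = value[1:-1]
    fields["_truncated"] = len(payload) >= MAX_EVENT_LEN
    return fields


def needs_attention(fields):
    """Assumed triage rule: surface blocked exploit attempts and files Cylance rated Unsafe."""
    event_type = fields.get("Event Type")
    if event_type == "ExploitAttempt":
        return True
    return event_type == "Threat" and fields.get("Status") == "Unsafe"


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        parsed = parse_event(raw)
        print(needs_attention(parsed), parsed)
```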
