CylancePROTECT Cloud

CylancePROTECT Cloud is an advanced threat protection solution that uses artificial intelligence to prevent, detect, and respond to threats. You can configure CylancePROTECT Cloud to send detection events to InsightIDR, which generates virus infection and third-party alerts from them.

To set up CylancePROTECT Cloud, you’ll need to:

  1. Review the requirements.
  2. Create an application in CylancePROTECT.
  3. Set up the CylancePROTECT Cloud event source in InsightIDR.
  4. Verify the configuration works.

Requirements

To complete the tasks outlined in this article, you’ll need the following:

  • Access to an Administrator account for CylancePROTECT.
  • The Tenant ID, Application ID, and Application Secret for CylancePROTECT.
  • A license for CylanceOPTICS. CylanceOPTICS is required to ingest CylancePROTECT events.

Create an application in CylancePROTECT

You must create an application in CylancePROTECT to obtain your Tenant ID, Application ID, and Application Secret. You will need all three to set up CylancePROTECT Cloud in InsightIDR.

  1. Log in to CylancePROTECT as an Administrator.
  2. Navigate to Settings > Integrations.
  3. Record the Tenant ID that appears in the upper right corner of the Integrations page.
  4. Click Add Application.
  5. Specify a unique name for the application.
  6. Define access permissions for the console data type. At a minimum, you must grant read permissions to CylanceOPTICS detection events.
  7. Click Save.
  8. Record the Application ID and Application Secret, which will appear at the top of your application after it’s been set up.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for CylancePROTECT Cloud in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the CylancePROTECT Cloud event source tile.
  4. On the Add Event Source panel, choose your Collector and event source type.
  5. Enter the name of your event source.
  6. Enter your Tenant ID and credentials. Your username is your Application ID and your password is your Application Secret.
  7. Select either CylanceOPTICS Detections, CylancePROTECT Threats, or both.
  8. Enter the refresh rate, which indicates how often you’d like InsightIDR to fetch data from CylancePROTECT.
  9. From the dropdown menu, select the region where your account originates from.
  10. Click Save.

Verify the configuration

Complete the following steps to view your logs and ensure events are making it to the Collector.

  1. On the event source you just created, click the View Raw Log button. If log messages appear in the box, logs are flowing to the Collector.
  2. Click Log Search in the left menu.
  3. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “CylancePROTECT Cloud” if you did not name the event source. CylancePROTECT Cloud logs flow into the CylancePROTECT Cloud log set.

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.

Sample Logs

The logs in this section generate third party alerts and virus infection alerts.

Third Party Alerts

JSON
{
  "Id": "47e70635-b10a-4bde-9ffe-b0258f656a1e",
  "ActivationTime": "2019-05-10T22:00:54.195Z",
  "AppliedExceptions": [
    {
      "Id": "e669a5f7-2a6b-4860-bb83-47e90283e396",
      "Version": 1
    }
  ],
  "ArtifactsOfInterest": {
    "StateA": [
      {
        "Artifact": {
          "Type": "Process",
          "Uid": "fbDWDrQaWm1DCa8dmJkOXx=="
        },
        "Source": "Instigating Process"
      },
      {
        "Artifact": {
          "Type": "Process",
          "Uid": "56ss5cDa88ob0hTQgNOIkR=="
        },
        "Source": "Target Process"
      }
    ]
  },
  "AssociatedArtifacts": [
    {
      "Uid": "yNhcNbEDtsdCHSFqyOftjv==",
      "Name": "WindowsKernel",
      "Version": "1",
      "ArtifactType": "Sensor"
    },
    {
      "Uid": "fbDWDrQaWm1DCa8dmJkOXx==",
      "ProcessId": 7953,
      "ParentId": 2921,
      "Name": "file.exe",
      "PrimaryImage": {
        "Type": "File",
        "Uid": "yw0mERK08DXy4XCWNdoobB=="
      },
      "Owner": {
        "Type": "User",
        "Uid": "bBvAnM5K4Dtp3RSgGq3m1h=="
      },
      "CommandLine": "\"C:\\folder\\path\\file.exe\" ",
      "Description": "Some description of the file",
      "StartDateTime": "2019-05-10T18:11:23.482Z",
      "EndDateTime": "2019-05-10T18:11:23.482Z",
      "PrimaryImageFile": "",
      "PrimaryUser": "",
      "ParentUid": "",
      "Parent": {
        "Type": "Process",
        "Uid": "yNhcNbEDtsdCHSFqyOftjv=="
      },
      "ParentStartDateTime": "2019-05-10T18:11:23.482Z",
      "SessionId": -1,
      "IsBeingDebugged": false,
      "ArtifactType": "Process"
    }
  ],
  "Comment": "",
  "DetectionRule": {
    "Name": "Fileless Powershell Malware",
    "Id": "7c050000-9b99-4f05-a6e0-e598141370d5",
    "PolicyGroup": "TestRuleset",
    "Version": 1,
    "ObjectType": "DetectionRule",
    "Description": "Fileless Powershell Malware",
    "Category": "Custom"
  },
  "Detector": {
    "Name": "OpticsDetector",
    "Version": "2"
  },
  "Device": {
    "CylanceId": "e378dacb-9324-453a-b8c6-5a8406952195",
    "Name": "User-Laptop-A123",
    "IpAddresses": [
      "00-00-00-00-00-00",
      "123.45.67.89"
    ],
    "LoggedOnUsers": [
      {
        "AccountType": "Normal",
        "FullName": "",
        "Id": "",
        "User": "User-Laptop-A123\\Admin"
      }
    ]
  },
  "Name": "Fileless Powershell Malware",
  "OccurrenceTime": "2019-05-03T17:07:09.963Z",
  "Product": {
    "Name": "CylanceOPTICS",
    "Version": "2.3.2050.930"
  },
  "PhoneticId": "E669-A5F7",
  "ReceivedTime": "2019-05-03T17:07:10Z",
  "SchemaVersion": 1,
  "Severity": "High",
  "SeveritySortLevel": 4,
  "Status": "New",
  "StatusSortLevel": 1,
  "TenantId": "4b1640d2-d563-41cf-94a7-0da1dca6aa98",
  "ZoneIds": [],
  "Trace": [
    {
      "StateName": "filelesspowershellmalware",
      "Event": {
        "Uid": "gwFYUE/5tH4zlTxVsbTHrh==",
        "EventCategory": "Process",
        "Mode": "UserMode",
        "Subcategory": "",
        "Source": {
          "Type": "Sensor",
          "Uid": "sndMjFxw26PtNedf6ZGeFx=="
        },
        "OccurrenceTime": "2019-05-03T17:07:09.386Z",
        "RegistrationTime": "2019-05-03T17:07:09.386Z",
        "EventType": "Start",
        "EventDetails": {},
        "InstigatingProcess": {
          "Type": "Process",
          "Uid": "bzfq6/BcV+ilp6GcN6yhYx=="
        },
        "ProviderUid": "",
        "ProviderSequenceId": 11930,
        "Targets": [
          {
            "Type": "Process",
            "Uid": "JsDqqMyGW8++RKWPK9H8Dx=="
          }
        ],
        "GroupUid": ""
      }
    }
  ],
  "Responses": [
    {
      "Status": "New",
      "Comment": "5550-5F91",
      "TenantId": "4b1640d2-d563-41cf-94a7-0da1dca6aa98",
      "PhoneticId": "",
      "DetectionId": "98e025bd-7f39-4baa-bfab-4faa1c26f8c0",
      "OccurrenceTime": "2019-05-03T17:07:09.963Z",
      "ActionResults": {
        "additionalProp1": {
          "HandlingResponderVersion": 1,
          "HandlingResponderName": "OpticsResponder",
          "Results": [
            {
              "Status": {
                "Message": "",
                "Code": {
                  "Ordinal": 0,
                  "Reason": "The action was completed successfully",
                  "Name": "Success"
                }
              },
              "ArtifactsOfInterestType": "None"
            }
          ]
        },
        "additionalProp2": {
          "HandlingResponderVersion": 0,
          "HandlingResponderName": "",
          "Results": [
            {
              "Status": {
                "Message": "",
                "Code": {
                  "Ordinal": 0,
                  "Reason": "",
                  "Name": ""
                }
              },
              "ArtifactsOfInterestType": ""
            }
          ]
        }
      },
      "SchemaVersion": 1,
      "ReceivedTime": "2019-05-10T20:45:52Z",
      "ObjectType": "ResponseEvent"
    }
  ]
}

CylancePROTECT Threat API Response

{
  "id": "f8b32d88-59a2-4012-a8a4-5b24a5b31b8e",
  "name": "CP-AGENT-WIN7",
  "state": "OnLine",
  "agent_version": "2.1.1574",
  "policy_id": null,
  "date_found": "2021-07-01T16:04:37",
  "file_status": "Default",
  "file_path": "C:\\Program Files (x86)\\Rapid7\\Endpoint Agent\\honeyhashx86.exe",
  "ip_addresses": [
    "10.4.92.4"
  ],
  "mac_addresses": [
    "00-50-56-94-DE-A1"
  ]
}

Example of a virus infection document:

JSON
{
  "Id": "3c255e48-a619-494e-80d5-d9d28eb1332c",
  "ActivationTime": "2021-10-07T17:00:06Z",
  "AppliedExceptions": [],
  "ArtifactsOfInterest": {
    "MiniDumpWriteDump": [
      {
        "Artifact": {
          "Type": "Process",
          "Uid": "NRdxa/UEdjr8KOcMnUo3vQ=="
        },
        "Source": "Target Process"
      },
      {
        "Artifact": {
          "Type": "Process",
          "Uid": "ok0yv3HOotbSKWY5x4uLKQ=="
        },
        "Source": "Instigating Process"
      },
      {
        "Artifact": {
          "Type": "File",
          "Uid": "gt5S1OC0TBKeAcAg45x70Q=="
        },
        "Source": "Target Process Image File"
      }
    ]
  },
  "AssociatedArtifacts": [
    {
      "Uid": "W9WOsuhw+8geHEs0NcDl/A==",
      "Name": "EnhancedIntrospection",
      "Version": "1",
      "ArtifactType": "Sensor"
    },
    {
      "Uid": "ok0yv3HOotbSKWY5x4uLKQ==",
      "ProcessId": 736,
      "ParentId": 720,
      "Name": "csrss.exe",
      "PrimaryImage": {
        "Type": "File",
        "Uid": "69mnmT8yfM6rXsXM40OIZA=="
      },
      "Owner": {
        "Type": "User",
        "Uid": "ricxoJVJO0ccIpO9tuPclQ=="
      },
      "CommandLine": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16",
      "Description": "Client Server Runtime Process",
      "StartDateTime": "2021-03-21T06:36:45.697Z",
      "EndDateTime": "1970-01-01T00:00:00.000Z",
      "PrimaryImageFile": "",
      "PrimaryUser": "",
      "ParentUid": "",
      "ParentStartDateTime": "1970-01-01T00:00:00.000Z",
      "SessionId": 1,
      "IsBeingDebugged": false,
      "IsElevated": "Unknown",
      "IntegrityLevel": 0,
      "ArtifactType": "Process"
    },
    {
      "Uid": "ricxoJVJO0ccIpO9tuPclQ==",
      "Name": "SYSTEM",
      "OsAssignedId": "S-1-5-18",
      "Domain": "NT AUTHORITY",
      "Groups": "",
      "HomeDirectory": "",
      "FullName": "",
      "LogonServer": "",
      "IsAccountLocked": "Unknown",
      "IsAccountDisabled": "Unknown",
      "IsPasswordRequired": "Unknown",
      "HasPasswordExpired": "Unknown",
      "PasswordDoesNotExpire": "Unknown",
      "AccountType": "",
      "IsPasswordChangeable": "Unknown",
      "ScriptPath": "",
      "Comment": "",
      "Workstations": "",
      "FailedPasswordAttempts": -1,
      "CountryCode": -1,
      "LanguageCodePage": -1,
      "ProfilePath": "",
      "IsRoamingConfigured": "Unknown",
      "IsSpecialAccount": "Unknown",
      "IsLocalAccount": "Unknown",
      "ArtifactType": "User"
    },
    {
      "Uid": "69mnmT8yfM6rXsXM40OIZA==",
      "Path": "c:\\windows\\system32\\csrss.exe",
      "Size": 17808,
      "WritePosition": -1,
      "CreationDateTime": "2019-03-19T04:44:35.895Z",
      "LastModifiedDateTime": "2019-03-19T04:44:35.911Z",
      "Owner": {
        "Type": "User",
        "Uid": "+QbCHM+ZGbIi/E77faishA=="
      },
      "Md5Hash": "23019322FFECB179746210BE52D6DE60",
      "Sha1Hash": "",
      "Sha256Hash": "F2C7D894ABE8AC0B4C2A597CAA6B3EFE7AD2BDB4226845798D954C5AB9C9BF15",
      "IsAlternateDataStream": "False",
      "IsReadOnly": "False",
      "IsDirectory": "False",
      "IsHidden": "False",
      "IsOnRemovableDrive": "False",
      "IsDeletePending": "Unknown",
      "SuspectedFileType": "Executable/PE",
      "FileSignatureJson": "",
      "ArtifactType": "File"
    },
    {
      "Uid": "NRdxa/UEdjr8KOcMnUo3vQ==",
      "ProcessId": 6860,
      "ParentId": 2304,
      "Name": "r7service.exe",
      "PrimaryImage": {
        "Type": "File",
        "Uid": "gt5S1OC0TBKeAcAg45x70Q=="
      },
      "Owner": {
        "Type": "User",
        "Uid": "FlbwNkDZ1jXUJUlqSgZgTw=="
      },
      "CommandLine": "\"C:\\Windows\\System32\\r7service.exe\" -u",
      "Description": "",
      "StartDateTime": "2021-03-21T06:47:08.513Z",
      "EndDateTime": "2021-10-07T17:00:00.989Z",
      "PrimaryImageFile": "",
      "PrimaryUser": "",
      "ParentUid": "",
      "ParentStartDateTime": "2021-03-21T06:44:48.874Z",
      "SessionId": 1,
      "IsBeingDebugged": false,
      "IsElevated": "Unknown",
      "IntegrityLevel": 0,
      "ArtifactType": "Process"
    },
    {
      "Uid": "FlbwNkDZ1jXUJUlqSgZgTw==",
      "Name": "test",
      "OsAssignedId": "S-1-5-21-4104492477-607778023-1703461394-1001",
      "Domain": "DESKTOP-BTCMDQO",
      "Groups": "Admin",
      "HomeDirectory": "",
      "FullName": "",
      "LogonServer": "\\\\*",
      "IsAccountLocked": "False",
      "IsAccountDisabled": "False",
      "IsPasswordRequired": "False",
      "HasPasswordExpired": "False",
      "PasswordDoesNotExpire": "True",
      "AccountType": "Normal",
      "PasswordAge": "926:22:02:18",
      "IsPasswordChangeable": "Unknown",
      "ScriptPath": "",
      "Comment": "",
      "Workstations": "",
      "FailedPasswordAttempts": 0,
      "CountryCode": 0,
      "LanguageCodePage": 0,
      "ProfilePath": "\\\\*",
      "IsRoamingConfigured": "Unknown",
      "IsSpecialAccount": "Unknown",
      "IsLocalAccount": "True",
      "ArtifactType": "User"
    }
  ],
  "Comment": "",
  "DetectionRule": {
    "Name": "Win Lsass MiniDumpWriteDump Mitre T1003",
    "Id": "c076cc65-5c50-4410-abb6-7d8a46ecd560",
    "PolicyGroup": "CylanceOfficialDetectionRuleset",
    "Version": 1,
    "ObjectType": "DetectionRule",
    "Description": "Detects an executabling running with common process memory dumping function in it's import table",
    "Category": "MitreCA"
  },
  "Detector": {
    "Name": "OpticsDetector",
    "Version": "3"
  },
  "Device": {
    "CylanceId": "7ed0bd24-b089-450e-992c-20b252d7da8f",
    "Name": "DESKTOP-BTCMDQO",
    "IpAddresses": [
      "fe80::48ea:ac04:71e:be38%2",
      "172.16.228.174"
    ],
    "LoggedOnUsers": [
      {
        "AccountType": "Normal",
        "FullName": "",
        "Id": "S-1-5-21-4104492477-607778023-1703461394-1001",
        "User": "DESKTOP-BTCMDQO\\test"
      }
    ]
  },
  "Name": "Win Lsass MiniDumpWriteDump Mitre T1003",
  "ObjectType": "Detection",
  "OccurrenceTime": "2021-10-07T17:00:06Z",
  "Product": {
    "Name": "CylanceOPTICS",
    "Version": "2.5.2100.1184"
  },
  "PhoneticId": "3C25-5E48",
  "ReceivedTime": "2021-10-07T17:00:07Z",
  "SchemaVersion": 1,
  "Severity": "High",
  "SeveritySortLevel": 4,
  "Status": "New",
  "StatusSortLevel": 1,
  "TenantId": "1D2040550AE3489A898A2272DED25465",
  "ZoneIds": [
    "C829B9275AD3436AB9ED2353CDFF6273"
  ],
  "Trace": [
    {
      "StateName": "MiniDumpWriteDump",
      "Event": {
        "Uid": "hzDoJnPBU2thLZ36IChOEw==",
        "EventCategory": "Process",
        "Mode": "UserMode",
        "Subcategory": "",
        "Source": {
          "Type": "Sensor",
          "Uid": "W9WOsuhw+8geHEs0NcDl/A=="
        },
        "OccurrenceTime": "2021-10-07T17:00:00.667Z",
        "RegistrationTime": "2021-10-07T17:00:05.598Z",
        "EventType": "Terminate",
        "EventDetails": {},
        "InstigatingProcess": {
          "Type": "Process",
          "Uid": "ok0yv3HOotbSKWY5x4uLKQ=="
        },
        "ProviderUid": "",
        "ProviderSequenceId": 1858,
        "Targets": [
          {
            "Type": "Process",
            "Uid": "NRdxa/UEdjr8KOcMnUo3vQ=="
          }
        ],
        "GroupUid": ""
      }
    }
  ]
}
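The CylanceOPTICS detection documents above only reference processes and files by Uid under ArtifactsOfInterest, so anything consuming them (a custom parser, an enrichment script) has to join those references against AssociatedArtifacts to recover the process name, command line and image hash. The Python below is an added example, not Rapid7's or Cylance's own code; it runs on a constructed sample trimmed from the virus infection document, and keeps the dangling reference that document actually shows (the Target Process Image File Uid has no AssociatedArtifacts entry), recording it as unresolved instead of dropping the alert.

```python
import json

# Constructed sample, trimmed from the virus infection document on this page. As there,
# ArtifactsOfInterest carries only Uids, and the file Uid "F1" has no matching
# AssociatedArtifacts entry, so resolution has to tolerate a dangling reference.
SAMPLE = json.dumps({
    "Id": "3c255e48-a619-494e-80d5-d9d28eb1332c", "Severity": "High", "Status": "New",
    "DetectionRule": {"Name": "Win Lsass MiniDumpWriteDump Mitre T1003"},
    "Device": {"Name": "DESKTOP-BTCMDQO", "LoggedOnUsers": [{"User": "DESKTOP-BTCMDQO\\test"}]},
    "ArtifactsOfInterest": {"MiniDumpWriteDump": [
        {"Artifact": {"Type": "Process", "Uid": "P2"}, "Source": "Target Process"},
        {"Artifact": {"Type": "Process", "Uid": "P1"}, "Source": "Instigating Process"},
        {"Artifact": {"Type": "File", "Uid": "F1"}, "Source": "Target Process Image File"}]},
    "AssociatedArtifacts": [
        {"Uid": "P1", "ArtifactType": "Process", "Name": "csrss.exe", "ProcessId": 736,
         "CommandLine": "%SystemRoot%\\system32\\csrss.exe"},
        {"Uid": "P2", "ArtifactType": "Process", "Name": "r7service.exe", "ProcessId": 6860,
         "CommandLine": "\"C:\\Windows\\System32\\r7service.exe\" -u"}],
})

def normalize_detection(raw):
    """Flatten one CylanceOPTICS detection into the fields an analyst triages on."""
    d = json.loads(raw)
    # Index AssociatedArtifacts by Uid so each ArtifactsOfInterest reference resolves in O(1).
    by_uid = {a["Uid"]: a for a in d.get("AssociatedArtifacts", [])}
    alert = {
        "detection_id": d["Id"],
        "rule": d["DetectionRule"]["Name"],
        "severity": d["Severity"],
        "host": d["Device"]["Name"],
        "users": [u["User"] for u in d["Device"].get("LoggedOnUsers", [])],
        "states": list(d.get("ArtifactsOfInterest", {})),  # rule state(s) that fired
        "artifacts": {},   # keyed by the reference's Source label
        "unresolved": [],  # Uids referenced but absent from AssociatedArtifacts
    }
    for refs in d.get("ArtifactsOfInterest", {}).values():
        for ref in refs:
            uid = ref["Artifact"]["Uid"]
            art = by_uid.get(uid)
            if art is None:
                alert["unresolved"].append(uid)  # keep the alert, flag the gap
                continue
            if art["ArtifactType"] == "Process":
                alert["artifacts"][ref["Source"]] = {"name": art.get("Name"),
                    "pid": art.get("ProcessId"), "cmd": art.get("CommandLine")}
            elif art["ArtifactType"] == "File":
                alert["artifacts"][ref["Source"]] = {"path": art.get("Path"),
                    "sha256": art.get("Sha256Hash")}
    return alert
```

Feed `normalize_detection` the raw JSON strings that View Raw Log shows to check that the fields you expect to alert on (rule, host, user, instigating and target process) are actually present before relying on them in a Log Search query.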