
Downloading CylancePROTECT App for Splunk
SHA256 checksums of the downloadable packages:
- cylanceprotect-app-for-splunk_160.tgz: 6cba80219a5f752d14ae2a05b625129f66439d08bca4fdbf2701a4900c7b80a1
- cylanceprotect-app-for-splunk_156.tgz: 04aba0f21424bb747e9d30a837d1cc1a5ff9ec3b72f995a2418ea13c00eabe36
- cylanceprotect-app-for-splunk_154.tgz: 9c759a1bc9f276a7d61b9712a1422e9f923f1679952d98125cbfc5993647dcf6
- cylanceprotect-app-for-splunk_150.tgz: 5a6e7d344d5c85bc0c74f937cbce1a40c4f2e2f945d872dda20cf9823f2e3d8f
- cylanceprotect-app-for-splunk_149.tgz: e2d95f0ed5ef6d87338538d8301fd1fca644b59e1eab5071a3c886176b45a97e
- cylanceprotect-app-for-splunk_148.tgz: 9cb167ce2f1e6c567296ab36122b90e6989d4350afdccabe3e6524a85ffad90c
- cylanceprotect-app-for-splunk_147.tgz: 631318576e7102bdfa249849983e94d8dae48fae9ab0d490fc82bdf83c1f7e99
- cylanceprotect-app-for-splunk_146.tgz: 90fbc7e887b696cedc6e3b5fadaf8f9af4352c9ff708051e7af96896914d6f6c
- cylanceprotect-app-for-splunk_145.tgz: 6bf4dcbbc17bd916d2d8b009b8e78d8db63e909360b906f11d75c334fce41fcb
- cylanceprotect-app-for-splunk_144.tgz: 99dd327c223af7a937e0faaa3d24411bc848fb5e8aa83f65440a7a62a970259a
- cylanceprotect-app-for-splunk_143.tgz: c7b6f1fc0fd0e57e21687eb41461a8d090da2f8a034b5882542924ac66977b24
- cylanceprotect-app-for-splunk_142.tgz: 9d80758fd830d55155df0de362f537ab5bcbfce51743713c1124f0b54a61e93e
- cylanceprotect-app-for-splunk_141.tgz: b3d7ad83176b4411bb7b3ccba2584e2c741179cc441190ecaa95fc7a48a88dcb
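The published checksums are only useful if you actually compare them against the package you downloaded before installing it on a search head or heavy forwarder. The script below is an added example, not Splunk's or BlackBerry's code: it embeds the two newest hashes from the list above (the older packages can be added to the same table from the list), computes the SHA256 of a local file with whichever tool the host provides, and refuses the package on a mismatch. The function names (`verify_download`, `verify_package`, `file_sha256`, `expected_sha256`) are this example's own.

```shell
#!/bin/sh
# Verify a downloaded Splunkbase package against the SHA256 published on its download page.
# Added example (not part of the app or of Splunkbase); the expected hashes are copied from the
# page's checksum list, the verification logic is this example's own.

# expected_sha256 <filename>: print the published SHA256 for a known package name, or fail.
# Only the two newest packages from the page are listed here; extend from the list above as needed.
expected_sha256() {
  case "$1" in
    cylanceprotect-app-for-splunk_160.tgz) echo 6cba80219a5f752d14ae2a05b625129f66439d08bca4fdbf2701a4900c7b80a1 ;;
    cylanceprotect-app-for-splunk_156.tgz) echo 04aba0f21424bb747e9d30a837d1cc1a5ff9ec3b72f995a2418ea13c00eabe36 ;;
    *) return 1 ;;
  esac
}

# file_sha256 <path>: print the hex SHA256 of a file. Uses sha256sum (GNU coreutils) when
# present and falls back to shasum (macOS/BSD) otherwise, so it runs on a forwarder host or a laptop.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_package <path> <expected-hex>: succeed (0) only if the file's digest equals the expected
# value; the comparison is case-insensitive because pages sometimes publish upper-case hex.
verify_package() {
  actual=$(file_sha256 "$1") || return 1
  [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# verify_download <path>: look the package up by its file name in the published table and verify it.
# Exit codes: 0 match, 1 mismatch (do not install), 2 no published checksum for that name.
verify_download() {
  name=$(basename "$1")
  exp=$(expected_sha256 "$name") || { echo "no published checksum for $name" >&2; return 2; }
  if verify_package "$1" "$exp"; then
    echo "OK: $name matches the published SHA256"
  else
    echo "FAIL: $name does not match the published SHA256; do not install it" >&2
    return 1
  fi
}

# Typical use once the package has been downloaded:
#   verify_download ~/Downloads/cylanceprotect-app-for-splunk_160.tgz
```

Run it before `splunk install app`, and treat a FAIL as a reason to re-download over a trusted channel rather than something to override; the hash list on the download page is the only integrity reference Splunkbase provides for this archived app.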

CylancePROTECT App for Splunk

This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for you here.
The Cylance PROTECT Application for Splunk enables security professionals and administrators to monitor for high-risk threats in their organization by driving custom searches, reports, and alerts from Cylance PROTECT and OPTICS EDR data. It lets users monitor, track, and analyze threat data and activity across their environment using pre-set dashboard views and reports for Threat and Device Management. The dashboards, reports, and searches can be further customized and provide drill-down capability for all data, so users can perform in-depth analysis and investigation. The application can be configured with Cylance PROTECT and OPTICS Syslog and/or the Cylance Threat Data Report (TDR).


Read the details tab on where to place the app and TA:
- Matching TA (for Indexers and Forwarders) found here: https://splunkbase.splunk.com/app/3709/

Installation guide found here:
https://docs.blackberry.com/en/unified-endpoint-security/cylance--products/protect-application-for-splunk-admin-guide/Introduction

This integration supports both PROTECT data and OPTICS EDR data.

Note: Installation guide requires authentication to the support portal.

Final note:
1) This app should be installed on your search heads

If only using syslog data feed:
2) Our TA (Found here: https://splunkbase.splunk.com/app/3709/) should be installed on indexers and forwarders

If using optional TDR data:
2) Our full app should be used on the heavy forwarder to enable easier configuration of TDR ingestion

Release Notes

Version 1.6.0
April 5, 2021

ADDITIONS
- None

REMOVALS
- None

CHANGES
- Python 3 migration
- UI tweaks and a reorganized About page

Version 1.5.6
April 3, 2020


ADDITIONS
- Added UserName to syslog_script_control dashboard
- Added Devices Offline for 3 days in syslog_device_summary dashboard - accounts for weekend
- Added access = read : [ * ], write : [ admin ] to all the optics menus in default.meta
- Added Tenant filter for Auditing dashboard
- syslog_threats dashboard now contains a pivot to VirusTotal
- New Optics DNS, WMI, PowershellTrace, Log CAE parsing and dashboard

REMOVALS
- None

CHANGES
- Changed all "All Time" panels in syslog_device_summary to last 30 days
- Changed the name of test.py to cy_test.py to conform to the Python 3 transition

FIXES
- Fixed Optics fields TargetProcessHash, TargetRegistryValueName, DestinationPort parsing based on Optics Syslog feed change

Version 1.5.4
April 23, 2019

ADDITIONS
- Added Wildcard search to Auditing dashboard
- Syslog Overview -> Correlation search to add Zone information to Audit Log Threats Waived panel
- Syslog Optics parsing in props and transforms
- Syslog Optics Overview dashboard
- Syslog Optics File, Process, Memory, Network, and Registry dashboards

REMOVALS
- Syslog Overview - Submit button removed to keep consistent
- Syslog Overview - actions field from Threats - always shows unknown
- Syslog Threats - actions field from Threats - always shows unknown

FIXES
- Syslog Overview - Unique Devices query fix - added NOT "Device Names" NOT AuditLog
- Syslog Device Summary Count fix - NOT sourcetype="syslog_audit_log"
- Corrected typo in API connector usage table (api_connector)
- APP and TA - OS parsing issue
[syslog_device]: EXTRACT-OS = OS:\s(?P<OS>.) --> EXTRACT-OS=OS:\s(?P<OS>.)?,
- Bug in source populating search on audit dashboard changed to syslog - | tstats count where cylance_index AND sourcetype=syslog by source | table source
...

Version 1.5.0
June 5, 2018

ADDITIONS
- Searches and Reports -> Unique Threats: Added Cylance Score
- Searches and Reports -> New Threats: Added DeviceName and Score
- Operation Center -> Syslog Device Summary: Added sort 0 to Devices Online and Devices Offline
- Added framework for APIv2 communication - dashboard and bin

REMOVALS
- N/A

CHANGES
- Decoupled the cylance_index macro from eventtypes.conf - https://answers.splunk.com/answers/354859/why-does-an-eventtype-calling-a-macro-only-fails-i.html
- This was causing issues in distributed environments

FIXES
- N/A

Version 1.4.9
March 23, 2018

ADDITIONS
- Searches and Reports -> Unique Threats: Added Cylance Score
- Searches and Reports -> New Threats: Added DeviceName and Score
- Operation Center -> Syslog Device Summary: Added sort 0 to Devices Online and Devices Offline
- Added framework for APIv2 communication - dashboard and bin

REMOVALS
- N/A

CHANGES
- Decoupled the cylance_index macro from eventtypes.conf - https://answers.splunk.com/answers/354859/why-does-an-eventtype-calling-a-macro-only-fails-i.html
- This was causing issues in distributed environments

FIXES
- N/A

Version 1.4.8
March 22, 2018

ADDITIONS
- Searches and Reports -> Unique Threats: Added Cylance Score
- Searches and Reports -> New Threats: Added DeviceName and Score
- Operation Center -> Syslog Device Summary: Added sort 0 to Devices Online and Devices Offline
- Added framework for APIv2 communication - dashboard and bin

REMOVALS
- None

CHANGES
- Decoupled the cylance_index macro from eventtypes.conf - https://answers.splunk.com/answers/354859/why-does-an-eventtype-calling-a-macro-only-fails-i.html
- This was causing issues in distributed environments

FIXES
- None

Version 1.4.7
Jan. 18, 2018

ADDITIONS
- macros.conf file created to specify the cylance_index: definition = index=protect OR index=cylance_protect
- props/transforms.conf added TRANSFORMS-devicehostname_ns = protecthostname_ns to rename host field for threat.py events
- eventtype and tag permissions set in default.meta to better expose data to Splunk ES
- Added syslog indicator correlation (tools -> Syslog Indicator Correlation)
- Added top policy and top zone to TDR device summary
- Added wildcard search to the indicator correlation dashboards
- Added top devicename w/ zonename to syslog exploits
- Added top devicename w/ zonename to syslog script control
- Added syslog threat detail dashboard (Threat Center -> Syslog Threat Detail)
- Added FilePath to Syslog Overview Top Script Control Interpreter Panel Drilldown

CHANGES
- eventtype=cylance_index now uses a macro: cylance_index
- All syslog dashboards now use the cylance_index macro to populate the Tenant dropdown
- TDR Device Summary - improved drilldown of third row

Version 1.4.6
Oct. 18, 2017


ADDITIONS
- Added ZoneNames parsing to syslog_device to accommodate new tenant field
- Added ZoneNames to Overview dashboard under Script Control Panel
- Auditing dashboard panels all operate based on time range picker
- Protection Center tab added
- Syslog Threats (syslog_threats) Dashboard added under Threat Center Menu
- Syslog Exploits (syslog_exploits) Dashboard added under Protection Center Menu
- Syslog Script Control (syslog_script_control) Dashboard added under Protection Center Menu
- Syslog App Control (syslog_app_control) Dashboard added under Protection Center Menu
- Syslog Device Control (syslog_device_control) Dashboard added under Protection Center Menu
- Improved CIM compliance using Alias tagging for syslog exploits, script control, app control, and device control
- Syslog Overview Total Device
- Syslog Overview dashboard - Top Threat FileType panel drilldown now displayed in a table
-- snip --

Version 1.4.5
Oct. 18, 2017


ADDITIONS
- Added ZoneNames parsing to syslog_device to accommodate new tenant field
- Added ZoneNames to Overview dashboard under Script Control Panel
- Auditing dashboard panels all operate based on time range picker
- Protection Center tab added
- Syslog Threats (syslog_threats) Dashboard added under Threat Center Menu
- Syslog Exploits (syslog_exploits) Dashboard added under Protection Center Menu
- Syslog Script Control (syslog_script_control) Dashboard added under Protection Center Menu
- Syslog App Control (syslog_app_control) Dashboard added under Protection Center Menu
- Syslog Device Control (syslog_device_control) Dashboard added under Protection Center Menu
- Improved CIM compliance using Alias tagging for syslog exploits, script control, app control, and device control
- Syslog Overview Total Device
- Syslog Overview dashboard - Top Threat FileType panel drilldown now displayed in a table
-- snip --

Version 1.4.4
July 13, 2017


ADDITIONS
- Now officially parsing and displaying real-time syslog data
- Updated default props from index=protect to index=cylance_protect
- Updated eventtype=cylance_index to now include index=cylance_protect (backward and forward compatible)
- Replaced Tenant populating searches with faster tstats search
- Updated URL in About.html - SPL-167
- Added wildcard searches to dashboards
- Removed sdkjavascript from the app since the path was too long for Windows installations
- New dashboards:
- Syslog Overview
- Syslog Threats
- Syslog Device Summary
- Auditing
- Indicator Correlation
- Data Sources
- sourcetype=syslog_audit_log:
- sourcetype=syslog_device_control:

REMOVALS
- None

CHANGES
- Navigation menu

FIXES:
- Improved backwards compatibility by converting About dashboard to not use "Convert to HTML" Splunk Libraries - SPL-155
- Date sorting fixed for First Found/Last Found in New Threats - Last 30 days panel - SPL-166
- local.meta and props
--snip--

Version 1.4.3
July 11, 2017


ADDITIONS
- Now officially parsing and displaying real-time syslog data
- Updated default props from index=protect to index=cylance_protect
- Updated eventtype=cylance_index to now include index=cylance_protect (backward and forward compatible)
- Replaced Tenant populating searches with faster tstats search
- Updated URL in About.html - SPL-167
- Added wildcard searches to dashboards
- Removed sdkjavascript from the app since the path was too long for Windows installations
- New dashboards:
- Syslog Overview
- Syslog Threats
- Syslog Device Summary
- Auditing
- Indicator Correlation
- Data Sources
- sourcetype=syslog_audit_log:
- sourcetype=syslog_device_control:

REMOVALS
- None

CHANGES
- Navigation menu

FIXES:
- Improved backwards compatibility by converting About dashboard to not use "Convert to HTML" Splunk Libraries - SPL-155
- Date sorting fixed for First Found/Last Found in New Threats - Last 30 days panel - SPL-166
- local.meta and props
--snip--

Version 1.4.2
July 10, 2017

Version 1.4.2 Released 2017-07-05

ADDITIONS
- Now officially parsing and displaying real-time syslog data
- Updated default props from index=protect to index=cylance_protect
- Updated eventtype=cylance_index to now include index=cylance_protect (backward and forward compatible)
- Replaced Tenant populating searches with faster tstats search
- Updated URL in About.html - SPL-167
- Added wildcard searches to dashboards
- Removed sdkjavascript from the app since the path was too long for Windows installations
- New dashboards:
- Syslog Overview
- Syslog Threats
- Syslog Device Summary
- Auditing
- Indicator Correlation
- Data Sources
- sourcetype=syslog_audit_log:
- sourcetype=syslog_device_control:

REMOVALS
- None

CHANGES
- Navigation menu

FIXES:
- Improved backwards compatibility by converting About dashboard to not use "Convert to HTML" Splunk Libraries - SPL-155
- Date sorting fixed for First Found/Last Found in New Threats - Last 30 days panel - SPL-166
--snip--

Version 1.4.1
Jan. 13, 2017

CylancePROTECT App for Splunk - Release Notes

Note: before deleting a tenant, read the information on the ConfigureTenants page - the 'can_delete' role needs to be configured.



ADDITIONS

REMOVALS

CHANGES

FIXES
- Prefix tenant entries with tag in conf file (used for internal distinction made between tenant and non-tenant entries) [#156]

