Installation guide found here:
https://docs.blackberry.com/en/unified-endpoint-security/cylance--products/protect-application-for-splunk-admin-guide/Introduction
This integration supports both PROTECT data and OPTICS EDR data.
Note: Installation guide requires authentication to the support portal.
Final note:
1) This app should be installed on your search heads.
2a) If only using the syslog data feed: our TA (found here: https://splunkbase.splunk.com/app/3709/) should be installed on indexers and forwarders.
2b) If using the optional TDR data: our full app should be used on the heavy forwarder to enable easier configuration of TDR ingestion.
ADDITIONS
- None
REMOVALS
- None
CHANGES
- Python 3 migration
- UI tweaks and a reorganized About page
Version 1.5.6
ADDITIONS
- Added UserName to syslog_script_control dashboard
- Added Devices Offline for 3 days in syslog_device_summary dashboard - accounts for weekend
- Added access = read : [ * ], write : [ admin ] to all the optics menus in default.meta
- Added Tenant filter for Auditing dashboard
- syslog_threats dashboard now contains a pivot to VirusTotal
- New Optics DNS, WMI, PowershellTrace, Log CAE parsing and dashboard
REMOVALS
- None
CHANGES
- Changed all "All Time" panels in syslog_device_summary to last 30 days
- Changed the name of test.py to cy_test.py to conform to the Python 3 transition
FIXES
- Fixed Optics fields TargetProcessHash, TargetRegistryValueName, DestinationPort parsing based on Optics Syslog feed change
ADDITIONS
- Added Wildcard search to Auditing dashboard
- Syslog Overview -> Correlation search to add Zone information to Audit Log Threats Waived panel
- Syslog Optics parsing in props and transforms
- Syslog Optics Overview dashboard
- Syslog Optics File, Process, Memory, Network, and Registry dashboards
REMOVALS
- Syslog Overview - Submit button removed to keep consistent
- Syslog Overview - actions field from Threats - always shows unknown
- Syslog Threats - actions field from Threats - always shows unknown
FIXES
- Syslog Overview - Unique Devices query fix - added NOT "Device Names" NOT AuditLog
- Syslog Device Summary Count fix - NOT sourcetype="syslog_audit_log"
- Corrected typo in API connector usage table (api_connector)
- APP and TA - OS parsing issue
[syslog_device]: EXTRACT-OS = OS:\s(?P<OS>.*) --> EXTRACT-OS = OS:\s(?P<OS>.*)?,
- Bug in source populating search on audit dashboard changed to syslog - | tstats count where `cylance_index` AND sourcetype=syslog by source | table source
...
ADDITIONS
- Searches and Reports -> Unique Threats: Added Cylance Score
- Searches and Reports -> New Threats: Added DeviceName and Score
- Operation Center -> Syslog Device Summary: Added sort 0 to Devices Online and Devices Offline
- Added framework for APIv2 communication - dashboard and bin
REMOVALS
- N/A
CHANGES
- Decoupled the cylance_index macro from eventtypes.conf - https://answers.splunk.com/answers/354859/why-does-an-eventtype-calling-a-macro-only-fails-i.html
- This was causing issues in distributed environments
FIXES
- N/A
ADDITIONS
- macros.conf file created to specify the cylance_index macro: definition = index=protect OR index=cylance_protect
- props/transforms.conf added TRANSFORMS-devicehostname_ns = protecthostname_ns to rename host field for threat.py events
- eventtype and tag permissions set in default.meta to better expose data to Splunk ES
- Added syslog indicator correlation (tools -> Syslog Indicator Correlation)
- Added top policy and top zone to TDR device summary
- Added wildcard search to the indicator correlation dashboards
- Added top devicename w/ zonename to syslog exploits
- Added top devicename w/ zonename to syslog script control
- Added syslog threat detail dashboard (Threat Center -> Syslog Threat Detail)
- Added FilePath to Syslog Overview Top Script Control Interpreter Panel Drilldown
CHANGES
- eventtype=cylance_index now uses a macro: cylance_index
- All syslog dashboards now use the cylance_index macro to populate the Tenant dropdown
- TDR Device Summary - improved drilldown of third row
Version 1.4.6 Released 2017-10-18
ADDITIONS
- Added ZoneNames parsing to syslog_device to accommodate new tenant field
- Added ZoneNames to Overview dashboard under Script Control Panel
- Auditing dashboard panels all operate based on time range picker
- Protection Center tab added
- Syslog Threats (syslog_threats) Dashboard added under Threat Center Menu
- Syslog Exploits (syslog_exploits) Dashboard added under Protection Center Menu
- Syslog Script Control (syslog_script_control) Dashboard added under Protection Center Menu
- Syslog App Control (syslog_app_control) Dashboard added under Protection Center Menu
- Syslog Device Control (syslog_device_control) Dashboard added under Protection Center Menu
- Improved CIM compliance using Alias tagging for syslog exploits, script control, app control, and device control
- Syslog Overview Total Device
- Syslog Overview dashboard - Top Threat FileType panel drilldown now displayed in a table
-- snip --
Version 1.4.5 Released 2017-10-18
- Release notes identical to version 1.4.6 above.
Version 1.4.4
ADDITIONS
- Now officially parsing and displaying real-time syslog data
- Updated default props from index=protect to index=cylance_protect
- Updated eventtype=cylance_index to now include index=cylance_protect (backward and forward compatible)
- Replaced Tenant populating searches with faster tstats search
- Updated URL in About.html - SPL-167
- Added wildcard searches to dashboards
- Removed sdkjavascript from the app since the path was too long for Windows installations
- New dashboards:
  - Syslog Overview
  - Syslog Threats
  - Syslog Device Summary
  - Auditing
  - Indicator Correlation
  - Data Sources
    - sourcetype=syslog_audit_log:
    - sourcetype=syslog_device_control:
REMOVALS
- None
CHANGES
- Navigation menu
FIXES
- Improved backwards compatibility by converting About dashboard to not use "Convert to HTML" Splunk Libraries - SPL-155
- Date sorting fixed for First Found/Last Found in New Threats - Last 30 days panel - SPL-166
- local.meta and props
--snip--
Version 1.4.3
- Release notes identical to version 1.4.4 above.
Version 1.4.2 Released 2017-07-05
ADDITIONS
- Now officially parsing and displaying real-time syslog data
- Updated default props from index=protect to index=cylance_protect
- Updated eventtype=cylance_index to now include index=cylance_protect (backward and forward compatible)
- Replaced Tenant populating searches with faster tstats search
- Updated URL in About.html - SPL-167
- Added wildcard searches to dashboards
- Removed sdkjavascript from the app since the path was too long for Windows installations
- New dashboards:
  - Syslog Overview
  - Syslog Threats
  - Syslog Device Summary
  - Auditing
  - Indicator Correlation
  - Data Sources
    - sourcetype=syslog_audit_log:
    - sourcetype=syslog_device_control:
REMOVALS
- None
CHANGES
- Navigation menu
FIXES
- Improved backwards compatibility by converting About dashboard to not use "Convert to HTML" Splunk Libraries - SPL-155
- Date sorting fixed for First Found/Last Found in New Threats - Last 30 days panel - SPL-166
--snip--
Note: before deleting a tenant, read the information on the ConfigureTenants page - the 'can_delete' role needs to be configured.
Version 1.4.1 Released 2017-01-13
FIXES
- Prefix tenant entries with tag in conf file (used for internal distinction made between tenant and non-tenant entries) [#156]