Skip to content

Cylance PROTECT

Cylance PROTECT

About

BlackBerry® Protect is an artificial intelligence (AI) based endpoint protection platform (EPP) that prevents breaches and provides added controls for safeguarding against sophisticated cyberthreats—no human intervention, Internet connections, signature files, heuristics or sandboxes required.

Product Details

Vendor URL: Cylance PROTECT

Product Type: AV

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Cylance PROTECT - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: Syslog

Expected Normalization Rate: near 100%

Data Label: CYLANCE_PROTECT

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
Agent Version principal.asset.attribute.labels
Destination IP target.ip
Destination Port target.port
Device Id principal.asset_id
Device Name principal.hostname
Device Name principal.hostname
Device Names principal.hostname
EventName metadata.description
EventType metadata.product_event_type
EventType security_result.summary
External Device Name target.resource.name
External Device Product ID target.resource.id
External Device Type target.resource.type
File Name target.process.file.full_path
Insitgating Process Name principal.process.file.full_path
Instigating Process ImageFileSha256 principal.process.file.sha256
Instigating Process Owner principal.user.userid
Interpreter target.process.parent_pid
Interpreter Version about.labels
IP Address principal.ip
Kernel Version principal.platform_patch_level
MD5 target.process.file.md5
OS principal.platform_version
Path target.process.file.full_path
Policy Name security_result.rule_name
Process ID target.process.parent_pid
Process Name target.process.file.full_path
Product metadata.vendor_name
Resolved Address event.idm.read_only_target.ip
ServerAddress intermediary.hostname
ServerAddress target.hostname
Severity security_result.severity
SHA256 target.process.file.sha256
Source IP principal.ip
Target Process ImageFileSha256 target.process.file.sha256
Target Process Name target.process.file.full_path
Target Process Owner target.user.userid
Target Registry KeyPath target.registry.registry_key
Target Registry ValueName target.registry.registry_value_name
Threat Classification security_result.summary
User principal.user.userid
User Name principal.user.userid
Violation Type security_result.summary
Zone Name intermediary.administrative_domain
Zone Names intermediary.administrative_domain

Product Event Types

Event UDM Event Classification Security Category alerting enabled
AuditLog GENERIC_EVENT
Device STATUS_HEARTBEAT
DeviceControl STATUS_UNCATEGORIZED
ExploitAttempt PROCESS_LAUNCH POLICY_VIOLATION
LoginSuccess USER_UNCATEGORIZED
OpticsCaeDnsEvent GENERIC_EVENT
OpticsCaeNetworkEvent GENERIC_EVENT
OpticsCaeProcessEvent GENERIC_EVENT
OpticsCaeRegistryEvent GENERIC_EVENT
ScriptControl PROCESS_LAUNCH POLICY_VIOLATION
Threat PROCESS_LAUNCH POLICY_VIOLATION
threat_found PROCESS_LAUNCH POLICY_VIOLATION TRUE
threat_quarantined PROCESS_LAUNCH POLICY_VIOLATION TRUE

Log Sample

399 <41>1 2021-07-30T13:01:22.432000Z sysloghost CylancePROTECT - - - Event Type: Device, Event Name: SystemSecurity, Device Name: hostname1, Agent Version: 2.1.1574.39, IP Address: (10.10.10.10), MAC Address: (ffffffffffff), Logged On Users: (devices\user1), OS: Microsoft Windows 10 Enterprise 2016 LTSB x64 10.0.14393, Kernel Version: 10.0.14393, Zone Names: (SERVERS)

Sample Parsing

metadata.event_timestamp = "2021-07-30T13:01:22.432Z"
metadata.event_type = "STATUS_HEARTBEAT"
metadata.vendor_name = "Cylance"
metadata.product_name = "PROTECT"
metadata.product_event_type = "Device"
metadata.description = "SystemSecurity"
metadata.ingested_timestamp = "2021-07-30T13:03:21.038042Z"
principal.hostname = "hostname1"
principal.platform_version = "Microsoft Windows 10 Enterprise 2016 LTSB x64 10.0.14393"
principal.platform_patch_level = "10.0.14393"
principal.asset.attribute.labels.key = "Agent Version"
principal.asset.attribute.labels.value = "2.1.1574.39"
intermediary.administrative_domain = "(SERVERS)"

Parser Alerting

Alerting criteria is listed in the Product Event Types table above.