# Cylance PROTECT

## About
BlackBerry® Protect is an artificial intelligence (AI) based endpoint protection platform (EPP) that prevents breaches and provides added controls for safeguarding against sophisticated cyberthreats—no human intervention, Internet connections, signature files, heuristics or sandboxes required.
## Product Details
Vendor URL: Cylance PROTECT
Product Type: AV
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Cylance PROTECT - Cyderes Documentation
Log Guide: Sample Logs by Log Type
## Parser Details
Log Format: Syslog
Expected Normalization Rate: near 100%
Data Label: CYLANCE_PROTECT
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
Agent Version | principal.asset.attribute.labels |
Destination IP | target.ip |
Destination Port | target.port |
Device Id | principal.asset_id |
Device Name | principal.hostname |
Device Names | principal.hostname |
EventName | metadata.description |
EventType | metadata.product_event_type |
EventType | security_result.summary |
External Device Name | target.resource.name |
External Device Product ID | target.resource.id |
External Device Type | target.resource.type |
File Name | target.process.file.full_path |
Instigating Process Name | principal.process.file.full_path |
Instigating Process ImageFileSha256 | principal.process.file.sha256 |
Instigating Process Owner | principal.user.userid |
Interpreter | target.process.parent_pid |
Interpreter Version | about.labels |
IP Address | principal.ip |
Kernel Version | principal.platform_patch_level |
MD5 | target.process.file.md5 |
OS | principal.platform_version |
Path | target.process.file.full_path |
Policy Name | security_result.rule_name |
Process ID | target.process.parent_pid |
Process Name | target.process.file.full_path |
Product | metadata.vendor_name |
Resolved Address | event.idm.read_only_target.ip |
ServerAddress | intermediary.hostname |
ServerAddress | target.hostname |
Severity | security_result.severity |
SHA256 | target.process.file.sha256 |
Source IP | principal.ip |
Target Process ImageFileSha256 | target.process.file.sha256 |
Target Process Name | target.process.file.full_path |
Target Process Owner | target.user.userid |
Target Registry KeyPath | target.registry.registry_key |
Target Registry ValueName | target.registry.registry_value_name |
Threat Classification | security_result.summary |
User | principal.user.userid |
User Name | principal.user.userid |
Violation Type | security_result.summary |
Zone Name | intermediary.administrative_domain |
Zone Names | intermediary.administrative_domain |
## Product Event Types

Event | UDM Event Classification | Security Category | Alerting Enabled |
---|---|---|---|
AuditLog | GENERIC_EVENT | | |
Device | STATUS_HEARTBEAT | | |
DeviceControl | STATUS_UNCATEGORIZED | | |
ExploitAttempt | PROCESS_LAUNCH | POLICY_VIOLATION | |
LoginSuccess | USER_UNCATEGORIZED | | |
OpticsCaeDnsEvent | GENERIC_EVENT | | |
OpticsCaeNetworkEvent | GENERIC_EVENT | | |
OpticsCaeProcessEvent | GENERIC_EVENT | | |
OpticsCaeRegistryEvent | GENERIC_EVENT | | |
ScriptControl | PROCESS_LAUNCH | POLICY_VIOLATION | |
Threat | PROCESS_LAUNCH | POLICY_VIOLATION | |
threat_found | PROCESS_LAUNCH | POLICY_VIOLATION | TRUE |
threat_quarantined | PROCESS_LAUNCH | POLICY_VIOLATION | TRUE |
## Log Sample

```
399 <41>1 2021-07-30T13:01:22.432000Z sysloghost CylancePROTECT - - - Event Type: Device, Event Name: SystemSecurity, Device Name: hostname1, Agent Version: 2.1.1574.39, IP Address: (10.10.10.10), MAC Address: (ffffffffffff), Logged On Users: (devices\user1), OS: Microsoft Windows 10 Enterprise 2016 LTSB x64 10.0.14393, Kernel Version: 10.0.14393, Zone Names: (SERVERS)
```
## Sample Parsing

```
metadata.event_timestamp = "2021-07-30T13:01:22.432Z"
metadata.event_type = "STATUS_HEARTBEAT"
metadata.vendor_name = "Cylance"
metadata.product_name = "PROTECT"
metadata.product_event_type = "Device"
metadata.description = "SystemSecurity"
metadata.ingested_timestamp = "2021-07-30T13:03:21.038042Z"
principal.hostname = "hostname1"
principal.platform_version = "Microsoft Windows 10 Enterprise 2016 LTSB x64 10.0.14393"
principal.platform_patch_level = "10.0.14393"
principal.asset.attribute.labels.key = "Agent Version"
principal.asset.attribute.labels.value = "2.1.1574.39"
intermediary.administrative_domain = "(SERVERS)"
```
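As an added worked example (not the Cyderes parser and not Cylance code), the following Python script normalises the Log Sample above into the UDM fields shown in the Sample Parsing, using the field mapping from the UDM Fields table and the event classification and alerting flags from the Product Event Types table. Everything not taken from those tables is an assumption of this example: the function names, the second (constructed) `threat_found` line used to show the alerting path, the stripping of the parentheses Cylance places around list values so that `IP Address` can populate `principal.ip`, and the use of `security_result.category` to carry the Security Category column. `metadata.ingested_timestamp` is left out because it is stamped at ingestion rather than derived from the log line.

```python
# Added example (not the Cyderes parser): normalise Cylance PROTECT syslog into UDM. Mappings come
# from this page's two tables; names, parenthesised-value handling and security_result.category are assumptions.
import ipaddress
import re
from datetime import datetime

# Constructed sample, copied from the Log Sample section of this page.
SAMPLE_DEVICE_LOG = (
    "399 <41>1 2021-07-30T13:01:22.432000Z sysloghost CylancePROTECT - - - "
    "Event Type: Device, Event Name: SystemSecurity, Device Name: hostname1, "
    "Agent Version: 2.1.1574.39, IP Address: (10.10.10.10), MAC Address: (ffffffffffff), "
    "Logged On Users: (devices\\user1), OS: Microsoft Windows 10 Enterprise 2016 LTSB x64 10.0.14393, "
    "Kernel Version: 10.0.14393, Zone Names: (SERVERS)"
)
# Constructed threat line with hypothetical values, used only to show the alerting path.
SAMPLE_THREAT_LOG = (
    "<41>1 2021-07-30T13:05:00.000000Z sysloghost CylancePROTECT - - - Event Type: threat_found, "
    "Event Name: Threat Found, Device Name: hostname2, File Name: C:\\Temp\\sample.exe, Policy Name: Default"
)

# Subset of the "UDM Fields" table used by these samples (log field -> UDM field).
FIELD_MAP = {
    "Event Type": "metadata.product_event_type", "Event Name": "metadata.description",
    "Device Name": "principal.hostname", "OS": "principal.platform_version",
    "Kernel Version": "principal.platform_patch_level", "Zone Names": "intermediary.administrative_domain",
    "IP Address": "principal.ip", "Destination IP": "target.ip", "File Name": "target.process.file.full_path",
    "SHA256": "target.process.file.sha256", "Policy Name": "security_result.rule_name",
}
IP_FIELDS = {"principal.ip", "target.ip"}

# "Product Event Types" table: product event type -> (UDM event type, security category, alerting).
_PV = ("PROCESS_LAUNCH", "POLICY_VIOLATION")
EVENT_TYPES = {
    "Device": ("STATUS_HEARTBEAT", None, False),
    "DeviceControl": ("STATUS_UNCATEGORIZED", None, False),
    "LoginSuccess": ("USER_UNCATEGORIZED", None, False),
    "ExploitAttempt": _PV + (False,), "ScriptControl": _PV + (False,), "Threat": _PV + (False,),
    "threat_found": _PV + (True,), "threat_quarantined": _PV + (True,),
}
for _name in ("AuditLog", "OpticsCaeDnsEvent", "OpticsCaeNetworkEvent",
              "OpticsCaeProcessEvent", "OpticsCaeRegistryEvent"):
    EVENT_TYPES[_name] = ("GENERIC_EVENT", None, False)

HEADER_RE = re.compile(  # RFC 5424 header, optionally preceded by an RFC 6587 octet-count frame ("399 ")
    r"^(?:\d+ )?<(?P<pri>\d+)>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$"
)
# Split the message at ", " only where a "Key: " label follows, so commas inside
# parenthesised list values such as "(devices\user1, devices\user2)" stay intact.
FIELD_SPLIT_RE = re.compile(r", (?=[A-Za-z][\w ]*?: )")

def parse_message(msg: str) -> dict:
    """Turn 'Key: Value, Key: Value' into a dict of raw log fields."""
    fields = {}
    for part in FIELD_SPLIT_RE.split(msg):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def _ip_list(value: str) -> list:
    # Cylance parenthesises list values; a UDM ip field rejects "(10.10.10.10)", so strip the
    # wrapper and keep only items that parse as addresses (assumption of this example).
    out = []
    for item in value.strip("()").split(","):
        try:
            out.append(str(ipaddress.ip_address(item.strip())))
        except ValueError:
            pass  # not an address: dropped rather than failing the whole event
    return out

def to_udm(line: str) -> dict:
    """Normalise one Cylance PROTECT syslog line into flat UDM key/value pairs."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    udm = {"metadata.event_timestamp": ts.isoformat(timespec="milliseconds") + "Z",
           "metadata.vendor_name": "Cylance", "metadata.product_name": "PROTECT"}
    raw = parse_message(m["msg"])
    for key, value in raw.items():
        target = FIELD_MAP.get(key)
        if target:  # fields absent from the mapping table (e.g. MAC Address) are dropped
            udm[target] = _ip_list(value) if target in IP_FIELDS else value
    if "Agent Version" in raw:  # carried as a key/value asset label, as in Sample Parsing
        udm["principal.asset.attribute.labels.key"] = "Agent Version"
        udm["principal.asset.attribute.labels.value"] = raw["Agent Version"]
    event_type, category, _ = EVENT_TYPES.get(raw.get("Event Type"), ("GENERIC_EVENT", None, False))
    udm["metadata.event_type"] = event_type
    if category:
        udm["security_result.category"] = category  # field name assumed by this example
    return udm

def should_alert(udm: dict) -> bool:
    """True when the Product Event Types table marks the event 'alerting enabled'."""
    return EVENT_TYPES.get(udm.get("metadata.product_event_type"), (None, None, False))[2]

if __name__ == "__main__":
    for line in (SAMPLE_DEVICE_LOG, SAMPLE_THREAT_LOG):
        event = to_udm(line)
        print(*(f"{k} = {v!r}" for k, v in event.items()), f"alerting enabled: {should_alert(event)}\n", sep="\n")
```

Running the script prints the Device sample in the same `field = "value"` form as the Sample Parsing above, followed by the constructed `threat_found` line, which is the only one of the two that the alerting column marks. Note that the parenthesised list form reaches `intermediary.administrative_domain` unchanged (`"(SERVERS)"` in the Sample Parsing), so a detection rule keyed on zone name has to match the wrapped value or strip the parentheses at search time.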
## Parser Alerting

Alerting criteria are listed in the Product Event Types table above: only the event types marked as alerting enabled (threat_found and threat_quarantined) generate alerts.