elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

Cylance Protect #1235

Open jamiehynds opened 3 years ago

jamiehynds commented 3 years ago

Description

Acquired by BlackBerry, Cylance is an AI-driven endpoint detection and response (EDR) platform that allows companies to intelligently strengthen, automate, and streamline their overall endpoint security efforts 24/7/365. Able to catch and mitigate highly advanced security threats as they emerge in real-time, Cylance’s EDR capabilities allow security teams to keep critical company assets protected from modern cyber attacks with virtually no impact on endpoint performance.

This integration will replace our current experimental Cylance integration.

Architecture

Syslog is supported, with an integration guide available here.

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency when creating or updating a Package, Module or Dataset for an Integration.

All changes

New Package

Dashboards changes

Log dataset changes

elasticmachine commented 3 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

nugroho-exp commented 3 years ago

Is there any plan on this new Cylance integration to support CylanceOPTICS?

We would like to create alerting based on the CylanceOPTICS detection, but the integration does not support it.

We tried the current Cylance integration, but it only supports Cylance Protect event types. For Cylance Optics we get dissect_parsing_error in the tags and no information is parsed.

Here is an example of an original event log from CylanceOPTICS:

746 <44>1 2021-08-26T09:06:07.894000Z sysloghost CylanceOPTICS - - - Event Type: OpticsCaeProcessEvent, Event Name: OpticsCaeProcessEvent, Device Name: --REMOVED-- , Zone Names: (Optics3 Agent Update), Event Id: --REMOVED-- , Severity: Medium, Description: RegSvcs RegAsm Bypass (MITRE), Instigating Process Name: powershell.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: --REMOVED--, Target Process Name: csc.exe, Target Process Owner: NT AUTHORITY//SYSTEM, Target Process ImageFileSha256: --REMOVED--, Device Id: --REMOVED--

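As an added example (not code from this issue or from the Elastic integration), a small Python parser for the CylanceOPTICS syslog event shown above: it separates the RFC 5424 header from the Cylance "Key: Value, Key: Value" body and parses the body generically rather than with a fixed dissect pattern, so an Optics event whose field set differs from a Protect event still yields fields instead of a dissect_parsing_error, and then maps a few of them onto ECS names. The ECS mapping (Instigating Process as process.parent, Target Process as process) and the numeric severity scale are assumptions.

```python
import re
# Constructed sample: the CylanceOPTICS event quoted in this issue, with its octet-count
# prefix ("746 ") and RFC 5424 header intact; "--REMOVED--" are the reporter's redactions.
SAMPLE = (
    "746 <44>1 2021-08-26T09:06:07.894000Z sysloghost CylanceOPTICS - - - "
    "Event Type: OpticsCaeProcessEvent, Event Name: OpticsCaeProcessEvent, "
    "Device Name: --REMOVED-- , Zone Names: (Optics3 Agent Update), Event Id: --REMOVED-- , "
    "Severity: Medium, Description: RegSvcs RegAsm Bypass (MITRE), "
    "Instigating Process Name: powershell.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, "
    "Instigating Process ImageFileSha256: --REMOVED--, Target Process Name: csc.exe, "
    "Target Process Owner: NT AUTHORITY//SYSTEM, Target Process ImageFileSha256: --REMOVED--, "
    "Device Id: --REMOVED--")

# RFC 5424 layout: [octet count] <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG
HEADER = re.compile(
    r"^(?:\d+ )?<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$")

# Split the body only where the next "Key: " begins, so commas inside a value survive.
PAIR_SPLIT = re.compile(r", (?=[A-Za-z][A-Za-z0-9 ]*: )")

def parse_event(line):
    """Return (syslog header dict, Cylance key/value dict) for one event line.
    Any set of keys is accepted, so Protect and Optics event types parse the same way."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    hdr = m.groupdict()
    fields = {}
    for pair in PAIR_SPLIT.split(hdr.pop("msg")):
        key, sep, value = pair.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return hdr, fields

SEVERITY = {"Low": 1, "Medium": 2, "High": 3}  # assumed ordinal scale, not Cylance's own

def to_ecs(line):
    """Map an Optics process event onto ECS-style names (assumed mapping, see lead-in)."""
    hdr, f = parse_event(line)
    return {
        "@timestamp": hdr["ts"],
        "host.name": f.get("Device Name", ""),
        "event.severity": SEVERITY.get(f.get("Severity"), 0),
        "rule.name": f.get("Description", ""),
        "process.parent.name": f.get("Instigating Process Name", ""),
        "process.name": f.get("Target Process Name", ""),
    }
```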
botelastic[bot] commented 1 year ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

jamiehynds commented 1 year ago

Keeping this open.

botelastic[bot] commented 9 months ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!