Open jamiehynds opened 3 years ago
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Is there any plan on this new Cylance integration to support CylanceOPTICS?
We would like to create alerting based the the CylanceOPTICS detection but the integration does not support it.
We tried the current Cylance integration but it only supports Cylance Protect events type. For the Cylance Optics we get dissect_parsing_error in tag and no information is parsed.
Here is an example of an original event log from CylanceOPTICS:
746 <44>1 2021-08-26T09:06:07.894000Z sysloghost CylanceOPTICS - - - Event Type: OpticsCaeProcessEvent, Event Name: OpticsCaeProcessEvent, Device Name: --REMOVED-- , Zone Names: (Optics3 Agent Update), Event Id: --REMOVED-- , Severity: Medium, Description: RegSvcs RegAsm Bypass (MITRE), Instigating Process Name: powershell.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: --REMOVED--, Target Process Name: csc.exe, Target Process Owner: NT AUTHORITY//SYSTEM, Target Process ImageFileSha256: --REMOVED--, Device Id: --REMOVED--
Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale
to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1
. Thank you for your contribution!
Keeping this open.
Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale
to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1
. Thank you for your contribution!
Description
Acquired by BlackBerry, Cylance is an AI-driven endpoint detection and response (EDR) platform that allows companies to intelligently strengthen, automate, and streamline their overall endpoint security efforts 24/7/365. Able to catch and mitigate highly advanced security threats as they emerge in real-time, Cylance’s EDR capabilities allow security teams to keep critical company assets protected from modern cyber attacks with virtually no impact on endpoint performance.
This integration will replace our current experimental Cylance integration.
Architecture
Syslog is supported, with an integration guide available here.
Integration release checklist
This checklist is intended for integrations maintainers to ensure consistency when creating or updating a Package, Module or Dataset for an Integration.
All changes
New Package
Dashboards changes
Log dataset changes
sample_event.json
) exists