CylanceProtect Cloud Connector
CylanceProtect is an artificial intelligence (AI) based endpoint security solution that employs machine learning and AI techniques to identify malicious code based on its behavior and prevent breaches, malware, and advanced threats. In addition to AI-driven malware prevention, CylanceProtect provides script management, device usage policy enforcement, memory exploitation detection and prevention, and application control for fixed-function devices. For more information, see the CylanceProtect website.
Prerequisites to Configure the CylanceProtect Connector
Before you configure the CylanceProtect connector, you must obtain the values for the application ID, application secret, tenant ID, and region.
Obtain the Application ID and Secret
CylanceProtect APIs are authenticated via application keys. You must obtain the application ID and secret to use while configuring the CylanceProtect connector.
To obtain the tenant ID, application ID, and secret:
Log in to the CylanceProtect console at https://login.cylance.com/Login as an administrator.
Navigate to Settings > Integrations.
Copy and record the tenant ID that appears on the upper right corner.
Click Add Application.
Specify a name for the application.
Define access permissions for the console data types by selecting the Read check box for the Devices and Threats privileges. The connector only reads data, so it does not need any write privileges.
Click Save. Note the values for the application ID and application secret. Use the values while configuring the CylanceProtect Connector on the Exabeam Cloud Connector platform.
Configure the CylanceProtect Connector
The following table lists the audit source APIs and the security events supported by the connector.

| Audit Source: API | Service or Module Covered | Event Included |
|---|---|---|
| Threats | Threat detection alerts and information | |
| Memory Protection | Threats related to memory vulnerabilities | |
| Devices | Threats detected via endpoints; used to enrich threat detection alerts with device-specific information | |
To configure the CylanceProtect connector to import data into the Exabeam Cloud Connector platform:
Complete the Prerequisites to Configure the CylanceProtect Connector.
Log in to the Exabeam Cloud Connectors platform with your registered credentials.
Navigate to Settings > Accounts > Add Account.
Click Select Service to Add, then select CylanceProtect from the list.
In the Accounts section, enter the required information.
Account Name – Specify a name for the CylanceProtect connector. For example, Corporate endpoint security solution.
(optional) Description – Describe the CylanceProtect connector. For example, CylanceProtect AI-based endpoint security solution.
App ID – Enter the value for application ID that you obtained while completing prerequisites.
App Secret – Enter the value for application secret that you obtained while completing prerequisites.
Tenant ID – Enter the value for tenant ID that you obtained while completing prerequisites.
Region – Select one of the following tenant regions based on your CylanceProtect deployment region.
Asia Pacific – North
Asia Pacific – Southeast
Europe – Central
Government
South America
North America
To confirm that the Exabeam Cloud Connector platform communicates with the service, click Test Connection.
Click Done to save your changes. The cloud connector is now set up on the Exabeam Cloud Connector platform.
To ensure that the connector is ready to send and collect data, start the connector and check that the status shows OK.
Troubleshooting
If you receive an HTTP error when you click Test Connection, run the test script described in the CylanceProtect documentation to analyze and debug the problem.
To run the test script:
From the Exabeam Cloud Connector command-line interface (CLI), run the following commands to install Python and the additional required components:
Install Python: apt install python
Install pip: apt install python-pip
Install pyjwt: pip install pyjwt
Install requests: pip install requests
Note
These commands to install Python and other prerequisites are for the Ubuntu operating system. For other operating systems, run the equivalent package management commands.
Create a new test.py file and add the following syntax to the file.
```python
import jwt  # PyJWT version 1.5.3 as of the time of authoring.
import uuid
import requests  # requests version 2.18.4 as of the time of authoring.
import json
from datetime import datetime, timedelta

# The auth token is valid for 30 minutes from now.
timeout = 1800
now = datetime.utcnow()
timeout_datetime = now + timedelta(seconds=timeout)
epoch_time = int((now - datetime(1970, 1, 1)).total_seconds())
epoch_timeout = int((timeout_datetime - datetime(1970, 1, 1)).total_seconds())
jti_val = str(uuid.uuid4())  # Unique token ID; a fresh UUID per request.
tid_val = "123"  # The tenant's unique identifier.
app_id = "456"  # The application's unique identifier.
app_secret = "789"  # The application's secret to sign the auth token with.
AUTH_URL = "https://protectapi.cylance.com/auth/v2/token"

claims = {
    "exp": epoch_timeout,
    "iat": epoch_time,
    "iss": "http://cylance.com",
    "sub": app_id,
    "tid": tid_val,
    "jti": jti_val
    # The following is optional and is being noted here as an example on how one can restrict
    # the list of scopes being requested
    # "scp": "policy:create, policy:list, policy:read, policy:update"
}

encoded = jwt.encode(claims, app_secret, algorithm='HS256')
# PyJWT 1.x returns bytes and PyJWT 2.x returns str; normalise to str.
if isinstance(encoded, bytes):
    encoded = encoded.decode('utf-8')
print("auth_token:\n" + encoded + "\n")

payload = {"auth_token": encoded}
headers = {"Content-Type": "application/json; charset=utf-8"}
resp = requests.post(AUTH_URL, headers=headers, data=json.dumps(payload))
print("http_status_code: " + str(resp.status_code))
if resp.status_code == 200:
    print("access_token:\n" + json.loads(resp.text)['access_token'] + "\n")
else:
    # On 401/403 the body explains why the token was rejected; print it instead of crashing.
    print("error_body:\n" + resp.text + "\n")
```
Replace the values for tid_val, app_id, app_secret, and AUTH_URL with the correct values for tenant, app ID, app secret, and URL.
Save the file.
Execute the script by entering python test.py in the command line. After executing the script, a token represented by a string of letters and numbers appears.
If you see a token without any error but the test connection fails, contact Exabeam customer support.
If you do not see a token or receive an HTTP error (such as 401 or 403), contact CylanceProtect customer support. For HTTP errors 401 and 403, the CylanceProtect support team must validate the user credentials.
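Before contacting support, it helps to rule out a malformed auth token. The following added example (not Exabeam's or Cylance's code) builds the same HS256 token the test script sends using only the Python standard library, then checks its signature and claims locally. The tenant ID, app ID and secret values are constructed placeholders; the checks only confirm that the token is well-formed and signed with the secret you typed, not that the service accepts it.

```python
import base64, hashlib, hmac, json, time, uuid

# Constructed placeholders: replace with the values recorded under Settings > Integrations.
ISSUER = "http://cylance.com"   # iss value the CylanceProtect auth endpoint expects
LIFETIME = 1800                 # 30-minute token lifetime, as in the test script


def _b64url(data: bytes) -> str:
    """JWT base64url encoding: URL-safe alphabet, no padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_auth_token(tenant_id, app_id, app_secret, now=None):
    """Build the HS256 auth token with the same claims the test script sends."""
    iat = int(now if now is not None else time.time())
    claims = {"exp": iat + LIFETIME, "iat": iat, "iss": ISSUER,
              "sub": app_id, "tid": tenant_id, "jti": str(uuid.uuid4())}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def check_auth_token(token, app_secret, tenant_id, app_id, now=None):
    """Verify signature and claims locally; return a list of problems (empty means it looks right)."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not three dot-separated parts"]
    header_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(app_secret.encode(), f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    problems = []
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        problems.append("signature does not verify with this app secret")
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(now if now is not None else time.time())
    if claims.get("iss") != ISSUER:
        problems.append("iss is not %r" % ISSUER)
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the tenant ID")
    if claims.get("sub") != app_id:
        problems.append("sub does not match the application ID")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired (check the connector host clock)")
    return problems
```

Run check_auth_token on the auth_token string printed by test.py with the same secret; a signature or tenant mismatch points at a copy-paste error in the prerequisites rather than at the service.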