Page Comparison

Table of Contents

minLevel	3
maxLevel	3
outline	false
type	list
printable	false

Assumptions

The user has a Log Relay device online
The user is not blocking traffic on port TCP and UDP port 14015 between the Cylance and the Log Relay

Setup

Upon activation of your account, you will receive an email with your login information for the Console.
Click the link in the email and go to the login page.
Login to the Console as an Administrator.
Select Settings > Application.
Record the displayed token. Download the installer by clicking either Windows or Linux or Mac OS X and then selecting the installation format.
Use the token when prompted during installation.

Info

Note: CylancePROTECT Agent 1400 or higher must be installed on the endpoint before installing CylanceOPTICS for Windows.

For more info on CylanceOPTICS click here

Procedure

CYLANCEPROTECT SYSLOG SETTINGS

Click on Settings, then Application submenu.
When the page loads, scroll down to the INTEGRATIONS section of the page.
The following sections will provide details and descriptions for each sub heading in this section

Info

EVENT TYPES

Syslog events have standard fields like timestamp, severity level, facility and a Cylance-specific payload (message). Examples provided in this section only contain the Cylance-specific message

Expand

title	Application Control

This option is only visible to Tenant's that have the Application Control feature enabled. Application Control events represent actions occurring when the device is in AppControl mode. Checking this option will send a message to the Syslog server whenever an attempt is made to modify or copy an executable file, or when an attempt to made to execute a file from an external device or network location.

Example Message for Deny PE File Change

1

Code Block
theme	Midnight
firstline

linenumbers	true
CylancePROTECT: Event Type: AppControl, Event Name: pechange, Device Name: WIN-7entSh64, IP Address: (192.168.119.128), Action: PEFileChange, Action Type: Deny, File Path: C:\Users\admin\AppData\Local\Temp\MyInstaller.exe, SHA256: 04D4DC02D96673ECA9050FE7201044FDB380E3CFE0D727E93DB35A709B 45EDAA

Example Message for Deny Execution from External Drive

theme

Code Block

Midnight
firstline	1
linenumbers	true
CylancePROTECT: Event Type: AppControl, Event Name: executionfromexternaldrives, Device Name: WIN-7entSh64, IP Address: (192.168.119.128), Action: PEFileChange, Action Type: Allow, File Path: \\shared1\psexec.exe, SHA256: F8DBABDFA03068130C277CE49C60E35C029FF29D9E3C74C362521F3FB0 2670D5

Expand

title	Audit Log

When this option is checked, the audit log of user actions performed in the CylancePROTECT Web console will be sent to the Syslog server. Audit Log events will always appear in the Audit Log screen even when this option is unchecked.

Example Message for Audit Log being forwarded to Syslog

linenumbers

Code Block
theme	Midnight
firstline	1

true	CylancePROTECT: Event Type: AuditLog, Event Name: ThreatGlobalQuarantine, Message: SHA256: A1E92E2E84A1321F499A5EC500E8B9A9C0CA28701668BF13EA56D3995A 96153F,1CCC95B7B2F781D55D538CA01D6049762FDF6A75B32A06DF3CC 2EDC1F1573BFA; Reason: Manually blacklisting these 2 threats., User: (johnsmith@contoso.com)

1

Expand

title	Devices

When this option is checked, these device events will be logged to the Syslog server:

When a new device is registered (you'll always get 2 messages for this: Registration and SystemSecurity).
1. Example Message for Device Registered Event
  Code Block

theme

Midnight

firstline

linenumberstrue

CylancePROTECT: Event Type: Device, Event Name:
Registration, Device Name: WIN-55NATVQHBUU
CylancePROTECT: Event Type: Device, Event Name:
SystemSecurity, Device Name: WIN-55NATVQHBUU, Agent
Version: 1.1.1270.58, IP Address: (10.3.0.154), MAC
Address: (005056881877), Logged On Users: (WIN55NATVQHBUU\Administrator), OS: Microsoft Windows Server
2008 R2 Standard Service Pack 1 x64 6.1.7601

When a device is removed.
1. Example Message for Device Removed Event
  Code Block

themefirstline1linenumberstrue

Midnight

CylancePROTECT: Event Type: Device, Event Name: Device Removed, Device
Names: (test-xp-test), User: (test@test.com)

When a device's policy, zone, name, or logging level has changed.
1. Example Message for Device Updated Event
  Code Block

themeMidnightfirstline1linenumbers

true

CylancePROTECT: Event Type: Device, Event Name: Device
Updated, Device Message: Renamed: 'WIN-55NATVQHBUU' to
'WIN-2008R2-IRV1'; Policy Changed: 'Default' to
'IRVPolicy1'; Zones Added: 'IRV1', User: test
(test@test.com)

Expand

title	Memory Protection

When this option is checked, any Memory EXPLOIT ATTEMPTS that might be considered an attack from any of the Tenant's devices will be logged to the Syslog server.

None: Allowed because no policy has been defined for this violation.
Allowed: Allowed by policy.
Blocked: Blocked from running by policy.
Terminated: Process has been terminated.

Example Message of Memory Protection Event

1

Code Block
theme	Midnight
firstline

linenumbers	true
Cyl CylancePROTECT: Event Type: ExploitAttempt, Event Name: blocked, Device Name: WIN-7entSh64, IP Address: (192.168.119.128), Action: Blocked, Process ID: 3804, Process Name: C:\AttackTest64.exe, User Name: admin, Violation Type: LSASS Read

Expand

title	Threats

When this option is checked, any newly found threats, or changes observed for an existing threat will be logged to the Syslog server. Changes include a threat being removed, quarantined, waived, or executed.

There are 5 types of Threat Events:

threat_found: A new threat has been found in an Unsafe status.
threat_removed: An existing threat has been removed.
threat_quarantined: A new threat has been found in the Quarantine status.
threat_waived: A new threat has been found in the Waived status.
threat_changed: The behavior of an existing threat has changed (e.g. score, quarantine status, running status).

Example Message of Threat Event

true

Code Block
theme	Midnight
firstline	1
linenumbers

CylancePROTECT: Event Type: Threat, Event Name: threat_found, Device Name: SH-Win81-1, IP Address: (10.3.0.132), File Name: virusshare_00fbc4cc4b42774b50a9f71074b79bd9, Path: c:\ruby\host_automation\test\data\test_files\, SHA256: 1EBF3B8A61A7E0023AAB3B0CB24938536A1D87BCE1FCC6442E137FB2A 7DD510B, Status: Unsafe, Cylance Score: 100, Found Date: 6/1/2015 10:57:42 PM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: FileWatcher

Expand

title	Threat Classification

Each day, Cylance will classify hundreds of threats as either Malware or PUPs (Potentially Unwanted Programs). When that happens, you can subscribe to be notified of those events by checking this option. Example Message for Threat Classification

linenumbers

Code Block
theme	Midnight
firstline	1

true	CylancePROTECT: Event Type: ThreatClassification, Event Name: ResearchSaved, Threat Class: Malware, Threat Subclass: Worm, SHA256: 1218493137321C1D1F897B0C25BEF17CDD0BE9C99B84B4DD8B51EAC8F9 794F65

...

Info

FACILITY

Specifies what type of application is logging the message. The default is Internal (aka Syslog). This is used to categorize the messages when they are received by the Syslog server.

Click on Test Connection to test the IP/DOMAIN, PORT, AND PROTOCOL settings. If you entered valid values, after a couple of moments, you should see a success confirmation popup:

Field Reference

Image Removed

...

Rules

...

Rule	Definition
ScriptControl Alert	Detects Script Control alerts from Cylance endpoints
Threat Quarantined	Alerts if a threat is quarantined by Cylance
Threat Found	Alerts if Cylance detects a threat
ScriptControl Blocked	Detects if Script Control blocks an action
Threat Cleared	Alerts if Cylance clears a threat
Threat Changed	Alerts if Cylance detects that a threat has changed
Optics Process Event	Alerts if Cylance optics detects a process event
Optics File Event	Alerts if Cylance optics detects a file event
Optics Registry Event	Alerts if Cylance optics detects a registry event

...

Versions Compared

Old Version 4

New Version 5

Key

Assumptions

Setup

Procedure

Field Reference

Rules