SOCFortress Integrations — Cylance EndPoint Protection

SOCFortress
3 min read · Mar 24, 2024

Intro

SOCFortress integration and visualization tools let security analysts visualize and triage CylancePROTECT security events in a single pane of glass.

About CylancePROTECT

Cylance is a cybersecurity company that focuses on developing endpoint protection solutions powered by artificial intelligence and machine learning. The company’s flagship product, CylancePROTECT, is an advanced antivirus and endpoint detection and response (EDR) solution designed to prevent malware, ransomware, and other advanced threats.

Key aspects and features of CylancePROTECT include:

  • Artificial Intelligence and Machine Learning: CylancePROTECT utilizes AI and machine learning algorithms to analyze file behavior and identify malicious files and processes. It employs predictive modeling techniques to detect and prevent threats in real-time, without relying on signatures or updates.
  • Preventive Protection: The solution offers preventive protection against a wide range of threats, including malware, ransomware, fileless attacks, zero-day exploits, and advanced persistent threats (APTs). It aims to stop attacks before they can execute and cause damage to endpoints.
  • Minimal Performance Impact: CylancePROTECT is designed to have minimal impact on system performance and resource utilization. It operates silently in the background, providing comprehensive security without disrupting user productivity.
  • Threat Intelligence Integration: The solution integrates threat intelligence feeds and indicators of compromise (IOCs) to enhance detection accuracy and effectiveness. It leverages global threat intelligence to identify emerging threats and block known malicious entities.
  • Centralized Management Console: CylancePROTECT offers a centralized management console that allows administrators to deploy, configure, and monitor endpoint protection across the entire organization. It provides visibility into security events, alerts, and compliance status.
  • Automated Response: The solution includes automated response capabilities to help organizations quickly contain and remediate security incidents. It offers predefined response actions and workflows to streamline incident response processes.
  • Compliance and Reporting: CylancePROTECT provides compliance reporting features to help organizations demonstrate adherence to regulatory requirements and security standards. It generates detailed reports and audit logs for compliance audits and security assessments.
  • Scalability and Flexibility: CylancePROTECT is scalable and flexible, allowing organizations to deploy and manage endpoint protection across diverse environments, including on-premises, cloud, and hybrid environments.

CylancePROTECT is suitable for organizations of all sizes and industries, offering robust endpoint security capabilities to protect against evolving cyber threats. It aims to provide proactive and intelligent security that goes beyond traditional antivirus solutions.

Ingesting CylancePROTECT EndPoint Events

Reference: https://docs.blackberry.com/en/unified-endpoint-security/blackberry-ues/cylance-syslog-guide/Overview

You can configure Cylance Endpoint Security to forward events to a single SIEM solution or syslog server. The content of each event is Unicode plain text consisting of key-value pairs, separated by commas. If your organization requires events to be sent to multiple SIEM solutions or syslog servers, you may be able to configure a syslog forwarder. See the documentation for your Syslog or SIEM server for information about how to configure forwarding to multiple servers.
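The forwarded events are comma-separated key-value pairs inside an ordinary syslog message, so the first thing an ingest pipeline has to do is peel off the syslog header and turn the body into fields. The parser below is an added example, not SOCFortress or BlackBerry code; the sample lines are constructed, use an RFC 5424 header as an assumption about how the relay frames the message, and use illustrative field names (Event Type, Device Name, Status, ...) rather than the vendor's documented schema. It also handles the one awkward case in this format: a value that itself contains ", " (here a zone list), which would otherwise be split into a bogus extra field.

```python
import re
from collections import Counter

# Constructed sample lines, not captured output from a real Cylance tenant.
# Header framing (RFC 5424) and field names are assumptions for this example.
SAMPLE_LINES = [
    "<14>1 2024-03-24T10:15:02Z cylance-relay CylancePROTECT - - - "
    "Event Type: Threat, Event Name: threat_found, Device Name: WS-0042, "
    "File Path: C:\\Users\\alice\\Downloads\\invoice.exe, "
    "SHA256: <placeholder-hash>, Status: Quarantined",
    "<14>1 2024-03-24T10:16:40Z cylance-relay CylancePROTECT - - - "
    "Event Type: Device, Event Name: Device Policy Assigned, "
    "Device Name: WS-0042, Policy Name: Default",
    "<14>1 2024-03-24T10:18:11Z cylance-relay CylancePROTECT - - - "
    "Event Type: Threat, Event Name: threat_found, Device Name: LAPTOP-7, "
    "Zone Names: Sales, EMEA, File Path: /tmp/dropper.sh, "
    "SHA256: <placeholder-hash>, Status: Unsafe",
]

# <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)


def parse_kv_pairs(msg: str) -> dict:
    """Split 'Key: Value, Key: Value' into a dict.

    Splitting on ': ' (colon plus space) keeps Windows paths like C:\\Users
    intact. A chunk with no ': ' is not a new pair but the tail of a value
    that contained ', ' itself (e.g. 'Zone Names: Sales, EMEA'), so it is
    glued back onto the previous value instead of becoming a junk key.
    """
    fields: dict = {}
    last_key = None
    for chunk in msg.split(", "):
        key, sep, value = chunk.partition(": ")
        if sep:
            fields[key] = value
            last_key = key
        elif last_key is not None:
            fields[last_key] += ", " + chunk
        else:
            raise ValueError(f"malformed leading chunk: {chunk!r}")
    return fields


def parse_event(line: str) -> dict:
    """Return the event fields plus the syslog metadata (prefixed with '_')."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    event = parse_kv_pairs(m.group("msg"))
    event["_timestamp"] = m.group("timestamp")
    event["_host"] = m.group("host")
    event["_app"] = m.group("app")
    return event


def events_by_type(lines) -> dict:
    """Counts per Event Type: the breakdown an 'events by type' panel shows."""
    return dict(Counter(parse_event(ln).get("Event Type", "Unknown") for ln in lines))


def unresolved_threats(lines) -> list:
    """Threat events whose Status is not Quarantined, i.e. the ones an
    analyst should look at first because the agent did not contain them."""
    out = []
    for ln in lines:
        ev = parse_event(ln)
        if ev.get("Event Type") == "Threat" and ev.get("Status") != "Quarantined":
            out.append((ev["_timestamp"], ev.get("Device Name"),
                        ev.get("File Path"), ev.get("Status")))
    return out


if __name__ == "__main__":
    print(events_by_type(SAMPLE_LINES))
    for row in unresolved_threats(SAMPLE_LINES):
        print("needs triage:", row)
```

If your relay uses the older RFC 3164 header instead, only HEADER_RE needs to change; the key-value parsing of the body is independent of the framing.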

Cloud endpoints / Cylance public IPs list:

Different types of events:

  • CylancePROTECT Desktop event types
  • CylancePROTECT Mobile event types
  • CylanceOPTICS detection events
  • CylanceGATEWAY event types
  • CylanceAVERT event types

Visualizations

Landing page:

Total events, events by type and events histogram:

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).