Overview

Cylance provides an API that allows the Blumira platform to retrieve event data. Once Cylance's logs are integrated with Blumira, our cloud-delivered platform provides end-to-end automated threat detection, analysis, and response with correlated data from across your entire environment. If you are using Cylance, follow this guide to gather your Cylance API credentials and configure Blumira to begin ingesting Cylance data.

Before you begin

Before Blumira can retrieve event logs from Cylance, you will first need three values from your Cylance Console: your Tenant ID, plus the Application ID and Application Secret of an API application created for Blumira.

To obtain these credentials, follow these instructions:

  1. Log in to the Cylance Console as an administrator.
  2. Navigate to Settings > Integrations.
  3. Click Copy next to the Tenant ID field. Keep this information ready for later steps.
  4. Click Add Application.
  5. Type Blumira in the Application Name field.
  6. Select the READ check box next to each of these event types that you want Blumira to ingest. Blumira only reads data, so leave the other permission check boxes clear:
    • Threats
    • Memory Protection
    • CylanceOPTICS Detections
      Note: Only the three types listed above are supported by Blumira; granting READ on other types has no effect on what Blumira collects.
  7. Click Save.
  8. Copy the Application ID and Application Secret now and keep them with the Tenant ID for later steps. Treat the Application Secret like a password: together with the Application ID and Tenant ID it grants read access to your tenant's threat data, so store it in a password manager or secrets store rather than in a shared document.
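Before handing the three values to Blumira, it is worth confirming that they actually authenticate, since a mistyped secret or a swapped Tenant/Application ID only shows up later as a module that silently collects nothing. The script below is an added example, not Blumira's or Cylance's own code. It follows the token flow in Cylance's public User API documentation: an HS256 JWT signed with the Application Secret, carrying the Tenant ID (`tid`) and Application ID (`sub`), POSTed as `{"auth_token": ...}` to the `auth/v2/token` endpoint. The host is the default (US) region and is an assumption for your tenant; other regions use a region-specific host. The credential values in the block are constructed placeholders.

```python
"""Sanity-check a Cylance API credential set before giving it to Blumira.

Added example, not Blumira's or Cylance's code. The JWT claims and the
{"auth_token": ...} exchange follow Cylance's public User API documentation;
AUTH_URL is the default (US) region host and is an assumption for your tenant.
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.request
import uuid

# Assumed default-region host; other regions use a region-specific host.
AUTH_URL = "https://protectapi.cylance.com/auth/v2/token"
MAX_TTL = 1800  # Cylance accepts exp at most 30 minutes after iat


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_auth_token(tenant_id, app_id, app_secret, now=None, ttl=MAX_TTL, jti=None):
    """Build the HS256 JWT that Cylance's token endpoint expects.

    iss is fixed to http://cylance.com, sub is the Application ID, tid is the
    Tenant ID and jti is a one-time nonce. Only the Application Secret signs.
    """
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "exp": now + ttl,
        "iat": now,
        "iss": "http://cylance.com",
        "sub": app_id,
        "tid": tenant_id,
        "jti": jti or str(uuid.uuid4()),
    }
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_auth_token(token, app_secret, now=None):
    """Offline check: signature verifies with the secret and claims are sane.

    Returns the claims dict or raises ValueError. Catches a mistyped secret,
    missing IDs or a bad clock before any request leaves the machine.
    """
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not three dot-separated segments")
    header_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(
        app_secret.encode(), f"{header_b64}.{claims_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify with this Application Secret")
    claims = json.loads(_b64url_decode(claims_b64))
    for key in ("exp", "iat", "iss", "sub", "tid", "jti"):
        if not claims.get(key):
            raise ValueError(f"missing or empty claim: {key}")
    if claims["exp"] <= now:
        raise ValueError("token is already expired; check the system clock")
    if claims["exp"] - claims["iat"] > MAX_TTL:
        raise ValueError("exp is more than 30 minutes after iat")
    return claims


def request_access_token(tenant_id, app_id, app_secret, auth_url=AUTH_URL):
    """Exchange the JWT for a bearer token (network call; run interactively)."""
    jwt = build_auth_token(tenant_id, app_id, app_secret)
    body = json.dumps({"auth_token": jwt}).encode()
    req = urllib.request.Request(
        auth_url, data=body, method="POST",
        headers={"Content-Type": "application/json; charset=utf-8"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())["access_token"]


if __name__ == "__main__":
    # Constructed placeholders, not real credentials: substitute the values
    # copied from Settings > Integrations in the Cylance Console.
    TENANT_ID = "00000000-0000-0000-0000-000000000000"
    APP_ID = "11111111-1111-1111-1111-111111111111"
    APP_SECRET = "22222222-2222-2222-2222-222222222222"
    token = build_auth_token(TENANT_ID, APP_ID, APP_SECRET)
    print("offline check passed:", verify_auth_token(token, APP_SECRET)["tid"])
    # With real values, uncomment to test against the API; a 401 here means
    # the credentials will fail in Blumira too.
    # print("access_token:", request_access_token(TENANT_ID, APP_ID, APP_SECRET)[:16], "...")
```

A successful call to `request_access_token` returns a bearer token, which is all Blumira's module needs to do on your behalf; the offline check alone already rules out the most common mistakes (secret with trailing whitespace, Tenant ID and Application ID pasted into each other's field, a sensor clock far enough off that `exp` is rejected).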

Providing API credentials to Blumira

Next, configure your existing Blumira sensor with a new module to connect to the Cylance API using the credentials you obtained in previous steps.

To add a module on an existing sensor and provide credentials:

  1. In Blumira, click Settings.
  2. Click Sensors.
  3. Click the sensor on which you want to add a module.
  4. On the detail page for the sensor, scroll down and click Add Module.
  5. In the Add New Module window, select the newest version of this integration’s module. Note: For the best stability and performance, Blumira will update the module version when old versions are deprecated.
  6. Enter the credentials that you gathered in the “Before you begin” section above.
  7. (Optional) Type a name for this log deployment in the Log Source Name box. This name appears in the "device_address" column in the results of your event data queries, so if you later add modules for other integrations on the same sensor, a distinct name lets you tell their logs apart. Note: The name can only contain alphanumeric characters, periods, and hyphens; spaces and underscores are not allowed.
  8. Click Install.