CylanceOPTICS provides endpoint detection and response (EDR): visibility, root cause analysis, scalable threat hunting, and automated threat detection and response.
Once Cylance’s logs are integrated with Blumira, our cloud-delivered platform provides end-to-end automated threat detection, analysis, and response, correlating the Cylance data with data from across your entire environment.
Set Up Instructions
Required Blumira Module: Cylance
Cylance Log Collection Configuration
Cylance provides an API that allows event data to be retrieved into the Blumira platform. If you use Cylance, follow this guide to begin ingesting its data.
Before Blumira can retrieve event logs from Cylance, you first need to obtain credentials for the Cylance API via your Cylance Console. Cylance calls this adding an “application” or “integration.”
To obtain these credentials, please follow these instructions:
Log in to the Cylance Console as an administrator.
Go to Settings → Integrations
Click Add Application
Give your application a name in the Application Name field. We recommend “Blumira.”
Select the data type(s) that you want to export to Blumira. We currently support three types: Threats, Memory Protection, and CylanceOPTICS Detections, as shown in the following image. Check the box under READ for any or all of these three event types (we recommend all three).
In the resulting window, the Cylance Application ID and Application Secret are displayed; both are needed to configure Blumira, as described below. Copy these two strings for use in later steps, and treat the Application Secret as you would any other credential.
Back in the Integrations page of your Cylance Console, also copy the Tenant ID displayed near the top, as shown in the image below.
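Before entering the three values into Blumira, it can save a troubleshooting round-trip to confirm that they actually authenticate against the Cylance API. The script below is an added example, not Blumira's module code or Cylance's own tooling. It assumes the Cylance User API v2 token flow: a short-lived HS256-signed JWT carrying the Tenant ID and Application ID, signed with the Application Secret, is POSTed to /auth/v2/token and exchanged for a bearer access token. The API host, the claim names, and the token lifetime used here are assumptions taken from the public Cylance API documentation and should be confirmed for your tenant's region; the credentials are read from environment variables so the secret never lands in shell history.

```python
"""Pre-flight check for Cylance API credentials (added example, not Blumira's code).

Assumption: Cylance User API v2 authentication. A JWT built from the Tenant ID,
Application ID and Application Secret is exchanged at /auth/v2/token for a
bearer access token. The host below is the North America API host; other
regions use a different protectapi host, so confirm it for your tenant.
"""
import base64
import hashlib
import hmac
import json
import os
import sys
import time
import urllib.request
import uuid

CYLANCE_API_BASE = "https://protectapi.cylance.com"  # assumed region host
TOKEN_LIFETIME_SECONDS = 300  # well under the assumed 30-minute maximum


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_auth_jwt(tenant_id, app_id, app_secret, now=None, jti=None):
    """Build the HS256 JWT Cylance expects; `now`/`jti` are overridable for testing."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "http://cylance.com",      # assumed fixed issuer value
        "sub": app_id,                    # Application ID
        "tid": tenant_id,                 # Tenant ID
        "iat": now,
        "exp": now + TOKEN_LIFETIME_SECONDS,
        "jti": jti or str(uuid.uuid4()),  # unique per request
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_auth_jwt(token, app_secret):
    """Locally re-check the signature and return the claims (ValueError on mismatch)."""
    head, body, sig = token.split(".")
    expected = hmac.new(app_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("JWT signature does not match this Application Secret")
    return json.loads(_b64url_decode(body))


def request_access_token(auth_jwt, api_base=CYLANCE_API_BASE, timeout=15):
    """Exchange the JWT for a bearer token; raises urllib.error.HTTPError on 401/403."""
    req = urllib.request.Request(
        f"{api_base}/auth/v2/token",
        data=json.dumps({"auth_token": auth_jwt}).encode(),
        headers={"Content-Type": "application/json; charset=utf-8"},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Hypothetical variable names; set them in your shell before running.
    try:
        tenant_id = os.environ["CYLANCE_TENANT_ID"]
        app_id = os.environ["CYLANCE_APP_ID"]
        app_secret = os.environ["CYLANCE_APP_SECRET"]
    except KeyError as missing:
        sys.exit(f"missing environment variable {missing}")
    token = request_access_token(build_auth_jwt(tenant_id, app_id, app_secret))
    # Print only the token length, never the token itself.
    print(f"credentials accepted; access token length {len(token)}")
```

A 401 from the token endpoint means one of the three values is wrong or the application was not saved with READ on any data type; a connection error usually means the sensor's egress path to the Cylance API host is blocked. Nothing here writes the secret or the issued token to disk or to the console.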
Next, you’ll need to configure your Blumira sensor to connect to the Cylance API, using the credentials you obtained above.
Here’s how to add the Cylance module:
Choose an existing sensor (or install a new one) to add Cylance log collection to, then open that sensor’s detail page through the sensor UI (Infrastructure > Sensors).
In the Modules section for your sensor, click the Add Module button. In the Module drop-down, find the Cylance Module and select the latest available version.
Fill in the Add New Module form, shown here:
Cylance Tenant ID: the Tenant ID you obtained above
Cylance API Application ID: the Application ID from Cylance, above
Cylance API Application Secret: the Application Secret from Cylance, above
Log Source Name: you can leave this empty or, optionally, set it to a short alphanumeric string without spaces that identifies this instance of the Cylance integration, in case you later add more than one (e.g. “main” or “primary”)
Click Install and wait a few seconds for the system to process your request.
The Add New Module window should close, and, back in your sensor detail page view, you should now see the Cylance Module listed in the table of modules.
Within minutes, the module will be operational, and will ingest Cylance logs from the last 12 hours into the Blumira platform. It will then poll Cylance continuously for the latest available logs.