Cylance Protect data integration with Enterprise Security ES

Splunk Employee

Hi,

I need to use the Cylance Protect syslog data in Enterprise Security.

Has anyone used this data in an ES context? What data models does the data map to, and are any additional field extractions required?
Just an FYI - I'm receiving the following Cylance Protect sourcetypes. The Cylance TA and App are able to parse and display data and information respectively.
syslog_auditlog
syslog_device
syslog_script_control

Any pointers/directions are appreciated!

Best Regards,
Shreedeep Mitra.


Re: Cylance Protect data integration with Enterprise Security ES

Contributor

Hi Shreedeep,

The TA has three CIM-aligned Event Types:

Event type one: protect_alert. CIM DM: Alerts

[protect_alert]
search = eventtype=cylance_index sourcetype=audit_log

Event type two: protect_malware. CIM DM: Malware -> Attacks

[protect_malware]
search = eventtype=cylance_index (sourcetype=console_syslog AND EventType=Threat) OR sourcetype=threat OR sourcetype=exploit

Event type three: protect_inventory. CIM DMs: Inventory -> Network, Inventory -> OS, Inventory -> User

[protect_inventory]
search = eventtype=cylance_index (sourcetype=console_syslog AND EventType=Device) OR sourcetype=device


Re: Cylance Protect data integration with Enterprise Security ES

Splunk Employee

Thank you!


Re: Cylance Protect data integration with Enterprise Security ES

Splunk Employee

Just a follow-up based on observations of the eventtypes.conf, props.conf and transforms.conf --

The eventtypes.conf refers to sourcetype names that are slightly different from those that are being set by transforms.conf. Could this be a bug?

transforms.conf derives these sourcetype names (below), which are used by props.conf -
syslog_auditlog, syslog_threat_classification, syslog_exploit, syslog_app_control, syslog_threat, syslog_device, syslog_device_control, syslog_script_control

eventtypes.conf refers to these sourcetype names (below) -
audit_log, console_syslog, threat, exploit, device


Re: Cylance Protect data integration with Enterprise Security ES

Contributor

Not a bug. Look in the props.conf entry for the syslog_protect sourcetype, for example:

[syslog_protect]
TRANSFORMS-changesourcetype = set_auditlog_sourcetype
TRANSFORMS-changesourcetype2 = set_threat_classification_sourcetype
TRANSFORMS-changesourcetype3 = set_exploit_sourcetype
TRANSFORMS-changesourcetype4 = set_app_control_sourcetype
TRANSFORMS-changesourcetype5 = set_threat_sourcetype
TRANSFORMS-changesourcetype6 = set_device_sourcetype
TRANSFORMS-changesourcetype7 = set_device_control_sourcetype
TRANSFORMS-changesourcetype8 = set_script_control_sourcetype

Looking in the transforms.conf, set_auditlog_sourcetype looks like this:

[set_auditlog_sourcetype]
REGEX = Event\sType:\s+AuditLog
FORMAT = sourcetype::syslog_auditlog
DEST_KEY = MetaData:Sourcetype

So, they reroute the syslog_* sourcetypes to others based on regex matching.


Re: Cylance Protect data integration with Enterprise Security ES

Splunk Employee

I'm trying to dry-run this...

Based on the log excerpt below (redacted IPs and usernames):
"Oct 3 09:18:00 ec2-xx-xx-xxx-xx.compute-1.amazonaws.com 1 2017-10-03T14:17:59.8346483Z sysloghost CylancePROTECT - - - Event Type: AuditLog, Event Name: LoginSuccess, Message: Provider: CylancePROTECT, Source IP: yyy.yyy.yy.yyy, User: John Doe (jdoe@foo.com)"

... the transforms.conf will set the sourcetype to syslog_auditlog, right?
But the eventtypes.conf definition refers to it as "audit_log". Correct me if I'm wrong.
[protect_alert]
priority = 5
search = eventtype=cylance_index sourcetype=audit_log


Re: Cylance Protect data integration with Enterprise Security ES

Contributor

OK... I took a deeper look at the app and you're correct, something doesn't jive.

eventtypes.conf has this:

[cylance_index]
search = index=protect OR index=cylance_protect

[protect_alert]
priority = 5
search = eventtype=cylance_index sourcetype=audit_log

[protect_malware]
priority = 5
search = eventtype=cylance_index (sourcetype=console_syslog AND EventType=Threat) OR sourcetype=threat OR sourcetype=exploit

[protect_inventory]
priority = 5
search = eventtype=cylance_index (sourcetype=console_syslog AND EventType=Device) OR sourcetype=device

On each of the protect_* searches, it has all of them looking at sourcetype=console_syslog with EventType, or looking at (exploit|device) by themselves, not looking at syslog_exploit or syslog_device, etc.

You're gonna have to do some minor surgery to fix this. (Be a peach & advise the dev as well.)


Re: Cylance Protect data integration with Enterprise Security ES

Splunk Employee

I'm working around this bug/glitch/typo in the Cylance TA by modifying the eventtypes.conf with a copy in the local dir.

The bigger change will be in the Cylance App, which has queries using mixed sourcetypes, i.e. audit_log and syslog_auditlog, etc. I'm going to inform the App developer.

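The rerouting and the eventtype mismatch discussed in this thread, worked through as an added Python example (not code from the Cylance TA or from any poster): it emulates the transforms.conf sourcetype rewrite on constructed sample events, then checks which eventtypes would select each event with the shipped sourcetype filters versus a corrected local/eventtypes.conf. The Threat and Device regexes and the corrected filters are assumptions modelled on the set_auditlog_sourcetype transform quoted above.

```python
import re

# Constructed sample events (not from the original post), shaped like the redacted
# CylancePROTECT syslog line quoted in the thread; only the "Event Type" field matters here.
HEADER = "Oct 3 09:18:00 host 1 2017-10-03T14:17:59Z sysloghost CylancePROTECT - - - "
SAMPLE_EVENTS = {
    "audit":  HEADER + "Event Type: AuditLog, Event Name: LoginSuccess, User: Jane Doe (jdoe@example.com)",
    "threat": HEADER + "Event Type: Threat, Event Name: threat_found, File Name: sample.exe",
    "device": HEADER + "Event Type: Device, Event Name: Registration, Device Name: LAPTOP-01",
}

# transforms.conf routing: the AuditLog regex is the one shown in the thread; the Threat and
# Device regexes are assumed to follow the same pattern (assumption, not verified against the TA).
TRANSFORMS = [
    (re.compile(r"Event\sType:\s+AuditLog"), "syslog_auditlog"),
    (re.compile(r"Event\sType:\s+Threat"), "syslog_threat"),
    (re.compile(r"Event\sType:\s+Device"), "syslog_device"),
]

def route_sourcetype(raw, initial="syslog_protect"):
    """Emulate the TRANSFORMS-changesourcetype* chain on [syslog_protect]: every matching
    REGEX overwrites MetaData:Sourcetype, so the last match wins; no match keeps the original."""
    sourcetype = initial
    for regex, target in TRANSFORMS:
        if regex.search(raw):
            sourcetype = target
    return sourcetype

def event_type_field(raw):
    """Minimal EventType field extraction, as used by the console_syslog clauses in eventtypes.conf."""
    m = re.search(r"Event Type:\s*(\w+)", raw)
    return m.group(1) if m else None

# Sourcetype predicates of the three eventtypes: as shipped (quoted in the thread) and as a
# corrected local copy that names the sourcetypes transforms.conf actually sets (assumed fix).
SHIPPED = {
    "protect_alert":     lambda st, et: st == "audit_log",
    "protect_malware":   lambda st, et: (st == "console_syslog" and et == "Threat") or st in ("threat", "exploit"),
    "protect_inventory": lambda st, et: (st == "console_syslog" and et == "Device") or st == "device",
}
FIXED = {
    "protect_alert":     lambda st, et: st == "syslog_auditlog",
    "protect_malware":   lambda st, et: st in ("syslog_threat", "syslog_exploit"),
    "protect_inventory": lambda st, et: st == "syslog_device",
}

def matching_eventtypes(raw, eventtypes):
    """Return the eventtype names whose search would select this event after routing."""
    st, et = route_sourcetype(raw), event_type_field(raw)
    return sorted(name for name, pred in eventtypes.items() if pred(st, et))

if __name__ == "__main__":
    for label, raw in SAMPLE_EVENTS.items():
        print(label, route_sourcetype(raw), matching_eventtypes(raw, SHIPPED), matching_eventtypes(raw, FIXED))
```

With the shipped filters none of the three events lands in any eventtype, which is why the CIM data models in ES stay empty until the local eventtypes.conf names the syslog_* sourcetypes.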