
Collect Logs for the Cylance App

This procedure demonstrates how to collect logs from Cylance into Sumo Logic. Cylance applies artificial intelligence, algorithmic science, and machine learning to cyber security, and provides visibility to their service through integrations with a central security analytics platform like Sumo Logic. By combining the threat events data from Cylance and other data sources, you can reduce your security risk and improve your overall security posture.

The Sumo Logic App for Cylance allows you to analyze Cylance security events by type, status, and detection method. You can use the App to investigate Cylance-specific events and provide operational visibility to team members without needing to log into Cylance.

Log Types

The Sumo Logic App for Cylance supports the following event and log types:

  • Device (Device Mgmt - Register, Remove, Updates, SystemSecurity)
  • Threat (Threats identified and actioned)
  • ScriptControl (Script Execution control and actions)
  • ExploitAttempt (Memory Protection)
  • Threat Classification (Threat classification by Cylance research team)
  • AuditLog (User Actions performed from Cylance Web Console)
  • DeviceControl (Control external device like USB, storage connected to system under monitoring)
  • AppControl

For details on the format and definitions, refer to Cylance documentation.

Step 1: Configure a Collector

To create a new Sumo Logic Hosted Collector, perform the steps in Configure a Hosted Collector.

Step 2: Configure a Source

  1. Perform the steps in Configure a Cloud Syslog Source, and configure the following Source fields:
    1. Name. (Required) A name is required. Description is optional.
    2. Source Category. (Required) The Source Category metadata field is a fundamental building block to organize and label Sources. The App's queries select on _sourceCategory=*cylance*, so choose a value those queries will match.
      Example: prod/web/apache/access.
      For details see Best Practices.
  2. In the Advanced section, specify the following configurations:
    1. Enable Timestamp Parsing. True
    2. Time Zone. Logs are in UTC by default
    3. Timestamp Format. Auto Detect
  3. Click Save

Copy the token and store it in a secure location. You will need it when you configure the Cylance Syslog Settings.

Step 3: Configure Logging in Cylance

Before you can configure Sumo Logic to ingest logs, you must set up remote log streaming on Cylance. For instructions, refer to the following documentation:

  1. In Cylance, go to Settings > Application.
  2. In the Integrations section, activate the Syslog/SIEM check box.
  3. Under Event Types, activate the checkboxes for all events.
  4. For SIEM, select Sumo Logic as the destination.
  5. For Protocol, select TCP.
  6. Activate the check box TLS/SSL.
  7. Enter your IP/Domain.
  8. Enter your Port.
  9. For Severity, select Alert (1).
  10. For Facility, select Internal (5).
  11. For Custom Token, enter the token from the Sumo Logic Cloud Syslog Source. The token should end with @41123. This number is the Sumo Logic Private Enterprise Number (PEN).
  12. Click Save.

Field Extraction Rules

The following field extraction rules, one per log type, parse the fields of each Cylance event. Each rule is scoped to its own Event Type; nodrop keeps messages that do not match a given parse expression so that the later expressions in the rule still run.

AuditLog
_sourceCategory=*cylance* "Event Type:" AuditLog
| parse "Event Type: *, Event Name: *," as event_type, event_name nodrop
| parse "Message: *," as msg nodrop | parse "Source IP: *," as src_ip nodrop | parse "User: *" as user nodrop
| parse field=msg "Device: * was auto assigned to Zone: *" as device_name, zone nodrop
| parse field=msg "Provider: *" as provider nodrop
| parse regex field=msg "Device:\s*(?<device_name>[^\s]*)\s*$" nodrop
| parse field=msg "Tier: *; Zones: *; Agent Version: *" as tier, zone, agent_version nodrop
| parse field=msg "Policy Assigned: *; Devices: *" as policy, device_name nodrop
| parse field=msg "Device: *; " as device_name nodrop
| parse field=msg "Devices: *" as device_name nodrop
| parse field=msg "SHA256: *" as sha nodrop
| parse field=msg "Zone: *; Policy Assigned: *; Policy Applied To All Devices In Zone: *" as zone, policy, PolicyAppliedToAllDevicesInZone
Device
_sourceCategory=*cylance* "Event Type: Device"
| parse "Event Type: *, Event Name: *," as event_type, event_name nodrop
| parse "Device Name: *, Agent Version: *, IP Address: (*), MAC Address: (*), Logged On Users: (*), OS: *, Zone Names: (*)" as device_name, agent_version, ip_address, mac_address, LoggedOnUsers, os, zone nodrop
| parse "Device Name: *, Zone Names: (*), Device Id: *" as device_name, zone, device_id nodrop
| parse "Device Message: *, User: *, Zone Names: (*), Device Id: *" as device_message, user, zone, device_id nodrop
| parse regex field=ip_address "\s*(?<ipaddress>[^,]*)" multi nodrop
| parse field=device_message "Device: *; " as device_name nodrop
| if (isempty(ipaddress), ip_address, ipaddress) as ip_address
| parse regex field=LoggedOnUsers "\s*(?<users>[^,]*)" multi nodrop
| if (isempty(users), user, users) as user
DeviceControl
_sourceCategory=*cylance* "Event Type: DeviceControl"
| parse "Event Type: *, Event Name: *," as event_type, event_name nodrop
| parse "Device Name: *, External Device Type: *, External Device Vendor ID: *, External Device Name: *, External Device Product ID: *, External Device Serial Number: *, Zone Names: (*), Device Id: *, Policy Name: *" as device_name, external_device_type, external_device_vendor_id, external_device_name, external_device_product_id, external_device_serialno, zone, device_id, policy nodrop
ExploitAttempt
_sourceCategory=*cylance* ExploitAttempt
| parse "Event Type: *, Event Name: *, Device Name: *, IP Address: (*), Action: *, Process ID: *, Process Name: *, User Name: *, Violation Type: *, Zone Names: (*), Device Id: *, Policy Name: *" as event_type, event_name, device_name, ip_address, action, pid, pname, user, violation, zone, device_id, policy
ScriptControl
_sourceCategory=*cylance* ScriptControl
| parse "Event Type: *, Event Name: *, Device Name: *, File Path: *, Interpreter: *, Interpreter Version: *, Zone Names: (*), User Name: *, Device Id: *, Policy Name: *" as event_type, event_name, device_name, filepath, interpreter, interpreterVersion, zone, user, device_id, policy nodrop
Threat
_sourceCategory=*cylance* Threat "Event Type: Threat"
| parse "Is Malware: *, " as malware_status nodrop
| parse "Event Type: *, Event Name: *," as event_type, event_name nodrop
| parse "Device Name: *, IP Address: (*), File Name: *, Path: *, Drive Type: *, SHA256: *, MD5: *, Status: *, Cylance Score: *, Found Date: *, File Type: *, Is Running: *, Auto Run: *, Detected By: *, Zone Names: (*)" as device_name, ip_address, file_name, path, drive_type, sha, md5, status, score, found, file_type, isRunning, autoRun, detected_by, zone nodrop
| parse "Is Unique To Cylance: *, Threat Classification: *, Device Id: *, Policy Name: *" as isUniqueToCylance, threatClassification, device_id, policy nodrop
ThreatClassification
_sourceCategory=*cylance* ThreatClassification
| parse "Event Type: *, Event Name: *, Threat Class: *, Threat Subclass: *, SHA256: *, MD5: *" as event_type, event_name, threat_class, threat_subclass, sha, md5
AppControl
_sourceCategory=*cylance* "Event Type:" AppControl
| parse "Event Type: *," as event_type nodrop
| parse "Event Name: *, Device Name: *, IP Address: (*), Action: *, Action Type: *, File Path: *, SHA256: *" as event_name, device_name, ip_address, action, action_type, filepath, sha nodrop

Sample log message

850 <44>1 2019-02-27T04:57:20.4390000Z sysloghost CylancePROTECT - - - Event Type: Threat, Event Name: threat_changed, Device Name: SumoStg05, IP Address: (242.95.35.166), File Name: ChkRestart.exe, Path: C:\Windows\Dell_Scripts\Chk_Restart\, Drive Type: Internal Hard Drive, SHA256: EBAD535255B99420C2387B6DD195AFBF8EDC0F88A74037E998DBAEB5EE93A2AE, MD5: C917371E290C185FFED3138F574ADEDD, Status: Abnormal, Cylance Score: 50, Found Date: 1/18/2019 2:28:32 PM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: ExecutionControl, Zone Names: (BLR), Is Malware: False, Is Unique To Cylance: True, Threat Classification: Trusted - Local, Device Id: 81-89cec180584-1fede63f-460414-fe-4c, Policy Name: Allowed Anywhere Internally
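As an added example (not part of the Sumo Logic documentation or of Cylance's own code), the following Python parser decodes a frame like the sample above outside of Sumo Logic, which is useful when validating what Cylance actually sends before the field extraction rules run: it reads the RFC 5424 header, splits the PRI into facility and severity so you can confirm the Severity and Facility settings from Step 3 took effect, and turns the comma-separated Key: Value body into a dict, keeping parenthesised multi-value fields such as IP Address and Zone Names as lists. The sample frame is the one above, reflowed to one line.

```python
import re

# Constructed from the sample Threat event shown on this page, reflowed to one
# line; the leading "850" is the TCP octet-count framing from the capture.
SAMPLE = (
    "850 <44>1 2019-02-27T04:57:20.4390000Z sysloghost CylancePROTECT - - - "
    "Event Type: Threat, Event Name: threat_changed, Device Name: SumoStg05, IP Address: (242.95.35.166), "
    "File Name: ChkRestart.exe, Path: C:\\Windows\\Dell_Scripts\\Chk_Restart\\, Drive Type: Internal Hard Drive, "
    "SHA256: EBAD535255B99420C2387B6DD195AFBF8EDC0F88A74037E998DBAEB5EE93A2AE, MD5: C917371E290C185FFED3138F574ADEDD, "
    "Status: Abnormal, Cylance Score: 50, Found Date: 1/18/2019 2:28:32 PM, File Type: Executable, Is Running: False, "
    "Auto Run: False, Detected By: ExecutionControl, Zone Names: (BLR), Is Malware: False, Is Unique To Cylance: True, "
    "Threat Classification: Trusted - Local, Device Id: 81-89cec180584-1fede63f-460414-fe-4c, Policy Name: Allowed Anywhere Internally"
)

# RFC 5424 header: optional octet count, then <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG.
HEADER_RE = re.compile(
    r"^(?:(?P<octets>\d+) )?<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<body>.*)$"
)
# A Cylance key is a capitalised word run followed by ": ", at the start or after ", ";
# anchoring on ", " keeps commas inside parenthesised lists such as "(a, b)" from splitting.
KEY_RE = re.compile(r"(?:^|, )([A-Z][A-Za-z0-9 ]*): ")


def parse_body(body: str) -> dict:
    """Turn 'Key: Value, Key: (a, b)' into a dict; parenthesised values become lists."""
    fields, keys = {}, list(KEY_RE.finditer(body))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        value = body[m.end():end].strip()
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        fields[m.group(1)] = value
    return fields


def parse_cylance_syslog(line: str) -> dict:
    """Decode one Cylance syslog frame into header metadata plus the event fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 syslog frame")
    pri, declared = int(m["pri"]), m["octets"]
    frame_len = len(line.strip()) - (len(declared) + 1 if declared else 0)
    return {
        "octet_count": int(declared) if declared else None,
        "frame_len": frame_len,          # compare with octet_count to spot truncated frames
        "facility": pri >> 3,            # 5 matches the "Internal (5)" setting chosen in Cylance
        "severity": pri & 7,             # 1 would be Alert; the sample above carries 4 (Warning)
        "timestamp": m["ts"], "host": m["host"], "app": m["app"],
        "fields": parse_body(m["body"]),
    }
```

Values such as Message in AuditLog events can themselves contain ", " so, like the extraction rules above, this splitter is only reliable for the fixed keys Cylance emits.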

Query sample

The following query is from the Event Name Trend panel of the Cylance - AuditLog Dashboard.

_sourceCategory=*cylance* "Event Type:" AuditLog
| parse "Event Type: *, Event Name: *," as event_type, event_name nodrop
| parse "Message: *," as msg nodrop | parse "Source IP: *," as src_ip nodrop | parse "User: *" as user nodrop
| parse field=msg "Device: * was auto assigned to Zone: *" as device_name, zone nodrop
| parse field=msg "Provider: *" as provider nodrop
| parse regex field=msg "Device:\s*(?<device_name>[^\s]*)\s*$" nodrop
| parse field=msg "Tier: *; Zones: *; Agent Version: *" as tier, zone, agent_version nodrop
| parse field=msg "Policy Assigned: *; Devices: *" as policy, device_name nodrop
| parse field=msg "Device: *; " as device_name nodrop
| parse field=msg "Devices: *" as device_name nodrop
| parse field=msg "SHA256: *" as sha nodrop
| parse field=msg "Zone: *; Policy Assigned: *; Policy Applied To All Devices In Zone: *" as zone, policy, PolicyAppliedToAllDevicesInZone
| where event_type = "AuditLog"
| timeslice 1d
| count by _timeslice, event_name
| transpose row _timeslice column event_name