
Install the Cylance App and view the Dashboard

This page describes how to install the Cylance App and provides examples of each of its dashboards. The App's preconfigured searches and dashboards provide easy-to-access analytic visualizations of your data.

Install the Sumo Logic App

Now that you have set up log collection for Cylance, you can install the Cylance App.

To install the app:

Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.

  1. From the App Catalog, search for and select the app. 
  2. To install the app, click Add to Library and complete the following fields.
    1. App Name. You can retain the existing name, or enter a name of your choice for the app.

    2. Data Source. Select either of these options for the data source.

      • Choose Source Category, and select a source category from the list.

      • Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory).

    3. Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
    4. Click Add to Library.

Once an app is installed, it will appear in your Personal folder, or other folder that you specified. From here, you can share it with your organization. See Welcome to the New Library for information on working with the library in the new UI.

Panels will start to fill automatically. It's important to note that each panel slowly fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but with a bit of time, you'll see full graphs and maps. 

Dashboard filters

Each dashboard has a set of filters that you can apply to the entire dashboard, as shown in the following example. Click the funnel icon in the top dashboard menu bar to display a scrollable list of filters that are applied across the entire dashboard.

Cylance_Dashboard_Filter.png

Each panel has a set of filters that are applied to the results for that panel only, as shown in the following example. Click the funnel icon in the top panel menu bar to display a list of panel-specific filters.

Cylance_Panel_Filter.png

Cylance - Overview Dashboard

The Cylance - Overview Dashboard provides a high-level view of the threat incidents experienced on your network. The dashboard panels provide at-a-glance graphs with details and analytics on exploit control violation types, zones, threat classifications, devices, threat file types, event types and trends, event outliers, and event time-compare trends.

Use this dashboard to:

  • Analyze summaries of each prevention component, such as script control, memory exploit protection, device control, application control, AI-based threat classification, and user actions performed from the Cylance Web Console.
  • View threats in the system, and drill down into specific prevention mechanisms and threat events by clicking in a panel.

Cylance_Overview.png

Cylance - Threat Dashboard

The Cylance - Threat Dashboard provides a high-level view of the threats experienced on your network. Dashboard panels display graphs and detailed information with the number of events, top event names, status, file types, unique threats, severity, hosts with the most threats, threat origination, classification, and blocked threats.

Use this dashboard to:

  • Determine hosts (IP Address, device names) and zones affected by various threats identified and handled in the system.
  • Monitor files whose SHA hash occurs multiple times, and the various paths of those files, to understand the threat footprint.

Cylance_Threat.png

Cylance - Threat Classification Dashboard

The Cylance - Threat Classification Dashboard provides an insightful view of the types of threats experienced on your network. Dashboard panels are a mixture of graphs and detailed information on events, event names, threat class, subclass trends, safe files, malware files, and an event breakdown.

Use this dashboard to:

  • Determine how threats in your organization are analyzed and classified by the Cylance Research Team.
  • Assess threats by classification: Malware, PUP (Potentially Unwanted Programs), Dual Use, Trusted Local, and Unknown.
  • Identify Trusted Local files and add them to your Safe List in Cylance. For more details on classification and sub-classification, see the Cylance documentation.

Cylance_Threat_Classification.png

Cylance - Memory Exploit Attempts Dashboard

The Cylance - Memory Exploit Attempts Dashboard provides a high-level view of threats on your network that attempt to exploit memory. Dashboard panels show detailed information on events, violations, blocked and terminated processes, policies, users, hosts, actions, and event trends by action.

Whenever the agent detects certain hard-coded behaviors considered to be indicative of a compromise, an event is communicated to the service before the hooked API function is allowed to complete. The service then responds with an action for the agent to take, such as:

  • Ignore the violation and let it execute
  • Alert on the violation, but let it execute
  • Block the violation and send an alert
  • Terminate the process completely

Use this dashboard to:

  • Identify the most common policy violations, processes, and highly impacted systems in your environment.
  • Monitor when, where, and what actions are taken under the configured policies in your environment.
  • Devise any necessary policy changes based on your findings.

Cylance_Memory_Exploit_Attempts.png

Cylance - Device Dashboard

The Cylance - Device Dashboard provides insights into the devices on your network that are affected by threats. Dashboard panels provide information on unique device names, IP addresses, MAC addresses, users, hosts, operating systems, event names, and event trends.

Use this dashboard to:

  • Analyze the devices protected by the Cylance agent.
  • Monitor new devices being registered and updated, and the policies assigned to them.
  • Investigate devices that have been removed from protection.
  • Assess whether to push the latest agent version if any device is found running an old or outdated version.

Cylance_Device.png

Cylance - Device Control Dashboard

The Cylance - Device Control Dashboard provides insights into external devices involved in threats on your network. Dashboard panels provide graphs and detailed information on events, hosts, unique external devices, event and action trends, and device control event details.

Use this dashboard to:

  • Monitor external devices (such as USB mass storage devices) connected to your environment.
  • Assess which devices should be allowed to connect to your systems.
  • Grant and revoke access rights to specific devices, or to a group of device categories.
  • Monitor external devices by their Vendor ID, Product ID, and Serial Number.
  • Define exceptions to the policy by vendor ID, as necessary.

Cylance_Device_Control.png

Cylance - Script Control Dashboard

The Cylance - Script Control Dashboard provides insights regarding scripts on your network. Dashboard panels provide graphs and detailed information on events, devices, interpreters, users, zones, hosts, files, and event trends.

Use this dashboard to:

  • Monitor when, where, and how scripts are used in the environment. This ultimately reduces the attack surface an attacker could use to distribute malware.
  • Monitor and protect against scripts running in the environment.
  • Monitor the interpreter version on your systems and decide whether to push the latest version when a system is running an outdated one.
  • Detect the script and script path before the script is executed.
  • Monitor which scripts are being blocked, or executed with notification alerts.
  • Change alert settings to block mode and only allow scripts to run from specified folders, as necessary.

Cylance_Script_Control.png

Cylance - AuditLog Dashboard

The Cylance - AuditLog Dashboard provides easy-to-access information about audit logs for your network. Dashboard panels provide high-level graphs and detailed information showing the number of events, event names and trends, users and user geographic locations, source IPs, and a list of recent events.

Use this dashboard to:

  • Monitor user activity performed from the Cylance Web Console.
  • Monitor users overriding or manually updating policies using the Cylance Web Console.

Cylance_AuditLog.png