Sumo Logic

Collect Logs for Cylance

This procedure documents how to collect logs from Cylance into Sumo Logic. Cylance applies artificial intelligence, algorithmic science, and machine learning to cybersecurity, and provides visibility into its service through integrations with a central security analytics platform such as Sumo Logic. By combining the threat event data from Cylance with other data sources, you can reduce your security risk and improve your overall security posture.

The Sumo Logic App for Cylance allows you to analyze Cylance security events by type, status, and detection method. You can use the App to investigate Cylance-specific events and provide operational visibility to team members without needing to log into Cylance.

Log Types

Sumo Logic supports two Cylance log types:

  • Threat Events
  • Threat Classifications

Both types are in syslog format. For details on the format and definition of these log types, refer to the Cylance documentation.

Configure a Collector

Configure a Hosted Collector.

Configure a Source

  1. Configure a Cloud Syslog Source (BETA).
  2. Configure the Source fields:
    1. Name. (Required) Enter a name for the Source. Description is optional.
    2. Source Category. (Required) The Source Category metadata field is a fundamental building block to organize and label Sources. Example: prod/web/apache/access. For details see Best Practices.
  3. Configure the Advanced section:
    1. Enable Timestamp Parsing. True
    2. Time Zone. Make sure to set it to (UTC) Etc/UTC
    3. Timestamp Format. Auto Detect
  4. Click Save.

Copy the token and store it in a secure location. You will need it when you configure the Cylance Syslog Settings.

Configure Logging in Cylance

Before you can configure Sumo Logic to ingest logs, you must set up remote log streaming in Cylance. To do so:

  1. In Cylance, go to Settings > Application.
  2. In the Integrations section, activate the Syslog/SIEM check box.
  3. Under Event Types, activate the checkboxes for all events.
  4. SIEM. Select Sumo Logic as the destination.
  5. Protocol. Select TCP.
  6. Activate the check box TLS/SSL.
  7. Enter your IP/Domain.
  8. Enter your Port.
  9. Severity. Select Alert (1).
  10. Facility. Select Internal (5).
  11. Custom Token. Enter the token from the Sumo Logic Cloud Syslog Source. The token should end with @41123. This number is the Sumo Logic Private Enterprise Number (PEN).
  12. Click Save.

Field Extraction Rules

Here are two extraction rules that use different approaches. The name in each case is "Events." The parse expressions are as follows:

Parse

parse "Event Type: *, Event Name: *, Device Name: *, IP Address: (*, *),
File Name: *, Path: *, Drive Type: *, SHA256: *, MD5: *, Status: *,
Cylance Score: *, Found Date: *, File Type: *, Is Running: *,
Auto Run: *, Detected By: *" as event_type,event_name,device_name,src_ip,dest_ip,file_name,path,
drive_type,sha,md5,status,score,found,file_type,isRunning,autoRun,
detected

Keyvalue Regex

keyvalue regex ": ([^,;]*)" keys "Event Type", "Event Name","Device Name","Path","Interpreter","Interpreter Version","Threat Class",
"Threat Subclass","Agent Version","File Name","SHA256","MD5",
"MAC Addresses","Drive Type","OS","Status","Cylance Score","Found Date",
"File Type","Is Running","Auto Run","Detected By","Reason","Added To" as EventType,EventName,DeviceName,FilePath,Interpreter,InterpreterVer,
ThreatClass,ThreatSubclass,AgentVer,FileName,SHA256,MD5,src_mac,
DriveType,OS,Status,CylanceScore,DateFound,FileType,IsRunning,AutoRun,
Detection,Action_Reason,Action nodrop

Sample Log Message

636 <41>1 2017-01-12T18:19:29.7781755Z sysloghost CylancePROTECT - - - Event Type: Threat, Event Name: corrupt_found, Device Name: Test, IP Address: (10.0.1.8), File Name: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}-1.0.2743.1_chrome_installer.exe, Path: C:\Windows\Temp\, Drive Type: None, SHA256: XXX, MD5: , Status: Corrupt, Cylance Score: 0, Found Date: 1/12/2017 6:19:30 PM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: BackgroundThreatDetection, Zone Names: (Test)
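As an added example (not part of the Sumo Logic or Cylance documentation), the Python below parses the sample message above the way the keyvalue extraction rule does: it separates the RFC 5424 header from the body, reads each `Key: value` pair up to the next comma or semicolon, turns parenthesised values such as IP Address and Zone Names into lists, and decodes the PRI field into the facility and severity that the Cylance settings specify. The `token_is_well_formed` check and all function names are assumptions.

```python
import re

# Constructed sample, copied from the sample log message on this page:
# octet-count framing, RFC 5424 header, then the Cylance key/value body.
SAMPLE = ('636 <41>1 2017-01-12T18:19:29.7781755Z sysloghost CylancePROTECT - - - '
          'Event Type: Threat, Event Name: corrupt_found, Device Name: Test, '
          'IP Address: (10.0.1.8), File Name: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'
          '-1.0.2743.1_chrome_installer.exe, Path: C:\\Windows\\Temp\\, Drive Type: None, '
          'SHA256: XXX, MD5: , Status: Corrupt, Cylance Score: 0, '
          'Found Date: 1/12/2017 6:19:30 PM, File Type: Executable, Is Running: False, '
          'Auto Run: False, Detected By: BackgroundThreatDetection, Zone Names: (Test)')

# Optional octet count, <PRI>, version 1, timestamp, host, app, then PROCID MSGID SD.
HEADER = re.compile(
    r'^(?:(?P<octets>\d+) )?<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) \S+ \S+ \S+ (?P<body>.*)$')
# Same shape as the page's keyvalue regex ": ([^,;]*)": a key, ": ", then a value
# running up to the next comma or semicolon.  Parenthesised values may contain
# commas themselves (IP Address lists), so "( ... )" is tried as a unit first.
PAIR = re.compile(r'(?P<key>[A-Za-z0-9 ]+?): (?P<val>\([^)]*\)|[^,;]*)')

def parse_cylance(line):
    """Return a dict of header fields plus every Cylance key/value pair."""
    m = HEADER.match(line)
    if not m:
        raise ValueError('not an RFC 5424 message')
    rec = {'pri': int(m['pri']), 'timestamp': m['ts'], 'host': m['host'], 'app': m['app']}
    for kv in PAIR.finditer(m['body']):
        key, val = kv['key'].strip(), kv['val'].strip()
        if val.startswith('(') and val.endswith(')'):
            # "(a, b)" -> ['a', 'b'];  "()" -> []
            val = [v.strip() for v in val[1:-1].split(',') if v.strip()]
        rec[key] = val
    # syslog PRI = facility * 8 + severity; <41> decodes to facility 5 (internal)
    # and severity 1 (alert), the values the Cylance settings above ask for.
    rec['facility'], rec['severity'] = divmod(rec['pri'], 8)
    return rec

SUMO_PEN = '41123'  # Sumo Logic Private Enterprise Number, from the page

def token_is_well_formed(token):
    """Hypothetical sanity check: the Cloud Syslog token must end with '@' + PEN."""
    return token.endswith('@' + SUMO_PEN) and len(token) > len(SUMO_PEN) + 1

if __name__ == '__main__':
    print(parse_cylance(SAMPLE))
```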

Query Samples

Local User Logins

| parse "), Logged On Users: (*), OS:" as local_user
| where !(local_user matches "AGDOMAIN\\*" OR local_user = "" OR isNull(local_user))
| timeslice 5m
// src_ip is supplied by the Events field extraction rule; aggregate once per timeslice
| count by _timeslice, local_user, hostname, src_ip
| formatDate(_timeslice, "yyyy-MM-dd HH:mm:ss") as time
| "Cylance has detected a local user authentication" as Message

Number of Unique Threats over Time

| parse "Event Type: *, Event Name: *, Device Name: *, IP Address: (*, *), File Name: *, Path: *, Drive Type: *, SHA256: *, MD5: *, Status: *, Cylance Score: *, Found Date: *, File Type: *, Is Running: *, Auto Run: *, Detected By: *" as event_type,event_name,device_name,src_ip,dest_ip,file_name,path,drive_type,sha,md5,status,score,found,file_type,isRunning,autoRun,detected
// the IP Address pattern expects two comma-separated addresses; a message carrying a
// single address, like the sample above, does not match this parse and is dropped
| where !(sha = "" or isNull(sha))
| where event_name = "threat_quarantined"
| timeslice 1h
| count_distinct(sha) by _timeslice