Cylance Protect
App Vendor: Blackberry Cylance
App Category: Endpoint/Forensics & Malware Analysis
Connector version: 2.0.2
App version: 1.0.0
About App
Cylance Protect is an endpoint protection platform that provides protection against breaches and enables security teams to safeguard against sophisticated threats. The Cylance Protect application enables organizations to stop known and unknown malware threats before they can start exploiting or spreading on a network. With reduced human intervention, the application uses automation and a prevention-first approach to block advanced and persistent threats.
The Cyware Protect app built for the Orchestrate application helps security teams to perform asset management-related actions on the Cylance Protect application and enable security orchestration workflows. You can execute the following actions using the app.
Action Name | Description |
---|---|
Update Device | This action updates a specific device resource belonging to a tenant. |
Update Device Threat | This action updates the status of a convicted threat. |
Get Device by MAC Address | This action retrieves the details of a particular device using a MAC address. |
Get Threat Download Link | This action downloads a link for a given file with its SHA256 hash. |
Get List of Device Zones | This action retrieves a list of zones. |
Get Zone Details | This action retrieves the details of a particular zone. |
Get List of Zones | This action retrieves a list of zones. |
Remove Hash from Global List | This action removes a SHA256 hash from a global list. |
Get List of Global Lists | This action retrieves all the global white/black lists. |
Get List of Threat Devices | This action retrieves a list of devices affected by a specific threat. |
Get Device Threats | This action retrieves a list of threats found on a specific device. |
Get List of Devices | This action retrieves a list of devices. |
Get Device Details | This action retrieves the details of a particular device. |
Get List of Users | This action retrieves a list of users. |
Get User Details | This action retrieves the details of a particular user. |
Get List of Policies | This action retrieves a list of policies. |
Get Policy Details | This action retrieves the details of a particular policy. |
Get List of Threats | This action retrieves a list of threats. |
Get Threat Details | This action retrieves the details of a particular threat. |
Add Hash to Global List | This action adds a SHA256 hash to the global list. |
Configuration Parameters
The following configuration parameters are required for the Cylance Protect App to communicate with the Cylance Protect application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the Base URL for the Cylance Protect application. Example: "https://protectapi-XX.cylance.com" | Text | Required | |
Tenant ID | Specify the unique Tenant ID for your Cylance Protect application. Example: "xxxa3615-4392-42ea-a0cf-c86cfb8e9b9a" | Text | Required | |
Application ID | Specify the application ID for your Cylance Protect application. Example: "xxx6ba69-ee76-437f-b838-7162ea4b3596" | Text | Required | |
Application Secret | Enter the application secret key to authenticate the Cylance Protect application. | Text | Required |
Action: Get Threat Details
This action retrieves the details of a particular threat.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
SHA256 Hash | Enter the hash value to get the details of the associated threat. | Text | Required | Note: This action supports only SHA256 hash threat details. |
Example Input
[ { "sha256": "A8450E281F26963CB91656B71026E8578D9360F8653" } ]
Action: Update Device
This action updates a specific device resource belonging to a tenant.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the device ID to update the details. | Text | Required | |
Device Name | Enter the name of the device to update. Example: "Example Device Name" | Text | Required | |
Policy ID | Enter the Policy ID to update the device. Leave this field empty to remove the current policy from the device. | Text | Required | |
Add Zone IDs List | Enter the list of zone IDs to assign. | Any | Optional | |
Remove Zone IDs List | Enter the list of zone IDs to remove. | Any | Optional |
Example Input
[ { "device_id": "df14719e-f8a2-4b7e-97c6-90a6097c6e57", "device_name": "Example Device Name", "policy_id": "df14719e-f8a2-4b7e-97c6-90a6097c6e57" } ]
Action: Update Device Threat
This action updates the status of a convicted threat.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the device ID to update the threat details. | Text | Required | |
Threat ID | Enter the threat ID to map to the device. | Text | Required | |
Event Status | Enter the status for the convicted threat. Example: "Waive" | Text | Required | Allowed values: |
Example Input
[ { "device_id": "df14719e-f8a2-4b7e-97c6-90a6097c6e57", "threat_id": "3c15e582318cb4c93ac03ec2352383741", "event_status": "Waive" } ]
Action: Get Device by MAC Address
This action retrieves the details of a particular device using a MAC address.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
MAC Address | Enter the MAC address for the device. The format must be XX-XX-XX-XX-XX-XX or XX:XX:XX:XX:XX:XX | Text | Required |
Example Input
[ { "mac_address": "B8-86-87-17-9E-C9" } ]
Action: Get Threat Download Link
This action downloads a link for a given file with its SHA256 hash.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
SHA256 Hash | Enter the SHA256 hash to get the download link. | Text | Required |
Example Input
[ { "sha256": "5B01F3A4AFF63D51385BCB021F4B2AF39A67A8A38D1B9" } ]
Action: Get List of Device Zones
This action retrieves a list of zones.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the device ID to retrieve the list of device zones. | Text | Required | |
Page Number | Enter the page number to get the list of device zones. Example: "3" | Integer | Optional | Default value: |
Page Size | Enter the page size between the range 1-200 to list the result. Example: "8" | Integer | Optional | Default value: |
Example Input
[ { "device_id": "a5686a0e-da01-499e-9611-ef054d0a54cf" } ]
Action: Get Zone Details
This action retrieves the details of a particular zone.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Zone ID | Enter the zone ID to get the details. | Text | Required |
Example Input
[ { "zone_id": "19d64344-ba65-4964-9c67-b5520254620f" } ]
Action: Get List of Zones
This action retrieves a list of zones.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to get the list results. Example: "3" | Integer | Optional | Default value: |
Page Size | Enter the page size between the range 1-200 to list the result. Example: "8" | Integer | Optional | Default value: |
Example Input
[ { "page_number": "3", "page_size": "8" } ]
Action: Remove Hash from Global List
This action removes a SHA256 hash from a global list.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
SHA256 Hash | Enter the hash value to remove it from the global list. | Text | Required | |
List Type | Enter the list type to remove the hash value. Example: "GlobalQuarantine" | Text | Required | Allowed values: |
Example Input
[ { "sha256": "A8450E281F26963CB91656611026E8578D9360F8653", "list_type": "GlobalQuarantine" } ]
Action: Get List of Global Lists
This action retrieves all the global white/black lists.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to get the list. Example: "3" | Integer | Optional | Default value: |
Page Size | Enter the page size between the range 1-200 to list the result. Example: "8" | Integer | Optional | Default value: |
List Type ID | Enter the type ID to get the list. | Integer | Optional |
Example Input
[ { "page_number": "3", "page_size": "8", "list_type_id": "Example List ID" } ]
Action: Get List of Threat Devices
This action retrieves a list of devices affected by a specific threat.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
SHA256 Hash | Enter the hash value to get the list of threat devices. | Text | Required | |
Page Number | Enter the page number to get the list. Example: "3" | Integer | Optional | Default value: |
Page Size | Enter the page size between the range 1-200 to list the result. Example: "8" | Integer | Optional | Default value: |
Example Input
[ { "sha256": "A8450E281F26963CB916566118578D9360F8653", "page_number": "3", "page_size": "8" } ]
Action: Get Device Threats
This action retrieves a list of threats found on a specific device.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the device ID to retrieve the list of device threats. | Text | Required | |
Page Number | Enter the page number to get the list of device zones. Example: "2" | Integer | Optional | Default value: |
Page Size | Enter the page size between the range 1-200 to list the result. Example: "8" | Integer | Optional | Default value: |
Example Input
[ { "device_id": "a5686a0e-da01-499e-9611-ef054d0a54cf" } ]
Action: Get List of Devices
This action retrieves a list of devices.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to get the list. Example: "2" | Integer | Optional | Default value: |
Page Size | Enter the page size between the range 1-200 to list the result. Example: "8" | Integer | Optional | Default value: |
Example Input
[ { "page_number": "3", "page_size": "8" } ]
Action: Get Device Details
This action retrieves the details of a particular device.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the device's unique ID to get the details. | Text | Required |
Example Input
[ { "device_id": "a5686a0e-da01-499e-9611-ef054d0a54cf" } ]
Action: Get List of Users
This action retrieves a list of users.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to get the list. Example: "3" | Integer | Optional | Default value: |
Page Size | Enter the page size between the range 1-200 to list the result. Example: "8" | Integer | Optional | Default value: |
Example Input
[ { "page_number": "3", "page_size": "8" } ]
Action: Get User Details
This action retrieves the details of a particular user.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
User ID | Enter the user ID or user email address. | Text | Required |
Example Input
[ { "user_id": "fd992536-62b5-4a9e-bf6c-6d7033450f9d" } ]
Action: Get List of Policies
This action retrieves a list of policies.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to get the list. Example: "3" | Integer | Optional | Default value: |
Page Size | Enter the page size between the range 1-200 to list the result. Example: "8" | Integer | Optional | Default value: |
Example Input
[ { "page_number": "3", "page_size": "8" } ]
Action: Get Policy Details
This action retrieves the details of a particular policy.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Policy ID | Enter the policy ID to get the details. | Text | Required |
Example Input
[ { "policy_id": "2e47e80d-d6d9-4c60-8869-3b5566a82619" } ]
Action: Get List of Threats
This action retrieves a list of threats.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Page Number | Enter the page number to get the list. Example: "3" | Integer | Optional | |
Page Size | Enter the page size between the range 1-200 to list the result. Example: "8" | Integer | Optional | Default value: |
You can also pass additional parameters such as Start time and End time.
Example Input
[ { "page_number": "3", "page_size": "8" } ]
Action: Add Hash to Global List
This action adds a SHA256 hash to the global list.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
SHA256 Hash | Enter the hash value to add to the list. | Text | Required | |
List Type | Enter the list type to add the hash value. Example: "GlobalQuarantine" | Text | Required | Allowed values: |
Reason | Enter the reason for adding the hash value. Example: "malicious hash" | Text | Required | |
Category | Enter the category to add the hash value. This field is required only if the 'list_type' value is 'GlobalSafe'. Example: "AdminTool" | Text | Optional | Allowed values: |
Example Input
[ { "reason": "Malicious Hash Value", "sha256": "A8450E281F2B71026E8578D9360F8653", "list_type": "GlobalQuarantine", "category": "None" } ]
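A playbook that writes to the global lists benefits from checking its inputs against the constraints in the tables above before the action runs. The following is an added example, not part of the Cylance Protect app or the Orchestrate platform; the function names are hypothetical, and the only list types it accepts are the two this page names.

```python
import re

# Formats and ranges below come from the parameter tables on this page.
SHA256_RE = re.compile(r"[0-9A-Fa-f]{64}")  # 32-byte digest as 64 hex characters
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([-:])[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}")
LIST_TYPES = {"GlobalQuarantine", "GlobalSafe"}  # the two list types named on this page


def check_sha256(value):
    return isinstance(value, str) and SHA256_RE.fullmatch(value) is not None


def check_mac(value):
    # XX-XX-XX-XX-XX-XX or XX:XX:XX:XX:XX:XX; the backreference rejects mixed separators.
    return isinstance(value, str) and MAC_RE.fullmatch(value) is not None


def check_page_size(value):
    # The page's examples pass numbers as strings ("8"), so accept both forms.
    text = str(value)
    return re.fullmatch(r"[0-9]{1,3}", text) is not None and 1 <= int(text) <= 200


def validate_add_hash(item):
    """Return a list of problems with one 'Add Hash to Global List' input object."""
    errors = []
    if not check_sha256(item.get("sha256")):
        errors.append("sha256: expected 64 hex characters")
    list_type = item.get("list_type")
    if list_type not in LIST_TYPES:
        errors.append("list_type: expected GlobalQuarantine or GlobalSafe")
    if not str(item.get("reason") or "").strip():
        errors.append("reason: required")
    if list_type == "GlobalSafe" and not item.get("category"):
        errors.append("category: required when list_type is GlobalSafe")
    return errors


if __name__ == "__main__":
    # Constructed sample input; the hash is a dummy value, not a real indicator.
    sample = [{"sha256": "ab" * 32, "list_type": "GlobalSafe", "reason": "internal tool"}]
    for entry in sample:
        print(validate_add_hash(entry) or "ok")
```

An empty list from `validate_add_hash` means the object satisfies every constraint stated on this page; the Cylance API may still apply checks of its own.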