P-CylancePROTECT Product Package

CylancePROTECT is an integrated threat prevention solution that combines the power of artificial intelligence (AI) to block malware infections with additional security controls that safeguard against script-based, fileless, memory, and external device-based attacks. This package focuses on the AntiVirus component of the CylancePROTECT solution. CylancePROTECT version 2.0 is supported by this package.

Authors:

Beirne Konarski (Micro Focus Professional Services)

Main Use Cases - User stories

This package supports Use Cases and User Stories for the following Activate Framework Packages:

L1 Malware Monitoring User Stories

  • Resolved Malware Events

  • Quarantined Malware Events

  • Unresolved Malware Events

  • Same Malware Infected Multiple Times a Host

  • Multiple Different Malware Infections in Host

L2 Malware Monitoring User Stories

  • Malware Outbreak ( per malware )

  • Malware Outbreak in Zone

  • Malware Outbreak in DMZ Zone

  • Same Malware Infected Multiple Times a Critical Host

  • Same Malware Infected Several Hosts in Zone

  • Same Malware Infected Several Hosts in DMZ Zone

  • Several Different Malware Infection detected in Critical Host

  • Several Different Malware Infection detected in DMZ Zone

  • Unresolved Malware on Critical Host

  • Unresolved Malware on DMZ Host

L1 Entity Monitoring Use Cases

  • Entity Authentication
  • Entity Management - Future use case. The FlexConnector does not yet handle these events.

L2 Entity Monitoring Use Cases

  • Privileged User Account Authentication - Future use case. The FlexConnector does not yet handle these events.
  • Privileged User Account Management - Future use case. The FlexConnector does not yet handle these events.

L1 Data Security Monitoring - DLP

  • Removable Device Block Tracking

Supported Log Sources

Here are the log source types supported by this package as delivered:

Vendor    Product          Version(s)   Comments
Cylance   CylancePROTECT   2.0

Package Download Instructions

The latest package can be downloaded from the ArcSight Marketplace website.

Package Installation

Prerequisites

Ensure that the following prerequisites are met:

  • The FlexConnector for CylancePROTECT is set up. The FlexConnector guide in the Marketplace contains the procedure.

  • Activate Base package version 2.5.1.0 or newer is installed (required package).

  • ESM is set up to sort packages by their IDs:

    - Open the ESM server.properties file (<ARCSIGHT_HOME>/manager/config)

    - Add the following line:

    export.archive.reference.sort.order=id

  • For ESM in Compact Mode: restart the ESM Manager.

    For ESM in Distributed Mode: restart the ESM Manager, Aggregator(s), and Correlator(s). The property only takes effect after the restart.
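The server.properties change above, done from a shell on the Manager host so that it can be repeated safely. This is an added example and is not part of the P-CylancePROTECT package or of ArcSight's own tooling; the ARCSIGHT_HOME layout and the .bak file name are assumptions. Unlike a plain `echo >> server.properties`, it rewrites an existing export.archive.reference.sort.order line that carries a different value instead of appending a second one, leaves commented-out lines alone, keeps a backup, and reports whether anything changed so you know whether the Manager restart is actually needed.

```shell
#!/bin/sh
# Added example, not part of the P-CylancePROTECT package or ArcSight's tooling:
# idempotently set export.archive.reference.sort.order=id in the ESM Manager's
# server.properties. ARCSIGHT_HOME and the .bak file name are assumptions.

# get_property FILE KEY: print the effective value of KEY (last uncommented
# occurrence wins, as a properties reader would see it); empty if absent.
get_property() {
    awk -v key="$2" -F= '
        /^[[:space:]]*#/ { next }                      # skip commented-out lines
        {
            k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                last = v
            }
        }
        END { print last }' "$1"
}

# ensure_property FILE KEY VALUE: make FILE contain exactly one uncommented
# KEY=VALUE line. Prints "unchanged" and touches nothing if the value is already
# in place, so the caller knows whether a Manager restart is really required.
ensure_property() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || { echo "ensure_property: no such file: $file" >&2; return 1; }
    if [ "$(get_property "$file" "$key")" = "$value" ]; then
        echo "unchanged: $key=$value"
        return 0
    fi
    cp "$file" "$file.bak"                 # keep a copy before touching Manager config
    tmp="$file.tmp.$$"
    if ! awk -v key="$key" -v value="$value" -F= '
        /^[[:space:]]*#/ { print; next }                # leave comments alone
        {
            k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                if (!done) { print key "=" value; done = 1 }   # rewrite first hit
                next                                           # drop later duplicates
            }
            print
        }
        END { if (!done) print key "=" value }' "$file" > "$tmp"; then
        rm -f "$tmp"; echo "ensure_property: rewrite of $file failed" >&2; return 1
    fi
    mv "$tmp" "$file"
    echo "set: $key=$value (restart the ESM Manager for this to take effect)"
}

# Typical call on the Manager host (assumed layout; skipped when ARCSIGHT_HOME is unset):
if [ -n "${ARCSIGHT_HOME:-}" ] && [ -f "$ARCSIGHT_HOME/manager/config/server.properties" ]; then
    ensure_property "$ARCSIGHT_HOME/manager/config/server.properties" \
        export.archive.reference.sort.order id
fi
```

Run it as the user that owns the Manager installation; in Distributed Mode repeat it on each host whose server.properties you maintain separately, and restart the components listed above only where the function reported "set".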

Package Install

1. Download P-CylancePROTECT_X.X.X.X.zip and extract it into your ArcSight Console's home directory (ARCSIGHT_HOME).
2. Open a command prompt and navigate to ARCSIGHT_HOME.
3. Execute the P-CylancePROTECTX.X.X.X.bat file to install the package.
4. You will be prompted for the Manager hostname and port, and for a username and password. The password is echoed in cleartext on the screen, so run the installer from a console that is not shared, projected or recorded.
5. If you run into any issues, the errors are displayed in the command prompt window.
6. After the installation, the P-CylancePROTECT package is listed in the ArcSight Console on the Navigator panel, Packages tab (see the Package_Import screenshots attached to this topic).
7. You can now delete the installation files from ARCSIGHT_HOME:
  • P-CylancePROTECT_X.X.X.X.arb
  • P-CylancePROTECTX.X.X.X.bat

Content Hooks for Product Packages

As a guideline, follow the procedure below to hook the CylancePROTECT product filters into the L1 framework filters. The example uses the "All Quarantined Malware Events" filter and shows how to OR in the product filters of several AV products.

1. In the Navigator panel select Filters and expand the tree to /All Filters/ArcSight Activate/Solutions/Malware Monitoring/Indicators and Warnings/All Quarantined Malware Events.
2. Double-click the filter to open the Inspect/Edit panel with the filter attributes. Select the Filter tab, select the event1 node and click Filters. In the window that opens select CylancePROTECT All Quarantined Malware and click OK.
3. The CylancePROTECT All Quarantined Malware filter now appears in the Filter tab. If there are several AV products in the environment, add their product filters joined by an OR condition, as in the following steps.
4. For an L1 filter that needs more than one nested product filter, first click the OR icon so that an OR condition appears in the Conditions window. In this example, double-click /All Filters/ArcSight Activate/Solutions/Malware Monitoring/Indicators and Warnings/All Quarantined Malware Events and, on the Conditions tab, click the OR icon.
5. Click the Filters icon and, in the window that opens, select /All Filters/ArcSight Activate/Core/Product Filters/CylancePROTECT/Suspicious Events/AV Suspicious Events/CylancePROTECT All Quarantined Malware and /All Filters/ArcSight Activate/Core/Product Filters/McAfee ePO - Endpoint Security/Product Specific/AV Suspicious Events/McAfee All ENS Quarantined Malware. Click OK.
6. The two product package filters now appear OR'ed inside the L1 filter.

Use the same steps to configure the corresponding filters of the L1-Malware Monitoring, L1-Entity Monitoring and L1-Data Security Monitoring Indicators and Warnings packages. The L1 filter and the P-CylancePROTECT product filter to nest in it are listed in pairs below.

L1-Malware Monitoring (L1 filter / P-CylancePROTECT product filter)

All Resolved Malware Events
  • L1 filter: /All Filters/ArcSight Activate/Solutions/Malware Monitoring/Indicators and Warnings/All Resolved Malware Events
  • Product filter: /All Filters/ArcSight Activate/Core/Product Filters/CylancePROTECT/Suspicious Events/CylancePROTECT All Resolved Malware Events
All Unresolved Malware Events
  • L1 filter: /All Filters/ArcSight Activate/Solutions/Malware Monitoring/Indicators and Warnings/All Unresolved Malware Events
  • Product filter: /All Filters/ArcSight Activate/Core/Product Filters/CylancePROTECT/Suspicious Events/CylancePROTECT All Unresolved Malware Events
All Quarantined Malware Events
  • L1 filter: /All Filters/ArcSight Activate/Solutions/Malware Monitoring/Indicators and Warnings/All Quarantined Malware Events
  • Product filter: /All Filters/ArcSight Activate/Core/Product Filters/CylancePROTECT/Suspicious Events/CylancePROTECT All Quarantined Malware

L1-Entity Monitoring (L1 filter / P-CylancePROTECT product filter)

User Account Logon
  • L1 filter: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logon
  • Product filter: /All Filters/ArcSight Activate/Core/Product Filters/Product Filters/CylancePROTECT/Entity Authentication/CylancePROTECT User Logs into Device

Note that the User Account Logon hook detects users logging on to devices monitored by CylancePROTECT, not administrators logging in to the CylancePROTECT console. Also, Cylance does not provide a logoff event, so only configure this hook if you want the terminated user use case and accept that session tracking ends by timeout rather than on an actual logoff.

L1-Data Security Monitoring - DLP (L1 filter / P-CylancePROTECT product filter)

Removable Storage Device Blocked
  • L1 filter: /All Filters/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention/Removable Storage Device Blocked
  • Product filter: /All Filters/ArcSight Activate/Core/Product Filters/Product Filters/CylancePROTECT/Data Security Suspicious Events/CylancePROTECT USB Device Blocked

Package Uninstallation

NOTE: Before uninstalling this package, remove the CylancePROTECT product filters from every L1 filter condition you configured in the Content Hooks section. Otherwise those L1 filters keep referencing the deleted P-CylancePROTECT filters and become BROKEN RESOURCES.

1. In the Packages tab, right-click the P-CylancePROTECT package.

2. Click Delete Package.

3. Click Delete.
4. Click OK.
5. Click OK.
6. Click OK.
7. The P-CylancePROTECT package should no longer be listed.

Test Plan

PCylancePROTECTTestPlan describes CylancePROTECT package testing.

Extensibility

Resources

The link below contains a table of all resources included in this package:

-- BeirneKonarski - 27 Sep 2018
Topic attachments

  • 12_x.sdkibdatabase.properties (6.4 K, 27 Apr 2016 14:26, JanStodola) - SEP Parser Override
  • Package_Import.png (13.6 K, 27 Apr 2016 14:51, JanStodola) - Package Install
  • Package_Import_1.jpg (39.2 K, 27 Apr 2016 15:31, JanStodola)
  • Package_Import_2.jpg (36.6 K, 27 Apr 2016 15:37, JanStodola)
  • Package_Import_3.jpg (53.4 K, 27 Apr 2016 15:38, JanStodola)
  • Package_Uninstall_1.jpg (113.3 K, 27 Apr 2016 15:40, JanStodola)
  • Package_Uninstall_2.jpg (14.5 K, 27 Apr 2016 15:40, JanStodola)
  • Package_Uninstall_3.jpg (18.0 K, 27 Apr 2016 15:41, JanStodola)
  • Package_Uninstall_4.jpg (30.5 K, 27 Apr 2016 15:41, JanStodola)
  • Package_Uninstall_5.jpg (38.5 K, 27 Apr 2016 15:42, JanStodola)
  • Package_Uninstall_6.jpg (107.8 K, 27 Apr 2016 15:42, JanStodola)
  • SymantecEndpointProtectionConnectorConfiguration.docx (797.6 K, 27 Apr 2016 14:19, JanStodola) - SEP Connector Configuration
Topic revision: r5 - 27 Sep 2018, BeirneKonarski


 

