Download package checksums (SHA256)

SHA256 checksum (cylanceprotect-app-for-splunk_154.tgz) b5410aa78b6f956975fb3c6bc099e5a7db6fa5f1570a068863ac3ba60c117f48
SHA256 checksum (cylanceprotect-app-for-splunk_150.tgz) 744916c8ccf4a8bd9cbba5cb3dcf740782978acff478ad20e581661c23556804
SHA256 checksum (cylanceprotect-app-for-splunk_149.tgz) 13b1f6b24d48f7190ac8db4417c17fc316f3729b2b3b3507d444f469ead977ee
SHA256 checksum (cylanceprotect-app-for-splunk_148.tgz) 0c5ca3e3c9e6e1a5107d36508364be5691b14fb1f6bef6cff3e049e6fbbb90f5
SHA256 checksum (cylanceprotect-app-for-splunk_147.tgz) a04a0e26f8f3f32fc159cef1362e916e0a7cc248d129e38b5d2e4b1d09d906e5
SHA256 checksum (cylanceprotect-app-for-splunk_146.tgz) be7dbd3a013713023e4796802de1c0f2537f24a4a358ab0d50c44d156ceccdfa
SHA256 checksum (cylanceprotect-app-for-splunk_145.tgz) ef4afc6c4691555dd1b5e337408a1e1492f8a15cbe67b35d8d88fadacea7f164
SHA256 checksum (cylanceprotect-app-for-splunk_144.tgz) 1d2c67896a7e4fe6063ac14b5228c8ae455f380fd63435e9798273c5e623d9ef
SHA256 checksum (cylanceprotect-app-for-splunk_143.tgz) 8ca9f1cf84ba99d71ccd18f32505edc54e88499ab210c2e8f5103867cd26debd
SHA256 checksum (cylanceprotect-app-for-splunk_142.tgz) 0de7212eed185ccdd51dc8d1d73b738cafc7d315d5605fdae988430a79f4c5dd
SHA256 checksum (cylanceprotect-app-for-splunk_141.tgz) f56a0e271bf29f619fe8de1d4589fbdfdadfad59733de0e68ffb2212fec33e64
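Checking a downloaded .tgz against the published digest before it goes anywhere near a search head is the one supply-chain control these checksums exist for. The block below is an added example, not code from the Splunkbase page or from the Cylance app: it parses the listing above in its own "SHA256 checksum (file) hex" format, streams the local file through SHA-256 and compares the result in constant time. The two listing entries embedded in the block are copied from the list above; the package path is whatever you downloaded, and a file name that does not appear in the listing fails closed rather than being trusted.

```python
"""Verify a Splunkbase package download against its published SHA256 checksum.

Added example (not part of the Splunkbase page or the CylancePROTECT app).
The listing text is copied from the page's download dialog; add further
entries in the same format as needed.
"""
import hashlib
import hmac
import re
import sys
from pathlib import Path

# Copied from the Splunkbase download dialog (two of the published entries).
PUBLISHED_CHECKSUMS = """
SHA256 checksum (cylanceprotect-app-for-splunk_154.tgz) b5410aa78b6f956975fb3c6bc099e5a7db6fa5f1570a068863ac3ba60c117f48
SHA256 checksum (cylanceprotect-app-for-splunk_150.tgz) 744916c8ccf4a8bd9cbba5cb3dcf740782978acff478ad20e581661c23556804
"""

# Matches the page's format whether entries are on separate lines or run together.
_ENTRY = re.compile(r"SHA256 checksum \(([^)]+)\)\s+([0-9a-fA-F]{64})")


def parse_checksums(text):
    """Return {file name: lowercase hex digest} from the Splunkbase listing text."""
    return {name: digest.lower() for name, digest in _ENTRY.findall(text)}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large .tgz never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, expected_hex):
    """True only if the file's SHA-256 equals the published digest.

    compare_digest avoids a timing side channel; irrelevant for a local file
    but the right habit for any digest comparison.
    """
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def verify_download(path, listing=PUBLISHED_CHECKSUMS):
    """Look the file up by name in the listing and verify it; unknown names fail closed."""
    expected = parse_checksums(listing).get(Path(path).name)
    if expected is None:
        return False
    return verify_package(path, expected)


if __name__ == "__main__":
    package = sys.argv[1]
    ok = verify_download(package)
    print(f"{package}: {'OK' if ok else 'MISMATCH or file not in listing'}")
    sys.exit(0 if ok else 1)
```

Run it with the path of the downloaded package as the only argument; a non-zero exit means the digest did not match or the file name is not in the embedded listing. Extend PUBLISHED_CHECKSUMS with the other entries from the list above if you need to verify an older version.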


CylancePROTECT App for Splunk

Splunk AppInspect Passed
The Cylance PROTECT Application for Splunk enables security professionals and administrators to monitor for high-risk threats in their organization by driving custom searches, reports, and alerts using the Cylance PROTECT data. It lets users monitor, track, and analyze threat data and activity across their environment using pre-set dashboard views and reports for Threat and Device Management. The dashboards, reports, and searches can be further customized and provide drill-down capability for all data, so users can perform in-depth analysis and investigation. The application can be configured with Cylance Syslog and/or the Cylance Threat Data Report (TDR).

Where to place the app and TA:
- Matching TA (for Indexers and Forwarders) found here: https://splunkbase.splunk.com/app/3709/

Installation guide found here: https://support.cylance.com/s/article/ka044000000XoqLAAS/CylancePROTECT-Application-for-Splunk59

Note: The installation guide requires authentication to the support portal.

Placement:
1) This app should be installed on your search heads.
2) If only using the syslog data feed: our TA (found here: https://splunkbase.splunk.com/app/3709/) should be installed on indexers and forwarders.
3) If using the optional TDR data: our full app should be installed on the heavy forwarder, which makes TDR ingestion easier to configure.

Release Notes

Version 1.5.4
April 23, 2019

ADDITIONS
- Added Wildcard search to Auditing dashboard
- Syslog Overview -> Correlation search to add Zone information to Audit Log Threats Waived panel
- Syslog Optics parsing in props and transforms
- Syslog Optics Overview dashboard
- Syslog Optics File, Process, Memory, Network, and Registry dashboards

REMOVALS
- Syslog Overview - Submit button removed to keep consistent
- Syslog Overview - actions field from Threats - always shows unknown
- Syslog Threats - actions field from Threats - always shows unknown

FIXES
- Syslog Overview - Unique Devices query fix - added NOT "Device Names" NOT AuditLog
- Syslog Device Summary Count fix - NOT sourcetype="syslog_audit_log"
- Corrected typo in API connector usage table (api_connector)
- APP and TA - OS parsing issue
  [syslog_device]: EXTRACT-OS = OS:\s(?P<OS>.*) --> EXTRACT-OS=OS:\s(?P<OS>.*)?,
- Bug in source populating search on audit dashboard changed to syslog* - | tstats count where `cylance_index` AND sourcetype=syslog* by source | table source
...

Version 1.5.0
June 5, 2018

ADDITIONS
- Searches and Reports -> Unique Threats: Added Cylance Score
- Searches and Reports -> New Threats: Added DeviceName and Score
- Operation Center -> Syslog Device Summary: Added sort 0 to Devices Online and Devices Offline
- Added framework for APIv2 communication - dashboard and bin

REMOVALS
- N/A

CHANGES
- Decoupled the cylance_index macro from eventtypes.conf - https://answers.splunk.com/answers/354859/why-does-an-eventtype-calling-a-macro-only-fails-i.html
- This was causing issues in distributed environments

FIXES
- N/A

Version 1.4.9
March 23, 2018

ADDITIONS
- Searches and Reports -> Unique Threats: Added Cylance Score
- Searches and Reports -> New Threats: Added DeviceName and Score
- Operation Center -> Syslog Device Summary: Added sort 0 to Devices Online and Devices Offline
- Added framework for APIv2 communication - dashboard and bin

REMOVALS
- N/A

CHANGES
- Decoupled the cylance_index macro from eventtypes.conf - https://answers.splunk.com/answers/354859/why-does-an-eventtype-calling-a-macro-only-fails-i.html
- This was causing issues in distributed environments

FIXES
- N/A

Version 1.4.8
March 22, 2018

ADDITIONS
- Searches and Reports -> Unique Threats: Added Cylance Score
- Searches and Reports -> New Threats: Added DeviceName and Score
- Operation Center -> Syslog Device Summary: Added sort 0 to Devices Online and Devices Offline
- Added framework for APIv2 communication - dashboard and bin

REMOVALS
- None

CHANGES
- Decoupled the cylance_index macro from eventtypes.conf - https://answers.splunk.com/answers/354859/why-does-an-eventtype-calling-a-macro-only-fails-i.html
- This was causing issues in distributed environments

FIXES
- None

Version 1.4.7
Jan. 18, 2018

ADDITIONS
- macros.conf file created to specify the `cylance_index`: definition = index=protect OR index=cylance_protect
- props/transforms.conf added TRANSFORMS-devicehostname_ns = protecthostname_ns to rename host field for threat.py events
- eventtype and tag permissions set in default.meta to better expose data to Splunk ES
- Added syslog indicator correlation (tools -> Syslog Indicator Correlation)
- Added top policy and top zone to TDR device summary
- Added wildcard search to the indicator correlation dashboards
- Added top devicename w/ zonename to syslog exploits
- Added top devicename w/ zonename to syslog script control
- Added syslog threat detail dashboard (Threat Center -> Syslog Threat Detail)
- Added FilePath to Syslog Overview Top Script Control Interpreter Panel Drilldown

CHANGES
- eventtype=cylance_index now uses a macro: `cylance_index`
- All syslog dashboards now use the `cylance_index` macro to populate the Tenant dropdown
- TDR Device Summary - improved drilldown of third row

Version 1.4.6
Oct. 18, 2017


ADDITIONS
- Added ZoneNames parsing to syslog_device to accommodate new tenant field
- Added ZoneNames to Overview dashboard under Script Control Panel
- Auditing dashboard panels all operate based on time range picker
- Protection Center tab added
- Syslog Threats (syslog_threats) Dashboard added under Threat Center Menu
- Syslog Exploits (syslog_exploits) Dashboard added under Protection Center Menu
- Syslog Script Control (syslog_script_control) Dashboard added under Protection Center Menu
- Syslog App Control (syslog_app_control) Dashboard added under Protection Center Menu
- Syslog Device Control (syslog_device_control) Dashboard added under Protection Center Menu
- Improved CIM compliance using Alias tagging for syslog exploits, script control, app control, and device control
- Syslog Overview Total Device
- Syslog Overview dashboard - Top Threat FileType panel drilldown now displayed in a table
-- snip --

Version 1.4.5
Oct. 18, 2017


ADDITIONS
- Added ZoneNames parsing to syslog_device to accommodate new tenant field
- Added ZoneNames to Overview dashboard under Script Control Panel
- Auditing dashboard panels all operate based on time range picker
- Protection Center tab added
- Syslog Threats (syslog_threats) Dashboard added under Threat Center Menu
- Syslog Exploits (syslog_exploits) Dashboard added under Protection Center Menu
- Syslog Script Control (syslog_script_control) Dashboard added under Protection Center Menu
- Syslog App Control (syslog_app_control) Dashboard added under Protection Center Menu
- Syslog Device Control (syslog_device_control) Dashboard added under Protection Center Menu
- Improved CIM compliance using Alias tagging for syslog exploits, script control, app control, and device control
- Syslog Overview Total Device
- Syslog Overview dashboard - Top Threat FileType panel drilldown now displayed in a table
-- snip --

Version 1.4.4
July 13, 2017


ADDITIONS
- Now officially parsing and displaying real-time syslog data
- Updated default props from index=protect to index=cylance_protect
- Updated eventtype=cylance_index to now include index=cylance_protect (backward and forward compatible)
- Replaced Tenant populating searches with faster tstats search
- Updated URL in About.html - SPL-167
- Added wildcard searches to dashboards
- Removed sdkjavascript from the app since the path was too long for Windows installations
- New dashboards:
- Syslog Overview
- Syslog Threats
- Syslog Device Summary
- Auditing
- Indicator Correlation
- Data Sources
- sourcetype=syslog_audit_log:
- sourcetype=syslog_device_control:

REMOVALS
- None

CHANGES
- Navigation menu

FIXES
- Improved backwards compatibility by converting About dashboard to not use "Convert to HTML" Splunk Libraries - SPL-155
- Date sorting fixed for First Found/Last Found in New Threats - Last 30 days panel - SPL-166
- local.meta and props
--snip--

Version 1.4.3
July 11, 2017


ADDITIONS
- Now officially parsing and displaying real-time syslog data
- Updated default props from index=protect to index=cylance_protect
- Updated eventtype=cylance_index to now include index=cylance_protect (backward and forward compatible)
- Replaced Tenant populating searches with faster tstats search
- Updated URL in About.html - SPL-167
- Added wildcard searches to dashboards
- Removed sdkjavascript from the app since the path was too long for Windows installations
- New dashboards:
- Syslog Overview
- Syslog Threats
- Syslog Device Summary
- Auditing
- Indicator Correlation
- Data Sources
- sourcetype=syslog_audit_log:
- sourcetype=syslog_device_control:

REMOVALS
- None

CHANGES
- Navigation menu

FIXES
- Improved backwards compatibility by converting About dashboard to not use "Convert to HTML" Splunk Libraries - SPL-155
- Date sorting fixed for First Found/Last Found in New Threats - Last 30 days panel - SPL-166
- local.meta and props
--snip--

Version 1.4.2
July 10, 2017

Version 1.4.2 Released 2017-07-05

ADDITIONS
- Now officially parsing and displaying real-time syslog data
- Updated default props from index=protect to index=cylance_protect
- Updated eventtype=cylance_index to now include index=cylance_protect (backward and forward compatible)
- Replaced Tenant populating searches with faster tstats search
- Updated URL in About.html - SPL-167
- Added wildcard searches to dashboards
- Removed sdkjavascript from the app since the path was too long for Windows installations
- New dashboards:
- Syslog Overview
- Syslog Threats
- Syslog Device Summary
- Auditing
- Indicator Correlation
- Data Sources
- sourcetype=syslog_audit_log:
- sourcetype=syslog_device_control:

REMOVALS
- None

CHANGES
- Navigation menu

FIXES
- Improved backwards compatibility by converting About dashboard to not use "Convert to HTML" Splunk Libraries - SPL-155
- Date sorting fixed for First Found/Last Found in New Threats - Last 30 days panel - SPL-166
--snip--

Version 1.4.1
Jan. 13, 2017


Note: before deleting a tenant, read the information on the ConfigureTenants page - the 'can_delete' role needs to be configured.

ADDITIONS
- None

REMOVALS
- None

CHANGES
- None

FIXES
- Prefix tenant entries with tag in conf file (used for internal distinction made between tenant and non-tenant entries) [#156]

472 Installs
3,625 Downloads

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
