CylancePROTECT is an antivirus and application control solution for fixed-function devices that leverages artificial intelligence to detect and prevent malware from executing on endpoints in real time. CylanceV is a solution for local integration into network appliances, endpoint software, and services platforms.
This document provides information about the CylancePROTECT connector, which facilitates automated interactions, with a CylancePROTECT API server using FortiSOAR™ playbooks. Add the CylancePROTECT connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about devices connected to CylancePROTECT, retrieving a list of threats for a specific device from CylancePROTECT, and retrieving a list of device policies from CylancePROTECT.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.10.0 and later
Compatibility with CylancePROTECT Versions: v2 and later
For the procedure to install a connector, click here.
This section is optional and only required if you are going to perform the Update Device Information
operation. The Update Device Information
operation has the Field Value
as an input parameter. The Field Value
parameter requires to be in the dictionary (dict
) format. Following is the explanation of how the Field Value
parameter works and how you must enter the value for this parameter in FortiSOAR™. A Fields Value
parameter contains a Key-Value pair.
Key: The Key contains the name of the device or the policy ID of the device or the add zone IDs or the remove zone IDs.
Value: The value of the fields are in the following value formats:
{ "name": "string", "policy_id": "string:{policy guid}", "add_zone_ids": [“string:{zone guid}" ], "remove_zone_ids": [ “string:{zone guid}"] }
Example of what you can enter in the Device Schema
parameter in the Update Device Information
operation as an input:
{ "name": "prod", "policy_id": "0c9ca537-583f-406a-bf68-530421fadeee" }
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the CylancePROTECT connector and click Configureto configure the following parameters:
Parameter | Description |
---|---|
API Server URL | URL of the CylancePROTECT API server to which you will connect and perform the automated operations. |
Tenant ID | Tenant ID that you have been provided for your instance. |
Application ID | CylancePROTECT API application has a unique API ID that is used to create an authentication token that you can use to access the API. |
Application Secret | CylancePROTECT API application has a unique API Secret that is used to create an authentication token that you can use to access the API. |
API Token Timeout (1 - 1800 seconds) | Time in seconds after which the token for the CylancePROTECT API will timeout. For example, if you set this to 600 then after every 600 seconds the CylancePROTECT API will generate a new token. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Devices | Retrieves a list that contains the information about all the devices connected to CylancePROTECT. | get_endpoints Investigation |
Get Device Information | Retrieves information about a device that you have specified using the device ID. | get_endpoint_info Investigation |
Get Device Threats | Retrieves a list of threats associated with a device that you have specified using the device ID. | get_endpoint_threat Investigation |
Update Device Information | Updates information of a device on CylancePROTECT based on the device ID and parameters that you have specified. | update_endpoint Miscellaneous |
Update Device Threat | Updates the status that you have set for a specified filehash on a specific device on CylancePROTECT based on the device ID that you have specified. You can set the status for the threat as either Quarantine or Waive. | update_threat_status Miscellaneous |
Get Policies | Retrieves a list of policies associated with devices connected to CylancePROTECT. | get_policy Investigation |
Get Threat Details | Retrieves information about a threat that you have specified using the filehash (SHA256 only) value. | get_threat_details Investigation |
Get Threat Devices | Retrieves a list of devices on which the threat that you have specified using the filehash (SHA256 only) value is found. | get_endpoint_threat Investigation |
Get Threats | Retrieves a list of all threats detected on your organization's tenant(s) from CylancePROTECT. | get_threats Investigation |
Get Zones | Retrieves information about your organization's zones from CylancePROTECT. | |
Get Device Zones | Retrieves a list of zones that are assigned to the device you have specified using device ID. | |
Get Global List | Retrieves a list of of file hashes from the global quarantine list or the global safe list in CylancePROTECT. | get_files_details Investigation |
Block Hash | Adds a filehash to the global quarantine list or the global safe list in CylancePROTECT. | block_hash Containment |
Unblock Hash | Removes a filehash to the global quarantine list or the global safe list in CylancePROTECT. | unblock_hash Remediation |
Parameter | Description |
---|---|
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list containing the information of all the devices connected to CylancePROTECT.
Following image displays a sample output:
Parameter | Description |
---|---|
Device ID | Unique ID of the device for which you want to retrieve information from CylancePROTECT. |
The JSON output retrieves information about a device connected to CylancePROTECT based on the device ID you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
Device ID | Unique ID of the device for which you want to retrieve associated threats from CylancePROTECT. |
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list of threats associated with a device based on the device ID you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
Device ID | Unique ID of the device for which you want to update information in CylancePROTECT. |
Device Schema | This parameter must be in the dict format and contains a Key-Value pair. For more information, see the Working with the Field Value parameter section. |
The JSON output returns a Success
message if the specified device is updated with the specified inputs, or an Error
message containing the reason for failure.
Following image displays a sample output:
Parameter | Description |
---|---|
Device ID | Unique ID of the device for which you want to update threat status in CylancePROTECT. |
Filehash (Only SHA256) | Filehash of the threat whose status you want to update on the specific device in CylancePROTECT. |
Event | Status of the threat that you want to set. Choose between Quarantine or Waive. Important: You cannot change the status of the threat if you set the status of the threat to Quarantine. For example, if you have set the status of the threat to Quarantine, then you cannot change the status of this threat to Waive. However, if you have set the status of the threat to Waive, then you can change the status of this threat to Quarantine. |
The JSON output returns a Success
message if the specified device is updated with the status that you have set for the specified filehash, or an Error
message containing the reason for failure.
Following image displays a sample output:
Parameter | Description |
---|---|
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list of policies associated with devices connected to CylancePROTECT.
Following image displays a sample output:
Parameter | Description |
---|---|
Filehash (Only SHA256) | Filehash of the threat for which you want to retrieve information from CylancePROTECT. |
The JSON output retrieves information about the threat from CylancePROTECT based on the Filehash you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
Filehash (Only SHA256) | Filehash of the threat for which you want to retrieve associated device information from CylancePROTECT. |
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list of all devices on which the specified threat (using the threat's Filehash value) is found.
Following image displays a sample output:
Parameter | Description |
---|---|
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list of all threats detected on your organization's tenant(s) from CylancePROTECT.
Following image displays a sample output:
Parameter | Description |
---|---|
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves information about your organization's zones from CylancePROTECT.
Following image displays a sample output:
Parameter | Description |
---|---|
Device ID | Unique ID of the device for which you want to retrieve zone information from CylancePROTECT. |
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list of zones that are assigned to the device you have specified using device ID.
Following image displays a sample output:
Parameter | Description |
---|---|
List Type | The list type to which the threat belongs. Choose between Global Quarantine List or Global Safe List. |
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list of file hashes from the Global Quarantine List or the Global Safe List in CylancePROTECT.
Following image displays a sample output:
Parameter | Description |
---|---|
Filehash (Only SHA256) | Filehash of the threat that you want to add to the Global Quarantine List or the Global Safe List in CylancePROTECT. |
List Type | The list type to which the threat belongs. Choose between Global Quarantine List or Global Safe List. |
Category | Required only if the list type is the Global Safe List. Choose one of the following categories: Drivers None Important: There are other categories, such as Admin Tool, Internal Application, etc, present in the Global Safe List, which are currently not supported. |
Reason | Reason why you want to add this file to the Global Quarantine List or the Global Safe List. |
File Name | (Optional) Name of the file that you want to add to the Global Quarantine List or the Global Safe List. |
The JSON output returns a Success
message if the filehash you have specified is successfully added to the Global Quarantine List or the Global Safe List in CylancePROTECT or an Error
message containing the reason for failure.
Following image displays a sample output:
Parameter | Description |
---|---|
Filehash (Only SHA256) | Filehash of the threat that you want to remove from the Global Quarantine List or Global Safe List in CylancePROTECT. |
List Type | The list type to which the threat belongs. Choose between Global Quarantine List or Global Safe List. |
The JSON output returns a Success
message if the filehash you have specified is successfully removed from the Global Quarantine List or the Global Safe List in CylancePROTECT or an Error
message containing the reason for failure.
Following image displays a sample output:
The Sample-CylancePROTECT-1.0.0
playbook collection comes bundled with the CylancePROTECT connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CylancePROTECT connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
CylancePROTECT is an antivirus and application control solution for fixed-function devices that leverages artificial intelligence to detect and prevent malware from executing on endpoints in real time. CylanceV is a solution for local integration into network appliances, endpoint software, and services platforms.
This document provides information about the CylancePROTECT connector, which facilitates automated interactions, with a CylancePROTECT API server using FortiSOAR™ playbooks. Add the CylancePROTECT connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving information about devices connected to CylancePROTECT, retrieving a list of threats for a specific device from CylancePROTECT, and retrieving a list of device policies from CylancePROTECT.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.10.0 and later
Compatibility with CylancePROTECT Versions: v2 and later
For the procedure to install a connector, click here.
This section is optional and only required if you are going to perform the Update Device Information
operation. The Update Device Information
operation has the Field Value
as an input parameter. The Field Value
parameter requires to be in the dictionary (dict
) format. Following is the explanation of how the Field Value
parameter works and how you must enter the value for this parameter in FortiSOAR™. A Fields Value
parameter contains a Key-Value pair.
Key: The Key contains the name of the device or the policy ID of the device or the add zone IDs or the remove zone IDs.
Value: The value of the fields are in the following value formats:
{ "name": "string", "policy_id": "string:{policy guid}", "add_zone_ids": [“string:{zone guid}" ], "remove_zone_ids": [ “string:{zone guid}"] }
Example of what you can enter in the Device Schema
parameter in the Update Device Information
operation as an input:
{ "name": "prod", "policy_id": "0c9ca537-583f-406a-bf68-530421fadeee" }
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the CylancePROTECT connector and click Configureto configure the following parameters:
Parameter | Description |
---|---|
API Server URL | URL of the CylancePROTECT API server to which you will connect and perform the automated operations. |
Tenant ID | Tenant ID that you have been provided for your instance. |
Application ID | CylancePROTECT API application has a unique API ID that is used to create an authentication token that you can use to access the API. |
Application Secret | CylancePROTECT API application has a unique API Secret that is used to create an authentication token that you can use to access the API. |
API Token Timeout (1 - 1800 seconds) | Time in seconds after which the token for the CylancePROTECT API will timeout. For example, if you set this to 600 then after every 600 seconds the CylancePROTECT API will generate a new token. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Devices | Retrieves a list that contains the information about all the devices connected to CylancePROTECT. | get_endpoints Investigation |
Get Device Information | Retrieves information about a device that you have specified using the device ID. | get_endpoint_info Investigation |
Get Device Threats | Retrieves a list of threats associated with a device that you have specified using the device ID. | get_endpoint_threat Investigation |
Update Device Information | Updates information of a device on CylancePROTECT based on the device ID and parameters that you have specified. | update_endpoint Miscellaneous |
Update Device Threat | Updates the status that you have set for a specified filehash on a specific device on CylancePROTECT based on the device ID that you have specified. You can set the status for the threat as either Quarantine or Waive. | update_threat_status Miscellaneous |
Get Policies | Retrieves a list of policies associated with devices connected to CylancePROTECT. | get_policy Investigation |
Get Threat Details | Retrieves information about a threat that you have specified using the filehash (SHA256 only) value. | get_threat_details Investigation |
Get Threat Devices | Retrieves a list of devices on which the threat that you have specified using the filehash (SHA256 only) value is found. | get_endpoint_threat Investigation |
Get Threats | Retrieves a list of all threats detected on your organization's tenant(s) from CylancePROTECT. | get_threats Investigation |
Get Zones | Retrieves information about your organization's zones from CylancePROTECT. | |
Get Device Zones | Retrieves a list of zones that are assigned to the device you have specified using device ID. | |
Get Global List | Retrieves a list of of file hashes from the global quarantine list or the global safe list in CylancePROTECT. | get_files_details Investigation |
Block Hash | Adds a filehash to the global quarantine list or the global safe list in CylancePROTECT. | block_hash Containment |
Unblock Hash | Removes a filehash to the global quarantine list or the global safe list in CylancePROTECT. | unblock_hash Remediation |
Parameter | Description |
---|---|
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list containing the information of all the devices connected to CylancePROTECT.
Following image displays a sample output:
Parameter | Description |
---|---|
Device ID | Unique ID of the device for which you want to retrieve information from CylancePROTECT. |
The JSON output retrieves information about a device connected to CylancePROTECT based on the device ID you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
Device ID | Unique ID of the device for which you want to retrieve associated threats from CylancePROTECT. |
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list of threats associated with a device based on the device ID you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
Device ID | Unique ID of the device for which you want to update information in CylancePROTECT. |
Device Schema | This parameter must be in the dict format and contains a Key-Value pair. For more information, see the Working with the Field Value parameter section. |
The JSON output returns a Success
message if the specified device is updated with the specified inputs, or an Error
message containing the reason for failure.
Following image displays a sample output:
Parameter | Description |
---|---|
Device ID | Unique ID of the device for which you want to update threat status in CylancePROTECT. |
Filehash (Only SHA256) | Filehash of the threat whose status you want to update on the specific device in CylancePROTECT. |
Event | Status of the threat that you want to set. Choose between Quarantine or Waive. Important: You cannot change the status of the threat if you set the status of the threat to Quarantine. For example, if you have set the status of the threat to Quarantine, then you cannot change the status of this threat to Waive. However, if you have set the status of the threat to Waive, then you can change the status of this threat to Quarantine. |
The JSON output returns a Success
message if the specified device is updated with the status that you have set for the specified filehash, or an Error
message containing the reason for failure.
Following image displays a sample output:
Parameter | Description |
---|---|
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list of policies associated with devices connected to CylancePROTECT.
Following image displays a sample output:
Parameter | Description |
---|---|
Filehash (Only SHA256) | Filehash of the threat for which you want to retrieve information from CylancePROTECT. |
The JSON output retrieves information about the threat from CylancePROTECT based on the Filehash you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
Filehash (Only SHA256) | Filehash of the threat for which you want to retrieve associated device information from CylancePROTECT. |
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list of all devices on which the specified threat (using the threat's Filehash value) is found.
Following image displays a sample output:
Parameter | Description |
---|---|
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list of all threats detected on your organization's tenant(s) from CylancePROTECT.
Following image displays a sample output:
Parameter | Description |
---|---|
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves information about your organization's zones from CylancePROTECT.
Following image displays a sample output:
Parameter | Description |
---|---|
Device ID | Unique ID of the device for which you want to retrieve zone information from CylancePROTECT. |
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list of zones that are assigned to the device you have specified using device ID.
Following image displays a sample output:
Parameter | Description |
---|---|
List Type | The list type to which the threat belongs. Choose between Global Quarantine List or Global Safe List. |
Page Number | (Optional) Page number from which you want to request for data. This is optional query string parameter and if you do not specify any value, then this defaults to 1 . |
Record Per Page | (Optional) Number of records that you want to retrieve per page. This is optional query string parameter and if you do not specify any value, then this defaults to 100 . |
The JSON output retrieves a list of file hashes from the Global Quarantine List or the Global Safe List in CylancePROTECT.
Following image displays a sample output:
Parameter | Description |
---|---|
Filehash (Only SHA256) | Filehash of the threat that you want to add to the Global Quarantine List or the Global Safe List in CylancePROTECT. |
List Type | The list type to which the threat belongs. Choose between Global Quarantine List or Global Safe List. |
Category | Required only if the list type is the Global Safe List. Choose one of the following categories: Drivers None Important: There are other categories, such as Admin Tool, Internal Application, etc, present in the Global Safe List, which are currently not supported. |
Reason | Reason why you want to add this file to the Global Quarantine List or the Global Safe List. |
File Name | (Optional) Name of the file that you want to add to the Global Quarantine List or the Global Safe List. |
The JSON output returns a Success
message if the filehash you have specified is successfully added to the Global Quarantine List or the Global Safe List in CylancePROTECT or an Error
message containing the reason for failure.
Following image displays a sample output:
Parameter | Description |
---|---|
Filehash (Only SHA256) | Filehash of the threat that you want to remove from the Global Quarantine List or Global Safe List in CylancePROTECT. |
List Type | The list type to which the threat belongs. Choose between Global Quarantine List or Global Safe List. |
The JSON output returns a Success
message if the filehash you have specified is successfully removed from the Global Quarantine List or the Global Safe List in CylancePROTECT or an Error
message containing the reason for failure.
Following image displays a sample output:
The Sample-CylancePROTECT-1.0.0
playbook collection comes bundled with the CylancePROTECT connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CylancePROTECT connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.