CylancePROTECT connector predicts, prevents, and protects against threats on devices
This document provides information about the CylancePROTECT connector, which facilitates automated interactions with a CylancePROTECT server using FortiSOAR™ playbooks. Add the CylancePROTECT connector as a step in FortiSOAR™ playbooks and perform automated operations with CylancePROTECT.
Connector Version: 1.1.1
Authored By: Fortinet
Certified: No
The following enhancements have been made to the CylancePROTECT connector in version 1.1.1:
Updated the pyjwt and pandas dependencies to be compatible with Python v3.9.
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-cylance-protect
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the CylancePROTECT connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| API Server URL | URL of the CylancePROTECT API server to which you will connect and perform the automated operations. |
| Tenant ID | Tenant ID that you have been provided for your instance. |
| Application ID | CylancePROTECT API application has a unique API ID that is used to create an authentication token that you can use to access the API. |
| Application Secret | CylancePROTECT API application has a unique API Secret that is used to create an authentication token that you can use to access the API. |
| API Token Timeout (1-1800 Seconds) | Time in seconds after which the token for the CylancePROTECT API times out. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is selected, i.e., set to true. |
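The Application ID, Application Secret, Tenant ID and API Token Timeout settings above exist because the CylancePROTECT API hands out short-lived access tokens in exchange for a signed JWT. The following is an added example (not the connector's own code) that builds such a token with only the Python standard library, enforces the documented 1-1800 second timeout window, and re-verifies the result locally with a constant-time signature check. The claim names (iss, sub, tid, jti, iat, exp), the /auth/v2/token path and the {"auth_token": ...} request body are assumptions about the CylancePROTECT API, and every configuration value in CONFIG is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Values as named on the connector's Configurations tab. All of these are
# constructed placeholders, not real credentials or a real server.
CONFIG = {
    "api_server_url": "https://protectapi.example.invalid",
    "tenant_id": "00000000-0000-4000-8000-0000000000aa",
    "app_id": "00000000-0000-4000-8000-0000000000bb",
    "app_secret": "placeholder-application-secret",
    "token_timeout": 1800,
}

MAX_TOKEN_TIMEOUT = 1800  # upper bound of the documented 1-1800 second range


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _compact(obj) -> bytes:
    """Canonical, whitespace-free JSON for the JWT header and claim set."""
    return json.dumps(obj, separators=(",", ":")).encode()


def clamp_timeout(seconds) -> int:
    """Reject anything outside the 1-1800 second window the connector documents."""
    try:
        value = int(seconds)
    except (TypeError, ValueError):
        raise ValueError("API Token Timeout must be a whole number of seconds")
    if not 1 <= value <= MAX_TOKEN_TIMEOUT:
        raise ValueError(f"API Token Timeout must be between 1 and {MAX_TOKEN_TIMEOUT} seconds")
    return value


def build_auth_jwt(tenant_id, app_id, app_secret, timeout_seconds, now=None):
    """Build the HS256-signed JWT that is exchanged for an API access token.

    The claim set (iss/sub = Application ID, tid = Tenant ID, jti = unique id,
    iat/exp = validity window) is an assumption about the CylancePROTECT auth API;
    the signing itself is standard JWS HS256 keyed with the Application Secret.
    """
    now = int(time.time()) if now is None else int(now)
    ttl = clamp_timeout(timeout_seconds)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": app_id, "sub": app_id, "tid": tenant_id,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + ttl}
    signing_input = _b64url(_compact(header)) + "." + _b64url(_compact(claims))
    signature = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_auth_jwt(token, app_secret, now=None):
    """Re-check signature (constant-time) and expiry locally; returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, claims_b64, signature_b64 = parts
    expected = hmac.new(app_secret.encode(), f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), signature_b64):
        raise ValueError("JWT signature does not match the Application Secret")
    claims = json.loads(base64.urlsafe_b64decode(claims_b64 + "=" * (-len(claims_b64) % 4)))
    now = int(time.time()) if now is None else int(now)
    if claims["exp"] <= now:
        raise ValueError("JWT has expired")
    return claims


def auth_request(config, now=None):
    """Assemble the token-exchange request. The /auth/v2/token path and the
    {"auth_token": ...} body are assumptions about the CylancePROTECT API."""
    token = build_auth_jwt(config["tenant_id"], config["app_id"], config["app_secret"],
                           config["token_timeout"], now=now)
    return {"url": config["api_server_url"].rstrip("/") + "/auth/v2/token",
            "json": {"auth_token": token}}


if __name__ == "__main__":
    req = auth_request(CONFIG)
    print(req["url"])
    print(verify_auth_jwt(req["json"]["auth_token"], CONFIG["app_secret"]))
```

The timeout matters operationally: the access token is only as short-lived as the exp claim makes it, so a playbook that caches the token must re-request one once verify_auth_jwt starts raising, and a timeout above 1800 seconds is rejected before a request is ever sent.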
You can use the following automated operations in playbooks and also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Block Hash | Adds a filehash to the global quarantine list or the global safe list in CylancePROTECT. | block_hash Containment |
| Get Devices | Retrieves a list that contains the information about all the devices connected to CylancePROTECT. | get_endpoints Investigation |
| Get Device Information | Retrieves information about a device that you have specified using the device ID from CylancePROTECT. | get_endpoint_info Investigation |
| Get Device Threats | Retrieves a list of threats associated with a device that you have specified using the device ID from CylancePROTECT. | get_endpoint_threat Investigation |
| Get Policies | Retrieves a list of policies associated with devices connected to CylancePROTECT. | get_policy Investigation |
| Get Threat Details | Retrieves information about a threat that you have specified using the file hash (SHA256 only) value from CylancePROTECT. | get_threat_details Investigation |
| Get Threats | Retrieves a list of all threats detected on your organization's tenant(s) from CylancePROTECT. | get_threats Investigation |
| Get Threat Devices | Retrieves a list of devices on which the threat that you have specified using the file hash (SHA256 only) value is found in CylancePROTECT. | get_endpoint_threat Investigation |
| Get Global List | Retrieves a list of file hashes from the global quarantine list or the global safe list in CylancePROTECT. | get_files_details Investigation |
| Get Zones | Retrieves information about your organization's zones from CylancePROTECT. | |
| Get Device Zones | Retrieves a list of zones that are assigned to the device you have specified using device ID from CylancePROTECT. | Investigation |
| Update Device Information | Updates information of a device on CylancePROTECT based on the device ID and parameters that you have specified in CylancePROTECT. | update_endpoint Miscellaneous |
| Update Device Threat | Updates the status of a specified filehash on a specific device in CylancePROTECT, based on the device ID that you have specified. You can set the status for the threat to either Quarantine or Waive. | update_threat_status Miscellaneous |
| Unblock Hash | Removes a filehash from the global quarantine list or the global safe list in CylancePROTECT. | unblock_hash Remediation |
Operation: Block Hash
| Parameter | Description |
|---|---|
| Filehash (Only SHA256) | Filehash of the threat that you want to add to the Global Quarantine List or the Global Safe List in CylancePROTECT. |
| List Type | The list type to which the threat belongs. Choose between Global Quarantine List or Global Safe List. |
| Reason | Reason why you want to add this file to the Global Quarantine List or the Global Safe List. |
| Category | (Optional) Required only if the list type is the Global Safe List. Choose one of the following categories: Drivers, None. Important: There are other categories, such as Admin Tool and Internal Application, present in the Global Safe List, which are currently not supported. |
| File Name | (Optional) Name of the file that you want to add to the Global Quarantine List or the Global Safe List. |
The output contains the following populated JSON schema:
{
"status": ""
}
Operation: Get Devices
| Parameter | Description |
|---|---|
| Page Number (e.g 1-10) | (Optional) Page number from which you want to request data. This is an optional query string parameter; if you do not specify a value, it defaults to 1. |
| Record Per Page (e.g 1-200) | (Optional) Number of records that you want to retrieve per page. This is an optional query string parameter; if you do not specify a value, it defaults to 100. |
The output contains the following populated JSON schema:
{
"page_number": "",
"page_size": "",
"total_pages": "",
"total_number_of_items": "",
"page_items": [
{
"id": "",
"name": "",
"state": "",
"agent_version": "",
"policy": {
"id": "",
"name": ""
},
"date_first_registered": "",
"ip_addresses": [],
"mac_addresses": []
}
]
}
Operation: Get Device Information
| Parameter | Description |
|---|---|
| Device ID | Unique ID of the device for which you want to retrieve information from CylancePROTECT. |
The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"state": "",
"agent_version": "",
"policy": {
"id": "",
"name": ""
},
"last_logged_in_user": "",
"update_type": "",
"update_available": "",
"background_detection": "",
"is_safe": "",
"date_first_registered": "",
"date_offline": " ",
"date_last_modified": "",
"ip_addresses": [],
"mac_addresses": []
}
Operation: Get Device Threats
| Parameter | Description |
|---|---|
| Device ID | Unique ID of the device for which you want to retrieve associated threats from CylancePROTECT. |
| Page Number (e.g 1-10) | (Optional) Page number from which you want to request data. This is an optional query string parameter; if you do not specify a value, it defaults to 1. |
| Record Per Page (e.g 1-200) | (Optional) Number of records that you want to retrieve per page. This is an optional query string parameter; if you do not specify a value, it defaults to 100. |
The output contains the following populated JSON schema:
{
"page_number": "",
"page_size": "",
"total_pages": "",
"total_number_of_items": "",
"page_items": [
{
"name": "",
"sha256": "",
"file_status": "",
"file_path": "",
"cylance_score": "",
"classification": "",
"sub_classification": "",
"date_found": ""
}
]
}
Operation: Get Policies
| Parameter | Description |
|---|---|
| Page Number (e.g 1-10) | (Optional) Page number from which you want to request data. This is an optional query string parameter; if you do not specify a value, it defaults to 1. |
| Record Per Page (e.g 1-200) | (Optional) Number of records that you want to retrieve per page. This is an optional query string parameter; if you do not specify a value, it defaults to 100. |
The output contains the following populated JSON schema:
{
"page_number": "",
"page_size": "",
"total_pages": "",
"total_number_of_items": "",
"page_items": [
{
"id": "",
"name": "",
"device_count": "",
"zone_count": "",
"date_added": "",
"date_modified": ""
}
]
}
Operation: Get Threat Details
| Parameter | Description |
|---|---|
| Filehash (Only SHA256) | Filehash of the threat for which you want to retrieve information from CylancePROTECT. |
The output contains the following populated JSON schema:
{
"name": "",
"sha256": "",
"md5": "",
"signed": "",
"cylance_score": "",
"av_industry": "",
"classification": "",
"sub_classification": "",
"global_quarantine": "",
"safelisted": "",
"cert_publisher": "",
"cert_issuer": "",
"cert_timestamp": "",
"file_size": "",
"unique_to_cylance": "",
"running": "",
"auto_run": "",
"detected_by": ""
}
Operation: Get Threats
| Parameter | Description |
|---|---|
| Found Since | (Optional) Datetime from which you want to pull threats that were found in CylancePROTECT. |
| Page Number (e.g 1-10) | (Optional) Page number from which you want to request data. This is an optional query string parameter; if you do not specify a value, it defaults to 1. |
| Record Per Page (e.g 1-200) | (Optional) Number of records that you want to retrieve per page. This is an optional query string parameter; if you do not specify a value, it defaults to 100. |
The output contains the following populated JSON schema:
{
"page_number": "",
"page_size": "",
"total_pages": "",
"total_number_of_items": "",
"page_items": [
{
"name": "",
"sha256": "",
"md5": "",
"cylance_score": "",
"av_industry": "",
"classification": "",
"sub_classification": "",
"global_quarantined": "",
"safelisted": "",
"file_size": "",
"unique_to_cylance": "",
"last_found": ""
}
]
}
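Every list operation above returns the same page envelope (page_number, page_size, total_pages, total_number_of_items, page_items), so a playbook that wants "all threats" rather than the first 100 has to walk Page Number until it reaches total_pages. The following is an added example (not the connector's or Fortinet's code) of that walk over the Get Threats schema, with a page cap so a broken or looping source cannot stall a playbook, and a filter that picks out convicted files which are neither globally quarantined nor safelisted, the natural shortlist for analyst review before Block Hash. SAMPLE_THREATS, fake_get_threats and the CONVICTED classification set are constructed for the example; the hashes refer to no real files.

```python
from typing import Callable, Dict, Iterator, List

# Constructed sample records in the shape of the Get Threats page_items schema.
# Only the fields the walker uses are filled in; none of the hashes are real.
SAMPLE_THREATS: List[Dict] = [
    {"name": "sample-a.exe", "sha256": "0a" * 32, "classification": "Malware",
     "global_quarantined": False, "safelisted": False, "last_found": "2024-01-01T00:00:00"},
    {"name": "sample-b.exe", "sha256": "0b" * 32, "classification": "Malware",
     "global_quarantined": True, "safelisted": False, "last_found": "2024-01-02T00:00:00"},
    {"name": "sample-c.exe", "sha256": "0c" * 32, "classification": "PUP",
     "global_quarantined": False, "safelisted": True, "last_found": "2024-01-03T00:00:00"},
    {"name": "sample-d.dll", "sha256": "0d" * 32, "classification": "Malware",
     "global_quarantined": False, "safelisted": False, "last_found": "2024-01-04T00:00:00"},
    {"name": "sample-e.exe", "sha256": "0e" * 32, "classification": "Trusted",
     "global_quarantined": False, "safelisted": False, "last_found": "2024-01-05T00:00:00"},
]


def fake_get_threats(page_number: int, page_size: int) -> Dict:
    """Stand-in for the connector's Get Threats operation: slices SAMPLE_THREATS
    into the documented page envelope so the walker can be exercised offline."""
    total = len(SAMPLE_THREATS)
    total_pages = max(1, -(-total // page_size))  # ceiling division
    start = (page_number - 1) * page_size
    return {
        "page_number": page_number,
        "page_size": page_size,
        "total_pages": total_pages,
        "total_number_of_items": total,
        "page_items": SAMPLE_THREATS[start:start + page_size],
    }


def iterate_pages(fetch: Callable[..., Dict], page_size: int = 100,
                  max_pages: int = 1000) -> Iterator[Dict]:
    """Yield every page_items entry, advancing Page Number until it reaches total_pages.
    max_pages caps the loop so a misbehaving source cannot keep a playbook spinning."""
    page = 1
    while page <= max_pages:
        envelope = fetch(page_number=page, page_size=page_size)
        yield from envelope.get("page_items", [])
        if page >= int(envelope.get("total_pages", 1)):
            return
        page += 1


# Classifications treated as convicted for this example (a constructed choice).
CONVICTED = {"Malware", "PUP"}


def unhandled_threats(fetch: Callable[..., Dict], page_size: int = 100) -> List[str]:
    """SHA256 values of convicted files that are neither globally quarantined nor
    safelisted, i.e. candidates for Block Hash once an analyst has reviewed them."""
    found = set()
    for threat in iterate_pages(fetch, page_size=page_size):
        if (threat["classification"] in CONVICTED
                and not threat["global_quarantined"]
                and not threat["safelisted"]):
            found.add(threat["sha256"])
    return sorted(found)


if __name__ == "__main__":
    for sha in unhandled_threats(fake_get_threats, page_size=2):
        print(sha)
```

In a real playbook, fetch would be the Get Threats step itself with Page Number and Record Per Page bound to the walker's arguments; the same loop serves Get Devices, Get Device Threats, Get Threat Devices, Get Global List, Get Zones and Get Device Zones, since they share the envelope.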
Operation: Get Threat Devices
| Parameter | Description |
|---|---|
| Filehash (Only SHA256) | Filehash of the threat for which you want to retrieve associated device information from CylancePROTECT. |
| Page Number (e.g 1-10) | (Optional) Page number from which you want to request data. This is an optional query string parameter; if you do not specify a value, it defaults to 1. |
| Record Per Page (e.g 1-200) | (Optional) Number of records that you want to retrieve per page. This is an optional query string parameter; if you do not specify a value, it defaults to 100. |
The output contains the following populated JSON schema:
{
"page_number": "",
"page_size": "",
"total_pages": "",
"total_number_of_items": "",
"page_items": [
{
"id": "",
"name": "",
"state": "",
"agent_version": "",
"policy_id": "",
"date_found": "",
"file_status": "",
"file_path": "",
"ip_addresses": [],
"mac_addresses": []
}
]
}
Operation: Get Global List
| Parameter | Description |
|---|---|
| List Type | The list type to which the threat belongs. Choose between Global Quarantine List or Global Safe List. |
| Page Number (e.g 1-10) | (Optional) Page number from which you want to request data. This is an optional query string parameter; if you do not specify a value, it defaults to 1. |
| Record Per Page (e.g 1-200) | (Optional) Number of records that you want to retrieve per page. This is an optional query string parameter; if you do not specify a value, it defaults to 100. |
The output contains the following populated JSON schema:
{
"page_number": "",
"page_size": "",
"total_pages": "",
"total_number_of_items": "",
"page_items": [
{
"name": "",
"sha256": "",
"md5": "",
"cylance_score": "",
"av_industry": "",
"classification": "",
"sub_classification": "",
"list_type": "",
"category": "",
"added": "",
"added_by": "",
"reason": ""
}
]
}
Operation: Get Zones
| Parameter | Description |
|---|---|
| Page Number (e.g 1-10) | (Optional) Page number from which you want to request data. This is an optional query string parameter; if you do not specify a value, it defaults to 1. |
| Record Per Page (e.g 1-200) | (Optional) Number of records that you want to retrieve per page. This is an optional query string parameter; if you do not specify a value, it defaults to 100. |
The output contains the following populated JSON schema:
{
"page_number": "",
"page_size": "",
"total_pages": "",
"total_number_of_items": "",
"page_items": [
{
"id": "",
"name": "",
"criticality": "",
"zone_rule_id": "",
"policy_id": "",
"update_type": "",
"date_created": "",
"date_modified": ""
}
]
}
Operation: Get Device Zones
| Parameter | Description |
|---|---|
| Device ID | Unique ID of the device for which you want to retrieve zone information from CylancePROTECT. |
| Page Number (e.g 1-10) | (Optional) Page number from which you want to request data. This is an optional query string parameter; if you do not specify a value, it defaults to 1. |
| Record Per Page (e.g 1-200) | (Optional) Number of records that you want to retrieve per page. This is an optional query string parameter; if you do not specify a value, it defaults to 100. |
The output contains the following populated JSON schema:
{
"page_number": "",
"page_size": "",
"total_pages": "",
"total_number_of_items": "",
"page_items": [
{
"id": "",
"name": "",
"criticality": "",
"zone_rule_id": "",
"policy_id": "",
"update_type": "",
"date_created": "",
"date_modified": ""
}
]
}
Operation: Update Device Information
| Parameter | Description |
|---|---|
| Device ID | Unique ID of the device for which you want to update information in CylancePROTECT. |
| Device Schema | This parameter must be in the dict format and contains a Key-Value pair. For more information, see the Working with the Field Value parameter section. |
The output contains the following populated JSON schema:
{
"status": ""
}
Operation: Update Device Threat
| Parameter | Description |
|---|---|
| Device ID | Unique ID of the device for which you want to update the threat status in CylancePROTECT. |
| Filehash (Only SHA256) | Filehash of the threat whose status you want to update on the specific device in CylancePROTECT. |
| Event | Status of the threat that you want to set. Choose between Quarantine or Waive. Important: You cannot change the status of the threat once you have set it to Quarantine. For example, if you have set the status of the threat to Quarantine, you cannot change the status of this threat to Waive. However, if you have set the status of the threat to Waive, you can still change the status of this threat to Quarantine. |
The output contains the following populated JSON schema:
{
"status": ""
}
Operation: Unblock Hash
| Parameter | Description |
|---|---|
| Filehash (Only SHA256) | Filehash of the threat that you want to remove from the Global Quarantine List or Global Safe List in CylancePROTECT. |
| List Type | The list type to which the threat belongs. Choose between Global Quarantine List or Global Safe List. |
The output contains the following populated JSON schema:
{
"status": ""
}
The Sample - CylancePROTECT - 1.1.1 playbook collection comes bundled with the CylancePROTECT connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CylancePROTECT connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Working with the Field Value parameter
This section is optional and is only required if you are going to perform the Update Device Information operation. The Update Device Information operation takes the Field Value (listed as Device Schema in its parameter table) as an input parameter. The Field Value parameter must be in the dictionary (dict) format.
Following is an explanation of how the Field Value parameter works and how you must enter the value for this parameter in FortiSOAR™. A Field Value parameter contains Key-Value pairs.
Key: The Key is the name of the device, the policy ID of the device, the zone IDs to add, or the zone IDs to remove.
Value: The values of the fields use the following formats:
{
"name": "string",
"policy_id": "string:{policy guid}",
"add_zone_ids": ["string:{zone guid}"],
"remove_zone_ids": ["string:{zone guid}"]
}
The following is an example that you can enter in the Device Schema parameter of the Update Device Information operation as an input:
{
"name": "prod",
"policy_id": "0c9ca537-583f-406a-bf68-530421fadeee"
}
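Because the Device Schema dict is passed straight through to Update Device Information, and because the Update Device Threat Event is one-way (Quarantine cannot later be changed to Waive), it is worth validating both inputs in the playbook before the call is made. The following is an added example (not the connector's or Fortinet's code) covering both: it checks a Device Schema against the four documented keys and the GUID format of policy and zone IDs, rejects a zone that appears in both add_zone_ids and remove_zone_ids, confirms a hash is SHA256 as every hash-taking operation requires, and encodes the Quarantine/Waive transition rule. The GUID pattern and the idea that the caller already knows the threat's current status are assumptions; the example schema is the one shown above.

```python
import re

# Standard 8-4-4-4-12 hex GUID layout; assumed to be what policy and zone IDs use.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)

# The four keys the Field Value / Device Schema section documents.
ALLOWED_KEYS = {"name", "policy_id", "add_zone_ids", "remove_zone_ids"}
EVENTS = ("Quarantine", "Waive")


def is_sha256(value) -> bool:
    """True only for a 64-hex-digit string; the hash-taking operations accept SHA256 only."""
    return isinstance(value, str) and bool(SHA256_RE.match(value))


def _is_guid(value) -> bool:
    return isinstance(value, str) and bool(GUID_RE.match(value))


def _guid_set(value) -> set:
    """Hashable view of a zone-ID list for the overlap check; non-lists count as empty."""
    if not isinstance(value, list):
        return set()
    return {z for z in value if isinstance(z, str)}


def validate_device_schema(schema) -> list:
    """Return the problems found in a Device Schema dict; an empty list means it can be sent."""
    if not isinstance(schema, dict):
        return ["Device Schema must be a dict"]
    problems = []
    for key in schema:
        if key not in ALLOWED_KEYS:
            problems.append(f"unsupported key: {key}")
    if "name" in schema and (not isinstance(schema["name"], str) or not schema["name"].strip()):
        problems.append("name must be a non-empty string")
    if "policy_id" in schema and not _is_guid(schema["policy_id"]):
        problems.append("policy_id must be a policy GUID string")
    for key in ("add_zone_ids", "remove_zone_ids"):
        if key in schema:
            ids = schema[key]
            if not isinstance(ids, list) or not all(_is_guid(z) for z in ids):
                problems.append(f"{key} must be a list of zone GUID strings")
    if _guid_set(schema.get("add_zone_ids")) & _guid_set(schema.get("remove_zone_ids")):
        problems.append("a zone cannot be both added and removed")
    if not problems and not schema:
        problems.append("Device Schema must contain at least one field")
    return problems


def check_threat_transition(current_status, requested_event) -> bool:
    """Quarantine is one-way: a quarantined threat cannot be waived, while a waived
    one can still be quarantined. Returns True when an Update Device Threat call
    can change anything, False when the documented rule means it cannot."""
    if requested_event not in EVENTS:
        raise ValueError(f"Event must be one of {EVENTS}")
    if current_status == "Quarantine":
        return False  # already quarantined: neither Waive nor a repeat Quarantine takes effect
    return True


if __name__ == "__main__":
    # The example from the page: a rename plus a policy assignment.
    print(validate_device_schema({"name": "prod",
                                  "policy_id": "0c9ca537-583f-406a-bf68-530421fadeee"}))
    print(validate_device_schema({"policy_id": "not-a-guid", "add_zone_ids": "x", "extra": 1}))
    print(check_threat_transition("Quarantine", "Waive"), check_threat_transition("Waive", "Quarantine"))
```

Running the validator in the playbook step before Update Device Information turns a silent bad update (or an API error deep in a playbook run) into a readable list of problems, and the transition check lets a playbook skip an Update Device Threat call that the page says cannot take effect.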