# Cylance Protect
The Cylance Protect connector enables streamlined security management and threat response through AI-driven prevention techniques.

Cylance Protect is an AI-driven threat prevention solution that proactively stops malware, script-based, fileless, memory, and external-device-based attacks. This connector enables Swimlane Turbine users to automate and streamline security workflows by integrating with Cylance Protect's capabilities. Users can manage device policies, quarantine threats, and retrieve detailed threat intelligence, enhancing their security posture and reducing response times.

## Prerequisites

To use the Cylance Protect integration, you must do the following:

1. Open https://protect.cylance.com/integrations.
2. Click "Add Application".
3. Set the appropriate permissions for all planned integrations. These permissions can be changed later.
4. Copy the Application ID and Secret. The secret cannot be retrieved after closing the modal.
5. Create a new CylanceProtect asset in Turbine with the Tenant ID, Application ID, and Application Secret.

## Capabilities

The Cylance Protect connector has the following capabilities:

- Manage Devices
  - Note: to update a device's zone, the zone ID must be used. The zone ID is the ID at the end of the zone's URL. Multiple zones should be entered as a comma-separated list. Example: `https://protect.cylance.com/zone/zonedetails/59008bce-42e9-4e6e-a7a6-36eefdccc0eb`
- Manage Device Threats
  - Note: returns duplicates if a threat was quarantined but has since been cleared.
- Get Agent Installer Link
- Get Devices
- Get Device by ID
- Get Threats
- Get Threat Devices
- Get Threat Download URL
- Manage Zones
  - Note: a unique zone ID is required for most functions and can be found in the URL of the zone. Example: `https://protect.cylance.com/zone/zonedetails/59008bce-42e9-4e6e-a7a6-36eefdccc0eb`
- Manage Global Lists
- Get All Policies

## Configurations

### Cylance Protect Client Credentials Auth

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host: `https://{subdomain}.cylance.com` or `https://protectapi.cylance.com` | string | required |
| token_url | The URL to request the token from: `https://{subdomain}.cylance.com/auth/v2/token` | string | optional |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| tenant_id | The tenant ID | string | optional |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Global List

Add a convicted threat to the global quarantine or safe list for a specific tenant in Cylance Protect.

- Endpoint URL: `/globallists/v2`
- Method: `POST`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | optional | Parameter for Add Global List |
| list_type | string | optional | Type of the resource |
| category | string | optional | Parameter for Add Global List |
| reason | string | optional | Response reason phrase |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sha256 | string | Output field sha256 |
| list_type | string | Type of the resource |
| category | string | Output field category |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {
      "sha256": "bf17366ee3bb8068a9ad70fc9e68496e7e311a055bf4ffeeff53cc5d29ccce52",
      "list_type": "GlobalSafe",
      "category": "CommercialSoftware",
      "reason": "test"
    }
  }
]
```

### Add Zone

Create a new zone within the Cylance Protect tenant to manage device policies and settings.

- Endpoint URL: `/zones/v2`
- Method: `POST`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | optional | Name of the resource |
| policy_id | string | optional | Unique identifier |
| criticality | string | optional | Parameter for Add Zone |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| criticality | string | Output field criticality |
| date_created | string | Output field date_created |
| id | string | Unique identifier |
| name | string | Name of the resource |
| policy_id | string | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {
      "criticality": "This is the value of the zone (Low, Normal, or High).",
      "date_created": "This is the date and time (in UTC) when the zone was created.",
      "id": "This is the unique ID for the zone.",
      "name": "This is the name of the zone.",
      "policy_id": "This is the unique ID for the zone rule created for the zone. null is displayed "
    }
  }
]
```

### Delete Devices

Remove specified devices from a Cylance Protect tenant, streamlining device management and maintaining system integrity.

- Endpoint URL: `/devices/v2`
- Method: `DELETE`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| device_ids | array | optional | Unique identifier |
| callback_url | string | optional | URL endpoint for the request |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| request_id | string | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {
      "request_id": "bf17366ee3bb8068a9ad70fc9e68496e7e311a055bf4ffeeff53cc5d29ccce52"
    }
  }
]
```

### Delete Global List

Removes a threat from the global quarantine or safe list for a specified tenant in Cylance Protect.

- Endpoint URL: `/globallists/v2`
- Method: `DELETE`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | optional | Parameter for Delete Global List |
| list_type | string | optional | Type of the resource |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sha256 | string | Output field sha256 |
| list_type | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {
      "sha256": "bf17366ee3bb8068a9ad70fc9e68496e7e311a055bf4ffeeff53cc5d29ccce52",
      "list_type": "GlobalSafe"
    }
  }
]
```

### Delete Zone

Deletes a specified zone within a Cylance Protect tenant using the unique identifier provided in the path parameters.

- Endpoint URL: `/zones/v2/{{id}}`
- Method: `DELETE`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {}
  }
]
```

### Get Agent Installer Link

Retrieve a secure download link for the Cylance Protect agent installer.

- Endpoint URL: `/devices/v2/installer`
- Method: `GET`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| product | string | optional | Parameter for Get Agent Installer Link |
| os | string | optional | Parameter for Get Agent Installer Link |
| package | string | optional | Parameter for Get Agent Installer Link |
| architecture | string | optional | Parameter for Get Agent Installer Link |
| build | string | optional | Parameter for Get Agent Installer Link |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| url | string | URL endpoint for the request |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {
      "url": "This is the URL you can use to download the requested agent installer. The API c "
    }
  }
]
```

### Get Device by ID

Retrieves a specific device resource by ID from Cylance Protect, providing detailed information about the device.

- Endpoint URL: `/devices/v2/{{deviceid}}`
- Method: `GET`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| deviceid | string | required | ID of the device to be fetched |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| host_name | string | Name of the resource |
| os_version | string | Output field os_version |
| os_kernel_version | string | Output field os_kernel_version |
| state | string | Output field state |
| agent_version | string | Output field agent_version |
| products | array | Output field products |
| name | string | Name of the resource |
| version | string | Output field version |
| status | string | Status value |
| policy | object | Output field policy |
| id | string | Unique identifier |
| name | string | Name of the resource |
| last_logged_in_user | string | Output field last_logged_in_user |
| update_type | object | Type of the resource |
| update_available | boolean | Output field update_available |
| background_detection | boolean | Output field background_detection |
| is_safe | boolean | Output field is_safe |
| date_first_registered | string | Output field date_first_registered |
| date_offline | string | Output field date_offline |
| date_last_modified | string | Output field date_last_modified |
| ip_addresses | array | Output field ip_addresses |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Encoding": "gzip",
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Thu, 06 Jun 2024 10:57:00 GMT",
      "Server": "openresty",
      "Content-Length": "494",
      "Connection": "keep-alive"
    },
    "reason": "OK",
    "json_body": {
      "id": "112a9067-eb52-4617-abec-a63efec2b4bd",
      "name": "Jimmy's Mac",
      "host_name": "openvpn-client-vpn-1.swimlane.io",
      "os_version": "macOS High Sierra 10.13.6",
      "os_kernel_version": "10.13.6.199506",
      "state": "Offline",
      "agent_version": "2.0.1490",
      "products": [],
      "policy": {},
      "last_logged_in_user": "Guest",
      "update_type": null,
      "update_available": false,
      "background_detection": false,
      "is_safe": true,
      "date_first_registered": "2018-07-24T15:39:25"
    }
  }
]
```

### Get Devices

Retrieves a list of devices associated with a tenant, providing a paginated collection of device resources.

- Endpoint URL: `/devices/v2`
- Method: `GET`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | optional | Page number to request |
| page_size | number | optional | Number of device records to retrieve per page. The maximum page size that can be specified is 10000 entries per page. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| page_number | number | Output field page_number |
| page_size | number | Output field page_size |
| total_pages | number | Output field total_pages |
| total_number_of_items | number | Output field total_number_of_items |
| page_items | array | Output field page_items |
| id | string | Unique identifier |
| name | string | Name of the resource |
| state | string | Output field state |
| agent_version | string | Output field agent_version |
| os_kernel_version | string | Output field os_kernel_version |
| products | array | Output field products |
| name | string | Name of the resource |
| version | string | Output field version |
| status | string | Status value |
| policy | object | Output field policy |
| id | string | Unique identifier |
| name | string | Name of the resource |
| date_first_registered | string | Output field date_first_registered |
| ip_addresses | array | Output field ip_addresses |
| mac_addresses | array | Output field mac_addresses |
| date_offline | string | Output field date_offline |
| dlcm_status | string | Status value |
| days_to_deletion | string | Output field days_to_deletion |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Encoding": "gzip",
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Thu, 06 Jun 2024 10:56:02 GMT",
      "Server": "openresty",
      "Content-Length": "1265",
      "Connection": "keep-alive"
    },
    "reason": "OK",
    "json_body": {
      "page_number": 1,
      "page_size": 10,
      "total_pages": 1,
      "total_number_of_items": 9,
      "page_items": []
    }
  }
]
```

### Get Global List

Retrieve items from a specified global list type in Cylance Protect for tenant management.

- Endpoint URL: `/globallists/v2`
- Method: `GET`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| listtypeid | string | required | Unique identifier |
| pagenumber | string | optional | Parameter for Get Global List |
| pagesize | string | optional | Parameter for Get Global List |
| filterby | string | optional | Parameter for Get Global List |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| added | string | Output field added |
| avindustry | object | Output field avindustry |
| category | object | Output field category |
| classification | object | Output field classification |
| listtype | object | Type of the resource |
| md5 | string | Output field md5 |
| name | string | Name of the resource |
| pagenumber | object | Output field pagenumber |
| pagesize | object | Output field pagesize |
| sha256 | string | Output field sha256 |
| subclassification | object | Output field subclassification |
| totalnumberofitems | object | Output field totalnumberofitems |
| totalpages | object | Output field totalpages |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {
      "added": "This is the date and time the global list item was added.",
      "avindustry": null,
      "category": null,
      "classification": null,
      "listtype": null,
      "md5": "This is the MD5 hash for the file.",
      "name": "This is the name of the global list item.",
      "pagenumber": null,
      "pagesize": null,
      "reason": "This is the reason for adding the item to the global list.",
      "sha256": "This is the SHA256 hash for the file.",
      "subclassification": null,
      "totalnumberofitems": null,
      "totalpages": null
    }
  }
]
```

### Get Policies

Obtain a sorted list of Cylance Protect console policies for a tenant, ordered by most recently modified.

- Endpoint URL: `/policies/v2`
- Method: `GET`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| page | string | optional | Parameter for Get Policies |
| page_size | string | optional | Parameter for Get Policies |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| date_added | string | Output field date_added |
| date_modified | string | Output field date_modified |
| device_count | string | Count value |
| id | string | Unique identifier |
| name | string | Name of the resource |
| page_number | string | Output field page_number |
| page_size | string | Output field page_size |
| total_number_of_items | string | Output field total_number_of_items |
| total_pages | string | Output field total_pages |
| zone_count | string | Count value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {
      "date_added": "This is the date and time (in UTC) when the console policy resource was first cr ",
      "date_modified": "This is the date and time (in UTC) when the console policy resource was last mod ",
      "device_count": "This is the number of devices assigned to this policy.",
      "id": "This is the unique ID for the policy resource.",
      "name": "This is the name of the policy.",
      "page_number": "This is the page number requested.",
      "page_size": "This is the page size requested.",
      "total_number_of_items": "This is the total number of resources.",
      "total_pages": "This is the total number of pages that can be retrieved based on the page size s ",
      "zone_count": "This is the number of zones assigned to this policy."
    }
  }
]
```

### Get Threat Devices

Retrieve a list of devices impacted by a specified threat using the SHA256 hash as an identifier in Cylance Protect.

- Endpoint URL: `/threats/v2/{{sha256}}/devices`
- Method: `GET`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | required | Parameter for Get Threat Devices |
| page | string | optional | Parameter for Get Threat Devices |
| page_size | string | optional | Parameter for Get Threat Devices |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| agent_version | string | Output field agent_version |
| date_found | string | Output field date_found |
| file_path | string | Output field file_path |
| file_status | string | Status value |
| id | string | Unique identifier |
| ip_addresses | string | Output field ip_addresses |
| mac_addresses | string | Output field mac_addresses |
| name | string | Name of the resource |
| page_number | string | Output field page_number |
| page_size | string | Output field page_size |
| policy_id | string | Unique identifier |
| state | string | Output field state |
| total_number_of_items | string | Output field total_number_of_items |
| total_pages | string | Output field total_pages |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {
      "agent_version": "This is the CylancePROTECT Desktop agent version installed on the device.",
      "date_found": "This is the date and time (in UTC) when the threat was found on the device.",
      "file_path": "This is the path where the file was found on the device. Only one file path is l ",
      "file_status": "This is the current quarantine status of the file on the device. Default (Unsafe ",
      "id": "This is the endpoint's unique identifier.",
      "ip_addresses": "This is the list of IP addresses for the device.",
      "mac_addresses": "This is the list of MAC addresses for the device.",
      "name": "This is the name of the device.",
      "page_number": "This is the page number requested.",
      "page_size": "This is the page size requested.",
      "policy_id": "This is the unique identifier for the policy assigned to the device, or null if ",
      "state": "This is the state of the device: Offline, Online",
      "total_number_of_items": "This is the total number of resources.",
      "total_pages": "This is the total number of pages that can be retrieved, based on the page size "
    }
  }
]
```

### Get Threat Download URL

Generates a download URL for a file identified by its SHA256 hash in Cylance Protect.

- Endpoint URL: `/threats/v2/download/{{sha256}}`
- Method: `GET`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | required | Parameter for Get Threat Download URL |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| url | string | URL endpoint for the request |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {
      "url": "This is the URL you can use to download the file. The API call only provides the "
    }
  }
]
```

### Get Threats

Retrieve detailed information for a specific threat within a Cylance Protect tenant.

- Endpoint URL: `/threats/v2`
- Method: `GET`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| page | string | optional | Parameter for Get Threats |
| page_size | string | optional | Parameter for Get Threats |
| start_time | string | optional | Time value |
| end_time | string | optional | Time value |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| avindustry | string | Output field avindustry |
| certissuer | string | Output field certissuer |
| certpublisher | string | Output field certpublisher |
| certtimestamp | string | Output field certtimestamp |
| classification | string | Output field classification |
| datedetected | string | Output field datedetected |
| datefirstdetected | string | Output field datefirstdetected |
| detectedby | string | Output field detectedby |
| deviceid | string | Unique identifier |
| devicename | string | Name of the resource |
| end_time | string | Time value |
| filesize | string | Output field filesize |
| globalquarantined | object | Output field globalquarantined |
| md5 | string | Output field md5 |
| mostrecentdetection | string | Output field mostrecentdetection |
| name | string | Name of the resource |
| page | string | Output field page |
| page_size | string | Output field page_size |
| safelisted | object | Output field safelisted |
| sha256 | string | Output field sha256 |
| signed | object | Output field signed |
| start_time | string | Time value |
| subclassification | object | Output field subclassification |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {
      "avindustry": "This is the threat data from the AV industry.",
      "certissuer": "This is the certificate issuer.",
      "certpublisher": "This is the certificate publisher.",
      "certtimestamp": "This is the date and time when the certificate was created.",
      "classification": "This is the classification of the threat (for example, PUP indicates a potential ",
      "datedetected": "This is the date and time the threat was detected on the device. Note that the d ",
      "datefirstdetected": "This is the date and time when the threat was first detected.",
      "detectedby": "This is the product features that detected the threat.",
      "deviceid": "This is the unique ID for the device.",
      "devicename": "This is the name of the device.",
      "end_time": "The end of the time range in ISO 8601 date/time format (optional) (default value ",
      "filesize": "This is the size of the file, in bytes (for example, 1000 is 1KB).",
      "globalquarantined": null,
      "md5": "This is the MD5 hash information for the threat.",
      "mostrecentdetection": "This is the date and time of the most recent detection of the threat."
    }
  }
]
```

### Update Device

Update device resource details for a specific tenant in Cylance Protect using the device ID.

- Endpoint URL: `/devices/v2/{{id}}`
- Method: `PUT`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| name | string | optional | Name of the resource |
| policy_id | string | optional | Unique identifier |
| add_zone_ids | array | optional | Unique identifier |
| remove_zone_ids | array | optional | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {}
  }
]
```

### Update Device Threats

Updates the status of a convicted threat on a device within Cylance Protect; requires the 'Modify' permission for threats.

- Endpoint URL: `/devices/v2/{{id}}/threats`
- Method: `POST`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| threat_id | string | optional | Unique identifier |
| event | string | optional | Parameter for Update Device Threats |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| event | string | Output field event |
| threat_id | string | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {
      "event": "This is the requested status update for the convicted threat, which can be eithe ",
      "threat_id": "This is the SHA256 hash of the convicted threat"
    }
  }
]
```

### Update Zone

Updates a specified zone within a Cylance Protect tenant using the provided zone ID.

- Endpoint URL: `/zones/v2/{{id}}`
- Method: `PUT`

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| name | string | optional | Name of the resource |
| policy_id | string | optional | Unique identifier |
| criticality | string | optional | Parameter for Update Zone |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| policy_id | string | Unique identifier |
| criticality | string | Output field criticality |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Date": "Wed, 07 Jun 2023 21:04:11 GMT",
      "Server": "openresty",
      "Content-Length": "72",
      "Connection": "keep-alive"
    },
    "reason": "",
    "json_body": {
      "name": "test policy",
      "policy_id": "d5c6d6a3-0599-4fb5-96bc-0fdc7eacb6ea",
      "criticality": "Normal"
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 1265 |
| Content-Type | The media type of the resource | application/json; charset=utf-8 |
| Date | The date and time at which the message was originated | Thu, 06 Jun 2024 10:57:00 GMT |
| Server | Information about the software used by the origin server | openresty |
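The helpers below are an added example, not Swimlane's connector code or a Cylance client library. They tie together several points made on this page: the Capabilities note that a zone ID is the UUID at the end of the zone's console URL and that several zones are given as a comma-separated list, the `add_zone_ids`/`remove_zone_ids` body of the Update Device action, the 10000-entry `page_size` cap of Get Devices with its `total_pages` counter, and the Manage Device Threats caveat that a threat can appear twice once it has been quarantined and cleared. The `send(method, path, params, body)` transport is an assumed interface that a caller would wire to the authenticated HTTP session; `_fake_send` and its device records are constructed stand-ins so the module runs offline.

```python
"""Helpers around the Cylance Protect endpoints documented on this page.

Added example, not Swimlane's connector code or Cylance's API client. It assumes
a caller-supplied transport send(method, path, params, body) that already
carries a valid bearer token; _fake_send below is a constructed stand-in.
"""
import re
from typing import Callable, Iterator

# A zone ID is the UUID at the end of the zone's console URL, e.g.
# https://protect.cylance.com/zone/zonedetails/<zone-id> (Capabilities note).
_UUID_AT_END = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
MAX_PAGE_SIZE = 10000  # documented maximum page_size for GET /devices/v2


def parse_zone_ids(value: str) -> list[str]:
    """Turn a comma-separated list of zone IDs and/or zone URLs into bare IDs.

    Each entry must be a UUID or end in '/<UUID>'; anything else is rejected
    here rather than being sent to the API as an invalid zone reference.
    """
    ids: list[str] = []
    for raw in value.split(","):
        entry = raw.strip().rstrip("/")
        if not entry:
            continue
        match = _UUID_AT_END.search(entry)
        if match is None or match.start() not in (0, entry.rfind("/") + 1):
            raise ValueError(f"not a zone ID or zone URL: {raw!r}")
        ids.append(match.group(0).lower())
    return ids


def update_device_payload(name=None, policy_id=None, add_zones="", remove_zones=""):
    """Build the body for PUT /devices/v2/{id}, sending only the fields given."""
    add = parse_zone_ids(add_zones)
    remove = parse_zone_ids(remove_zones)
    clash = set(add) & set(remove)
    if clash:
        raise ValueError(f"zone(s) both added and removed: {sorted(clash)}")
    body = {}
    if name is not None:
        body["name"] = name
    if policy_id is not None:
        body["policy_id"] = policy_id
    if add:
        body["add_zone_ids"] = add
    if remove:
        body["remove_zone_ids"] = remove
    return body


def iter_devices(send: Callable, page_size: int = MAX_PAGE_SIZE) -> Iterator[dict]:
    """Yield every device from GET /devices/v2, one page at a time.

    page_size is clamped to the documented maximum; paging stops once the
    requested page number reaches the total_pages value the API reports.
    """
    page_size = max(1, min(page_size, MAX_PAGE_SIZE))
    page = 1
    while True:
        resp = send("GET", "/devices/v2", {"page": page, "page_size": page_size}, None)
        body = resp["json_body"]
        yield from body["page_items"]
        if page >= body["total_pages"]:
            return
        page += 1


def dedupe_by_sha256(threats):
    """Collapse duplicate threat records (a threat that was quarantined and
    later cleared can be returned twice), keeping the first record seen."""
    seen = {}
    for threat in threats:
        seen.setdefault(threat["sha256"].lower(), threat)
    return list(seen.values())


def _fake_send(method, path, params, body):
    """Constructed transport: five made-up devices served in pages."""
    devices = [{"id": f"dev-{i}", "name": f"host{i}", "state": "Online"} for i in range(5)]
    size, page = params["page_size"], params["page"]
    start = (page - 1) * size
    return {
        "status_code": 200,
        "json_body": {
            "page_number": page,
            "page_size": size,
            "total_pages": -(-len(devices) // size),  # ceiling division
            "total_number_of_items": len(devices),
            "page_items": devices[start:start + size],
        },
    }


if __name__ == "__main__":
    zone_url = "https://protect.cylance.com/zone/zonedetails/59008bce-42e9-4e6e-a7a6-36eefdccc0eb"
    print(update_device_payload(add_zones=zone_url))
    print(sum(1 for _ in iter_devices(_fake_send, page_size=2)))
```

`parse_zone_ids` deliberately fails closed: a malformed entry raises before any request is built, so a typo in a playbook input cannot silently detach a device from the wrong zone. `iter_devices` trusts `total_pages` from the first response rather than looping until an empty page, which matches the paginated shape shown in the Get Devices example above.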