# Cylance Protect
The Cylance Protect connector enables streamlined security management and threat response through AI-driven prevention techniques. Cylance Protect is an AI-driven threat prevention solution that proactively stops malware, script-based, fileless, memory, and external-device-based attacks. This connector enables Swimlane Turbine users to automate and streamline security workflows by integrating with Cylance Protect's capabilities. Users can manage device policies, quarantine threats, and retrieve detailed threat intelligence, enhancing their security posture and reducing response times.

## Prerequisites

To use the Cylance Protect integration, you must do the following:

1. Open https://protect.cylance.com/integrations.
2. Click "Add Application".
3. Set the appropriate permissions for all planned integrations. These permissions can be changed later.
4. Copy the Application ID and Secret. The secret cannot be retrieved after closing the modal.
5. Create a new CylanceProtect asset in Turbine with the Tenant ID, Application ID, and Application Secret.

## Capabilities

The Cylance Protect connector has the following capabilities:

- Manage Devices
  - Note: to update a device zone, the zone ID, which is the ID in the URL of a zone, must be used. The zone ID is at the end of the URL. Multiple zones should be entered as a comma-separated list. Ex: https://protect.cylance.com/zone/zonedetails/59008bce-42e9-4e6e-a7a6-36eefdccc0eb
- Manage Device Threats
  - Returns duplicates if a threat was quarantined but has since been cleared.
- Get Agent Installer Link
- Get Devices
- Get Device by ID
- Get Threats
- Get Threat Devices
- Get Threat Download URL
- Manage Zones
  - Note: a unique zone ID is required for most functions and can be found in the URL of the zone. Ex: https://protect.cylance.com/zone/zonedetails/59008bce-42e9-4e6e-a7a6-36eefdccc0eb
- Manage Global Lists
- Get All Policies

## Configurations

### Cylance Protect Client Credentials Auth

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host: https://{subdomain}.cylance.com or https://protectapi.cylance.com | string | required |
| Token URL | The URL to request the token from: https://{subdomain}.cylance.com/auth/v2/token | string | optional |
| Client ID | The client ID | string | required |
| Client Secret | The client secret | string | required |
| Tenant ID | The tenant ID | string | optional |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Add Global List

Add a convicted threat to the global quarantine or safe list for a specific tenant in Cylance Protect.

Endpoint URL: `/globallists/v2`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | optional | Parameter for Add Global List |
| list_type | string | optional | Type of the resource |
| category | string | optional | Parameter for Add Global List |
| reason | string | optional | Response reason phrase |

Input example:

```json
{"json_body": {"sha256": "bf17366ee3bb8068a9ad70fc9e68496e7e311a055bf4ffeeff53cc5d29ccce52", "list_type": "GlobalSafe", "category": "CommercialSoftware", "reason": "test"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sha256 | string | Output field sha256 |
| list_type | string | Type of the resource |
| category | string | Output field category |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {"sha256": "bf17366ee3bb8068a9ad70fc9e68496e7e311a055bf4ffeeff53cc5d29ccce52", "list_type": "GlobalSafe", "category": "CommercialSoftware", "reason": "test"}}
```

### Add Zone

Create a new zone within the Cylance Protect tenant to manage device policies and settings.

Endpoint URL: `/zones/v2`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | optional | Name of the resource |
| policy_id | string | optional | Unique identifier |
| criticality | string | optional | Parameter for Add Zone |

Input example:

```json
{"json_body": {"name": "Test Zone", "policy_id": "d5c6d6a3-0599-4fb5-96bc-0fdc7eacb6ea", "criticality": "Normal"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| criticality | string | Output field criticality |
| date_created | string | Output field date_created |
| id | string | Unique identifier |
| name | string | Name of the resource |
| policy_id | string | Unique identifier |

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {"criticality": "This is the value of the zone (Low, Normal, or High).", "date_created": "This is the date and time (in UTC) when the zone was created.", "id": "This is the unique ID for the zone.", "name": "This is the name of the zone.", "policy_id": "This is the unique ID for the zone
```

### Delete Devices

Remove specified devices from a Cylance Protect tenant, streamlining device management and maintaining system integrity.

Endpoint URL: `/devices/v2`
Method: DELETE

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| device_ids | array | optional | Unique identifier |
| callback_url | string | optional | URL endpoint for the request |

Input example:

```json
{"json_body": {"device_ids": ["e378dacb-9324-453a-b8c6-5a8406952195", "a358daac-2394-653a-a9c2-8a8408972163", "b248cbba-6367-821b-a7a2-4a3200972163"], "callback_url": "https://exampleurl.com"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| request_id | string | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {"request_id": "bf17366ee3bb8068a9ad70fc9e68496e7e311a055bf4ffeeff53cc5d29ccce52"}}
```

### Delete Global List

Removes a threat from the global quarantine or safe list for a specified tenant in Cylance Protect.

Endpoint URL: `/globallists/v2`
Method: DELETE

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| sha256 | string | optional | Parameter for Delete Global List |
| list_type | string | optional | Type of the resource |

Input example:

```json
{"json_body": {"sha256": "bf17366ee3bb8068a9ad70fc9e68496e7e311a055bf4ffeeff53cc5d29ccce52", "list_type": "GlobalSafe"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sha256 | string | Output field sha256 |
| list_type | string | Type of the resource |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {"sha256": "bf17366ee3bb8068a9ad70fc9e68496e7e311a055bf4ffeeff53cc5d29ccce52", "list_type": "GlobalSafe"}}
```

### Delete Zone

Deletes a specified zone within a Cylance Protect tenant using the unique identifier provided in the path parameters.

Endpoint URL: `/zones/v2/{{id}}`
Method: DELETE

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Delete Zone action |

Input example:

```json
{"path_parameters": {"id": "e378dacb-9324-453a-b8c6-5a8406952195"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {}}
```

### Get Agent Installer Link

Retrieve a secure download link for the Cylance Protect agent installer.

Endpoint URL: `/devices/v2/installer`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.product | string | optional | Parameters for the Get Agent Installer Link action |
| parameters.os | string | optional | Parameters for the Get Agent Installer Link action |
| parameters.package | string | optional | Parameters for the Get Agent Installer Link action |
| parameters.architecture | string | optional | Parameters for the Get Agent Installer Link action |
| parameters.build | string | optional | Parameters for the Get Agent Installer Link action |

Input example:

```json
{"parameters": {"product": "CylancePROTECT", "os": "Windows", "package": "Exe", "architecture": "X86", "build": "2.1.1590"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| url | string | URL endpoint for the request |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {"url": "This is the URL you can use to download the requested agent installer. The API c..."}}
```

### Get Device by ID

Retrieves a specific device resource by ID from Cylance Protect, providing detailed information about the device.

Endpoint URL: `/devices/v2/{{deviceid}}`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.deviceid | string | required | ID of the device to be fetched |

Input example:

```json
{"path_parameters": {"deviceid": "112a9067-eb52-4617-abec-a63efec2b4bd"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| host_name | string | Name of the resource |
| os_version | string | Output field os_version |
| os_kernel_version | string | Output field os_kernel_version |
| state | string | Output field state |
| agent_version | string | Output field agent_version |
| products | array | Output field products |
| products.name | string | Name of the resource |
| products.version | string | Output field products.version |
| products.status | string | Status value |
| policy | object | Output field policy |
| policy.id | string | Unique identifier |
| policy.name | string | Name of the resource |
| last_logged_in_user | string | Output field last_logged_in_user |
| update_type | object | Type of the resource |
| update_available | boolean | Output field update_available |
| background_detection | boolean | Output field background_detection |
| is_safe | boolean | Output field is_safe |
| date_first_registered | string | Output field date_first_registered |
| date_offline | string | Output field date_offline |
| date_last_modified | string | Output field date_last_modified |
| ip_addresses | array | Output field ip_addresses |

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Content-Encoding": "gzip", "Content-Type": "application/json; charset=utf-8", "Date": "Thu, 06 Jun 2024 10:57:00 GMT", "Server": "openresty", "Content-Length": "494", "Connection": "keep-alive"}, "reason": "OK", "json_body": {"id": "112a9067-eb52-4617-abec-a63efec2b4bd", "name": "Jimmy's Mac", "host_name": "openvpn-client-vpn-1.swimlane.io", "os_version": "macOS High Sierra 10.13.6", "os_kernel_version": "10.13.6.199506", "state": "Offline", "agent_version": "2.0.1490", "products": [{}
```

### Get Devices

Retrieves a list of devices associated with a tenant, providing a paginated collection of device resources.

Endpoint URL: `/devices/v2`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.page | number | optional | Page number to request |
| parameters.page_size | number | optional | Number of device records to retrieve per page. The maximum page size that can be specified is 10000 entries per page. |

Input example:

```json
{"parameters": {"page": 1, "page_size": 10}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| page_number | number | Output field page_number |
| page_size | number | Output field page_size |
| total_pages | number | Output field total_pages |
| total_number_of_items | number | Output field total_number_of_items |
| page_items | array | Output field page_items |
| page_items.id | string | Unique identifier |
| page_items.name | string | Name of the resource |
| page_items.state | string | Output field page_items.state |
| page_items.agent_version | string | Output field page_items.agent_version |
| page_items.os_kernel_version | string | Output field page_items.os_kernel_version |
| page_items.products | array | Output field page_items.products |
| page_items.products.name | string | Name of the resource |
| page_items.products.version | string | Output field page_items.products.version |
| page_items.products.status | string | Status value |
| page_items.policy | object | Output field page_items.policy |
| page_items.policy.id | string | Unique identifier |
| page_items.policy.name | string | Name of the resource |
| page_items.date_first_registered | string | Output field page_items.date_first_registered |
| page_items.ip_addresses | array | Output field page_items.ip_addresses |
| page_items.mac_addresses | array | Output field page_items.mac_addresses |
| page_items.date_offline | string | Output field page_items.date_offline |
| page_items.dlcm_status | string | Status value |
| page_items.days_to_deletion | string | Output field page_items.days_to_deletion |

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Content-Encoding": "gzip", "Content-Type": "application/json; charset=utf-8", "Date": "Thu, 06 Jun 2024 10:56:02 GMT", "Server": "openresty", "Content-Length": "1265", "Connection": "keep-alive"}, "reason": "OK", "json_body": {"page_number": 1, "page_size": 10, "total_pages": 1, "total_number_of_items": 9, "page_items": [{"id": "b9cb8833-fb0d-4b5a-849c-13714eacb0ba", "name": "WIN-T6FHVOQH2G1", "state": "Offline", "agent_version": "2.1.1550", "os_kernel_version": "6.3.9600.0", "products": [{
```

### Get Global List

Retrieve items from a specified global list type in Cylance Protect for tenant management.

Endpoint URL: `/globallists/v2`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.listtypeid | string | required | Parameters for the Get Global List action |
| parameters.pagenumber | string | optional | Parameters for the Get Global List action |
| parameters.pagesize | string | optional | Parameters for the Get Global List action |
| parameters.filterby | string | optional | Parameters for the Get Global List action |

Input example:

```json
{"parameters": {"listtypeid": "1", "pagenumber": "n", "pagesize": "t1", "filterby": "t2"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| added | string | Output field added |
| avindustry | object | Output field avindustry |
| category | object | Output field category |
| classification | object | Output field classification |
| listtype | object | Type of the resource |
| md5 | string | Output field md5 |
| name | string | Name of the resource |
| pagenumber | object | Output field pagenumber |
| pagesize | object | Output field pagesize |
| sha256 | string | Output field sha256 |
| subclassification | object | Output field subclassification |
| totalnumberofitems | object | Output field totalnumberofitems |
| totalpages | object | Output field totalpages |

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {"added": "This is the date and time the global list item was added.", "avindustry": null, "category": null, "classification": null, "listtype": null, "md5": "This is the MD5 hash for the file.", "name": "This is the name of the global list item.", "pagenumber": null, "pagesize": null, "reason": "
```

### Get Policies

Obtain a sorted list of Cylance Protect console policies for a tenant, ordered by most recently modified.

Endpoint URL: `/policies/v2`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.page | string | optional | Parameters for the Get Policies action |
| parameters.page_size | string | optional | Parameters for the Get Policies action |

Input example:

```json
{"parameters": {"page": "m", "page_size": "n"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| date_added | string | Output field date_added |
| date_modified | string | Output field date_modified |
| device_count | string | Count value |
| id | string | Unique identifier |
| name | string | Name of the resource |
| page_number | string | Output field page_number |
| page_size | string | Output field page_size |
| total_number_of_items | string | Output field total_number_of_items |
| total_pages | string | Output field total_pages |
| zone_count | string | Count value |

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {"date_added": "This is the date and time (in UTC) when the console policy resource was first cr...", "date_modified": "This is the date and time (in UTC) when the console policy resource was last mod...", "device_count": "This is the number of devices assigned to this policy.", "id"
```

### Get Threat Devices

Retrieve a list of devices impacted by a specified threat using the SHA256 hash as an identifier in Cylance Protect.

Endpoint URL: `/threats/v2/{{sha256}}/devices`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sha256 | string | required | Parameters for the Get Threat Devices action |
| parameters.page | string | optional | Parameters for the Get Threat Devices action |
| parameters.page_size | string | optional | Parameters for the Get Threat Devices action |

Input example:

```json
{"parameters": {"page": "m", "page_size": "n"}, "path_parameters": {"sha256": "bf17366ee3bb8068a9ad70fc9e68496e7e311a055bf4ffeeff53cc5d29ccce52"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| agent_version | string | Output field agent_version |
| date_found | string | Output field date_found |
| file_path | string | Output field file_path |
| file_status | string | Status value |
| id | string | Unique identifier |
| ip_addresses | string | Output field ip_addresses |
| mac_addresses | string | Output field mac_addresses |
| name | string | Name of the resource |
| page_number | string | Output field page_number |
| page_size | string | Output field page_size |
| policy_id | string | Unique identifier |
| state | string | Output field state |
| total_number_of_items | string | Output field total_number_of_items |
| total_pages | string | Output field total_pages |

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {"agent_version": "This is the CylancePROTECT Desktop agent version installed on the device.", "date_found": "This is the date and time (in UTC) when the threat was found on the device.", "file_path": "This is the path where the file was found on the device. Only one file path is l...
```

### Get Threat Download URL

Generates a download URL for a file identified by its SHA256 hash in Cylance Protect.

Endpoint URL: `/threats/v2/download/{{sha256}}`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sha256 | string | required | Parameters for the Get Threat Download URL action |

Input example:

```json
{"path_parameters": {"sha256": "bf17366ee3bb8068a9ad70fc9e68496e7e311a055bf4ffeeff53cc5d29ccce52"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| url | string | URL endpoint for the request |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {"url": "This is the URL you can use to download the file. The API call only provides the..."}}
```

### Get Threats

Retrieve detailed information for a specific threat within a Cylance Protect tenant.

Endpoint URL: `/threats/v2`
Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.page | string | optional | Parameters for the Get Threats action |
| parameters.page_size | string | optional | Parameters for the Get Threats action |
| parameters.start_time | string | optional | Parameters for the Get Threats action |
| parameters.end_time | string | optional | Parameters for the Get Threats action |

Input example:

```json
{"parameters": {"page": "m", "page_size": "n", "start_time": "t1", "end_time": "t2"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| avindustry | string | Output field avindustry |
| certissuer | string | Output field certissuer |
| certpublisher | string | Output field certpublisher |
| certtimestamp | string | Output field certtimestamp |
| classification | string | Output field classification |
| datedetected | string | Output field datedetected |
| datefirstdetected | string | Output field datefirstdetected |
| detectedby | string | Output field detectedby |
| deviceid | string | Unique identifier |
| devicename | string | Name of the resource |
| end_time | string | Time value |
| filesize | string | Output field filesize |
| globalquarantined | object | Output field globalquarantined |
| md5 | string | Output field md5 |
| mostrecentdetection | string | Output field mostrecentdetection |
| name | string | Name of the resource |
| page | string | Output field page |
| page_size | string | Output field page_size |
| safelisted | object | Output field safelisted |
| sha256 | string | Output field sha256 |
| signed | object | Output field signed |
| start_time | string | Time value |
| subclassification | object | Output field subclassification |

Output example (truncated on the page):

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {"avindustry": "This is the threat data from the AV industry.", "certissuer": "This is the certificate issuer.", "certpublisher": "This is the certificate publisher.", "certtimestamp": "This is the date and time when the certificate was created.", "classification": "This is the classific
```

### Update Device

Update device resource details for a specific tenant in Cylance Protect using the device ID.

Endpoint URL: `/devices/v2/{{id}}`
Method: PUT

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Update Device action |
| name | string | optional | Name of the resource |
| policy_id | string | optional | Unique identifier |
| add_zone_ids | array | optional | Unique identifier |
| remove_zone_ids | array | optional | Unique identifier |

Input example:

```json
{"json_body": {"name": "user-laptop-a123", "policy_id": "d5c6d6a3-0599-4fb5-96bc-0fdc7eacb6ea", "add_zone_ids": ["d27ff5c4-5c0d-4f56-a00d-a1fb297e440e"], "remove_zone_ids": ["639db7f7-c7f9-488d-b834-41c4522b32b6"]}, "path_parameters": {"id": "e378dacb-9324-453a-b8c6-5a8406952195"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {}}
```

### Update Device Threats

Updates the status of a convicted threat on a device within Cylance Protect. Requires 'modify' permission for threats.

Endpoint URL: `/devices/v2/{{id}}/threats`
Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Update Device Threats action |
| threat_id | string | optional | Unique identifier |
| event | string | optional | Parameter for Update Device Threats |

Input example:

```json
{"json_body": {"threat_id": "bf17366ee3bb8068a9ad70fc9e68496e7e311a055bf4ffeeff53cc5d29ccce52", "event": "Quarantine"}, "path_parameters": {"id": "e378dacb-9324-453a-b8c6-5a8406952195"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| event | string | Output field event |
| threat_id | string | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {"event": "This is the requested status update for the convicted threat, which can be eithe...", "threat_id": "This is the SHA256 hash of the convicted threat"}}
```

### Update Zone

Updates a specified zone within a Cylance Protect tenant using the provided zone ID.

Endpoint URL: `/zones/v2/{{id}}`
Method: PUT

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Update Zone action |
| name | string | optional | Name of the resource |
| policy_id | string | optional | Unique identifier |
| criticality | string | optional | Parameter for Update Zone |

Input example:

```json
{"json_body": {"name": "Test Policy", "policy_id": "d5c6d6a3-0599-4fb5-96bc-0fdc7eacb6ea", "criticality": "Normal"}, "path_parameters": {"id": "e378dacb-9324-453a-b8c6-5a8406952195"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| policy_id | string | Unique identifier |
| criticality | string | Output field criticality |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Type": "application/json; charset=utf-8", "Date": "Wed, 07 Jun 2023 21:04:11 GMT", "Server": "openresty", "Content-Length": "72", "Connection": "keep-alive"}, "reason": "", "json_body": {"name": "Test Policy", "policy_id": "d5c6d6a3-0599-4fb5-96bc-0fdc7eacb6ea", "criticality": "Normal"}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 1265 |
| Content-Type | The media type of the resource | application/json; charset=utf-8 |
| Date | The date and time at which the message was originated | Thu, 06 Jun 2024 10:56:02 GMT |
| Server | Information about the software used by the origin server | openresty |
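The Capabilities notes say a zone must be referenced by the ID at the end of its console URL, entered as a comma-separated list, and the Update Device and Add Global List actions above take those IDs and a SHA256 in their request bodies. The following is an added example, not code from the Swimlane connector or from Cylance, of validating such operator-supplied input before it is placed into a `json_body`. It assumes only the request shapes documented on this page (`add_zone_ids`, `remove_zone_ids`, `policy_id`, `sha256`, `list_type`, `category`, `reason`); the two `list_type` values accepted and the requirement that a `reason` be given are design choices of this example, not something the page states.

```python
"""Build validated request bodies for Update Device and Add Global List.

Added example (not the connector's code). Assumes the documented json_body
keys only; list_type values and the mandatory reason are this example's choices.
"""
import re
import uuid
from urllib.parse import urlparse

# Documented zone URL form: https://protect.cylance.com/zone/zonedetails/<zone id>
ZONE_URL_PATH_PREFIX = "/zone/zonedetails/"
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Assumed here: the two lists the Add Global List action can target.
ALLOWED_LIST_TYPES = ("GlobalSafe", "GlobalQuarantine")


def zone_id_from_url(zone_url: str) -> str:
    """Return the zone ID, i.e. the last path segment of a zone details URL.

    Raises ValueError when the URL is not a zone details URL or the trailing
    segment is not a UUID, so a wrongly pasted console link is rejected here
    rather than producing a confusing API error later.
    """
    path = urlparse(zone_url.strip()).path
    if not path.startswith(ZONE_URL_PATH_PREFIX):
        raise ValueError(f"not a zone details URL: {zone_url!r}")
    segment = path[len(ZONE_URL_PATH_PREFIX):].strip("/")
    try:
        return str(uuid.UUID(segment))  # canonical lower-case hyphenated form
    except ValueError:
        raise ValueError(f"zone URL does not end in a UUID: {zone_url!r}") from None


def parse_zone_id_list(value: str) -> list:
    """Split the comma-separated list the connector expects into validated IDs.

    Each item may be a bare zone ID or a full zone details URL; blanks are skipped.
    """
    ids = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        ids.append(zone_id_from_url(item) if "://" in item else str(uuid.UUID(item)))
    return ids


def build_update_device_body(name=None, policy_id=None, add_zones="", remove_zones=""):
    """Build json_body for Update Device (PUT /devices/v2/{id}).

    Only supplied keys are emitted, and a zone may not be both added and removed.
    """
    body = {}
    if name is not None:
        body["name"] = name
    if policy_id is not None:
        body["policy_id"] = str(uuid.UUID(policy_id))
    add_ids = parse_zone_id_list(add_zones)
    remove_ids = parse_zone_id_list(remove_zones)
    overlap = set(add_ids) & set(remove_ids)
    if overlap:
        raise ValueError(f"zone(s) both added and removed: {sorted(overlap)}")
    if add_ids:
        body["add_zone_ids"] = add_ids
    if remove_ids:
        body["remove_zone_ids"] = remove_ids
    return body


def build_global_list_body(sha256: str, list_type: str, category: str, reason: str) -> dict:
    """Build json_body for Add Global List (POST /globallists/v2).

    Checks the hash shape (64 hex chars, normalised to lower case), restricts
    list_type to the known lists and insists on a non-empty reason, because a
    typo here would otherwise silently safelist or quarantine the wrong file.
    """
    sha256 = sha256.strip()
    if not SHA256_RE.match(sha256):
        raise ValueError("sha256 must be 64 hexadecimal characters")
    if list_type not in ALLOWED_LIST_TYPES:
        raise ValueError(f"unsupported list_type: {list_type!r}")
    if not reason.strip():
        raise ValueError("a reason is required so the list change is auditable")
    return {"sha256": sha256.lower(), "list_type": list_type,
            "category": category, "reason": reason.strip()}


if __name__ == "__main__":
    # Sample values taken from the examples on this page.
    print(build_update_device_body(
        name="user-laptop-a123",
        policy_id="d5c6d6a3-0599-4fb5-96bc-0fdc7eacb6ea",
        add_zones="https://protect.cylance.com/zone/zonedetails/59008bce-42e9-4e6e-a7a6-36eefdccc0eb, d27ff5c4-5c0d-4f56-a00d-a1fb297e440e",
        remove_zones="639db7f7-c7f9-488d-b834-41c4522b32b6"))
    print(build_global_list_body(
        "BF17366EE3BB8068A9AD70FC9E68496E7E311A055BF4FFEEFF53CC5D29CCCE52",
        "GlobalSafe", "CommercialSoftware", "test"))
```

Running the validation on the Turbine side, before the action fires, turns a mistyped zone link or a truncated hash into an immediate, readable error instead of a silent no-op or a list entry that protects the wrong file.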
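The Get Devices action returns one page at a time, described by `page_number`, `total_pages`, `total_number_of_items` and `page_items`, with a documented maximum `page_size` of 10000. The following is an added example, not code from the connector or from Cylance, of walking every page and turning the result into a fleet summary. It assumes only that response shape; the HTTP call is abstracted as a `fetch_page(page, page_size)` callable, and the sample devices at the bottom are constructed here so the example runs offline.

```python
"""Walk every page of Get Devices (GET /devices/v2) and summarise the fleet.

Added example (not the connector's code). Assumes only the documented response
shape; the transport is injected so it can be exercised with constructed data.
"""
from collections import Counter
from typing import Callable, Dict, Iterator, List

MAX_PAGE_SIZE = 10000  # documented maximum for page_size on Get Devices
PageFetcher = Callable[[int, int], Dict]


def iter_devices(fetch_page: PageFetcher, page_size: int = 200) -> Iterator[Dict]:
    """Yield every page_items entry, requesting pages 1..total_pages.

    Stops on an empty page and never asks for more pages than the server's
    own total_pages claims, so an inconsistent API cannot loop forever. A
    device seen twice (the list shifted under us mid-walk) is yielded once.
    """
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be between 1 and {MAX_PAGE_SIZE}")
    page = 1
    seen_ids = set()
    while True:
        resp = fetch_page(page, page_size)
        items = resp.get("page_items") or []
        if not items:
            return
        for dev in items:
            if dev["id"] in seen_ids:
                continue
            seen_ids.add(dev["id"])
            yield dev
        if page >= int(resp.get("total_pages", page)):
            return
        page += 1


def fleet_summary(devices: List[Dict]) -> Dict:
    """Count devices by state and agent version, and list the offline hosts."""
    by_state = Counter(d.get("state", "unknown") for d in devices)
    by_agent = Counter(d.get("agent_version", "unknown") for d in devices)
    offline = sorted(d["name"] for d in devices
                     if str(d.get("state", "")).lower() == "offline")
    return {"total": len(devices), "by_state": dict(by_state),
            "by_agent_version": dict(by_agent), "offline": offline}


# --- constructed sample data, not output from any real tenant ---
SAMPLE_DEVICES = [
    {"id": f"00000000-0000-4000-8000-{i:012d}", "name": f"WIN-HOST{i:02d}",
     "state": "Offline" if i % 3 == 0 else "Online",
     "agent_version": "2.1.1550" if i < 6 else "2.1.1590"}
    for i in range(9)
]


def make_fake_fetcher(devices: List[Dict], calls: List) -> PageFetcher:
    """Return a fetch_page that serves `devices` in the documented page shape
    and records every (page, page_size) request in `calls`."""
    def fetch_page(page: int, page_size: int) -> Dict:
        calls.append((page, page_size))
        total_pages = max(1, -(-len(devices) // page_size))  # ceiling division
        start = (page - 1) * page_size
        return {"page_number": page, "page_size": page_size,
                "total_pages": total_pages, "total_number_of_items": len(devices),
                "page_items": devices[start:start + page_size]}
    return fetch_page


def walk_sample(page_size: int = 4):
    """Walk the constructed sample with the given page size; returns (summary, calls)."""
    calls: List = []
    devices = list(iter_devices(make_fake_fetcher(SAMPLE_DEVICES, calls), page_size))
    return fleet_summary(devices), calls


if __name__ == "__main__":
    summary, calls = walk_sample()
    print(summary)
    print("pages requested:", len(calls))
```

Swapping `make_fake_fetcher` for a function that performs the authenticated GET is the only change needed to run this against a tenant; keeping the walker free of HTTP is what makes the paging and de-duplication logic testable.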