The CylancePROTECT App for Splunk

The CylancePROTECT® App for Splunk makes real-time threat monitoring and analysis easy. We’ve combined the math-based capabilities of CylancePROTECT with the power of Splunk to provide you with all the tools you need to closely monitor and analyze threat data and malicious activity across your organization, in order to help secure your endpoints.

In this technical demonstration video, Tony Lee, Senior Technical Director of Professional Services at Cylance, demonstrates the freely available CylancePROTECT App for Splunk. This joint Cylance/ Splunk integration provides both a high-level overview for executives as well as the details needed by the analysts to investigate the incident.

We’ll walk you through the data feeds, dashboards, and workflows to show the value of enabling this capability within your organization.

VIDEO TRANSCRIPT:

Today, we'd like to show you the CylancePROTECT app for Splunk. You begin by downloading our free application from the app manager within Splunk, or directly from Splunkbase. When visiting our download page on Splunkbase, you will find an overview of the application, which includes a description, versioning information, and a link to our related technology add-on.

Clicking on the details tab provides high-level installation instructions, as well as a link to our detailed installation and configuration guide (Note: Cylance account creation required to view). This detailed guide includes important topics which include requirements, installation, configuration of multiple data sources, and uninstallation if that proves necessary at any point - as well as troubleshooting steps and contact information in case you need more support.

Here's an example of content showing the configuration of real time Syslog alerts. After the Cylance Splunk app is downloaded and configured to receive data, you will notice that the application has been designed for both managers and responding analysts. Managers can review the heads-up dashboards that provide statistical visibility across the entire environment. Analysts and responders can use those same dashboards to pivot into the details required to complete their investigation.

Syslog Overview Dashboard

The Syslog overview dashboard for example, is a heads-up awareness dashboard that provides information regarding each prevention component within the PROTECT agent, such as mathematical model convictions, memory exploit protection, script control, application control, device control, and even an indicator of any humans overriding mathematical convictions.

You will also notice that every dashboard contains useful filters to help with investigations. These include a time-range selector, a tenant selector (which is quite useful for multi-tenant organizations such as MSSPs), and a wildcard filter, which can be used to search over any data field. To illustrate these filters, we will create a wildcard filter for Mimikatz and select ‘all time.’ We can see that we have 43 events over five devices. Scrolling down will provide details on the devices and the file names. All data within the app is hyperlink-clickable, thus, clicking on the 43 will show us the threat event details.

Within this data, you will notice that all of the key fields are necessary for a responding analyst to complete their investigation, including host information, file path, filename, and the hash which can be used for identification and further research. Each prevention mechanism within the PROTECT agent has their own heads-up awareness dashboard, providing a statistical breakdown of the most critical fields. The example shown is for mathematically convicted threats. However, we also provide a heads-up dashboard for memory exploits, script control and device control.

Detailed Device Information

In addition to threat awareness, we also provide detailed device information which includes the number of hosts that are online versus offline, when they last communicated, the number of files analyzed, breakdowns for versions, policy zones, and even operating systems. Device details are shown at the bottom of the dashboard.

We also provide the ability to visually see and correlate attacker behavior using the indicator correlation dashboards. Taking our previous example for instances of Mimikatz within the environment, we will select the file name from the drop-down and search for Mimikatz over all time. This visually illustrates which file was found on each system. We can also change the left filter from device name to SHA-256 to see if any of the files have changed hashes during the attack.

Additionally, changing the left filter to file path shows where the files were discovered, which can help identify attacker TTPs, and also lead us to other tools or information that could be found in those directories.Cylance is part of Splunk's adaptive response framework, which allows users to take action across the enterprise without ever leaving Splunk. Currently, we provide users with the ability to retrieve information from the global whitelists and blacklists as well as modifying both lists by using the add and delete functions. For example, if a user would like to add a known bad hash to the global blacklist, they can do so by selecting that function and selecting a hash and pasting it in as a parameter. If they need to reverse that decision for any reason, they can simply select the ‘delete from global blacklist’ function and click, submit, again.

As you will see the HTTP status 200 code shows that it's successful. But there are also useful error messages that exist for instances where a user tries to add or delete hashes that already exist.

We hope that you enjoyed the video tour of the CylancePROTECT app for Splunk.

And we wish you happy Splunking.

About Splunk

The Splunk application provides powerful analytics by converting raw data into a valuable and searchable data repository that generates custom reports, alerts, and dashboards to assist with your organization’s business security operations.

This gives security professionals and IT administrators the ability to:

  • Quickly identify and respond to new threats detected in your environment
  • Identify patterns in threat data and user activity over configurable periods of time
  • Drill down into specific threat and device data to obtain detailed information for incident response and troubleshooting

Get the free CylancePROTECT app on Splunkbase at: https://splunkbase.splunk.com/app/3233/

Also see:
How the CylancePROTECT App for Splunk Works
Introducing Splunk: Real-Time Threat Monitoring and Analysis Made Easy