Cylance Protect v2
Overview
Use the Cylance Protect v2 integration to manage endpoints and streamline remediation and response from Cortex XSOAR.
This integration was integrated and tested with version 2.0.5 rev6 of Cylance Protect and Optics.
Prerequisites
Before you integrate Cylance Protect on Cortex XSOAR, you need to obtain a Cylance token.
- In Cylance, navigate to Settings > Integrations.
- Click Add Application.
- Enter an Application Name, and select the necessary privileges.
- Click Save.
- Record the Application ID and Application Secret for later use. You will not be able to access these later.
- Locate the Tenant ID at the top right side of the Integrations page and record it for later use.
Configure the Cylance Protect v2 Integration on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Cylance Protect v2.
- Click Add instance to create and configure a new integration instance.
- Name: A textual name for the integration instance.
- Server URL: URL of the Cylance server.
- Application ID
- Application Secret
- Tenant API Key
- Use system proxy settings
- File Threshold: Default is -59
- Fetch Incidents
- Trust any certificate (not secure)
- Click Test to validate the URLs and connection.
Understanding the Cylance Score
The Cylance score ranges from -100 to 100, and is translated as follows.
Score translation
Score Range | Color | Severity Level |
---|---|---|
-100 to -60 | Red | Malicious |
-59 to 0 | Red | Suspicious |
1 to 100 | Green | Good |
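The score translation above, with the integration's File Threshold parameter (default -59) applied, as an added example that is not part of the integration's own code. It assumes the raw API cylance_score is a float in [-1, 1] (the raw outputs on this page show -1) and that a score strictly below the threshold is malicious; the vendor string and the Malicious description are taken from the page's context examples.

```python
"""Translate Cylance scores into severity and XSOAR DBotScore values.

Added example, not the integration's own code. Labelled assumptions: the raw
API returns cylance_score as a float in [-1, 1], so it is scaled by 100 onto
the documented -100..100 scale; a score strictly below the File Threshold is
malicious, a score from the threshold up to 0 is suspicious, any positive
score is good (with the default threshold this reproduces the page's table).
"""
from dataclasses import dataclass

DEFAULT_FILE_THRESHOLD = -59  # the integration's "File Threshold" parameter
VENDOR = "Cylance Protect"    # DBotScore.Vendor as in the page's context example


@dataclass(frozen=True)
class Verdict:
    score: int        # scaled Cylance score, -100..100
    color: str        # Red or Green, as in the page's table
    severity: str     # Malicious, Suspicious or Good
    dbot_score: int   # XSOAR DBotScore: 1 good, 2 suspicious, 3 bad


def scale_score(raw: float) -> int:
    """Map the raw API value (assumed -1..1) onto the documented -100..100 scale."""
    if not -1.0 <= raw <= 1.0:
        raise ValueError(f"cylance_score out of range: {raw}")
    return int(round(raw * 100))


def classify(score: int, threshold: int = DEFAULT_FILE_THRESHOLD) -> Verdict:
    """Derive colour, severity and DBotScore from a scaled score and the threshold."""
    if not -100 <= threshold <= 0:
        raise ValueError(f"threshold must be between -100 and 0, got {threshold}")
    if not -100 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score > 0:
        return Verdict(score, "Green", "Good", 1)
    if score < threshold:
        return Verdict(score, "Red", "Malicious", 3)
    return Verdict(score, "Red", "Suspicious", 2)


def score_table(threshold: int = DEFAULT_FILE_THRESHOLD) -> list:
    """Rebuild the page's 'Score translation' rows for a given threshold."""
    return [
        (-100, threshold - 1, "Red", "Malicious"),
        (threshold, 0, "Red", "Suspicious"),
        (1, 100, "Green", "Good"),
    ]


def dbot_score_entry(threat: dict, threshold: int = DEFAULT_FILE_THRESHOLD) -> dict:
    """Build the DBotScore context that the threat commands on this page output.

    `threat` has the shape of the raw output shown on this page (sha256,
    cylance_score, ...); a malicious verdict also carries the File.Malicious
    fields shown in the page's download-threat context example.
    """
    verdict = classify(scale_score(float(threat["cylance_score"])), threshold)
    entry = {
        "DBotScore": {
            "Indicator": threat["sha256"],
            "Type": "file",
            "Vendor": VENDOR,
            "Score": verdict.dbot_score,
        }
    }
    if verdict.dbot_score == 3:
        entry["Malicious"] = {
            "Vendor": VENDOR,
            "Description": "Score determined by get threat command",
        }
    return entry


# Constructed sample record shaped like the page's get-threat raw output.
SAMPLE_THREAT = {
    "name": "sample.exe",
    "sha256": "ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA",
    "cylance_score": -1,
}
```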
Use Cases
- Retrieve and update threats and devices.
- Produce threat data report of indicators.
- Retrieve and create policies and zones.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- List console device resources for a tenant: cylance-protect-get-devices
- Get a console device resource for a tenant: cylance-protect-get-device
- Update a device: cylance-protect-update-device
- Get information for device threats: cylance-protect-get-device-threats
- Get information for console policy resources: cylance-protect-get-policies
- Create a zone: cylance-protect-create-zone
- Get information for multiple zones: cylance-protect-get-zones
- Get information for a single zone: cylance-protect-get-zone
- Update a zone: cylance-protect-update-zone
- Get information for a threat: cylance-protect-get-threat
- Get information for a threat device: cylance-protect-get-threat-devices
- Generate a report for indicators: cylance-protect-get-indicators-report
- Get information for threats: cylance-protect-get-threats
- Update device threats: cylance-protect-update-device-threats
- Get a list for hashes: cylance-protect-get-list
- Download a threat: cylance-protect-download-threat
- Add a hash to a list: cylance-protect-add-hash-to-list
- Delete a hash from a list: cylance-protect-delete-hash-from-lists
- Get details of a policy: cylance-protect-get-policy-details
- Delete devices: cylance-protect-delete-devices
- Create a new Instaquery: cylance-optics-create-instaquery
- Get Instaquery result: cylance-optics-get-instaquery-result
- List current Instaquery: cylance-optics-list-instaquery
1. List console device resources for a tenant
Returns a list of console device resources that belong to a tenant. The list is sorted by registration created date, with the most recent at the top of the list.
Base Command
cylance-protect-get-devices
Input
Input Parameter | Description |
---|---|
pageNumber | Page number, default is 1 |
pageSize | Number of device records to retrieve for each page, default is 100, maximum is 200 |
Context Output
Path | Description |
---|---|
CylanceProtect.Device.AgentVersion | CylancePROTECT Agent version installed on the device |
CylanceProtect.Device.DateFirstRegistered | Date and time (in UTC) when the device record was created |
CylanceProtect.Device.ID | Device’s unique identifier |
Endpoint.IPAddress | List of IP addresses for the device |
Endpoint.MACAddress | List of MAC addresses for the device |
Endpoint.Hostname | Device name |
CylanceProtect.Device.Policy.ID | Device policy ID |
CylanceProtect.Device.State | Machine state |
CylanceProtect.Device.Policy.Name | Device policy name |
CylanceProtect.Device.Hostname | Device name |
CylanceProtect.Device.MACAddress | List of MAC addresses for the device |
CylanceProtect.Device.IPAddress | List of IP addresses for the device |
Command Example
!cylance-protect-get-devices pageNumber=2 pageSize=75
Raw Output
{ "agent_version":"2.0.1440", "date_first_registered":"2018-01-21T15:45:42", "id":"652bbfa9-cf74-4e24-90f7-d01b16429701", "ip_addresses":[ "172.31.31.110" ], "mac_addresses":[ "06-F8-13-8B-16-C9" ], "name":"WIN-0VJ9RO3P33Q", "policy":{ "id":null, "name":"Default" }, "state":"Online" }
2. Get a console device resource for a tenant
Returns a single device resource that belongs to a tenant.
Base Command
cylance-protect-get-device
Input
Input Parameter | Description |
---|---|
id | Device ID |
Context Output
Path | Description |
---|---|
CylanceProtect.Device.AgentVersion | CylancePROTECT Agent version installed on the device |
CylanceProtect.Device.DateFirstRegistered | Date and time (in UTC) when the device record was created |
CylanceProtect.Device.BackgroundDetection | If true, the agent is running |
CylanceProtect.Device.DateLastModified | Date and time (in UTC) when the device record was last modified |
CylanceProtect.Device.DateOffline | Date and time (in UTC) when the device last communicated with the console |
CylanceProtect.Device.Hostname | Hostname for the device |
CylanceProtect.Device.ID | Unique identifier for the device |
CylanceProtect.Device.IPAddress | List of IP addresses for the device |
CylanceProtect.Device.MACAddress | List of MAC addresses for the device |
CylanceProtect.Device.IsSafe | If true, there are no outstanding threats |
CylanceProtect.Device.UpdateAvailable | If true, an update is available for the device |
CylanceProtect.Device.State | Machine state |
Endpoint.Hostname | Device hostname |
Endpoint.MACAddress | List of MAC addresses for the device |
Endpoint.IPAddress | List of IP addresses for the device |
Endpoint.OSVersion | Device OS version |
CylanceProtect.Device.OSVersion | Device OS version |
CylanceProtect.Device.Name | Device name |
Command Example
!cylance-protect-get-device id=652bbfa9-cf74-4e24-90f7-d01b16429701
Raw Output
{ "agent_version":"2.0.1440", "date_first_registered":"2018-01-21T15:45:42", "id":"652bbfa9-cf74-4e24-90f7-d01b16429701", "ip_addresses":[ "172.31.31.110" ], "mac_addresses":[ "06-F8-13-8B-16-C9" ], "name":"WIN-0VJ9RO3P33Q", "policy":{ "id":null, "name":"Default" }, "state":"Online" }
3. Update a device
Updates a specified device.
Base Command
cylance-protect-update-device
Input
Input Parameter | Description |
---|---|
id | Device ID |
name | Device name |
policyId | Policy ID |
addZones | Zone IDs to add |
removeZones | Zone IDs to remove |
Context Output
There is no context output for this command.
Command Example
!cylance-protect-update-device id=652bbfa9-cf74-4e24-90f7-d01b16429701
Raw Output
{ "Name":"TestName", "PolicyID":"7bcb0817-e9c9-444d-96e2-be9b59f429cb", "id":"6033f7a1-e66c-4aef-9c7d-ed454457d071" }
4. Get information for device threats
Returns information about threats to devices, including classification, threat score, and more.
Base Command
cylance-protect-get-device-threats
Input
Input Parameter | Description |
---|---|
id | Device ID |
pageNumber | Page number, default is 1 |
pageSize | Number of threat records to retrieve for each page, default is 100, maximum is 200 |
Context Output
Path | Description |
---|---|
File.Classification | Cylance threat classification assigned to the threat |
File.CylanceScore | Cylance score assigned to the threat |
File.DateFound | Date and time (in UTC) when the threat was found on the device |
File.FilePath | File path where the threat was found on the device |
File.FileStatus | Current status of the file on the device |
File.Name | Threat name |
File.Sha256 | SHA-256 hash for the threat |
File.SubClassification | Cylance threat sub-classification assigned to the threat |
DBotScore.Indicator | Tested indicator |
DBotScore.Type | Indicator type |
DBotScore.Vendor | Vendor used to calculate the score |
DBotScore.Score | Actual score |
Command Example
!cylance-protect-get-device-threats id=6033f7a1-e66c-4aef-9c7d-ed454457d071 pageNumber=2 pageSize=75
Raw Output
{ "classification":"Malware", "cylance_score":-1, "date_found":"2017-11-21T17:34:51", "file_path":"C:\\$Recycle.Bin\\S-1-5-21-3378384064-522475393-1698893855-1001\\$RPJNCM8\\artifacts\\2017-08-12-Trickbot-binary-from-usdata.estoreseller.com.exe", "file_status":"Default", "name":"2017-08-12-Trickbot-binary-from-usdata.estoreseller.com.exe", "sha256":"5DA547E87D6EF12349FB4DBBA9CF3146A358E284F72361DD07BBABFC95B0BAC3", "sub_classification":"Trojan" }
5. Get information for console policy resources
Returns information for console policy resources.
Base Command
cylance-protect-get-policies
Input
Input Parameter | Description |
---|---|
pageNumber | Page number, default is 1 |
pageItems | Number of items on a page, default is 100 |
Context Output
Path | Description |
---|---|
CylanceProtect.Policies.DateAdded | Date and time (in UTC) when the Console policy resource was first created |
CylanceProtect.Policies.DateModified | Date and time (in UTC) when the Console policy resource was last modified |
CylanceProtect.Policies.DeviceCount | Number of devices assigned to this policy |
CylanceProtect.Policies.Id | Unique ID for the policy resource |
CylanceProtect.Policies.Name | Policy name |
CylanceProtect.Policies.ZoneCount | Number of zones assigned to this policy |
Command Example
!cylance-protect-get-policies pageNumber=2 pageItems=75
Raw Output
{ "date_added":"2018-03-05T12:29:02", "date_modified":"2018-03-05T12:29:02", "device_count":0, "id":"7bcb0817-e9c9-444d-96e2-be9b59f429cb", "name":"Test_Policy", "zone_count":4 }
6. Create a zone
Creates a zone with a policy ID and criticality level.
Base Command
cylance-protect-create-zone
Input
Input Parameter | Description |
---|---|
name | Zone name |
policy_id | Unique ID for the policy assigned to the zone |
criticality | Criticality value of the zone |
Context Output
There is no context output for this command.
Command Example
!cylance-protect-create-zone name=TestingZone3 criticality=High
Raw Output
{ "criticality":"High", "date_created":"2018-03-13T11:38:52.2065082Z", "id":"f15b2f79-c100-4146-b056-a8005c13b2de", "name":"TestingZone3", "policy_id":"7bcb0817-e9c9-444d-96e2-be9b59f429cb" }
7. Get information for multiple zones
Returns information for multiple zones.
Base Command
cylance-protect-get-zones
Input
Input Parameter | Description |
---|---|
pageNumber | Page number to request |
pageItems | Number of zone records to retrieve for each page |
Context Output
Path | Description |
---|---|
CylanceProtect.Zones.Criticality | Criticality value of the zone |
CylanceProtect.Zones.DateCreated | Date and time (in UTC) when the zone was created |
CylanceProtect.Zones.DateModified | Date and time (in UTC) when the zone was last modified |
CylanceProtect.Zones.Id | Zone unique ID |
CylanceProtect.Zones.Name | Zone name |
CylanceProtect.Zones.PolicyId | Unique ID of the policy assigned to the zone |
CylanceProtect.Zones.UpdateType | Update type for the zone |
CylanceProtect.Zones.ZoneRuleId | Unique ID for the zone rule created for the zone |
Command Example
!cylance-protect-get-zones pageNumber=2 pageItems=10
Raw Output
{ "criticality":"High", "date_created":"2018-03-13T11:38:52", "date_modified":"2018-03-13T11:38:52", "id":"f15b2f79-c100-4146-b056-a8005c13b2de", "name":"TestingZone3", "policy_id":"7bcb0817-e9c9-444d-96e2-be9b59f429cb", "update_type":"Production", "zone_rule_id":null }
8. Get information for a single zone
Returns information for a single zone.
Base Command
cylance-protect-get-zone
Input
Input Parameter | Description |
---|---|
id | Zone ID |
Context Output
Path | Description |
---|---|
CylanceProtect.Zones.Criticality | Criticality value of the zone |
CylanceProtect.Zones.DateCreated | Date and time (in UTC) when the zone was created |
CylanceProtect.Zones.DateModified | Date and time (in UTC) when the zone was last modified |
CylanceProtect.Zones.Id | Zone unique ID |
CylanceProtect.Zones.Name | Zone name |
CylanceProtect.Zones.PolicyId | Unique ID of the policy assigned to the zone |
CylanceProtect.Zones.UpdateType | Update type for the zone |
CylanceProtect.Zones.ZoneRuleId | Unique ID for the zone rule created for the zone |
Command Example
!cylance-protect-get-zone id=f15b2f79-c100-4146-b056-a8005c13b2de
Raw Output
{ "criticality":"High", "date_created":"2018-03-13T11:38:52", "date_modified":"2018-03-13T11:38:52", "id":"f15b2f79-c100-4146-b056-a8005c13b2de", "name":"TestingZone3", "policy_id":"7bcb0817-e9c9-444d-96e2-be9b59f429cb", "update_type":"Production", "zone_rule_id":null }
9. Update a zone
Updates a specified zone.
Base Command
cylance-protect-update-zone
Input
Input Parameter | Description |
---|---|
id | Zone ID |
name | Zone name |
policyId | Unique ID for the policy assigned to the Zone |
criticality | Criticality value of the zone |
Context Output
There is no context output for this command.
Command Example
!cylance-protect-update-zone id=f15b2f79-c100-4146-b056-a8005c13b2de
Raw Output
true
10. Get information for a threat
Returns information for a threat.
Base Command
cylance-protect-get-threat
Input
Input Parameter | Description |
---|---|
sha256 | SHA-256 hash of the threat |
threshold | Threat threshold |
Context Output
Path | Description |
---|---|
File.AutoRun | Indicates if the file is set to automatically run on system startup |
File.AvIndustry | The score provided by the Anti-Virus industry |
File.CertIssuer | ID for the certificate issuer |
File.CertPublisher | ID for the certificate publisher |
File.CertTimestamp | Date and time (in UTC) when the file was signed using the certificate |
File.Classification | Threat classification for the threat |
File.CylanceScore | Cylance Score assigned to the threat |
File.DetectedBy | Name of the Cylance module that detected the threat |
File.FileSize | Size of the file |
File.GlobalQuarantine | Identifies if the threat is on the Global Quarantine list |
File.Md5 | MD5 hash for the threat |
File.Name | Threat name |
File.Running | Identifies if the threat is executing, or another executable loaded or called it |
File.Safelisted | Identifies if the threat is on the Safe List |
File.Sha256 | SHA-256 hash for the threat |
File.Signed | Identifies the file as signed or not signed |
File.SubClassification | The threat sub-classification for the threat |
File.UniqueToCylance | The threat was identified by Cylance but not by other anti-virus sources |
DBotScore.Indicator | The tested indicator |
DBotScore.Type | Indicator type |
DBotScore.Vendor | Vendor used to calculate the score |
DBotScore.Score | The actual score |
Command Example
!cylance-protect-get-threat sha256=ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Raw Output
{ "auto_run":false, "av_industry":null, "cert_issuer":"", "cert_publisher":"", "cert_timestamp":"0001-01-01T00:00:00", "classification":"Malware", "cylance_score":-1, "detected_by":"File Watcher", "file_size":3514368, "global_quarantined":true, "md5":"84C82835A5D21BBCF75A61706D8AB549", "name":"wanncry.exe", "running":false, "safelisted":false, "sha256":"ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA", "signed":false, "sub_classification":"Ransom", "unique_to_cylance":false }
11. Get information for a threat device
Returns information for a threat device.
Base Command
cylance-protect-get-threat-devices
Input
Input Parameter | Description |
---|---|
sha256 | SHA-256 hash of the threat |
Context Output
Path | Description |
---|---|
CylanceProtect.Threat.Devices.ID | Device ID |
CylanceProtect.Threat.Devices.DateFound | Date and time (in UTC) when the threat was found on the device |
CylanceProtect.Threat.Devices.AgentVersion | Agent version installed on the device |
CylanceProtect.Threat.Devices.FileStatus | Current quarantine status of the file on the device |
Endpoint.IPAddress | List of IP addresses for the device |
Endpoint.MACAddress | List of MAC addresses for the device |
Endpoint.Hostname | Device name |
CylanceProtect.Threat.Devices.PolicyID | Unique identifier of the policy assigned to the device, or null if no policy is assigned |
CylanceProtect.Threat.Devices.State | Device state |
File.SHA256 | SHA-256 hash of the threat |
File.Path | Path where the file was found on the device |
CylanceProtect.Threat.Devices.Hostname | Device name for the device |
CylanceProtect.Threat.Devices.IPAddress | List of IP addresses for the device |
CylanceProtect.Threat.Devices.MACAddress | List of MAC addresses for the device |
Command Example
!cylance-protect-get-threat-devices sha256=ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Raw Output
{ "agent_version":"2.0.1440", "date_found":"2018-01-21T15:45:46", "file_status":"Whitelisted", "id":"652bbfa9-cf74-4e24-90f7-d01b16429701", "ip_addresses":"172.31.31.110", "mac_addresses":"06-F8-13-8B-16-C9", "name":"WIN-0VJ9RO3P33Q", "policy_id":null, "state":"Online" }
12. Generate a report for indicators
Generates a report for indicators.
Base Command
cylance-protect-get-indicators-report
Input
Input Parameter | Description |
---|---|
token | Threat data report token |
Context Output
There is no context output for this command.
Command Example
!cylance-protect-get-indicators-report token=As3424$%
Raw Output
There is no raw output for this command.
13. Get information for threats
Returns information for threats.
Base Command
cylance-protect-get-threats
Input
Input Parameter | Description |
---|---|
page_size | Number of device records to retrieve for each page |
page | Page number to request |
threshold | Threat threshold |
Context Output
Path | Description |
---|---|
File.Classification | Threat classification for the threat |
File.SubClassification | Threat sub-classification for the threat |
File.Sha256 | SHA-256 hash for the threat |
File.Safelisted | Identifies if the threat is on the Safe List |
File.Name | Threat name |
File.LastFound | Date and time (in UTC) when the file was last found |
File.CylanceScore | The Cylance Score assigned to the threat |
File.GlobalQuarantine | Identifies if the threat is on the Global Quarantine list |
File.UniqueToCylance | The threat was identified by Cylance but not by other anti-virus sources |
File.FileSize | File size |
File.Md5 | MD5 hash for the threat |
DBotScore.Indicator | The tested indicator |
DBotScore.Type | Indicator type |
DBotScore.Vendor | Vendor used to calculate the score |
DBotScore.Score | The actual score |
Command Example
!cylance-protect-get-threats page_size=4
Raw Output
{ "av_industry":null, "classification":"Malware", "cylance_score":-1, "file_size":3514368, "global_quarantined":true, "last_found":"2018-01-21T15:45:46", "md5":"84C82835A5D21BBCF75A61706D8AB549", "name":"wanncry.exe", "safelisted":false, "sha256":"ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA", "sub_classification":"Ransom", "unique_to_cylance":false }
14. Update device threats
Updates multiple device threats.
Base Command
cylance-protect-update-device-threats
Input
Input Parameter | Description |
---|---|
threat_id | SHA-256 of the convicted threat |
event | Requested status update for the convicted threat |
device_id | ID of the device to update |
Context Output
There is no context output for this command.
Command Example
!cylance-protect-update-device-threats threat_id=ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Raw Output
true
15. Get a list for hashes
Returns a list for hashes.
Base Command
cylance-protect-get-list
Input
Input Parameter | Description |
---|---|
listTypeId | Type of list to retrieve hashes for |
page_size | Number of records to retrieve for each page |
page | Page number to request |
threshold | Threat threshold |
Context Output
Path | Description |
---|---|
File.Added | Timestamp when the file was added to the list |
File.AddedBy | Tenant user ID who added the file to the list |
File.AvIndustry | The score provided by the Anti-Virus industry |
File.Category | The category for the list specified (for the Global Safe list only) |
File.Classification | Threat classification assigned by Cylance |
File.CylanceScore | The Cylance score assigned to the threat |
File.ListType | List type that the threat belongs to |
File.Md5 | MD5 of the threat |
File.Sha256 | SHA-256 of the threat |
File.Name | Threat name |
DBotScore.Indicator | The tested indicator |
DBotScore.Type | Indicator type |
DBotScore.Vendor | Vendor used to calculate the score |
DBotScore.Score | The actual score |
Command Example
!cylance-protect-get-list listTypeId=0 page_size=4
Raw Output
{ "added":"2017-11-07T04:30:04", "added_by":"3ff9b11e-b64e-4350-97ba-aeb0a099b8ee", "av_industry":null, "category":"", "classification":"Malware", "cylance_score":-1, "list_type":"GlobalQuarantine", "md5":"84C82835A5D21BBCF75A61706D8AB549", "name":"wanncry.exe", "reason":"Malicious File Found", "sha256":"ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA", "sub_classification":"Ransom" }
16. Download a threat
Downloads a threat attached to a specific SHA-256 hash.
Base Command
cylance-protect-download-threat
Input
Argument Name | Description | Required |
---|---|---|
sha256 | The SHA-256 hash for the file you want to download | Required |
threshold | File threshold to determine reputation | Optional |
unzip | Check to return the file unzipped to the War Room | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | SHA-256 of the file |
File.Name | string | File name |
File.Size | number | File size |
File.Safelisted | boolean | Safelisted |
File.Timestamp | string | Timestamp |
File.Md5 | string | MD5 |
DBotScore.Indicator | string | The Indicator |
DBotScore.Score | number | The DBot score |
DBotScore.Type | string | The Indicator type |
DBotScore.Vendor | string | The DBot score vendor |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision |
File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision |
Command Example
!cylance-protect-download-threat sha256="0f427b33b824110427b2ba7be20740b45ea4da41bc1416dd55771edfb0c18f09" unzip="yes"
Context Example
DBotScore
{
 "Indicator": "AutoitLocker.exe",
 "Score": 3,
 "Type": "file",
 "Vendor": "Cylance Protect"
}
File
{
 "DownloadURL": "https://cylanceephemeralfilestore.s3.amazonaws.com/0F/42/7B/33/0F427B33B824110427B2BA7BE20740B45EA4DA41BC1416DD55771EDFB0C18F09.zip?Signature=98kI7a19I2q%2BeE7Ef1un4BjSolQ%3D&Expires=1541875473&AWSAccessKeyId=AKIAIAD6JC2YTYVBFRFA",
 "MD5": "2FC103D0D52466B63D44444CE12A5901",
 "Malicious": {
  "Description": "Score determined by get threat command",
  "Vendor": "Cylance Protect"
 },
 "Name": "AutoitLocker.exe",
 "SHA256": "0F427B33B824110427B2BA7BE20740B45EA4DA41BC1416DD55771EDFB0C18F09",
 "Safelisted": false,
 "Size": 405345,
 "Timestamp": "0001-01-01T00:00:00"
}
Human Readable Output
17. Add a hash to a list
Adds an identified threat to either the Global Quarantine list or the Global Safe list for a particular Tenant.
Base Command
cylance-protect-add-hash-to-list
Input
Argument Name | Description | Required |
---|---|---|
sha256 | SHA-256 hash of the threat to add to the list | Required |
listType | The list type the threat belongs to (GlobalQuarantine or GlobalSafe) | Required |
reason | The reason why the file was added to the list | Optional |
category | Required only if the list type is GlobalSafe. One of: Admin Tool, Commercial Software, Drivers, Internal Application, Operating System, Security Software, None | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash for the threat |
File.Cylance.ListType | string | The list type the threat belongs to (GlobalQuarantine or GlobalSafe) |
File.Cylance.Category | string | Set only if the list type is GlobalSafe. One of: Admin Tool, Commercial Software, Drivers, Internal Application, Operating System, Security Software, None |
Command Example
!cylance-protect-add-hash-to-list sha256="9ACD45F5F3F2C7629E51FE3123D31296EF763F6ABC1F895CDD1BF1AFB9A7453B" listType="GlobalQuarantine"
Human Readable Output
18. Remove a threat from a list
Removes an identified threat from either the Global Quarantine list or the Global Safe list for a particular Tenant.
Base Command
cylance-protect-delete-hash-from-lists
Input
Argument Name | Description | Required |
---|---|---|
sha256 | The SHA-256 hash for the threat | True |
listType | The list type the threat belongs to (GlobalQuarantine or GlobalSafe) | True |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | SHA-256 of the file |
File.Cylance.ListType | string | The list type the threat belongs to (GlobalQuarantine or GlobalSafe) |
Command Example
!cylance-protect-delete-hash-from-lists sha256="9ACD45F5F3F2C7629E51FE3123D31296EF763F6ABC1F895CDD1BF1AFB9A7453B" listType="GlobalQuarantine"
Human Readable Output
19. Get details for a policy
Gets details for a single policy.
Base Command
cylance-protect-get-policy-details
Input
Argument Name | Description | Required |
---|---|---|
policyID | The Tenant policy ID passed to the service endpoint. | True |
Context Output
Path | Type | Description |
---|---|---|
Cylance.Policy.ID | string | Policy ID |
Cylance.Policy.Name | string | Policy name |
Cylance.Policy.Timestamp | string | The date and time the policy was created, in UTC. |
Command Example
!cylance-protect-get-policy-details policyID="7bcb0817-e9c9-444d-96e2-be9b59f429cb"
Context Example
Cylance
{
 "Policy": {
  "ID": "7bcb0817-e9c9-444d-96e2-be9b59f429cb",
  "Name": "Test_Policy",
  "Timestamp": "2018-03-05T12:29:03.000000+00:00"
 }
}
20. Delete devices
Deletes one or more devices from an organization.
Base Command
cylance-protect-delete-devices
Input
Argument Name | Description | Required |
---|---|---|
deviceIds | The unique identifiers for the devices to delete. The maximum number of Device IDs per request is 20. | Required |
batch_size | The number of devices to delete per request (batch) | Optional |
Context Output
Path | Type | Description |
---|---|---|
Cylance.Device.Id | string | The unique identifier of the deletion request |
Cylance.Device.Name | string | Device name |
Cylance.Device.Deleted | string | Whether the device was deleted (boolean) |