
BlackBerry CylancePROTECT

In the context of Fluency SIEM, this plugin integration is named as follows:

PLUGIN_NAME = Cylance

Platform_PluginLambda

The Platform_PluginLambda function is a built-in function that allows the FPL script to access and (remotely) call the corresponding vendor plugin(s) for the APIs listed below.

The CUSTOMER argument is used to specify one or more running instance(s) of the same type of plugin, in the case of multiple customers' data going into a single Fluency SIEM deployment.

Note: Wildcards (*) are accepted for this argument to facilitate selection.

The LAMBDA_FUNCTION argument is a lambda that provides the actual logic that will be performed remotely on the selected plugin.

    Platform_PluginLambda(<PLUGIN_NAME>, <CUSTOMER>, <LAMBDA_FUNCTION>)

Example:

    function main() {
        // Run the lambda on every Cylance plugin instance ("*" matches all customers)
        return Platform_PluginLambda("Cylance", "*", (customer) => {
            // Load threats from the last 7 days, keeping only the fields of interest
            let threats = Cylance_LoadThreat({start_time: "-7d"}, (obj) => {
                let {sha256, md5, name, global_quarantined, safelisted, classification, sub_classification} = obj
                let ID = uuid()
                return {ID, sha256, name, global_quarantined, classification, safelisted, sub_classification, customer}
            })
            // Enrich each threat row with the devices and paths where the hash was seen
            threats.NewColumns( ({sha256}) => {
                let devices = Cylance_GetThreatDevices(sha256)
                let filePaths = []
                for (let i = 0; i < len(devices); i++) {
                    let device = devices[i]
                    filePaths = append(filePaths, device.name + device.file_path)
                }
                let info = Cylance_GetThreatInfo(sha256)
                return {filePaths, detected_by: info.detected_by}
            })
            return {threats}
        })
    }

Cylance_LoadThreat

    let threats = Cylance_LoadThreat({start_time: "-7d"}, (obj) => {
        let {sha256, md5, name, global_quarantined, safelisted, classification, sub_classification} = obj
        let ID = uuid()
        return {ID, sha256, name, global_quarantined, classification, safelisted, sub_classification, customer}
    })

Cylance_LoadDevice

  • Cylance_LoadDevice()
    • gets all Cylance devices

Cylance_GetThreatDevices

  • Cylance_GetThreatDevices(sha256)
    • gets all Cylance threat devices with the sha256

    let devices = Cylance_GetThreatDevices(sha256)

Cylance_GetDevice

  • Cylance_GetDevice(id)
    • gets the Cylance device with the id

    let device = Cylance_GetDevice(id)

Cylance_GetThreatInfo

  • Cylance_GetThreatInfo(sha256)
    • gets all the threat info with the sha256

    let info = Cylance_GetThreatInfo(sha256)

Cylance_GetThreatDownload

  • Cylance_GetThreatDownload(sha256)
    • gets all the threat downloads with the sha256

    Cylance_GetThreatDownload(sha256)

Cylance_AddGlobalList

  • Cylance_AddGlobalList(sha256, list_type, category, reason)
    • adds the entry with the sha256, list_type, category and reason to the global list

    Cylance_AddGlobalList(sha256, list_type, category, reason)
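Added example (not from the Fluency documentation): a per-customer triage view built from the functions above, targeting a single plugin instance instead of "*" and flagging threats that have no verdict yet. It assumes "acme" is a placeholder for a configured customer instance name and that the boolean operators behave as in the JavaScript-like syntax of the page's own example.

```fpl
// Added example, not Fluency's own code. "acme" is a placeholder customer name.
function main() {
    return Platform_PluginLambda("Cylance", "acme", (customer) => {
        // Threats from the last 7 days; each row carries the customer it came from
        let threats = Cylance_LoadThreat({start_time: "-7d"}, (obj) => {
            let {sha256, name, classification, global_quarantined, safelisted} = obj
            let ID = uuid()
            return {ID, sha256, name, classification, global_quarantined, safelisted, customer}
        })
        // Enrich each threat with the number of affected devices and a response flag
        threats.NewColumns( ({sha256, global_quarantined, safelisted}) => {
            let devices = Cylance_GetThreatDevices(sha256)
            let info = Cylance_GetThreatInfo(sha256)
            // needs_action: hash present on at least one device and neither
            // globally quarantined nor safelisted (assumes !, && as in JavaScript)
            let needs_action = len(devices) > 0 && !global_quarantined && !safelisted
            return {device_count: len(devices), detected_by: info.detected_by, needs_action}
        })
        return {threats}
    })
}
```

Rows with needs_action set are the ones an analyst would review before deciding whether to use Cylance_AddGlobalList to record a verdict.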