Let Oomnitza be your single source of truth!
You'll get complete visibility of your assets as data from CylancePROTECT is automatically transformed into consumable information and actionable insights.
Connect Oomnitza and CylancePROTECT in minutes
You'll get visibility of your CylancePROTECT assets by creating configurable workflows to automate tasks such as:
- Managing devices, such as updating the device name, model, MAC Address, and Operating System
- Managing the device life-cycle, from performing an agent installation to deleting devices
- Managing device security, such as analyzing device threats and locking devices
Before you start
Before you can create the integration with Oomnitza, you need to have added your CylancePROTECT credentials to Oomnitza and set your CylancePROTECT Endpoint Subdomain as a global variable. For further information, refer to Adding your CylancePROTECT credentials to Oomnitza.
We recommend that you also create the extended integration for CylancePROTECT assets. You can use the information retrieved in these integrations to trigger workflows that can get assets, update assets and delete assets.
Creating workflows
Create asset workflows
To create an asset workflow, you must complete these steps:
- Click Configuration > Workflows
- Click Add (+) and select Assets from the list.
- Drag and drop the API block onto the Sandbox.
- Click Edit on the API block and enter Cylance in the search field.
- Select a preset:
- CylancePROTECT Get Asset Details
- CylancePROTECT Get Asset Extended Details
- CylancePROTECT Update Device
- CylancePROTECT Get Device Threats
- CylancePROTECT Update Device Threat
- CylancePROTECT Delete Device
- CylancePROTECT Get Agent Installer Link
- CylanceOPTICS Request File Retrieval From Device
- CylanceOPTICS Check File Retrieval Status On Device
- CylanceOPTICS Lockdown Device
- CylanceOPTICS Get Device Lockdown History
- To choose a preset, click the forward arrow (>).
- Select the credentials that you created in Adding your CylancePROTECT credentials to Oomnitza.
- Your Subdomain should be derived from the global variable you created in Adding the CylancePROTECT API Domain as a global variable.
- Configure the API Block following the preset instructions below, and save your changes.
- Edit the Begin Block and add rules to trigger the workflow. For example, if you set the Actions to New you can trigger a workflow every time a new asset is created. Refer to Using the Begin block.
- Connect the Blocks.
- Save, validate, and activate your workflow.
CylancePROTECT
Using the CylancePROTECT Get Asset Details preset
This CylancePROTECT Get Asset Details preset gets a list of device resources, by Device ID. You can configure the message payload by selecting Advanced Mode.
- In the API block window, click the Advanced Mode button located in the upper right of the window.
- Select the Information tab. You will notice that the CylancePROTECT Asset ID is referenced in the property {{cylance_device_id}}. Follow the mapping steps in Creating custom mappings so that this property exists in Oomnitza and is populated with information before you run this workflow.
- Select the Response tab. You can map the entire response by placing {{response}} in the Response field and mapping it to a custom long text Oomnitza field, such as API Response. Once you have the entire response, you can parse the JSON response values into custom Oomnitza fields as per the example below.
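The parsing step described above, as an added example that is not part of the original article or of Oomnitza's own tooling: the raw JSON stored in the long-text field is flattened into path strings so individual values can be picked out for custom fields. The sample response and the field names are constructed for illustration and are not the real CylancePROTECT schema.

```python
import json

# Constructed sample of a device-details response. The keys are assumptions
# used for illustration, not the real CylancePROTECT response schema.
SAMPLE_RESPONSE = json.dumps({
    "name": "LAPTOP-EXAMPLE",
    "os_version": "Microsoft Windows 10 Enterprise",
    "mac_addresses": ["00-11-22-33-44-55"],
    "policy": {"id": "11111111-1111-1111-1111-111111111111", "name": "Default"},
})

# Hypothetical mapping from response paths to Oomnitza custom field names.
FIELD_MAP = {
    "name": "device_name",
    "os_version": "operating_system",
    "mac_addresses[0]": "mac_address",
    "policy.name": "cylance_policy",
    "policy.version": "cylance_policy_version",  # absent from the sample: reported as missing
}


def flatten(obj, prefix=""):
    """Flatten nested dicts and lists into {"a.b[0].c": value} pairs."""
    flat = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            flat.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            flat.update(flatten(value, f"{prefix}[{index}]"))
    else:
        flat[prefix] = obj
    return flat


def map_response(raw_response, field_map):
    """Parse the stored JSON and pick the value for each custom field.

    Paths absent from the response are returned separately so a workflow
    can skip them instead of overwriting a field with an empty value.
    """
    flat = flatten(json.loads(raw_response))
    mapped, missing = {}, []
    for path, field in field_map.items():
        if path in flat:
            mapped[field] = flat[path]
        else:
            missing.append(field)
    return mapped, missing
```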
Using the CylancePROTECT Get Asset Extended Details preset
This CylancePROTECT Get Asset Extended Details preset gets a specific device resource by using the MAC address of the device. You can configure the message payload by selecting Advanced Mode.
- In the API block window, click the Advanced Mode button located in the upper right of the window.
- Select the Information tab. You will notice that the CylancePROTECT MAC Address is referenced in the property {{cylance_device_mac_address}}. Follow the mapping steps in Creating custom mappings so that this property exists in Oomnitza and is populated with information before you run this workflow.
- Select the Response tab. You can map the message response as per the example in the Get Asset Details preset.
Using the CylancePROTECT Update Device preset
This CylancePROTECT Update Device preset updates a specific device resource, by Device ID. When you select this preset you need to supply the following information:
- New Name: Name of the Device.
- New Policy ID: The unique identifier for the policy to assign to the device (specify as null or leave the string empty to remove the current policy from the device).
- New Zone ID to Add: The list of zone identifiers to which the device is to be assigned.
- New Zone ID to Remove: The list of zone identifiers from which the device is to be removed.
You can configure the message payload by selecting Advanced Mode similar to the Get Asset Details preset.
Using the CylancePROTECT Get Device Threats preset
The CylancePROTECT Get Device Threats preset gets a list of threats found on a specific device. You can configure the message payload by selecting Advanced Mode similar to the Get Asset Details preset.
Using the CylancePROTECT Update Device Threat preset
This CylancePROTECT Update Device Threat preset updates the status (waive or quarantine) of a convicted threat. When you select this preset you need to supply the following information:
- Threat ID: This is the SHA256 hash of the convicted threat.
- Event: This is the requested status update for the convicted threat, which can be either Quarantine or Waive.
You can configure the message payload by selecting Advanced Mode similar to the Get Asset Details preset.
Using the CylancePROTECT Delete Device preset
This CylancePROTECT Delete Device preset deletes a device. This is an asynchronous operation and could take up to two hours to delete the device.
You can configure the message payload by selecting Advanced Mode.
- In the API block window, click the Advanced Mode button located in the upper right of the window.
- Select the Body tab. You will notice that the CylancePROTECT Asset ID is referenced in the property {{cylance_device_id}}. Follow the mapping steps in Creating custom mappings so that this property exists in Oomnitza and is populated with information before you run this workflow.
- Select the Response tab. You can map the entire response similar to the Get Asset Details preset.
Using the Get Agent Installer Link preset
The Get Agent Installer Link preset gets a secured link to download the Agent installer. When you select this preset you need to enter the following information:
| Field Name | Suggested Values |
| Product | |
| OS | |
| Package | |
| Architecture | |
| Build | The four digit number for the Agent. Example: 1530 |
Select Advanced Mode > Response to map the entire response similar to the Get Asset Details preset.
CylanceOPTICS
Using the CylanceOPTICS Request File Retrieval From Device preset
This CylanceOPTICS Request File Retrieval From Device preset requests that the specified file be retrieved from a specified device and stored in the management console for later analysis. When you select this preset you need to supply the path to the file you want to retrieve, for example: C:\path\to\file.txt. You can configure the message payload by selecting Advanced Mode similar to the Get Asset Details preset.
Using the CylanceOPTICS Check File Retrieval Status On Device preset
This CylanceOPTICS Check File Retrieval Status On Device preset checks the status of a previously requested file retrieval operation. When you select this preset you need to supply the path of the file whose retrieval you requested, for example: C:\path\to\file.txt. You can configure the message payload by selecting Advanced Mode similar to the Get Asset Details preset.
Using the CylanceOPTICS Lockdown Device preset
This CylanceOPTICS Lockdown Device preset creates a CylanceOPTICS device lockdown command resource for a specific device. When you select this preset you need to supply the following information:
- Value: Select the checkbox to enable lockdown.
- Expires At: Enter the duration of the lockdown. The format is 'd:hh:mm', where the maximum is 3 days and the minimum is 5 minutes.
You can configure the message payload by selecting Advanced Mode similar to the Get Asset Details preset.
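A pre-check for the Expires At value described above, as an added example that is not part of the original article or of Oomnitza's tooling: it parses the 'd:hh:mm' duration and rejects anything outside the 5-minute to 3-day window before the lockdown command is sent. The requirement that hh stays below 24 and mm below 60 is an assumption added here; the page states only the format and the overall bounds.

```python
import re

# Bounds stated on the page: at least 5 minutes, at most 3 days.
MIN_MINUTES = 5
MAX_MINUTES = 3 * 24 * 60

# 'd:hh:mm' as given on the page: one digit of days, two of hours, two of minutes.
_DURATION = re.compile(r"^(\d):(\d{2}):(\d{2})$")


def lockdown_minutes(expires_at):
    """Parse a 'd:hh:mm' lockdown duration and return it in whole minutes.

    Raises ValueError for anything that is not a well-formed duration inside
    the 5-minute to 3-day window. The hh < 24 and mm < 60 checks are an
    assumption; the page gives only the format and the overall bounds.
    """
    match = _DURATION.match(expires_at.strip())
    if not match:
        raise ValueError(f"expected d:hh:mm, got {expires_at!r}")
    days, hours, minutes = (int(part) for part in match.groups())
    if hours > 23 or minutes > 59:
        raise ValueError(f"hours must be 00-23 and minutes 00-59: {expires_at!r}")
    total = days * 24 * 60 + hours * 60 + minutes
    if not MIN_MINUTES <= total <= MAX_MINUTES:
        raise ValueError(
            f"{expires_at!r} is {total} minutes; allowed range is "
            f"{MIN_MINUTES}-{MAX_MINUTES} minutes"
        )
    return total


def is_valid_lockdown(expires_at):
    """Boolean wrapper for use as a guard before the API block runs."""
    try:
        lockdown_minutes(expires_at)
    except ValueError:
        return False
    return True
```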
Using the CylanceOPTICS Get Device Lockdown History preset
This CylanceOPTICS Get Device Lockdown History preset gets the current lockdown state and lockdown history for a specific device. You can configure the message payload by selecting Advanced Mode similar to the Get Asset Details preset.