Cylance Monitoring

Updated Sep 27, 2023

Configure Cylance monitoring

This document describes how to retrieve the credentials that Arctic Wolf® needs to monitor Cylance. After you complete this configuration, Arctic Wolf can monitor logs from your Cylance® environment.

Note: We currently support the CylancePROTECT and CylanceOPTICS products. We integrate with the Threats, Detection, and MemoryProtection API endpoints.

As part of this configuration, you must provide this information about your Cylance application to Arctic Wolf using the Arctic Wolf Portal:

  • Tenant ID
  • Application ID
  • Application Secret

Before you begin

This process requires you to have administrator access to the Cylance console.

Create an API application

  1. Sign in to the Cylance console as an administrator.

  2. Click Settings > Integrations.

  3. Click Add Application.

  4. Enter a memorable name for the application in the Application Name field.

  5. Select READ for Access Privilege for all console data types.

  6. Click Save. A dialog opens that displays the Application ID and the Application Secret.

  7. Copy both the Application ID and the Application Secret values to a secure location. You need to provide these values to Arctic Wolf as part of Provide credentials to Arctic Wolf.

  8. Click OK to close the dialog.

  9. Click Settings > Integrations.

  10. Copy the Tenant ID, located near the Application list, to a secure location. You need to provide this value to Arctic Wolf as part of Provide credentials to Arctic Wolf.

  11. Proceed to Provide credentials to Arctic Wolf.

Provide credentials to Arctic Wolf

Note: If API credentials fail, for example, due to expired credentials, Arctic Wolf will notify you and request a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to ensure complete data polling and coverage. See MDR polling frequency for more information.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Cylance.

  6. On the Add Account page, complete these steps:

    1. Account Name — Enter a unique and descriptive name for the account.

    2. For each of these fields, paste the appropriate value from Create an API application:

      • Tenant ID
      • Application ID
      • Application Secret

    3. From the API Hostname list, select a service endpoint for your location.

    4. Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.

  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.
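The following Python script is an added example; it is not part of the Arctic Wolf documentation or of the Cylance product. It gives you a way to confirm, before you submit the values, that the Tenant ID, Application ID, and Application Secret you copied belong together. It assumes the Cylance User API authentication flow (a JWT signed with the Application Secret using HS256, carrying the claims iss, sub, tid, jti, iat, and exp, posted as auth_token to /auth/v2/token on the regional API hostname, with a token lifetime of at most 30 minutes); the hostname protectapi.cylance.com, the function names, and the sample values in the block are assumptions rather than values from this page. Only request_access_token contacts the API; the other functions run offline.

```python
"""Build, check, and optionally exchange the auth JWT used by the Cylance User API.

Added example (not Arctic Wolf's or Cylance's code). Endpoint path, claim names,
issuer string, lifetime limit and hostname are assumptions about the Cylance User API.
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.request
import uuid

DEFAULT_API_HOST = "protectapi.cylance.com"   # assumption: North America hostname; use your API Hostname
TOKEN_PATH = "/auth/v2/token"                 # assumption: User API token endpoint
ISSUER = "http://cylance.com"                 # assumption: required iss claim value
MAX_TOKEN_LIFETIME = 30 * 60                  # assumption: exp may be at most 30 minutes after iat


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JWT segments strip, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_auth_token(tenant_id, app_id, app_secret, now=None, lifetime=600, jti=None):
    """Sign a JWT with the Application Secret (HS256) carrying the claims the API expects."""
    now = int(time.time()) if now is None else int(now)
    if not 0 < lifetime <= MAX_TOKEN_LIFETIME:
        raise ValueError("lifetime must be between 1 and 1800 seconds")
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "exp": now + lifetime,
        "iat": now,
        "iss": ISSUER,
        "sub": app_id,          # Application ID from the Integrations page
        "tid": tenant_id,       # Tenant ID from the Integrations page
        "jti": jti or str(uuid.uuid4()),
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_claims(token: str) -> dict:
    """Return the claims segment without verifying it, for inspection only."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_auth_token(token, app_secret, now=None):
    """Check a token the way the API would: signature first, then the claims."""
    try:
        header_seg, claims_seg, sig_seg = token.split(".")
    except ValueError:
        return False, "token is not three dot-separated segments"
    expected = hmac.new(app_secret.encode(), f"{header_seg}.{claims_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        return False, "signature does not match the Application Secret"
    claims = json.loads(b64url_decode(claims_seg))
    now = int(time.time()) if now is None else int(now)
    for key in ("exp", "iat", "iss", "sub", "tid", "jti"):
        if key not in claims:
            return False, f"missing claim {key}"
    if claims["iss"] != ISSUER:
        return False, "issuer must be http://cylance.com"
    if claims["exp"] <= now:
        return False, "token already expired"
    if claims["exp"] - claims["iat"] > MAX_TOKEN_LIFETIME:
        return False, "token lifetime exceeds 30 minutes"
    return True, "ok"


def request_access_token(tenant_id, app_id, app_secret, api_host=DEFAULT_API_HOST, timeout=15):
    """Exchange the signed auth token for a short-lived access token (makes a network call)."""
    body = json.dumps({"auth_token": build_auth_token(tenant_id, app_id, app_secret)}).encode()
    req = urllib.request.Request(
        f"https://{api_host}{TOKEN_PATH}", data=body,
        headers={"Content-Type": "application/json; charset=utf-8"}, method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Constructed placeholder values; replace with the ones copied from the Cylance console.
    token = build_auth_token("TENANT-ID-PLACEHOLDER", "APP-ID-PLACEHOLDER", "APP-SECRET-PLACEHOLDER")
    print(decode_claims(token))
    print(verify_auth_token(token, "APP-SECRET-PLACEHOLDER"))
```

Pass the api_host that matches the API Hostname you select in step 3. A token exchange that succeeds shows the three values belong to the same application; because the application was created with READ privilege only, that access token cannot change console settings. Keep the Application Secret out of shell history and log files, since it signs every authentication request.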

MDR polling frequency

Arctic Wolf® Managed Detection and Response (MDR) polls third-party API integrations at regular intervals. Time-based events are polled with a delay to make sure data is available within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, Arctic Wolf begins polling and reviewing activity from approximately 1 hour prior to configuration success.