Providing Cylance Credentials to Arctic Wolf

Configuration Guide

Overview

This document describes how to retrieve the credentials that Arctic Wolf® needs to monitor Cylance. After you complete this configuration, Arctic Wolf can monitor logs from your Cylance environment.

Note: We currently support the CylancePROTECT and CylanceOPTICS products. We integrate with the Threats, Detection, and MemoryProtection API endpoints.

As part of this configuration, you must provide the following information about your Cylance application to Arctic Wolf using the Arctic Wolf Portal:

  • Tenant ID

  • Application ID

  • Application Secret

Before you begin

This process requires you to have administrator access to the Cylance console.

Creating an API application

To create an API application:

  1. Sign in to the Cylance console as an administrator.

  2. Select Settings > Integrations.

  3. Click Add Application.

  4. Enter a memorable name for the application in the Application Name text box.

  5. Select READ as the Access Privilege for all console data types. Monitoring only reads data from your Cylance environment, so do not grant write or delete privileges to this application.

  6. Click Save. A dialog box opens that displays the Application ID and the Application Secret.

  7. Copy both the Application ID and the Application Secret values to a secure location, such as a password or secrets manager. Treat the Application Secret like a password: do not send it over email or chat. You need to provide these values to Arctic Wolf as part of Providing credentials to Arctic Wolf.

  8. Click OK to dismiss the dialog box.

  9. Go to Settings > Integrations.

  10. Copy the Tenant ID, located near the Application list, to a secure location. You need to provide this value to Arctic Wolf as part of Providing credentials to Arctic Wolf.
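Before handing the three values over, it is worth confirming that they were copied correctly and that they authenticate as a read-only application. The script below is an added example and is not part of the Arctic Wolf guide or of the Cylance product. It builds the short-lived HS256 JWT that the Cylance User API expects (claims iss, sub = Application ID, tid = Tenant ID, exp, iat, jti) and verifies it locally with the Application Secret; the claim set, the regional API hosts and the /auth/v2/token endpoint follow the Cylance User API documentation as the author of this example understands it and should be checked against the current Cylance documentation. All identifiers in the script are constructed placeholders.

```python
"""Sanity-check Cylance API credentials before providing them to a third party.

Added example (not Arctic Wolf's or Cylance's code). The claim names, the
30-minute token lifetime limit, the regional hosts and the token endpoint
are assumptions taken from the Cylance User API docs as recalled here;
verify them against the current documentation for your tenant.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Regional API hosts; the region must match the service endpoint you pick in the
# Arctic Wolf Portal. Assumption: confirm the host list against the Cylance docs.
REGION_HOSTS = {
    "NA": "protectapi.cylance.com",
    "EU": "protectapi-euc1.cylance.com",
    "AU": "protectapi-au.cylance.com",
    "APNE1": "protectapi-apne1.cylance.com",
    "SAE1": "protectapi-sae1.cylance.com",
}

MAX_LIFETIME_S = 30 * 60  # assumption: Cylance rejects exp more than 30 min out


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url; restores padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_auth_jwt(tenant_id, app_id, app_secret, lifetime_s=MAX_LIFETIME_S,
                   now=None, jti=None):
    """Build the HS256-signed auth token from the three console values."""
    now = int(time.time()) if now is None else now
    lifetime_s = min(lifetime_s, MAX_LIFETIME_S)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "exp": now + lifetime_s,
        "iat": now,
        "iss": "http://cylance.com",   # fixed issuer string per the Cylance docs
        "sub": app_id,                 # Application ID
        "tid": tenant_id,              # Tenant ID
        "jti": jti or str(uuid.uuid4()),  # unique token id, replay protection
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_auth_jwt(token, app_secret, now=None):
    """Check signature, algorithm, expiry and required claims locally.

    Returns the claims dict, or raises ValueError describing what is wrong
    (the most common problem is a mis-copied Application Secret).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    head, body, sig = parts
    expected = hmac.new(app_secret.encode(), f"{head}.{body}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature: wrong Application Secret?")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    claims = json.loads(_b64url_decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    for name in ("iss", "sub", "tid"):
        if not claims.get(name):
            raise ValueError(f"missing claim {name}")
    return claims


def request_access_token(region, tenant_id, app_id, app_secret, timeout=15):
    """Exchange the JWT for an access token over the network (optional, needs connectivity)."""
    import urllib.request
    body = json.dumps({"auth_token": build_auth_jwt(tenant_id, app_id, app_secret)}).encode()
    req = urllib.request.Request(
        f"https://{REGION_HOSTS[region]}/auth/v2/token", data=body, method="POST",
        headers={"Content-Type": "application/json; charset=utf-8"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())["access_token"]


if __name__ == "__main__":
    # Constructed placeholder values; real ones come from Settings > Integrations.
    TENANT_ID = "11111111-2222-3333-4444-555555555555"
    APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    APP_SECRET = "example-secret-do-not-use"
    token = build_auth_jwt(TENANT_ID, APP_ID, APP_SECRET)
    print("local check OK, claims:", verify_auth_jwt(token, APP_SECRET))
```

The local check catches a truncated or mis-pasted secret without touching the network; calling request_access_token with your real values and the region that matches the service endpoint you will select in the Arctic Wolf Portal confirms end to end that the application is accepted by the Cylance API. If the token exchange fails with an authorization error, re-check the Tenant ID and region before regenerating anything.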

Providing credentials to Arctic Wolf

To provide your cloud application details to Arctic Wolf on the Arctic Wolf Portal:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.


  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select Cylance from the list of cloud services, and then:

    1. Enter a descriptive name for the credentials.

    2. Paste these values from Creating an API application:

      • Tenant ID

      • Application ID

      • Application Secret

    3. Select a service endpoint for your location from the list.

  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team (CST) provisions security monitoring for your cloud application, the status of your account changes to Connected.

All third-party API integrations that are part of the Arctic Wolf® Managed Detection and Response (MDR) offering are designed with a polling frequency of approximately 15 minutes. Time-based events are polled with a 5-to-40-minute delay to ensure data availability within the third-party API endpoint. For new deployments, after the API integration is successfully configured with the necessary credentials, we begin polling and reviewing activity from approximately 1 hour prior to configuration success.

If the credentials fail, for example because they have expired or been revoked, we notify you and request a new set of API credentials. After a polling failure, we replay only 12 hours of data, counted from when the refreshed credentials are provided, so replace failed credentials promptly to avoid gaps in monitoring coverage.