Articles in this section

See more

Adding CylanceProtect cloud Connector to SkyFormation platform

Avatar
Shira Ben-dor
  • Updated
Follow

If you're having trouble at any stage please contact us at support@skyformation.com

Preface

The goal of this guide is to add a new SkyFormation for CylanceProtect cloud connector to your SkyFormation Platform.

Prerequisites

To add the CylanceProtect connector to your SkyFormation app, you will need to have the following CylanceProtect account's information at hand:

  1. Application Id
  2. Application Secret
  3. Tenant ID
  4. Region

For information about how to retrieve these parameters, see How to obtain the CylanceProtect application ID/Secret and tenant ID.

Choose your region from one of these options:

Asia Pacific – North
Asia Pacific – Southeast
Europe – Central
Government
South America
North America

Keep the obtained values  for the next steps.

Steps

1. Logon to your SkyFormation Platform:

2. Navigate via left navigation panel to "Settings" section

3. Navigate via New Settings left navigation panel to "Accounts" section

4. Click the "Add Account" bottom

5. At the "SELECT SERVICE TO ADD" choose "Cylance". You will see the following screen:

6. Fill in the following information:

    - Account Name
        Give the Cylance connector a meaningful name for you. 
        This will become your cloud app connector name displayed in the application and the 
        events sent to external systems as SIEM/Log management. This is a mandatory field.

      e.g. "Corporate CylanceProtect"     

    - Description
      Add a text that describes the CylanceProtect service account for you.

     This is an optional field.

   - App ID
      The application ID from the prerequisite section

   - App Secret
      The application secret obtained in the prerequisite section

   - Tenant ID
      The tenant ID from the prerequisite section

  - Region
      Your tenant region

 

At this point you can click on "TEST CONNECTION" to make sure the connection is setup successfully, or just click on "DONE".

Start the CylanceProtect connector and make sure that the status becomes "OK" after a few seconds.

 

Troubleshooting test connection problems

If test connection returns error, please do the following to assist analysis:

Please run the following script from Cylance on the skyformation machine .

Before you can run the script you need to :

  1. replace tid_val, app_id,app_secretand AUTH_URL with the real values (tenant, app id, secret and URL)
  2. install python : apt install python
  3. install pip : apt install python-pip
  4. install pyjwt : pip install pyjwt
  5. install requests : pip install requests

 

Script:

 

import jwt # PyJWT version 1.5.3 as of the time of authoring.
import uuid
import requests # requests version 2.18.4 as of the time of authoring. import json
import json

from datetime import datetime, timedelta
# 30 minutes from now
timeout = 1800
now = datetime.utcnow()
timeout_datetime = now + timedelta(seconds=timeout)
epoch_time = int((now - datetime(1970, 1, 1)).total_seconds())
epoch_timeout = int((timeout_datetime - datetime(1970, 1, 1)).total_seconds())
jti_val = str(uuid.uuid4())
tid_val = "123" # The tenant's unique identifier.
app_id = "456" # The application's unique identifier.
app_secret = "789" # The application's secret to sign the auth token with.
AUTH_URL = "https://protectapi.cylance.com/auth/v2/token"
claims = {
"exp": epoch_timeout,
"iat": epoch_time,
"iss": "http:/cylance.com",
"sub": app_id,
"tid": tid_val,
"jti": jti_val

# The following is optional and is being noted here as an example on how one can restrict # the list of scopes being requested
# "scp": "policy:create, policy:list, policy:read, policy:update"
}

encoded = jwt.encode(claims, app_secret, algorithm='HS256')
print("auth_token:\n" + encoded.decode('utf-8') + "\n")
payload = {"auth_token": encoded.decode('utf-8')}
headers = {"Content-Type": "application/json; charset=utf-8"}
resp = requests.post(AUTH_URL, headers=headers, data=json.dumps(payload))
print("http_status_code: " + str(resp.status_code))
print("access_token:\n" + json.loads(resp.text)['access_token'] + "\n")

On a successful invocation you should see a token (string of characters and numbers) only. If you don’t see this or you see this and then an error like 401 / 403 or other, you should open a ticket with Cylance. If you do see the token and only the token, you should open a ticket with Exabeam.

DONE!

Related articles

Comments

0 comments

Please sign in to leave a comment.