If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
The goal of this guide is to add a new SkyFormation for CylanceProtect cloud connector to your SkyFormation Platform.
Prerequisites
To add the CylanceProtect connector to your SkyFormation app, you will need to have the following CylanceProtect account's information at hand:
- Application Id
- Application Secret
- Tenant ID
- Region
For information about how to retrieve these parameters, see How to obtain the CylanceProtect application ID/Secret and tenant ID.
Choose your region from one of these options:
- Asia Pacific – North
- Asia Pacific – Southeast
- Europe – Central
- Government
- South America
- North America
Keep the obtained values for the next steps.
Steps
1. Log on to your SkyFormation Platform.
2. Navigate via the left navigation panel to the "Settings" section
3. Navigate via the New Settings left navigation panel to the "Accounts" section
4. Click the "Add Account" button
5. At the "SELECT SERVICE TO ADD" choose "Cylance". You will see the following screen:
6. Fill in the following information:
- Account Name
Give the Cylance connector a name that is meaningful to you.
This will become your cloud app connector name displayed in the application and in the events sent to external systems such as SIEM/Log management. This is a mandatory field.
e.g. "Corporate CylanceProtect"
- Description
Add text that describes the CylanceProtect service account for you.
This is an optional field.
- App ID
The application ID from the prerequisite section
- App Secret
The application secret obtained in the prerequisite section
- Tenant ID
The tenant ID from the prerequisite section
- Region
Your tenant region
At this point you can click on "TEST CONNECTION" to make sure the connection is set up successfully, or just click on "DONE".
Start the CylanceProtect connector and make sure that the status becomes "OK" after a few seconds.
Troubleshooting test connection problems
If the test connection returns an error, please do the following to assist analysis:
Run the following script from Cylance on the SkyFormation machine.
Before you can run the script you need to:
- replace tid_val, app_id, app_secret and AUTH_URL with the real values (tenant, app id, secret and URL)
- install python : apt install python
- install pip : apt install python-pip
- install pyjwt : pip install pyjwt
- install requests : pip install requests
Script:
import jwt  # PyJWT version 1.5.3 as of the time of authoring.
import uuid
import requests  # requests version 2.18.4 as of the time of authoring.
import json
from datetime import datetime, timedelta
# 30 minutes from now
timeout = 1800
now = datetime.utcnow()
timeout_datetime = now + timedelta(seconds=timeout)
epoch_time = int((now - datetime(1970, 1, 1)).total_seconds())
epoch_timeout = int((timeout_datetime - datetime(1970, 1, 1)).total_seconds())
jti_val = str(uuid.uuid4())
tid_val = "123"  # The tenant's unique identifier.
app_id = "456"  # The application's unique identifier.
app_secret = "789"  # The application's secret to sign the auth token with.
AUTH_URL = "https://protectapi.cylance.com/auth/v2/token"
claims = {
    "exp": epoch_timeout,
    "iat": epoch_time,
    "iss": "http://cylance.com",
    "sub": app_id,
    "tid": tid_val,
    "jti": jti_val
    # The following is optional and is being noted here as an example on how one can restrict
    # the list of scopes being requested
    # "scp": "policy:create, policy:list, policy:read, policy:update"
}
encoded = jwt.encode(claims, app_secret, algorithm='HS256')
# PyJWT 1.x returns bytes, PyJWT 2.x returns str; normalise to text either way
auth_token = encoded.decode('utf-8') if isinstance(encoded, bytes) else encoded
print("auth_token:\n" + auth_token + "\n")
payload = {"auth_token": auth_token}
headers = {"Content-Type": "application/json; charset=utf-8"}
resp = requests.post(AUTH_URL, headers=headers, data=json.dumps(payload))
print("http_status_code: " + str(resp.status_code))
print("access_token:\n" + json.loads(resp.text)['access_token'] + "\n")
On a successful invocation you should see a token (string of characters and numbers) only. If you don’t see this or you see this and then an error like 401 / 403 or other, you should open a ticket with Cylance. If you do see the token and only the token, you should open a ticket with Exabeam.
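An offline pre-check for the values fed into the script above, added here as an example; it is not part of the Cylance script or of SkyFormation. It rebuilds the same HS256 token with the Python 3 standard library and lists local problems (sample values left in place, wrong secret, expired token) before any request is sent. The function names build_auth_token and preflight are hypothetical, and the 30-minute limit is taken from the script's own timeout.

```python
import base64, hashlib, hmac, json, time, uuid

PLACEHOLDERS = {"123", "456", "789"}  # sample values shipped in the script above
MAX_LIFETIME = 1800                   # seconds; the 30-minute timeout the script uses

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_auth_token(tid, app_id, app_secret, now=None):
    """Build the same claim set as the script and sign it with HMAC-SHA256."""
    now = int(time.time() if now is None else now)
    claims = {"exp": now + MAX_LIFETIME, "iat": now, "iss": "http://cylance.com",
              "sub": app_id, "tid": tid, "jti": str(uuid.uuid4())}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def preflight(token, app_secret, now=None):
    """Return a list of local problems; an empty list means none were found."""
    now = int(time.time() if now is None else now)
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        claims = json.loads(_b64url_decode(body_b64).decode("utf-8"))
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return ["token is not a three-part JWT"]
    problems = []
    expected = hmac.new(app_secret.encode(), (head_b64 + "." + body_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        problems.append("signature does not match app_secret")
    for name in ("sub", "tid"):
        if claims.get(name) in PLACEHOLDERS:
            problems.append(name + " still holds a sample value")
    if app_secret in PLACEHOLDERS:
        problems.append("app_secret still holds a sample value")
    if claims.get("exp", 0) <= now:
        problems.append("token already expired (check system clock)")
    if claims.get("exp", 0) - claims.get("iat", 0) > MAX_LIFETIME:
        problems.append("lifetime exceeds 30 minutes")
    return problems
```

An empty result only rules out these local mistakes; whether the service accepts the token is still decided by the request in the script above.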