
How CylanceOPTICS collects and uses data

For complete information about this product, see the Cylance Endpoint Security docs.
Item
Data collection and use
Customer administration information
BlackBerry collects the following customer administration data to deliver customer support:
  • First name
  • Last name
  • Email address
  • Phone number
Collecting data to detect and respond to threats
  • CylanceOPTICS is an endpoint detection and response solution that collects and analyzes forensic data from devices to identify and resolve threats before they impact your organization’s users and data.
  • You enable a Windows, macOS, or Linux device for CylanceOPTICS by installing the CylanceOPTICS agent alongside the CylancePROTECT Desktop agent. The CylanceOPTICS agent deploys sensors into the OS at various levels and subsystems to monitor and collect a diverse set of data that is aggregated and stored in the CylanceOPTICS cloud database.
  • You can leverage CylanceOPTICS data in several ways to protect your organization’s environment:
    • You can query device data to investigate security incidents and discover indicators of compromise.
    • You can view visual representations of device data to analyze a chain of events.
    • You can enable detection rules to specify the events that you want CylanceOPTICS to monitor and how you want CylanceOPTICS to respond to those events when they are detected.
  • The CylanceOPTICS agent sends the device data that it collects to the CylanceOPTICS cloud services. The data is aggregated and stored in the secure CylanceOPTICS cloud database. The CylanceOPTICS data analytics services offer rich interpretations of device data that you can access using the management console. For devices with agent version 2.x and earlier, the CylanceOPTICS database is stored locally on the device. Version 3.0 and later automatically aggregates, stores, compresses, and sends the data to the CylanceOPTICS cloud database at regular intervals.
  • CylanceOPTICS also offers features that enhance your ability to respond to potential threats. You can deploy packages that remotely and securely run processes to collect and store desired data, you can lock down devices temporarily to prevent the spread of malware, and you can use remote response sessions to execute device commands.
Collection of endpoint configuration data
BlackBerry collects the following information about the configuration of a device endpoint to assess the impact of potentially malicious activity on customer endpoints:
  • Hostname
  • FQDN
  • IP addresses
  • MAC addresses
  • OS information
Collection of endpoint process artifacts
BlackBerry collects the following information about endpoint process artifacts to assess the impact of potentially malicious activity on customer endpoints:
  • Name
  • ID
  • Image file path
  • Owner
  • Command line parameters
  • Description
  • Start/end date and time
  • Parent process
  • Process attributes
Collection of endpoint file artifacts
BlackBerry collects the following information about endpoint file artifacts to assess the impact of potentially malicious activity on customer endpoints:
  • Path
  • Creation and last modified date and time
  • Owner
  • File hash (MD5 & SHA-256)
  • Alternate data stream information
  • File attributes
  • File type
Collection of endpoint user artifacts
BlackBerry collects the following information about endpoint user artifacts to assess the impact of potentially malicious activity on customer endpoints:
  • Username
  • Username unique ID
  • Domain
  • Local group memberships
  • User privileges
  • Home directory path
  • Full name
  • Account status
  • Password age
  • Password status
  • Country code
  • Account type
  • Assigned workstations
  • Failed login attempts
  • Roaming configuration
Collection of endpoint registry artifacts (Windows OS only)
BlackBerry collects and processes the following information about endpoint registry artifacts to assess the impact of potentially malicious activity on customer endpoints:
  • Key path
  • Key values
  • Referenced file
Collection of endpoint network artifacts
BlackBerry collects and processes the following information about endpoint network artifacts to assess the impact of potentially malicious activity on customer endpoints:
  • DNS activity
  • Source and destination IP address
  • Source and destination port
Collection of endpoint event data
BlackBerry collects and processes the following information about endpoint event data to assess the impact of potentially malicious activity on customer endpoints:
  • File hash (MD5/SHA-256)
  • File read events
  • Logon activity
  • Windows event logs
  • All WMI events (for example, trace)
  • Removable media insertion events
  • Removable media file copy events
  • Script execution events (JScript, VBScript, VBA macro script, PowerShell)
  • Name of the user most recently logged in
  • PowerShell strings (for example, log/pass)
  • CylancePROTECT Desktop events (threat protection, memory defense, script control)
Detections data
BlackBerry collects the following information on detection data to manage the resolution of detected events:
  • Alert details
  • Status
  • Date and time
  • Assigned user
Customer administrative login activity
BlackBerry collects and processes login activity from administrators or operators of a customer's tenant (includes date and time, a user's unique identifier, status, and account name) to manage authentication auditing and risk management.
Data storage
  • BlackBerry uses the data described above to facilitate the performance of the EULA under which BlackBerry’s services and products are offered. The data is shared only with necessary third-party services that are needed to fulfill the intended purpose of the services.
  • BlackBerry will not sell, lease, or otherwise distribute this information.
  • In CylanceOPTICS agent 3.0 and later, the data that is collected by the CylanceOPTICS sensors is cached locally before it is sent to the cloud database. If the device is offline, the data is cached until the device can connect to the cloud database. A maximum of 1 GB of data can be stored locally. If more than 1 GB of data is stored before it can be uploaded, the lowest priority data will be deleted so that higher priority data can be cached.
  • The endpoint data that is collected is stored in one of the following subprocessors:
    • Amazon Web Services: Asia Pacific (Australia), Europe (Germany), North America (United States).
    • Databricks: Asia Pacific (Australia), Europe (Germany), North America (United States).

Data retention

| Personal data processed | Data retention period |
| --- | --- |
| Customer administrator information | Personal data may be deleted upon request. |
| Endpoint configuration data | Data is removed 30 days after the end of the contract. |
| Endpoint artifacts and event data | Data is stored in the cloud and is accessible for 30 days by default. The customer can increase the data retention timeframe by purchasing a longer storage duration. Backup data is stored for up to 15 months or 30 days after the end of contract, whichever is less. |
| Alert data | Data is stored in the cloud and accessible for 37 days. Customer can increase the data retention timeframe by purchasing a longer storage duration. |
| Detections data | Data is stored in the cloud and accessible for 30 days. Customer can increase the data retention timeframe by purchasing a longer storage duration. Backup data is stored for up to 15 months or 30 days after the end of contract, whichever is less. |
| Focus view data | Data is stored for 30 days. |
| InstaQuery results data | Data is stored in the cloud and accessible for 60 days. The customer can increase the data retention timeframe by purchasing a longer storage duration. |
| Remote response transaction log | Data is stored for 30 days. |
| Customer administrative login activity | Data is stored for 1 year. |