Configure adaptive response
Splunk is part of Splunk's adaptive response program. This integration allows you to investigate malicious activities and respond in real time to cyber threats detected by Cylance Endpoint Security in your organization's Splunk environment. To use adaptive response, you will need to set up an API connector in your
- Log in to the Cylance console as an administrator.
- On the menu bar, click Settings > Integrations.
- Click Add Application.
- In the Application Name field, type Splunk API Connector.
- In the Global Lists row, select the Read, Write, and Delete check box.
- Click Save. Record the Application ID, Application Secret, and Tenant ID.
- On the Splunk server, on your desired Splunk search head, edit the api.py configuration file found in SPLUNK_HOME/etc/apps/cylance_protect/bin/api.py.
- In lines 9-12 of the file, add the Application ID, Application Secret, and Tenant ID that you recorded.
- In the CylancePROTECT Application for Splunk, click Tools > API Connector.
- In the drop-down list, select a function. For a list of the functions and their parameters, refer to the Usage chart on the API Connector page.
- In the Parameter field, type the file hash.
- Review the HTTP response result at the bottom of the API Connector page. To interpret the HTTP response results returned by the Cylance console, refer to the HTTP Responses chart for a list of HTTP responses and their meanings.
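The three values recorded above are what api.py uses to authenticate to the Cylance API, and the Parameter field expects a file hash. The following helpers are an added example (not the api.py shipped with the CylancePROTECT app for Splunk) showing how those credentials are turned into the signed JWT that the Cylance User API exchanges for an access token, plus two pre-flight checks a search head can run before calling out; the claim layout (iss, sub, tid, jti, iat, exp, HS256 over the Application Secret) and the SHA-256 format of Global List hashes are assumed from the Cylance User API documentation and should be confirmed against your tenant's API guide.

```python
"""Pre-flight helpers for the Cylance API connector credentials (added example).

Assumptions (not stated on the page): the auth JWT carries iss/sub/tid/jti/iat/exp
and is HS256-signed with the Application Secret; Global List hashes are SHA-256.
"""
import base64
import hashlib
import hmac
import json
import re
import time
import uuid

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Constructed placeholder values; real ones come from lines 9-12 of api.py.
PLACEHOLDERS = {"", "YOUR_APP_ID", "YOUR_APP_SECRET", "YOUR_TENANT_ID"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_auth_jwt(app_id, app_secret, tenant_id, now=None, ttl=1800):
    """Build the HS256 JWT that is posted to the token endpoint for an access token."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "http://cylance.com", "sub": app_id, "tid": tenant_id,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token, app_secret):
    """Recompute the signature locally and return the claims; raises on mismatch."""
    head, body, sig = token.split(".")
    expected = hmac.new(app_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("JWT signature does not match the Application Secret")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def check_hash_param(value):
    """Reject anything that is not a 64-hex SHA-256 before it reaches the API."""
    v = value.strip()
    if not SHA256_RE.match(v):
        raise ValueError("Parameter must be a 64-character hexadecimal SHA-256 hash")
    return v.lower()


def credentials_configured(app_id, app_secret, tenant_id):
    """True only when none of the three api.py values is blank or a placeholder."""
    return all(v is not None and v.strip() not in PLACEHOLDERS for v in (app_id, app_secret, tenant_id))
```

Running credentials_configured before the first API call gives a clearer failure than the HTTP 4xx you would otherwise read off the API Connector page.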
If API calls fail after editing the api.py configuration file, the *.pyc files may need to be deleted from the
You can restrict access to the API connector. If an SOC or IR role exists within your
- In Splunk, click Settings > Roles > Add New.
- In the Role Name field, type CylanceAPI.
- To set permissions for the role, click Settings > All Configurations.
- In the filter field, search for api_connector.
- In the Sharing column, click Permissions and confirm the following:
  - For the Everyone role, ensure that Read and Write are deselected.
  - For the CylanceAPI role, ensure that Read is selected.