Configure adaptive response

The CylancePROTECT Application for Splunk is part of Splunk's adaptive response program. This integration allows you to investigate malicious activities and respond in real time to cyber threats detected by Cylance Endpoint Security in your organization's Splunk environment. To use adaptive response, you will need to set up an API connector in your Cylance console and Splunk environment.
  1. Log in to the Cylance console as an administrator.
  2. On the menu bar, click Settings > Integrations.
  3. Click Add Application.
  4. In the Application Name field, type Splunk API Connector.
  5. In the Global Lists row, select the Read, Write, and Delete check box.
  6. Click Save. Record the Application ID, Application Secret, and Tenant ID.
  7. On the Splunk server, on your desired Splunk search head, edit the api.py configuration file found in SPLUNK_HOME/etc/apps/cylance_protect/bin/api.py.
  8. On lines 9-12 of api.py, add the Application ID, Application Secret, and Tenant ID that you recorded.
  9. In the CylancePROTECT Application for Splunk, click Tools > API Connector.
  10. In the drop-down list, select a function. For a list of the functions and their parameters, refer to the Usage chart on the API Connector page.
  11. In the Parameter field, type the file hash.
  12. Click Submit.
  13. Review the HTTP response result at the bottom of the API Connector page. To interpret the HTTP response results from the Cylance console, refer to the HTTP Responses chart for a list of HTTP responses and their meanings.
If API calls fail after editing the api.py configuration file, the *.pyc files may need to be deleted from the $SPLUNK_HOME/etc/apps/cylance_protect/bin/ directory so that Python does not keep using stale compiled bytecode with the old values.
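The following is an added example, not code from the CylancePROTECT Application for Splunk or from BlackBerry/Cylance, showing the round trip the API Connector performs with the Application ID, Application Secret and Tenant ID placed in api.py: mint a signed JWT, exchange it for an access token, and submit the file hash from the Parameter field to a global list. The token endpoint, the JWT claim names and the global-list request fields are assumptions taken from the public Cylance User API reference rather than from this page, so confirm them against the current API documentation. The credentials are constructed placeholders, and the `offline_post` transport is a stand-in so the flow runs without network access; `urllib_post` is the real transport.

```python
"""Added example, not BlackBerry/Cylance code: the round trip the API Connector
makes with the Application ID, Application Secret and Tenant ID from api.py.

Assumptions (taken from the public Cylance User API reference, not from this
page, so confirm them against the current API documentation): the token
endpoint, the JWT claim names, and the shape of the global-list request."""
import base64
import hashlib
import hmac
import json
import re
import time
import urllib.error
import urllib.request
import uuid

# Constructed placeholders; the real values are the ones recorded in step 6.
APP_ID = "00000000-0000-0000-0000-000000000000"
APP_SECRET = "replace-with-application-secret"
TENANT_ID = "11111111-1111-1111-1111-111111111111"

AUTH_URL = "https://protectapi.cylance.com/auth/v2/token"          # assumed
GLOBAL_LIST_URL = "https://protectapi.cylance.com/globallists/v2"  # assumed
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_auth_jwt(app_id, app_secret, tenant_id, now=None, ttl=1800):
    """HS256 JWT presented to the token endpoint. The Application Secret only
    signs this token on the search head; it is never sent over the wire."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"exp": now + ttl, "iat": now, "iss": "http://cylance.com",
              "sub": app_id, "tid": tenant_id, "jti": str(uuid.uuid4())}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_claims(token):
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def verify_jwt(token, app_secret):
    """What the token endpoint does with the JWT: recompute and compare the HMAC."""
    head, body, sig = token.split(".")
    expected = hmac.new(app_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)


def global_list_request(file_hash, list_type="GlobalQuarantine",
                        reason="Added via Splunk adaptive response"):
    """Body for the global-list call. The Parameter field in step 11 is a file
    hash, so anything that is not a SHA-256 hex digest is rejected here,
    before it reaches the API."""
    if not SHA256_RE.match(file_hash):
        raise ValueError("parameter must be a 64-character hex SHA-256")
    if list_type not in ("GlobalQuarantine", "GlobalSafe"):
        raise ValueError("unknown list type")
    return {"sha256": file_hash.lower(), "list_type": list_type,
            "category": "None", "reason": reason}


def add_to_global_list(file_hash, http_post, list_type="GlobalQuarantine"):
    """Mint JWT -> exchange it for an access token -> POST the hash.
    http_post(url, headers, body) -> (status, body) is injected so the flow
    can run without network access; urllib_post below is the real transport."""
    jwt = build_auth_jwt(APP_ID, APP_SECRET, TENANT_ID)
    base = {"Content-Type": "application/json; charset=utf-8"}
    status, body = http_post(AUTH_URL, base, {"auth_token": jwt})
    if status != 200:
        return status, body  # e.g. 401: credentials in api.py are wrong or stale
    headers = dict(base, Authorization="Bearer " + body["access_token"])
    return http_post(GLOBAL_LIST_URL, headers, global_list_request(file_hash, list_type))


def urllib_post(url, headers, body):
    """Standard-library transport; returns the HTTP status so the review in
    step 13 can be done in code as well as on the API Connector page."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {"error": err.read().decode(errors="replace")}


def offline_post(url, headers, body):
    """Stand-in for the Cylance endpoints so the flow can be exercised offline."""
    if url == AUTH_URL:
        ok = verify_jwt(body["auth_token"], APP_SECRET)
        return (200, {"access_token": "demo-token"}) if ok else (401, {})
    if headers.get("Authorization") != "Bearer demo-token":
        return 401, {}
    return 200, {}


if __name__ == "__main__":
    print(add_to_global_list("a" * 64, offline_post))  # (200, {})
```

Because the Application Secret never leaves the search head (only the short-lived signed JWT and the access token do), the file that holds it, api.py, is the asset to protect: keep its filesystem permissions restricted to the Splunk service account, and treat a 401 from the token endpoint as the first sign that the values on lines 9-12 are wrong or stale.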
You can restrict access to the API connector. If a SOC or IR role exists within your Splunk
  1. In Splunk, click Settings > Roles > Add New.
  2. In the Role Name field, type CylanceAPI.
  3. Click Save.
  4. To set permissions for the role, click Settings > All Configurations.
  5. In the filter field, search for api_connector.
  6. In the Sharing column, click Permissions and confirm the following:
    • For the Everyone role, ensure that Read and Write are deselected.
    • For the CylanceAPI role, ensure that Read is selected.
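The permissions set through the Permissions dialog in step 6 are persisted by Splunk in the app's `metadata/local.meta` file, where the Everyone role appears as `*` in the `access` line. The following added check, which is not part of the CylancePROTECT Application for Splunk or of Splunk itself, parses that file and reports any stanza that still grants Everyone Read or Write or that does not grant the CylanceAPI role Read. The stanza name `views/api_connector` is an assumption (it presumes the api_connector object is saved as a view); the two sample files are constructed to show the weak and the restricted state side by side.

```python
"""Added example, not BlackBerry/Cylance or Splunk code: audit the permissions
from steps 4-6 by reading the app's local.meta on the search head instead of
trusting the UI. Assumption: the api_connector object is a view, so its stanza
is [views/api_connector]; adjust the stanza name if it is another object type."""
import re

# Constructed samples of SPLUNK_HOME/etc/apps/cylance_protect/metadata/local.meta.
# '*' in a Splunk meta access line is the Everyone role from the Permissions dialog.
SAMPLE_META_WEAK = """
[views/api_connector]
access = read : [ * ], write : [ * ]
export = none
"""
SAMPLE_META_RESTRICTED = """
[views/api_connector]
access = read : [ CylanceAPI ], write : [ ]
export = none
"""

ACCESS_RE = re.compile(r"read\s*:\s*\[([^\]]*)\]\s*,\s*write\s*:\s*\[([^\]]*)\]")


def _roles(field):
    return [r.strip() for r in field.split(",") if r.strip()]


def parse_meta(text):
    """Return {stanza: {"read": [roles], "write": [roles]}} for every stanza
    that carries an access line; stanzas without one inherit default.meta."""
    result, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        if stanza and line.startswith("access") and "=" in line:
            match = ACCESS_RE.search(line.split("=", 1)[1])
            if match:
                result[stanza] = {"read": _roles(match.group(1)),
                                  "write": _roles(match.group(2))}
    return result


def check_api_connector(meta_text, stanza="views/api_connector", role="CylanceAPI"):
    """Return a list of findings; an empty list means the stanza matches step 6:
    Everyone has neither Read nor Write, and the CylanceAPI role has Read."""
    perms = parse_meta(meta_text).get(stanza)
    if perms is None:
        return [f"{stanza}: no access line in local.meta; permissions fall back "
                f"to default.meta, so verify that file too"]
    findings = []
    if "*" in perms["read"]:
        findings.append(f"{stanza}: Everyone has Read")
    if "*" in perms["write"]:
        findings.append(f"{stanza}: Everyone has Write")
    if role not in perms["read"]:
        findings.append(f"{stanza}: {role} lacks Read")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_META_WEAK), ("restricted", SAMPLE_META_RESTRICTED)):
        print(name, check_api_connector(text) or "OK")
```

Run it against the real file with `check_api_connector(open(path).read())`; a stanza that is absent from `local.meta` is reported rather than passed, because the effective permissions then come from `default.meta` and may still include Everyone.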