CylanceOptics Administration Guide - BlackBerry


BlackBerry Optics Administration Guide 2.5.3010

2022-02-09Z

Contents

What is CylanceOPTICS? 7
Architecture overview 7
How it works 8
Agent requirements 9
Operating system requirements 10
Hardware requirements 12
Virtual machines 12
Browsers supported 12
Additional requirements 13
Network 13
Firewall 14
Proxy 14
Access the Registry 14
Disable Proxy Bypass 15
Windows API and Signed Files 15
Download CylanceOPTICS from the Application page 16
Windows Installation 17
Directory Locations - Windows 17
Windows Services 17
Windows Command Line Options 17
macOS Installation 19
Directory Locations - macOS 19
macOS Secure Kernel Extension Loading 19
macOS Command Line Options 20
Linux Installation 21
Install RHEL/CentOS, SUSE, or Amazon Linux 2 21
Install Ubuntu 21
Software Requirements - Linux 21
Directory Locations - Linux 22
Stop or Start the Linux Service 22
Things to Know About the Linux Agent 22
Uninstalling CylanceOPTICS 23
Uninstall Windows using Add/Remove Programs 23
Uninstall Windows using the Command Line 23
Uninstall macOS 23
Uninstall Linux 24
Upgrading to v2.5 25
Edit a Policy 26
Configurable Sensor Descriptions 26
Things to Know about the Optics Policy 27
Devices 28
Device Drawer 28
Export device list 29
Device export descriptions 29
Device details page 29
File Download History 30
Role Management 31
Using InstaQuery 32
InstaQuery Capabilities Descriptions 32
Start an InstaQuery 33
View InstaQuery Results and Previous Queries 34
Global Quarantine 34
Download File 34
Export InstaQuery list 35
InstaQuery export descriptions 35
InstaQuery Facet Breakdown 35
InstaQuery Troubleshooting 38
InstaQuery Results Descriptions 38
Focus Data 43
About Focus Data 43
Threats and Activities 43
Export Historical List View 44
Pivot Queries 44
Detections 45
Detection Environment Overview 45
First Time Using Detection Rule Sets 45
Detection Tab 46
Detection Status Event 46
Delete Detection Events 46
Detection Details Page 46
View Artifacts of Interest 47
Create a Detection Note 47
Lockdown a Device from Detection Details 47
Export Details to JSON 47
Use Detection Rule Sets 48
Apply a Detection Rule Set to a Policy 48
Descriptions for Detection Rule Set Options 48
Custom Rules 49
View Detection Rules 49
Edit Clone Export and Delete Custom Rules 49
Custom Rule Editor 50
Exclusion Rules and Performance Tuning 50
Detection Exceptions 51
Create a Detection Exception from the Detection Details Page 51
Create a Detection Exception from the Detection Exceptions Page 52
Add Exception to Detection Rule Set 52
False Positive Detections 53
Changing the Status on the Detections Page 53
Changing the Status on the Detection Details Page 53
Detection Rule Set Best Practices 53
Package Playbook 54
About Package Playbooks 54
Create a Package Playbook 54
Clone a Package Playbook 54
Associate a Package Playbook with a Detection Rule 55
Package Playbook Execution Confirmation 55
Package Playbook Endpoint Behavior 55
Locking Down an Endpoint 56
Lockdown an Endpoint 56
Unlock an Endpoint 56
Remote Response 58
Why Remote Response is not Available for a Device 58
Using Remote Response 59
Remote Response Terminal 59
Reserved Commands 59
Examples of Remote Response 60
Download Remote Response Audit Logs 61
Remote Response Log Descriptions 61
Context Analysis Engine Custom Rule Builder 62
States 63
Functions 64
Field Operators 64
Operands - Facet Value Extractors 69
Artifacts of Interest 72
Paths 76
Filters 77
List of Responses 79
Configurable Sensors 80
Sensed events, artifacts, and facets 83
Legal notice 96

What is CylanceOPTICS?

CylanceOPTICS operates by deploying sensors into the endpoint's operating system at various levels and against various subsystems to collect a diverse set of information, and then aggregates that information into a localized data store to track, alert upon, and respond to complex malicious situations as they unfold. CylanceOPTICS connects to a cloud-based analytics backend infrastructure through a lightweight communications network that enables users, using the Cylance Console, to command and query CylanceOPTICS in real time against their local data store of forensic data.

CylanceOPTICS consists of the following components.

Endpoint Service (integrated with the endpoint agent of CylancePROTECT): The Endpoint Service is a .NET/Mono 4.5 service with native and managed sensors that observe, interpret, catalog, and provide interfaces into endpoint events.
Communication Network: The Communication Network is a mesh-like network bridging thousands of endpoints together with a communication management framework, delivering real-time interaction and awareness.
Data Analytics Backend: The Data Analytics Backend is a highly scalable backend that delivers rich interpretations of endpoint data, as well as an API-first approach to endpoint management.
CylanceOPTICS Microsite in Management Console: The CylanceOPTICS microsite is an ever-evolving front-end delivering powerful views and capabilities from inside endpoints directly to security professionals.

Architecture overview

Enterprise Endpoints and Endpoint Architecture: When CylanceOPTICS is installed, sensors are deployed to collect system-level events that are transformed and stored locally on the endpoint. Any events that take place after CylanceOPTICS is installed can have commands executed against them (see below).
Commands and Policies: From the console, users can investigate and issue commands to perform actions on the endpoints. Examples of this include returning query results from the endpoint database through InstaQuery or Focus Views. Commands can also be issued to take actions on that endpoint, like returning a file to the console for analysis or locking down a device from all network activity.
CylanceOPTICS Data: The device sends requested data to the AI engine, which dynamically scales to perform aggregation, enrichment, and correlation.

How it works

CylanceOPTICS is installed alongside CylancePROTECT on each endpoint and is controlled and managed from within the same console. CylanceOPTICS stores forensically pertinent data in a secure database locally on each endpoint. This data is retrieved on demand by performing what is known as an InstaQuery (IQ), or uploaded automatically when a CylancePROTECT event occurs, depending upon policy settings.

The data is then correlated and ultimately presented as focus views within the console. Focus views contain the correlated chain of events displayed visually as well as in full detail. Additional remediation actions can be taken on endpoints based upon the results returned from an IQ or focus view.

CylanceOPTICS stores, retrieves, correlates, and presents the following artifacts and supporting details.

DNS: When a domain resolution is requested and answered
File: When non-empty files are created, modified, deleted, or renamed
Network: Information about IP addresses, ports, and associated events
PowerShell: When a PowerShell command or script is executed
Process: When processes are created or modified
Registry: Alterations to the Windows registry surrounding persistent events
Thread: When processes are injected or spawned from another process
Windows Events: When specific security-relevant Windows Events occur
WMI: When Windows Management Instrumentation (WMI) queries are executed

Agent requirements

CylanceOPTICS:
- CylanceOPTICS version 2.3.2020 or later is required to configure communication through a proxy server only.
- CylanceOPTICS version 2.4.2100 or later is required to enable Configurable Sensors in a device policy. For desktops and laptops, Configurable Sensors requires Windows 10 or later. For servers, Configurable Sensors requires Windows Server 2016 or later. Note: See Configurable Sensors for recommendations and details for using this feature.
- CylanceOPTICS version 2.5.1100 or later is required for the Linux agent.

CylancePROTECT:
- CylancePROTECT version 1400 or later
- CylancePROTECT version 1468 or later is required for Custom Endpoint Notifications
- CylancePROTECT version 1560 or later is required for the CylanceOPTICS Linux agent

Operating system requirements

Windows Desktop:
- Windows 7 (32-bit and 64-bit). KB4054518 must be installed on Windows 7 (32-bit and 64-bit) systems. For more information, read the KB article here.*
- Windows 7 Embedded (32-bit and 64-bit). KB4054518 must be installed on Windows 7 Embedded (32-bit and 64-bit) systems. For more information, read the KB article here.*
- Windows 8 and 8.1 (32-bit and 64-bit)
- Windows 10 (32-bit and 64-bit):
  - Anniversary Update (v1607, Redstone)
  - Creators Update (v1703, Redstone 2)
  - Fall Creators Update (v1709, Redstone 3)
  - April 2018 Update (v1803, Redstone 4), requires CylanceOPTICS version 2.2.1012 or later
  - October 2018 Update (v1809, Redstone 5), requires CylanceOPTICS version 2.2.2021 or later
  - May 2019 Update (v1903, Redstone 6), requires CylanceOPTICS version 2.3.2060 or later
  - November 2019 Update (v1909 - 19H2), requires CylanceOPTICS version 2.5.1100 or later
  - May 2020 Update (v2004 - 20H1), requires CylanceOPTICS version 2.5.1100 or later
  - October 2020 Update (20H2), requires CylanceOPTICS version 2.5.2100 or later
  - 21H1, requires CylanceOPTICS version 2.5.3010
  - 21H2, requires CylanceOPTICS version 2.5.3010
  - Enterprise LTSC 2019, requires CylanceOPTICS version 2.5.3010
- Windows 11, requires CylanceOPTICS agent 2.5.3010

Windows Server:
- Windows Server 2008 R2 (64-bit), requires CylanceOPTICS version 2.2 or later. KB4054518 must be installed on Windows Server 2008 R2 (64-bit) systems that use CylanceOPTICS v2.2 or later. For more information, read the KB article here.*
- Windows Server 2012 (64-bit), requires CylanceOPTICS version 2.2 or later
- Windows Server 2012 R2 (64-bit), requires CylanceOPTICS version 2.2 or later
- Windows Server 2016 (64-bit), requires CylanceOPTICS version 2.2 or later
- Windows Server 2019 (64-bit), requires CylanceOPTICS version 2.5.1100 or later

* BlackBerry Support does not provide assistance in searching for or implementing any Microsoft-related KBs or other third-party patches. For any issues with finding or implementing Microsoft-related KBs, please reach out to Microsoft for assistance.

macOS:
- macOS High Sierra (10.13)
- macOS Mojave (10.14), requires CylancePROTECT Agent version 1510 or later, and CylanceOPTICS version 2.3.2021 or later
- macOS Catalina (10.15), requires CylancePROTECT Agent version 1560 or later, and CylanceOPTICS version 2.4.2100.5401 or later

CylanceOPTICS for macOS requires CylancePROTECT Agent version 1480 or later. CylanceOPTICS 2.5.3000 or later supports the Apple notarization service.

macOS High Sierra (10.13) includes a new security feature that requires users to approve new third-party kernel extensions. Read macOS Secure Kernel Extension Loading for more information.

If you are running macOS Mojave (10.14) or later, you must enable Full Disk Access on your macOS system. If Full Disk Access is not enabled, BlackBerry products will be unable to process files secured by user data protection. Read the macOS - Full Disk Access Requirements article for more information.

Attempting to install CylancePROTECT on macOS Catalina or later with System Integrity Protection (SIP) disabled may fail. Running CylancePROTECT with SIP disabled has not been tested on these macOS versions.

Linux:
- RHEL/CentOS 7.0 to 7.8
- RHEL/CentOS 8.0 and 8.1
- Ubuntu 16.04.03 to 16.04.06
- Ubuntu 18.04
- Amazon Linux 2
- SUSE Enterprise Linux 12 SP2, SP3, and SP4

CylanceOPTICS for Linux requires CylancePROTECT Agent version 1560 or later and CylanceOPTICS Agent version 2.5.2000 or later. The Linux distro kernel must be supported by the CylancePROTECT Agent. For more information, see the KB article Linux Distro Kernel List Supported by Cylance.

kernel-headers and kernel-devel are required; the version depends on the kernel installed. libelf (ELF library) is also required. Both should be handled by the package manager on installation.

Firewalld must be enabled; it is required for the lockdown device feature. Firewalld should be available by default with RHEL/CentOS. It must be installed manually for Ubuntu and Amazon Linux. The lockdown device feature is not supported on SUSE 12 (SLES 12).

Hardware requirements

CPU: Intel Core i5 processor or higher (or equivalent) is recommended; 4 threads (2 cores with hyper-threading) or 4 cores
Memory: 4GB
Available disk space: At least 1GB recommended. CylanceOPTICS data stored locally can be over 100MB per day for business systems.

Virtual machines

CylanceOPTICS is very resource intensive and has a very specific set of minimum requirements to ensure functionality without negatively impacting performance. BlackBerry Engineering is in the process of delivering these minimum VDI system requirements to the support team. Until this is complete, support for CylanceOPTICS on VDI is best effort.

Workarounds: When using CylanceOPTICS on a virtual machine, use the following suggestions when attempting to resolve issues.
- Disable the WMI enhanced introspection sensor. This can reduce the number of events being recorded.
- Try installing the latest version of the CylanceOPTICS agent.

Browsers supported

Google Chrome (recommended): Latest version
Mozilla Firefox: Latest version
Microsoft Edge: Latest version
Microsoft Internet Explorer: Version 11 with latest updates

Additional requirements

.NET Framework: Version 4.5 SP1 or higher (Windows only)
kernel-headers and kernel-devel: Version depends on the kernel installed (Linux only)
Internet connection: To register the product
Local administrator rights: To install the product

Network

CylanceOPTICS communicates over secure websockets (WSS) and must be able to establish this connection directly. For organizations that manage network traffic, for example through a proxy, there are some Cylance hosts that the agent must be allowed to communicate with in order to properly display data in the Console.

Note: See the CylancePROTECT Administrator Guide for the hosts specific to CylancePROTECT communications.

For CylanceOPTICS, allow the following domains (based on your region):

Asia-Pacific Northwest: tent-apne1.cylance.com
Asia-Pacific Southeast: t-apse2.cylance.com
Europe Central: t-euc1.cylance.com
North America: com
South America: t-sae1.cylance.com

CylanceOPTICS Domain Descriptions

The following descriptions apply to all ons, InstaQuery, Focus View, Refract Packages, and Refract om InstaQuery results
opticspolicy.cylance.com: Download CylanceOPTICS policy settings
content.cylance.com: Download refract packages

Firewall

No on-premises software is required to manage endpoints. Agents are managed by and report to the console. Port 443 (HTTPS) is used for communication and must be open on the firewall in order for the agents to communicate with the console. The console is hosted by Amazon Web Services (AWS) and doesn't have any fixed IP addresses. Alternatively, you can allow HTTPS traffic to *.cylance.com.

Note: For the cylance-optics-files-use1.s3.amazonaws.com host (or the similar host for other regions), it is recommended to allow that specific host. It is not recommended to allow *.amazonaws.com because it is not specific to the CylanceOPTICS host.
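As an added example (not code from the BlackBerry guide), the following Python models the egress allow-list this section describes: a hostname wildcard for *.cylance.com on port 443 plus the single S3 host, compared against the *.amazonaws.com wildcard the note advises against. The sample destinations other than the hosts quoted in the guide are constructed.

```python
"""Hostname-based egress allow-list check for CylanceOPTICS agent traffic.

Added example, not BlackBerry's code. The console has no fixed IPs, so the
guide's allow-listing is by hostname on TCP 443 (HTTPS/WSS). The over-broad
*.amazonaws.com entry is included only to show what it would admit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    pattern: str   # exact host, or "*.suffix" wildcard
    port: int


def host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match. "*.example.com" matches subdomains only: it
    rejects the bare apex and names that merely end in "example.com"."""
    host = host.rstrip(".").lower()
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]               # ".example.com", dot included
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(rules, host: str, port: int) -> bool:
    return any(r.port == port and host_matches(r.pattern, host) for r in rules)


def admitted_only_by(rules_a, rules_b, destinations):
    """Destinations that rules_b admits but rules_a does not."""
    return [d for d in destinations
            if not is_allowed(rules_a, *d) and is_allowed(rules_b, *d)]


# Allow-list as the guide recommends: wildcard plus the one specific S3 host.
RECOMMENDED = (
    Rule("*.cylance.com", 443),
    Rule("cylance-optics-files-use1.s3.amazonaws.com", 443),
)
# Allow-list the guide warns against: any bucket in the region would pass.
OVERBROAD = (
    Rule("*.cylance.com", 443),
    Rule("*.amazonaws.com", 443),
)

# Constructed sample destinations (the unrelated bucket name is made up).
SAMPLE = [
    ("opticspolicy.cylance.com", 443),
    ("content.cylance.com", 443),
    ("cylance-optics-files-use1.s3.amazonaws.com", 443),
    ("some-unrelated-bucket.s3.amazonaws.com", 443),
    ("content.cylance.com", 80),            # wrong port, must be refused
    ("notcylance.com", 443),                # not a subdomain of cylance.com
]

if __name__ == "__main__":
    for h, p in SAMPLE:
        print(f"{h}:{p} recommended={is_allowed(RECOMMENDED, h, p)} "
              f"overbroad={is_allowed(OVERBROAD, h, p)}")
    print("admitted only by *.amazonaws.com:",
          admitted_only_by(RECOMMENDED, OVERBROAD, SAMPLE))
```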

