CylanceOPTICS

release notes

This release includes the new

CylanceOPTICS

agent for

Windows

version 3.3.2311.0.

For more information about supported operating systems, see the Cylance Endpoint Security compatibility matrix.

CylanceOPTICS

3.3 features significant enhancements to the underlying logic and methods that the

CylanceOPTICS

cloud services and the

CylanceOPTICS

agent use to identify security threats. These changes include:

Improvements to how the
CylanceOPTICS
agent collects context-relevant event data for a given detection.
Improved collection and identification of the processes and events that precede a given detection, and of the noteworthy processes and events that follow a given detection. This provides a more detailed and accurate picture of the factors that may have resulted in the detection and of the aftermath of that detection.
Improved data collection methodologies controlled by the
CylanceOPTICS
cloud services, enabling
CylanceOPTICS
to stay ahead of a threat landscape that is always evolving. These changes ensure that the agent can collect the most valuable telemetry while also tuning out data that is not relevant.

This release of the

CylanceOPTICS

agent adds three new optional sensors for

Windows

devices:

COM Object Visibility: Allows the
CylanceOPTICS
agent to monitor COM objects.
HTTP Visibility: Allows the
CylanceOPTICS
agent to track
Windows
HTTP transactions.
Module Load Visibility: Allows the
CylanceOPTICS
agent to monitor module loads.

These sensors require the

CylancePROTECT Desktop

agent version 3.2 or later.

For more information, see CylanceOPTICS optional sensors in the

Cylance Endpoint Security

Setup content.

Previously, the

CylanceOPTICS

agent collected the Provider Name, Class, and Event ID facets for Windows Event artifacts. This release adds significant data collection enhancements for

Windows

Events, with the agent collecting the data defined in the EventData facet of the artifact (for example, this can include ObjectServer, PrivilegeList, Process ID, Process Name, Service, or other facets).

For more information, see Data structures that CylanceOPTICS uses to identify threats in the

Cylance Endpoint Security

Setup content.

This release introduces the following enhancements to the advanced query feature in the management console:

As you type the EQL syntax for a query, syntax options and validation messages will display to help you build your query.
You can now schedule the execution of an advanced query for a specific date and time, and you can schedule a query to run on a regular interval.
When you set the scope of your query to specific devices, an icon displays indicating whether each device is online.
New options to filter query results.
When you select a result and open the fly-out menu, you can view additional event data and filter the query results to show matches for one or more facets.
Various UI improvements make it easier for you to add a query, copy a query, and apply and clear zones, devices, and filters for queries.
You can now export the results of a query to a CSV file.

For more information, see Create an advanced query in the

Cylance Endpoint Security

Administration content.

The April update of the

CylanceOPTICS

cloud services adds new event name values to audit log messages that can be reported to SIEM solutions and syslog servers. The new Event Name fields are associated with the lockdown configuration feature:

LockdownConfigurationAdd
LockdownConfigurationEdit
LockdownConfigurationDelete

For more information about audit log events, see the Cylance Syslog Guide.

The

Cylance

User API now includes the lockdown configurations API. You can use this API to perform actions on partially locked devices, including:

Getting a list of custom partial lockdown profiles
Creating a custom partial lockdown profile
Updating a custom partial lockdown profile
Deleting a custom partial lockdown profile

For more information, see the Cylance User API Guide.