Querying Cylance Protect Api From Shell

We use Cylance as our AV-type protection. It's one of the better solutions I've seen, but there are some strange gaps in my opinion. There doesn't seem to be a built-in method for alerting. One of the things we'd like to be able to alert on is when a device goes "offline", and apparently this information is not provided through Cylance's syslog output. It is, however, available from their API.

Since we use Elasticsearch at Bede, and use it as the basis for a lot of our alerting, I wanted to get the device status records from Cylance into Elasticsearch so I could alert our security team when Cylance agents stopped reporting in.

After a bit of reading, the Cylance API seemed simple enough, so I whipped up a bit of shell using curl, jq, openssl, etc. to authenticate and authorize, and then be able to hit any of the API endpoints.
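As an added illustration of the curl/jq/openssl approach described above (this is example code written for this page, not the code from the author's repository), the script below builds the signed JWT the Cylance Protect token endpoint expects, exchanges it for a bearer token, and filters a device listing down to agents whose state is "Offline". The endpoint paths (`/auth/v2/token`, `/devices/v2`), the JWT claim names (`iss`, `sub`, `tid`, `jti`, `iat`, `exp`), the `auth_token`/`access_token` JSON keys, the `page_items`/`state`/`date_offline` response fields and the `protectapi.cylance.com` host are assumptions from the vendor API as I recall it; check them against the current API documentation for your region before relying on them.

```shell
#!/bin/sh
# Example code added for this page; not the author's repo code.
# Endpoint paths, claim names and response field names are assumptions
# taken from the vendor API documentation as remembered. Verify them.

CYLANCE_API="${CYLANCE_API:-https://protectapi.cylance.com}"   # host is region-specific (assumption)

# base64url: standard base64 on one line, URL-safe alphabet, no '=' padding
base64url() {
    openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# hs256_jwt <app_id> <tenant_id> <app_secret> [lifetime_seconds]
# Prints an HS256-signed JWT: iss and sub carry the application id, tid the
# tenant id, jti a random nonce, iat/exp the validity window.
hs256_jwt() {
    app_id="$1"; tenant_id="$2"; secret="$3"; ttl="${4:-900}"
    now=$(date +%s)
    header=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | base64url)
    payload=$(printf '{"iss":"%s","sub":"%s","tid":"%s","jti":"%s","iat":%s,"exp":%s}' \
        "$app_id" "$app_id" "$tenant_id" "$(openssl rand -hex 16)" \
        "$now" "$((now + ttl))" | base64url)
    # The secret is passed to openssl on its command line, so it is briefly
    # visible in the process list; keep the secret out of shell history too.
    sig=$(printf '%s.%s' "$header" "$payload" \
        | openssl dgst -sha256 -hmac "$secret" -binary | base64url)
    printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# jwt_segments <jwt>: number of dot-separated parts (a well-formed JWT has 3)
jwt_segments() { printf '%s' "$1" | awk -F. '{print NF}'; }

# jwt_part <jwt> <n>: the n-th segment of the token, for sanity checks
jwt_part() { printf '%s' "$1" | cut -d. -f"$2" | tr -d '\n'; }

# cylance_token <app_id> <tenant_id> <app_secret>
# POSTs the JWT to the token endpoint and prints the bearer access token.
cylance_token() {
    jwt=$(hs256_jwt "$1" "$2" "$3")
    curl -sS -X POST "$CYLANCE_API/auth/v2/token" \
        -H 'Content-Type: application/json' \
        -d "{\"auth_token\":\"$jwt\"}" | jq -r '.access_token'
}

# offline_devices: reads a /devices/v2 JSON response on stdin and prints
# "name<TAB>date_offline" for each device whose state is Offline.
offline_devices() {
    jq -r '.page_items[] | select(.state == "Offline")
           | [.name, (.date_offline // "")] | @tsv'
}

# cylance_offline <app_id> <tenant_id> <app_secret>: end-to-end query.
# The page/page_size query parameters are an assumption; adjust as needed.
cylance_offline() {
    token=$(cylance_token "$1" "$2" "$3")
    curl -sS "$CYLANCE_API/devices/v2?page=1&page_size=200" \
        -H "Authorization: Bearer $token" | offline_devices
}

# Constructed sample response (not real data) for exercising the filter offline:
SAMPLE_DEVICES='{"page_items":[
  {"name":"LAPTOP-01","state":"Online","date_offline":null},
  {"name":"LAPTOP-02","state":"Offline","date_offline":"2020-01-01T00:00:00"}]}'

# Usage (after sourcing this file):
#   cylance_offline "$APP_ID" "$TENANT_ID" "$APP_SECRET"
# Dry run of the filter without network access:
#   printf '%s' "$SAMPLE_DEVICES" | offline_devices
```

The output of `offline_devices` is tab-separated so it can be piped straight into whatever feeds your Elasticsearch index; keep the token lifetime short (the default above is 15 minutes), and store the application secret in an environment variable or a file with restrictive permissions rather than on the command line.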

Hopefully someone else finds it useful as well; the code can be found here: https://github.com/robrankin/bash-cylance-protect-api

Credit for some very helpful notes to: https://gist.github.com/indrayam/dd47bf6eef849a57c07016c0036f5207