Cylance is an AI-driven endpoint detection and response (EDR) platform that allows companies to intelligently strengthen, automate, and streamline their overall endpoint security efforts 24/7/365.
- In the console, Select Settings > Application.
- Click the Syslog/SIEM checkbox.
- Select the Event Types for which you want to receive messaging.
- Select or type in the information for your Syslog or SIEM integration. The other sections in this guide provide details and descriptions for each Syslog/SIEM option.
- Click Test Connection to verify that your settings are correct.
- Click Save.
Syslog configuration is done on the Application page, on the Settings tab.
- Events: Select the Cylance event types you want to receive Syslog messaging for.
- Custom Token: Some log management services need a custom token included with each syslog message so the service can identify which account or index the message belongs to. The custom token is provided by your log management service.
Example Token: 4uOHzVv+ZKBheckRJouU3+XojMn02Yb0DOKlYwTZuDU1K+PsY27+ew==
The Custom Token field is available with all Syslog/SIEM options. Any string can be entered here, and it is sent as a custom tag with every syslog message, so it can also be used to mark the source of the messages on the receiving side.
- Facility: This is the type of application that is logging the message. The default is Internal (or Syslog). This is used to categorize the messages when they are received by the Syslog server.
- IP/Domain: This is the IP address or fully-qualified domain name of the Syslog server. Consult with your internal network experts to ensure firewall and domain settings are properly configured.
- Port: This is the port number on which the Syslog server listens for messages. It must be a number between 1 and 65535. Typical values are 514 for UDP (the standard syslog port; 512 is not a syslog port), 1235 or 1468 for TCP, and 6514 for TCP with TLS/SSL enabled. We'll use 514.
- Protocol: This must match what you have configured on your Syslog server. The choices are UDP or TCP. UDP is generally not recommended: it does not guarantee message delivery, and the TLS/SSL option is only offered for TCP. You should use the default setting, TCP.
- Security Information and Event Management (SIEM): This is the type of Syslog server or SIEM to which events are to be sent.
- Severity: This is the severity of the messages that should appear in the Syslog server. This is a subjective field, and you may set it to whatever level you like. The value of severity does not change the messages that are forwarded to Syslog.
- TLS/SSL: This option is only available if the Protocol specified is TCP. TLS/SSL ensures the Syslog message is encrypted in transit from Cylance to the Syslog server. You should check this option. Be sure your Syslog server is listening for TLS/SSL connections on the configured port and presents a certificate the Cylance console can validate; otherwise Test Connection will fail.
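The following Python script is an added example, not code from the Cylance guide or from BlackBerry. It shows what the Facility and Severity settings above actually become on the wire (the syslog PRI value, which is what the receiving server categorizes on), how a Custom Token rides inside each message, and how a receiver can verify the token and route Cylance events. The hostname, app name (CylancePROTECT), timestamp, event text and the placement of the token at the front of the message body are assumptions made for the example; the token string is the example token from this page.

```python
"""Added example (not from the Cylance Syslog Guide): Facility/Severity to PRI,
custom token handling, and receiver-side routing of Cylance syslog lines.
Hostname, app name, timestamp, event text and token placement are assumed."""
import re

# Facility and severity codes from RFC 5424, section 6.2.1.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITY_NAMES = {code: name for name, code in SEVERITIES.items()}

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"\S+ \S+ \S+ (?P<msg>.*)$"
)


def pri(facility, severity):
    """PRI = facility * 8 + severity. The receiver decodes this field, which is
    why the Facility setting is what categorises Cylance messages on arrival."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def split_pri(value):
    """Inverse of pri(): recover the facility and severity names from a PRI."""
    if not 0 <= value <= 191:
        raise ValueError(f"PRI out of range: {value}")
    return FACILITY_NAMES[value // 8], SEVERITY_NAMES[value % 8]


def build_message(facility, severity, hostname, appname, token, body, ts):
    """Build one LF-terminated line as sent over TCP. Placing the custom token
    at the start of the MSG part is an assumption for this example; the page
    does not document exactly where Cylance puts it."""
    header = f"<{pri(facility, severity)}>1 {ts} {hostname} {appname} - - -"
    payload = f"{token} {body}" if token else body
    return f"{header} {payload}\n"


def parse_message(line, expected_token=None):
    """Parse a received line. If a token is expected, verify and strip it so
    the receiver can reject lines that did not come from the configured source."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an RFC 5424 syslog line")
    facility, severity = split_pri(int(m["pri"]))
    msg = m["msg"]
    token_ok = None
    if expected_token is not None:
        token_ok = msg.startswith(expected_token + " ")
        if token_ok:
            msg = msg[len(expected_token) + 1:]
    return {"facility": facility, "severity": severity, "host": m["host"],
            "app": m["app"], "token_ok": token_ok, "msg": msg}


def route(parsed, token_required=True):
    """Receiver-side routing decision. Cylance stamps every forwarded event with
    the same configured Severity, so severity is useless as a filter here; route
    on the facility you chose in the console and drop lines with a bad token."""
    if token_required and not parsed["token_ok"]:
        return "drop"
    if parsed["facility"] == "local0":
        return "cylance"
    return "default"


if __name__ == "__main__":
    # Constructed sample: the example token from this page, assumed host/app/event.
    TOKEN = "4uOHzVv+ZKBheckRJouU3+XojMn02Yb0DOKlYwTZuDU1K+PsY27+ew=="
    line = build_message("local0", "info", "console.example", "CylancePROTECT",
                         TOKEN, "Event Type: Threat, Event Name: threat_found",
                         "2020-12-01T10:00:00Z")
    print(line, end="")
    parsed = parse_message(line, TOKEN)
    print(parsed["facility"], parsed["severity"], route(parsed))
```

On a real receiver the same decision is made by the syslog daemon's filter rules (for example matching on the facility chosen above), and the TLS listener itself can be checked before pressing Test Connection with `openssl s_client -connect <host>:6514`, which shows the certificate chain the server presents.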
https://docs.blackberry.com/content/dam/docs-blackberry-com/release-pdfs/en/cylance-syslog-guide/december-2020/Cylance Syslog Guide v2.0 rev15.pdf