Configure Cylance Endpoint Security to send events to a SIEM solution or syslog server
Syslog messages destined for your SIEM solution or syslog server are sent from source IP addresses that depend on the login URL for your region, so allow those addresses through any firewall in front of the listener. For more information, see Source IP addresses for a SIEM solution or syslog messages.
- In the management console, on the menu bar, click Settings > Application.
- Click the Syslog/SIEM checkbox.
- Select the events that you want to send to your organization's SIEM solution or syslog server.
- Select or type in the information for your SIEM or syslog integration. The other sections in this guide provide details and descriptions for each option.
- In the SIEM drop-down list, click the appropriate SIEM solution or syslog server.
- In the Protocol drop-down list, click the appropriate protocol. If you choose TCP, it is a best practice to also select the TLS/SSL check box so that syslog messages are encrypted in transit; UDP offers neither encryption nor delivery confirmation, so dropped messages go unnoticed. Verify that your SIEM solution or syslog server is configured to listen on the chosen protocol and port.
- If you want to include the full contents of fields with command line values, select the Allow messages over 2 KB check box to ensure that the full file path is populated in the Instigating Process Command Line field of CylanceOPTICS detection events. This setting is only available for CylanceOPTICS. If you do not select this option, the file path in the Instigating Process Command Line field of CylanceOPTICS detection events is truncated at 120 characters to keep the size of each message under 2 KB. If you do select it, make sure the receiving server accepts messages larger than 2 KB; many syslog daemons enforce a default maximum message size and silently truncate anything longer.
- In the IP/Domain field, type the FQDN or IP address of the SIEM solution or syslog server.
- In the Port field, type the port number that the SIEM solution or syslog server listens on for messages (for example, 514 for plain syslog or 6514 for syslog over TLS). The port number must be between 1 and 65535.
- In the Severity drop-down list, click the severity value that should be stamped on messages delivered to the SIEM solution or syslog server. This value is applied to every message and does not filter which events are sent; event selection is controlled by the check boxes above.
- In the Facility drop-down list, click the type of application that is logging the message. This value is placed in the syslog header and is used to categorize the messages that are received by the SIEM solution or syslog server.
- If necessary, in the Custom Token field, type the custom token that your organization's log management service (for example, SumoLogic) requires for SIEM or syslog messages.
- In the Include tenant identifiers drop-down list, specify whether the tenant ID, name, or both should be included in the syslog messages. This value allows you to easily identify the source tenant in a multiple tenant environment. By default, this option is disabled.
- Click Test Connection to verify that the management console can reach the SIEM solution or syslog server with these settings.
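After Test Connection succeeds, it is worth checking what actually arrives on the receiver against the values chosen above: the syslog PRI header should decode to the configured facility and severity, messages should not exceed 2 KB unless the receiver is known to accept them, command lines that are exactly 120 characters long are a sign that Allow messages over 2 KB is still off, and tenant identifiers should be present if you enabled them. The script below is an added example, not part of the Cylance documentation or product. The PRI encoding (facility * 8 + severity) is standard syslog; the sample lines are constructed, and the tenant_id, tenant_name and cmdline key names are assumptions standing in for whatever field layout your selected SIEM format produces.

```python
"""Sanity-check syslog lines captured on the receiving SIEM/syslog server after
enabling the Cylance Endpoint Security Syslog/SIEM integration.

Added example, not Cylance code. Message bodies are CONSTRUCTED; the real field
layout depends on the SIEM format selected in the console (assumption: fields
appear as key="value" pairs named tenant_id, tenant_name and cmdline).
"""
import re

# Standard syslog facility codes (RFC 5424 section 6.2.1); the console's
# Facility drop-down maps onto these.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 16: "local0", 17: "local1", 18: "local2",
                  19: "local3", 20: "local4", 21: "local5", 22: "local6",
                  23: "local7"}

# Limits described in the procedure: without "Allow messages over 2 KB" the
# Instigating Process Command Line is cut at 120 characters.
MAX_DEFAULT_MESSAGE_BYTES = 2048
TRUNCATED_CMDLINE_CHARS = 120

PRI_RE = re.compile(r"^<(\d{1,3})>")
CMDLINE_RE = re.compile(r'cmdline="([^"]*)"')  # assumed key name


def decode_pri(line):
    """Return (facility, severity) from the leading <PRI> of a syslog line.
    PRI = facility * 8 + severity, so PRI 134 means local0 / informational."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8


def check_line(line, expected_facility, expected_severity, expect_tenant=False):
    """Return a list of findings for one received line; an empty list means OK."""
    findings = []
    facility, severity = decode_pri(line)
    if facility != expected_facility:
        findings.append("facility %d (%s) != configured %d (%s)" % (
            facility, FACILITY_NAMES.get(facility, "?"),
            expected_facility, FACILITY_NAMES.get(expected_facility, "?")))
    if severity != expected_severity:
        findings.append("severity %d != configured %d" % (severity, expected_severity))
    size = len(line.encode("utf-8"))
    if size > MAX_DEFAULT_MESSAGE_BYTES:
        findings.append("message is %d bytes; receiver must accept >2 KB messages" % size)
    m = CMDLINE_RE.search(line)
    if m and len(m.group(1)) == TRUNCATED_CMDLINE_CHARS:
        findings.append("command line is exactly 120 chars: likely truncated, "
                        "enable 'Allow messages over 2 KB'")
    if expect_tenant and "tenant_id=" not in line and "tenant_name=" not in line:
        findings.append("no tenant identifier present")
    return findings


def audit(lines, expected_facility, expected_severity, expect_tenant=False):
    """Run check_line over a capture and return {line_index: findings}."""
    return {i: check_line(l, expected_facility, expected_severity, expect_tenant)
            for i, l in enumerate(lines)}


# Constructed sample capture. Console settings assumed: Facility local0 (16),
# Severity informational (6), tenant identifiers enabled.
HDR = "Jan  1 12:00:00 cylance-console "
SAMPLE_LINES = [
    "<134>" + HDR + 'tenant_id=5c3a tenant_name=Example event=ThreatFound '
              'cmdline="C:/Windows/System32/cmd.exe /c whoami"',      # clean
    "<13>" + HDR + 'tenant_id=5c3a event=ThreatFound cmdline="notepad.exe"',  # user/notice
    "<134>" + HDR + 'tenant_id=5c3a event=Detection cmdline="' + "A" * 120 + '"',  # truncated
    "<134>" + HDR + 'tenant_id=5c3a event=Detection cmdline="' + "B" * 2100 + '"',  # > 2 KB
    "<134>" + HDR + 'event=DeviceRegistered',                        # no tenant
]

if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_LINES, 16, 6, expect_tenant=True).items():
        print("line %d: %s" % (idx, findings or "OK"))
```

Point the script at a capture from the receiver rather than at the constructed lines to compare what the console sends with what the listener keeps; a healthy integration reports every line as OK.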