Configure

Cylance Endpoint Security

to send events to a SIEM solution or syslog server

In the management console, on the menu bar, click

Settings > Application

.

Click the

Syslog/SIEM

checkbox.

Select the events that you want to send to your organization's SIEM solution or syslog server.

Select or type in the information for your SIEM or syslog integration. The other sections in this guide provide details and descriptions for each option.

In the

SIEM

drop-down list, click the appropriate SIEM solution or syslog server.

In the

Protocol

drop-down list, click the appropriate protocol. If you choose TCP, it is a best practice to select the

TLS/SSL

check box to ensure that the syslog message is encrypted in transit (verify that your SIEM solution or syslog server is configured to listen for messages).

If you want to include the full contents of fields with command line values, select the

Allow messages over 2 KB

check box. Currently this applies only to certain

CylanceOPTICS

message values.

In the

IP/Domain

field, type the FQDN or IP address of the SIEM solution or syslog server.

In the

Port

field, type the port number that you want the SIEM solution or syslog server to listen on for messages. The port number must be between 1 and 65535.

In the

Severity

drop-down list, click the severity of the messages that should appear in the SIEM solution or syslog server. This value does not change the messages that are sent to the SIEM solution or syslog server.

In the

Facility

drop-down list, click the type of application that is logging the message. This value is used to categorize the messages that are received by the SIEM solution or syslog server.

If necessary, in the

Custom Token

field, type the custom token that your organization’s log management service (for example, SumoLogic) requires for SIEM or syslog messages.

Click

Test Connection

to verify that your settings are correct.

Click

Save

.