Skip Navigation

Configure
Cylance Endpoint Security
to send events to a SIEM solution or syslog server

The source IP addresses for your SIEM solution or syslog messages are sent from IP addresses based on the login URL for your region. For more information, see Source IP addresses for a SIEM solution or syslog messages.
  1. In the management console, on the menu bar, click
    Settings > Application
    .
  2. Click the
    Syslog/SIEM
    checkbox.
  3. Select the events that you want to send to your organization's SIEM solution or syslog server.
  4. Select or type in the information for your SIEM or syslog integration. The other sections in this guide provide details and descriptions for each option.
  5. In the
    SIEM
    drop-down list, click the appropriate SIEM solution or syslog server.
  6. In the
    Protocol
    drop-down list, click the appropriate protocol. If you choose TCP, it is a best practice to select the
    TLS/SSL
    check box to ensure that the syslog message is encrypted in transit. Verify that your SIEM solution or syslog server is configured to listen for messages, and that it supports TLS v1.2 or higher.
  7. If you want to include the full contents of fields with command line values, select the
    Allow messages over 2 KB
    check box to ensure that the full file path is populated in the Instigating Process Command Line field of
    CylanceOPTICS
    detection events. This setting is only available for
    CylanceOPTICS
    .
    If you do not select this option, the file path in the Instigating Process Command Line field in the
    CylanceOPTICS
    detection events are truncated at 120 characters to keep the size of messages under 2 KB.
  8. In the
    IP/Domain
    field, type the FQDN or IP address of the SIEM solution or syslog server.
  9. In the
    Port
    field, type the port number that you want the SIEM solution or syslog server to listen on for messages. The port number must be between 1 and 65535.
  10. In the
    Severity
    drop-down list, click the severity of the messages that should appear in the SIEM solution or syslog server. This value does not change the messages that are sent to the SIEM solution or syslog server.
  11. In the
    Facility
    drop-down list, click the type of application that is logging the message. This value is used to categorize the messages that are received by the SIEM solution or syslog server.
  12. If necessary, in the
    Custom Token
    field, type the custom token that your organization’s log management service (for example, SumoLogic) requires for SIEM or syslog messages.
  13. In the
    Include tenant identifiers
    drop-down list, specify whether the tenant ID, name, or both should be included in the syslog messages. This value allows you to easily identify the source tenant in a multiple tenant environment. By default, this option is disabled.
  14. Click
    Test Connection
    to verify that your settings are correct.
  15. Click
    Save
    .