Sending Cylance Endpoint Security events to a SIEM solution or syslog server
You can configure Cylance Endpoint Security to forward events to a SIEM solution or syslog server. Each event is Unicode plain text consisting of comma-separated key-value pairs. Because most syslog servers limit message size, the details of each event are limited to 2048 characters, so the final fields of a long event (a lengthy file path, for example) may be cut off.
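The following parser, added here as an illustration and not BlackBerry's own code, shows how a SIEM ingestion step can split an event payload into fields and flag the 2048-character cap described above. The page states only that events are comma-separated key-value pairs with a 2048-character limit; the "Key: Value" spelling, the rule that a new pair starts at ", " followed by a key and ": ", the field names, and both sample events are assumptions constructed for the example.

```python
"""Parser for Cylance Endpoint Security syslog/SIEM event payloads.

Added example, not BlackBerry's code. The docs state only that an event is
Unicode plain text made of comma-separated key-value pairs capped at 2048
characters. Assumptions: pairs are written "Key: Value", and a new pair
begins at ", " followed by a key-looking token and ": ". Samples are
constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_DETAIL_LEN = 2048  # per-message cap stated in the BlackBerry docs

# Assumption: a pair boundary is ", " followed by "<key>: ". Requiring the
# colon keeps commas inside values (e.g. "(Finance, Remote Users)") intact.
_PAIR_BOUNDARY = re.compile(r",\s+(?=[A-Za-z][A-Za-z0-9 _-]*:\s)")


@dataclass
class ParsedEvent:
    fields: Dict[str, str] = field(default_factory=dict)
    last_key: Optional[str] = None   # the field that may be cut if truncated
    truncated: bool = False          # payload sits at the 2048-char cap
    warnings: List[str] = field(default_factory=list)


def parse_event(payload: str) -> ParsedEvent:
    """Split one event payload into fields and flag possible truncation."""
    ev = ParsedEvent()
    text = payload.strip()
    # Heuristic: a payload that fills the cap exactly was probably cut.
    if len(text) >= MAX_DETAIL_LEN:
        ev.truncated = True
        ev.warnings.append("payload at 2048-char cap; last field may be cut")
    for chunk in _PAIR_BOUNDARY.split(text):
        key, sep, value = chunk.partition(": ")
        if not sep:
            # No "Key: " at all: malformed, or not a Cylance event.
            ev.warnings.append("no key/value pair in: " + chunk[:40])
            continue
        key = key.strip()
        if key in ev.fields:
            ev.warnings.append("duplicate key: " + key)
        ev.fields[key] = value.strip()
        ev.last_key = key
    # A cut that lands inside a trailing key cannot be told apart from a
    # comma inside the last value, so name the field that absorbed it.
    if ev.truncated and ev.last_key is not None:
        ev.warnings.append("field possibly incomplete: " + ev.last_key)
    return ev


# Constructed sample events (hypothetical field names, not real output).
SAMPLE_THREAT = (
    "Event Type: Threat, Event Name: threat_found, Device Name: LAB-WS01, "
    "Zone Names: (Finance, Remote Users), File Name: invoice.exe, "
    "Path: C:\\Users\\alice\\Downloads\\, Cylance Score: 92"
)

# A payload padded to exactly 2048 chars whose last pair is cut mid-key.
_HEAD = "Event Type: Threat, Device Name: LAB-WS02, Path: C:\\"
_TAIL = ", File Na"
SAMPLE_TRUNCATED = (
    _HEAD + "x" * (MAX_DETAIL_LEN - len(_HEAD) - len(_TAIL)) + _TAIL
)


def summarize(payload: str) -> str:
    """One-line triage summary a SIEM rule might emit for the event."""
    ev = parse_event(payload)
    f = ev.fields
    line = (f"{f.get('Event Type', '?')}/{f.get('Event Name', '?')} "
            f"on {f.get('Device Name', '?')}")
    if ev.truncated:
        line += " [TRUNCATED]"
    return line


if __name__ == "__main__":
    for sample in (SAMPLE_THREAT, SAMPLE_TRUNCATED):
        ev = parse_event(sample)
        print(summarize(sample))
        for k, v in ev.fields.items():
            print(f"  {k} = {v[:60]}")
        for w in ev.warnings:
            print("  warning:", w)
```

The boundary rule deliberately requires a colon after the comma so that commas inside a value survive, which is why the zone list in the first sample stays whole. The cost is the failure mode shown by the second sample: when the cap cuts the payload inside a key, that fragment is swallowed into the previous field, and the only reliable signal is the length check, so downstream rules should treat the named last field of a truncated event as untrustworthy rather than matching on it.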
If the Cylance Endpoint Security integration cannot deliver syslog messages to the syslog or SIEM server, an email notification is sent to administrators (built-in role) who have a confirmed email address in the organization.
The integration is disabled once 400 messages have gone undelivered. The first warning email is sent when a third of that limit is reached. Each message is retried up to ten times; if every attempt fails, the message is moved to a dead-letter queue.
Various factors can delay the reporting of events to a SIEM solution or syslog server, so this integration should not be relied on for real-time or near-real-time monitoring.