Sending Cylance Endpoint Security events to a SIEM solution or syslog server
You can configure Cylance Endpoint Security to forward events to a single SIEM solution or syslog server. The content of each event is Unicode plain text consisting of key-value pairs separated by commas. If your organization requires events to be sent to multiple SIEM solutions or syslog servers, you may be able to configure a syslog forwarder. See the documentation for your syslog or SIEM server for information about how to configure forwarding to multiple servers.
If the Cylance Endpoint Security integration cannot successfully deliver syslog messages to a syslog or SIEM server, an email notification is sent to administrators (built-in role) who have a confirmed email address in the organization.
The integration is disabled once the number of undelivered messages reaches 400. The first warning email is sent when a third of that maximum has accumulated. Each message is attempted ten times; if all attempts fail, the message is not forwarded to the syslog or SIEM server and is moved to a dead-letter queue.
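As an added illustration of the delivery behaviour described above (example code, not Cylance's implementation), the following Python models a forwarder with the documented limits so an administrator can reason about when the warning email and the shutdown occur. The `make_sender` test double and the sample event strings are constructed, and rounding the warning threshold down to 133 is an assumption.

```python
# Illustrative model of the documented forwarding behaviour: ten delivery
# attempts per message, a dead-letter queue for messages that exhaust them,
# a warning email at a third of the undelivered maximum, shutdown at 400.
# Example code, not Cylance's implementation.

MAX_UNDELIVERED = 400                     # documented: integration disabled at this count
DELIVERY_ATTEMPTS = 10                    # documented: attempts per message before dead-lettering
WARNING_THRESHOLD = MAX_UNDELIVERED // 3  # "a third of the maximum"; rounding down is an assumption


def deliver(event, send, attempts=DELIVERY_ATTEMPTS):
    """Attempt to send one event up to `attempts` times; True if it got through."""
    for _ in range(attempts):
        if send(event):
            return True
    return False


def forward_events(events, send):
    """Run events through the modelled forwarder in order.

    Returns the number delivered, the dead-letter queue, the index of the
    event whose failure triggered the warning email, and the index at which
    the integration was disabled (None where it did not happen). Events after
    the disable point are never attempted.
    """
    dead_letter, delivered = [], 0
    warning_at = disabled_at = None
    for index, event in enumerate(events):
        if deliver(event, send):
            delivered += 1
            continue
        dead_letter.append(event)
        if warning_at is None and len(dead_letter) >= WARNING_THRESHOLD:
            warning_at = index
        if len(dead_letter) >= MAX_UNDELIVERED:
            disabled_at = index
            break
    return {"delivered": delivered, "dead_letter": dead_letter,
            "warning_at": warning_at, "disabled_at": disabled_at}


def make_sender(fail_first_n):
    """Constructed test double: each event fails its first `fail_first_n`
    attempts and then succeeds. Returns (send, total_attempt_counter)."""
    per_event, total = {}, [0]

    def send(event):
        total[0] += 1
        per_event[event] = per_event.get(event, 0) + 1
        return per_event[event] > fail_first_n
    return send, total


if __name__ == "__main__":
    # Constructed sample events in the documented comma-separated key-value shape.
    events = [f"event_id={i},source=constructed-sample" for i in range(410)]
    send, total = make_sender(fail_first_n=DELIVERY_ATTEMPTS)  # server never accepts
    summary = forward_events(events, send)
    print(summary["warning_at"], summary["disabled_at"], total[0])  # 132 399 4000
```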
Due to various factors, events may reach a SIEM solution or syslog server with a delay, so this integration should not be relied on for real-time or near real-time monitoring.