Sending

Cylance Endpoint Security

events to a SIEM solution or syslog server

You can configure

Cylance Endpoint Security

to forward events to a single SIEM solution or syslog server. The content of each event is Unicode plain text consisting of key-value pairs, separated by commas. If your organization requires events to be sent to multiple SIEM solutions or syslog servers, you may be able to configure a syslog forwarder. See the documentation for your Syslog or SIEM server for information about how to configure forwarding to multiple servers.

If the

Cylance Endpoint Security

integration cannot successfully deliver syslog messages to a syslog or SIEM server, an email notification will be sent to administrators (built-in role) with a confirmed email address within an organization.

The maximum number of undelivered messages before the integration is disabled is 400. The first warning email is sent after a third of the maximum number of undelivered messages are sent. Each message attempts to be sent ten times before it fails to forward to a syslog or SIEM server and then transitions to a dead-letter queue.

Due to various factors, there may be delays in the reporting of events to a SIEM solution or syslog server, so it should not be used for real-time or near real-time monitoring.