Sending Cylance Endpoint Security events to a SIEM solution or syslog server
You can configure Cylance Endpoint Security to forward events to a single SIEM solution or syslog server. The content of each event is Unicode plain text consisting of key-value pairs separated by commas. If your organization requires events to be sent to multiple SIEM solutions or syslog servers, you may be able to configure a syslog forwarder. See the documentation for your syslog or SIEM server for information about how to configure forwarding to multiple servers.

If the Cylance Endpoint Security integration cannot deliver syslog messages to the syslog or SIEM server, an email notification is sent to users in the built-in administrator role who have a confirmed email address within the organization. Each message is retried up to ten times; after the tenth failed attempt it is treated as undelivered and moved to a dead-letter queue. The first warning email is sent when the number of undelivered messages reaches a third of the maximum (about 133). When 400 messages have gone undelivered, the integration is disabled. Make sure the warning emails reach someone who can act on them, because once the integration is disabled no further events are forwarded until it is re-enabled.

Events may reach the SIEM solution or syslog server with a delay, so this integration should not be relied on for real-time or near-real-time monitoring.
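As an added example that is not part of this page or of BlackBerry's own tooling, the following Python parses one such event as it would arrive at a syslog collector. The syslog header layout, the `Key: Value` form of each pair and every field name in the sample are assumptions for illustration; this page does not list the actual field names. The point it demonstrates is that a naive split on commas is unsafe, because a value such as a file path may itself contain commas and colons, so the splitter only breaks on a comma that is followed by something that looks like the next key.

```python
import re
from typing import Dict, Tuple

# Constructed sample line (not a real Cylance event): a syslog header followed by
# comma-separated "Key: Value" pairs. Field names and layout are assumptions.
# The file path deliberately contains a comma and a colon to exercise the parser.
SAMPLE_LINE = (
    "<14>Mar  3 10:15:42 cylance-cloud CylancePROTECT: "
    "Event Type: Threat, Event Name: threat_found, Device Name: WS-0042, "
    "File Path: C:\\Users\\jdoe\\Downloads\\report, final.exe, Status: Quarantined"
)

# BSD-style syslog header: <PRI>TIMESTAMP HOST TAG: MESSAGE (assumed layout).
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)

# Split only on a comma-space that is followed by "Some Key: ", so that commas
# inside values (paths, descriptions) are preserved.
FIELD_SEP = re.compile(r", (?=[A-Za-z][A-Za-z ]*: )")


def decode_pri(pri: int) -> Tuple[int, int]:
    """Return (facility, severity) from a syslog PRI value (RFC 3164/5424 encoding)."""
    return pri >> 3, pri & 7


def parse_event(line: str) -> Dict[str, str]:
    """Parse a syslog line carrying a comma-separated key-value event into a dict.

    Header values are stored under underscore-prefixed keys so they cannot
    collide with event field names. Raises ValueError on malformed input
    rather than silently returning partial data.
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("line does not start with a recognised syslog header")

    facility, severity = decode_pri(int(m["pri"]))
    fields: Dict[str, str] = {
        "_timestamp": m["ts"],
        "_host": m["host"],
        "_tag": m["tag"].strip(),
        "_facility": str(facility),
        "_severity": str(severity),
    }

    for part in FIELD_SEP.split(m["msg"]):
        # partition on the FIRST ": " so a value like "C:\Users\..." stays intact
        key, sep, value = part.partition(": ")
        if not sep:
            raise ValueError(f"malformed field (no 'Key: Value' separator): {part!r}")
        fields[key.strip()] = value.strip()
    return fields


if __name__ == "__main__":
    for k, v in parse_event(SAMPLE_LINE).items():
        print(f"{k} = {v}")
```

When wiring this into a detection pipeline, reject and count lines that fail to parse instead of dropping them silently; a sudden rise in parse failures is itself a signal that the upstream format or forwarder configuration has changed.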