Data source types
The syslog-based source types for the Splunk provide real-time information on threats, devices, threat classifications, memory protection, application control, and audit log.
Syslog will report any events detected on devices, including denied attempts to create or modify applications, or to execute files from a network or external location.
Syslog will report all user actions performed on the Cylance console by administrators, zone managers, and users.
Syslog will report devices that have been registered, modified, or removed.
Syslog will report device control events like the device type, vendor ID, and product ID.
Syslog will report any malicious processes and exploits that were detected and/or blocked by this script.
Syslog will report all scripts that ran or attempted to run.
Syslog will report any newly found threats in your environment as well as any changes observed for existing threats.
Syslog will report any newly classified threats or changes to existing threat classifications.
Threat data report
The threat data report-based source types for the Splunk are extracted from the CylancePROTECT threat data report, which lists the threats and devices in your environments.
The Threats script reports all threats that are detected in your environment, along with relevant information such as file name, file hashes, file status, and
The Devices script reports all CylancePROTECT Desktop registered devices in your organization, along with information such as each device’s operating system, agent version, and MAC address.
The Indicators script reports each threat with a unique SHA256 hash and all associated threat indicators that characterize the file.
For more information about threat indicators, see KB 66181.
The Events script will report all threat events that occurred in your organization for the last 30 days. This information includes the file hash, the device name, the file path, the date and time it was found, the threat status, and the