
Troubleshoot threat data reporting

If data does not populate in the report dashboard, do the following:
  • If your organization uses a distributed Splunk environment, verify that threat data report consumption is configured on a heavy forwarder that is running the CylancePROTECT Application for Splunk (not just the technology add-on) and that the Splunk environment is running on version 7.2 or later.
  • Verify that the latest version of the application is installed on the Splunk search head and that the matching version of the technology add-on is installed on the indexers.
  • Confirm that the index name is either cylance_protect or protect, to match the inputs.conf file.
  • Confirm that the eventtypes.conf file, which populates the dashboards, has not been altered.
  • Verify that the macro cylance_index, which searches for Cylance data, has not been altered.
  • On the Splunk homepage, on the vertical menu bar, click Search & Reporting. Set the time preset to All Time (real-time), then run the search eventtype=cylance_index sourcetype=syslog*.

From the command line, check the cylance_protect/local directory for the presence of CSV and SHA files (for example, <TenantName>-event.csv or <TenantName>-indicators.sha). Then take the action that matches the outcome:
Outcome: The CSV and SHA files are present.
Actions to resolve:
  • Check the $SPLUNK_HOME/etc/apps/cylance_protect/defaults/inputs.conf file for the index name that the scripted inputs are using.
  • Verify that the index exists. Use the index name to search on the Splunk search bar.

Outcome: The CSV and SHA files are not present.
Actions to resolve:
  • Verify that your Splunk environment is not behind a proxy or firewall that could be blocking the connection. If a proxy or firewall is blocking the connection, configure it to allow connections to the Cylance console.
  • Run the cy_test.py script from the command line.
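The following shell script is an added example, not part of this documentation or of the CylancePROTECT app itself. It automates the command-line side of the table above: it checks whether any CSV or SHA files exist in the app's local directory, reads the index names that inputs.conf assigns to the scripted inputs, and compares them with the two names the page expects (cylance_protect or protect). It assumes the directory layout $SPLUNK_HOME/etc/apps/cylance_protect with a local/ directory and an inputs.conf under defaults/ (as the page names it) or default/, and the standard Splunk "index = <name>" key syntax; the cylance_check function name and the fallback path /opt/splunk are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the BlackBerry/Cylance documentation): offline check
# of the two conditions in the troubleshooting table. Assumes the
# $SPLUNK_HOME/etc/apps/cylance_protect layout described on the page.

# Returns 0 if at least one *.csv or *.sha file exists in <app_dir>/local,
# 1 otherwise (an unmatched glob stays literal, so -e fails and we fall through).
cylance_files_present() {
  app_dir="$1"
  for f in "$app_dir"/local/*.csv "$app_dir"/local/*.sha; do
    [ -e "$f" ] && return 0
  done
  return 1
}

# Prints the distinct index names set by "index = <name>" lines in inputs.conf,
# reading defaults/ (as the page spells it), default/ and local/ overrides.
cylance_index_names() {
  app_dir="$1"
  for conf in "$app_dir/defaults/inputs.conf" \
              "$app_dir/default/inputs.conf" \
              "$app_dir/local/inputs.conf"; do
    [ -r "$conf" ] || continue
    sed -n 's/^[[:space:]]*index[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf"
  done | sort -u
}

# Returns 0 when every index name found is one the page expects
# (cylance_protect or protect); 1 on a mismatch or when no index key is set.
cylance_index_ok() {
  names=$(cylance_index_names "$1")
  [ -n "$names" ] || return 1
  for n in $names; do
    case "$n" in
      cylance_protect|protect) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Driver mirroring the page's table. Usage:
#   sh cylance_check.sh "$SPLUNK_HOME/etc/apps/cylance_protect"
# Falls back to $SPLUNK_HOME (or /opt/splunk, an assumed default) if no
# argument is given.
cylance_check() {
  app_dir="${1:-${SPLUNK_HOME:-/opt/splunk}/etc/apps/cylance_protect}"
  if cylance_files_present "$app_dir"; then
    echo "CSV/SHA files present in $app_dir/local"
    echo "index names referenced by inputs.conf:"
    cylance_index_names "$app_dir" | sed 's/^/  /'
    if cylance_index_ok "$app_dir"; then
      echo "index name matches cylance_protect/protect: confirm the index exists via the search bar"
    else
      echo "index name missing or not cylance_protect/protect: correct inputs.conf or create the index"
    fi
  else
    echo "no CSV/SHA files in $app_dir/local: check proxy/firewall access to the Cylance console, then run cy_test.py"
  fi
}

cylance_check "$@"
```

The script only reports; it does not edit inputs.conf, create indexes, or run cy_test.py, so it is safe to run on a production search head or heavy forwarder while following the table by hand.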