Data source types
Syslog Events
The Syslog-based source types for the CylancePROTECT Desktop Application for Splunk provide real-time information on threats, devices, threat classifications, memory protection, application control, and audit log (script control events are not yet supported). The Syslog source types below for this application adhere to the Splunk CIM and provide the ability to integrate with other Splunk enterprise applications.

Source type | Description
--- | ---
Application Control | Syslog will report any events detected on devices with Application Control enabled, including denied attempts to create or modify applications, or to execute files from a network or external location.
Audit Log | Syslog will report all user actions performed on the Cylance console by administrators, zone managers, and users.
Devices | Syslog will report devices that have been registered, modified, or removed.
Device Control | Syslog will report device control events, including the device type, vendor ID, and product ID.
Memory Protection | Syslog will report any malicious processes and exploits that were detected and/or blocked by Memory Protection.
Script Control | Syslog will report all scripts that ran or attempted to run.
Threats | Syslog will report any newly found threats in your environment as well as any changes observed for existing threats.
Threat Classifications | Syslog will report any newly classified threats or changes to existing threat classifications (as made by the Threat Analysis Team).
Threat Data Report
The Threat Data source types for the CylancePROTECT Desktop Application for Splunk are extracted from the CylancePROTECT Desktop Threat Data Report, which provides all details and information pertaining to threats and devices in your environments. The Threat Data source types below adhere to the Splunk Common Information Model (CIM).

Source type | Description
--- | ---
Threats | The Threats script reports all threats that have been detected in your environment, along with relevant information such as file name, file hashes, file status, Cylance Score, classification, file path, device it was detected on, first and last found date, etc. Fields conform to the Malware data model in Splunk's CIM.
Devices | The Devices script reports all CylancePROTECT Desktop registered devices in your organization, along with each device's operating system, agent version, device policy, zones it belongs to, MAC address, IP address, last reported user, date it was added, status (online or offline), total files analyzed, etc. Fields conform to the Inventory data model in Splunk's CIM.
Indicators | The Indicators script reports each threat (with a unique SHA256 hash) and all associated threat indicators that characterize the file. See https://support.blackberry.com/community/s/article/66181 for more information on threat indicators.
Events | The Events script will report all threat events that occurred in your organization for the last 30 days. This information includes the file hash, the device name, file path, the date and time it was found, the threat status, and Cylance Score.