Data source types

Syslog Events
The Syslog-based source types for the CylancePROTECT Application for Splunk provide real-time information on threats, devices, threat classifications, memory protection, application control, and audit log (script control events are not yet supported). The Syslog source types below for this application adhere to the Splunk CIM and provide the ability to integrate with other Splunk enterprise applications.
Application Control
Syslog will report any events detected on devices with Application Control enabled, including denied attempts to create or modify applications, or to execute files from a network or external location.
Audit Log
Syslog will report all user actions performed on the Cylance Console by administrators, zone managers, and users.
Devices
Syslog will report devices that have been registered, modified, or removed.
Device Control
Syslog will report device control events like the device type, vendor ID, and product ID.
Memory Protection
Syslog will report any malicious processes and exploits that were detected and/or blocked by Memory Protection.
Script Control
Syslog will report all scripts that ran or attempted to run.
Threats
Syslog will report any newly found threats in your environment as well as any changes observed for existing threats.
Threat Classifications
Syslog will report any newly classified threats or changes to existing threat classifications (as made by the Cylance Threat Analysis Team).
Threat Data Report
The Threat Data source types for the CylancePROTECT Application for Splunk are extracted from the CylancePROTECT Threat Data Report, which provides all details and information pertaining to threats and devices in your environments. The Threat Data source types below adhere to the Splunk Common Information Model (CIM).
Threats
The Threats script reports all threats that have been detected in your environment, along with relevant information such as file name, file hashes, file status, Cylance Score, classification, file path, device it was detected on, first and last found date, etc. Fields conform to the Malware data model in Splunk's CIM.
Devices
The Devices script reports all CylancePROTECT registered devices in your organization, along with each device's operating system, agent version, device policy, zones it belongs to, MAC address, IP address, last reported user, date it was added, status (online or offline), total files analyzed, etc. Fields conform to the Inventory data model in Splunk's CIM.
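The Threats and Devices descriptions above list the fields each report carries and state that they conform to the CIM Malware and Inventory data models. The following is an added example, not code from the CylancePROTECT app or from BlackBerry, showing how such records could be normalised into CIM field names before indexing. The input dictionary keys (file_hashes, file_status, device_name, agent_version, last_user and so on), the file-status vocabulary, and the sample records are assumptions constructed for this example; only the output names dest, file_name, file_path, file_hash, signature, action, date, os, version, mac, ip, user and vendor_product are the CIM data-model fields.

```python
import re
from typing import Any, Dict, Optional

# Hash algorithm inferred from hex-digest length (constructed lookup for this example).
_HASH_ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Assumed file-status vocabulary mapped onto the CIM Malware "action" field.
_STATUS_TO_ACTION = {"quarantined": "blocked", "waived": "allowed"}

VENDOR_PRODUCT = "CylancePROTECT"


def classify_hash(digest: Optional[str]) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' for a well-formed hex digest, else None."""
    if not digest or not _HEX_RE.match(digest):
        return None
    return _HASH_ALGO_BY_LENGTH.get(len(digest))


def normalize_mac(mac: Optional[str]) -> Optional[str]:
    """Canonicalise a MAC address to lower-case colon-separated form; None if malformed."""
    if not mac:
        return None
    raw = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(raw) != 12:
        return None
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def threat_to_cim(record: Dict[str, Any]) -> Dict[str, Any]:
    """Map a threat record to CIM Malware data-model fields.

    Assumed (hypothetical) input keys mirroring the fields the page lists:
    file_name, file_hashes (list of hex digests), file_status, cylance_score,
    classification, file_path, device_name, first_found, last_found.
    """
    hashes: Dict[str, str] = {}
    for digest in record.get("file_hashes", []):
        algo = classify_hash(digest)
        if algo is None:
            continue  # drop malformed digests instead of indexing junk
        hashes[algo] = digest.lower()
    status = str(record.get("file_status", "")).lower()
    return {
        "vendor_product": VENDOR_PRODUCT,
        "dest": record.get("device_name"),
        "file_name": record.get("file_name"),
        "file_path": record.get("file_path"),
        # CIM carries a single file_hash; prefer SHA256, the key the Indicators report uses.
        "file_hash": hashes.get("sha256") or hashes.get("sha1") or hashes.get("md5"),
        "signature": record.get("classification"),
        "action": _STATUS_TO_ACTION.get(status, "unknown"),
        "date": record.get("last_found"),
        # Vendor-specific extras kept under non-CIM names so they are not mistaken for CIM fields.
        "cylance_score": record.get("cylance_score"),
        "first_found": record.get("first_found"),
    }


def device_to_cim(record: Dict[str, Any]) -> Dict[str, Any]:
    """Map a device record to CIM Inventory data-model fields.

    Assumed (hypothetical) input keys: device_name, os, agent_version, policy,
    zones (list), mac, ip, last_user, status.
    """
    return {
        "vendor_product": VENDOR_PRODUCT,
        "dest": record.get("device_name"),
        "os": record.get("os"),
        "version": record.get("agent_version"),
        "mac": normalize_mac(record.get("mac")),
        "ip": record.get("ip"),
        "user": record.get("last_user"),
        # Non-CIM extras that remain useful for zone- or policy-scoped searches.
        "policy": record.get("policy"),
        "zones": list(record.get("zones", [])),
        "status": str(record.get("status", "")).lower() or "unknown",
    }


# Constructed sample records (not real telemetry) so the module runs stand-alone.
SAMPLE_THREAT = {
    "file_name": "invoice.exe", "file_status": "Quarantined", "cylance_score": -0.93,
    "file_hashes": ["D41D8CD98F00B204E9800998ECF8427E", "not-a-hash",
                    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "classification": "Malware", "file_path": "C:\\Users\\alice\\Downloads\\invoice.exe",
    "device_name": "WS-0042", "first_found": "2024-01-02T10:00:00Z", "last_found": "2024-01-03T08:30:00Z",
}
SAMPLE_DEVICE = {
    "device_name": "WS-0042", "os": "Windows 10", "agent_version": "3.1.1000", "policy": "Default",
    "zones": ["Finance", "Laptops"], "mac": "00-1A-2B-3C-4D-5E", "ip": "10.0.5.17",
    "last_user": "alice", "status": "Online",
}

if __name__ == "__main__":
    print(threat_to_cim(SAMPLE_THREAT))
    print(device_to_cim(SAMPLE_DEVICE))
```

Two design points matter for detection work: malformed hashes are dropped rather than indexed, so a typo in a feed cannot create a hash that never matches anything, and the MAC address is canonicalised so device-inventory joins against other sources (DHCP, switch logs) line up regardless of how each vendor formats it.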
Indicators
The Indicators script reports each threat (with a unique SHA256 hash) and all associated threat indicators that characterize the file.
See https://support.blackberry.com/community/s/article/66181 for more information on threat indicators.
Events
The Events script will report all threat events that occurred in your organization for the last 30 days. This information includes the file hash, the device name, file path, the date and time it was found, the threat status, and Cylance Score.