Index, Eventtypes, and Sourcetypes

The most important data classifiers are outlined below:

Index

Following

Splunk

best practices, this application is no longer bundled with a pre-specified index, however, we strongly recommend sending data to index=cylance_protect. If the index was previously specified as index=protect, this will also work as the dashboards are populated using an eventtype that will accept either. If a custom index name is used, then the eventtype=cylance_index must be modified to accept the custom index name.

Eventtypes

eventtype=cylance_index – eventtypes allows the index to either be protect or cylance_protect. If a custom index name is used, the eventtype must be modified for the dashboards to populate properly.

Sourcetypes

syslog sourcetypes

syslog_protect

syslog_app_control

syslog_audit_log

syslog_device

syslog_device_control

syslog_exploit

syslog_optics

syslog_script_control

syslog_threat

syslog_threat_classification

Syslog events will enter the app as syslog_protect and will be sorted into one of the other “syslog_” source types, based on content.

TDR sourcetypes

threat

device

threat_indicator

event

Section:

Introduction