Index, Eventtypes, and Sourcetypes
The most important data classifiers are outlined below:
Index
- Following Splunk best practices, this application is no longer bundled with a pre-specified index; however, we strongly recommend sending data to index=cylance_protect. If the index was previously specified as index=protect, this will also work, because the dashboards are populated using an eventtype that accepts either name. If a custom index name is used, the eventtype cylance_index must be modified to accept the custom index name.
Eventtypes
- eventtype=cylance_index – this eventtype allows the index to be either protect or cylance_protect. If a custom index name is used, the eventtype must be modified for the dashboards to populate properly.
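The custom-index change described above, as an added example (not the app's shipped configuration): the cylance_index stanza is reconstructed from the behaviour this page describes, and the local/eventtypes.conf path and the index name my_custom_index are assumptions.

```ini
# local/eventtypes.conf inside the Cylance Protect app directory (assumed path).
# Splunk layers local/ over default/, so this override is kept across app upgrades
# instead of being lost when default/eventtypes.conf is replaced.
[cylance_index]
# Default behaviour as described on this page (illustrative reconstruction):
# search = index=protect OR index=cylance_protect
# Override: keep both supported names and add the custom index
# (replace my_custom_index with the index you actually send data to).
search = index=protect OR index=cylance_protect OR index=my_custom_index
```

After a Splunk restart (or a debug/refresh), the search `eventtype=cylance_index | stats count by index` should list the custom index alongside any events still in protect or cylance_protect; if it does not, the dashboards will stay empty.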
Sourcetypes
- syslog sourcetypes
  - syslog_protect
  - syslog_app_control
  - syslog_audit_log
  - syslog_device
  - syslog_device_control
  - syslog_exploit
  - syslog_optics
  - syslog_script_control
  - syslog_threat
  - syslog_threat_classification

  Syslog events enter the app as syslog_protect and are then sorted into one of the other "syslog_" sourcetypes based on their content.
- TDR sourcetypes
  - threat
  - device
  - threat_indicator
  - event