
Troubleshoot threat data report (TDR) consumption

If the TDR (non-syslog) dashboards do not populate:
  1. In a distributed Splunk environment, ensure that TDR consumption is configured on a Heavy Forwarder that is running the full BlackBerry Protect Desktop Splunk application (not just the TA), and that the Splunk environment is running version 6.2 or higher.
  2. Ensure the latest version of the application is installed on the Splunk Search Head, and that the matching version of the TA is installed on the Indexers.
  3. Ensure the index name is either cylance_protect (preferred) or protect, so that it matches the inputs.conf file.
  4. Ensure eventtypes.conf has not been altered, since it is what populates the dashboards. Then ensure that the macro cylance_index has not been altered, because it must search the index that contains BlackBerry data, usually cylance_protect or protect.
  5. In the Splunk search box, select All Time, then type:
     eventtype=cylance_index sourcetype=syslog*
  6. You should see JSON data, possibly with a sourcetype of device, threat_indicator, etc.
     If no data is returned (for example, "No results found for this particular query"):
     1. From the command line, check the cylance_protect/local directory for the presence of CSV and SHA files, for example <TenantName>-event.csv or <TenantName>-indicators.sha.
     If the CSV and SHA files are present:
     1. Check default/inputs.conf for the index name that the scripted inputs are using.
     2. Ensure that index exists, and search on just that index name from the Splunk search bar.
     If the CSV and SHA files are not present:
     1. Is the Splunk instance behind a proxy or firewall that could be blocking connectivity?
     2. If so, can you whitelist this host to the BlackBerry Tenant URL?
     3. Run the test.py script using the instructions below.
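The following shell helper runs the command-line side of the procedure above in one pass: it reads the index name(s) from the app's inputs.conf, checks that they are cylance_protect or protect (the indexes the cylance_index macro is expected to search), looks for the scripted inputs' CSV/SHA output files in local/, and, when those files are missing, tries the tenant URL so a proxy or firewall problem shows up immediately. It is an added example and not part of the BlackBerry Protect Desktop Splunk app; it assumes the app is installed at $SPLUNK_HOME/etc/apps/cylance_protect (override with APP_DIR) and that TENANT_URL, if you set it, is the BlackBerry Tenant URL the host must reach. Both of those are assumptions made here, not values from the page.

```shell
#!/bin/sh
# Added troubleshooting helper; not part of the BlackBerry Protect Desktop
# Splunk app. Assumptions (not from the original page): the app lives at
# $SPLUNK_HOME/etc/apps/cylance_protect, and TENANT_URL, if set, is the
# BlackBerry Tenant URL the scripted inputs must reach.

APP_DIR="${APP_DIR:-${SPLUNK_HOME:-/opt/splunk}/etc/apps/cylance_protect}"

# Print the index names referenced by inputs.conf, one per line.
# Both default/ and local/ are read because a local/ stanza overrides default/.
tdr_index_names() {
    dir="$1"
    for f in "$dir/default/inputs.conf" "$dir/local/inputs.conf"; do
        [ -f "$f" ] || continue
        # Keep only "index = <name>" lines; drop trailing whitespace or comments.
        sed -n 's/^[[:space:]]*index[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$f"
    done | sort -u
}

# Succeed only if every index in inputs.conf is cylance_protect or protect,
# the index names the dashboards (via the cylance_index macro) expect.
tdr_check_index_name() {
    rc=0
    for idx in $(tdr_index_names "$1"); do
        case "$idx" in
            cylance_protect|protect) ;;
            *) echo "WARN: inputs.conf sends data to index '$idx'; expected cylance_protect or protect"
               rc=1 ;;
        esac
    done
    return $rc
}

# Succeed if the scripted inputs have written any <TenantName>-*.csv or
# <TenantName>-*.sha files into local/ (e.g. Acme-event.csv, Acme-indicators.sha).
tdr_has_output_files() {
    set -- "$1"/local/*.csv "$1"/local/*.sha
    for f in "$@"; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Confirm the host can reach the tenant URL through any proxy or firewall.
# Prints the HTTP status; a curl failure means the connection never completed.
tdr_check_connectivity() {
    [ -n "${TENANT_URL:-}" ] || { echo "TENANT_URL not set; skipping connectivity check"; return 0; }
    curl -sS -m 15 -o /dev/null -w 'HTTP %{http_code} from %{url_effective}\n' "$TENANT_URL" \
        || echo "FAIL: could not reach $TENANT_URL (proxy/firewall blocking?)"
}

# Run the checks in the order the troubleshooting steps prescribe.
tdr_report() {
    names=$(tdr_index_names "$1" | tr '\n' ' ')
    if [ -z "$names" ]; then
        echo "WARN: no index= setting found under $1 (default/inputs.conf or local/inputs.conf)"
    else
        echo "inputs.conf index names: $names"
        tdr_check_index_name "$1" && echo "OK: index name matches what cylance_index searches"
    fi
    if tdr_has_output_files "$1"; then
        echo "OK: CSV/SHA files present in $1/local; verify the index above exists and search it directly"
    else
        echo "WARN: no CSV/SHA files in $1/local; check connectivity, then run test.py"
        tdr_check_connectivity
    fi
}

tdr_report "$APP_DIR"
```

Run it on the Heavy Forwarder (or the single Splunk instance) as the user Splunk runs as, so file permissions match what the scripted inputs see; set TENANT_URL before running if you want the connectivity step to exercise the same proxy path the inputs use.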