Troubleshoot threat data report (TDR) consumption
If the TDR (non-syslog) dashboards do not populate
- If in a distributedSplunkenvironment, ensure that you are configuring TDR consumption on a Heavy Forwarder that is running the fullCylancePROTECT DesktopSplunkapplication (not just the TA), and that theSplunkenvironment is running 6.2 or higher.
- Ensure the latest version of the application is installed on theSplunkSearch Head. Ensure the matching version of the TA is installed on Indexers.
- Ensure the index name is eithercylance_protect(preferred) orprotectto match the inputs.conf file.
- Ensure eventtypes.conf has not been altered since this populates the dashboards. Then ensure that the macro cylance_index has not been altered as this needs to search the index that containsBlackBerrydata – usually cylance_protect or protect.
- Go toSplunksearch box, selectAll Time, then type:eventtype=cylance_index sourcetype=syslog*
- You should see JSON data, possibly with a sourcetype of device, threat_indicator, etc.If no data is returned (example: No results found for this particular query):
- From the command line: check the cylance_protect/ local directory for the presence of CSV and SHA files. For example: <TenantName>-event.csv or <TenantName>-indicators.sha.
If the CSV and SHA files are present:- Check defaults/inputs.conf for the index name that the scripted inputs are using.
- Ensure that index exists and search on just that index name from theSplunksearch bar.
If the CSV and SHA files are not present:- Is theSplunkinstance behind a proxy or firewall that could be blocking connectivity?
- If so, can you whitelist this host to theBlackBerryTenant URL?
- Run the test.py script using the instructions below.