Troubleshoot threat data report (TDR) consumption

If the TDR (non-syslog) dashboards do not populate
  1. If in a distributed environment, ensure that you are configuring TDR consumption on a Heavy Forwarder that is running the full CylancePROTECT Desktop application (not just the TA), and that the environment is running 6.2 or higher.
  2. Ensure the latest version of the application is installed on the Search Head. Ensure the matching version of the TA is installed on the Indexers.
  3. Ensure the index name is either (preferred) or to match the inputs.conf file.
  4. Ensure eventtypes.conf has not been altered, since it populates the dashboards. Then ensure that the macro cylance_index has not been altered, because it needs to search the index that contains the data (usually cylance_protect or protect).
  5. Go to the search box, select All Time, then type:
     eventtype=cylance_index sourcetype=syslog*
  6. You should see JSON data, possibly with a sourcetype of device, threat_indicator, etc. If no data is returned (for example: No results found for this particular query):
     1. From the command line, check the cylance_protect/local directory for the presence of CSV and SHA files. For example: <TenantName>-event.csv or <TenantName>-indicators.sha.
     If the CSV and SHA files are present:
       1. Check defaults/inputs.conf for the index name that the scripted inputs are using.
       2. Ensure that index exists and search on just that index name from the search bar.
     If the CSV and SHA files are not present:
       1. Is the instance behind a proxy or firewall that could be blocking connectivity?
       2. If so, can you whitelist this host to the Tenant URL?
       3. Run the script using the instructions below.
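The file-presence and index-name checks in step 6 can be scripted. The following is an added example, not part of the CylancePROTECT app or its documentation; it assumes the drop directory holds <Tenant>-event.csv and <Tenant>-indicators.sha files and that the scripted-input stanzas in inputs.conf carry "index = <name>" lines. The demo layout it builds is constructed and contains no tenant data.

```shell
#!/bin/sh
# Added example (not from the CylancePROTECT app): automates the step-6 checks.
# Assumptions: TDR drop files are named <Tenant>-event.csv / <Tenant>-indicators.sha,
# and inputs.conf configures the target index with "index = <name>" lines.

# Print the de-duplicated index names configured in the given inputs.conf.
configured_indexes() {
    # tr drops CRLF endings portably; sed -n/p keeps only "index = ..." lines,
    # tolerating any spacing around the "=".
    tr -d '\r' < "$1" | sed -n 's/^[[:space:]]*index[[:space:]]*=[[:space:]]*//p' | sort -u
}

# Count TDR drop files in the given directory (CSV events plus SHA indicator files).
tdr_file_count() {
    find "$1" -maxdepth 1 \( -name '*-event.csv' -o -name '*-indicators.sha' \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# Decide which branch of the procedure applies: $1 = drop directory, $2 = inputs.conf.
# The first output line is a machine-readable verdict; the rest is the next step to take.
tdr_diagnose() {
    n=$(tdr_file_count "$1")
    if [ "$n" -gt 0 ]; then
        idx=$(configured_indexes "$2" | tr '\n' ',' | sed 's/,$//')
        echo "files_present index=$idx"
        echo "Next: confirm that index exists and search index=$idx from the search bar"
    else
        echo "files_missing"
        echo "Next: check proxy/firewall connectivity to the tenant URL, then rerun the script"
    fi
}

# Constructed demo layout (no real tenant data): one CSV/SHA pair and a two-stanza inputs.conf.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/local"
    : > "$d/local/ExampleTenant-event.csv"
    : > "$d/local/ExampleTenant-indicators.sha"
    printf '[script://./bin/tdr_events.py]\nindex = cylance_protect\n\n[script://./bin/tdr_indicators.py]\nindex = cylance_protect\n' > "$d/inputs.conf"
    tdr_diagnose "$d/local" "$d/inputs.conf"
    rm -rf "$d"
}
demo
```

Point tdr_diagnose at the real drop directory and inputs.conf path of the installed app to decide which branch of step 6 to follow.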