Collect logs from third-party sources using API connectors

You can allow CylanceMDR to collect logs from various sources by providing the necessary information to the CylanceMDR onboarding team, who configure the connector in your tenant.

The following table lists some example log sources that can use API connectors. For more information, contact the CylanceMDR onboarding team.
Log source: Cato Networks

Provide the following information to the CylanceMDR team:
  • Your Cato Networks account ID.
  • A Cato Networks API key that you created for CylanceMDR.
  • Make sure that you enable events integration for your Cato Networks account.

To obtain this information:
  1. Log in to your Cato Networks account.
  2. In your user profile (profile icon > My Profile), verify that you have the Editor role.
  3. Obtain the account ID from the URL in the browser address bar. For example, if the URL is https://myorganization.cc.catonetworks.com/#/account/1234/topology, the account ID is 1234.
  4. To create an API key, navigate to Administration > API Management.
  5. Click New key.
  6. Type a name to easily identify this key, for example, "CylanceMDR Pro".
  7. Click Apply. The API key is created and a dialog appears with the option to copy it.
  8. Click Copy to copy the API key from the dialog and save it to a secure location.
  9. Click OK to close the dialog.
  10. To enable events integration, navigate to Administration > API & Integrations.
  11. In the Events Integration tab, turn on the Enable integration with Cato events option.
Log source: HIBUN

Provide the following information (obtained from Hitachi Solutions) to the CylanceMDR team:
  • Customer Code
  • Username
  • Password

The password should not contain non-ASCII special characters.
Log source: Microsoft Active Directory

Provide the following information to the CylanceMDR team:
  • The Active Directory domain to be monitored
  • The fully qualified domain name (FQDN) or IP address of an Active Directory server configured as a domain controller
  • The protocol type (LDAP, LDAPS, or LDAPS with certificate validation disabled)
  • An Active Directory username and password with appropriate permissions
  • If you want to collect Active Directory logs from the Modular Sensor, you need to add the Active Directory server domain and domain controller to the same DNS where the Modular Sensor is installed.

For Collect only configurations, the username and password need to belong to a standard Active Directory user who is a member of the domain to be monitored. The password should not include non-ASCII special characters.

For Respond configurations (if you want to also allow CylanceMDR to respond to a detected threat by disabling an Active Directory user account), do the following:
  1. Launch Active Directory Users and Computers with administrative credentials.
  2. Right-click the Organizational Unit that contains the user accounts for which you want to enable the respond action authority, and select Delegate Control.
  3. Select the user or group to which you want to delegate the authority, then click Next.
  4. Select Create Custom Task to Delegate and click Next.
  5. In the Delegation of Control Wizard, select the Only the following objects in the folder radio button.
  6. Select User objects and click Next.
  7. In the Show these permissions section, select only the Property-specific option. Deselect the General and Creation/Deletion of specific child objects options.
  8. In the specific permissions section, select the checkboxes for Read userAccountControl and Write userAccountControl.
  9. Click Next.
  10. Click Finish.
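To confirm that the delegation created by the wizard steps above grants only Read/Write userAccountControl on user objects and nothing broader, the following PowerShell audit is an added example (not part of this documentation or of CylanceMDR). It assumes the ActiveDirectory module is installed; the OU distinguished name and the delegated account name are placeholders.

```powershell
# Added example: audit the Delegation of Control Wizard result for least privilege.
# Placeholders: $ouDn (the OU you delegated on) and $delegate (the account chosen in step 3).
Import-Module ActiveDirectory

$ouDn     = 'OU=Monitored Users,DC=example,DC=com'   # placeholder OU
$delegate = 'EXAMPLE\svc-cylancemdr'                 # placeholder delegated account

# Schema GUIDs from the default Active Directory schema (schemaIDGUID values).
$uacAttrGuid   = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'   # attribute: userAccountControl
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # class: user

# The only rights the wizard steps should have produced.
$allowedRights = [int]([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                       [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)

$acl  = Get-Acl -Path "AD:\$ouDn"
$aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $delegate })

if ($aces.Count -eq 0) {
    Write-Warning "No ACEs found for $delegate on $ouDn; the respond action cannot work."
    return
}

$report = foreach ($ace in $aces) {
    $scopedToUsers = $ace.InheritedObjectType -eq $userClassGuid       # step 5/6: user objects only
    $uacOnly       = $ace.ObjectType -eq $uacAttrGuid                  # step 8: userAccountControl only
    $noExtraRights = ([int]$ace.ActiveDirectoryRights -band (-bnot $allowedRights)) -eq 0

    if ($ace.AccessControlType -ne 'Allow') { $verdict = 'deny-ace (ignored)' }
    elseif ($scopedToUsers -and $uacOnly -and $noExtraRights) { $verdict = 'expected' }
    else { $verdict = 'EXCESS: broader than Read/Write userAccountControl on user objects' }

    [pscustomobject]@{
        Rights     = $ace.ActiveDirectoryRights
        Type       = $ace.AccessControlType
        UserScoped = $scopedToUsers
        UacOnly    = $uacOnly
        Verdict    = $verdict
    }
}

$report | Format-Table -AutoSize

if ($report.Verdict -match '^EXCESS') {
    Write-Warning "$delegate holds rights beyond the documented delegation on $ouDn; review and tighten."
}
```

Run it as a user who can read the OU's security descriptor; an "EXCESS" verdict usually means General permissions or a wider object scope were left selected in step 5 or 7.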
Log source: Microsoft Azure Active Directory / Entra ID

Provide the following information to the CylanceMDR team:
  • Application (client) ID
  • Directory (tenant) ID
  • Secret Key (password)

To obtain this information for configuring CylanceMDR, you need to:
  • In the Azure AD portal, register the CylanceMDR application.
  • In the application manifest, set allowPublicClient to "true".
  • Create a new client secret (password) for CylanceMDR.
  • Set the API permissions (application permissions) for Microsoft Graph and specify the logs that you want to collect. A super admin must grant admin consent.

For more information, see the Microsoft documentation.
Log source: Microsoft Azure Event Hub

Provide the following information to the CylanceMDR team:
  • Event Hub Name: The name of the Event Hub.
  • Connection String: Find the connection string in Azure. You must use a unique connection string for each instance.
  • Consumer Group: The consumer group for the Event Hub.
  • Event Source: The source of the events you want to collect from the Event Hub. You must configure log sources to send data to the Event Hub. Supported event sources:
    • AzureActivityLog
    • AzureBastion
    • AzureFirewall
    • AzureKeyVault
    • AzureSecurityCenter
    • AzureSecurityGroups
    • AzureSQLServer (includes the AuditEvent log)
    • AzureStorage
    • AzureSynapseWorkspace
    • AzureWebApplicationFirewall
Log source: Netskope

Provide an API token from the Netskope Admin Console to the CylanceMDR team.

To obtain the API token, do the following:
  1. Log in to the Netskope Admin Console as an administrative user.
  2. Navigate to Settings > Tools.
  3. Click Rest API v2 > New Token.
  4. Click Add Endpoint and select the API endpoints to use with the token:
    • /api/v2/events/data/alert (supports data types: policy, dlp, watchlist)
    • /api/v2/events/data/application (supports data type: application)
    • /api/v2/events/data/page (supports data type: page)
    • /api/v2/steering/ipsec/pops (supports data type: pops)
    • /api/v2/steering/ipsec/tunnels (supports data type: tunnels)
  5. Select the privileges for each of the endpoints. You must select Read at a minimum.
  6. Click Save. The API token is created and a dialog appears with the option to copy it.
  7. Click COPY TOKEN to copy the API token and save it to a secure location.
  8. When you are done, click OK.