Because CylancePROTECT is part of the Virus scanning category, information from this event source will provide information to Notable Behaviors and Virus alerts.
Before You Begin
You must configure CylancePROTECT to forward its logs to a syslog server. Additionally, you must change several settings for the events to be collected by a SIEM, or the InsightIDR collector.
To make these changes in CylancePROTECT:
- Go to the CylancePROTECT Admin console and navigate to the "Settings" panel.
- Check the Syslog/SIEM box to enable this configuration.
- Choose which events you want to send to syslog and for InsightIDR to collect.
- Configure the other mandatory options.
- By default, CylancePROTECT uses port 6514 for syslog forwarding. As per the IETF Specification (https://www.ietf.org/about/standards-process.html), the port supports TLS-enabled syslog on versions 1.1, and 1.2.
How to Configure This Event Source
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Virus Scan icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Configure your default domain and any Advanced Event Source Settings.
- Select a collection method and specify a port and a protocol.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Click Save.
Not seeing log data?
InsightIDR only parses an event from your Virus Scan event source when a virus is found.