Cylance Protect

Overview

Because CylancePROTECT belongs to the Virus scanning category, events from this event source feed the Notable Behaviors and Virus alerts.

Before You Begin

CylancePROTECT logs are forwarded from the CylancePROTECT cloud infrastructure to InsightOps, so the appropriate network configuration and routing must be in place for the CylancePROTECT cloud to reach the internal InsightOps Collector.

  1. Go to the CylancePROTECT Admin console and navigate to the "Settings" panel
  2. Enable SIEM/Syslog integration by checking the box. You can choose which event types are shipped to your collector.
  • By default, CylancePROTECT uses port 6514 for syslog forwarding, though this can be changed. As per the IETF specification, this port carries TLS-enabled syslog and supports TLS versions 1.1 and 1.2.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu
  2. At the top right of the page, select Add Data
  3. Select the Virus scan icon from the Security Data section
  4. Select your collector, and from the list of options, choose CylancePROTECT
  5. Choose a timezone, or optionally display only US timezones
  6. Optionally choose to send unfiltered logs
  7. Configure any Advanced Event Source Settings.
  8. Select Listen for Syslog, choose the TCP protocol, and enter port 6514 (or your custom port if you configured a different one in the CylancePROTECT admin console)
  9. Select the "Encrypted" box to send Secure Syslog.
  10. If you are choosing to encrypt, select the button "Download Certificate" which will download Rapid7's certificate. This file will be called Rapid7CA.pem and will allow InsightOps and CylancePROTECT to "trust" each other during log forwarding.

Advanced Event Source Settings

Inactivity Timeout Threshold: Specify in minutes how long the event source should be inactive before it enters an error state.

Fallback Domain(s): If you have event sources running in a multi-domain environment, Rapid7 recommends having a fallback domain in order to resolve any issues with user accounts. For instance, if your company is in the US and in Canada, but both locations have a user named "John Smith" and your main domain is company.com, your fallback domain could be company.ca, which would allow InsightOps to more accurately attribute data to the correct user.

What is Secure Syslog?

Secure Syslog sends encrypted data using TLS (Transport Layer Security) over the TCP protocol.
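To confirm that the Collector really accepts Secure Syslog on the port entered in step 8 before waiting for the Cylance cloud to connect, here is an added Python check; it is not part of the Rapid7 or Cylance documentation. It assumes a Collector host name and the path to the downloaded Rapid7CA.pem, and that the Collector's listener certificate validates against that CA; message framing follows RFC 5425, the IETF specification for syslog over TLS that assigns port 6514.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed values (hypothetical): replace with your Collector's host name and
# the path of the Rapid7CA.pem file downloaded from InsightOps.
COLLECTOR_HOST = "collector.corp.example"
COLLECTOR_PORT = 6514            # CylancePROTECT default syslog port
CA_FILE = "Rapid7CA.pem"


def build_syslog_frame(msg, hostname="cylance-check", app="CylancePROTECT",
                       facility=1, severity=6, ts=None):
    """Return one RFC 5424 message wrapped in RFC 5425 octet-counting framing.

    A TLS stream has no record boundaries, so each message is prefixed with
    its byte length: "<len> <syslog-msg>".
    """
    ts = ts or datetime.now(timezone.utc)
    pri = facility * 8 + severity
    stamp = ts.isoformat(timespec="seconds").replace("+00:00", "Z")
    body = f"<{pri}>1 {stamp} {hostname} {app} - - - {msg}".encode()
    return f"{len(body)} ".encode() + body


def parse_syslog_frame(frame):
    """Split a framed record back into (declared_len, message), as a receiver would."""
    declared, payload = frame.split(b" ", 1)
    return int(declared), payload


def send_test_message(host=COLLECTOR_HOST, port=COLLECTOR_PORT, ca_file=CA_FILE,
                      msg="InsightOps Secure Syslog connectivity check"):
    """Open a TLS connection to the Collector, send one framed message and
    return the negotiated TLS version. Raises ssl.SSLError if the listener's
    certificate does not chain to ca_file or its name does not match host."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # do not fall back to 1.1
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_syslog_frame(msg))
            return tls.version()


if __name__ == "__main__":
    print("TLS handshake ok, negotiated", send_test_message())
```

A handshake failure here points at the certificate or port configuration on the Collector side, whereas a clean return means the Cylance cloud only needs network reachability to the same host and port.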