Tags beginning with edr.cylance identify log events generated by Cylance PROTECT endpoint protection.
Tag structure
The full tag has only three levels. The first two are fixed as edr and cylance. The third level of the tag identifies the supported Cylance log event type.
technology | brand | type | subtype
---|---|---|---
edr | cylance | app, audit, device, memory, script, threats | Not used
Therefore, the valid tags include:
- edr.cylance.app
- edr.cylance.audit
- edr.cylance.device
- edr.cylance.memory
- edr.cylance.script
- edr.cylance.threats
All events sent with these tags are saved in tables with the same name. In addition, a parent table called simply edr.cylance is created automatically and contains all events received with a tag beginning with edr.cylance.
For more information, see Devo tags.
Configuration
In Cylance you need to set up a Syslog/SIEM integration in order to forward events to your Devo Relay.
On the relay, you need to define a series of rules that identify each event type by a string found in the source message and then apply the corresponding tag. To prevent further rule processing on events that match a rule, select the Stop processing checkbox in each rule.
In the examples below we use port 13003, but you can use any port that you can dedicate to these events. It must be the same port that you configured Cylance to send the events to.
Rule 1: AppControl events
Rule 2: AuditLog events
Rule 3: Device management events
Rule 4: Memory protection events
Rule 5: Script Execution control events
Rule 6: Threat and threat classification events
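As an added illustration of the relay rule chain described above (this is example code, not Devo relay configuration), the snippet below models the six rules as an ordered first-match list with "Stop processing" semantics and works out which tables each event lands in. The match strings and the sample syslog lines are assumptions constructed for the example; the page does not give the exact strings, so take them from your own Cylance output.

```python
from typing import List, Optional

# Assumed match strings (not given on the page): each relay rule keys on the
# Cylance event type named in the message and applies the matching edr.cylance tag.
# Order matters: with "Stop processing" only the first matching rule applies.
RULES = [
    ("Event Type: AppControl",     "edr.cylance.app"),      # Rule 1
    ("Event Type: AuditLog",       "edr.cylance.audit"),    # Rule 2
    ("Event Type: Device",         "edr.cylance.device"),   # Rule 3
    ("Event Type: ExploitAttempt", "edr.cylance.memory"),   # Rule 4 (memory protection)
    ("Event Type: ScriptControl",  "edr.cylance.script"),   # Rule 5
    ("Event Type: Threat",         "edr.cylance.threats"),  # Rule 6, also matches ThreatClassification
]


def tag_event(message: str) -> Optional[str]:
    """Return the tag of the first rule whose string occurs in the message.

    Mirrors the relay with "Stop processing" selected: later rules are never
    evaluated once one matches. None means no edr.cylance rule applied.
    """
    for needle, tag in RULES:
        if needle in message:
            return tag
    return None


def destination_tables(tag: str) -> List[str]:
    """Tables that store an event with this tag: the parent edr.cylance plus the full tag."""
    parts = tag.split(".")
    return [".".join(parts[:n]) for n in range(2, len(parts) + 1)]


# Constructed sample syslog lines; fields are illustrative, not real Cylance output.
SAMPLE_EVENTS = [
    "<13>Jan 10 09:15:02 relay CylancePROTECT Event Type: ThreatClassification, Event Name: ResearchSaved",
    "<13>Jan 10 09:15:03 relay CylancePROTECT Event Type: ExploitAttempt, Event Name: blocked, Process Name: example.exe",
    "<13>Jan 10 09:15:04 relay CylancePROTECT Event Type: AuditLog, Event Name: LoginSuccess, User: analyst",
    "<13>Jan 10 09:15:05 relay CylancePROTECT Event Type: Unknown, Event Name: test",
]


def route(messages: List[str]) -> List[Optional[str]]:
    """Tag every message in order; None marks events that fall through all six rules."""
    return [tag_event(m) for m in messages]


if __name__ == "__main__":
    for msg, tag in zip(SAMPLE_EVENTS, route(SAMPLE_EVENTS)):
        print(tag, "->", destination_tables(tag) if tag else "no edr.cylance table", "|", msg[:60])
```

Events that return None in this model would reach the relay untagged, so checking for them is a quick way to spot a Cylance event type that none of the six rules covers.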