Tags beginning with edr.cylance identify log events generated by Cylance PROTECT endpoint protection.
The full tag has only three levels. The first two are fixed as edr and cylance. The third level of the tag identifies the supported Cylance log event type.
Therefore, the valid tags include:
All events sent with these tags are saved in tables with the same name. In addition there will be a table called simply edr.cylance that aggregates all events received with a tag beginning with edr.cylance.
For more information, read more about Devo tags.
In Cylance you need to set up a Syslog/SIEM integration in order to forward events to your Devo Relay.
On the relay, you need to define a series of rules that identify each event type by a string found in the source message and then apply the corresponding tag. To prevent further rule processing on events that already matched a rule, select the Stop processing checkbox in each rule.
The examples below use port 13003, but you can use any port that you can dedicate to these events. That port must be the same one you configured Cylance to send the events to.
Rule 1: AppControl events
Rule 2: AuditLog events
Rule 3: Device management events
Rule 4: Memory protection events
Rule 5: Script Execution control events
Rule 6: Threat and threat classification events
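The following is an added illustration of how the ordered relay rules above behave; it is not Devo relay code and not Cylance output. Because this page does not list the third-level tag names or the exact match strings of the six rules, the tag names (edr.cylance.appcontrol and so on), the "Event Type: ..." match strings and the sample syslog lines below are all assumptions constructed for the example. What it shows is the first-match, stop-processing semantics of the rule chain, why Rule 6 can cover both Threat and ThreatClassification with a single substring, and how a tagged event lands both in its own table and in the aggregate edr.cylance table.

```python
"""Simulated Devo relay rule chain for Cylance PROTECT syslog events.

Added example, not Devo relay code. Tag third levels, match strings and
the sample messages are assumptions; the page does not list them.
"""
from dataclasses import dataclass

RELAY_PORT = 13003  # port from the page; Cylance must be configured to send here


@dataclass(frozen=True)
class Rule:
    name: str          # rule label as on the page
    match: str         # substring searched for in the source message (assumed)
    tag: str           # tag applied on match (third level is assumed)
    stop: bool = True  # the "Stop processing" checkbox


# Assumed rule set mirroring the six rules on the page, in the same order.
RULES = [
    Rule("AppControl events", "Event Type: AppControl", "edr.cylance.appcontrol"),
    Rule("AuditLog events", "Event Type: AuditLog", "edr.cylance.auditlog"),
    Rule("Device management events", "Event Type: Device", "edr.cylance.device"),
    Rule("Memory protection events", "Event Type: ExploitAttempt", "edr.cylance.memoryprotection"),
    Rule("Script Execution control events", "Event Type: ScriptControl", "edr.cylance.scriptcontrol"),
    # A single substring covers "Threat" and "ThreatClassification" event types.
    Rule("Threat and threat classification events", "Event Type: Threat", "edr.cylance.threat"),
]


def apply_rules(message, rules=RULES):
    """Evaluate rules in order; return the list of tags applied.

    A matching rule with stop=True ends processing, so at most one tag is
    applied in the normal configuration. An unmatched message yields [].
    """
    tags = []
    for rule in rules:
        if rule.match in message:
            tags.append(rule.tag)
            if rule.stop:
                break
    return tags


def tables_for(tag):
    """Tables an event with this tag is written to: its own table plus the
    aggregate edr.cylance table described on the page."""
    if not tag.startswith("edr.cylance."):
        raise ValueError("not a Cylance tag: " + tag)
    return {tag, "edr.cylance"}


# Constructed sample messages in the shape of Cylance syslog events (assumed format).
SAMPLES = [
    "CylancePROTECT - - - Event Type: Threat, Event Name: threat_found, Device Name: host1",
    "CylancePROTECT - - - Event Type: ThreatClassification, Event Name: threat_class_changed",
    "CylancePROTECT - - - Event Type: AppControl, Event Name: pechange, Device Name: host2",
    "CylancePROTECT - - - Event Type: ExploitAttempt, Event Name: blocked, Device Name: host3",
    "CylancePROTECT - - - Event Type: Unknown, Event Name: something_new",
]


def route_all(messages=SAMPLES, rules=RULES):
    """Map each message to its applied tags (empty list means no rule matched)."""
    return {m: apply_rules(m, rules) for m in messages}


if __name__ == "__main__":
    for msg, tags in route_all().items():
        print(f"{tags or ['<no rule matched>']}  <-  {msg[:60]}")
```

Two caveats the simulation makes visible: an event type no rule matches (the last sample) receives no tag at all, so add a rule whenever Cylance introduces a new event type; and if Stop processing were left unchecked on a rule whose match string is a prefix of another rule's string, a single event could be tagged twice and stored in two tables.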