Hi,
I need to use the Cylance Protect syslog data in Enterprise Security.
Has anyone used this data in an ES context? What data models does the data map to, and are any additional field extractions required?
Just an FYI: I'm receiving the following Cylance Protect sourcetypes. The Cylance TA and App are able to parse and display the data and information respectively.
syslog_audit_log
syslog_device
syslog_script_control
Any pointers/directions are appreciated!
Best Regards,
Shreedeep Mitra.
Hi Shreedeep,
The TA has three CIM-aligned event types:
Event type one: protect_alert. CIM DM: Alerts
[protect_alert]
search = eventtype=cylance_index sourcetype=audit_log
Event type two: protect_malware. CIM DM: Malware -> Attacks
[protect_malware]
search = eventtype=cylance_index (sourcetype=console_syslog AND EventType=Threat) OR sourcetype=threat OR sourcetype=exploit
Event type three: protect_inventory. CIM DMs: Inventory -> Network, Inventory -> OS, Inventory -> User
[protect_inventory]
search = eventtype=cylance_index (sourcetype=console_syslog AND EventType=Device) OR sourcetype=device
Thank you!
Just a follow-up based on observations of eventtypes.conf, props.conf and transforms.conf:
eventtypes.conf refers to sourcetype names that are slightly different from those being set by transforms.conf. Could this be a bug?
transforms.conf derives these sourcetype names (below), which are used by props.conf:
syslog_audit_log, syslog_threat_classification, syslog_exploit, syslog_app_control, syslog_threat, syslog_device, syslog_device_control, syslog_script_control
eventtypes.conf refers to these sourcetype names (below):
audit_log, console_syslog, threat, exploit, device
Not a bug.. look in the props.conf entry for the syslog_protect sourcetype, for example:
[syslog_protect]
TRANSFORMS-changesourcetype = set_auditlog_sourcetype
TRANSFORMS-changesourcetype2 = set_threatclassification_sourcetype
TRANSFORMS-changesourcetype3 = set_exploit_sourcetype
TRANSFORMS-changesourcetype4 = set_appcontrol_sourcetype
TRANSFORMS-changesourcetype5 = set_threat_sourcetype
TRANSFORMS-changesourcetype6 = set_device_sourcetype
TRANSFORMS-changesourcetype7 = set_devicecontrol_sourcetype
TRANSFORMS-changesourcetype8 = set_scriptcontrol_sourcetype
Looking in transforms.conf, set_auditlog_sourcetype looks like this:
[set_auditlog_sourcetype]
REGEX = Event\sType:\s+AuditLog
FORMAT = sourcetype::syslog_audit_log
DEST_KEY = MetaData:Sourcetype
So, they reroute the syslog_* sourcetypes to others based on regex matching.
I'm trying to dry run this, based on the log excerpt below (redacted IPs and usernames):
"Oct 3 09:18:00 ec2-xx-xx-xxx-xx.compute-1.amazonaws.com 1 2017-10-03T14:17:59.8346483Z sysloghost CylancePROTECT - - - Event Type: AuditLog, Event Name: LoginSuccess, Message: Provider: CylancePROTECT, Source IP: yyy.yyy.yy.yyy, User: John Doe (jdoe@foo.com)"
... transforms.conf will set the sourcetype to syslog_audit_log, right?
But the eventtypes.conf definition refers to it as "audit_log". Correct me if I'm wrong.
[protect_alert]
priority = 5
search = eventtype=cylance_index sourcetype=audit_log
OK... I took a deeper look at the app and you're correct, something doesn't jive.
eventtypes.conf has this:
[cylance_index]
search = index=protect OR index=cylance_protect
[protect_alert]
priority = 5
search = eventtype=cylance_index sourcetype=audit_log
[protect_malware]
priority = 5
search = eventtype=cylance_index (sourcetype=console_syslog AND EventType=Threat) OR sourcetype=threat OR sourcetype=exploit
[protect_inventory]
priority = 5
search = eventtype=cylance_index (sourcetype=console_syslog AND EventType=Device) OR sourcetype=device
In each of the protect_* searches, it has all of them looking at sourcetype=console_syslog with an EventType, or looking at (exploit|device) by themselves.. not looking at syslog_exploit or syslog_device.. etc.
You're gonna have to do some minor surgery to fix this. (Be a peach & advise the dev as well.)
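An added example (not code from the Cylance TA or App) that mimics the props.conf/transforms.conf rerouting and the eventtypes.conf searches quoted in this thread, then reports which rerouted sourcetypes no protect_* eventtype covers. Only the set_auditlog_sourcetype REGEX and the first log line come from the thread; the Threat and Device REGEXes and the other two log lines are assumptions constructed for the example.

```python
import re

# set_auditlog_sourcetype is quoted in the thread; the Threat and Device
# REGEXes are assumptions patterned on it (constructed for this example).
TRANSFORMS = [
    (r"Event\sType:\s+AuditLog", "syslog_audit_log"),
    (r"Event\sType:\s+Threat",   "syslog_threat"),
    (r"Event\sType:\s+Device",   "syslog_device"),
]

# eventtypes.conf searches as quoted in the thread.
EVENTTYPES = {
    "protect_alert": "eventtype=cylance_index sourcetype=audit_log",
    "protect_malware": "eventtype=cylance_index (sourcetype=console_syslog AND EventType=Threat) "
                       "OR sourcetype=threat OR sourcetype=exploit",
    "protect_inventory": "eventtype=cylance_index (sourcetype=console_syslog AND EventType=Device) "
                         "OR sourcetype=device",
}

def derive_sourcetype(raw, transforms=TRANSFORMS, initial="syslog_protect"):
    """Apply each TRANSFORMS-changesourcetype* in order; a later matching REGEX
    overwrites DEST_KEY=MetaData:Sourcetype, so the last match wins."""
    sourcetype = initial
    for regex, new_sourcetype in transforms:
        if re.search(regex, raw):
            sourcetype = new_sourcetype
    return sourcetype

def sourcetypes_in_search(search):
    """Collect the sourcetype=<name> terms an eventtype search references."""
    return set(re.findall(r"sourcetype=(\w+)", search))

def eventtypes_covering(sourcetype, eventtypes=EVENTTYPES):
    """Names of eventtypes whose search would select events of this sourcetype."""
    return sorted(n for n, s in eventtypes.items() if sourcetype in sourcetypes_in_search(s))

def audit_coverage(raw_events, eventtypes=EVENTTYPES):
    """(derived sourcetype, covering eventtypes) per event; an empty list means
    the event was rerouted to a sourcetype that no eventtype ever searches."""
    return [(st, eventtypes_covering(st, eventtypes))
            for st in (derive_sourcetype(e) for e in raw_events)]

# First line is from the thread (redacted); the other two are constructed.
SAMPLE_EVENTS = [
    "Oct 3 09:18:00 ec2-xx-xx-xxx-xx.compute-1.amazonaws.com 1 2017-10-03T14:17:59.8346483Z sysloghost "
    "CylancePROTECT - - - Event Type: AuditLog, Event Name: LoginSuccess, Message: Provider: CylancePROTECT, "
    "Source IP: yyy.yyy.yy.yyy, User: John Doe (jdoe@foo.com)",
    "Oct 3 09:20:00 host CylancePROTECT - - - Event Type: Device, Event Name: Registration, Device Name: WS01",
    "Oct 3 09:21:00 host CylancePROTECT - - - Event Type: Threat, Event Name: threat_found, File Name: x.exe",
]

if __name__ == "__main__":
    for sourcetype, covered in audit_coverage(SAMPLE_EVENTS):
        print(f"{sourcetype:18s} -> {covered or 'NOT covered by any protect_* eventtype'}")
```

Passing a corrected eventtypes dict (with sourcetype=syslog_audit_log and friends) to audit_coverage is a quick way to confirm a local/eventtypes.conf override before deploying it.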
I'm working around this bug/glitch/typo in the Cylance TA by modifying eventtypes.conf with a copy in the local dir.
The bigger change will be in the Cylance App, which has queries using mixed sourcetypes, i.e. audit_log and syslog_audit_log etc. I'm going to inform the App developer.
