CylancePROTECT App: How do we configure Cylance inputs.conf file?

amulay26
Path Finder

I am trying to install the Cylance app in a distributed environment. But I am not sure where the inputs.conf file should be. Should they be located on the search head or the indexer?

Any help is appreciated.

Thanks.

0 Karma
1 Solution

worshamn
Contributor

The inputs.conf will need to be on the collecting machine which sounds like in your case on the indexer (but more preferably a heavy forwarder if you have one).

However there are actually 2 different apps and it depends on whether you are planning on having Cylance send you syslog data or if you are going to pull the "Threat Daily Report" from Cylance's API.

If you are going the syslog route, then you actually need to install this app https://splunkbase.splunk.com/app/3709/ on the forwarder or indexer. Otherwise, if using the API method, then "CylancePROTECT App for Splunk" is the app you need on both the search head and the indexer (or heavy forwarder). Note that the inputs.conf needs the rest of the app, as it points to several scripts in the bin folder of the app.

nih_jaygatsby27
New Member

Did this ever get resolved? I'm having the same issue and would love to know how the key exchange works.

0 Karma

amulay26
Path Finder

@worshamn Thank you very much.
Also, does the inputs.conf stanza necessarily have to be [tcp-ssl://6514]?

0 Karma

worshamn
Contributor

I only use the API, though I would assume that is up to Cylance when it is set up. But I do know that port is one of the standard ports for syslog over SSL and is also one that SELinux already supports.

0 Karma

amulay26
Path Finder

@worshamn What type of ssl certificate does Cylance App require? Any insights will be appreciated.

Thank you.

0 Karma

worshamn
Contributor

Again, I only use the API, which is a pull model and doesn't involve a required SSL cert. I have done other SSL syslog setups (not with Cylance) and those would accept self-signed certs, as the connection is only between you and them, but it would be best to check with Cylance whether they allow it if you are going to do a syslog connection. If you are setting up syslog you will have to get them your cert anyhow.

0 Karma
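To make the placement and stanza questions in this thread concrete, here is an added example of an inputs.conf for the syslog-over-TLS route. It is not from the thread, from the Cylance app, or from Splunk's own documentation for the app: it is what a collecting instance (heavy forwarder or indexer) would carry in `$SPLUNK_HOME/etc/apps/<app>/local/inputs.conf`. The index name, sourcetype, certificate path and expected sender CN are placeholders you replace with the values the app's props.conf and your PKI actually use.

```ini
# Added example, not code from the thread or the Cylance app.
# Lives on the collecting instance (heavy forwarder or indexer), not the search head.

[tcp-ssl://6514]
# 6514 is the IANA-registered port for syslog over TLS; Cylance (or a syslog
# relay in front of it) connects to this port.
# Placeholder names: use the sourcetype the app's props.conf defines and an
# index that exists on the indexer(s).
sourcetype = cylance_syslog
index = cylance
connection_host = dns
disabled = 0

[SSL]
# Certificate this listener presents to the sender. Splunk's default self-signed
# server.pem is shown only as a placeholder; the sender must trust whatever cert
# you put here, so a self-signed cert means exchanging it with the sender.
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
# Restrict who can write to the index: require a client certificate and check
# its common name against the expected sender (placeholder value).
requireClientCert = true
sslCommonNameToCheck = placeholder.cylance.sender
sslVersions = tls1.2
```

After restarting Splunk, confirm the listener is up before asking the sender to connect; `splunk btool inputs list --debug` shows which file each setting was read from, which is the quickest way to catch an inputs.conf that landed on the search head by mistake. The API (pull) route needs none of the above: its inputs are the scripted inputs the app ships in its bin folder, which is why that app has to be installed whole on the instance that runs them.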
