I'm currently trying to configure Cylance to point to our Splunk Cloud instance, and getting a bit stuck on actually adding it in.
Within Splunk, I've created an HTTP Event Collector pointing to the index "cylance_protect", using port 8088 (forced by default), with SSL enabled. I've also made sure the token is enabled in Global Settings.
I've taken the tokens supplied through the HTTP Event Collector and have configured Cylance with the settings below:
When attempting to test the connection in Cylance, I get a failure message. I believe this is due to something having been configured incorrectly on either the Splunk side or the Cylance side.
Splunk is not our usual SIEM of choice, so I'm not entirely sure where there might be issues occurring.
Any chance someone has performed this before and can tell me what might be going wrong?
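One way to check the Splunk side in isolation, as an added example that is not part of this thread: post a single event to the HEC endpoint with the token and index from the question and read back the reply code HEC puts in its JSON body (0 is the only success; 4 means the token is wrong, 7 means the token may not write to that index). The token value and the local stand-in server below are constructed for the example; `send_hec_event` can be pointed at the real Splunk Cloud HEC URL on port 8088 instead.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Reply codes HEC returns in its JSON body (documented by Splunk); 0 is the only success.
HEC_CODES = {0: "Success", 1: "Token disabled", 2: "Token is required",
             3: "Invalid authorization", 4: "Invalid token", 7: "Incorrect index"}

def send_hec_event(base_url, token, index, event, context=None):
    """POST one event to <base_url>/services/collector/event; return (http_status, hec_code, hec_text)."""
    body = json.dumps({"index": index, "sourcetype": "cylance:test", "event": event}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/services/collector/event", data=body,
                                 headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10, context=context) as resp:
            status, payload = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # HEC explains a rejection in a JSON body on 4xx
        status, payload = err.code, err.read()
    reply = json.loads(payload or b"{}")
    return status, reply.get("code"), reply.get("text")

class FakeHEC(BaseHTTPRequestHandler):
    """Constructed stand-in for a HEC endpoint: one enabled token, one permitted index."""
    VALID_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real token
    ALLOWED_INDEX = "cylance_protect"

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        body, auth = json.loads(raw or b"{}"), self.headers.get("Authorization", "")
        if not auth.startswith("Splunk "):
            status, code = 401, 2
        elif auth.split(" ", 1)[1] != self.VALID_TOKEN:
            status, code = 403, 4
        elif body.get("index") != self.ALLOWED_INDEX:
            status, code = 400, 7
        else:
            status, code = 200, 0
        out = json.dumps({"text": HEC_CODES[code], "code": code}).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args): pass  # keep the stand-in quiet

def start_fake_hec():  # serve FakeHEC on a random loopback port; returns (server, base_url)
    srv = HTTPServer(("127.0.0.1", 0), FakeHEC)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]
```

Against the real endpoint, a 403 with code 4 means the token value is wrong, code 1 means it exists but is disabled, and code 7 means the token's allowed indexes do not include "cylance_protect".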
I don't think Cylance supports HEC as an output at this time. There's an existing enhancement request if you log in to Cylance's support portal. Upvote it and maybe that will help get some traction from their development team.