Integrating Cylance with SecurityCoach

In this article, you will learn how to integrate Cylance's endpoint protection platform (EPP) with SecurityCoach. Once you set up this integration, data provided by Cylance will be available under the SecurityCoach tab of your KMSAT console. This data can be viewed in SecurityCoach reports and used to create detection rules for real-time coaching campaigns. For general information about SecurityCoach, see our SecurityCoach Product Manual.

Click the links below to learn how to integrate Cylance with SecurityCoach.

Jump to:

Copy Your Organization Key
Set Up the Integration in Your CylancePROTECT Platform

Copy Your Organization Key

Before you can set up this integration in your CylancePROTECT platform, you will need to authorize the configuration and copy your organization key from the SecurityCoach tab of your KMSAT console. You will need this key in the Set Up the Integration in Your CylancePROTECT Platform section below.
To locate and copy your organization key, follow the steps below:

1. Log in to your KMSAT console and navigate to SecurityCoach > Setup > Security Vendor Integrations.
2. Locate Cylance and click Configure.
   
3. Click Authorize. 
4. In the pop-up window that opens, click OK.
5. In the Organization Key field, copy your key. 

Back to top

Set Up the Integration in Your CylancePROTECT Platform

Before you can set up this integration in your CylancePROTECT platform, you will need to authorize the configuration and copy your organization key from the SecurityCoach tab of your KMSAT console.
To set up the integration in your KMSAT console, follow the steps below:

1.  Log in to your CylancePROTECT platform, and navigate to Settings > Application.
   
   Note: You will need to log in as a user with an Administrator role.
2. Scroll down to the Integrations section of the page.
3. Select the Syslog/SIEM check box. Selecting this check box will prompt Cylance to stream events to SecurityCoach.
4. Fill out the remaining fields. For more information, see the screenshot and list below:
   1. Event Types: Select all check boxes except for the >Audit Log check box.
   2. SIEM: Leave this field blank.
   3. Protocol: From the drop-down menu, select the protocol that you prefer.
   4. TLS/SSL: Leave this check box unchecked to disable TLS/SSL.
      Note: This field will only display if you selected TCP in the Protocol field.
   5. IP/Domain: Enter the domain for your KnowBe4 instance into the field. To find the domain for your KnowBe4 instance, see the table below:
      

      KnowBe4 Instance	Domain
      United States	syslog.training.knowbe4.com
      European Union	syslog.eu.knowbe4.com
      Canada	syslog.ca.knowbe4.com
      Germany	syslog.de.knowbe4.com
      United Kingdom	syslog.uk.knowbe4.com

   6. Port: Enter "4514" into the field.
   7. Severity: From the drop-down menu, select Notice (5).
   8. Facility: From the drop-down menu, select Internal (5).
   9. Custom Token: Enter "org_key=x,vendor_code_name=cylance,log_type=endpoint", but replace "x" with your organization key. 
5. Click Test Connection to confirm that Cylance is able to connect to SecurityCoach.
6. Click SAVE.

Once you’ve successfully completed this integration, you can manage detection rules for Cylance on the Detection Rules subtab of SecurityCoach. For a full list of available system detection rules for this vendor, see our Which Detection Rules Can I Use with My Vendors? article.

Back to top