Setting Up Integrations

Cylance Integration Guide for SecurityCoach

In this article, you will learn how to integrate Cylance's endpoint protection platform (EPP) with SecurityCoach. Once you set up this integration, data provided by Cylance will be available under the SecurityCoach tab of your KMSAT console. This data can be viewed in SecurityCoach reports and used to create detection rules for real-time coaching campaigns. For general information about SecurityCoach, see our SecurityCoach Product Manual.

Important: To configure the Cylance integration, you'll need access to a CylancePROTECT Administrator account.

Copy Your Organization Key

Before you can set up this integration in your CylancePROTECT platform, you will need to authorize the configuration and copy your organization key from the SecurityCoach tab of your KMSAT console. You will need this key in the Set Up the Integration in Your CylancePROTECT Platform section below. To locate and copy your organization key, follow the steps below:

  1. Log in to your KMSAT console and navigate to SecurityCoach Setup > Security Vendor Integrations.
  2. Locate Cylance and click Configure.
  3. Click Authorize.
  4. In the pop-up window that opens, click OK.
  5. In the Organization Key field, copy your key.

Set Up the Integration in Your CylancePROTECT Platform

Before you can set up this integration in your CylancePROTECT platform, you will need to authorize the configuration and copy your organization key from the SecurityCoach tab of your KMSAT console. To set up the integration, follow the steps below:

  1. Log in to your CylancePROTECT platform, and navigate to Settings > Application.
    Important: You will need to log in as a user with an Administrator role.
  2. Scroll down to the Integrations section of the page.
  3. Select the Syslog/SIEM check box. Selecting this check box will prompt Cylance to stream events to SecurityCoach.
  4. Fill out the remaining fields. For more information, see the list below:
    1. Event Types: Select all check boxes except for the Audit Log check box.
    2. SIEM: Leave this field blank.
    3. Protocol: From the drop-down menu, select the protocol that you prefer.
    4. TLS/SSL: Leave this check box unchecked to disable TLS/SSL.
      Note: This field will only display if you selected TCP in the Protocol field.
    5. IP/Domain: Enter the domain for your KnowBe4 instance into the field. To find the domain for your KnowBe4 instance, see the table below:
      KnowBe4 Instance    Domain
      United States       syslog.training.knowbe4.com
      European Union      syslog.eu.knowbe4.com
      Canada              syslog.ca.knowbe4.com
      Germany             syslog.de.knowbe4.com
      United Kingdom      syslog.uk.knowbe4.com
    6. Port: Enter "4514" into the field.
    7. Severity: From the drop-down menu, select Notice (5).
    8. Facility: From the drop-down menu, select Internal (5).
    9. Custom Token: Enter "org_key=x,vendor_code_name=cylance,log_type=endpoint", but replace "x" with your organization key.
  5. Click Test Connection to confirm that Cylance is able to connect to SecurityCoach.
  6. Click SAVE.
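
Before you click Test Connection, you can check the values you plan to enter against this guide. The script below is an added example, not KnowBe4 or Cylance code; the function name check_settings, the sample key EXAMPLE-ORG-KEY, and the rules that the token contains no whitespace and that a real key is never "x" are assumptions.

```python
# Values copied from the table and steps in this guide.
SYSLOG_DOMAINS = {
    "United States": "syslog.training.knowbe4.com",
    "European Union": "syslog.eu.knowbe4.com",
    "Canada": "syslog.ca.knowbe4.com",
    "Germany": "syslog.de.knowbe4.com",
    "United Kingdom": "syslog.uk.knowbe4.com",
}
PORT = 4514
FIXED_FIELDS = {"vendor_code_name": "cylance", "log_type": "endpoint"}
EXPECTED_KEYS = sorted(["org_key", *FIXED_FIELDS])


def check_settings(instance, domain, port, custom_token):
    """Return a list of problems; an empty list means the values match the guide."""
    problems = []
    expected = SYSLOG_DOMAINS.get(instance)
    if expected is None:
        problems.append(f"unknown KnowBe4 instance {instance!r}")
    elif domain.strip().lower() != expected:
        problems.append(f"IP/Domain should be {expected} for {instance}")
    if str(port).strip() != str(PORT):
        problems.append(f"Port should be {PORT}")
    # Assumption: the guide's token has no spaces, so any whitespace is a paste error.
    if any(ch.isspace() for ch in custom_token):
        problems.append("Custom Token contains whitespace")
    pairs = [item.partition("=") for item in custom_token.split(",")]
    values = {key.strip(): value.strip() for key, _, value in pairs}
    if sorted(key.strip() for key, _, _ in pairs) != EXPECTED_KEYS:
        problems.append("Custom Token needs exactly org_key, vendor_code_name, log_type")
        return problems
    for key, want in FIXED_FIELDS.items():
        if values[key] != want:
            problems.append(f"{key} must be {want}")
    # Assumption: a real organization key is never empty or the placeholder "x".
    if values["org_key"] in ("", "x"):
        problems.append("org_key is still the placeholder; paste your organization key")
    return problems


if __name__ == "__main__":
    # Constructed sample input; EXAMPLE-ORG-KEY is not a real key.
    token = "org_key=EXAMPLE-ORG-KEY,vendor_code_name=cylance,log_type=endpoint"
    print(check_settings("Germany", "syslog.de.knowbe4.com", 4514, token) or "OK")
```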

Map Your Users

After you’ve finished integrating Cylance, you can map your users either through mapping rules (recommended) or through a CSV file upload. For more information about user mapping, see our Mapping Users in SecurityCoach article.

Once you’ve successfully completed this integration, you can manage detection rules for Cylance on the Detection Rules subtab of SecurityCoach. For a full list of available system detection rules for this vendor, see our Which Detection Rules Can I Use with My Vendors? article.

Delete the Integration in Your CylancePROTECT Platform

To delete the Cylance integration from your SecurityCoach platform, follow the steps below.

  1. Log in to your CylancePROTECT platform.
  2. Click the gear icon, and then click Application.
  3. Scroll down to the Integrations section of the page.
  4. Deselect the Syslog/SIEM check box.
