Device Configuration: Cylance Syslog Forwarding

Modified on Wed, 8 Apr at 5:17 PM

Overview

This document provides the steps to integrate Cylance (BlackBerry Protect/Firewall) with ADR SIEM using Syslog. The integration enables security logs from Cylance to be forwarded to the ADR Collection and Control Engine (CCE), where they are ingested and analyzed in the Analytics and Policy Engine (APE) for enhanced visibility and proactive threat detection.


Prerequisites

  • Admin credentials for Cylance Console.

  • ADR CCE IP address.

  • Firewall rules must allow traffic from Cylance to CCE on UDP port 514.


Steps of Configuration

  1. Log in to the Cylance console with admin credentials.

  2. Go to:
    Settings → Application.

  3. In the Integrations section, activate the checkbox for Syslog/SIEM.

  4. Under Event Types, enable checkboxes for all events you want forwarded.

  5. Configure the remaining fields as follows:

    • SIEM → None

    • Protocol → UDP

    • TLS/SSL → Unchecked

    • IP/Domain → Enter the ADR CCE IP address

    • Port → 514

    • Severity → Alert (1)

    • Facility → Internal (5)

  6. Click Save to apply the configuration.



Verification (MSSP Only)

On CCE Server

Run the following command on the CCE to confirm that syslog traffic from Cylance is arriving on UDP port 514:

sudo tcpdump -i any port 514 and host <Cylance_IP> -s0 -AAA

On ADR UI

  1. Log in with administrative rights.

  2. Navigate to: System → Logs and Flows Collection Status.

  3. Verify that the Cylance device IP appears under Source Device IP.
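As an added example (not part of this article or the ADR product), a small Python checker for the CCE side that goes one step beyond tcpdump: it parses the RFC 3164 PRI header of each received datagram and confirms that the facility and severity match the Facility → Internal (5) and Severity → Alert (1) values configured above, and that the sender is the Cylance IP. The Cylance IP value and the sample message are constructed assumptions.

```python
import socket

# Values configured in the Cylance console in the steps above
EXPECTED_FACILITY = 5   # Facility -> Internal (5)
EXPECTED_SEVERITY = 1   # Severity -> Alert (1)
SYSLOG_PORT = 514       # Port -> 514, Protocol -> UDP


def parse_pri(message):
    """Split an RFC 3164 style message into (facility, severity, rest).

    PRI is '<N>' at the very start, where N = facility * 8 + severity
    and N <= 191. Returns None when the header is missing or malformed."""
    if not message.startswith("<"):
        return None
    end = message.find(">", 1, 5)          # at most three digits
    if end == -1 or not message[1:end].isdigit():
        return None
    pri = int(message[1:end])
    if pri > 191:
        return None
    return pri // 8, pri % 8, message[end + 1:]


def check_datagram(message, source_ip, cylance_ip):
    """Return a list of problems for one datagram (empty list = looks right)."""
    problems = []
    if source_ip != cylance_ip:
        problems.append(f"unexpected source {source_ip}")
    parsed = parse_pri(message)
    if parsed is None:
        problems.append("missing or malformed PRI header")
        return problems
    facility, severity, _ = parsed
    if facility != EXPECTED_FACILITY:
        problems.append(f"facility {facility} != {EXPECTED_FACILITY}")
    if severity != EXPECTED_SEVERITY:
        problems.append(f"severity {severity} != {EXPECTED_SEVERITY}")
    return problems


def listen(cylance_ip, count=5):
    """Receive `count` datagrams on UDP 514 and report each one.
    Needs root and a free port 514, so run it on a test host, not on a CCE
    whose collector already owns the port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", SYSLOG_PORT))
    for _ in range(count):
        data, (src, _port) = sock.recvfrom(65535)
        msg = data.decode("utf-8", errors="replace")
        problems = check_datagram(msg, src, cylance_ip)
        print("OK  " if not problems else "WARN", src, msg[:80], problems)


if __name__ == "__main__":
    import sys
    listen(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10")  # assumed Cylance IP
```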

