Hello,
So I am working on a CS for Enterprise Security that, when run manually, returns results; however, when it's scheduled to run it does not return anything.
I've looked in the _internal index and found that:
I've looked in the notable's index and confirmed that 0 alerts are firing.
The CS is running as ADMIN within the application context of Enterprise Security.
This is the search:
index=cylance_protect sourcetype=threat
| eval FirstFound=split('First Found'," ")
| eval FirstFoundDate=mvindex(FirstFound,0)
| eval FirstFoundDate_epoch=strptime(FirstFoundDate, "%m/%d/%Y")
| eval currentTime=now()
| eval currentTime=strftime(currentTime, "%m/%d/%Y")
| eval currentTime_epoch=strptime(currentTime, "%m/%d/%Y")
| eval CreatedDaysAgo=(currentTime_epoch-FirstFoundDate_epoch)/86400
| eval CreatedDaysAgo=round(CreatedDaysAgo)
| search CreatedDaysAgo < 2
| table _time FirstFound CreatedDaysAgo DeviceName Tenant user action "Cylance Score" signature "Detected By" "Ever Run" "File Name" file_path file_hash
Are the eval statements causing this issue? I used the above logic to ONLY return 'new' Cylance detections within the last 1 day.
Hi @BrianKJr,
The problem may be the time range setting on your correlation search. Are you using the same time-range on manual testing? Maybe you should increase time-range on your correlation search.
If this reply helps you an upvote is appreciated.
After further troubleshooting, the time range WAS the issue, due to the API schedule for threats being forwarded to Splunk. The API through Cylance / Splunk will need to be looked at because it's not sending logs as often as it should be.
The solution for the interim is to extend the time range from 2 hours to 12 hours.
Thanks for responding 🙂
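The failure mode the thread converged on (events delivered late by the API, so their _time has already slid out of a short lookback window by the time they are indexed) is easy to reason about with a small model. The following is an added Python example, not code from the original post or from Splunk/Cylance: it reimplements the CreatedDaysAgo eval chain from the posted search, then simulates a correlation search that fires every 5 minutes over a set of constructed sample events with assumed ingestion lags, and reports which events at least one run would ever return for a given lookback. The events, lags, timestamps and the START/END window are all made up for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Cylance data). Each carries the Cylance
# "First Found" string the search splits, the timestamp Splunk stored in _time,
# and the time the API integration actually delivered it to the indexer
# (_indextime). The lags are made up to illustrate the failure mode.
EVENTS = [
    {"id": "prompt",  "first_found": "03/10/2021 09:00:00",
     "_time": datetime(2021, 3, 10, 9, 0),  "_indextime": datetime(2021, 3, 10, 9, 3)},
    {"id": "lag_4h",  "first_found": "03/10/2021 10:00:00",
     "_time": datetime(2021, 3, 10, 10, 0), "_indextime": datetime(2021, 3, 10, 14, 0)},
    {"id": "lag_14h", "first_found": "03/10/2021 02:00:00",
     "_time": datetime(2021, 3, 10, 2, 0),  "_indextime": datetime(2021, 3, 10, 16, 0)},
    # re-reported threat: recent _time but First Found nine days earlier
    {"id": "old",     "first_found": "03/01/2021 08:00:00",
     "_time": datetime(2021, 3, 10, 11, 0), "_indextime": datetime(2021, 3, 10, 11, 1)},
]

# One day of scheduled runs, every 5 minutes, as in the thread (assumed window).
START = datetime(2021, 3, 10, 0, 0)
END = datetime(2021, 3, 11, 0, 0)
EVERY_MINUTES = 5


def created_days_ago(first_found, now):
    """Python equivalent of the search's eval chain: keep the date part of
    'First Found', parse it as %m/%d/%Y, and count whole days back from
    today's midnight (now() is reformatted to a date before strptime)."""
    first_found_date = datetime.strptime(first_found.split(" ")[0], "%m/%d/%Y")
    today = datetime.strptime(now.strftime("%m/%d/%Y"), "%m/%d/%Y")
    return round((today - first_found_date).total_seconds() / 86400)


def run_times(start, end, every_minutes):
    """Timestamps at which the scheduler fires between start and end."""
    t = start
    while t <= end:
        yield t
        t += timedelta(minutes=every_minutes)


def events_matched(events, lookback_hours, max_days=2,
                   start=START, end=END, every_minutes=EVERY_MINUTES):
    """IDs of events returned by at least one scheduled run.

    A run at time R scans _time in [R - lookback, R) (earliest inclusive,
    latest exclusive) but can only see events already indexed, so an event
    whose _indextime is later than R is invisible to that run, and an event
    whose _time has slid out of the window by the time it is indexed is
    never returned by any run."""
    lookback = timedelta(hours=lookback_hours)
    seen = set()
    for r in run_times(start, end, every_minutes):
        for ev in events:
            if ev["_indextime"] > r:
                continue  # not delivered by the API yet
            if not (r - lookback <= ev["_time"] < r):
                continue  # outside this run's time range
            if created_days_ago(ev["first_found"], r) < max_days:
                seen.add(ev["id"])
    return seen


def max_ingest_lag_hours(events):
    """Largest _indextime - _time gap in the sample: the lookback must be at
    least this long (plus the schedule interval) for no event to be missed."""
    return max((ev["_indextime"] - ev["_time"]).total_seconds() / 3600
               for ev in events)


if __name__ == "__main__":
    for hours in (1, 12, 24):
        print(f"lookback {hours:2d}h -> {sorted(events_matched(EVENTS, hours))}")
    print(f"max ingest lag: {max_ingest_lag_hours(EVENTS):.1f}h")
```

With these sample lags a 1-hour lookback only ever returns the promptly delivered event, 12 hours also catches the 4-hour-late one, and the 14-hour-late event needs a longer window still; the re-reported event is dropped by the CreatedDaysAgo filter regardless. The check this models is the one worth running in Splunk before picking a lookback: compare _indextime with _time on the real index (for example `| eval lag=_indextime-_time | stats max(lag)`) and size the window to the worst observed delivery delay rather than guessing.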
Hello @scelikok
Yes, the search runs every 5 minutes and looks back 1 hour. Today it should have generated three unique alerts.
It's been running for a couple of days at this point, and the base search has matched 10+ events. We've received 0 though.