
CylancePROTECT App for Splunk: Is there a way to create a search to filter out results by 1 field and create a table that shows only desired fields?

robpileum
Engager

New to Splunk. I've set up the CylancePROTECT App for Splunk. You may be familiar with this, but Cylance has “Zones” that it uses to group and classify devices for a client. So we have one portal set up where each client has their own "Zone". I need to specify a particular zone in a search string that will filter only devices within that zone and then create a table that lists only these Cylance fields – Device Name, Created, Is Online, Offline Date, User

I have been messing around and have found that these search strings are close to providing all of the information I need, but I don’t know how to filter or list only the fields that I want. These commands return every field and also list every time the device comes up in the logs. I just need 1 row per device.

eventtype=cylance_index sourcetype=device | stats list by "Zones" 
eventtype=cylance_index sourcetype=device | stats list by "Device Name"

I would also like to schedule a week/month report for every one of our zones so we’ll know the amount of devices, which are offline and for how long.

marycordova
SplunkTrust
  1. what is the actual field name of "Zones"?
  2. define that in your base search
  3. replace the correct field name and value for "Zones" in the searches below
  4. for more help post a sample of the raw data

eventtype=cylance_index sourcetype=device "Zones"=<zone you want> | stats values(*) as * by "Zones"
eventtype=cylance_index sourcetype=device "Zones"=<zone you want> | stats values(*) as * by "Device Name"


TonyLeeVT
Builder

If you want to get a bit more granular as to which fields are displayed, you can specify it in your search. For example:

eventtype=cylance_index sourcetype=device | stats list("Agent Version"), list("Device Name"), list("OS Version"), list("Policy"), list("Files Analyzed") by Zones

Then, if you want to specify the particular zone you want to look at... add it to the start of the search (ex: test zone):

eventtype=cylance_index sourcetype=device zone=test | stats list("Agent Version"), list("Device Name"), list("OS Version"), list("Policy"), list("Files Analyzed") by Zones

You can also end the strings with a "| rename" to pretty up the column headers if desired. I hope that helps.
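Putting the two answers together for the fields named in the question, here is an added example search (not from the thread or the app's own docs). It assumes the field names are exactly "Zones", "Device Name", "Created", "Is Online", "Offline Date" and "User", that "Is Online" holds true/false text, and that "Offline Date" is an ISO-8601 timestamp; check these against your raw events before using it.

```spl
eventtype=cylance_index sourcetype=device Zones="<zone you want>"
| stats latest("Created") as Created,
        latest("Is Online") as "Is Online",
        latest("Offline Date") as "Offline Date",
        latest("User") as User
  by "Device Name"
| eval offline_days=if(lower('Is Online')="false",
        round((now() - strptime('Offline Date', "%Y-%m-%dT%H:%M:%S")) / 86400, 1),
        null())
| table "Device Name", Created, "Is Online", "Offline Date", User, offline_days
```

For the scheduled per-zone report, drop the `Zones=` filter and end with `| stats count as devices, count(eval(lower('Is Online')="false")) as offline, max(offline_days) as longest_offline_days by Zones` instead of the `table` line, then save the search as a weekly or monthly scheduled report.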

pspc
Explorer

Hi,

Please refer to the README.md (which is part of the app which you downloaded). At the end of this file is a section about how to report issues or ask questions of support.

Thanks.


robpileum
Engager

Thanks for the advice. The app is configured and working properly. I would think my question would be more related to Splunk search functions. I was hoping a Splunk guru would be able to see this and assist. Is that not what this question/answer system is designed for?
