
syslog_threat 'action' field lookup table returns wrong value

williamche
Path Finder

This applies to version 1.4.6 and 1.4.7 of the Cylance TA.

The [syslog_threat] stanza in default/props.conf has the following statement:

LOOKUP-action = protect_cim_status1_to_action_lookup "Status" OUTPUT action

The lookup file status1_to_action.csv contains the following:

"Status",action
threat_found,allowed
threat_removed,blocked
threat_quarantined,blocked
threat_waived,allowed
threat_changed,deferred

The issue is that the values listed in the lookup table for the Status field do not match what's actually populated.

It looks like the EventName field should be used to generate the action field.

Here's an example of what the syslog_threat sourcetype event looks like:

Mar 21 21:12:45 sysloghost CylancePROTECT Event Type: Threat, Event Name: threat_changed, Device Name: xxxxx, IP Address: (192.168.0.3), File Name: nnnnnn.exe, Path: C:\Program Files\bin\, Drive Type: Internal Hard Drive, SHA256: xxxx, MD5: xxxx, Status: Quarantined, Cylance Score: 54, Found Date: 3/20/2018 9:55:45 PM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: ExecutionControl, Zone Names: (abc), Is Malware: False, Is Unique To Cylance: False, Threat Classification: UNCLASSIFIED#nnn

williamche
Path Finder

I fixed it by creating a new lookup table and populating it with the values found in the Status field, with the correct mapping to the action field. Then I pointed to the new lookup file by overriding it in the local props.conf.

My new lookup file is as follows:

Status,action
Quarantined,blocked
Waived,allowed
Unsafe,deferred
Cleared,allowed
Abnormal,deferred

I suppose another workaround would be to just lookup the values from the EventNames field to create the action field.

Either way, I hope this helps anyone not able to correlate events using the action field from Cylance Threat logs.

-w

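As an added example (not the TA's or the poster's code), the Python below emulates what LOOKUP-action does against the event quoted in the question, so the mismatch and both workarounds can be checked before touching props.conf. The sample event, the two CSV strings and the parse_event/load_lookup/action_for/unmapped_values helpers are all my own construction.

```python
import csv
import io
import re

# Constructed sample event in the syslog_threat format quoted in the question
# (host, hashes and names are the placeholders from the post, not real indicators).
SAMPLE_EVENT = (
    "Mar 21 21:12:45 sysloghost CylancePROTECT Event Type: Threat, "
    "Event Name: threat_changed, Device Name: xxxxx, IP Address: (192.168.0.3), "
    "File Name: nnnnnn.exe, Path: C:\\Program Files\\bin\\, Drive Type: Internal Hard Drive, "
    "SHA256: xxxx, MD5: xxxx, Status: Quarantined, Cylance Score: 54, "
    "Found Date: 3/20/2018 9:55:45 PM, File Type: Executable, Is Running: False, "
    "Auto Run: False, Detected By: ExecutionControl, Zone Names: (abc), "
    "Is Malware: False, Is Unique To Cylance: False, Threat Classification: UNCLASSIFIED#nnn"
)

# Lookup shipped with the TA (keys are event names) and the replacement from the
# answer (keys are the values the Status field actually carries).
SHIPPED_LOOKUP = '"Status",action\nthreat_found,allowed\nthreat_removed,blocked\n' \
                 'threat_quarantined,blocked\nthreat_waived,allowed\nthreat_changed,deferred\n'
FIXED_LOOKUP = 'Status,action\nQuarantined,blocked\nWaived,allowed\nUnsafe,deferred\n' \
               'Cleared,allowed\nAbnormal,deferred\n'

# One "Key: value" pair; the value runs until the next ", Key: " or the end of the line.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?): (.*?)(?=, [A-Za-z][A-Za-z0-9 ]*?: |$)")

def parse_event(raw):
    """Split the comma-separated 'Key: value' body into a dict (like Splunk's KV extraction)."""
    body = raw.split("CylancePROTECT ", 1)[1]
    return {k: v for k, v in PAIR_RE.findall(body)}

def load_lookup(csv_text):
    """Read a Splunk CSV lookup; the first column is the lookup key, 'action' the output."""
    rows = csv.DictReader(io.StringIO(csv_text))
    key = rows.fieldnames[0]
    return {r[key]: r["action"] for r in rows}

def action_for(event, lookup, field):
    """Emulate 'LOOKUP-action = <table> <field> OUTPUT action'; None means the lookup missed."""
    return lookup.get(event.get(field))

def unmapped_values(events, lookup, field):
    """Values of `field` seen in events that the lookup does not cover (a pre-deployment check)."""
    return sorted({e[field] for e in events if field in e and e[field] not in lookup})

if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    shipped, fixed = load_lookup(SHIPPED_LOOKUP), load_lookup(FIXED_LOOKUP)
    print("shipped lookup on Status:    ", action_for(ev, shipped, "Status"))      # None (the bug)
    print("fixed lookup on Status:      ", action_for(ev, fixed, "Status"))        # blocked
    print("shipped lookup on Event Name:", action_for(ev, shipped, "Event Name"))  # deferred
```

Note that for this particular event the two workarounds disagree (Status: Quarantined maps to blocked, Event Name: threat_changed maps to deferred), so pick one key field for the action mapping and use it consistently across searches that rely on it.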
