All Apps and Add-ons

syslog_threat 'action' field lookup table returns wrong value

williamche
Path Finder

This applies to version 1.4.6 and 1.4.7 of the Cylance TA.

The [syslog_threat] stanza in default/props.conf has the following statement:

LOOKUP-action = protect_cim_status1_to_action_lookup "Status" OUTPUT action

The lookup file status1_to_action.csv contains the following:

"Status",action
threat_found,allowed
threat_removed,blocked
threat_quarantined,blocked
threat_waived,allowed
threat_changed,deferred

The issue is the values listed in the lookup table for the Status field do not match what's actually populated.

it looks like the EventName field should be used to generate to the action field

Here's an example of the what the syslog_threat sourcetype event looks like:

Mar 21 21:12:45 sysloghost CylancePROTECT Event Type: Threat, Event Name: threat_changed, Device Name: xxxxx, IP Address: (192.168.0.3), File Name: nnnnnn.exe, Path: C:\Program Files\bin\, Drive Type: Internal Hard Drive, SHA256: xxxx, MD5: xxxx, Status: Quarantined, Cylance Score: 54, Found Date: 3/20/2018 9:55:45 PM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: ExecutionControl, Zone Names: (abc), Is Malware: False, Is Unique To Cylance: False, Threat Classification: UNCLASSIFIED#nnn
0 Karma
1 Solution

williamche
Path Finder

I fixed it by creating a new lookup table, populated it with the values found in the Status field with the correct mapping to the action field. Then point to the new lookup file by overriding it in the local props.conf.

My new lookup file is as follows:

Status,action
Quarantined,blocked
Waived,allowed
Unsafe,deferred
Cleared,allowed
Abnormal,deferred

I suppose another workaround would be to just lookup the values from the EventNames field to create the action field.

Either way, I hope this helps anyone not able to correlate events using the action field from Cylance Threat logs.

-w

View solution in original post

0 Karma

williamche
Path Finder

I fixed it by creating a new lookup table, populated it with the values found in the Status field with the correct mapping to the action field. Then point to the new lookup file by overriding it in the local props.conf.

My new lookup file is as follows:

Status,action
Quarantined,blocked
Waived,allowed
Unsafe,deferred
Cleared,allowed
Abnormal,deferred

I suppose another workaround would be to just lookup the values from the EventNames field to create the action field.

Either way, I hope this helps anyone not able to correlate events using the action field from Cylance Threat logs.

-w

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...