Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- syslog_threat 'action' field lookup table returns ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This applies to version 1.4.6 and 1.4.7 of the Cylance TA.
The [syslog_threat] stanza in default/props.conf has the following statement:
LOOKUP-action = protect_cim_status1_to_action_lookup "Status" OUTPUT action
The lookup file status1_to_action.csv contains the following:
"Status",action
threat_found,allowed
threat_removed,blocked
threat_quarantined,blocked
threat_waived,allowed
threat_changed,deferred
The issue is the values listed in the lookup table for the Status field do not match what's actually populated.
it looks like the EventName field should be used to generate to the action field
Here's an example of the what the syslog_threat sourcetype event looks like:
Mar 21 21:12:45 sysloghost CylancePROTECT Event Type: Threat, Event Name: threat_changed, Device Name: xxxxx, IP Address: (192.168.0.3), File Name: nnnnnn.exe, Path: C:\Program Files\bin\, Drive Type: Internal Hard Drive, SHA256: xxxx, MD5: xxxx, Status: Quarantined, Cylance Score: 54, Found Date: 3/20/2018 9:55:45 PM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: ExecutionControl, Zone Names: (abc), Is Malware: False, Is Unique To Cylance: False, Threat Classification: UNCLASSIFIED#nnn
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I fixed it by creating a new lookup table, populated it with the values found in the Status field with the correct mapping to the action field. Then point to the new lookup file by overriding it in the local props.conf.
My new lookup file is as follows:
Status,action
Quarantined,blocked
Waived,allowed
Unsafe,deferred
Cleared,allowed
Abnormal,deferred
I suppose another workaround would be to just lookup the values from the EventNames field to create the action field.
Either way, I hope this helps anyone not able to correlate events using the action field from Cylance Threat logs.
-w
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I fixed it by creating a new lookup table, populated it with the values found in the Status field with the correct mapping to the action field. Then point to the new lookup file by overriding it in the local props.conf.
My new lookup file is as follows:
Status,action
Quarantined,blocked
Waived,allowed
Unsafe,deferred
Cleared,allowed
Abnormal,deferred
I suppose another workaround would be to just lookup the values from the EventNames field to create the action field.
Either way, I hope this helps anyone not able to correlate events using the action field from Cylance Threat logs.
-w
Observe and Secure All Apps with Splunk
Splunk Decoded: Business Transactions vs Business IQ
Fastest way to demo Observability
