Splunk Enterprise

Search By month in Cylance Protect app?

Dukkeee
New Member

Hello everyone, how are you? I am trying to perform a search in the Cylance Protect app, where I have the following event as an example:

2023-02-08T13:25:10.484000Z sysloghost CylancePROTECT - - - Event Type: Threat, Event Name: threat_changed, Device Name: NB-2071, IP Address: (172.47.102.56), File Name: main.exe, Path: C:\DIEF2023.2.0, Drive Type: Internal Hard Drive, File Owner: AUTORIDADE NT\SISTEMA, SHA256: 8B2F7F3120DD73B2C6C4FEA504E60E65886CC9804761F8F1CBE18F92CA20AC44, MD5: 70D778C4A1C17C2EFD2D7F911668E887, Status: Quarantined, Cylance Score: 100, Found Date: 2/8/2023 1:25:10 PM, File Type: Executable, Is Running: False, Auto Run: True, Detected By: FileWatcher, Zone Names: (HOMOLOGAÇÃO), Is Malware: False, Is Unique To Cylance: False, Threat Classification: PUP - Generic, Device Id: 6c4e6c22-bf96-4de4-897b-cea83b8989b4, Policy Name: Política de Proteção N3 - Bloqueio

In this case, note the SHA256 parameter; it is the basis of the panel that I need to create. The thing is that I need to generate a chart that presents the number of different SHA256s that were detected month by month, observing the following rules:

  • If an SHA256 was detected in January, the chart should count one
  • If the same SHA256 is detected again in February, the chart should count it again
  • However, if the same SHA256 was detected twice in the same month, the chart will only count as one.

I tried various different ways to perform this search. However, I was not successful. Here are some examples:

eventtype=cylance_index sourcetype=syslog_threat Tenant="$Tenant$" * Status=Quarantined | timechart span=1mon count as Total
This function works, but it's counting the number of monthly events, that is, the same SHA256 is being counted more than once.

eventtype=cylance_index sourcetype=syslog_threat Tenant="$Tenant$" * Status=Quarantined | dedup SHA256 | stats count as Total by month | timechart span=1mon sum(Total) as Total

This time the error was "No Results Found".

eventtype=cylance_index sourcetype=syslog_threat Tenant="$Tenant$" * Status=Quarantined | stats count by SHA256, month | timechart span=1mon sum(count) as Total 

Again, the error was "No Results Found".

Thank you in advance.


bowesmana
SplunkTrust

Observations on your attempts:

You can't run timechart after stats UNLESS you carry through the _time field. timechart works only if there is a _time field. Your stats effectively discards _time.

Note that you can bucket time with stats, e.g.

| bin _time span=1mon
| stats count by _time

which will count events by month.

However, the simple solution for your problem is

eventtype=cylance_index sourcetype=syslog_threat Tenant="$Tenant$" * Status=Quarantined 
| timechart span=1mon dc(SHA256) 

dc() is distinct count, so it's just calculating the number of different SHA256 values per month.
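The counting rules from the question and the per-month distinct count the answer arrives at (`timechart span=1mon dc(SHA256)`) can be reproduced outside Splunk to see why the two differ. The following is an added Python example, not code from this thread or from the Cylance Protect app: it parses events in the syslog shape quoted in the question, buckets them by calendar month and compares a raw event count (the first attempt), a per-month distinct count (the accepted approach) and a dataset-wide dedup. The event lines, hostnames, IP and hashes are constructed placeholders; the field names in the regex follow the quoted event.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the CylancePROTECT syslog shape quoted in the question: a leading ISO-8601
# timestamp, then comma-separated key/value pairs. SHA256 appears before Status
# in that format, so the lazy .*? segments pull the two fields out in order.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)\s+\S+\s+CylancePROTECT\b"
    r".*?\bSHA256:\s*(?P<sha256>[0-9A-Fa-f]{64})"
    r".*?\bStatus:\s*(?P<status>[^,]+)"
)

# Constructed placeholder hashes (not real indicators).
HASH_A = "A" * 64
HASH_B = "B" * 64
HASH_C = "C" * 64


def _event(ts, device, sha256, status):
    """Build a constructed sample event in the quoted CylancePROTECT layout."""
    return (f"{ts} sysloghost CylancePROTECT - - - Event Type: Threat, Event Name: threat_changed, "
            f"Device Name: {device}, IP Address: (10.0.0.1), File Name: sample.exe, "
            f"SHA256: {sha256}, MD5: {'0' * 32}, Status: {status}, Cylance Score: 100, "
            f"Is Malware: False, Threat Classification: PUP - Generic")


# Constructed sample data covering the three rules from the question.
SAMPLE_EVENTS = [
    _event("2023-01-05T08:00:00.000000Z", "NB-0001", HASH_A, "Quarantined"),
    _event("2023-01-19T17:30:00.000000Z", "NB-0002", HASH_A, "Quarantined"),  # same hash, same month -> counts once
    _event("2023-01-22T11:15:00.000000Z", "NB-0003", HASH_B, "Quarantined"),
    _event("2023-02-08T13:25:10.484000Z", "NB-2071", HASH_A, "Quarantined"),  # same hash, new month -> counts again
    _event("2023-02-14T09:45:00.000000Z", "NB-0004", HASH_C, "Quarantined"),
    _event("2023-02-20T10:00:00.000000Z", "NB-0005", HASH_B, "Waived"),       # excluded by the Status filter
]


def parse_event(line):
    """Return (month_key, sha256, status) for a matching line, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return ts.strftime("%Y-%m"), m.group("sha256").upper(), m.group("status").strip()


def _filtered(lines, status):
    """Yield parsed events whose Status equals the requested value (Status=Quarantined in the searches)."""
    for line in lines:
        parsed = parse_event(line)
        if parsed and parsed[2] == status:
            yield parsed


def events_per_month(lines, status="Quarantined"):
    """Equivalent of `| timechart span=1mon count`: every event counts, so repeats inflate the total."""
    counts = defaultdict(int)
    for month, _, _ in _filtered(lines, status):
        counts[month] += 1
    return dict(sorted(counts.items()))


def distinct_hashes_per_month(lines, status="Quarantined"):
    """Equivalent of `| timechart span=1mon dc(SHA256)`: hashes are deduplicated inside each
    month bucket only, so a hash seen again in a later month is counted again there."""
    seen = defaultdict(set)
    for month, sha256, _ in _filtered(lines, status):
        seen[month].add(sha256)
    return {month: len(hashes) for month, hashes in sorted(seen.items())}


def distinct_hashes_overall(lines, status="Quarantined"):
    """What a dataset-wide `| dedup SHA256` before counting collapses to: the month
    dimension is lost, so a February re-detection of a January hash is never counted."""
    return len({sha256 for _, sha256, _ in _filtered(lines, status)})


if __name__ == "__main__":
    print("events per month:         ", events_per_month(SAMPLE_EVENTS))
    print("distinct SHA256 per month:", distinct_hashes_per_month(SAMPLE_EVENTS))
    print("distinct SHA256 overall:  ", distinct_hashes_overall(SAMPLE_EVENTS))
```

On the constructed data the raw count gives 3 and 2 for January and February, while the per-month distinct count gives 2 and 2: HASH_A is collapsed within January but counted again in February, which is exactly the behaviour the three rules ask for. The dataset-wide dedup yields a single number (3) with no month axis at all, which mirrors why `dedup SHA256` followed by `stats ... by month` could not feed a `timechart`.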