"Hello everyone, how are you? I am trying to perform a search in the Cylance Protect app, where I have the following event as an example:
2023-02-08T13:25:10.484000Z sysloghost CylancePROTECT - - - Event Type: Threat, Event Name: threat_changed, Device Name: NB-2071, IP Address: (172.47.102.56), File Name: main.exe, Path: C:\DIEF2023.2.0, Drive Type: Internal Hard Drive, File Owner: AUTORIDADE NT\SISTEMA, SHA256: 8B2F7F3120DD73B2C6C4FEA504E60E65886CC9804761F8F1CBE18F92CA20AC44, MD5: 70D778C4A1C17C2EFD2D7F911668E887, Status: Quarantined, Cylance Score: 100, Found Date: 2/8/2023 1:25:10 PM, File Type: Executable, Is Running: False, Auto Run: True, Detected By: FileWatcher, Zone Names: (HOMOLOGAÇÃO), Is Malware: False, Is Unique To Cylance: False, Threat Classification: PUP - Generic, Device Id: 6c4e6c22-bf96-4de4-897b-cea83b8989b4, Policy Name: Política de Proteção N3 - Bloqueio
In this case, note the SHA256 field; it is the basis of the panel that I need to create. The thing is that I need to generate a chart that presents the number of distinct SHA256s that were detected month by month, observing the following rules:
If an SHA256 was detected in January, the chart should count one
If the same SHA256 is detected again in February, the chart should count it again
However, if the same SHA256 was detected twice in the same month, the chart should only count it once.
I tried various different ways to perform this search. However, I was not successful. Here are some examples:
eventtype=cylance_index sourcetype=syslog_threat Tenant="$Tenant$" * Status=Quarantined | timechart span=1mon count as Total
This one works, but it counts the number of monthly events, that is, the same SHA256 is counted more than once.
eventtype=cylance_index sourcetype=syslog_threat Tenant="$Tenant$" * Status=Quarantined | dedup SHA256 | stats count as Total by month | timechart span=1mon sum(Total) as Total
This time the error was "No Results Found"
eventtype=cylance_index sourcetype=syslog_threat Tenant="$Tenant$" * Status=Quarantined | stats count by SHA256, month | timechart span=1mon sum(count) as Total
Again, the error was "No Results Found".
Thank you in advance."
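The counting rule asked for above (a hash counts once per calendar month, and again in each later month it reappears) is exactly a distinct count per monthly bucket. The following script is an added example, not code from the original post or from Cylance/Splunk: it parses a handful of constructed CylancePROTECT syslog lines in the format quoted above (the hostnames and 64-character hashes are made up), buckets them by the syslog header timestamp, which is what Splunk would use as `_time`, and counts distinct SHA256 values per month, dropping events whose Status is not Quarantined. The helper names (`parse_event`, `distinct_sha256_per_month`) are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog header CylancePROTECT prepends to each event: ISO-8601 timestamp,
# host, app name, then "- - -" before the "Key: Value, Key: Value" body.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)\s+\S+\s+"
    r"CylancePROTECT\s+-\s+-\s+-\s+(?P<body>.*)$"
)


def parse_event(line):
    """Parse one CylancePROTECT syslog line into a dict of its fields.

    The event time comes from the syslog header (Splunk's _time), not from
    'Found Date', whose format depends on the console locale.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a CylancePROTECT syslog event: %r" % line[:60])
    ts = m.group("ts")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    fields = {"_time": datetime.strptime(ts, fmt)}
    # Fields are comma separated; split each on the FIRST ": " only, because
    # values such as 'Found Date: 2/8/2023 1:25:10 PM' contain colons too.
    for part in m.group("body").split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def distinct_sha256_per_month(lines, status="Quarantined"):
    """Return {'YYYY-MM': number of distinct SHA256 values} for quarantined events.

    A hash seen twice in one month counts once for that month; the same hash
    seen again in a later month counts again there (a distinct count per
    monthly bucket, what dc(SHA256) does inside a monthly timechart in SPL).
    """
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("Status") != status or "SHA256" not in ev:
            continue
        month = ev["_time"].strftime("%Y-%m")
        # Hashes are compared case-insensitively; Splunk's dc() would not be,
        # so normalise in a real dashboard if the source mixes cases.
        seen[month].add(ev["SHA256"].upper())
    return {month: len(hashes) for month, hashes in sorted(seen.items())}


def _event(ts, device, sha256, status):
    """Build a constructed sample line in the format quoted in the question."""
    return (
        "%s sysloghost CylancePROTECT - - - Event Type: Threat, "
        "Event Name: threat_changed, Device Name: %s, IP Address: (10.0.0.1), "
        "File Name: main.exe, Path: C:\\Temp, Drive Type: Internal Hard Drive, "
        "SHA256: %s, Status: %s, Cylance Score: 100, "
        "Found Date: 2/8/2023 1:25:10 PM, File Type: Executable, "
        "Threat Classification: PUP - Generic"
    ) % (ts, device, sha256, status)


# Constructed sample data: three made-up hashes (A, B, C) spread over three months.
HASH_A, HASH_B, HASH_C = "A" * 64, "B" * 64, "C" * 64
SAMPLE_EVENTS = [
    _event("2023-01-05T08:00:00.000000Z", "NB-0001", HASH_A, "Quarantined"),
    _event("2023-01-20T17:30:00.000000Z", "NB-0002", HASH_A, "Quarantined"),  # same hash, same month: once
    _event("2023-01-25T09:15:00.000000Z", "NB-0001", HASH_B, "Quarantined"),
    _event("2023-02-08T13:25:10.484000Z", "NB-0003", HASH_A, "Quarantined"),  # same hash, new month: again
    _event("2023-02-14T11:00:00.000000Z", "NB-0002", HASH_C, "Unsafe"),       # not quarantined: excluded
    _event("2023-03-01T10:00:00.000000Z", "NB-0004", HASH_B, "Quarantined"),
    _event("2023-03-03T12:00:00.000000Z", "NB-0004", HASH_C, "Quarantined"),
]

if __name__ == "__main__":
    for month, total in distinct_sha256_per_month(SAMPLE_EVENTS).items():
        print(month, total)
```

On the constructed data this yields 2 for January, 1 for February and 2 for March. In SPL the same result comes from one distinct-count per bucket, e.g. `eventtype=cylance_index sourcetype=syslog_threat Tenant="$Tenant$" Status=Quarantined | timechart span=1mon dc(SHA256) as Total`. The `stats ... by month` variants in the question return nothing because `month` is not an extracted field in the event, and `dedup SHA256` before the monthly split would keep only the first occurrence across the whole time range, which contradicts the second rule.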