This applies to version 1.4.6 and 1.4.7 of the Cylance TA.
The [syslog_threat]
stanza in default/props.conf has the following statement:
LOOKUP-action = protect_cim_status1_to_action_lookup "Status" OUTPUT action
The lookup file status1_to_action.csv
contains the following:
"Status",action
threat_found,allowed
threat_removed,blocked
threat_quarantined,blocked
threat_waived,allowed
threat_changed,deferred
The issue is the values listed in the lookup table for the Status
field do not match what's actually populated.
it looks like the EventName
field should be used to generate to the action
field
Here's an example of the what the syslog_threat sourcetype event looks like:
Mar 21 21:12:45 sysloghost CylancePROTECT Event Type: Threat, Event Name: threat_changed, Device Name: xxxxx, IP Address: (192.168.0.3), File Name: nnnnnn.exe, Path: C:\Program Files\bin\, Drive Type: Internal Hard Drive, SHA256: xxxx, MD5: xxxx, Status: Quarantined, Cylance Score: 54, Found Date: 3/20/2018 9:55:45 PM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: ExecutionControl, Zone Names: (abc), Is Malware: False, Is Unique To Cylance: False, Threat Classification: UNCLASSIFIED#nnn
I fixed it by creating a new lookup table, populated it with the values found in the Status
field with the correct mapping to the action
field. Then point to the new lookup file by overriding it in the local props.conf.
My new lookup file is as follows:
Status,action
Quarantined,blocked
Waived,allowed
Unsafe,deferred
Cleared,allowed
Abnormal,deferred
I suppose another workaround would be to just lookup the values from the EventNames field to create the action field.
Either way, I hope this helps anyone not able to correlate events using the action
field from Cylance Threat logs.
-w
I fixed it by creating a new lookup table, populated it with the values found in the Status
field with the correct mapping to the action
field. Then point to the new lookup file by overriding it in the local props.conf.
My new lookup file is as follows:
Status,action
Quarantined,blocked
Waived,allowed
Unsafe,deferred
Cleared,allowed
Abnormal,deferred
I suppose another workaround would be to just lookup the values from the EventNames field to create the action field.
Either way, I hope this helps anyone not able to correlate events using the action
field from Cylance Threat logs.
-w