This applies to versions 1.4.6 and 1.4.7 of the Cylance TA.
The [syslog_threat] stanza in default/props.conf has the following statement:
LOOKUP-action = protect_cim_status1_to_action_lookup "Status" OUTPUT action
The lookup file status1_to_action.csv contains the following:
"Status",action
threat_found,allowed
threat_removed,blocked
threat_quarantined,blocked
threat_waived,allowed
threat_changed,deferred
The issue is that the values listed in the lookup table for the Status field do not match what's actually populated.
It looks like the EventName field should be used to generate the action field.
Here's an example of what the syslog_threat sourcetype event looks like:
Mar 21 21:12:45 sysloghost CylancePROTECT Event Type: Threat, Event Name: threat_changed, Device Name: xxxxx, IP Address: (192.168.0.3), File Name: nnnnnn.exe, Path: C:\Program Files\bin\, Drive Type: Internal Hard Drive, SHA256: xxxx, MD5: xxxx, Status: Quarantined, Cylance Score: 54, Found Date: 3/20/2018 9:55:45 PM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: ExecutionControl, Zone Names: (abc), Is Malware: False, Is Unique To Cylance: False, Threat Classification: UNCLASSIFIED#nnn
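To make the mismatch concrete, here is an added example (not part of the original post or the Cylance TA) that parses a constructed syslog_threat line into its "Key: Value" fields and applies the quoted lookup table once keyed on Status and once keyed on Event Name; the sample event and the field-splitting regex are assumptions, the lookup rows are those from the post.

```python
import csv
import io
import re

# Lookup table exactly as quoted from status1_to_action.csv in the post.
LOOKUP_CSV = '''"Status",action
threat_found,allowed
threat_removed,blocked
threat_quarantined,blocked
threat_waived,allowed
threat_changed,deferred
'''

# Constructed sample event, modelled on the syslog_threat line in the post.
SAMPLE_EVENT = ("Mar 21 21:12:45 sysloghost CylancePROTECT Event Type: Threat, "
                "Event Name: threat_changed, Device Name: host01, IP Address: (192.168.0.3), "
                "File Name: sample.exe, Path: C:\\Program Files\\bin\\, Status: Quarantined, "
                "Cylance Score: 54, Is Malware: False")

def load_lookup(text):
    """Return {key: action} from the two-column lookup CSV."""
    return {row["Status"]: row["action"] for row in csv.DictReader(io.StringIO(text))}

def extract_fields(event):
    """Split the CylancePROTECT 'Key: Value, Key: Value' payload into a dict.
    Values may contain ':' themselves (e.g. the Path field), so a key is only
    recognised at the start of the payload or right after ', '."""
    payload = event.split("CylancePROTECT ", 1)[1]
    key_re = re.compile(r"(?:^|, )([A-Z][A-Za-z0-9 ]*?): ")
    matches = list(key_re.finditer(payload))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(payload)
        fields[m.group(1)] = payload[m.end():end]
    return fields

def cim_action(fields, lookup, key_field):
    """Apply the lookup keyed on key_field; None when no row matches."""
    return lookup.get(fields.get(key_field))

def compare(event=SAMPLE_EVENT):
    """Show the action the lookup yields when keyed on Status vs. Event Name."""
    lookup = load_lookup(LOOKUP_CSV)
    fields = extract_fields(event)
    return {
        "by_status": cim_action(fields, lookup, "Status"),          # None: 'Quarantined' has no row
        "by_event_name": cim_action(fields, lookup, "Event Name"),  # 'deferred'
    }
```

Keying on Status leaves action empty for every event, while keying on Event Name populates it, which is why the post's "Is Malware"/quarantine context never surfaces as a CIM action.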