Parse Cylance logs.
name: Windows.Applications.Cylance
author: "Matt Green - @mgreen27"
description: |
Parse Cylance logs.
parameters:
- name: FileGlob
default: C:\ProgramData\Cylance\Status\Status.json
sources:
- query: |
LET files = SELECT * FROM glob(globs=FileGlob)
LET parse_json_files = SELECT
FullPath,
parse_json(data=Data) as json
FROM read_file(filenames=FullPath)
LET results <= SELECT * FROM foreach(
row=files,
query=parse_json_files
)
SELECT
FullPath,
json.SnapshotTime as SnapshotTime,
json.ProductInfo as ProductInfo,
json.Policy as Policy,
json.ScanState as ScanState
FROM results
- name: Threats
queries:
- |
SELECT * FROM foreach(row={
SELECT json.Threats.Threat as Threats
FROM results
},
query={
SELECT * FROM foreach(row=Threats,
query={
SELECT
time_stamp,
file_hash_id,
file_md5,
file_path,
full_file_path,
is_running,
auto_run,
file_status,
file_type,
score,
file_size
FROM scope()
})
})
- name: Scripts
queries:
- |
SELECT * FROM foreach(row={
SELECT json.Scripts.Script as Scripts
FROM results
},
query={
SELECT * FROM foreach(row=Scripts,
query={
SELECT
EventDetail,
script_path,
script_name,
file_hash_id,
file_md5,
file_sha1,
drive_type,
last_modified,
interpreter,
username,
groups,
sid,
action
FROM scope()
})
})
- name: Exploits
queries:
- |
SELECT * FROM foreach(row={
SELECT json.Exploits.Exploit as Exploits
FROM results
},
query={
SELECT * FROM foreach(row=Exploits,
query={
SELECT
EventDetail,
ProcessId,
ProcessTag,
ImagePath,
ImageHash,
FileVersion,
Username,
Groups,
Sid,
ItemType,
State,
MemDefVersion,
Count
FROM scope()
})
})