Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Description | <vendorinfo>, <tag1> | <policy> |
| Device ID | N/A | <serialnumber> |
| Device Name | <dname> | <dname> |
| Event ID | N/A | N/A |
| Event Name | <vmid> | N/A |
| Event Type | <objecttype> | <vmid> |
| Instigating Process Image File Sha256 | N/A | N/A |
| Instigating Process Name | <parentprocessname> | <parentprocessname> |
| Instigating Process Owner | <domainorigin>, <login> | <domainorigin>, <login> |
| Severity | <severity> | <severity> |
| Target Process Image File Sha256 | <hash> | <hash> |
| Target Process Name | <process> | <process> |
| Target Process Owner | <domainimpacted>, <account> | <domainimpacted>, <account> |
| Zone Names | <group> | N/A |
| Target Process Command Line | N/A | <command> |
| Target Process File Path | N/A | <parentprocesspath> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1010202 | CylanceOPTICS : Process Events | Base Rule | Suspicious Activity | Suspicious |
| | File Name Confusion | Sub Rule | Active File Name Inquiry | Other Audit Success |
| | Unsigned Process | Sub Rule | Suspicious Host Activity | Suspicious |
| | Suspicious Parent Activity | Sub Rule | Suspicious Host Activity | Suspicious |
| | Unsigned Process | Sub Rule | Suspicious Host Activity | Suspicious |
| | Suspicious OS Process | Sub Rule | Suspicious Host Activity | Suspicious |
| | Office DDE Activity | Sub Rule | Suspicious Host Activity | Suspicious |
| | RegSvr32 Remote Activity | Sub Rule | Suspicious Host Activity | Suspicious |
| | RegSvcs Activity | Sub Rule | Suspicious Host Activity | Suspicious |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1011382 | V 2.0: Cylance Optics: Process Threat Detected | Base Rule | General Threat Message | Activity |