Global Threat Quarantine
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| N/A | N/A | N/A |
| Event Type | N/A | <vmid> |
| Event Name | <vmid> | <action>, <tag1> |
| Message | N/A | <vendorinfo> |
| SHA256 | <objectname>, <hash> | <hash> |
| FileName | N/A | <object> |
| Added to | N/A | <subject> |
| Category | N/A | <objecttype> |
| Reason | <subject>, <reason> | <reason> |
| User | <login> | <domainorigin>, <login> |
| Devices/Device | N/A | <dname> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1008351 | Global Threat Quarantine | Base Rule | Quarantine | Activity |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1011399 | V 2.0 : Cylance Protect : Audit Event | Base Rule | General Auditing Message | Other Audit |
| V 2.0 : Cylance Protect : Agent Updated | Sub Rule | Software Updated | Configuration | |
| V 2.0 : Cylance Protect : App Added | Sub Rule | Object Added | Access Success | |
| V 2.0 : Cylance Protect : App Modified | Sub Rule | Object Modified | Access Success | |
| V 2.0 : Cylance Protect : App Removed | Sub Rule | Object Deleted/Removed | Access Success | |
| V 2.0 : Cylance Protect : Cert Added | Sub Rule | Object Added | Access Success | |
| V 2.0 : Cylance Protect : Cert Deleted | Sub Rule | Object Deleted/Removed | Access Success | |
| V 2.0 : Cylance Protect : Cert Modified | Sub Rule | Object Modified | Access Success | |
| V 2.0 : Cylance Protect : Cert Added To Safe List | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : Cert Rem. From Safe List | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : Custom Auth Disabled | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : Custom Auth Saved | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : Device Added | Sub Rule | Object Added | Access Success | |
| V 2.0 : Cylance Protect : Device Modified | Sub Rule | Object Modified | Access Success | |
| V 2.0 : Cylance Protect : Device Removed | Sub Rule | Object Deleted/Removed | Access Success | |
| V 2.0 : Cylance Protect : Support Login Modified | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : File Added To Global Lis | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : File Rem. From Global Li | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : User Logon Failure | Sub Rule | User Logon Failure | Authentication Failure | |
| V 2.0 : Cylance Protect : User Logon Success | Sub Rule | User Logon | Authentication Success | |
| V 2.0 : Cylance Protect : Policy Added | Sub Rule | Object Added | Access Success | |
| V 2.0 : Cylance Protect : Policy Modified | Sub Rule | Object Modified | Access Success | |
| V 2.0 : Cylance Protect : Policy Removed | Sub Rule | Object Deleted/Removed | Access Success | |
| V 2.0 : Cylance Protect : File Added To Safe List | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : File Rem. From Safe List | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : Script Added To Safe Lis | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : Script Rem. From Safe Li | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : Syslog Disabled | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : Syslog Settings Modified | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : File Added To Quarantine | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : User Quarantined File | Sub Rule | Quarantined Message | Failed Activity | |
| V 2.0 : Cylance Protect : File Added To Safe List | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : User Waived File Threat | Sub Rule | General Security | Other Security | |
| V 2.0 : Cylance Protect : User Account Created | Sub Rule | User Account Created | Account Created | |
| V 2.0 : Cylance Protect : User Account Modified | Sub Rule | User Account Attribute Modified | Account Modified | |
| V 2.0 : Cylance Protect : User Account Removed | Sub Rule | User Account Deleted | Account Deleted | |
| V 2.0 : Cylance Protect : Zone Added | Sub Rule | Object Added | Access Success | |
| V 2.0 : Cylance Protect : Device Added To Zone | Sub Rule | Configuration Modified : Security | Configuration | |
| V 2.0 : Cylance Protect : Zone Modified | Sub Rule | Object Modified | Access Success | |
| V 2.0 : Cylance Protect : Zone Removed | Sub Rule | Production | Object Deleted/Removed | |
| V 2.0 : Cylance Protect : Device Removed From Zone | Sub Rule | Production | Configuration Modified : Security | |
| V 2.0 : Cylance Protect : Zone Rule Added | Sub Rule | Production | Object Added | |
| V 2.0 : Cylance Protect : Zone Rule Modified | Sub Rule | Production | Object Modified | |
| V 2.0 : Cylance Protect : Zone Rule Removed | Sub Rule | Production | Object Deleted/Removed |