This document explains the changes required to switch over and upgrade to the Syslog - Cylance Optics Detection\Protect Events log source type, and to enable new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project.
Prerequisites
-
Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
-
Enable the new MPE rules in the LogRhythm System Monitor.
-
Select log source type Syslog - Cylance Optics Detection\Protect Events.
When you select the log source type Syslog - Cylance Optics Detection\Protect Events, the log processing policy LogRhythm Default v2.0 is automatically enabled.
-
Supported Log Messages
The following table lists the log message types supported in the current MPE rules. Each page contains detailed information on parsing changes and new log processing settings.
|
Log Message Type |
Event Type |
|---|---|
|
Add Device To Zone (Audit Event) |
Audit Event |
|
Add Device To Zone (Device Event) |
Device Event |
|
Application Control Messages |
AppControl Event |
|
Catch All : Level 1 |
N/A |
|
Catch All : Level 2 |
N/A |
|
CylanceOPTICS : File Events |
File Event |
|
CylanceOPTICS : Memory Events |
Memory Event |
|
CylanceOPTICS : Network Events |
Network Event |
|
CylanceOPTICS : Process Events |
Process Event |
|
CylanceOPTICS : Registry Events |
Registry Event |
|
Device Edit |
Audit Event |
|
Device Policy Assigned |
Device Event |
|
Device Policy Changed |
Device Event |
|
Device Registration |
Device Event |
|
Device Removed |
Device Event |
|
Exploit Attempt |
Memory Exploit Event |
|
Global Threat Quarantine |
Audit Event |
|
Last Message Repeated |
N/A |
|
Policy Edit |
Audit Event |
|
Scan Messages |
Threat Event |
|
Script Control Messages |
Script Control Event |
|
System Security Messages |
Device Event |
|
Test Connection Message |
N/A |
|
Threat Classification Messages |
Threat Classification Event |
|
Threat Data Report Download |
Audit Event |
|
Threat Messages |
Threat Event |
|
Threat Safe List |
Audit Event |
|
USB Device Blocked |
Device Control Event |
|
User Added |
Audit Event |
|
User Login |
Audit Event |
|
User Removed |
Audit Event |
|
Zone Edit |
Audit Event |
|
Zone Rule Edit |
Audit Event |
Log Processing Policy Updates
This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.
Updates to AIE Rules
-
No changes
Updates to System Reports
-
No changes
Updates to System Investigations
-
No changes
Updates to System Report Templates
-
No changes
Updates to System Tails
-
No changes