This document explains the changes required to switch over and upgrade to the Syslog - Cylance Optics Detection\Protect Events log source type, and to enable new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project.
Prerequisites
-
Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
-
Enable the new MPE rules in the LogRhythm System Monitor.Select log source type Syslog - Cylance Optics Detection\Protect Events.When you select the log source type Syslog - Cylance Optics Detection\Protect Events, the log processing policy LogRhythm Default v2.0 is automatically enabled.
Supported Log Messages
The following table lists the log message types supported in the current MPE rules. Each page contains detailed information on parsing changes and new log processing settings.
|
Log Message Type |
Event Type |
|---|---|
|
Add Device To Zone (Audit Event) |
Audit Event |
|
Add Device To Zone (Device Event) |
Device Event |
|
Application Control Messages |
AppControl Event |
|
Catch All : Level 1 |
N/A |
|
Catch All : Level 2 |
N/A |
|
CylanceOPTICS : File Events |
File Event |
|
CylanceOPTICS : Memory Events |
Memory Event |
|
CylanceOPTICS : Network Events |
Network Event |
|
CylanceOPTICS : Process Events |
Process Event |
|
CylanceOPTICS : Registry Events |
Registry Event |
|
Device Edit |
Audit Event |
|
Device Policy Assigned |
Device Event |
|
Device Policy Changed |
Device Event |
|
Device Registration |
Device Event |
|
Device Removed |
Device Event |
|
Exploit Attempt |
Memory Exploit Event |
|
Global Threat Quarantine |
Audit Event |
|
Last Message Repeated |
N/A |
|
Policy Edit |
Audit Event |
|
Scan Messages |
Threat Event |
|
Script Control Messages |
Script Control Event |
|
System Security Messages |
Device Event |
|
Test Connection Message |
N/A |
|
Threat Classification Messages |
Threat Classification Event |
|
Threat Data Report Download |
Audit Event |
|
Threat Messages |
Threat Event |
|
Threat Safe List |
Audit Event |
|
USB Device Blocked |
Device Control Event |
|
User Added |
Audit Event |
|
User Login |
Audit Event |
|
User Removed |
Audit Event |
|
Zone Edit |
Audit Event |
|
Zone Rule Edit |
Audit Event |
Log Processing Policy Updates
This section details log processing policy updates made to AIE Rules, system reports and templates, tails, and investigations as part of LSO.
Updates to AIE Rules
-
No changes
Updates to System Reports
-
No changes
Updates to System Investigations
-
No changes
Updates to System Report Templates
-
No changes
Updates to System Tails
-
No changes