Syslog - Cylance Optics Detection\Protect Events

BlackBerry Cylance develops artificial intelligence to deliver prevention-first, predictive security products, and smart, simple, secure solutions that change how organizations approach endpoint security. BlackBerry Cylance provides full-spectrum predictive threat prevention and visibility across the enterprise to combat the most notorious and advanced cybersecurity attacks, fortifying endpoints to promote security hygiene in the security operations centre, throughout global networks, and even on employees’ home networks. With AI-based malware prevention, threat hunting, automated detection and response, and expert security services, BlackBerry Cylance protects the endpoint without increasing staff workload or costs.

Device Details

Device Name	Cylance Syslog
Vendor	BlackBerry
Device Type	Endpoint Security & Threat Prevention
Supported Model Name/Number	N/A
Supported Software Version	All
Collection Method	Syslog
Configurable Log Output	N/A
Log Source Type	Syslog - Cylance Optics Detection\Protect Events
Log Processing Policy	LogRhythm Default v2.0
Exceptions	N/A
Additional Information	https://docs.blackberry.com/en/unified-endpoint-security/blackberry-ues/cylance-syslog-guide/CylancePROTECT_Event_Types

Supported Log Messages

(List of LR Tags used to parse the log information for each message type)

Type	Product Version	Supported Schema Fields
V 2.0: Cylance Optics: Process Threat Detected	N/A	<policy>, <serialnumber>, <dname>, <vmid>, <parentprocessname>, <domainorigin>, <login>, <severity>, <hash>, <process>, <domainimpacted>, <account>, <command>, <parentprocesspath>
V 2.0: Cylance Optics: File Threat Detected	N/A	<policy>, <serialnumber>, <dname>, <vmid>, <parentprocessname>, <domainorigin>, <login>, <severity>, <hash>, <object>, <domainimpacted>, <account>
V 2.0: Cylance Optics: Registry Threat Detected	N/A	<policy>, <serialnumber>, <dname>, <vmid>, <hash>, <process>, <domainorigin>, <login>, <severity>, <object>, <objectname>
V 2.0: Cylance Optics: Memory Threat Detected	N/A	<policy>, <serialnumber>, <dname>, <vmid>, <hash>, <process>, <domainorigin>, <login>, <severity>
V 2.0: Cylance Optics: Network Threat Detected	N/A	<policy>, <serialnumber>, <sname>, <vmid>, <hash>, <process>, <domainorigin>, <login>, <severity>, <dip>, <dport>
V 2.0: Cylance Optics: WMI Threat Detected	N/A	<policy>, <serialnumber>, <dname>, <vmid>, <hash>, <process>, <domainorigin>, <login>, <severity>, <action>, <size>, <command>
V 2.0: Cylance Optics: DNS Threat Detected	N/A	<policy>, <serialnumber>, <dname>, <vmid>, <hash>, <process>, <domainorigin>, <login>, <severity>, <dip>, <quantity>, <domainimpacted>
V 2.0: Cylance Optics: Log Threat Detected	N/A	<policy>, <serialnumber>, <dname>, <vmid>, <hash>, <process>, <domainorigin>, <login>, <severity>, <objecttype>, <object>
V 2.0: Cylance Optics: Powershell Threat Detect	N/A	<policy>, <serialnumber>, <dname>, <vmid>, <hash>, <process>, <domainorigin>, <login>, <severity>, <size>, <command>
V 2.0: Cylance Protect: AppControl Events	N/A	<result>, <tag1>, <dname>, <action>, <vmid>, <object>, <dip>, <hash>
V 2.0: Cylance Protect: Device Control Events	N/A	<dname>, <action>, <tag1>, <vmid>, <object>, <objectname>, <serialnumber>, <vendorinfo>
V 2.0: Cylance Protect: Device Events	N/A	<vendorinfo>, <action>, <tag1>, <vmid>, <dip>, <domainorigin>, <login>, <dmac>
V 2.0: Cylance Protect: Memory Exploit Events	N/A	<dname>, <action>, <tag1>, <vmid>, <dip>, <processid>, <process>, <login>, <threatname>
V 2.0: Cylance Protect: Script Control Events	N/A	<dname>, <action>, <tag1>, <vmid>, <object>
V 2.0: Cylance Protect: Threat Classifi. Events	N/A	<action>, <vmid>, <hash>, <threatname>
V 2.0: Cylance Protect: Threat Events	N/A	<severity>, <dname>, <action>, <tag1>, <vmid>, <object>, <dip>, <hash>, <status>, <threatname>, <policy>, <subject>
Catch-All: Level 2	N/A	<vmid>, <login>
Catch-All: Level 1	N/A	<severity>, <tag1>

Revision History

KB Version	Log Type	Change Type	Details
KB 7.1.643.0	Syslog - Cylance Optics Detection\Protect Events	Device Documentation	N/A