Threat Messages 1
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
N/A | <severity> | N/A |
Auto Run | N/A | N/A |
Cylance Score | <amount> | <severity> |
Detected By | <process> | N/A |
Device Name | <dname> | <dname> |
Drive Type | N/A | N/A |
Event Name | <vmid> | <action>, <tag1> |
Event Type | N/A | <vmid> |
File Name | <object> | <object> |
File Type | <subject> | N/A |
Found Date | N/A | N/A |
IP Address | <dip> | <dip> |
Is Malware | <session> | N/A |
Is Running | N/A | N/A |
Is Unique to Cylance | N/A | N/A |
MD5 | N/A | N/A |
Path | <parentprocesspath> | N/A |
SHA256 | <hash>, <objectname> | <hash> |
Status | <status>, <command> | <status> |
Threat Classification | <threatname> | <threatname> |
Zone Names | <group> | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1008204 | Threat Messages | Base Rule | General Threat Protection Event | Activity |
| | Threat Changed | Sub Rule | Object Whitelisted | Other Security |
| | Threat Cleared | Sub Rule | Quarantine | Activity |
| | Threat Found | Sub Rule | Detected Malware Activity | Malware |
| | Threat Quarantined | Sub Rule | Quarantine | Activity |
| | Threat Waived | Sub Rule | Object Whitelisted | Other Security |
| | Threat Changed : Unsafe | Sub Rule | Possible Malware Activity | Malware |
| | Threat Changed : Quarantined | Sub Rule | Quarantine | Activity |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1011407 | V 2.0 : Cylance Protect : Threat Events | Base Rule | General Threat Message | Activity |
| | V 2.0 : Cylance Protect : Threat Found | Sub Rule | Detected Malware Activity | Malware |
| | V 2.0 : Cylance Protect : Threat Cleared | Sub Rule | Failed Malware Activity | Failed Malware |
| | V 2.0 : Cylance Protect : Threat Quarantined | Sub Rule | Failed Malware Activity | Failed Malware |
| | V 2.0 : Cylance Protect : Threat Waived | Sub Rule | General Security | Other Security |
| | V 2.0 : Cylance Protect : Threat Changed | Sub Rule | General Security | Other Security |
| | V 2.0 : Cylance Protect : Corrupt File | Sub Rule | General Antivirus Error | Error |
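The following Python script is an added example, not LogRhythm or Cylance code, that ties the two parts of this page together: it parses the key/value portion of a Cylance threat message, applies the field-to-tag mapping from the Log Fields table under both policies so the differences are visible side by side (for example, Cylance Score landing in `<amount>` under LogRhythm Default but `<severity>` under v2.0, and `<objectname>` only being populated under Default), and resolves the v2.0 sub-rule, common event and classification from the second rules table. The comma-separated `Field: value` layout of the message, the sample values, the hash placeholders and the lowercase `threat_found`-style Event Name tokens are assumptions constructed for this example; the page itself gives no sample message. Default-policy sub-rule selection (which also depends on Status for the `Threat Changed : Unsafe` and `Threat Changed : Quarantined` rows) is not modelled here.

```python
import re

# Cylance threat-message field names, as listed in the Log Fields table on this page.
FIELD_NAMES = [
    "Auto Run", "Cylance Score", "Detected By", "Device Name", "Drive Type",
    "Event Name", "Event Type", "File Name", "File Type", "Found Date",
    "IP Address", "Is Malware", "Is Running", "Is Unique to Cylance", "MD5",
    "Path", "SHA256", "Status", "Threat Classification", "Zone Names",
]

# Field -> metadata tags parsed by each policy, taken from the Log Fields table.
# Fields not listed here are "N/A" under both policies.
FIELD_MAP = {
    "Cylance Score":         {"default": ["amount"],            "v2": ["severity"]},
    "Detected By":           {"default": ["process"],           "v2": []},
    "Device Name":           {"default": ["dname"],             "v2": ["dname"]},
    "Event Name":            {"default": ["vmid"],              "v2": ["action", "tag1"]},
    "Event Type":            {"default": [],                    "v2": ["vmid"]},
    "File Name":             {"default": ["object"],            "v2": ["object"]},
    "File Type":             {"default": ["subject"],           "v2": []},
    "IP Address":            {"default": ["dip"],               "v2": ["dip"]},
    "Is Malware":            {"default": ["session"],           "v2": []},
    "Path":                  {"default": ["parentprocesspath"], "v2": []},
    "SHA256":                {"default": ["hash", "objectname"], "v2": ["hash"]},
    "Status":                {"default": ["status", "command"], "v2": ["status"]},
    "Threat Classification": {"default": ["threatname"],        "v2": ["threatname"]},
    "Zone Names":            {"default": ["group"],             "v2": []},
}

# Event Name -> (sub-rule, common event, classification) under LogRhythm Default v2.0,
# from the v2.0 rules table. The lowercase event-name tokens are an assumption.
V2_SUB_RULES = {
    "threat_found":       ("Threat Found", "Detected Malware Activity", "Malware"),
    "threat_cleared":     ("Threat Cleared", "Failed Malware Activity", "Failed Malware"),
    "threat_quarantined": ("Threat Quarantined", "Failed Malware Activity", "Failed Malware"),
    "threat_waived":      ("Threat Waived", "General Security", "Other Security"),
    "threat_changed":     ("Threat Changed", "General Security", "Other Security"),
    "corrupt_found":      ("Corrupt File", "General Antivirus Error", "Error"),
}
# Fallback when no sub-rule matches: the base rule row of the v2.0 table.
V2_BASE_RULE = ("V 2.0 : Cylance Protect : Threat Events", "General Threat Message", "Activity")

# Split only in front of a known field name, so values that themselves contain
# commas (paths, zone lists) are not broken apart.
KEY_RE = re.compile(r"(?:^|, )(" + "|".join(re.escape(n) for n in FIELD_NAMES) + r"): ")


def parse_message(message):
    """Return {field: value} for the key/value portion of a Cylance threat message."""
    parts = KEY_RE.split(message)          # ['', key1, value1, key2, value2, ...]
    pairs = iter(parts[1:])
    return {key: value.strip() for key, value in zip(pairs, pairs)}


def normalize(fields, policy):
    """Map parsed fields onto LogRhythm metadata tags for policy "default" or "v2"."""
    tags = {}
    for field, value in fields.items():
        for tag in FIELD_MAP.get(field, {}).get(policy, []):
            tags[tag] = value
    return tags


def classify_v2(fields):
    """Sub-rule, common event and classification that the v2.0 policy would assign."""
    event_name = fields.get("Event Name", "").lower()
    return V2_SUB_RULES.get(event_name, V2_BASE_RULE)


# Constructed sample message; hashes are obvious placeholders, not real indicators.
SAMPLE_MESSAGE = (
    "Event Type: Threat, Event Name: threat_found, Device Name: WS-LAB-01, "
    "IP Address: 10.0.0.25, File Name: invoice.exe, "
    "Path: C:\\Users\\lab\\Downloads\\, Drive Type: Fixed, "
    "SHA256: " + "a" * 64 + ", MD5: " + "b" * 32 + ", "
    "Status: Quarantined, Cylance Score: 100, Found Date: 1/2/2024 10:00:00 AM, "
    "File Type: Executable, Is Running: False, Auto Run: False, "
    "Detected By: FileWatcher, Threat Classification: Malware, Is Malware: True, "
    "Is Unique to Cylance: False, Zone Names: Lab, Workstations"
)

if __name__ == "__main__":
    parsed = parse_message(SAMPLE_MESSAGE)
    for policy in ("default", "v2"):
        print(policy, normalize(parsed, policy))
    print("v2.0 rule:", classify_v2(parsed))
```

Running the script prints the two tag dictionaries and the v2.0 rule triple for the constructed message, which makes it easy to confirm that a detection rule written against `<amount>` under the Default policy must be rewritten against `<severity>` after migrating to v2.0.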