Threat Messages 1
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| N/A | <severity> | N/A |
| Auto Run | N/A | N/A |
| Cylance Score | <amount> | <severity> |
| Detected By | <process> | N/A |
| Device Name | <dname> | <dname> |
| Drive Type | N/A | N/A |
| Event Name | <vmid> | <action>, <tag1> |
| Event Type | N/A | <vmid> |
| File Name | <object> | <object> |
| File Type | <subject> | N/A |
| Found Date | N/A | N/A |
| IP Address | <dip> | <dip> |
| Is Malware | <session> | N/A |
| Is Running | N/A | N/A |
| Is Unique to Cylance | N/A | N/A |
| MD5 | N/A | N/A |
| Path | <parentprocesspath> | N/A |
| SHA256 | <hash>, <objectname> | <hash> |
| Status | <status>, <command> | <status> |
| Threat Classification | <threatname> | <threatname> |
| Zone Names | <group> | <subject> |
| Policy Name | N/A | <policy> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1008204 | Threat Messages | Base Rule | General Threat Protection Event | Activity |
| | Threat Changed | Sub Rule | Object Whitelisted | Other Security |
| | Threat Cleared | Sub Rule | Quarantine | Activity |
| | Threat Found | Sub Rule | Detected Malware Activity | Malware |
| | Threat Quarantined | Sub Rule | Quarantine | Activity |
| | Threat Waived | Sub Rule | Object Whitelisted | Other Security |
| | Threat Changed : Unsafe | Sub Rule | Possible Malware Activity | Malware |
| | Threat Changed : Quarantined | Sub Rule | Quarantine | Activity |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1011407 | V 2.0 : Cylance Protect : Threat Events | Base Rule | General Threat Message | Activity |
| | V 2.0 : Cylance Protect : Threat Found | Sub Rule | Detected Malware Activity | Malware |
| | V 2.0 : Cylance Protect : Threat Cleared | Sub Rule | Failed Malware Activity | Failed Malware |
| | V 2.0 : Cylance Protect : Threat Quarantined | Sub Rule | Failed Malware Activity | Failed Malware |
| | V 2.0 : Cylance Protect : Threat Waived | Sub Rule | General Security | Other Security |
| | V 2.0 : Cylance Protect : Threat Changed | Sub Rule | General Security | Other Security |
| | V 2.0 : Cylance Protect : Corrupt File | Sub Rule | General Antivirus Error | Error |
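The following Python example, added here and not part of the LogRhythm documentation or the Cylance product, shows the two tables above working together: a key/value threat message is split into the log fields listed in the Log Fields and Parsing table, the LogRhythm Default v2.0 column is applied to produce metadata field names, and the Event Name is used to select the v2.0 sub-rule and classification from the Log Processing Settings table. The sample message is constructed, its "Key: Value, Key: Value" layout is an assumption about the agent's syslog format, and the raw event-name tokens (threat_found and so on) used as routing keys are assumed because the page names only the sub-rules. The parser recognises keys only after a comma so that a value containing commas, such as a multi-zone Zone Names value, is kept whole.

```python
import re

# Log fields the page lists for the Threat Messages log type.
LOG_FIELDS = [
    "Auto Run", "Cylance Score", "Detected By", "Device Name", "Drive Type",
    "Event Name", "Event Type", "File Name", "File Type", "Found Date",
    "IP Address", "Is Malware", "Is Running", "Is Unique to Cylance", "MD5",
    "Path", "SHA256", "Status", "Threat Classification", "Zone Names",
    "Policy Name",
]

# LogRhythm Default v2.0 column of the Log Fields table:
# page log field -> LogRhythm metadata field(s). Fields parsed as N/A are absent.
V2_MAPPING = {
    "Cylance Score": ("severity",),
    "Device Name": ("dname",),
    "Event Name": ("action", "tag1"),
    "Event Type": ("vmid",),
    "File Name": ("object",),
    "IP Address": ("dip",),
    "SHA256": ("hash",),
    "Status": ("status",),
    "Threat Classification": ("threatname",),
    "Zone Names": ("subject",),
    "Policy Name": ("policy",),
}

# v2.0 base rule and sub-rule routing from the Log Processing Settings table.
# The raw Event Name tokens used as keys are ASSUMED; the page names only the sub-rules.
V2_BASE_RULE = ("V 2.0 : Cylance Protect : Threat Events", "Activity")
V2_SUB_RULES = {
    "threat_found": ("V 2.0 : Cylance Protect : Threat Found", "Malware"),
    "threat_cleared": ("V 2.0 : Cylance Protect : Threat Cleared", "Failed Malware"),
    "threat_quarantined": ("V 2.0 : Cylance Protect : Threat Quarantined", "Failed Malware"),
    "threat_waived": ("V 2.0 : Cylance Protect : Threat Waived", "Other Security"),
    "threat_changed": ("V 2.0 : Cylance Protect : Threat Changed", "Other Security"),
    "corrupt_found": ("V 2.0 : Cylance Protect : Corrupt File", "Error"),
}

# A key is recognised only at the start of the message (after an optional
# "<product>: " prefix) or directly after a comma, so commas inside a value
# do not split it. Longer keys are listed first in the alternation.
_KEY_RE = re.compile(
    r"(?:^|,\s*|^[A-Za-z]+:\s+)(?P<key>"
    + "|".join(re.escape(k) for k in sorted(LOG_FIELDS, key=len, reverse=True))
    + r"):\s*"
)


def parse_threat_message(msg: str) -> dict:
    """Split a key/value threat message into the page's log fields."""
    matches = list(_KEY_RE.finditer(msg))
    fields = {}
    for i, m in enumerate(matches):
        # The value runs from the end of this key up to the start of the next key.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(msg)
        value = msg[m.end():end].strip()
        if m.group("key") == "IP Address":
            # Assumption: the agent wraps the address in parentheses; dip needs a bare address.
            value = value.strip("()")
        fields[m.group("key")] = value
    return fields


def to_v2_metadata(fields: dict) -> dict:
    """Apply the LogRhythm Default v2.0 column: one log field may feed several metadata fields."""
    meta = {}
    for log_field, targets in V2_MAPPING.items():
        if log_field in fields:
            for target in targets:
                meta[target] = fields[log_field]
    return meta


def route_v2_sub_rule(fields: dict) -> tuple:
    """Select the v2.0 sub-rule and classification by Event Name; unknown events stay on the base rule."""
    return V2_SUB_RULES.get(fields.get("Event Name", "").strip().lower(), V2_BASE_RULE)


# Constructed sample message (not a captured Cylance log); its layout is assumed.
SAMPLE_SHA256 = "0123456789abcdef" * 4  # constructed placeholder, not a real hash
SAMPLE_MESSAGE = (
    "CylancePROTECT: Event Type: Threat, Event Name: threat_found, "
    "Device Name: WKSTN-042, IP Address: (10.0.5.17), File Name: invoice.exe, "
    "Path: C:\\Users\\jdoe\\Downloads\\, Drive Type: Fixed, "
    f"SHA256: {SAMPLE_SHA256}, MD5: {'0123456789abcdef' * 2}, "
    "Status: Unsafe, Cylance Score: 92, Found Date: 1/1/2024 12:00:00 AM, "
    "File Type: Executable, Is Running: False, Auto Run: False, "
    "Detected By: FileWatcher, Threat Classification: Malware, "
    "Policy Name: Workstations, Zone Names: Finance, Remote Workers"
)

if __name__ == "__main__":
    parsed = parse_threat_message(SAMPLE_MESSAGE)
    print(to_v2_metadata(parsed))
    print(route_v2_sub_rule(parsed))
```

Running the block prints the v2.0 metadata for the sample (note that Event Name lands in both action and tag1, and that Path produces nothing because the v2.0 column lists it as N/A) followed by the Threat Found sub-rule with its Malware classification. An Event Name that matches no sub-rule falls back to the base rule, which is the behaviour a detection engineer should expect when a new Cylance event type appears before a sub-rule exists for it.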