V 2.0 : Cylance Optics : DNS Threat Detected

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Cylance Optics : DNS Threat Detected | Base Rule | General Threat Message | Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Description | `<policy>` | Text/String | The name of the Detection Rule that was triggered. |
| Device ID | `<serialnumber>` | Text/String | The unique ID for the device. |
| Device Name | `<dname>` | Text/String | The name of the device on which the Detection Event occurred. |
| Event ID | N/A | N/A | The unique ID for the Detection Event. |
| Event Name | N/A | N/A | The Detection Event involved a Target File. |
| Event Type | `<vmid>` | Text/String | The Detection Event involved a Target File. |
| Instigating Process Image File Sha256 | `<hash>` | Text/String | The SHA256 hash of the process that instigated the action. |
| Instigating Process Name | `<process>` | Text/String | The name of the process that instigated the action. |
| Instigating Process Owner | `<domainorigin>`, `<login>` | Text/String | The user who owns the process that instigated the action. |
| Severity | `<severity>` | Text/String | The severity of the event. High: A malicious event that requires immediate attention. Medium: A suspicious event that should be reviewed. Low: An important event, but may not be malicious. Info: An observed event. |
| Resolved Address | `<dip>` | IP Address | The resolved IP address for the domain. |
| Resolved Address Count | `<quantity>` | Number | The number of resolved IP addresses for the domain. |
| Target Domain Name | `<domainimpacted>` | Text/String | The domain for which resolution was attempted. |
| Zone Names | N/A | N/A | The zones to which the device belongs. |