| MPE Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Cylance Optics : Network Threat Detected | Base Rule | General Threat Message | Activity |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Description | `<policy>` | Text/String | The name of the Detection Rule that was triggered. |
| Device ID | `<serialnumber>` | Text/String | The unique ID for the device. |
| Device Name | `<sname>` | Text/String | The name of the device on which the Detection Event occurred. |
| Event ID | N/A | N/A | The unique ID for the Detection Event. |
| Event Name | N/A | N/A | The Detection Event involved a Target File. |
| Event Type | `<vmid>` | Text/String | The Detection Event involved a Target File. |
| Instigating Process Image File Sha256 | `<hash>` | Text/String | The SHA256 hash of the process that instigated the action. |
| Instigating Process Name | `<process>` | Text/String | The name of the process that instigated the action. |
| Instigating Process Owner | `<domainorigin>`, `<login>` | Text/String | The user who owns the process that instigated the action. |
| Severity | `<severity>` | Text/String | The severity of the event. High: a malicious event that requires immediate attention. Medium: a suspicious event that should be reviewed. Low: an important event, but may not be malicious. Info: an observed event. |
| Destination IP | `<dip>` | IP Address | The destination IP address involved with a Detection Event. This is typically a resource external to your environment. |
| Destination Port | `<dport>` | Number | The network port on the destination IP address involved with a Detection Event. |
| Zone Names | N/A | N/A | The zones to which the device belongs. |
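The following is an added example (not LogRhythm or BlackBerry Cylance code) that applies the mapping above to a message and shows the points a parser test should cover: keys the table leaves as N/A are dropped, the process owner is split into `<domainorigin>` and `<login>`, the port is typed as a number, and a severity outside the four listed levels is rejected. The sample message and its "Key: Value, Key: Value" layout are constructed assumptions, not a captured Cylance event; adapt `split_pairs` to the real syslog layout before relying on it.

```python
"""Map a Cylance Optics "Network Threat Detected" message onto the LogRhythm
schema fields listed in the mapping table.

Added example, not LogRhythm or Cylance code. The sample message and the
"Key: Value, Key: Value" layout are constructed assumptions.
"""
import re

# Device key -> LogRhythm schema field(s), taken from the mapping table.
# None marks keys the table leaves unmapped (N/A).
FIELD_MAP = {
    "Description": "policy",
    "Device ID": "serialnumber",
    "Device Name": "sname",
    "Event ID": None,
    "Event Name": None,
    "Event Type": "vmid",
    "Instigating Process Image File Sha256": "hash",
    "Instigating Process Name": "process",
    "Instigating Process Owner": ("domainorigin", "login"),
    "Severity": "severity",
    "Destination IP": "dip",
    "Destination Port": "dport",
    "Zone Names": None,
}

# The four severity levels the table documents.
SEVERITIES = {"High", "Medium", "Low", "Info"}

# Constructed sample message (assumed layout; not a real Cylance event).
SAMPLE = (
    "Event Type: OpticsDetection, Event Name: Network Threat Detected, "
    "Device Name: WS-0042, Device ID: 00000000-0000-0000-0000-000000000001, "
    "Event ID: 11111111-2222-3333-4444-555555555555, "
    "Description: Outbound connection to suspicious port, "
    "Instigating Process Name: powershell.exe, "
    "Instigating Process Image File Sha256: " + "a" * 64 + ", "
    "Instigating Process Owner: CORP\\jdoe, Severity: High, "
    "Destination IP: 203.0.113.10, Destination Port: 4444, "
    "Zone Names: Workstations"
)


def split_pairs(message):
    """Split 'Key: Value, Key: Value' text into a dict of raw device keys.

    The split happens only on ', ' that is followed by a known key, so a
    value (e.g. a free-text Description) may itself contain commas.
    """
    keys = "|".join(re.escape(k) for k in sorted(FIELD_MAP, key=len, reverse=True))
    pattern = re.compile(r"(%s): (.*?)(?=, (?:%s): |$)" % (keys, keys))
    return {m.group(1): m.group(2) for m in pattern.finditer(message)}


def map_to_schema(message):
    """Return a dict keyed by LogRhythm schema field name."""
    out = {}
    for key, value in split_pairs(message).items():
        target = FIELD_MAP.get(key)
        if target is None:
            continue  # Event ID, Event Name, Zone Names: no schema field
        if isinstance(target, tuple):
            # "DOMAIN\user" -> domainorigin + login; a bare user has no domain.
            domain, _, login = value.rpartition("\\")
            out["domainorigin"] = domain or None
            out["login"] = login
        elif target == "dport":
            out["dport"] = int(value)  # the table types the port as Number
        elif target == "severity":
            if value not in SEVERITIES:
                raise ValueError("unexpected severity: %r" % value)
            out["severity"] = value
        else:
            out[target] = value
    return out


if __name__ == "__main__":
    for field, val in sorted(map_to_schema(SAMPLE).items()):
        print("%-13s %s" % (field, val))
```

The severity check is deliberately strict: a level the table does not list is more likely a parser or version mismatch than a new category, and failing loudly keeps such events from being silently ingested with an empty `<severity>`.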