V 2.0 : Cylance Optics : Process Threat Detected
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : Cylance Optics: Process Threat Detected | Base Rule | General Threat Message | Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Description | <policy> | Text/String | The name of the Detection Rule that was triggered. |
Device ID | <serialnumber> | Text/String | The unique ID for the device. |
Device Name | <dname> | Text/String | The name of the device on which the Detection Event occurred. |
Event ID | N/A | N/A | The unique ID for the Detection Event. |
Event Name | N/A | N/A | The Detection Event involved a Target Process. |
Event Type | <vmid> | Text/String | The Detection Event involved a Target Process. |
Instigating Process Image File Sha256 | N/A | N/A | The SHA256 hash of the process that instigated the action. |
Instigating Process Name | <parentprocessname> | Text/String | The name of the process that instigated the action. |
Instigating Process Owner | <domainorigin> <login> | Text/String | The user who owns the process that instigated the action. |
Severity | <severity> | Text/String | The severity of the event. High: A malicious event that requires immediate attention. Medium: A suspicious event that should be reviewed. Low: An important event, but may not be malicious. Info: An observed event. |
Target Process Image File Sha256 | <hash> | Text/String | The SHA256 hash of the process that was started or terminated. |
Target Process Name | <process> | Text/String | The name of the process that was started or terminated. |
Target Process Owner | <domainimpacted>,<account> | Text/String | The user who owns the process that was started or terminated. |
Zone Names | N/A | N/A | The zones to which the device belongs. |
Target Process Command Line | <command> | Text/String | The command line used to start the target process of the process event. |
Target Process File Path | <parentprocesspath> | Text/String | The file path of the target process executable. |