V 2.0 : Cylance Optics : Process Threat Detected | Base Rule | General Threat Message | Activity
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Description | `<policy>` | Text/String | The name of the Detection Rule that was triggered. |
| Device ID | `<serialnumber>` | Text/String | The unique ID for the device. |
| Device Name | `<dname>` | Text/String | The name of the device on which the Detection Event occurred. |
| Event ID | N/A | N/A | The unique ID for the Detection Event. |
| Event Name | N/A | N/A | The Detection Event involved a Target Process. |
| Event Type | `<vmid>` | Text/String | The Detection Event involved a Target Process. |
| Instigating Process Image File Sha256 | N/A | N/A | The SHA256 hash of the process that instigated the action. |
| Instigating Process Name | `<parentprocessname>` | Text/String | The name of the process that instigated the action. |
| Instigating Process Owner | `<domainorigin>` | Text/String | The user who owns the process that instigated the action. |
| Severity | `<severity>` | Text/String | The severity of the event. High: a malicious event that requires immediate attention. Medium: a suspicious event that should be reviewed. Low: an important event, but may not be malicious. Info: an observed event. |
| Target Process Image File Sha256 | `<hash>` | Text/String | The SHA256 hash of the process that was started or terminated. |
| Target Process Name | `<process>` | Text/String | The name of the process that was started or terminated. |
| Target Process Owner | `<domainimpacted>`, `<account>` | Text/String | The user who owns the process that was started or terminated. |
| Zone Names | N/A | N/A | The zones to which the device belongs. |