Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
V 2.0 : Cylance Optics: Process Threat Detected |
Base Rule |
General Threat Message |
Activity |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
Description |
<policy> |
Text/String |
The name of the Detection Rule that was triggered. |
|
Device ID |
<serialnumber> |
Text/String |
The unique ID for the device. |
|
Device Name |
<dname> |
Text/String |
The name of the device on which the Detection Event occurred. |
|
Event ID |
N/A |
N/A |
The unique ID for the Detection Event. |
|
Event Name |
N/A |
N/A |
The Detection Event involved a Target Process. |
|
Event Type |
<vmid> |
Text/String |
The Detection Event involved a Target Process. |
|
Instigating Process Image File Sha256 |
N/A |
N/A |
The SHA256 hash of the process that instigated the action. |
|
Instigating Process Name |
<parentprocessname> |
Text/String |
The name of the process that instigated the action. |
|
Instigating Process Owner |
<domainorigin>
|
Text/String |
The user who owns the process that instigated the action. |
|
Severity |
<severity> |
Text/String |
The severity of the event.
|
|
Target Process Image File Sha256 |
<hash> |
Text/String |
The SHA256 hash of the process that was started or terminated. |
|
Target Process Name |
<process> |
Text/String |
The name of the process that was started or
|
|
Target Process Owner |
<domainimpacted>,<account> |
Text/String |
The user who owns the process that was started or terminated. |
|
Zone Names |
N/A |
N/A |
The zones to which the device belongs. |
|
Target Process Command Line |
<command> |
Text/String |
This is the command line that was used to start the process of interest for the process event. |
|
Target Process File Path |
<parentprocesspath> |
Text/String |
This is the path of the target process executable. |