| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Cylance Optics : Registry Threat Detected | Base Rule | General Threat Message | Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Description | `<policy>` | Text/String | The name of the Detection Rule that was triggered. |
| Device ID | `<serialnumber>` | Text/String | The unique ID for the device. |
| Device Name | `<dname>` | Text/String | The name of the device on which the Detection Event occurred. |
| Event ID | N/A | N/A | The unique ID for the Detection Event. |
| Event Name | N/A | N/A | The Detection Event involved a Target File. |
| Event Type | `<vmid>` | Text/String | The Detection Event involved a Target File. |
| Instigating Process Image File Sha256 | `<hash>` | Text/String | The SHA256 hash of the process that instigated the action. |
| Instigating Process Name | `<process>` | Text/String | The name of the process that instigated the action. |
| Instigating Process Owner | `<domainorigin>`, `<login>` | Text/String | The user who owns the process that instigated the action. |
| Severity | `<severity>` | Text/String | The severity of the event. High: a malicious event that requires immediate attention. Medium: a suspicious event that should be reviewed. Low: an important event, but may not be malicious. Info: an observed event. |
| Target Registry KeyPath | `<object>` | Text/String | The path of the registry key that was acted upon (created, written, overwritten, or deleted). |
| Target Registry ValueName | `<objectname>` | Text/String | The value name of the registry item that was acted upon (created, written, overwritten, or deleted). |
| Zone Names | N/A | N/A | The zones to which the device belongs. |