| V 2.0 : Cylance Optics : WMI Threat Detected | Base Rule | General Threat Message | Activity |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Description | `<policy>` | Text/String | The name of the Detection Rule that was triggered. |
| Device ID | `<serialnumber>` | Text/String | The unique ID for the device. |
| Device Name | `<dname>` | Text/String | The name of the device on which the Detection Event occurred. |
| Event ID | N/A | N/A | The unique ID for the Detection Event. |
| Event Name | N/A | N/A | The Detection Event involved a Target File. |
| Event Type | `<vmid>` | Text/String | The Detection Event involved a Target File. |
| Instigating Process Image File Sha256 | `<hash>` | Text/String | The SHA256 hash of the process that instigated the action. |
| Instigating Process Name | `<process>` | Text/String | The name of the process that instigated the action. |
| Instigating Process Owner | `<domainorigin>`, `<login>` | Text/String | The user who owns the process that instigated the action. |
| Severity | `<severity>` | Text/String | The severity of the event. High: a malicious event that requires immediate attention. Medium: a suspicious event that should be reviewed. Low: an important event, but one that may not be malicious. Info: an observed event. |
| Operation | `<action>` | Text/String | The WMI operation that was executed. Commonly a binding creation, a filter creation, or a consumer creation. |
| Operation Length | `<size>` | Number | The length of the observed Operation field. |
| Consumer Text | `<command>` | Text/String | The text (commonly the command to be executed) associated with a WMI event. |
| Consumer Text Length | N/A | N/A | The length of the observed Consumer Text field. |
| Zone Names | N/A | N/A | The zones to which the device belongs. |