V 2.0 : Cylance Protect : AppControl Events

Vendor Documentation

Classification

Rule Name                                     | Rule Type | Common Event                  | Classification
V 2.0 : Cylance Protect : AppControl Events   | Base Rule | Application Control Detection | Activity
V 2.0 : Cylance Protect : Application Allowed | Sub Rule  | Application Control Detection | Activity
V 2.0 : Cylance Protect : Application Blocked | Sub Rule  | Application Blocked           | Failed Activity

Mapping with LogRhythm Schema

Device Key in Log Message | LogRhythm Schema | Data Type   | Schema Description
Device Product            | N/A              | N/A         | N/A
Action                    | <result>, <tag1> | Text/String | Possible Values: Allow, Deny.
Action Type               | N/A              | N/A         | Possible Values: Execution, ExecutionFromExternalDrive, PEFileChange, Unknown (Unable to determine the action type).
Device Name               | <dname>          | Text/String | The name of the device.
Event Name                | <action>         | Text/String | Possible Values: Execution, ExecutionFromExternalDrive, PEFileChange, Unknown (Unable to determine the action type).
Event Type                | <vmid>           | Text/String | AppControl (This is an Application Control event.)
File Path                 | <object>         | Text/String | The path to the file.
IP Address                | <dip>            | IP Address  | The IP address for the device. Multiple IP addresses are comma-separated values.
SHA256                    | <hash>           | Text/String | The SHA256 hash for the file.
Zone Names                | N/A              | N/A         | The zones to which the device belongs.
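The following Python script is an added illustration of the two tables above; it is not LogRhythm or Cylance code. It parses a constructed "Key: value, Key: value" line (the page does not show the raw Cylance message layout, so that layout, the hostnames, paths, addresses and the all-zero hash are assumptions), applies the device-key to schema-field mapping from the second table, validates the documented Possible Values, keeps the comma-separated IP list intact, and then selects the sub rule from the first table. Pairing Action=Allow with the Application Allowed sub rule and Action=Deny with Application Blocked is an assumption; the page lists both sub rules but does not state the selection condition.

```python
import ipaddress
import re

# Device keys from the page's "Device Key in Log Message" column.
DEVICE_KEYS = [
    "Device Product", "Action", "Action Type", "Device Name", "Event Name",
    "Event Type", "File Path", "IP Address", "SHA256", "Zone Names",
]

# Device key -> LogRhythm schema field for the keys the table maps; keys the table
# shows as N/A (Device Product, Action Type, Zone Names) are deliberately absent.
KEY_TO_SCHEMA = {
    "Action": "result",      # the table also copies Action into <tag1>, handled below
    "Device Name": "dname",
    "Event Name": "action",
    "Event Type": "vmid",
    "File Path": "object",
    "IP Address": "dip",
    "SHA256": "hash",
}

# Possible Values from the table's "Schema Description" column.
RESULT_VALUES = {"Allow", "Deny"}
EVENT_NAME_VALUES = {"Execution", "ExecutionFromExternalDrive", "PEFileChange", "Unknown"}

# Split only at a comma that is followed by a known device key and a colon, so the
# comma-separated IP list the table describes stays inside the "IP Address" value.
_FIELD_SPLIT = re.compile(
    r",\s*(?=(?:" + "|".join(re.escape(k) for k in DEVICE_KEYS) + r"):\s)"
)


def parse_device_keys(raw: str) -> dict:
    """Turn a 'Key: value, Key: value' line into {device key: value}.

    The 'Key: value' layout is an assumption made for this example; the page does
    not show the raw Cylance message format.
    """
    fields = {}
    for chunk in _FIELD_SPLIT.split(raw.strip()):
        key, sep, value = chunk.partition(":")   # first colon only, so C:\ paths survive
        if sep and key.strip() in DEVICE_KEYS:
            fields[key.strip()] = value.strip()
    return fields


def to_logrhythm(fields: dict) -> dict:
    """Apply the page's mapping and reject values outside the documented sets."""
    schema = {KEY_TO_SCHEMA[k]: v for k, v in fields.items() if k in KEY_TO_SCHEMA}
    if schema.get("result") not in RESULT_VALUES:
        raise ValueError(f"Action must be Allow or Deny, got {schema.get('result')!r}")
    schema["tag1"] = schema["result"]            # Action maps to both <result> and <tag1>
    if schema.get("action") not in EVENT_NAME_VALUES:
        raise ValueError(f"unexpected Event Name {schema.get('action')!r}")
    if "dip" in schema:
        # Validate every address in the list; an unparsable entry is a parsing bug to surface.
        schema["dip"] = [str(ipaddress.ip_address(p.strip())) for p in schema["dip"].split(",")]
    return schema


def classify(schema: dict) -> dict:
    """Select the sub rule from the rule table. Allow -> Application Allowed and
    Deny -> Application Blocked is an assumed pairing; the page does not state it."""
    if schema.get("vmid") != "AppControl":
        raise ValueError("not an AppControl event")
    if schema["result"] == "Deny":
        return {"rule": "V 2.0 : Cylance Protect : Application Blocked",
                "common_event": "Application Blocked",
                "classification": "Failed Activity"}
    return {"rule": "V 2.0 : Cylance Protect : Application Allowed",
            "common_event": "Application Control Detection",
            "classification": "Activity"}


def process(raw: str) -> dict:
    """Parse, map and classify one raw line; returns schema fields plus the rule hit."""
    schema = to_logrhythm(parse_device_keys(raw))
    return {**schema, **classify(schema)}


# Constructed sample messages: hostnames, paths, addresses and the hash are made up.
FAKE_HASH = "0" * 63 + "1"
SAMPLE_EVENTS = [
    "Event Type: AppControl, Event Name: Execution, Device Name: WS-LAB-01, "
    "IP Address: 10.0.0.5, 192.168.1.20, Action: Deny, Action Type: Execution, "
    "File Path: C:\\Users\\demo\\Downloads\\unsigned.exe, SHA256: " + FAKE_HASH,
    "Event Type: AppControl, Event Name: PEFileChange, Device Name: WS-LAB-02, "
    "IP Address: 10.0.0.6, Action: Allow, Action Type: PEFileChange, "
    "File Path: C:\\Program Files\\Vendor\\app.dll, SHA256: " + FAKE_HASH,
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(process(line))
```

The splitter only breaks a message at a comma that precedes a known device key, which is what keeps the multi-address "IP Address" value whole; rejecting any Action or Event Name outside the documented value sets makes a parser drift visible instead of silently routing an event to the wrong sub rule.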