V 2.0 : Cylance Protect : Audit Event
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0: Cylance Protect: Audit Event | Base Rule | General Auditing Message | Other Audit |
V 2.0: Cylance Protect: Agent Updated | Sub Rule | Software Updated | Configuration |
V 2.0: Cylance Protect: App Added | Sub Rule | Object Added | Access Success |
V 2.0: Cylance Protect: App Modified | Sub Rule | Object Modified | Access Success |
V 2.0: Cylance Protect: App Removed | Sub Rule | Object Deleted/Removed | Access Success |
V 2.0: Cylance Protect: Cert Added | Sub Rule | Object Added | Access Success |
V 2.0: Cylance Protect: Cert Deleted | Sub Rule | Object Deleted/Removed | Access Success |
V 2.0: Cylance Protect: Cert Modified | Sub Rule | Object Modified | Access Success |
V 2.0: Cylance Protect: Cert Added To Safe List | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: Cert Rem. From Safe List | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: Custom Auth Disabled | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: Custom Auth Saved | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: Device Added | Sub Rule | Object Added | Access Success |
V 2.0: Cylance Protect: Device Modified | Sub Rule | Object Modified | Access Success |
V 2.0: Cylance Protect: Device Removed | Sub Rule | Object Deleted/Removed | Access Success |
V 2.0: Cylance Protect: Support Login Modified | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: File Added To Global Lis | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: File Rem. From Global Li | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: User Logon Failure | Sub Rule | User Logon Failure | Authentication Failure |
V 2.0: Cylance Protect: User Logon Success | Sub Rule | User Logon | Authentication Success |
V 2.0: Cylance Protect: Policy Added | Sub Rule | Object Added | Access Success |
V 2.0: Cylance Protect: Policy Modified | Sub Rule | Object Modified | Access Success |
V 2.0: Cylance Protect: Policy Removed | Sub Rule | Object Deleted/Removed | Access Success |
V 2.0: Cylance Protect: File Added To Safe List | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: File Rem. From Safe List | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: Script Added To Safe Lis | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: Script Rem. From Safe Li | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: Syslog Disabled | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: Syslog Settings Modified | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: File Added To Quarantine | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: User Quarantined File | Sub Rule | Quarantined Message | Failed Activity |
V 2.0: Cylance Protect: File Added To Safe List | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: User Waived File Threat | Sub Rule | General Security | Other Security |
V 2.0: Cylance Protect: User Account Created | Sub Rule | User Account Created | Account Created |
V 2.0: Cylance Protect: User Account Modified | Sub Rule | User Account Attribute Modified | Account Modified |
V 2.0: Cylance Protect: User Account Removed | Sub Rule | User Account Deleted | Account Deleted |
V 2.0: Cylance Protect: Zone Added | Sub Rule | Object Added | Access Success |
V 2.0: Cylance Protect: Device Added To Zone | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: Zone Modified | Sub Rule | Object Modified | Access Success |
V 2.0: Cylance Protect: Zone Removed | Sub Rule | Object Deleted/Removed | Access Success |
V 2.0: Cylance Protect: Device Removed From Zone | Sub Rule | Configuration Modified: Security | Configuration |
V 2.0: Cylance Protect: Zone Rule Added | Sub Rule | Object Added | Access Success |
V 2.0: Cylance Protect: Zone Rule Modified | Sub Rule | Object Modified | Access Success |
V 2.0: Cylance Protect: Zone Rule Removed | Sub Rule | Object Deleted/Removed | Access Success |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | Device Product |
Event Type | <vmid> | Text/String | N/A |
Event Name | <action>, <tag1> | Text/String | Possible Values: AuditLog, AcceptEula, AgentUpdate, ApplicationAdd, ApplicationEdit (User updated the Custom Application name), ApplicationEdit (User changed the permissions for a Custom Application), ApplicationEdit (User regenerated the credentials for the Custom Application), ApplicationRemove, CertificateRepositoryAddItem, CertificateRepositoryDeleteItem, CertificateRepositoryEditItem, CertificateSafelistAddItem, CertificateSafelistDeleteItem, CustomAuthenticationDisable, CustomAuthenticationSave, DeleteAllQuarantinedFiles, DeleteTokenThreatDataReport, DeviceAdd, DeviceEdit, DeviceRemove, DownloadThreatDataReport, GenerateTokenThreatDataReport, GhostLoginSettingChange, GlobalListAdd, GlobalListRemove, InstallationTokenDelete, InstallationTokenRegenerate, InvitationUrlGenerate, LoginFailure, LoginSuccess, NightlyThreatDataReportChange, PolicyAdd, PolicyEdit, PolicyRemove, PolicySafeListAdd, PolicySafeListRemove, RequestToGenerateThreatDataReport, ScriptControlExclusionListAdd, ScriptControlExclusionListRemove, SyslogDisable, SyslogSettingSave, ThreatGlobalQuarantine, ThreatQuarantine, ThreatSafeList, ThreatWaive, UninstallAgentPasswordSave, UninstallAgentRequirePasswordDisable, UserAdd, UserEdit, UserRemove, ZoneAdd, ZoneAddDevice, ZoneEdit, ZoneRemove, ZoneRemoveDevice, ZoneRuleAdd, ZoneRuleEdit, and ZoneRuleRemove. |
Message | <vendorinfo> | Text/String | The message contains information related to the action. Example: When a file is added to the Global Quarantine List, the message might include the file hash and the reason given for adding it to the Global List. |
SHA256 | <hash> | Text/String | N/A |
FileName | <object> | Text/String | N/A |
Reason | <reason> | Text/String | N/A |
Added to | <subject> | Text/String | N/A |
Category | <objecttype> | Text/String | N/A |
User | <domainorigin>, <login> | Text/String | The user who logged in and triggered this audit log event. |
Devices/Device | <dname> | Text/String | N/A |
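The following is an added example, not code from the LogRhythm documentation: it applies the mapping table above to constructed audit lines, fills the schema fields, and classifies each event by its Event Name using a subset of the Classification table. It assumes the message arrives as comma-separated `Key: Value` pairs (split only in front of the keys listed above, so commas inside the free-text Message survive) and that the User value carries the account identifier in parentheses.

```python
import re
# Event Name -> (Common Event, Classification) per the Classification table above
# (subset shown); names not listed fall back to the base rule's values.
EVENT_CLASS = {
    "LoginSuccess": ("User Logon", "Authentication Success"),
    "LoginFailure": ("User Logon Failure", "Authentication Failure"),
    "SyslogDisable": ("Configuration Modified: Security", "Configuration"),
    "ThreatSafeList": ("Configuration Modified: Security", "Configuration"),
    "GlobalListAdd": ("Configuration Modified: Security", "Configuration"),
}
DEFAULT_CLASS = ("General Auditing Message", "Other Audit")
# Device key in the log message -> LogRhythm schema field (mapping table above).
KEY_TO_SCHEMA = {
    "Event Type": "vmid", "Event Name": "action", "Message": "vendorinfo",
    "SHA256": "hash", "FileName": "object", "Reason": "reason",
    "Added to": "subject", "Category": "objecttype", "User": "login",
    "Devices": "dname", "Device": "dname",
}
# Assumption: fields are "Key: Value" pairs separated by ", "; splitting only in
# front of a known key keeps commas inside the free-text Message intact.
KEY_SPLIT = re.compile(r",\s*(?=(?:%s):\s)" % "|".join(map(re.escape, KEY_TO_SCHEMA)))
EMAIL_IN_PARENS = re.compile(r"\(([^()]+)\)\s*$")

def parse_audit_event(line):
    """Map one audit line onto LogRhythm schema fields and classify it."""
    fields = {}
    for part in KEY_SPLIT.split(line.strip()):
        key, _, value = part.partition(":")
        schema = KEY_TO_SCHEMA.get(key.strip())
        if schema:
            fields[schema] = value.strip()
    if "action" in fields:  # Event Name feeds both <action> and <tag1>
        fields["tag1"] = fields["action"]
        fields["commonevent"], fields["classification"] = EVENT_CLASS.get(fields["action"], DEFAULT_CLASS)
    m = EMAIL_IN_PARENS.search(fields.get("login", ""))  # "Name (account)" -> account
    if m:
        fields["login"] = m.group(1)
    return fields

def security_config_changes(lines):
    """(login, action) for events that change protection or logging settings."""
    events = [parse_audit_event(l) for l in lines]
    return [(e.get("login"), e["action"]) for e in events
            if e.get("commonevent") == "Configuration Modified: Security"]
# Constructed sample lines (not real Cylance output); the hash is a placeholder.
SAMPLE_LINES = [
    "Event Type: AuditLog, Event Name: LoginFailure, Message: Provider: CylancePROTECT, Source IP: 198.51.100.23, User: Jane Doe (jane.doe@example.com)",
    "Event Type: AuditLog, Event Name: SyslogDisable, Message: Syslog settings disabled, User: Jane Doe (jane.doe@example.com)",
    "Event Type: AuditLog, Event Name: ThreatSafeList, Message: File added to safe list, SHA256: <hash-placeholder>, FileName: tool.exe, Reason: Admin utility, Added to: Global Safe List, Category: Admin Tool, User: Bob Ops (bob.ops@example.com)",
]
```

Running `security_config_changes(SAMPLE_LINES)` surfaces the syslog-disable and safe-list events, the rows the Classification table marks as Configuration Modified: Security.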