V 2.0 : Cylance Protect : Device Control Events

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Cylance Protect : Device Control Events | Production | General Antivirus Information | Information |
| V 2.0 : Cylance Protect : Device Blocked | Production | Storage Device Detected | Activity |
| V 2.0 : Cylance Protect : Device Allowed | Production | Threat Blocked | Failed Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Device Product |
| Device Name | <dname> | Text/String | The name of the device associated with the Device Control event. |
| Event Type | <vmid> | Text/String | DeviceControl |
| Event Name | <action>, <tag1> | Text/String | Possible values: Block, Fullaccess. |
| External Device Type | <object> | Text/String | Possible values: AndroidUSB, iOS, StillImage, USBCDDVDRW, USBDrive, VMWareMount, WPD. |
| External Device Name | <objectname> | Text/String | The name given to the external device. |
| External Device Product ID | N/A | N/A | Varies by manufacturer. |
| External Device Serial Number | <serialnumber> | Number | Varies by manufacturer. |
| External Device Vendor ID | N/A | N/A | Varies by manufacturer. |
| Zone Names | N/A | N/A | The zones to which the device belongs. |