Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Cylance Protect : Device Events | Base Rule | General Information Log Message | Information |
| V 2.0 : Cylance Protect : Policy Assigned | Sub Rule | Policy Enabled : Object | Policy |
| V 2.0 : Cylance Protect : Device Removed | Sub Rule | Object Deleted/Removed | Access Success |
| V 2.0 : Cylance Protect : Device Updated | Sub Rule | Object Attribute Modified | Access Success |
| V 2.0 : Cylance Protect : Zone Assigned | Sub Rule | Object Attribute Modified | Access Success |
| V 2.0 : Cylance Protect : Device Registered | Sub Rule | Device Registered | Other Audit Success |
| V 2.0 : Cylance Protect : System Security | Sub Rule | General Authentication Event | Other Audit |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Device Product |
| Agent Version | N/A | N/A | The version of the CylancePROTECT Agent installed on the device. |
| Device Message | <vendorinfo> | Text/String | The message is populated when the Device Details are changed by the user. This can include: name change, policy change, zone changes, log level change, and self-protection level change. |
| Device Name | N/A | N/A | The name of the device. |
| Event Type | <vmid> | Text/String | Device |
| Event Name | <action>, <tag1> | Text/String | Possible values: Device Policy Assigned, Device Removed, Device Updated, Device Assigned to Zone, Registration, and System Security. |
| IP Address | <dip> | IP Address | The IP address for the device. |
| Logged on Users | <domainorigin>, <login> | Text/String | The users currently logged on to the device. This could be the email address and/or the user's name. |
| MAC Address | <dmac> | Text/String | The MAC addresses for the device. |
| OS | N/A | N/A | The operating system used on the device. |
| Policy Change | N/A | N/A | The previous policy and the new policy assigned to the device. |
| Policy Name | N/A | N/A | The name of the policy assigned to the device. |
| Renamed | N/A | N/A | "device_name" to "device_name" |
| User | <login> | Text/String | The name of the user updating the device. |
| Zones Added | N/A | N/A | The zone names to which the device has been added. |
| Zone Name | N/A | N/A | The zone names to which the device is assigned. |