V 2.0 : Cylance Protect : Device Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Cylance Protect : Device Events | Base Rule | General Information Log Message | Information |
| V 2.0 : Cylance Protect : Policy Assigned | Sub Rule | Policy Enabled : Object | Policy |
| V 2.0 : Cylance Protect : Device Removed | Sub Rule | Object Deleted/Removed | Access Success |
| V 2.0 : Cylance Protect : Device Updated | Sub Rule | Object Attribute Modified | Access Success |
| V 2.0 : Cylance Protect : Zone Assigned | Sub Rule | Object Attribute Modified | Access Success |
| V 2.0 : Cylance Protect : Device Registered | Sub Rule | Device Registered | Other Audit Success |
| V 2.0 : Cylance Protect : System Security | Sub Rule | General Authentication Event | Other Audit |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Device Product |
| Agent Version | N/A | N/A | The version of the CylancePROTECT Agent installed on the device. |
| Device Message | <vendorinfo> | Text/String | The message is populated when the Device Details are changed by the user. This can include: name change, policy change, zone changes, log level change, and self-protection level change. |
| Device Name | N/A | N/A | The name of the device. |
| Event Type | <vmid> | Text/String | Device |
| Event Name | <action>, <tag1> | Text/String | Possible Values: Device Policy Assigned, Device Removed, Device Updated, Device Assigned to Zone, Registration, and System Security. |
| IP Address | <dip> | IP Address | The IP address for the device. |
| Logged on Users | <domainorigin>, <login> | Text/String | The users currently logged on to the device. This could be the email address and/or user’s name. |
| MAC Address | <dmac> | Text/String | The MAC addresses for the device. |
| OS | N/A | N/A | The operating system used on the device. |
| Policy Change | N/A | N/A | The previous policy and the new policy assigned to the device. |
| Policy Name | N/A | N/A | The name of the policy assigned to the device. |
| Renamed | N/A | N/A | “device_name” to “device_name” |
| User | <login> | Text/String | The name of the user updating the device. |
| Zones Added | N/A | N/A | The zone names to which the device has been added. |
| Zone Name | N/A | N/A | The zone names to which the device is assigned. |