V 2.0 : Cylance Protect : Memory Exploit Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : Cylance Protect : Memory Exploit Events | Base Rule | General Threat Message | Activity |
V 2.0 : Cylance Protect : Exploit Allowed | Sub Rule | General Attack Activity | Attack |
V 2.0 : Cylance Protect : Exploit Blocked | Sub Rule | Failed General Attack Activity | Failed Attack |
V 2.0 : Cylance Protect : Exploit Alert | Sub Rule | General Attack Activity | Attack |
V 2.0 : Cylance Protect : Exploit Terminated | Sub Rule | Failed General Attack Activity | Failed Attack |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | Device Product |
Action | N/A | N/A | Possible Values: Allowed, Blocked, None, and Terminated. |
Device Name | `<dname>` | Text/String | The name of the device. |
Event Type | `<vmid>` | Text/String | ExploitAttempt |
Event Name | `<action>`, `<tag1>` | Text/String | Possible Values: Allowed, Blocked, None, and Terminated. |
IP Address | `<dip>` | IP Address | The IP address or IP addresses for the device. |
Process ID | `<processid>` | Number | The process ID for the event. |
Process Name | `<process>` | Text/String | The fully qualified path of the process. |
User Name | `<login>` | Text/String | The name of the user currently logged in to the device. |
Violation Type | `<threatname>` | Text/String | Possible Values: DyldInjection, LsassRead, MaliciousPayload, OutOfProcessAllocation, OutOfProcessApc, OutOfProcessCreateThread, OutOfProcessMap, OutOfProcessOverwriteCode, OutOfProcessUnmapMemory, OutOfProcessWrite, OutOfProcessWritePe, OverwriteCode, StackPivot, StackProject, TrackDataRead, and ZeroAllocate. |
Zone Names | N/A | N/A | The zone names to which the device belongs. |
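The two tables above describe the mapping and the classification without showing a message being processed. The following Python normalizer is an added example, not LogRhythm's or Cylance's own code: it parses constructed Cylance-style messages (the `Key: Value, Key: Value` layout and all sample values are assumptions for this example), copies each device key into the LogRhythm schema field named in the mapping table, and assigns the sub rule and classification from the Action value as listed in the classification table. Mapping an Action of `None` to the `Exploit Alert` sub rule is this example's assumption, since the page does not state which Action value that sub rule keys on. Messages whose Event Type is not `ExploitAttempt` are rejected, and a Violation Type outside the page's list is flagged rather than dropped, so new vendor values surface instead of silently disappearing.

```python
import re
from typing import Dict, List, Optional

BASE_RULE = "V 2.0 : Cylance Protect : Memory Exploit Events"

# Device key in the log message -> LogRhythm schema field(s), from the mapping table.
FIELD_TO_SCHEMA: Dict[str, List[str]] = {
    "Device Name": ["dname"],
    "Event Type": ["vmid"],
    "Event Name": ["action", "tag1"],
    "IP Address": ["dip"],
    "Process ID": ["processid"],
    "Process Name": ["process"],
    "User Name": ["login"],
    "Violation Type": ["threatname"],
}

# Action value -> (sub rule, classification), from the classification table.
# "None" -> "Exploit Alert" is an assumption of this example.
ACTION_TO_SUBRULE = {
    "Allowed": ("V 2.0 : Cylance Protect : Exploit Allowed", "Attack"),
    "Blocked": ("V 2.0 : Cylance Protect : Exploit Blocked", "Failed Attack"),
    "None": ("V 2.0 : Cylance Protect : Exploit Alert", "Attack"),
    "Terminated": ("V 2.0 : Cylance Protect : Exploit Terminated", "Failed Attack"),
}

# Violation Type values listed on the page.
VIOLATION_TYPES = frozenset({
    "DyldInjection", "LsassRead", "MaliciousPayload", "OutOfProcessAllocation",
    "OutOfProcessApc", "OutOfProcessCreateThread", "OutOfProcessMap",
    "OutOfProcessOverwriteCode", "OutOfProcessUnmapMemory", "OutOfProcessWrite",
    "OutOfProcessWritePe", "OverwriteCode", "StackPivot", "StackProject",
    "TrackDataRead", "ZeroAllocate",
})

KNOWN_KEYS = list(FIELD_TO_SCHEMA) + ["Zone Names"]
# Only the known keys act as delimiters, so values that themselves contain
# ", " (zone lists, multiple IPs) are not split apart.
_KEY_RE = re.compile(r"(?:^|, )(" + "|".join(re.escape(k) for k in KNOWN_KEYS) + r"): ")


def parse_fields(message: str) -> Dict[str, str]:
    """Split an assumed 'Key: Value, Key: Value' message into a dict of raw strings."""
    fields: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(message))
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(message)
        fields[m.group(1)] = message[start:end].strip()
    return fields


def normalize(message: str) -> Optional[Dict[str, object]]:
    """Map one message to schema fields plus sub rule and classification.

    Returns None when the base rule would not fire: Event Type is not
    ExploitAttempt, or the Action value is not one the page lists.
    """
    fields = parse_fields(message)
    if fields.get("Event Type") != "ExploitAttempt":
        return None
    action = fields.get("Event Name")
    if action not in ACTION_TO_SUBRULE:
        return None
    event: Dict[str, object] = {"base_rule": BASE_RULE}
    for key, schema_names in FIELD_TO_SCHEMA.items():
        if key in fields:
            for name in schema_names:
                event[name] = fields[key]
    if "processid" in event:                      # schema data type: Number
        event["processid"] = int(str(event["processid"]))
    if "dip" in event:                            # one or more addresses, assumed "(a, b)" layout
        raw = str(event["dip"]).strip("()")
        event["dip"] = [ip.strip() for ip in raw.split(",") if ip.strip()]
    sub_rule, classification = ACTION_TO_SUBRULE[action]
    event["rule"] = sub_rule
    event["classification"] = classification
    # Flag, do not drop, violation types the page does not list.
    event["known_violation_type"] = event.get("threatname") in VIOLATION_TYPES
    return event


# Constructed sample messages for this example (not vendor output).
SAMPLE_MESSAGES = [
    r"Event Type: ExploitAttempt, Event Name: Blocked, Device Name: WS-0042, IP Address: (10.20.30.40), "
    r"Process ID: 4812, Process Name: C:\Program Files\Example\viewer.exe, User Name: jdoe, "
    r"Violation Type: StackPivot, Zone Names: (Workstations, Finance)",
    r"Event Type: ExploitAttempt, Event Name: None, Device Name: WS-0043, IP Address: (10.20.30.41, 192.168.1.5), "
    r"Process ID: 220, Process Name: C:\Windows\System32\notepad.exe, User Name: asmith, "
    r"Violation Type: LsassRead, Zone Names: (Workstations)",
    r"Event Type: ExploitAttempt, Event Name: Terminated, Device Name: WS-0044, IP Address: (10.20.30.42), "
    r"Process ID: 9001, Process Name: C:\Temp\unknown.exe, User Name: guest, "
    r"Violation Type: SomethingNew, Zone Names: (Lab)",
    r"Event Type: Threat, Event Name: Quarantined, Device Name: WS-0045, IP Address: (10.20.30.43), "
    r"Zone Names: (Workstations)",
]


def normalize_all(messages: List[str]) -> List[Dict[str, object]]:
    """Normalize a batch, keeping only messages the base rule would match."""
    return [e for e in (normalize(m) for m in messages) if e is not None]


if __name__ == "__main__":
    for e in normalize_all(SAMPLE_MESSAGES):
        print(e["rule"], "|", e["classification"], "|", e["dname"], "|", e["threatname"],
              "" if e["known_violation_type"] else "(unlisted violation type)")
```

The `known_violation_type` flag is the part worth keeping in a production parser: a vendor adding a new memory-protection violation type should show up as an unlisted value to review, not as an event that quietly fails to classify.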