Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Cylance Protect : Memory Exploit Events | Base Rule | General Threat Message | Activity |
| V 2.0 : Cylance Protect : Exploit Allowed | Sub Rule | General Attack Activity | Attack |
| V 2.0 : Cylance Protect : Exploit Blocked | Sub Rule | Failed General Attack Activity | Failed Attack |
| V 2.0 : Cylance Protect : Exploit Alert | Sub Rule | General Attack Activity | Attack |
| V 2.0 : Cylance Protect : Exploit Terminated | Sub Rule | Failed General Attack Activity | Failed Attack |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Device Product |
| Action | N/A | N/A | Possible Values: Allowed, Blocked, None, and Terminated. |
| Device Name | `<dname>` | Text/String | The name of the device. |
| Event Type | `<vmid>` | Text/String | ExploitAttempt |
| Event Name | `<action>`, `<tag1>` | Text/String | Possible Values: Allowed, Blocked, None, and Terminated. |
| IP Address | `<dip>` | IP Address | The IP address or IP addresses for the device. |
| Process ID | `<processid>` | Number | The process ID for the event. |
| Process Name | `<process>` | Text/String | The fully qualified path of the process. |
| User Name | `<login>` | Text/String | The name of the user currently logged in to the device. |
| Violation Type | `<threatname>` | Text/String | Possible Values: DyldInjection, LsassRead, MaliciousPayload, OutOfProcessAllocation, OutOfProcessApc, OutOfProcessCreateThread, OutOfProcessMap, OutOfProcessOverwriteCode, OutOfProcessUnmapMemory, OutOfProcessWrite, OutOfProcessWritePe, OverwriteCode, StackPivot, StackProject, TrackDataRead, and ZeroAllocate. |
| Zone Names | N/A | N/A | The zone names to which the device belongs. |
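The following is an added example, not LogRhythm's or Cylance's own parser code, that applies both tables above: it pulls the device keys out of a Memory Exploit event, renames them to the LogRhythm schema fields, and assigns the rule, common event and classification that the Action value selects. It assumes the message is a comma-separated list of `Key: Value` pairs (an assumption about the layout; the key names and possible values are those listed above), and the sample events are constructed. The Action value `None` matches no sub rule, so it stays on the base rule as plain Activity, and the page lists no Action value for the Exploit Alert sub rule, so none is mapped here.

```python
"""Normalize constructed Cylance PROTECT Memory Exploit events into LogRhythm
schema fields and the rule/classification from the tables above (added example)."""
import re
from dataclasses import dataclass

# Action value -> (rule name, common event, classification). 'None' has no sub rule.
SUB_RULES = {
    "Allowed": ("V 2.0 : Cylance Protect : Exploit Allowed",
                "General Attack Activity", "Attack"),
    "Blocked": ("V 2.0 : Cylance Protect : Exploit Blocked",
                "Failed General Attack Activity", "Failed Attack"),
    "Terminated": ("V 2.0 : Cylance Protect : Exploit Terminated",
                   "Failed General Attack Activity", "Failed Attack"),
}
BASE_RULE = ("V 2.0 : Cylance Protect : Memory Exploit Events",
             "General Threat Message", "Activity")

# Device key in the message -> LogRhythm schema field (Action and Zone Names map to none).
KEY_TO_FIELD = {
    "Device Name": "dname", "Event Type": "vmid", "Event Name": "action",
    "IP Address": "dip", "Process ID": "processid", "Process Name": "process",
    "User Name": "login", "Violation Type": "threatname",
}
VIOLATION_TYPES = {
    "DyldInjection", "LsassRead", "MaliciousPayload", "OutOfProcessAllocation",
    "OutOfProcessApc", "OutOfProcessCreateThread", "OutOfProcessMap",
    "OutOfProcessOverwriteCode", "OutOfProcessUnmapMemory", "OutOfProcessWrite",
    "OutOfProcessWritePe", "OverwriteCode", "StackPivot", "StackProject",
    "TrackDataRead", "ZeroAllocate",
}

# Split only on ", " that begins a new "Key: " pair, so list values such as
# "(10.0.0.5, 192.168.1.10)" are not torn apart.
PAIR_SPLIT = re.compile(r", (?=[A-Za-z ]+: )")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class LogRhythmEvent:
    fields: dict            # schema field name -> value
    rule: str
    common_event: str
    classification: str
    unknown_violation: bool  # Violation Type outside the documented list


def parse_pairs(message: str) -> dict:
    """Assumed 'Key: Value, Key: Value' layout -> dict of device keys."""
    pairs = {}
    for chunk in PAIR_SPLIT.split(message.strip()):
        key, sep, value = chunk.partition(": ")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs


def normalize(message: str):
    """Return a LogRhythmEvent for an ExploitAttempt message, else None."""
    pairs = parse_pairs(message)
    if pairs.get("Event Type") != "ExploitAttempt":
        return None  # not a Memory Exploit event; the base rule does not apply
    fields = {schema: pairs[key] for key, schema in KEY_TO_FIELD.items() if key in pairs}
    if "dip" in fields:                       # one or more addresses in one value
        fields["dip"] = IPV4.findall(fields["dip"])
    if "processid" in fields:                 # schema data type is Number
        fields["processid"] = int(fields["processid"])
    fields["tag1"] = fields.get("action")     # Event Name lands in both <action> and <tag1>
    rule, common_event, classification = SUB_RULES.get(pairs.get("Action"), BASE_RULE)
    return LogRhythmEvent(fields, rule, common_event, classification,
                          fields.get("threatname") not in VIOLATION_TYPES)


# Constructed sample messages (not real Cylance output).
SAMPLE_EVENTS = [
    r"Event Type: ExploitAttempt, Event Name: Blocked, Device Name: WS-0421, "
    r"IP Address: (10.0.0.5, 192.168.1.10), Action: Blocked, Process ID: 4112, "
    r"Process Name: C:\Windows\System32\notepad.exe, User Name: jdoe, "
    r"Violation Type: StackPivot, Zone Names: (Workstations)",
    r"Event Type: ExploitAttempt, Event Name: None, Device Name: SRV-07, "
    r"IP Address: (10.0.2.9), Action: None, Process ID: 900, "
    r"Process Name: C:\Windows\System32\lsass.exe, User Name: SYSTEM, "
    r"Violation Type: LsassRead, Zone Names: (Servers)",
    r"Event Type: Threat, Event Name: threat_found, Device Name: WS-0421, "
    r"IP Address: (10.0.0.5), File Path: C:\Users\jdoe\Downloads\x.exe",
]

if __name__ == "__main__":
    for msg in SAMPLE_EVENTS:
        ev = normalize(msg)
        print(ev.rule + " -> " + ev.classification if ev else "skipped (not ExploitAttempt)")
```

Routing by Action rather than by Event Name keeps the example faithful to the rule names, which are phrased in terms of what the agent did; the `unknown_violation` flag is there so a value outside the documented Violation Type list is surfaced for review instead of silently stored.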