V 2.0 : Cylance Protect : Memory Exploit Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Cylance Protect : Memory Exploit Events | Base Rule | General Threat Message | Activity |
| V 2.0 : Cylance Protect : Exploit Allowed | Sub Rule | General Attack Activity | Attack |
| V 2.0 : Cylance Protect : Exploit Blocked | Sub Rule | Failed General Attack Activity | Failed Attack |
| V 2.0 : Cylance Protect : Exploit Alert | Sub Rule | General Attack Activity | Attack |
| V 2.0 : Cylance Protect : Exploit Terminated | Sub Rule | Failed General Attack Activity | Failed Attack |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Device Product |
| Action | N/A | N/A | Possible Values: Allowed, Blocked, None, and Terminated. |
| Device Name | <dname> | Text/String | The name of the device. |
| Event Type | <vmid> | Text/String | ExploitAttempt |
| Event Name | <action>, <tag1> | Text/String | Possible Values: Allowed, Blocked, None, and Terminated. |
| IP Address | <dip> | IP Address | The IP address or IP addresses for the device. |
| Process ID | <processid> | Number | The process ID for the event. |
| Process Name | <process> | Text/String | The fully qualified path of the process. |
| User Name | <login> | Text/String | The name of the user currently logged in to the device. |
| Violation Type | <threatname> | Text/String | Possible Values: DyldInjection, LsassRead, MaliciousPayload, OutOfProcessAllocation, OutOfProcessApc, OutOfProcessCreateThread, OutOfProcessMap, OutOfProcessOverwriteCode, OutOfProcessUnmapMemory, OutOfProcessWrite, OutOfProcessWritePe, OverwriteCode, StackPivot, StackProject, TrackDataRead, and ZeroAllocate. |
| Zone Names | N/A | N/A | The zone names to which the device belongs. |