V 2.0 : Cylance Protect : Threat Classifi. Events

Vendor Documentation

Classification

Rule Name | Rule Type | Common Event | Classification
V 2.0 : Cylance Protect : Threat Classifi. Events | Base Rule | General Threat Message | Activity

Mapping with LogRhythm Schema

Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description
N/A | N/A | N/A | Device Product
Event Name | <action> | Text/String | Possible values: ResearchSaved and ThreatUpdated.
Event Type | <vmid> | Text/String | ThreatClassification
MD5 | N/A | N/A | The MD5 hash for the file.
SHA256 | <hash> | Text/String | The SHA256 hash for the file.
Threat Classification | <threatname> | Text/String | A combination of Threat Class and Threat Subclass (possible values listed below).

Threat Class possible values: Dual Use, File Unavailable, Malware, Possible PUP, PUP, and Trusted.

Threat Subclass possible values: Adware, Backdoor, Bot, Corrupt, Crack, Downloader, Dropper, Exploit, Fake Alert, Fake AV, Game, Generic, Hacking Tool, Infostealer, Keygen, Monitoring Tool, Other, Parasitic, Pass Crack, Portable Application, Ransom, Remnant, Remote Access, Rootkit, Scripting Tool, Tool, Toolbar, Trojan, Virus, and Worm.

Note that the MD5 value is present in the vendor message but is not mapped to any schema field, so hash-based correlation or searching against this event must use the SHA256 value carried in <hash>.
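The following is an added example, not LogRhythm's or Cylance's own code, that shows how the mapping above can be applied and sanity-checked outside the SIEM: a small Python normalizer that takes a threat-classification message, emits the four mapped schema fields (<vmid>, <action>, <hash>, <threatname>) and flags values that fall outside the value sets documented in the table, which is how a parsing-rule drift (a new Threat Subclass, a malformed hash) would surface. The "Key: Value, Key: Value" message layout, the separate "Threat Class" / "Threat Subclass" keys, the single-space joiner used to build the combined Threat Classification, and the sample message itself are all assumptions constructed for this example; the real vendor message layout is not shown on this page.

```python
import re

# Value sets copied from the mapping table on this page.
EVENT_NAMES = {"ResearchSaved", "ThreatUpdated"}
THREAT_CLASSES = {"Dual Use", "File Unavailable", "Malware", "Possible PUP", "PUP", "Trusted"}
THREAT_SUBCLASSES = {
    "Adware", "Backdoor", "Bot", "Corrupt", "Crack", "Downloader", "Dropper", "Exploit",
    "Fake Alert", "Fake AV", "Game", "Generic", "Hacking Tool", "Infostealer", "Keygen",
    "Monitoring Tool", "Other", "Parasitic", "Pass Crack", "Portable Application", "Ransom",
    "Remnant", "Remote Access", "Rootkit", "Scripting Tool", "Tool", "Toolbar", "Trojan",
    "Virus", "Worm",
}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)

# CONSTRUCTED sample message (an assumption, not a captured Cylance log).
SAMPLE_LOG = (
    "Event Type: ThreatClassification, Event Name: ThreatUpdated, "
    "Threat Class: Malware, Threat Subclass: Trojan, "
    "SHA256: " + "ab" * 32 + ", MD5: " + "cd" * 16
)


def parse_kv(message: str) -> dict:
    """Split an assumed 'Key: Value, Key: Value' message into a dict."""
    fields = {}
    for part in message.split(", "):
        if ": " in part:
            key, value = part.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def map_threat_classification(message: str):
    """Return (schema_fields, problems) for a ThreatClassification message.

    schema_fields holds the LogRhythm schema names from the table above;
    problems lists values outside the documented value sets. Returns
    (None, [reason]) when the message is not a ThreatClassification event.
    """
    f = parse_kv(message)
    problems = []
    if f.get("Event Type") != "ThreatClassification":
        return None, ["Event Type is not ThreatClassification; not handled by this rule"]

    action = f.get("Event Name", "")
    if action not in EVENT_NAMES:
        problems.append(f"unexpected Event Name {action!r}")

    # Threat Classification is documented as Threat Class + Threat Subclass;
    # joining them with one space is an assumption of this example.
    tclass, tsub = f.get("Threat Class", ""), f.get("Threat Subclass", "")
    if tclass not in THREAT_CLASSES:
        problems.append(f"unknown Threat Class {tclass!r}")
    if tsub not in THREAT_SUBCLASSES:
        problems.append(f"unknown Threat Subclass {tsub!r}")

    sha = f.get("SHA256", "")
    if not SHA256_RE.match(sha):
        problems.append("SHA256 missing or malformed")

    schema = {
        "vmid": f["Event Type"],
        "action": action,
        "hash": sha.lower(),
        "threatname": f"{tclass} {tsub}".strip(),
    }
    # MD5 is in the vendor message but has no schema mapping (N/A in the
    # table), so it is deliberately not emitted.
    return schema, problems


if __name__ == "__main__":
    print(map_threat_classification(SAMPLE_LOG))
```

A message whose Event Type is not ThreatClassification is handed back unmapped, since it belongs to a different base rule; anything that parses but carries a Threat Class or Subclass outside the documented lists is returned with a problem entry rather than silently mapped, which is the signal that the vendor has added a value and the rule's value list needs revisiting.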