Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Cylance Protect : Threat Events | Base Rule | General Threat Message | Activity |
| V 2.0 : Cylance Protect : Threat Found | Sub Rule | Detected Malware Activity | Malware |
| V 2.0 : Cylance Protect : Threat Cleared | Sub Rule | Failed Malware Activity | Failed Malware |
| V 2.0 : Cylance Protect : Threat Quarantined | Sub Rule | Failed Malware Activity | Failed Malware |
| V 2.0 : Cylance Protect : Threat Waived | Sub Rule | General Security | Other Security |
| V 2.0 : Cylance Protect : Threat Changed | Sub Rule | General Security | Other Security |
| V 2.0 : Cylance Protect : Corrupt File | Sub Rule | General Antivirus Error | Error |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Device Product |
| Auto Run | N/A | N/A | Possible Values: False, True, and Unknown. |
| Cylance Score | `<severity>` | Number | Ranges from 1 to 100. |
| Detected By | N/A | N/A | Possible Values: ExecutionControl, BackgroundThreatDetection, FileWatcher, NotAvailable, and RunningModuleScan. |
| Device Name | `<dname>` | Text/String | The name of the device on which the threat was found. |
| Drive Type | N/A | N/A | The type of drive or storage device the threat originated from, if known. The drive type includes: CDROM, Fixed, Network, None, No Root Directory, RAM, and Removable. |
| Event Name | `<action>`, `<tag1>` | Text/String | threat_found, threat_cleared, threat_quarantined, threat_waived, threat_changed, corrupt_found |
| Event Type | `<vmid>` | Text/String | Threat |
| File Name | `<object>` | Text/String | The name of the threat (file). |
| File Type | N/A | N/A | Archive, Executable, Linuxexe, MacOSExe, Ole, Pdf, Unknown |
| Found Date | N/A | N/A | The date and time the threat was found on the device. |
| IP Address | `<dip>` | IP Address | The IP address or IP addresses for the device. |
| Is Malware | N/A | N/A | Possible Values: False, True. |
| Is Running | N/A | N/A | Possible Values: False, True. |
| Is Unique to Cylance | N/A | N/A | Possible Values: False, True. |
| MD5 | N/A | N/A | The MD5 hash for the file. |
| Path | N/A | N/A | The path to the file. |
| SHA256 | `<hash>` | Text/String | The SHA256 hash for the file. |
| Status | `<status>` | Text/String | Possible Values: Abnormal, Cleared, Corrupt, Quarantined, Unsafe, and Waived. |
| Threat Classification | `<threatname>` | Text/String | Possible Values: File Unavailable, Malware, Possible PUP, PUP, Trusted, and Unclassified. |
| Zone Names | `<subject>` | Text/String | The names of the zones where the threat was found. |
| Policy Name | `<policy>` | Text/String | This is the name of the device policy. |
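The following is an added example, not part of the vendor documentation or of LogRhythm's parser, that applies both tables above to one threat event line: it extracts the device keys, renames the mapped ones to their schema fields, checks the Cylance Score range, and attaches the sub rule and classification for the Event Name. The comma-separated "Key: Value" line layout and the sample line are assumptions.

```python
import re
# Device Key -> LogRhythm schema field, as given in the mapping table.
FIELD_MAP = {
    "Cylance Score": "severity", "Device Name": "dname", "Event Name": "action",
    "Event Type": "vmid", "File Name": "object", "IP Address": "dip",
    "SHA256": "hash", "Status": "status", "Threat Classification": "threatname",
    "Zone Names": "subject", "Policy Name": "policy",
}
# Keys the table lists with no schema field; still parsed so they are not lost.
UNMAPPED_KEYS = ["Auto Run", "Detected By", "Drive Type", "File Type", "Found Date",
                 "Is Malware", "Is Running", "Is Unique to Cylance", "MD5", "Path"]
# Event Name -> (sub rule, common event, classification) from the classification table.
RULES = {
    "threat_found": ("Threat Found", "Detected Malware Activity", "Malware"),
    "threat_cleared": ("Threat Cleared", "Failed Malware Activity", "Failed Malware"),
    "threat_quarantined": ("Threat Quarantined", "Failed Malware Activity", "Failed Malware"),
    "threat_waived": ("Threat Waived", "General Security", "Other Security"),
    "threat_changed": ("Threat Changed", "General Security", "Other Security"),
    "corrupt_found": ("Corrupt File", "General Antivirus Error", "Error"),
}
_KEYS = "|".join(re.escape(k) for k in list(FIELD_MAP) + UNMAPPED_KEYS)
# A value runs until the next ", <Key>: " or the end of the line, so values that
# contain commas themselves (the IP Address list) are not split apart.
_KV = re.compile(rf"({_KEYS}): (.*?)(?=, (?:{_KEYS}): |$)")

def parse_cylance_event(line):
    """Return {device key: value} for one comma-separated 'Key: Value' event line."""
    return {k: v.strip() for k, v in _KV.findall(line)}

def map_to_schema(fields):
    """Rename device keys to schema fields and attach the matching sub rule;
    returns None for lines that are not one of the threat events listed above."""
    if fields.get("Event Type") != "Threat" or fields.get("Event Name") not in RULES:
        return None
    out = {FIELD_MAP[k]: v for k, v in fields.items() if k in FIELD_MAP}
    out["tag1"] = out["action"]            # Event Name feeds both <action> and <tag1>
    score = int(out.get("severity", "0"))  # the table says 1..100; reject anything else
    if not 1 <= score <= 100:
        raise ValueError(f"Cylance Score out of range: {score}")
    out["severity"] = score
    out["rule"], out["common_event"], out["classification"] = RULES[out["action"]]
    return out

# Constructed sample line (not a real event); the layout itself is an assumption.
SAMPLE = ("CylancePROTECT: Event Type: Threat, Event Name: threat_quarantined, "
          "Device Name: WS-EXAMPLE-01, IP Address: (10.0.0.25, fe80::1), "
          "File Name: example.exe, Path: C:\\Users\\example\\Downloads\\, Drive Type: Fixed, "
          "SHA256: " + "0" * 64 + ", MD5: " + "0" * 32 + ", Status: Quarantined, "
          "Cylance Score: 92, File Type: Executable, Is Running: False, Detected By: FileWatcher, "
          "Threat Classification: Malware, Policy Name: Default, Zone Names: (Workstations)")
```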