V 2.0 : Cylance Protect : Threat Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : Cylance Protect : Threat Events | Base Rule | General Threat Message | Activity |
V 2.0 : Cylance Protect : Threat Found | Sub Rule | Detected Malware Activity | Malware |
V 2.0 : Cylance Protect : Threat Cleared | Sub Rule | Failed Malware Activity | Failed Malware |
V 2.0 : Cylance Protect : Threat Quarantined | Sub Rule | Failed Malware Activity | Failed Malware |
V 2.0 : Cylance Protect : Threat Waived | Sub Rule | General Security | Other Security |
V 2.0 : Cylance Protect : Threat Changed | Sub Rule | General Security | Other Security |
V 2.0 : Cylance Protect : Corrupt File | Sub Rule | General Antivirus Error | Error |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | Device Product |
Auto Run | N/A | N/A | Possible Values: False, True, and Unknown. |
Cylance Score | <severity> | Number | Ranges from 1 to 100. |
Detected By | N/A | N/A | Possible Values: ExecutionControl, BackgroundThreatDetection, FileWatcher, NotAvailable, and RunningModuleScan. |
Device Name | <dname> | Text/String | The name of the device on which the threat was found. |
Drive Type | N/A | N/A | The type of drive or storage device the threat originated from, if known. The drive type includes: CDROM, Fixed, Network, None, No Root Directory, RAM, and Removable. |
Event Name | <action>, <tag1> | Text/String | Possible Values: threat_found, threat_cleared, threat_quarantined, threat_waived, threat_changed, and corrupt_found. |
Event Type | <vmid> | Text/String | Threat |
File Name | <object> | Text/String | The name of the threat (file). |
File Type | N/A | N/A | Possible Values: Archive, Executable, Linuxexe, MacOSExe, Ole, Pdf, and Unknown. |
Found Date | N/A | N/A | The date and time the threat was found on the device. |
IP Address | <dip> | IP Address | The IP address or IP addresses for the device. |
Is Malware | N/A | N/A | Possible Values: False, True. |
Is Running | N/A | N/A | Possible Values: False, True. |
Is Unique to Cylance | N/A | N/A | Possible Values: False, True. |
MD5 | N/A | N/A | The MD5 hash for the file. |
Path | N/A | N/A | The path to the file. |
SHA256 | <hash> | Text/String | The SHA256 hash for the file. |
Status | <status> | Text/String | Possible Values: Abnormal, Cleared, Corrupt, Quarantined, Unsafe, and Waived. |
Threat Classification | <threatname> | Text/String | Possible Values: File Unavailable, Malware, Possible PUP, PUP, Trusted, and Unclassified. |
Zone Names | N/A | N/A | The names of the zones where the threat was found. |
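The two tables above together describe a normalization step: device keys in a Cylance Protect threat event are copied into LogRhythm schema fields, and the Event Name selects which sub rule (and therefore which common event and classification) applies. The following is an added example, not LogRhythm's or Cylance's own code, that implements that mapping as a small parser. It assumes the log line carries the device keys as comma-separated `Key: Value` pairs with list-valued fields (IP Address, Zone Names) in parentheses; that layout, the sample event, and the all-zero hash placeholders are constructed for the example.

```python
import re

# Device keys from the "Mapping with LogRhythm Schema" table; the parser recognizes only these.
DEVICE_KEYS = [
    "Auto Run", "Cylance Score", "Detected By", "Device Name", "Drive Type",
    "Event Name", "Event Type", "File Name", "File Type", "Found Date",
    "IP Address", "Is Malware", "Is Running", "Is Unique to Cylance", "MD5",
    "Path", "SHA256", "Status", "Threat Classification", "Zone Names",
]

# Device key -> LogRhythm schema field, per the mapping table. Keys mapped N/A stay raw only.
SCHEMA_MAP = {
    "Cylance Score": "severity",
    "Device Name": "dname",
    "Event Name": "action",   # Event Name is also copied into tag1 below
    "Event Type": "vmid",
    "File Name": "object",
    "IP Address": "dip",
    "SHA256": "hash",
    "Status": "status",
    "Threat Classification": "threatname",
}

# Event Name -> (sub rule, common event, classification), per the Classification table.
SUB_RULES = {
    "threat_found": ("V 2.0 : Cylance Protect : Threat Found", "Detected Malware Activity", "Malware"),
    "threat_cleared": ("V 2.0 : Cylance Protect : Threat Cleared", "Failed Malware Activity", "Failed Malware"),
    "threat_quarantined": ("V 2.0 : Cylance Protect : Threat Quarantined", "Failed Malware Activity", "Failed Malware"),
    "threat_waived": ("V 2.0 : Cylance Protect : Threat Waived", "General Security", "Other Security"),
    "threat_changed": ("V 2.0 : Cylance Protect : Threat Changed", "General Security", "Other Security"),
    "corrupt_found": ("V 2.0 : Cylance Protect : Corrupt File", "General Antivirus Error", "Error"),
}
# Anything with an unrecognized Event Name falls through to the base rule.
BASE_RULE = ("V 2.0 : Cylance Protect : Threat Events", "General Threat Message", "Activity")

# A key is recognized only at a word boundary and when followed by ": ".
_KEY_RE = re.compile(
    r"\b(" + "|".join(re.escape(k) for k in sorted(DEVICE_KEYS, key=len, reverse=True)) + r"): "
)


def parse_device_fields(line):
    """Split a threat event line into {device key: raw value}.

    A value is the text between one recognized key and the next, so a value that
    itself contains ", " (a parenthesized list of IPs or zones) is kept whole.
    """
    matches = list(_KEY_RE.finditer(line))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        fields[m.group(1)] = line[m.end():end].rstrip(", ").strip()
    return fields


def _as_list(value):
    """'(a, b)' -> ['a', 'b']; a bare value -> [value]."""
    return [v.strip() for v in value.strip("()").split(",") if v.strip()]


def normalize(line):
    """Map device keys onto LogRhythm schema fields and pick the matching sub rule."""
    raw = parse_device_fields(line)
    out = {"raw": raw}
    for key, schema_field in SCHEMA_MAP.items():
        if key in raw:
            out[schema_field] = raw[key]
    if "Event Name" in raw:
        out["tag1"] = raw["Event Name"]
    if "IP Address" in raw:
        out["dip"] = _as_list(raw["IP Address"])
    if "Zone Names" in raw:
        out["zones"] = _as_list(raw["Zone Names"])
    # Severity is numeric and, per the table, ranges from 1 to 100; anything else is left unset.
    try:
        score = int(float(raw.get("Cylance Score", "")))
        out["severity"] = score if 1 <= score <= 100 else None
    except ValueError:
        out["severity"] = None
    rule, common_event, classification = SUB_RULES.get(raw.get("Event Name"), BASE_RULE)
    out["rule"], out["common_event"], out["classification"] = rule, common_event, classification
    return out


# Constructed sample event (hostnames, IPs and hashes are placeholders, not real indicators).
SAMPLE_LINE = (
    "CylancePROTECT: Event Type: Threat, Event Name: threat_found, "
    "Device Name: FIN-WS-042, IP Address: (10.20.30.41, 192.168.56.10), "
    "File Name: invoice_q3.exe, Path: C:\\Users\\jdoe\\Downloads\\, Drive Type: Fixed, "
    "SHA256: 0000000000000000000000000000000000000000000000000000000000000000, "
    "MD5: 00000000000000000000000000000000, Status: Unsafe, Cylance Score: 92, "
    "Found Date: 3/14/2024 9:05:11 AM, File Type: Executable, Is Running: False, "
    "Auto Run: False, Detected By: ExecutionControl, Threat Classification: Malware, "
    "Zone Names: (Workstations, Finance), Is Malware: True, Is Unique to Cylance: False"
)

if __name__ == "__main__":
    event = normalize(SAMPLE_LINE)
    print(event["rule"], event["common_event"], event["classification"])
    print({k: v for k, v in event.items() if k != "raw"})
```

Splitting on recognized keys rather than on every comma is the point worth keeping: the IP Address and Zone Names values carry their own commas, and a naive `split(",")` would misfile them. The out-of-range check on Cylance Score leaves severity unset instead of propagating a bad number into the schema.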