V 2.0 : Cylance Protect : Threat Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 : Cylance Protect : Threat Events | Base Rule | General Threat Message | Activity |
| V 2.0 : Cylance Protect : Threat Found | Sub Rule | Detected Malware Activity | Malware |
| V 2.0 : Cylance Protect : Threat Cleared | Sub Rule | Failed Malware Activity | Failed Malware |
| V 2.0 : Cylance Protect : Threat Quarantined | Sub Rule | Failed Malware Activity | Failed Malware |
| V 2.0 : Cylance Protect : Threat Waived | Sub Rule | General Security | Other Security |
| V 2.0 : Cylance Protect : Threat Changed | Sub Rule | General Security | Other Security |
| V 2.0 : Cylance Protect : Corrupt File | Sub Rule | General Antivirus Error | Error |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | Device Product |
| Auto Run | N/A | N/A | Possible Values: False, True, and Unknown. |
| Cylance Score | <severity> | Number | Ranges from 1 to 100. |
| Detected By | N/A | N/A | Possible Values: ExecutionControl, BackgroundThreatDetection, FileWatcher, NotAvailable, and RunningModuleScan. |
| Device Name | <dname> | Text/String | The name of the device on which the threat was found. |
| Drive Type | N/A | N/A | The type of drive or storage device the threat originated from, if known. The drive type includes: CDROM, Fixed, Network, None, No Root Directory, RAM, and Removable. |
| Event Name | <action>, <tag1> | Text/String | threat_found, threat_cleared, threat_quarantined, threat_waived, threat_changed, corrupt_found |
| Event Type | <vmid> | Text/String | Threat |
| File Name | <object> | Text/String | The name of the threat (file). |
| File type | N/A | N/A | Archive, Executable, Linuxexe, MacOSExe, Ole, Pdf, Unknown |
| Found Date | N/A | N/A | The date and time the threat was found on the device. |
| IP Address | <dip> | IP Address | The IP address or IP addresses for the device. |
| Is Malware | N/A | N/A | Possible Values: False, True. |
| Is Running | N/A | N/A | Possible Values: False, True. |
| Is Unique to Cylance | N/A | N/A | Possible Values: False, True. |
| MD5 | N/A | N/A | The MD5 hash for the file. |
| Path | N/A | N/A | The path to the file. |
| SHA256 | <hash> | Text/String | The SHA256 hash for the file. |
| Status | <status> | Text/String | Possible Values: Abnormal, Cleared, Corrupt, Quarantined, Unsafe, and Waived. |
| Threat Classification | <threatname> | Text/String | Possible Values: File Unavailable, Malware, Possible PUP, PUP, Trusted, and Unclassified. |
| Zone Names | <subject> | Text/String | The names of the zones where the threat was found. |
| Policy Name | <policy> | Text/String | This is the name of the device policy. |