This document explains the changes required to switch over and upgrade to the Syslog - Cylance Optics Detection\Protect Events log source type, and to enable new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project.
1. Enable the new MPE rules in the LogRhythm System Monitor.
2. Select the log source type Syslog - Cylance Optics Detection\Protect Events.

Note: when you select the log source type Syslog - Cylance Optics Detection\Protect Events, the log processing policy LogRhythm Default v2.0 is enabled automatically.
Supported Log Messages
The following table lists the log message types supported by the current MPE rules, with the event type each one maps to. Each log message type has its own page with detailed information on parsing changes and new log processing settings.
| Log Message Type                  | Event Type                 |
|-----------------------------------|----------------------------|
| Add Device To Zone (Audit Event)  | Audit Event                |
| Add Device To Zone (Device Event) | Device Event               |
| Application Control Messages      | AppControl Event           |
| Catch All : Level 1               | N/A                        |
| Catch All : Level 2               | N/A                        |
| CylanceOPTICS : File Events       | File Event                 |
| CylanceOPTICS : Memory Events     | Memory Event               |
| CylanceOPTICS : Network Events    | Network Event              |
| CylanceOPTICS : Process Events    | Process Event              |
| CylanceOPTICS : Registry Events   | Registry Event             |
| Device Edit                       | Audit Event                |
| Device Policy Assigned            | Device Event               |
| Device Policy Changed             | Device Event               |
| Device Registration               | Device Event               |
| Device Removed                    | Device Event               |
| Exploit Attempt                   | Memory Exploit Event       |
| Global Threat Quarantine          | Audit Event                |
| Last Message Repeated             | N/A                        |
| Policy Edit                       | Audit Event                |
| Scan Messages                     | Threat Event               |
| Script Control Messages           | Script Control Event       |
| System Security Messages          | Device Event               |
| Test Connection Message           | N/A                        |
| Threat Classification Messages    | Threat Classification Event |
| Threat Data Report Download       | Audit Event                |
| Threat Messages                   | Threat Event               |
| Threat Safe List                  | Audit Event                |
| USB Device Blocked                | Device Control Event       |
| User Added                        | Audit Event                |
| User Login                        | Audit Event                |
| User Removed                      | Audit Event                |
| Zone Edit                         | Audit Event                |
| Zone Rule Edit                    | Audit Event                |
Log Processing Policy Updates
This section details the log processing policy updates made to AIE rules, system reports and templates, tails, and investigations as part of the LSO project.