Log Fields and Parsing

This section details the log fields available in this log message type, along with the values parsed into each of them under the LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that no value is parsed into that log field under that policy.

<vendorinfo>

<policy>

| Log Field | LogRhythm Default | LogRhythm Default v2.0 | Description |
|---|---|---|---|
| Device ID | N/A | <serialnumber> | |
| Device Name | <dname> | <dname> | |
| Event ID | N/A | N/A | |
| Event Name | <vmid> | N/A | |
| Event Type | <objecttype> | <vmid> | |
| Instigating Process Image File Sha256 | N/A | N/A | |
| Instigating Process Name | <parentprocessname> | <parentprocessname> | |
| Instigating Process Owner | <domainorigin>, <login> | <domainorigin>, <login> | |
| Severity | <severity> | <severity> | |
| Target File Sha256 | <hash> | <hash> | |
| Target File Path | <object> | <object> | |
| Target File Owner | <domainimpacted>, <account> | <domainimpacted>, <account> | |
| Zone Names | N/A | N/A | |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1010204 | CylanceOPTICS : File Events | Base Rule | Suspicious Activity | Suspicious |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1011383 | V 2.0 : Cylance Optics : File Threat Detected | Base Rule | General Threat Message | Activity |
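The practical consequence of the two tables on this page is that a policy change moves data between metadata fields and changes the Common Event and Classification stamped on the log: Device ID becomes populated from <serialnumber>, Event Name is no longer parsed, Event Type is filled from <vmid> instead of <objecttype>, and the rule classifies the log as "General Threat Message" / "Activity" rather than "Suspicious Activity" / "Suspicious". Any AIE rule, saved search or report keyed on the old field or classification will stop matching after the switch. The following added example, which is not LogRhythm's parser or policy code, models both mappings from the field table and the rule table above and runs a constructed detection filter against the result to show which criteria break. The captured token values, the two rule filters and the "domain\account" join format for the two-tag owner fields are assumptions of this example, not taken from the page.

```python
# Added illustration of the field mapping on this page for CylanceOPTICS file
# events under the LogRhythm Default and LogRhythm Default v2.0 policies.
# Not LogRhythm code: the mapping dicts transcribe the tables on the page; the
# captured tokens, the rule filters and the owner join format are constructed.

from typing import Dict, List, Optional

# Log Field -> capture tags that populate it. None means "N/A" (nothing parsed).
LOGRHYTHM_DEFAULT: Dict[str, Optional[List[str]]] = {
    "Device ID": None,
    "Device Name": ["dname"],
    "Event ID": None,
    "Event Name": ["vmid"],
    "Event Type": ["objecttype"],
    "Instigating Process Image File Sha256": None,
    "Instigating Process Name": ["parentprocessname"],
    "Instigating Process Owner": ["domainorigin", "login"],
    "Severity": ["severity"],
    "Target File Sha256": ["hash"],
    "Target File Path": ["object"],
    "Target File Owner": ["domainimpacted", "account"],
    "Zone Names": None,
}

# v2.0 differs from Default only in the three rows changed below.
LOGRHYTHM_DEFAULT_V2: Dict[str, Optional[List[str]]] = dict(LOGRHYTHM_DEFAULT)
LOGRHYTHM_DEFAULT_V2.update({
    "Device ID": ["serialnumber"],
    "Event Name": None,
    "Event Type": ["vmid"],
})

# Common Event / Classification from the Log Processing Settings tables.
RULE_METADATA = {
    "LogRhythm Default": {"regex_id": 1010204, "common_event": "Suspicious Activity",
                          "classification": "Suspicious"},
    "LogRhythm Default v2.0": {"regex_id": 1011383, "common_event": "General Threat Message",
                               "classification": "Activity"},
}

# Constructed capture-group values standing in for one parsed file event.
SAMPLE_TOKENS = {
    "dname": "WS-0042", "serialnumber": "CY-7F3A91",
    "vmid": "FileEvent", "objecttype": "Create",
    "parentprocessname": "explorer.exe",
    "domainorigin": "CORP", "login": "jdoe",
    "severity": "High",
    "hash": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "object": "C:\\Users\\jdoe\\Downloads\\invoice.exe",
    "domainimpacted": "CORP", "account": "jdoe",
}


def apply_policy(tokens: Dict[str, str], mapping: Dict[str, Optional[List[str]]],
                 metadata: Dict[str, object]) -> Dict[str, Optional[str]]:
    """Populate LogRhythm metadata fields from captured tokens under one policy."""
    record: Dict[str, Optional[str]] = {}
    for field, tags in mapping.items():
        values = [tokens.get(t) for t in tags] if tags else []
        if not tags or any(v is None for v in values):
            record[field] = None  # N/A, or the capture group was absent from this log
        else:
            # Two-tag fields (owners) joined as domain\account: an assumption here.
            record[field] = "\\".join(values) if len(values) > 1 else values[0]
    record["Common Event"] = str(metadata["common_event"])
    record["Classification"] = str(metadata["classification"])
    return record


def build_records() -> Dict[str, Dict[str, Optional[str]]]:
    return {
        name: apply_policy(SAMPLE_TOKENS, mapping, RULE_METADATA[name])
        for name, mapping in (("LogRhythm Default", LOGRHYTHM_DEFAULT),
                              ("LogRhythm Default v2.0", LOGRHYTHM_DEFAULT_V2))
    }


def changed_fields(a: Dict[str, Optional[str]], b: Dict[str, Optional[str]]) -> List[str]:
    """Fields whose value differs between two parsed records of the same log."""
    return sorted(f for f in a if a[f] != b.get(f))


def rule_matches(record: Dict[str, Optional[str]], criteria: Dict[str, str]) -> bool:
    """Constructed stand-in for an equality-only rule filter."""
    return all(record.get(k) == v for k, v in criteria.items())


# A filter written against the Default policy, and its v2.0 replacement (both constructed).
LEGACY_RULE = {"Event Type": "Create", "Classification": "Suspicious"}
UPDATED_RULE = {"Event Type": "FileEvent", "Common Event": "General Threat Message"}

if __name__ == "__main__":
    recs = build_records()
    old, new = recs["LogRhythm Default"], recs["LogRhythm Default v2.0"]
    print("fields that change on migration:", changed_fields(old, new))
    print("legacy rule matches Default / v2.0:", rule_matches(old, LEGACY_RULE),
          rule_matches(new, LEGACY_RULE))
    print("updated rule matches v2.0:", rule_matches(new, UPDATED_RULE))
```

Running it lists Classification, Common Event, Device ID, Event Name and Event Type as the fields that change for the same log line, and shows the legacy filter matching only under the Default policy. Before switching a deployment to v2.0, run the same comparison over the filters your own rules use so that anything keyed on Event Name, on <objecttype> in Event Type, or on the "Suspicious" classification is rewritten first.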