CylanceOPTICS : Process Events

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field	LogRhythm Default	LogRhythm Default v2.0
Description	<vendorinfo>, <tag1>	<policy>
Device ID	N/A	<serialnumber>
Device Name	<dname>	<dname>
Event ID	N/A	N/A
Event Name	<vmid>	N/A
Event Type	<objecttype>	<vmid>
Instigating Process Image File Sha256	N/A	N/A
Instigating Process Name	<parentprocessname>	<parentprocessname>
Instigating Process Owner	<domainorigin>, <login>	<domainorigin>, <login>
Severity	<severity>	<severity>
Target Process Image File Sha256	<hash>	<hash>
Target Process Name	<process>	<process>
Target Process Owner	<domainimpacted>, <account>	<domainimpacted>, <account>
Zone Names	<group>	N/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID	Rule Name	Rule Type	Common Events	Classifications
1010202	CylanceOPTICS : Process Events	Base Rule	Suspicious Activity	Suspicious
	File Name Confusion	Sub Rule	Active File Name Inquiry	Other Audit Success
	Unsigned Process	Sub Rule	Suspicious Host Activity	Suspicious
	Suspicious Parent Activity	Sub Rule	Suspicious Host Activity	Suspicious
	Unsigned Process	Sub Rule	Suspicious Host Activity	Suspicious
	Suspicious OS Process	Sub Rule	Suspicious Host Activity	Suspicious
	Office DDE Activity	Sub Rule	Suspicious Host Activity	Suspicious
	RegSvr32 Remote Activity	Sub Rule	Suspicious Host Activity	Suspicious
	RegSvcs Activity	Sub Rule	Suspicious Host Activity	Suspicious

LogRhythm Default v2.0

Regex ID	Rule Name	Rule Type	Common Events	Classifications
1011382	V 2.0 : Cylance Optics : Process Threat Detected	Base Rule	General Threat Message	Activity