
Data structures that Optics uses to identify threats

Events, artifacts, and facets are the three primary data structures that Optics uses to analyze, record, and investigate activities that occur on devices. Optics features rely on these data structures, including InstaQuery, focus data, and the Context Analysis Engine (CAE).

This section provides more information about how Optics interprets and interacts with activities on devices, to help you better understand and make use of detections, queries, and focus data.

Data sources by OS

The Optics agent uses the following data sources:

  OS       Data sources
  Windows  CyOpticsDrv kernel driver; Event tracking; Security audit log
  macOS    CyOpticsDrvOSX kernel driver
  Linux    ZeroMQ

Events

An event records an observable change or action on a device. Every event consists of two primary artifacts: the instigating artifact that initiates the action (usually a process), and the target artifact that is acted on (a file, registry value, network connection, another process, and so on). The following tables provide details about the types of events that Optics can detect and interact with, and the device policy option that must be enabled for each.
Event: Any
  • Device policy option to enable: CylanceOPTICS check box
  • Artifact type: Process, User
  • Platform: Windows, macOS, Linux

  Event type  Description
  Any         All events record the process that generated them and the user that is associated with the action.
Event: Application
  • Device policy option to enable: Advanced WMI Visibility
  • Artifact type: WMI trace
  • Platform: Windows

  Event type                        Description
  Create filter – consumer binding  A process bound a WMI event filter to an event consumer, the mechanism used for WMI persistence.
  Create temporary consumer         A process subscribed to WMI events.
  Execute operation                 A process performed a WMI operation.
  • Device policy option to enable: Enhanced Process and Hooking Visibility
  • Artifact type: Windows event
  • Platform: Windows

  Event type                  Description
  CBT                         The SetWindowsHookEx API installed a WH_CBT hook to receive notifications that are useful to a computer-based training (CBT) application.
  DebugProc                   The SetWindowsHookEx API installed a WH_DEBUG hook to debug other hook procedures.
  Get async key state         A process called the Win32 GetAsyncKeyState API (polling the keyboard state without installing a hook).
  JournalPlayback             The SetWindowsHookEx API installed a WH_JOURNALPLAYBACK hook to replay messages previously recorded by a WH_JOURNALRECORD hook procedure.
  JournalRecord               The SetWindowsHookEx API installed a WH_JOURNALRECORD hook to record input messages posted to the system message queue.
  Keyboard                    The SetWindowsHookEx API installed a WH_KEYBOARD hook to monitor keystroke messages.
  LowLevel keyboard           The SetWindowsHookEx API installed a WH_KEYBOARD_LL hook to monitor low-level keyboard input events.
  LowLevel mouse              The SetWindowsHookEx API installed a WH_MOUSE_LL hook to monitor low-level mouse input events.
  Message                     The SetWindowsHookEx API installed a WH_GETMESSAGE hook to monitor messages posted to a message queue.
  Mouse                       The SetWindowsHookEx API installed a WH_MOUSE hook to monitor mouse messages.
  Register raw input devices  A process called the Win32 RegisterRawInputDevices API (another way to receive keyboard and mouse input without a hook).
  Set Windows event hook      A process called the Win32 SetWinEventHook API.
  Set Windows hook            The SetWindowsHookEx API installed a hook with a type value that is not listed here.
  ShellProc                   The SetWindowsHookEx API installed a WH_SHELL hook to receive notifications that are useful to shell applications.
  SysMsg                      The SetWindowsHookEx API installed a WH_SYSMSGFILTER hook to monitor messages that are generated as a result of an input event in a dialog box, message box, or scroll bar.
  WindowProc                  The SetWindowsHookEx API installed a WH_CALLWNDPROC hook to monitor messages before the system sends them to the destination window procedure.

The keyboard, low-level keyboard, journal record, GetAsyncKeyState, and raw input events are the primitives that user-mode keyloggers rely on, but accessibility tools, input method editors, and some games install the same hooks. Correlate the installing process with its file path and signature facets before treating one of these events as malicious.
Event: Device
  • Device policy option to enable: CylanceOPTICS check box
  • Artifact type: File
  • Platform: macOS, Linux

  Event type  Description
  Mount       A file system was mounted, for example a removable device that was attached to the machine, or a network location that was mounted onto a local folder.
Event: File
  • Device policy option to enable: CylanceOPTICS check box
  • Artifact type: File
  • Platform: Windows, macOS, Linux

  Event type  Description
  Create      A file was created.
  Delete      A file was deleted.
  Overwrite   A file was overwritten.
  Rename      A file was renamed.
  Write       A file was modified.

  • Device policy option to enable: Enhanced File Read Visibility
  • Artifact type: File
  • Platform: Windows

  Event type  Description
  Open        A file was opened. This is the only file event that records read access; the events above record only changes.
Event: Memory
  • Device policy option to enable: CylanceOPTICS check box
  • Artifact type: Process
  • Platform: macOS, Linux

  Event type  Description
  Mmap        A process mapped a region of memory into its address space (mmap), typically to allocate memory or to map a file.
  MProtect    A process changed the protection of a region of memory (mprotect), for example to make it executable.
Event: Network
  • Device policy option to enable: CylanceOPTICS check box
  • Artifact type: Network
  • Platform: Windows, macOS

  Event type  Description
  Connect     A network connection was opened. By default, connections to private (local network) addresses are not collected.

  • Device policy option to enable: Private Network Address Visibility
  • Artifact type: Network
  • Platform: Windows

  Event type  Description
  Connect     Connect events also include connections to private (local network) addresses.

  • Device policy option to enable: DNS Visibility
  • Artifact type: DNS request
  • Platform: Windows

  Event type  Description
  Request     A process made a DNS request that was not answered from the local resolver cache.
  Response    A process received a DNS response.
Event: Process
  • Device policy option to enable: CylanceOPTICS check box
  • Artifact type: Process

  Event type                   Platform               Description
  Abnormal exit                macOS, Linux           Monitored by the preselect sensor, a process exited without completing (for example, an exception caused the process to exit).
  Exit                         Windows, macOS, Linux  A process exited.
  Forced exit                  macOS, Linux           Monitored by the preselect sensor, a process was forced to exit by another process.
  PTrace                       macOS, Linux           A process used ptrace, the Unix system call that allows one process to monitor and control another (what a debugger does, and also a common process injection primitive).
  Start                        Windows, macOS, Linux  A process started.
  Suspend                      Linux                  Monitored by the preselect sensor, a process was suspended.
  Unknown Linux process event  macOS, Linux           Monitored by the preselect sensor, an unknown event occurred with the process as a target. This can be a sign of malicious software masking its activity.

  • Device policy option to enable: Enhanced Process and Hooking Visibility
  • Artifact type: Process
  • Platform: Windows

  Event type        Description
  SetThreadContext  A process called the SetThreadContext API (a step in thread-hijacking injection when the target thread belongs to another process).
  Terminate         An instigating process terminated another target process.
Event: Registry
  • Device policy option to enable: CylanceOPTICS check box
  • Artifact type: Registry, File (if the registry value references a specific file)
  • Platform: Windows

  Event type      Description
  Key created     A registry key was created.
  Key deleted     A registry key was deleted.
  Value created   A registry value was created.
  Value deleted   A registry value was deleted.
  Value modified  A registry value was changed.
Event: Scripting
  • Device policy option to enable: Advanced Scripting Visibility
  • Artifact type: File, PowerShell trace (Prevent script: PowerShell trace only)
  • Platform: Windows

  Event type           Description
  Execute command      Windows PowerShell executed a command; the parameters are not recorded.
  Execute script       An AMSI ScanBuffer result indicated that a script was executed.
  Execute ScriptBlock  Windows PowerShell executed a script block.
  Invoke command       Windows PowerShell invoked a command with bound parameters.
  Prevent script       An AMSI ScanBuffer result indicated that a script was detected, or was blocked by an administrator.
Event: User
  • Device policy option to enable: Advanced Scripting Visibility
  • Artifact type: Windows event
  • Platform: Windows

  Event type                Description
  Batch logoff              Windows event ID 4634 occurred with logon type 4 (Batch).
  Batch logon               Windows event ID 4624 occurred with logon type 4 (Batch, for example a scheduled task).
  CacheInteractive logoff   Windows event ID 4634 occurred with logon type 11 (CachedInteractive).
  CacheInteractive logon    Windows event ID 4624 occurred with logon type 11 (CachedInteractive: cached domain credentials were used while no domain controller was reachable).
  Interactive logoff        Windows event ID 4634 occurred with logon type 2 (Interactive).
  Interactive logon         Windows event ID 4624 occurred with logon type 2 (Interactive: a console logon).
  Network logoff            Windows event ID 4634 occurred with logon type 3 (Network).
  Network logon             Windows event ID 4624 occurred with logon type 3 (Network, for example SMB or remote WMI access).
  NetworkClearText logoff   Windows event ID 4634 occurred with logon type 8 (NetworkCleartext).
  NetworkClearText logon    Windows event ID 4624 occurred with logon type 8 (NetworkCleartext: the credentials were sent to the target in clear text, for example basic authentication).
  NewCredentials logoff     Windows event ID 4634 occurred with logon type 9 (NewCredentials).
  NewCredentials logon      Windows event ID 4624 occurred with logon type 9 (NewCredentials, for example runas /netonly).
  RemoteInteraction logoff  Windows event ID 4634 occurred with logon type 10 (RemoteInteractive).
  RemoteInteraction logon   Windows event ID 4624 occurred with logon type 10 (RemoteInteractive, for example RDP).
  Service logoff            Windows event ID 4634 occurred with logon type 5 (Service).
  Service logon             Windows event ID 4624 occurred with logon type 5 (Service).
  Unlock logoff             Windows event ID 4634 occurred with logon type 7 (Unlock).
  Unlock logon              Windows event ID 4624 occurred with logon type 7 (Unlock: the workstation was unlocked).
  User logoff               Windows event ID 4634 occurred with a logon type value that is not listed above.
  User logon                Windows event ID 4624 occurred with a logon type value that is not listed above.

These events are derived from the Windows Security audit log, so the Audit Logon and Audit Logoff subcategories must be enabled on the device; if they are not, Windows never writes 4624 or 4634 and Optics has nothing to record.

Artifacts and facets

Artifacts are complex pieces of information that Optics can use. The Context Analysis Engine (CAE) can identify artifacts on devices and use them to trigger automatic incident response and remediation actions. InstaQueries use artifacts as the foundation of a query.

Facets are the attributes of an artifact that can be used to identify the traits of an artifact that is associated with an event. Facets are correlated and combined during analysis to identify potentially malicious activity. For example, a file named "explorer.exe" may not be inherently suspicious, but if the file is not signed by Microsoft and resides in a temporary directory, it may be identified as suspicious in some environments.

Optics uses the following artifacts and facets:
Artifact
Facets
DNS
  • Connection
  • IsRecursionDesired
  • IsUnsolicitedResponse
  • Opcode
  • RequestId
  • Resolution
  • ResponseOriginatedFromThisDevice
  • Questions
Event
  • Occurrence time
  • Registration time
File
  • Executable file record (binaries only)
  • File creation time (reported by OS)
  • File path
  • File signature (binaries only)
  • File size
  • Last modified time (reported by OS)
  • md5 hash (binaries only)
  • Recent write location
  • sha256 hash (binaries only)
  • Suspected file type
  • User
Network
  • Local address
  • Local port
  • Protocol
  • Remote address
  • Remote port
PowerShell trace
  • EventId
  • Payload
  • PayloadAnalysis
  • ScriptBlockText
  • ScriptBlockTextAnalysis
Process
  • Command line
  • File the executable was run from
  • Parent process
  • Process ID
  • Start time
  • User
Registry
  • If the value references a file on the system
  • Registry path
  • Value
Users
  • Domain
  • OS-specific identifier (for example, SID)
  • Username
User artifacts can contain any of the following values; however, the data is not available on most devices:
  • AccountType
  • BadPasswordCount
  • Comment
  • CountryCode
  • FullName
  • HasPasswordExpired
  • HomeDirectory
  • IsAccountDisabled
  • IsLocalAccount
  • IsLockedOut
  • IsPasswordRequired
  • LanguageCodePage
  • LogonServer
  • PasswordAge
  • PasswordDoesNotExpire
  • ProfilePath
  • ScriptPath
  • UserPrivilege
  • Workstations
Windows event
  • Class
  • Event ID
  • Provider
WMI trace
  • ConsumerText
  • ConsumerTextAnalysis
  • EventId
  • Namespace
  • Operation
  • OperationAnalysis
  • OriginatingMachineName
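The facet correlation described above (an explorer.exe that is not signed by Microsoft and sits in a temporary directory), as an added example that is not BlackBerry or Cylance code. It models an event as an instigating artifact plus a target artifact, with the process and user always present, and evaluates one CAE-style rule over constructed File Create events. The class names, facet keys, and the rule function are assumptions made for this illustration; the sample events are constructed, not captured data.

```python
# Added example, not BlackBerry/Cylance code: a minimal model of the
# event/artifact/facet structures this page describes, plus one CAE-style
# rule that correlates File facets the way the explorer.exe example does.
# Class names, facet keys and the rule function are assumptions for this
# illustration; the sample events below are constructed, not captured data.
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Any


@dataclass(frozen=True)
class Artifact:
    """An artifact (Process, File, User, ...) is a typed set of facets."""
    kind: str
    facets: dict[str, Any] = field(default_factory=dict)

    def facet(self, name: str, default: Any = None) -> Any:
        return self.facets.get(name, default)


@dataclass(frozen=True)
class Event:
    """An event pairs the instigating artifact with the target artifact it
    acted on; the process and user are always present (the "Any" event)."""
    category: str        # File, Process, Registry, ...
    event_type: str      # Create, Write, Start, ...
    instigator: Artifact
    target: Artifact
    user: Artifact


def in_temp_directory(path: str) -> bool:
    """True if any directory component of a Windows path is Temp or tmp."""
    parts = PureWindowsPath(path).parts[:-1]  # drop the file name itself
    return any(p.lower() in ("temp", "tmp") for p in parts)


def is_masquerading_explorer(event: Event) -> bool:
    """CAE-style rule: a file named explorer.exe was created or written,
    is not signed by Microsoft, and lives under a temporary directory.
    None of the three facets is suspicious alone; the combination is."""
    if event.category != "File" or event.event_type not in ("Create", "Write", "Overwrite"):
        return False
    f = event.target
    path = f.facet("File path", "")
    signer = (f.facet("File signature") or {}).get("signer", "")
    return (PureWindowsPath(path).name.lower() == "explorer.exe"
            and "microsoft" not in signer.lower()
            and in_temp_directory(path))


def evaluate(events: list[Event]) -> list[Event]:
    """Run the rule over a batch of events and return the hits."""
    return [e for e in events if is_masquerading_explorer(e)]


def sample_events() -> list[Event]:
    """Constructed sample data: three File Create events with the same
    instigating process and user, differing only in the target's facets."""
    user = Artifact("User", {"Username": "alice", "Domain": "CORP"})
    proc = Artifact("Process", {"Process ID": 4120,
                                "Command line": "powershell.exe -NoProfile -File stage.ps1"})
    # 1) unsigned explorer.exe dropped into the user's temp directory: hit
    dropped = Artifact("File", {
        "File path": r"C:\Users\alice\AppData\Local\Temp\explorer.exe",
        "File signature": {"signer": "", "valid": False},
        "sha256 hash": "0" * 64})  # placeholder hash, constructed
    # 2) the real binary, Microsoft-signed, in its normal location: no hit
    real = Artifact("File", {
        "File path": r"C:\Windows\explorer.exe",
        "File signature": {"signer": "Microsoft Windows", "valid": True},
        "sha256 hash": "1" * 64})  # placeholder hash, constructed
    # 3) unsigned file in temp but with a different name: no hit
    installer = Artifact("File", {
        "File path": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
        "File signature": {"signer": "", "valid": False},
        "sha256 hash": "2" * 64})  # placeholder hash, constructed
    return [Event("File", "Create", proc, t, user) for t in (dropped, real, installer)]


if __name__ == "__main__":
    for hit in evaluate(sample_events()):
        print(f"suspicious: {hit.instigator.facet('Command line')!r} wrote "
              f"{hit.target.facet('File path')} as {hit.user.facet('Username')}")
```

Only the first constructed event matches: the second fails the signature test and the third fails the file name test, which is the point of combining facets rather than alerting on any one of them. A real rule would also want the instigating process facets (the parent process, the command line) and the "Recent write location" facet before deciding to quarantine.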