Data structures that CylanceOPTICS uses to identify threats

Events, artifacts, and facets are the three primary data structures that CylanceOPTICS uses to analyze, record, and investigate activities that occur on devices. CylanceOPTICS features rely on these data structures, including InstaQuery, focus data, and the Context Analysis Engine (CAE).

This section provides more information about how CylanceOPTICS interprets and interacts with activities on devices, to help you better understand and make use of detections, queries, and focus data.

Data sources by OS

The CylanceOPTICS agent uses the following data sources:

OS | Data sources |
---|---|
Windows | |
macOS | CyOpticsDrvOSX kernel driver |
Linux | ZeroMQ |
For information about the types of network traffic that CylanceOPTICS excludes by default, see KB65604.

Events
Events are the components that result in an observable change or action on a device. Events consist of two primary artifacts: the instigating artifact that initiates an action, and the target artifact that is acted on.
The following tables provide details about the types of events that CylanceOPTICS can detect and interact with.

Event: Any

- Device policy option to enable: CylanceOPTICS check box
- Artifact type: Process, User
- Platform: Windows, macOS, Linux
Event type | Description |
---|---|
Any | All events record the process that generated them and the user that is associated with the action. |

Event: Application

- Device policy option to enable: Advanced WMI Visibility
- Artifact type: WMI trace
- Platform: Windows
Event type | Description |
---|---|
Create Filter-Consumer Binding | A process used WMI persistence. |
Create Temporary Consumer | A process subscribed to WMI events. |
Execute Operation | A process performed a WMI operation. |

- Device policy option to enable: Enhanced Process and Hooking Visibility
- Artifact type: File
- Platform: Windows
Event type | Description |
---|---|
CBT | The SetWindowsHookEx API installed a hook to receive notifications that are useful to a CBT application. |
DebugProc | The SetWindowsHookEx API installed a hook to debug other hook procedures. |
Get Async Key State | A process called the Win32 GetAsyncKeyState API. |
JournalPlayback | The SetWindowsHookEx API installed a hook to monitor messages previously recorded by a WH_JOURNALRECORD hook procedure. |
JournalRecord | The SetWindowsHookEx API installed a hook to monitor input messages posted to the system message queue. |
Keyboard | The SetWindowsHookEx API installed a hook to monitor keystroke messages. |
LowLevel Keyboard | The SetWindowsHookEx API installed a hook to monitor low-level keyboard input events. |
LowLevel Mouse | The SetWindowsHookEx API installed a hook to monitor low-level mouse input events. |
Message | The SetWindowsHookEx API installed a hook to monitor messages posted to a message queue. |
Mouse | The SetWindowsHookEx API installed a hook to monitor mouse messages. |
Register Raw Input Devices | A process called the Win32 RegisterRawInputDevices API. |
Set Windows Event Hook | A process called the Win32 SetWinEventHook API. |
Set Windows Hook | The SetWindowsHookEx API installed an unlisted hook type value. |
ShellProc | The SetWindowsHookEx API installed a hook to receive notifications that are useful to shell applications. |
SysMsg | The SetWindowsHookEx API installed a hook to monitor messages that are generated as a result of an input event in a dialog box, message box, or scroll bar. |
WindowProc | The SetWindowsHookEx API installed a hook to monitor Windows procedure messages. |

- Device policy option to enable: API Sensor
- Artifact type: API Call
- Platform: Windows
Event type | Description |
---|---|
Function | A noteworthy function call has been made. |

- Device policy option to enable: Module Load Visibility
- Artifact type: File
- Platform: Windows
Event type | Description |
---|---|
Load | An application loaded a module. |

- Device policy option to enable: COM Object Visibility
- Platform: Windows
Event type | Description |
---|---|
Created | A COM object was created. |

Event: Device

- Device policy option to enable: CylanceOPTICS check box
- Artifact type: File
- Platform: macOS, Linux
Event type | Description |
---|---|
Mount | The device is connected to a machine or folders are mounted to specific network locations. |

Event: File

- Device policy option to enable: CylanceOPTICS check box
- Artifact type: File
- Platform: Windows, macOS, Linux
Event type | Description |
---|---|
Create | A file was created. |
Delete | A file was deleted. |
Overwrite | A file was overwritten. |
Rename | A file was renamed. |
Write | A file was modified. |

- Device policy option to enable: Enhanced File Read Visibility
- Artifact type: File
- Platform: Windows
Event type | Description |
---|---|
Open | A file was opened. |

Event: Memory

- Device policy option to enable: CylanceOPTICS check box
- Artifact type: Process
- Platform: macOS, Linux
Event type | Description |
---|---|
Mmap | A region of memory was mapped for a specific purpose, typically allocated for a process. |
MProtect | The metadata was changed for a region of memory, typically to change its status (for example, to make it executable). |

Event: Network

- Device policy option to enable: CylanceOPTICS check box
- Artifact type: Network
- Platform: Windows, macOS, Linux
Event type | Description |
---|---|
Connect | A network connection was opened. By default, local traffic is not collected. |

- Device policy option to enable: Private Network Address Visibility
- Artifact type: Network
- Platform: Windows
Event type | Description |
---|---|
Connect | Connect events include local traffic. |

- Device policy option to enable: DNS Visibility
- Artifact type: DNS request
- Platform: Windows, Linux
Event type | Description |
---|---|
Request | A process made a network DNS request that was not cached. |
Response | A process received a DNS response. |

- Device policy option to enable: HTTP Visibility
- Artifact type: HTTP
- Platform: Windows
Event type | Description |
---|---|
Get | Windows used WinINet or WinHTTP to make an HTTP request. |
Post | Windows used WinINet or WinHTTP to send data. |

Event: Process

- Device policy option to enable: CylanceOPTICS check box
- Artifact type: Process
Event type | Platform | Description |
---|---|---|
Abnormal Exit | macOS, Linux | The preselect sensor observed a process exit without completing (for example, because an exception caused the process to exit). |
Exit | Windows, macOS, Linux | A process exited. |
Forced Exit | macOS, Linux | The preselect sensor observed a process being forced to exit by another process. |
PTrace | macOS, Linux | A process used ptrace, the Unix facility that allows one process to monitor and control another process. |
Start | Windows, macOS, Linux | A process started. |
Suspend | Linux | The preselect sensor observed a process being suspended. |
Unknown Linux Process Event | macOS, Linux | The preselect sensor observed an unknown event with the process as its target. This can be a sign of malicious software masking its activity. |

- Device policy option to enable: Enhanced Process and Hooking Visibility
- Artifact type: Process
- Platform: Windows
Event type | Description |
---|---|
SetThreadContext | A process called the SetThreadContext API. |
Terminate | An instigating process terminated another target process. |

Event: Registry

- Device policy option to enable: CylanceOPTICS check box
- Artifact type: Registry, File (if the registry key references a specific file)
- Platform: Windows
Event type | Description |
---|---|
KeyCreated | A registry key was created. |
KeyDeleting | A registry key was deleted. |
ValueChanging | The value of a registry key was changed. |
ValueDeleting | A registry key value was deleted. |

Event: Scripting

- Device policy option to enable: Advanced Scripting Visibility
- Artifact type: PowerShell trace
- Platform: Windows
Event type | Description |
---|---|
Execute Command | Windows PowerShell executed a command. The parameters are unknown. |
Execute Script | Windows PowerShell executed a script. |
Execute ScriptBlock | Windows PowerShell executed a script block. |
Invoke Command | Windows PowerShell invoked a command with bound parameters. |
Prevent Script | An AMSI ScanBuffer result indicated that a script was detected or blocked by an administrator. |

Event: User

- Device policy option to enable: Advanced Scripting Visibility
- Artifact type: Windows event
- Platform: Windows
Event type | Description |
---|---|
Batch Logoff | The following Windows event ID occurred: 4634 (type 4). |
Batch Logon | The following Windows event ID occurred: 4624 (type 4). |
CachedInteractive Logoff | The following Windows event ID occurred: 4634 (type 11). |
CachedInteractive Logon | The following Windows event ID occurred: 4624 (type 11). |
Interactive Logoff | The following Windows event ID occurred: 4634 (type 2). |
Interactive Logon | The following Windows event ID occurred: 4624 (type 2). |
Network Logoff | The following Windows event ID occurred: 4634 (type 3). |
Network Logon | The following Windows event ID occurred: 4624 (type 3). |
NetworkClearText Logoff | The following Windows event ID occurred: 4634 (type 8). |
NetworkClearText Logon | The following Windows event ID occurred: 4624 (type 8). |
NewCredentials Logoff | The following Windows event ID occurred: 4634 (type 9). |
NewCredentials Logon | The following Windows event ID occurred: 4624 (type 9). |
RemoteInteractive Logoff | The following Windows event ID occurred: 4634 (type 10). |
RemoteInteractive Logon | The following Windows event ID occurred: 4624 (type 10). |
Service Logoff | The following Windows event ID occurred: 4634 (type 5). |
Service Logon | The following Windows event ID occurred: 4624 (type 5). |
Unlock Logoff | The following Windows event ID occurred: 4634 (type 7). |
Unlock Logon | The following Windows event ID occurred: 4624 (type 7). |
User Logoff | The following Windows event ID occurred: 4634 (unlisted type value). |
User Logon | The following Windows event ID occurred: 4624 (unlisted type value). |

Artifacts and facets

Artifacts are complex pieces of information that CylanceOPTICS can use. The Context Analysis Engine (CAE) can identify artifacts on devices and use them to trigger automatic incident response and remediation actions. InstaQueries use artifacts as the foundation of a query.

Facets are the attributes of an artifact that can be used to identify the traits of an artifact that is associated with an event. Facets are correlated and combined during analysis to identify potentially malicious activity. For example, a file named "explorer.exe" may not be inherently suspicious, but if the file is not signed by Microsoft and resides in a temporary directory, it may be identified as suspicious in some environments.

CylanceOPTICS uses the following artifacts and facets:

Artifact | Facets |
---|---|
API Call | |
DNS | |
Event | |
File | |
Network | |
PowerShell trace | |
Process | |
Registry | |
Users | User artifacts can contain any of the following values; however, the data is not available on most devices: |
Windows event | |
WMI trace | |
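The following is an added illustration of the event, artifact, and facet model described above; it is example code written for this page, not CylanceOPTICS code, and it does not use the product's API. It models an event as an instigating artifact acting on a target artifact (with the associated user recorded on every event, as the "Any" event table states), attaches facets to artifacts as name/value pairs, and evaluates a rule that fires only when several facets are combined, reproducing the "explorer.exe" example from the "Artifacts and facets" section. The facet names (`name`, `path`, `signer`), the rule semantics, and the sample events are all assumptions constructed for the example.

```python
"""Illustrative model of events, artifacts, and facets.

This is example code written for this page, not CylanceOPTICS code.
Facet names and the rule format are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Artifact:
    kind: str                   # e.g. "File", "Process", "User"
    facets: Dict[str, object]   # facet name -> value (names are assumptions)


@dataclass(frozen=True)
class Event:
    category: str      # e.g. "File", "Process", "Network"
    event_type: str    # e.g. "Create", "Start", "Connect"
    instigator: Artifact   # the artifact that initiates the action
    target: Artifact       # the artifact that is acted on
    user: Artifact         # every event records the associated user


# A condition is a predicate over a whole event, so it can look at the
# event type, the instigator, the target, or the user.
Condition = Callable[[Event], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: List[Condition]   # all must hold: facets are correlated, not judged alone

    def matches(self, event: Event) -> bool:
        return all(cond(event) for cond in self.conditions)


def target_facet(name: str, pred: Callable[[object], bool]) -> Condition:
    """Build a condition that tests one facet of the target artifact."""
    return lambda ev: name in ev.target.facets and pred(ev.target.facets[name])


def is_temp_dir(path: object) -> bool:
    """Assumed notion of 'temporary directory': any Temp or tmp path component."""
    normalized = str(path).lower().replace("\\", "/")
    return "/temp/" in normalized or "/tmp/" in normalized


# Rule reproducing the page's example: a file named explorer.exe that is not
# signed by Microsoft and resides in a temporary directory is suspicious.
# No single one of these facets triggers the rule on its own.
EXPLORER_MASQUERADE = Rule(
    "explorer.exe not signed by Microsoft in a temp directory",
    [
        lambda ev: ev.category == "File" and ev.event_type == "Create",
        target_facet("name", lambda v: str(v).lower() == "explorer.exe"),
        target_facet("signer", lambda v: v != "Microsoft"),
        target_facet("path", is_temp_dir),
    ],
)


def evaluate(events: List[Event], rules: List[Rule]) -> List[Tuple[str, int]]:
    """Return (rule name, event index) for every rule that fires on an event."""
    hits = []
    for index, event in enumerate(events):
        for rule in rules:
            if rule.matches(event):
                hits.append((rule.name, index))
    return hits


def sample_events() -> List[Event]:
    """Constructed sample events; not real telemetry."""
    user = Artifact("User", {"name": "alice"})
    installer = Artifact("Process", {"name": "installer.exe", "pid": 4242})
    legit = Artifact("File", {"name": "explorer.exe",
                              "path": "C:/Windows/explorer.exe",
                              "signer": "Microsoft"})
    masquerade = Artifact("File", {"name": "explorer.exe",
                                   "path": "C:/Users/alice/AppData/Local/Temp/explorer.exe",
                                   "signer": None})
    harmless = Artifact("File", {"name": "notes.txt",
                                 "path": "C:/Users/alice/AppData/Local/Temp/notes.txt",
                                 "signer": None})
    return [
        Event("File", "Create", installer, legit, user),       # signed, system path
        Event("File", "Create", installer, masquerade, user),  # all three facets match
        Event("File", "Create", installer, harmless, user),    # unsigned temp file, wrong name
    ]


if __name__ == "__main__":
    for hit in evaluate(sample_events(), [EXPLORER_MASQUERADE]):
        print(hit)
```

Only the second sample event fires the rule: the first is signed by Microsoft and the third is an unsigned temporary file with a different name, which shows why the facets are combined rather than evaluated in isolation.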