Artifacts of interest
You can use the artifacts of interest (AOI) in the actions field to define a list of artifacts that CylanceOPTICS can perform automated response actions on. The AOI follow the same syntax as operands. Any artifact that is associated with an event or set of events that satisfy a state can be marked as an AOI. AOI do not need to be defined as an operand to be considered an AOI.

If a filter is applied to a state, note that some AOI will not be available to take automatic response actions against. For example, if a file create filter is applied to a state, file and process related AOI would be available, but registry or network-related AOI would not. If an irrelevant AOI is provided in a state, the CylanceOPTICS agent will gracefully handle its exclusion. The table below outlines the applicable filter to AOI relationships.

Category | Subcategory | Type | Applicable AOI |
---|---|---|---|
File | — | Create | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetFile, TargetFileOwner |
File | — | Delete | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetFile, TargetFileOwner |
File | — | Rename | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetFile, TargetFileOwner |
File | — | Write | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetFile, TargetFileOwner |
Network | IPv4 | Connect | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetNetworkConnection |
Network | IPv6 | Connect | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetNetworkConnection |
Network | TCP | Connect | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetNetworkConnection |
Network | UDP | Connect | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetNetworkConnection |
Process | — | Exit | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetProcess, TargetProcessImageFile, TargetProcessOwner |
Process | — | Start | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetProcess, TargetProcessImageFile, TargetProcessOwner |
Process | CylancePROTECT Desktop | AbnormalExit | TargetProcess, TargetProcessImageFile, TargetProcessOwner |
Registry | — | PersistencePoint: KeyCreating | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
Registry | — | PersistencePoint: KeyCreated | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
Registry | — | PersistencePoint: KeyDeleting | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
Registry | — | PersistencePoint: KeyDeleted | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
Registry | — | PersistencePoint: KeyRenaming | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
Registry | — | PersistencePoint: KeyRenamed | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
Registry | — | PersistencePoint: ValueChanging | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
Registry | — | PersistencePoint: ValueChanged | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
Registry | — | PersistencePoint: ValueDeleting | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
Registry | — | PersistencePoint: ValueDeleted | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
Thread | — | Create | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetProcess, TargetProcessImageFile, TargetProcessOwner |
Thread | — | Inject | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetProcess, TargetProcessImageFile, TargetProcessOwner |
Example (a fragment of a state definition, hence the trailing comma):

```json
"Actions": [
  { "Type": "AOI", "ItemName": "InstigatingProcess", "Position": "PostActivation" },
  { "Type": "AOI", "ItemName": "TargetProcess", "Position": "PostActivation" },
  { "Type": "AOI", "ItemName": "InstigatingProcessOwner", "Position": "PostActivation" }
],
```
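Because the agent silently drops an AOI that the state's filter cannot supply, a rule can ship with response actions that never fire. The following added example (not part of the CylanceOPTICS documentation or product) encodes the filter-to-AOI table above and lints a state's `Actions` list against it before deployment. The state and its filter are constructed for illustration, and the `Filter` object with `Category`, `SubCategory` and `Type` keys is an assumed layout for this example, not a documented CAE structure.

```python
"""Lint the "AOI" actions of a CylanceOPTICS CAE state against the filter-to-AOI table.

Added example, not CylanceOPTICS code. The table is transcribed from the
documentation page; the sample state and the "Filter" key layout
("Category", "SubCategory", "Type") are constructed assumptions.
"""
import json

# Shared AOI groups, built up from the table's recurring columns.
_INSTIGATOR = ("InstigatingProcess", "InstigatingProcessImageFile", "InstigatingProcessOwner")
_FILE = _INSTIGATOR + ("TargetFile", "TargetFileOwner")
_NET = _INSTIGATOR + ("TargetNetworkConnection",)
_TARGET_PROC = _INSTIGATOR + ("TargetProcess", "TargetProcessImageFile", "TargetProcessOwner")
_REG = _INSTIGATOR + ("TargetRegistryKey",)

# (Category, Subcategory, Type) -> applicable AOI, one entry per table row.
APPLICABLE_AOI = {}
for _t in ("Create", "Delete", "Rename", "Write"):
    APPLICABLE_AOI[("File", None, _t)] = _FILE
for _sub in ("IPv4", "IPv6", "TCP", "UDP"):
    APPLICABLE_AOI[("Network", _sub, "Connect")] = _NET
for _t in ("Exit", "Start"):
    APPLICABLE_AOI[("Process", None, _t)] = _TARGET_PROC
APPLICABLE_AOI[("Process", "CylancePROTECT Desktop", "AbnormalExit")] = (
    "TargetProcess", "TargetProcessImageFile", "TargetProcessOwner")
for _t in ("KeyCreating", "KeyCreated", "KeyDeleting", "KeyDeleted", "KeyRenaming",
           "KeyRenamed", "ValueChanging", "ValueChanged", "ValueDeleting", "ValueDeleted"):
    APPLICABLE_AOI[("Registry", None, "PersistencePoint: " + _t)] = _REG
for _t in ("Create", "Inject"):
    APPLICABLE_AOI[("Thread", None, _t)] = _TARGET_PROC


def applicable_aoi(category, subcategory, event_type):
    """Return the AOI tuple the table lists for this filter, or None if the filter is unknown."""
    return APPLICABLE_AOI.get((category, subcategory or None, event_type))


def lint_state_aoi(state):
    """Split a state's AOI actions into (kept, dropped) ItemName lists.

    `dropped` names AOI the filter's event category cannot supply; the agent
    excludes them gracefully, so in a deployed rule they are silent no-ops.
    """
    flt = state["Filter"]  # assumed filter layout, see module docstring
    allowed = applicable_aoi(flt["Category"], flt.get("SubCategory"), flt["Type"])
    if allowed is None:
        raise ValueError("no AOI table entry for filter %r" % (flt,))
    kept, dropped = [], []
    for action in state.get("Actions", []):
        if action.get("Type") != "AOI":
            continue  # non-AOI actions are outside this check
        (kept if action["ItemName"] in allowed else dropped).append(action["ItemName"])
    return kept, dropped


# Constructed state: a file-create filter carrying the page's three example AOI
# plus a registry AOI that a file event cannot provide.
SAMPLE_STATE = json.loads("""
{
  "Filter": {"Category": "File", "Type": "Create"},
  "Actions": [
    {"Type": "AOI", "ItemName": "InstigatingProcess", "Position": "PostActivation"},
    {"Type": "AOI", "ItemName": "TargetProcess", "Position": "PostActivation"},
    {"Type": "AOI", "ItemName": "InstigatingProcessOwner", "Position": "PostActivation"},
    {"Type": "AOI", "ItemName": "TargetRegistryKey", "Position": "PostActivation"}
  ]
}
""")

if __name__ == "__main__":
    usable, excluded = lint_state_aoi(SAMPLE_STATE)
    print("usable AOI:", usable)
    print("silently excluded AOI:", excluded)
```

Run against the constructed state, the linter keeps `InstigatingProcess` and `InstigatingProcessOwner` and reports `TargetProcess` and `TargetRegistryKey` as excluded: a file event carries `TargetFile`, not `TargetProcess`, so the page's own three-AOI example only fires fully under a process or thread filter. Running this over every state in a rule before upload catches response actions that would otherwise never execute.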