Skip Navigation
  1. BlackBerry Docs
  2. Cylance Endpoint Security
  3. Administration
  4. Cylance Endpoint Security Administration Guide
  5. Using CylanceOPTICS to detect and respond to events
  6. Creating custom detection rules
  7. Create and manage detection rules and exclusions
  8. Operands (facet value extractors)

Operands (facet value extractors)

The
CylanceOPTICS
 CAE uses facet value extractors to identify an individual property (facet) of a single artifact that is associated with an event that
CylanceOPTICS
 observed. While facet value extractors are narrowly scoped by themselves, they can be strung together in a logical way to analyze complex behaviors that are occurring on a device, and to trigger a detection event.
Extractor name
Description
Supported facets
InstigatingProcess
This extractor extracts a facet from the instigating process of an event, and is commonly used to inspect the name or command line arguments of a process that is initiating an action (for example, starting another process, initiating a network connection, or writing a file).
Name (as String)
CommandLine (as String)
InstigatingProcessImageFile
This extractor extracts a facet from the image file that is associated with the instigating process of an event. It is commonly used to inspect various attributes of the image file (for example, name, path, hash, signature status).
Path (as String)
Size (as Integer)
Md5Hash (as String)
Sha256Hash (as String)
IsHidden (as Boolean)
IsReadOnly (as Boolean)
Directory (as String)
SuspectedFileType (as String)
SignatureStatus (as String)
IsSelfSigned (as Boolean)
LeafDNSString (as String)
LeafThumbprint (as String)
LeafSignatureAlgorithm (as String)
LeafCN (as String)
LeafDN (as String)
LeafOU (as String)
LeafO (as String)
LeafL (as String)
LeafC (as String)
IssuerDNString (as String)
IssuerThumbprint (as String)
IssuerSignatureAlgorithm (as String)
IssuerCN (as String)
IssuerDN (as String)
IssuerOU (as String)
IssuerO (as String)
IssuerL (as String)
IssuerC (as String)
RootDNString (as String)
RootThumbprint (as String)
RootSignatureAlgorithm (as String)
RootCN (as String)
RootDN (as String)
RootOU (as String)
RootO (as String)
RootL (as String)
RootC (as String)
InstigatingProcessOwner
This extractor extracts a facet from the owner associated with the instigating process of an event. It is commonly used to inspect the user who owns the process.
Name (as String)
Domain (as String)
TargetFile
This extractor extracts a facet from a file on which an event occurred. It is commonly used to inspect various attributes of the file (for example, name, path, hash, or signature status).
See InstigatingProcessImageFile above.
TargetFileOwner
This extractor extracts a facet from the owner that is associated with the file on which an event occurred. It is commonly used to inspect the user who owns the file.
See InstigatingProcessOwner above.
TargetNetworkConnection
This extractor extracts a facet from the network connection on which an event occurred. It is commonly used to inspect the network IP address or the port that is acted on.
SourceAddress (as IPAddress)
SourcePort (as Integer)
DestinationAddress (as IPAddress)
DestinationPort (as Integer)
TargetProcess
This extractor extracts a facet from the process on which an event occurred. It is commonly used to inspect the name or command line arguments of a process that is acted on.
See InstigatingProcess above.
TargetProcessImageFile
This extractor extracts a facet from the image file that is associated with a process on which an event occurred. It is commonly used to inspect the attributes of the image file (for example, name, path, hash, or signature status).
See InstigatingProcessImageFile above.
TargetProcessOwner
This extractor extracts a facet from the owner that is associated with a process on which an event occurred. It is commonly used to inspect the user who owns the process that is acted on.
See InstigatingProcessOwner above.
TargetRegistryKey
This extractor extracts a facet from the registry key on which an event occurred. It is commonly used to inspect the registry key or value that is acted on.
Path (as String)
ValueName (as String)

Path value extractors

Extractor name
Description
EnvVar
EnvVar extracts an environment variable from the OS.
LiteralWithEnvVar
LiteralWithEnvVar expands a path that contains an environment variable.
Literal
Literal represents a literal value and is the most common extractor and operand.