CylanceOPTICS file-based detection events

These events occur when a detection event that includes a target-file artifact is triggered. Note that some fields will include command line values that can include commas and colons. BlackBerry recommends that you review and test the parsing of these values by your SIEM or syslog server.

Field | Value | Description |
---|---|---|
Description | [varies] | This is the name of the detection rule that was triggered. |
Detection Rule Id | [varies] | This is the unique detection rule ID. |
Device Id | [varies] | This is the unique ID of the device. |
Device Last Reported Users | [varies] | These are the last reported device users. |
Device Name | [varies] | This is the name of the device that the detection event occurred on. |
Event Id | [varies] | This is the unique ID of the detection event. |
Event Name | OpticsCaeFileEvent | This is a detection event that involves a target file. |
Event Received Timestamp | [varies] | This is the timestamp of when the event was received by CylanceOPTICS. |
Event Timestamp | [varies] | This is the timestamp of the event that occurred on the device. |
Event Type | OpticsCaeFileEvent | This is a detection event that involves a target file. |
Instigating Process Command Line | [varies] | This is the command line that was used to start the instigating process. |
Instigating Process File Path | [varies] | This is the path of the executable of the instigating process. |
Instigating Process ImageFileSha256 | [varies] | This is the SHA256 hash of the process that instigated the action. |
Instigating Process Name | [varies] | This is the name of the process that instigated the action. |
Instigating Process Owner | [varies] | This is the user that owns the process that instigated the action. |
Severity | [varies] | This is the severity of the event. |
Target File Sha256 | [varies] | This is the SHA256 hash of the file that was acted on (created, written, overwritten, or deleted). SHA256 hashes are not available for all file types. |
Target File Path | [varies] | This is the path of the file that was acted on (created, written, overwritten, or deleted). |
Target File Owner | [varies] | This is the owner of the file that was acted on (created, written, overwritten, or deleted). |
Zone Ids | [varies] | This is a list of zone IDs that the device belonged to at the time of the event. |
Zone Names | [varies] | These are the zones that the device belongs to. |
Example message for file-based detection events
Event Type: OpticsCaeFileEvent, Event Name: OpticsCaeFileEvent, Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,JeffSecurityServer), Event Id: f4739af7-9c8b-4dc0-aeb7-2d4533445d49, Severity: Medium, Description: SYSLOG detections - Looking for a created file cylancetest.txt, Instigating Process Name: cmd.exe, Instigating Process Owner: PENTEST//Administrator, Instigating Process ImageFileSha256: BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527, Event Timestamp: 2022-06-28T18:09:32.693Z, Event Received Timestamp: 2022-06-28T18:09:36Z, Device Last Reported Users: (PENTEST\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: 74bd0e7e-281a-4d7b-9f84-d0f51346782c, Instigating Process Command Line: "C:\Windows\system32\cmd.exe" , Instigating Process File Path: c:\windows\system32\cmd.exe, Target File Path: c:\users\administrator.pentest\downloads\syslog_test_cae_rules\cylancetest.txt, Target File Owner: BUILTIN//Administrators, Target File Sha256: , Device Id: c7b79f9f-4fbe-4f90-9658-ec7e17af1954
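The parsing caveat above (command line values can carry commas and colons, and the example shows an empty `Target File Sha256` and parenthesised lists for zones and users) is the kind of thing a SIEM normaliser gets wrong. The following Python parser is an added example, not BlackBerry code and not part of the CylanceOPTICS product; it assumes the `Label: value` pairs separated by `, ` that the example message shows, and it only splits on a separator when a field label from the table follows it, so commas and colons inside a command line are left intact. `SAMPLE` is the example message from this page; `CRAFTED` is a constructed message with a deliberately awkward command line used to exercise the edge case.

```python
"""Parse CylanceOPTICS file-based detection event syslog messages.

Added example for this page; not BlackBerry code. The message layout is
inferred from the example message on the page: "Label: value" pairs joined
by ", ", where a value may itself contain commas and colons (command lines)
or be a parenthesised list (zones, users), and may be empty (file hash).
"""
import re
from typing import Dict, List, Union

# Field labels taken from the table on this page.
FIELDS = [
    "Event Type", "Event Name", "Device Name", "Zone Names", "Event Id",
    "Severity", "Description", "Instigating Process Name",
    "Instigating Process Owner", "Instigating Process ImageFileSha256",
    "Event Timestamp", "Event Received Timestamp",
    "Device Last Reported Users", "Zone Ids", "Detection Rule Id",
    "Instigating Process Command Line", "Instigating Process File Path",
    "Target File Path", "Target File Owner", "Target File Sha256", "Device Id",
]

# Fields whose value is a parenthesised, comma-separated list.
LIST_FIELDS = {"Zone Names", "Zone Ids", "Device Last Reported Users"}

# Longest labels first so the alternation never stops early on a prefix.
_LABELS = "|".join(re.escape(f) for f in sorted(FIELDS, key=len, reverse=True))
# Split on ", " only when a known label followed by ":" comes next; commas
# and colons inside a value (e.g. a command line) are therefore left alone.
_SPLIT_RE = re.compile(r", (?=(?:" + _LABELS + r"):)")
# One "Label: value" chunk; the value may be empty (e.g. "Target File Sha256: ").
_PAIR_RE = re.compile(r"^(" + _LABELS + r"):\s?(.*)$", re.DOTALL)

EventDict = Dict[str, Union[str, List[str]]]


def parse_optics_file_event(message: str) -> EventDict:
    """Return a dict of field -> value (a list of strings for LIST_FIELDS)."""
    event: EventDict = {}
    for chunk in _SPLIT_RE.split(message.strip()):
        m = _PAIR_RE.match(chunk)
        if not m:
            # Unknown label: the message did not match the documented layout.
            raise ValueError(f"unrecognised field in message: {chunk[:40]!r}")
        label, value = m.group(1), m.group(2).strip()
        if label in LIST_FIELDS:
            # "(a,b)" -> ["a", "b"]; "()" -> []
            inner = value[1:-1] if value.startswith("(") and value.endswith(")") else value
            event[label] = [item for item in inner.split(",") if item]
        else:
            event[label] = value
    return event


def missing_fields(event: EventDict) -> List[str]:
    """Labels from the table that the parsed message did not carry."""
    return [f for f in FIELDS if f not in event]


# The example message from this page, unchanged.
SAMPLE = (
    r"Event Type: OpticsCaeFileEvent, Event Name: OpticsCaeFileEvent, "
    r"Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,JeffSecurityServer), "
    r"Event Id: f4739af7-9c8b-4dc0-aeb7-2d4533445d49, Severity: Medium, "
    r"Description: SYSLOG detections - Looking for a created file cylancetest.txt, "
    r"Instigating Process Name: cmd.exe, Instigating Process Owner: PENTEST//Administrator, "
    r"Instigating Process ImageFileSha256: BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527, "
    r"Event Timestamp: 2022-06-28T18:09:32.693Z, Event Received Timestamp: 2022-06-28T18:09:36Z, "
    r"Device Last Reported Users: (PENTEST\Administrator), "
    r"Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), "
    r"Detection Rule Id: 74bd0e7e-281a-4d7b-9f84-d0f51346782c, "
    r'Instigating Process Command Line: "C:\Windows\system32\cmd.exe" , '
    r"Instigating Process File Path: c:\windows\system32\cmd.exe, "
    r"Target File Path: c:\users\administrator.pentest\downloads\syslog_test_cae_rules\cylancetest.txt, "
    r"Target File Owner: BUILTIN//Administrators, Target File Sha256: , "
    r"Device Id: c7b79f9f-4fbe-4f90-9658-ec7e17af1954"
)

# Constructed message (not from the page): a command line containing both
# ", " and ": ", an empty hash, and several fields absent.
CRAFTED = (
    "Event Type: OpticsCaeFileEvent, Event Name: OpticsCaeFileEvent, "
    'Instigating Process Command Line: cmd.exe /c "echo a, b: c" > out.txt, '
    "Target File Path: c:\\temp\\out.txt, Target File Sha256: , Device Id: dev-1"
)


if __name__ == "__main__":
    for name, msg in (("SAMPLE", SAMPLE), ("CRAFTED", CRAFTED)):
        parsed = parse_optics_file_event(msg)
        print(name, parsed["Instigating Process Command Line"], missing_fields(parsed))
```

The residual ambiguity is a command line that itself contains `, ` immediately followed by one of the documented labels and a colon; a label-anchored split cannot distinguish that from a real field boundary, which is exactly why the page tells you to test your SIEM's parsing against real events rather than trust a generic key-value splitter. `missing_fields` is useful as a validation step in that testing: a message that parses but lacks `Severity` or `Device Id` usually means the collector truncated or re-split the line.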