CylanceOPTICS HTTP visibility detection events

These events occur when the CylanceOPTICS agent detects a potentially malicious Windows HTTP transaction. Note that some fields contain command-line values, which can themselves include commas and colons. BlackBerry recommends that you review and test how your SIEM or syslog server parses these values.
| Field | Value | Description |
| --- | --- | --- |
| Description | [varies] | This is the name of the detection rule that was triggered. |
| Detection Rule Id | [varies] | This is the unique detection rule ID. |
| Device Last Reported Users | [varies] | These are the last reported device users. |
| Device Name | [varies] | This is the name of the device that the detection event occurred on. |
| Event Id | [varies] | This is the unique ID of the detection event. |
| Event Name | OpticsCaeHttpEvent | This is the name of the HTTP visibility detection event. |
| Event Received Timestamp | [varies] | This is the timestamp of when the event was received by CylanceOPTICS. |
| Event Timestamp | [varies] | This is the timestamp of the event that occurred on the device. |
| Event Type | OpticsCaeHttpEvent | This is the type of the HTTP visibility detection event. |
| Instigating Process Command Line | [varies] | This is the command line that was used to start the instigating process. |
| Instigating Process File Path | [varies] | This is the file path of the instigating process executable. |
| Instigating Process ImageFileSha256 | [varies] | This is the SHA256 hash of the process that instigated the action. |
| Instigating Process Name | [varies] | This is the name of the process that instigated the action. |
| Instigating Process Owner | [varies] | This is the user who owns the process that instigated the action. |
| Request Domain | [varies] | This is the domain that the request came from. |
| Request Headers | [varies] | This provides information about the headers in the request. |
| Request Length | [varies] | This specifies the length of the request. |
| Request Method | [varies] | This is the method of the request (for example, GET). |
| Request Path | [varies] | This is the path of the request. |
| Request Port | [varies] | This is the port that the request came from. |
| Request Version | [varies] | This is the version of the request (for example, HTTP/1.1). |
| Response Headers | [varies] | This provides information about the headers in the response. |
| Response Length | [varies] | This specifies the length of the response. |
| Response Status | [varies] | This is the status of the response. |
| Severity | [varies] | The severity of the event. High: a malicious event that requires immediate attention; Medium: a suspicious event that should be reviewed; Low: an important event that may not be malicious; Info: an observed event. |
| User Agent | [varies] | These are string values that can include characteristics like the app, operating system, vendor, and version. |
| Zone Ids | [varies] | This is a list of zone IDs that the device belonged to at the time of the event. |
| Zone Names | [varies] | These are the zones that the device belongs to. |

Example message for log-based detection events

2023-08-23T15:48:52.992000Z sysloghost CylanceOPTICS - - [f2204973-ddee-4d97-9cac-1f45fcb0fee6] Event Type: OpticsCaeHttpEvent, Event Name: OpticsCaeHttpEvent, Device Name: DEVICE-W19, Zone Names: (Zone_3.x), Event Id: 41ea5ce4-6501-4c13-a7a2-80f9afec9eee, Severity: High, Description: DEVICE - Trigger on ANY http sensor event, Instigating Process Name: svchost.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: 2B105FB153B1BCD619B95028612B3A93C60B953EEF6837D3BB0099E4207AAF6B, Event Timestamp: 2023-08-23T15:48:52.992Z, Event Received Timestamp: 2023-08-23T15:48:57Z, Device Last Reported Users: (RIMNET\adminuser,Window Manager\DWM-1,Window Manager\DWM-2), Zone Ids: (D215191148D64DEE826768B62D64B244), Detection Rule Id: 9a82a2d3-e6b0-4177-9bac-80ba5b1ef982, Instigating Process Command Line: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc, Instigating Process File Path: c:\windows\system32\svchost.exe, Device Id: 744ac660-9704-4edb-a8d0-ae13a343f3bf, User Agent: Microsoft-CryptoAPI/10.0, Request Domain: ocsp.digicert.com, Request Path: /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D, Request Method: GET, Request Port: 80, Request Version: HTTP/1.1, Request Headers: 0, Request Length: 0, Response Status: 0, Response Headers: 0, Response Length: 0
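The intro recommends testing how your SIEM parses these messages, because values such as the instigating process command line, the ISO timestamps and the parenthesised user list contain the same commas and colons that separate fields. The parser below is an added example written for this page; it is not BlackBerry code and not a supported API. It assumes the syslog prefix shape shown in the sample (timestamp, host, app, `- -`, bracketed UUID) and anchors field boundaries on the known field names from the table above (plus `Device Id`, which appears in the sample but not in the table) rather than splitting on every comma or colon. The sample message embedded in the block is the one printed on this page.

```python
import re

# Field names from the table on this page, plus "Device Id", which appears in
# the sample message but not in the table. Anchoring on known names, rather
# than splitting on every comma or colon, keeps values such as the command
# line, timestamps and the parenthesised user list intact.
FIELD_NAMES = [
    "Description", "Detection Rule Id", "Device Id", "Device Last Reported Users",
    "Device Name", "Event Id", "Event Name", "Event Received Timestamp",
    "Event Timestamp", "Event Type", "Instigating Process Command Line",
    "Instigating Process File Path", "Instigating Process ImageFileSha256",
    "Instigating Process Name", "Instigating Process Owner", "Request Domain",
    "Request Headers", "Request Length", "Request Method", "Request Path",
    "Request Port", "Request Version", "Response Headers", "Response Length",
    "Response Status", "Severity", "User Agent", "Zone Ids", "Zone Names",
]

# A field starts at the beginning of the body or after ", ", and is a known
# name followed by ": ". Longest names first so that no shorter name can
# shadow a longer one inside the alternation.
FIELD_RE = re.compile(
    r"(?:^|, )("
    + "|".join(re.escape(n) for n in sorted(FIELD_NAMES, key=len, reverse=True))
    + r"): "
)

# Syslog prefix as it appears in the sample (assumed shape, not a spec):
# timestamp, host, app, "- -" placeholders, then the bracketed event UUID.
HEADER_RE = re.compile(
    r"^(?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) - - "
    r"\[(?P<uuid>[^\]]+)\] (?P<body>.*)$"
)


def parse_fields(body: str) -> dict:
    """Map each known field name to its raw value, in message order."""
    hits = list(FIELD_RE.finditer(body))
    fields = {}
    for i, hit in enumerate(hits):
        # The value runs from the end of "Name: " up to the start of the next
        # ", Name: " match (its start is the separating comma) or to the end.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        fields[hit.group(1)] = body[hit.end():end]
    return fields


def split_list(value: str) -> list:
    """Split a parenthesised list value such as "(a,b,c)" into its items."""
    inner = value[1:-1] if value.startswith("(") and value.endswith(")") else value
    return [item for item in inner.split(",") if item]


def parse_event(line: str) -> dict:
    """Parse one CylanceOPTICS syslog line into header parts and event fields."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("line does not match the expected syslog prefix")
    header = {k: m.group(k) for k in ("timestamp", "host", "app", "uuid")}
    return {"header": header, "fields": parse_fields(m.group("body"))}


# The sample message from this page, as raw string pieces so the backslashes
# in the Windows paths and user names survive unchanged.
SAMPLE = (
    r"2023-08-23T15:48:52.992000Z sysloghost CylanceOPTICS - - "
    r"[f2204973-ddee-4d97-9cac-1f45fcb0fee6] Event Type: OpticsCaeHttpEvent, "
    r"Event Name: OpticsCaeHttpEvent, Device Name: DEVICE-W19, Zone Names: (Zone_3.x), "
    r"Event Id: 41ea5ce4-6501-4c13-a7a2-80f9afec9eee, Severity: High, "
    r"Description: DEVICE - Trigger on ANY http sensor event, "
    r"Instigating Process Name: svchost.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, "
    r"Instigating Process ImageFileSha256: 2B105FB153B1BCD619B95028612B3A93C60B953EEF6837D3BB0099E4207AAF6B, "
    r"Event Timestamp: 2023-08-23T15:48:52.992Z, Event Received Timestamp: 2023-08-23T15:48:57Z, "
    r"Device Last Reported Users: (RIMNET\adminuser,Window Manager\DWM-1,Window Manager\DWM-2), "
    r"Zone Ids: (D215191148D64DEE826768B62D64B244), "
    r"Detection Rule Id: 9a82a2d3-e6b0-4177-9bac-80ba5b1ef982, "
    r"Instigating Process Command Line: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc, "
    r"Instigating Process File Path: c:\windows\system32\svchost.exe, "
    r"Device Id: 744ac660-9704-4edb-a8d0-ae13a343f3bf, User Agent: Microsoft-CryptoAPI/10.0, "
    r"Request Domain: ocsp.digicert.com, "
    r"Request Path: /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D, "
    r"Request Method: GET, Request Port: 80, Request Version: HTTP/1.1, Request Headers: 0, "
    r"Request Length: 0, Response Status: 0, Response Headers: 0, Response Length: 0"
)

if __name__ == "__main__":
    event = parse_event(SAMPLE)
    print(event["header"])
    for name, value in event["fields"].items():
        print(f"{name} = {value!r}")
```

Running the block prints the header parts and then each field with its raw value, so the command line comes out as one string rather than three fragments. The approach has a known limit that is worth keeping in mind when you test your own pipeline: a value that happens to contain `, <known field name>: ` would still be split at that point, so a SIEM parser should treat fields with free-form content (command line, user agent, request path) as the likeliest source of parsing surprises.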