Data structures that

CylanceOPTICS

uses to identify threats

Events, artifacts, and facets are the three primary data structures that

CylanceOPTICS

uses to analyze, record, and investigate activities that occur on devices.

CylanceOPTICS

features rely on these data structures, including InstaQuery, focus data, and the Context Analysis Engine (CAE).

This section provides more information about how

CylanceOPTICS

interprets and interacts with activities on devices, to help you better understand and make use of detections, queries, and focus data.

The

CylanceOPTICS

agent uses the following data sources:

OS	Data sources
Windows	CyOpticsDrv kernel driver Event tracking Security audit log
macOS	CyOpticsDrvOSX kernel driver
Linux	ZeroMQ

For information about the types of network traffic that

CylanceOPTICS

excludes by default, see KB65604.

Events are the components that result in an observable change or action on a device. Events consist of two primary artifacts: the instigating artifact that initiates an action, and the target artifact that is acted on.

The following tables provide details about the types of events that

CylanceOPTICS

can detect and interact with.

Event type	Description
Any	All events record the process that generated them and the user that is associated with the action.

Event type	Description
Create Filter-Consumer Binding	A process used WMI persistence.
Create Temporary Consumer	A process subscribed to WMI events.
Execute Operation	A process performed a WMI operation.

Event type	Description
CBT	The SetWindowsHookEx API installed a hook to receive notifications that are useful to a CBT application.
DebugProc	The SetWindowsHookEx API installed a hook to debug other hook procedures.
Get Async Key State	A process called the Win32 GetAsyncKeyState API.
JournalPlayback	The SetWindowsHookEx API installed a hook to monitor messages previously recorded by a WH_JOURNALRECORD hook procedure.
JournalRecord	The SetWindowsHookEx API installed a hook to monitor input messages posted to the system message queue.
Keyboard	The SetWindowsHookEx API installed a hook to monitor keystroke messages.
LowLevel Keyboard	The SetWindowsHookEx API installed a hook to monitor low-level keyboard input events.
LowLevel Mouse	The SetWindowsHookEx API installed a hook to monitor low-level mouse input events.
Message	The SetWindowsHookEx API installed a hook to monitor messages posted to a message queue.
Mouse	The SetWindowsHookEx API installed a hook to monitor mouse messages.
Register Raw Input Devices	A process called the Win32 RegisterRawInputDevices API.
Set Windows Event Hook	A process called the Win32 SetWinEventHook API.
Set Windows Hook	The SetWindowsHookEx API installed an unlisted hook type value.
ShellProc	The SetWindowsHookEx API installed a hook to receive notifications that are useful to shell applications.
SysMsg	The SetWindowsHookEx API installed a hook to monitor messages that are generated as a result of an input event in a dialog box, message box, or scroll bar.
WindowProc	The SetWindowsHookEx API installed a hook to monitor Windows procedure messages.

Event type	Description
Function	A noteworthy function call has been made.

Event type	Description
Load	An application loaded a module.

Event type	Description
Created	A COM object was created.

Event type	Description
Mount	The device is connected to a machine or folders are mounted to specific network locations.

Event type	Description
Create	A file was created.
Delete	A file was deleted.
Overwrite	A file was overwritten.
Rename	A file was renamed.
Write	A file was modified.

Event type	Description
Open	A file was opened.

Event type	Description
Mmap	A region of memory was mapped for a specific purpose, typically allocated for a process.
MProtect	The metadata was changed for a region of memory, typically to change its status (for example, to make it executable).

Event type	Description
Connect	A network connection was opened. By default, local traffic is not collected.

Event type	Description
Connect	Connect events include local traffic.

Event type	Description
Request	A process made a network DNS request that was not cached.
Response	A process received a DNS response.

Event type	Description
Get	Windows used WinINet or WinHTTP to make an HTTP request.
Post	Windows used WinINet or WinHTTP to send data.

Event type	Platform	Description
Abnormal Exit	macOS Linux	Monitored by the preselect sensor, a process exited without completing (for example, an exception caused a process to exit).
Exit	Windows macOS Linux	A process exited.
Forced Exit	macOS Linux	Monitored by the preselect sensor, a process was forced to exit by another process.
PTrace	macOS Linux	This is a Unix system tool that allows one process to monitor and control another process.
Start	Windows macOS Linux	A process started.
Suspend	Linux	Monitored by the preselect sensor, a process was suspended.
Unknown Linux Process Event	macOS Linux	Monitored by the preselect sensor, an unknown event occurred with the process as a target. This can be a sign of malicious software masking its activity.

Event type	Description
SetThreadContext	A process called the SetThreadContext API.
Terminate	An instigating process terminated another target process.

Event type	Description
KeyCreated	A registry key was created.
KeyDeleting	A registry key was deleted.
ValueChanging	The value of a registry key was changed.
ValueDeleting	A registry key value was deleted.

Event type	Description
Execute Command	Windows PowerShell executed a command. The parameters are unknown.
Execute Script	Windows PowerShell executed a script.
Execute ScriptBlock	Windows PowerShell executed a script block.
Invoke Command	Windows PowerShell invoked a command with bound parameters.
Prevent Script	An AMSI ScanBuffer result indicated that a script was detected or blocked by an administrator.

Event type	Description
Batch Logoff	The following Windows event ID occurred: 4634 (type 4).
Batch Logon	The following Windows event ID occurred: 4624 (type 4).
CachedInteractive Logoff	The following Windows event ID occurred: 4634 (type 11).
CachedInteractive Logon	The following Windows event ID occurred: 4624 (type 11).
Interactive Logoff	The following Windows event ID occurred: 4634 (type 2).
Interactive Logon	The following Windows event ID occurred: 4624 (type 2).
Network Logoff	The following Windows event ID occurred: 4634 (type 3).
Network Logon	The following Windows event ID occurred: 4624 (type 3).
NetworkClearText Logoff	The following Windows event ID occurred: 4634 (type 8).
NetworkClearText Logon	The following Windows event ID occurred: 4624 (type 8).
NewCredentials Logoff	The following Windows event ID occurred: 4634 (type 9).
NewCredentials Logon	The following Windows event ID occurred: 4624 (type 9).
RemoteInteractive Logoff	The following Windows event ID occurred: 4634 (type 10).
RemoteInteractive Logon	The following Windows event ID occurred: 4624 (type 10).
Service Logoff	The following Windows event ID occurred: 4634 (type 5).
Service Logon	The following Windows event ID occurred: 4624 (type 5).
Unlock Logoff	The following Windows event ID occurred: 4634 (type 7).
Unlock Logon	The following Windows event ID occurred: 4624 (type 7).
User Logoff	The following Windows event ID occurred: 4634 (unlisted type value).
User Logon	The following Windows event ID occurred: 4624 (unlisted type value).

Artifacts are complex pieces of information that

CylanceOPTICS

can use. The Context Analysis Engine (CAE) can identify artifacts on devices and use them to trigger automatic incident response and remediation actions. InstaQueries use artifacts as the foundation of a query.

Facets are the attributes of an artifact that can be used to identify the traits of an artifact that is associated with an event. Facets are correlated and combined during analysis to identify potentially malicious activity. For example, a file named "explorer.exe" may not be inherently suspicious, but if the file is not signed by

Microsoft

, and resides in a temporary directory, it may be identified as suspicious in some environments.

CylanceOPTICS

uses the following artifacts and facets:

Artifact	Facets
API Call	Function DLL Parameters
DNS	Connection IsRecursionDesired IsUnsolicitedResponse Opcode RequestId Resolution ResponseOriginatedFromThisDevice Questions
Event	Occurrence time Registration time
File	Executable file record (binaries only) File creation time (reported by OS) File path File signature (binaries only) File size Last modified time (reported by OS) md5 hash (binaries only) Recent write location sha256 hash (binaries only) Suspected file type User
Network	Local address Local port Protocol Remote address Remote port
PowerShell trace	EventId Payload PayloadAnalysis ScriptBlockText ScriptBlockTextAnalysis
Process	Command line File the executable was run from Parent process Process ID Start time User
Registry	If the value references a file on the system Registry path Value
Users	Domain OS-specific identifier (for example, SID) Username User artifacts can contain any of the following values; however, the data is not available on most devices: AccountType BadPasswordCount Comment CountryCode FullName HasPasswordExpired HomeDirectory IsAccountDisabled IsLocalAccount IsLockedOut IsPasswordRequired LanguageCodePage LogonServer PasswordAge PasswordDoesNotExpire ProfilePath ScriptPath UserPrivilege Workstations
Windows event	Class Event ID ObjectServer PrivilegeList Process ID Process Name Provider Name Service SubjectDomainName SubjectLogonId SubjectUserName SubjectUserSid
WMI trace	ConsumerText ConsumerTextAnalysis EventId Namespace Operation OperationAnalysis OriginatingMachineName

CylanceOPTICS

monitors common persistence, process startup, and privilege escalation keys and values as well as the values shown in KB 66266.

To learn more about how

CylanceOPTICS

monitors persistence points in the registry, see KB 66357.