BlackBerry Optics DNS-based detection events

These events occur when a Detection Event that includes a DNS-based artifact is triggered.
| Field | Value | Description |
|---|---|---|
| Description | [varies] | Name of the Detection Rule that was triggered |
| Device Id | [varies] | Unique ID for the device |
| Device Name | [varies] | Name of the device on which the Detection Event occurred |
| Event Id | [varies] | Unique ID for the Detection Event |
| Event Name | OpticsCaeDNSEvent | Detection Event involved a DNS-based connection |
| Event Type | OpticsCaeDNSEvent | Detection Event involved a DNS-based connection |
| Instigating Process ImageFileSha256 | [varies] | SHA256 hash of the process that instigated the action |
| Instigating Process Name | [varies] | Name of the process that instigated the action |
| Instigating Process Owner | [varies] | User who owns the process that instigated the action |
| Resolved Address | [varies] | Resolved IP address for the domain |
| Resolved Address Count | [varies] | Number of resolved IP addresses for the domain |
| Severity | [varies] | Severity of the event: |
| Target Domain Name | [varies] | Target domain that was attempted to be resolved |
| Zone Names | [varies] | Zones that the device belongs to |
Example message for DNS-based detection events
9/27/19 0:31:07 Syslog.Warning 10.6.27.126 1 2019-09-27T00:31:04.2540000Z sysloghost CylanceOPTICS - - [Optics2.4SyslogTesting] Event Type: OpticsCaeDnsEvent, Event Name: OpticsCaeDnsEvent, Device Name: DEV-01, Zone Names: (Windows 10,10.45.*), Event Id: 7cd37028-4cba-4a81-b9bb-c1ebbef9a0a3, Severity: Informational, Description: v1-dnsrequest_tld2, Instigating Process Name: ICreateDnsRequests.exe, Instigating Process Owner: DEV-01//DevUser, Instigating Process ImageFileSha256: 839459355BC41EA0F85F1D15868DD6576C510677DA7DF4DFC00E317FE4C2C7F5, Target Domain Name: test.test, Resolved Address: Unknown, Resolved Address Count: 0, Device Id: 340d587c-1bbe-41d0-a330-24b12584fadc
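The following parser is an added example, not BlackBerry code and not part of the original page. It takes a syslog line in the format shown above and returns the documented fields as typed values. It splits the payload only at the documented field names, so the comma inside the Zone Names value "(Windows 10,10.45.*)" is not mistaken for a field separator. Three things are assumptions: the leading "9/27/19 0:31:07 Syslog.Warning 10.6.27.126" is treated as a prefix added by the receiving collector and ignored; the bracketed "[Optics2.4SyslogTesting]" token is captured but not interpreted; and a Resolved Address of "Unknown" with a count of 0 is treated as "no address returned". The parser accepts both the "OpticsCaeDNSEvent" spelling from the table and the "OpticsCaeDnsEvent" spelling from the example message.

```python
import json
import re
from typing import Dict, List

# Field names documented in the table above. Splitting the payload only at these
# names keeps commas inside values from being read as field separators.
DNS_EVENT_FIELDS = [
    "Description", "Device Id", "Device Name", "Event Id", "Event Name",
    "Event Type", "Instigating Process ImageFileSha256",
    "Instigating Process Name", "Instigating Process Owner",
    "Resolved Address", "Resolved Address Count", "Severity",
    "Target Domain Name", "Zone Names",
]

# Longest names first so "Resolved Address Count" is tried before "Resolved Address".
_FIELD_RE = re.compile(
    r"(?:^|, )(?P<name>"
    + "|".join(re.escape(f) for f in sorted(DNS_EVENT_FIELDS, key=len, reverse=True))
    + r"): "
)

# RFC 5424-style header as emitted in the example: version, timestamp, host,
# app name, proc id, msg id, a bracketed token, then the "Key: value" payload.
# Anything before the version digit (the collector's own prefix, assumed) is ignored.
_HEADER_RE = re.compile(
    r"(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) \[(?P<bracketed>[^\]]*)\] (?P<msg>Event Type: .*)$"
)


def split_fields(msg: str) -> Dict[str, str]:
    """Split a 'Key: value, Key: value' payload on documented field names only."""
    matches = list(_FIELD_RE.finditer(msg))
    if not matches or matches[0].start() != 0:
        raise ValueError("payload does not start with a documented field")
    fields: Dict[str, str] = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(msg)
        fields[m.group("name")] = msg[m.end():end]
    return fields


def parse_zone_names(value: str) -> List[str]:
    """'(Windows 10,10.45.*)' -> ['Windows 10', '10.45.*']."""
    inner = value.strip()
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    return [z.strip() for z in inner.split(",") if z.strip()]


def parse_dns_event(line: str) -> Dict[str, object]:
    """Parse one DNS-based detection event syslog line into typed fields."""
    h = _HEADER_RE.search(line)
    if not h:
        raise ValueError("no Optics event payload found in line")
    raw = split_fields(h.group("msg"))
    if raw.get("Event Type") not in ("OpticsCaeDNSEvent", "OpticsCaeDnsEvent"):
        raise ValueError("not a DNS-based detection event: %r" % raw.get("Event Type"))
    # Normalise the hash to lowercase and reject anything that is not 64 hex digits,
    # so a truncated or mangled hash never ends up in an allow/deny list.
    sha = raw.get("Instigating Process ImageFileSha256", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", sha):
        raise ValueError("malformed SHA256: %r" % sha)
    count = int(raw.get("Resolved Address Count", "0"))
    resolved = raw.get("Resolved Address", "Unknown")
    return {
        "timestamp": h.group("timestamp"),
        "sensor_host": h.group("host"),
        "event_id": raw["Event Id"],
        "device_id": raw["Device Id"],
        "device_name": raw["Device Name"],
        "zones": parse_zone_names(raw.get("Zone Names", "")),
        "severity": raw["Severity"],
        "rule": raw["Description"],
        "process_name": raw["Instigating Process Name"],
        "process_owner": raw["Instigating Process Owner"],
        "process_sha256": sha,
        "domain": raw["Target Domain Name"],
        # Assumption: "Unknown" with a count of 0 means no address was returned.
        "resolved_address": None if resolved == "Unknown" or count == 0 else resolved,
        "resolved_address_count": count,
    }


# The example message from the page, split across string literals only for line length.
SAMPLE_LINE = (
    "9/27/19 0:31:07 Syslog.Warning 10.6.27.126 1 2019-09-27T00:31:04.2540000Z "
    "sysloghost CylanceOPTICS - - [Optics2.4SyslogTesting] Event Type: OpticsCaeDnsEvent, "
    "Event Name: OpticsCaeDnsEvent, Device Name: DEV-01, Zone Names: (Windows 10,10.45.*), "
    "Event Id: 7cd37028-4cba-4a81-b9bb-c1ebbef9a0a3, Severity: Informational, "
    "Description: v1-dnsrequest_tld2, Instigating Process Name: ICreateDnsRequests.exe, "
    "Instigating Process Owner: DEV-01//DevUser, Instigating Process ImageFileSha256: "
    "839459355BC41EA0F85F1D15868DD6576C510677DA7DF4DFC00E317FE4C2C7F5, "
    "Target Domain Name: test.test, Resolved Address: Unknown, Resolved Address Count: 0, "
    "Device Id: 340d587c-1bbe-41d0-a330-24b12584fadc"
)

if __name__ == "__main__":
    print(json.dumps(parse_dns_event(SAMPLE_LINE), indent=2))
```

Running the block prints the example event as JSON with the zone list, integer address count and lowercased hash, which is the shape a SIEM ingestion step would want before correlating the Target Domain Name and process hash against other telemetry.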