BlackBerry Optics
file-based detection events

These events occur when a Detection Event that includes a target-file artifact is triggered.
| Field | Value | Description |
| --- | --- | --- |
| Description | [varies] | Name of the Detection Rule that was triggered |
| Device Id | [varies] | Unique ID for the device |
| Device Name | [varies] | Name of the device on which the Detection Event occurred |
| Event Id | [varies] | Unique ID for the Detection Event |
| Event Name | OpticsCaeFileEvent | Detection Event involved a Target File |
| Event Type | OpticsCaeFileEvent | Detection Event involved a Target File |
| Instigating Process ImageFileSha256 | [varies] | SHA256 hash of the process that instigated the action |
| Instigating Process Name | [varies] | Name of the process that instigated the action |
| Instigating Process Owner | [varies] | User who owns the process that instigated the action |
| Severity | [varies] | Severity of the event: • High: A malicious event that requires immediate attention. • Medium: A suspicious event that should be reviewed. • Low: An important event, but may not be malicious. • Info: An observed event. |
| Target File Sha256 | [varies] | SHA256 hash of the file that was acted upon (created, written, overwritten, or deleted). SHA256 hashes are not available for all file types. |
| Target File Path | [varies] | Path of the file that was acted upon (created, written, overwritten, or deleted) |
| Target File Owner | [varies] | Owner of the file that was acted upon (created, written, overwritten, or deleted) |
| Zone Names | [varies] | Zones that the device belongs to |

Example message for file-based detection events
Event Type: OpticsCaeFileEvent, Event Name: OpticsCaeFileEvent, Device Name: OPTICS-DEMO-2, Zone Names: (Zone1, Zone2), Event Id: b401cb01-ee5e-44af-b094-fa9777c2975a, Severity: Low, Description: Microsoft Office WLL/XLL RCE, Instigating Process Name: WINWORD.EXE, Instigating Process Owner: CYLANCE/mmorin, Instigating Process ImageFileSha256: 5BBCF5C59544169FB1C199525BBF57A5BBD827202EA2C68D3143130AB2D60A88, Target File Path: c:\users\mmorin\appdata\local\microsoft\office\suspect.wll, Target File Owner: CYLANCE/mmorin, Target File Sha256: 5BBCF5C59544169FB1C199525BBF57A5BBD827202EA2C68D3143130AB2D60A88, Device Id: e378dacb-9324-453a-b8c6-5a8406952195
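
The following parser is an added example, not BlackBerry code. It shows one way to turn the message body above into a structured record for a SIEM pipeline without breaking on commas inside values such as Zone Names. The function name parse_file_event is hypothetical, and the input is assumed to be the message body exactly as shown, with any syslog header already removed.

```python
import re

# Field names exactly as listed in the table on this page.
FIELDS = [
    "Description", "Device Id", "Device Name", "Event Id", "Event Name",
    "Event Type", "Instigating Process ImageFileSha256",
    "Instigating Process Name", "Instigating Process Owner", "Severity",
    "Target File Sha256", "Target File Path", "Target File Owner", "Zone Names",
]
# A key counts only at the start of the message or after ", ", so commas inside
# a value (for example the Zone Names list) do not split the record.
KEY_RE = re.compile(r"(?:^|, )(" + "|".join(map(re.escape, FIELDS)) + r"): ")
SHA256_RE = re.compile(r"[0-9A-Fa-f]{64}")
SEVERITIES = {"High", "Medium", "Low", "Info"}

def parse_file_event(message):
    """Parse one OpticsCaeFileEvent message body into a dict."""
    hits = list(KEY_RE.finditer(message))
    event = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(message)
        event[m.group(1)] = message[m.end():end].strip()
    if event.get("Event Type") != "OpticsCaeFileEvent":
        raise ValueError("not a file-based detection event")
    if event.get("Severity") not in SEVERITIES:
        raise ValueError("unexpected Severity value")
    # Zone Names arrives as "(Zone1, Zone2)"; turn it into a list.
    zones = event.get("Zone Names", "").strip("()")
    event["Zone Names"] = [z.strip() for z in zones.split(",") if z.strip()]
    # SHA256 hashes are not available for all file types: normalise to
    # lowercase when well-formed, otherwise store None.
    for key in ("Target File Sha256", "Instigating Process ImageFileSha256"):
        value = event.get(key, "")
        event[key] = value.lower() if SHA256_RE.fullmatch(value) else None
    return event

# The example message from this page, split across lines for readability.
SAMPLE = (
    r"Event Type: OpticsCaeFileEvent, Event Name: OpticsCaeFileEvent, "
    r"Device Name: OPTICS-DEMO-2, Zone Names: (Zone1, Zone2), "
    r"Event Id: b401cb01-ee5e-44af-b094-fa9777c2975a, Severity: Low, "
    r"Description: Microsoft Office WLL/XLL RCE, Instigating Process Name: WINWORD.EXE, "
    r"Instigating Process Owner: CYLANCE/mmorin, Instigating Process ImageFileSha256: "
    r"5BBCF5C59544169FB1C199525BBF57A5BBD827202EA2C68D3143130AB2D60A88, "
    r"Target File Path: c:\users\mmorin\appdata\local\microsoft\office\suspect.wll, "
    r"Target File Owner: CYLANCE/mmorin, Target File Sha256: "
    r"5BBCF5C59544169FB1C199525BBF57A5BBD827202EA2C68D3143130AB2D60A88, "
    r"Device Id: e378dacb-9324-453a-b8c6-5a8406952195"
)
```

Splitting on the known field names rather than on every comma keeps the record intact when a rule name or zone list contains a comma.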