
BlackBerry Optics log-based detection events

These events occur when a detection event that includes a log-based artifact is triggered.
| Field | Value | Description |
| --- | --- | --- |
| Description | [varies] | Name of the Detection Rule that was triggered |
| Device Id | [varies] | Unique ID for the device |
| Device Name | [varies] | Name of the device on which the Detection Event occurred |
| Event Id | [varies] | Unique ID for the Detection Event |
| Event Name | OpticsCaeLogEvent | Detection Event involved a Log-based connection |
| Event Type | OpticsCaeLogEvent | Detection Event involved a Log-based connection |
| Instigating Process ImageFileSha256 | [varies] | SHA256 hash of the process that instigated the action |
| Instigating Process Name | [varies] | Name of the process that instigated the action |
| Instigating Process Owner | [varies] | User who owns the process that instigated the action |
| Security Provider | [varies] | Name of the service which generated the Windows Event Log message |
| Severity | [varies] | Severity of the event: High: a malicious event that requires immediate attention; Medium: a suspicious event that should be reviewed; Low: an important event, but may not be malicious; Info: an observed event. |
| Windows Event ID | [varies] | Numerical Windows Event ID associated with the Windows Event |
| Zone Names | [varies] | Zones that the device belongs to |
Example message for log-based detection events
9/27/19 0:30:29 Syslog.Warning 10.6.27.126 1 2019-09-27T00:30:26.9950000Z sysloghost CylanceOPTICS - - [Optics2.4SyslogTesting] Event Type: OpticsCaeLogEvent, Event Name: OpticsCaeLogEvent, Device Name: DEV-01, Zone Names: (Windows 10,10.45.*), Event Id: 3b53b1d1-f23b-46b3-a6b4-b1547a4461c7, Severity: Informational, Description: WindowsEvent Rule - Logon, Instigating Process Name: services.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: BE42E4A901D6AC8885882D2CD9372A64023794428E0AC8CC87EE3121DD5DC402, Windows Event Id: 4624, Security Provider: SecurityAuditProvider, Device Id: 340d587c-1bbe-41d0-a330-24b12584fadc
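The fields above arrive as a single "Key: value, Key: value" string after the syslog header, and a naive split on commas breaks on values such as `Zone Names: (Windows 10,10.45.*)`. The parser below is an added example (not BlackBerry's code) that extracts the fields from the page's example message, checks that the fields the table defines are present, and applies the Severity definitions; the message is embedded as a constructed sample, and the treatment of "Informational" as an alias of "Info" is an assumption drawn from the example message differing from the table.

```python
import re

# Constructed sample input: the example message from this page, wrapped for readability.
SAMPLE_LINE = (
    "9/27/19 0:30:29 Syslog.Warning 10.6.27.126 1 2019-09-27T00:30:26.9950000Z "
    "sysloghost CylanceOPTICS - - [Optics2.4SyslogTesting] Event Type: OpticsCaeLogEvent, "
    "Event Name: OpticsCaeLogEvent, Device Name: DEV-01, Zone Names: (Windows 10,10.45.*), "
    "Event Id: 3b53b1d1-f23b-46b3-a6b4-b1547a4461c7, Severity: Informational, "
    "Description: WindowsEvent Rule - Logon, Instigating Process Name: services.exe, "
    "Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: "
    "BE42E4A901D6AC8885882D2CD9372A64023794428E0AC8CC87EE3121DD5DC402, "
    "Windows Event Id: 4624, Security Provider: SecurityAuditProvider, "
    "Device Id: 340d587c-1bbe-41d0-a330-24b12584fadc"
)

# Fields from the reference table that a parser should refuse to proceed without.
REQUIRED = ("Event Type", "Event Name", "Device Id", "Event Id", "Severity",
            "Description", "Windows Event Id", "Security Provider")

# "Key: value" pairs separated by ", ". A value runs until the next ", Key: " begins, so the
# bare comma inside "Zone Names: (Windows 10,10.45.*)" stays part of the value.
PAIR_RE = re.compile(r"(?P<key>[A-Za-z][A-Za-z0-9 ]*?): (?P<value>.*?)(?=, [A-Za-z][A-Za-z0-9 ]*: |$)")
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z")

# The table lists "Info"; the example message says "Informational". Accept both (assumption).
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0, "informational": 0}

def parse_optics_log_event(line: str) -> dict:
    """Extract the Optics fields (plus the RFC 5424 timestamp) from one syslog line."""
    start = line.find("Event Type: ")
    if start < 0:
        raise ValueError("not an Optics detection event line")
    fields = {m.group("key"): m.group("value").strip() for m in PAIR_RE.finditer(line[start:])}
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    ts = TS_RE.search(line[:start])
    fields["Timestamp"] = ts.group(0) if ts else None
    # Normalise the values a SIEM pivots on: hash case and the numeric Windows Event ID.
    fields["Instigating Process ImageFileSha256"] = fields.get("Instigating Process ImageFileSha256", "").lower()
    fields["Windows Event Id"] = int(fields["Windows Event Id"])
    return fields

def needs_review(event: dict) -> bool:
    """Per the Severity definitions, High and Medium are the events to act on."""
    sev = event["Severity"].lower()
    if sev not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {event['Severity']!r}")
    return SEVERITY_RANK[sev] >= SEVERITY_RANK["medium"]
```

Calling `parse_optics_log_event(SAMPLE_LINE)` returns the example's fields with `Windows Event Id` as the integer 4624 and the hash lower-cased; `needs_review` is False for this Informational event.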