BlackBerry Optics log-based detection events
These events occur when a detection event that includes a log-based artifact is triggered.
Field | Value | Description |
---|---|---|
Description | [varies] | Name of the Detection Rule that was triggered |
Device Id | [varies] | Unique ID for the device |
Device Name | [varies] | Name of the device on which the Detection Event occurred |
Event Id | [varies] | Unique ID for the Detection Event |
Event Name | OpticsCaeLogEvent | Detection Event involved a Log-based connection |
Event Type | OpticsCaeLogEvent | Detection Event involved a Log-based connection |
Instigating Process ImageFileSha256 | [varies] | SHA256 hash of the process that instigated the action |
Instigating Process Name | [varies] | Name of the process that instigated the action |
Instigating Process Owner | [varies] | User who owns the process that instigated the action |
Security Provider | [varies] | Name of the service which generated the Windows Event Log message |
Severity | [varies] | Severity of the event |
Windows Event ID | [varies] | Numerical Windows Event ID associated with the Windows Event |
Zone Names | [varies] | Zones that the device belongs to |
Example message for log-based detection events
9/27/19 0:30:29 Syslog.Warning 10.6.27.126 1 2019-09-27T00:30:26.9950000Z sysloghost CylanceOPTICS - - [Optics2.4SyslogTesting] Event Type: OpticsCaeLogEvent, Event Name: OpticsCaeLogEvent, Device Name: DEV-01, Zone Names: (Windows 10,10.45.*), Event Id: 3b53b1d1-f23b-46b3-a6b4-b1547a4461c7, Severity: Informational, Description: WindowsEvent Rule - Logon, Instigating Process Name: services.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: BE42E4A901D6AC8885882D2CD9372A64023794428E0AC8CC87EE3121DD5DC402, Windows Event Id: 4624, Security Provider: SecurityAuditProvider, Device Id: 340d587c-1bbe-41d0-a330-24b12584fadc
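As an added example that is not part of the BlackBerry documentation, the following Python parser turns the message above into typed fields. It splits the body only at documented field labels, so comma-bearing values such as Zone Names survive intact, validates the SHA256 and Windows Event ID, and assumes the collector prefix and RFC 5424-style header are laid out exactly as in the example.

```python
import re

# Field labels documented in the table above.
FIELDS = ["Event Type", "Event Name", "Device Name", "Zone Names", "Event Id",
          "Severity", "Description", "Instigating Process Name", "Instigating Process Owner",
          "Instigating Process ImageFileSha256", "Windows Event Id", "Security Provider",
          "Device Id"]
# Locate the CylanceOPTICS body behind the RFC 5424-style header
# "<ver> <timestamp> <host> CylanceOPTICS - - [<structured data>] " (assumed
# to match the example above; the collector prefix before it is ignored).
BODY_RE = re.compile(r"\d (?P<timestamp>\S+) (?P<host>\S+) CylanceOPTICS \S+ \S+ "
                     r"\[[^\]]*\] (?P<body>Event Type: .*)$")
# Split only at ", " followed by a documented label and ": ", so comma-bearing
# values such as "Zone Names: (Windows 10,10.45.*)" stay whole.
SPLIT_RE = re.compile(r", (?=(?:%s): )" % "|".join(map(re.escape, FIELDS)))
SHA256_RE = re.compile(r"^[0-9A-Fa-f]{64}$")

# Sample input: the example message from this page.
EXAMPLE_LINE = (
    "9/27/19 0:30:29 Syslog.Warning 10.6.27.126 1 2019-09-27T00:30:26.9950000Z sysloghost "
    "CylanceOPTICS - - [Optics2.4SyslogTesting] Event Type: OpticsCaeLogEvent, Event Name: "
    "OpticsCaeLogEvent, Device Name: DEV-01, Zone Names: (Windows 10,10.45.*), Event Id: "
    "3b53b1d1-f23b-46b3-a6b4-b1547a4461c7, Severity: Informational, Description: WindowsEvent "
    "Rule - Logon, Instigating Process Name: services.exe, Instigating Process Owner: "
    "NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: "
    "BE42E4A901D6AC8885882D2CD9372A64023794428E0AC8CC87EE3121DD5DC402, Windows Event Id: 4624, "
    "Security Provider: SecurityAuditProvider, Device Id: 340d587c-1bbe-41d0-a330-24b12584fadc"
)

def parse_optics_log_event(line: str) -> dict:
    """Parse one OpticsCaeLogEvent syslog line; raise ValueError on malformed input."""
    m = BODY_RE.search(line)
    if not m:
        raise ValueError("no CylanceOPTICS message body found")
    event = {"host": m["host"], "timestamp": m["timestamp"]}
    for segment in SPLIT_RE.split(m["body"]):
        label, sep, value = segment.partition(": ")
        if not sep or label not in FIELDS:
            raise ValueError(f"unexpected field segment: {segment!r}")
        event[label] = value
    for required in ("Windows Event Id", "Instigating Process ImageFileSha256", "Zone Names"):
        if required not in event:
            raise ValueError(f"missing field: {required}")
    event["Windows Event Id"] = int(event["Windows Event Id"])  # ValueError if not numeric
    if not SHA256_RE.match(event["Instigating Process ImageFileSha256"]):
        raise ValueError("ImageFileSha256 is not a 64-hex-digit SHA256")
    # Zone Names arrive as "(zone1,zone2)"; expose them as a list.
    event["Zone Names"] = [z for z in event["Zone Names"].strip("()").split(",") if z]
    return event
```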