
BlackBerry Optics
PowerShell trace detection events

These events occur when a Detection Event that includes a PowerShell Trace artifact is triggered.
| Field | Value | Description |
| --- | --- | --- |
| Description | [varies] | Name of the Detection Rule that was triggered |
| Device Id | [varies] | Unique ID for the device |
| Device Name | [varies] | Name of the device on which the Detection Event occurred |
| Event Id | [varies] | Unique ID for the Detection Event |
| Event Name | OpticsCaePowershellTraceEvent | Detection Event involved a PowerShell trace |
| Event Type | OpticsCaePowershellTraceEvent | Detection Event involved a PowerShell trace |
| Instigating Process ImageFileSha256 | [varies] | SHA256 hash of the process that instigated the action |
| Instigating Process Name | [varies] | Name of the process that instigated the action |
| Instigating Process Owner | [varies] | User who owns the process that instigated the action |
| Payload | [varies] | PowerShell modules and/or arguments that were passed to the PowerShell interpreter |
| Payload Length | [varies] | Length of the observed Payload field |
| Script Block Length | [varies] | Length of the observed Script Block Text field |
| Script Block Text | [varies] | Content of a PowerShell script or module that was loaded or executed by the PowerShell interpreter |
| Severity | [varies] | Severity of the event. High: a malicious event that requires immediate attention. Medium: a suspicious event that should be reviewed. Low: an important event, but it may not be malicious. Info: an observed event. |
| Zone Names | [varies] | Zones that the device belongs to |
Example message for PowerShell trace detection events
9/27/19 0:31:10 Syslog.Warning 10.6.27.126 1 2019-09-27T00:31:06.3840000Z sysloghost CylanceOPTICS - - [Optics2.4SyslogTesting] Event Type: OpticsCaePowershellTraceEvent, Event Name: OpticsCaePowershellTraceEvent, Device Name: DEV-01, Zone Names: (Windows 10,10.45.*), Event Id: 11fbfe57-364d-48bb-a0c5-291d69e1b1c3, Severity: Informational, Description: Basic PowerShell ScreenShot Rule, Instigating Process Name: powershell.exe, Instigating Process Owner: DEVICE-01//DeviceUser, Instigating Process ImageFileSha256: D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677, Script Block Text: function screenshot([Drawing.Rectangle]$bounds, $path){ $bmp = New-Object Drawing.Bitmap $bounds, Script Block Length: 320, Payload: None, Payload Length: 0, Device Id: 340d587c-1bbe-41d0-a330-24b12584fadc
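As an added example that is not part of the BlackBerry documentation, the Python below parses this message format using the documented field names as delimiters (Script Block Text and Payload can themselves contain ", " and ": ", so a plain comma split breaks) and then cross-checks the declared lengths against what actually arrived. The field names and the sample line are taken from this page; the function names are my own.

```python
import re
# Documented field names for OpticsCaePowershellTraceEvent; they act as delimiters because
# Script Block Text and Payload may themselves contain ", " and ": ".
FIELDS = ["Event Type", "Event Name", "Device Name", "Zone Names", "Event Id", "Severity",
          "Description", "Instigating Process Name", "Instigating Process Owner",
          "Instigating Process ImageFileSha256", "Script Block Text", "Script Block Length",
          "Payload", "Payload Length", "Device Id"]
# Longest names first so "Payload Length" is tried before "Payload".
_KEY_RE = re.compile(r"(?:^|, )(" + "|".join(
    re.escape(f) for f in sorted(FIELDS, key=len, reverse=True)) + r"): ")

# The page's example message, copied verbatim (adjacent string literals are joined).
SAMPLE = (
    "9/27/19 0:31:10 Syslog.Warning 10.6.27.126 1 2019-09-27T00:31:06.3840000Z sysloghost "
    "CylanceOPTICS - - [Optics2.4SyslogTesting] Event Type: OpticsCaePowershellTraceEvent, "
    "Event Name: OpticsCaePowershellTraceEvent, Device Name: DEV-01, Zone Names: (Windows 10,10.45.*), "
    "Event Id: 11fbfe57-364d-48bb-a0c5-291d69e1b1c3, Severity: Informational, "
    "Description: Basic PowerShell ScreenShot Rule, Instigating Process Name: powershell.exe, "
    "Instigating Process Owner: DEVICE-01//DeviceUser, Instigating Process ImageFileSha256: "
    "D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677, "
    "Script Block Text: function screenshot([Drawing.Rectangle]$bounds, $path){ $bmp = New-Object "
    "Drawing.Bitmap $bounds, Script Block Length: 320, Payload: None, Payload Length: 0, "
    "Device Id: 340d587c-1bbe-41d0-a330-24b12584fadc")

def parse_event(line: str) -> dict:
    """Return the documented fields of one Optics syslog line as a dict."""
    start = line.find("Event Type: ")          # structured data begins at the first field
    if start < 0:
        raise ValueError("not an Optics detection event")
    body = line[start:]
    keys = list(_KEY_RE.finditer(body))
    fields = {}
    for i, m in enumerate(keys):                # each value runs up to the next known key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        fields[m.group(1)] = body[m.end():end]
    return fields

def check_event(fields: dict) -> list:
    """Consistency checks worth running before pivoting on the parsed values."""
    findings = []
    text = fields.get("Script Block Text", "")
    declared = int(fields.get("Script Block Length", "0"))
    if len(text) < declared:                    # forwarder or collector truncated the script
        findings.append(f"script block truncated: {len(text)} of {declared} chars present")
    payload = fields.get("Payload", "None")     # "None" marks an absent payload
    if payload != "None" and len(payload) != int(fields.get("Payload Length", "0")):
        findings.append("payload length does not match Payload Length")
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", fields.get("Instigating Process ImageFileSha256", "")):
        findings.append("Instigating Process ImageFileSha256 is not a SHA256 hex digest")
    return findings
```

On the page's sample the script block arrives with far fewer than the declared 320 characters, so the check reports truncation; that is the signal to pull the full script block from the Optics console rather than alert on the fragment.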