Skip Navigation
  1. BlackBerry Docs
  2. Cylance products
  3. BlackBerry Syslog Guide
  4. BlackBerry Optics detection events
  5. BlackBerry Optics Powershell trace detection events

BlackBerry Optics
 Powershell trace detection events

These events occur when a Detection Event that includes a Powershell Trace artifact is triggered.
Field
Value
Description
Description
[varies]
Name of the Detection Rule that was triggered
Device Id
[varies]
Unique ID for the device
Device Name
[varies]
Name of the device on which the Detection Event occurred
Event Id
[varies]
Unique ID for the Detection Event
Event Name
OpticsCaePowershellTraceEvent
Detection Event involved a Powershell trace
Event Type
OpticsCaePowershellTraceEvent
Detection Event involved a Powershell trace
Instigating Process ImageFileSha256
[varies]
SHA256 hash of the process that instigated the action
Instigating Process Name
[varies]
Name of the process that instigated the action
Instigating Process Owner
[varies]
User who owns the process that instigated the action
Payload
[varies]
Powershell modules and/or arguments that were passed into the Powershell interpreter
Payload Length
[varies]
Length of the observed Powershell Payload field
Script Block Length
[varies]
Length of the observed Powershell Script Block Text field
Script Block Text
[varies]
Content of a Powershell script or module that was loaded or executed by the Powershell interpreter
Severity
[varies]
Severity of the event:
  • High: A malicious event that requires immediate attention.
  • Medium: A suspicious event that should be reviewed.
  • Low: An important event, but may not be malicious.
  • Info: An observed event.
Zone Names
[varies]
Zones that the device belongs to
Example message for Powershell trace detection events
9/27/19 0:31:10 Syslog.Warning 10.6.27.126 1 2019-09-27T00:31:06.3840000Z sysloghost CylanceOPTICS - - [Optics2.4SyslogTesting] Event Type: OpticsCaePowershellTraceEvent, Event Name: OpticsCaePowershellTraceEvent, Device Name: DEV-01, Zone Names: (Windows 10,10.45.*), Event Id: 11fbfe57-364d-48bb-a0c5-291d69e1b1c3, Severity: Informational, Description: Basic PowerShell ScreenShot Rule, Instigating Process Name: powershell.exe, Instigating Process Owner: DEVICE-01//DeviceUser, Instigating Process ImageFileSha256: D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677, Script Block Text: function screenshot([Drawing.Rectangle]$bounds, $path){ $bmp = New-Object Drawing.Bitmap $bounds, Script Block Length: 320, Payload: None, Payload Length: 0, Device Id: 340d587c-1bbe-41d0-a330-24b12584fadc