BlackBerry Optics registry-based detection events

These events occur when a Detection Event that includes a Registry Process artifact is triggered.
| Field | Value | Description |
|---|---|---|
| Description | [varies] | Name of the detection rule that was triggered |
| Device Id | [varies] | Unique ID for the device |
| Device Name | [varies] | Name of the device on which the Detection Event occurred |
| Event Id | [varies] | Unique ID for the Detection Event |
| Event Name | OpticsCaeRegistryEvent | Detection Event involved a Target Registry item |
| Event Type | OpticsCaeRegistryEvent | Detection Event involved a Target Registry item |
| Instigating Process ImageFileSha256 | [varies] | SHA256 hash of the process that instigated the action |
| Instigating Process Name | [varies] | Name of the process that instigated the action |
| Instigating Process Owner | [varies] | User who owns the process that instigated the action |
| Severity | [varies] | Severity of the event |
| Target Registry KeyPath | [varies] | Path of the registry key that was acted upon (created, written, overwritten, or deleted) |
| Target Registry ValueName | [varies] | Value name of the registry item that was acted upon (created, written, overwritten, or deleted) |
| Zone Names | [varies] | Zones that the device belongs to |
Example message for registry-based detection events
Event Type: OpticsCaeRegistryEvent, Event Name: OpticsCaeRegistryEvent, Device Name: OPTICS-DEMO-2, Zone Names: (Zone1, Zone2), Event Id: b70da00c-78f4-400f-9b81-25aee339c4ed, Severity: Low, Description: Detect Suspect_Key Persistence, Instigating Process Name: reg.exe, Instigating Process Owner: CYLANCE/mmorin, Instigating Process ImageFileSha256: 4E66B857B7010DB8D4E4E28D73EB81A99BD6915350BB9A63CD86671051B22F0E, Target Registry KeyPath: HKLM\software\microsoft\windows\currentversion\run, Target Registry ValueName: suspect_key, Device Id: e378dacb-9324-453a-b8c6-5a8406952195
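As an added example (not part of the BlackBerry documentation), the following Python parser handles the message format shown above by splitting at the documented field labels rather than at every comma, so the parenthesised Zone Names list and the free-text Description survive intact, and then flags events whose Target Registry KeyPath is a Run/RunOnce autostart location. The field labels come from the table; the Run/RunOnce suffix list is an assumption for illustration, not something the page defines.

```python
import re
from typing import Dict, List, Union

# Constructed sample: the page's example message, embedded so the parser runs offline.
SAMPLE_MESSAGE = (
    "Event Type: OpticsCaeRegistryEvent, Event Name: OpticsCaeRegistryEvent, "
    "Device Name: OPTICS-DEMO-2, Zone Names: (Zone1, Zone2), "
    "Event Id: b70da00c-78f4-400f-9b81-25aee339c4ed, Severity: Low, "
    "Description: Detect Suspect_Key Persistence, Instigating Process Name: reg.exe, "
    "Instigating Process Owner: CYLANCE/mmorin, Instigating Process ImageFileSha256: "
    "4E66B857B7010DB8D4E4E28D73EB81A99BD6915350BB9A63CD86671051B22F0E, "
    "Target Registry KeyPath: HKLM\\software\\microsoft\\windows\\currentversion\\run, "
    "Target Registry ValueName: suspect_key, Device Id: e378dacb-9324-453a-b8c6-5a8406952195"
)

# Field labels exactly as documented in the table. Splitting at labels rather than at
# every comma keeps comma-bearing values intact (Zone Names list, free-text Description).
FIELDS = [
    "Event Type", "Event Name", "Device Name", "Zone Names", "Event Id",
    "Severity", "Description", "Instigating Process Name",
    "Instigating Process Owner", "Instigating Process ImageFileSha256",
    "Target Registry KeyPath", "Target Registry ValueName", "Device Id",
]
_LABEL_RE = re.compile(r"(?:^|, )(" + "|".join(map(re.escape, FIELDS)) + r"): ")

# Assumed autostart keys a persistence rule typically covers; the example acts on HKLM ...\Run.
AUTORUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

def parse_registry_event(message: str) -> Dict[str, Union[str, List[str]]]:
    """Parse one OpticsCaeRegistryEvent message into a field dictionary."""
    labels = list(_LABEL_RE.finditer(message))
    event: Dict[str, Union[str, List[str]]] = {}
    for i, m in enumerate(labels):  # each value runs from its label to the next label
        end = labels[i + 1].start() if i + 1 < len(labels) else len(message)
        event[m.group(1)] = message[m.end():end]
    zones = event.get("Zone Names", "")
    if isinstance(zones, str) and zones.startswith("(") and zones.endswith(")"):
        event["Zone Names"] = [z.strip() for z in zones[1:-1].split(",") if z.strip()]
    sha = event.get("Instigating Process ImageFileSha256")
    if isinstance(sha, str):  # lower-case so the hash matches lower-case IOC lists
        event["Instigating Process ImageFileSha256"] = sha.lower()
    return event

def targets_autorun_key(event: Dict[str, Union[str, List[str]]]) -> bool:
    """True when the acted-upon key is a Run/RunOnce autostart location (case-insensitive)."""
    key_path = str(event.get("Target Registry KeyPath", "")).lower().rstrip("\\")
    return key_path.endswith(AUTORUN_KEY_SUFFIXES)
```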