
BlackBerry Optics registry-based detection events

These events occur when a Detection Event that includes a Registry Process artifact is triggered.
Field | Value | Description
Description | [varies] | Name of the detection rule that was triggered
Device Id | [varies] | Unique ID for the device
Device Name | [varies] | Name of the device on which the Detection Event occurred
Event Id | [varies] | Unique ID for the Detection Event
Event Name | OpticsCaeRegistryEvent | Detection Event involved a Target Registry item
Event Type | OpticsCaeRegistryEvent | Detection Event involved a Target Registry item
Instigating Process ImageFileSha256 | [varies] | SHA256 hash of the process that instigated the action
Instigating Process Name | [varies] | Name of the process that instigated the action
Instigating Process Owner | [varies] | User who owns the process that instigated the action
Severity | [varies] | Severity of the event: High: a malicious event that requires immediate attention; Medium: a suspicious event that should be reviewed; Low: an important event, but may not be malicious; Info: an observed event
Target Registry KeyPath | [varies] | Path of the registry key that was acted upon (created, written, overwritten, or deleted)
Target Registry ValueName | [varies] | Value name of the registry item that was acted upon (created, written, overwritten, or deleted)
Zone Names | [varies] | Zones that the device belongs to
Example message for registry-based detection events
Event Type: OpticsCaeRegistryEvent, Event Name: OpticsCaeRegistryEvent, Device Name: OPTICS-DEMO-2, Zone Names: (Zone1, Zone2), Event Id: b70da00c-78f4-400f-9b81-25aee339c4ed, Severity: Low, Description: Detect Suspect_Key Persistence, Instigating Process Name: reg.exe, Instigating Process Owner: CYLANCE/mmorin, Instigating Process ImageFileSha256: 4E66B857B7010DB8D4E4E28D73EB81A99BD6915350BB9A63CD86671051B22F0E, Target Registry KeyPath: HKLM\software\microsoft\windows\currentversion\run, Target Registry ValueName: suspect_key, Device Id: e378dacb-9324-453a-b8c6-5a8406952195
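The message above is a flat "Label: value, Label: value" string, and a naive split on ", " breaks on the parenthesised Zone Names list. The following parser, added here as an example and not part of the BlackBerry documentation or product, splits on the documented field labels instead, turns Zone Names into a list, and produces a small triage record for a SIEM pipeline. The AUTORUN_KEY_SUFFIXES list, the SEVERITY_RANK mapping and the second sample message are constructed for this example; the first sample is the message from the documentation.

```python
import re

# Field labels exactly as documented in the table above (assumed to be the
# complete set emitted for OpticsCaeRegistryEvent).
FIELDS = [
    "Event Type", "Event Name", "Device Name", "Zone Names", "Event Id",
    "Severity", "Description", "Instigating Process Name",
    "Instigating Process Owner", "Instigating Process ImageFileSha256",
    "Target Registry KeyPath", "Target Registry ValueName", "Device Id",
]

# A label only counts at the start of the message or after ", ", so a
# value that happens to contain a label word is not split.
_LABEL_RE = re.compile(
    r"(?:^|, )("
    + "|".join(re.escape(f) for f in sorted(FIELDS, key=len, reverse=True))
    + r"): "
)

# Constructed for this example: registry key suffixes that are autostart
# locations; extend from your own detection content.
AUTORUN_KEY_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
)

# Constructed ordering of the four documented severities.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}

# Sample 1 is the documentation's own example message.
SAMPLE_MESSAGE = (
    "Event Type: OpticsCaeRegistryEvent, Event Name: OpticsCaeRegistryEvent, "
    "Device Name: OPTICS-DEMO-2, Zone Names: (Zone1, Zone2), "
    "Event Id: b70da00c-78f4-400f-9b81-25aee339c4ed, Severity: Low, "
    "Description: Detect Suspect_Key Persistence, Instigating Process Name: reg.exe, "
    "Instigating Process Owner: CYLANCE/mmorin, Instigating Process ImageFileSha256: "
    "4E66B857B7010DB8D4E4E28D73EB81A99BD6915350BB9A63CD86671051B22F0E, "
    "Target Registry KeyPath: HKLM\\software\\microsoft\\windows\\currentversion\\run, "
    "Target Registry ValueName: suspect_key, Device Id: e378dacb-9324-453a-b8c6-5a8406952195"
)

# Sample 2 is constructed: no zones, non-autorun key, Info severity.
CONSTRUCTED_MESSAGE = (
    "Event Type: OpticsCaeRegistryEvent, Event Name: OpticsCaeRegistryEvent, "
    "Device Name: HOST-EXAMPLE, Zone Names: (), "
    "Event Id: 00000000-0000-0000-0000-000000000001, Severity: Info, "
    "Description: Example Rule, Instigating Process Name: example.exe, "
    "Instigating Process Owner: EXAMPLE/user, Instigating Process ImageFileSha256: "
    "0000000000000000000000000000000000000000000000000000000000000000, "
    "Target Registry KeyPath: HKCU\\software\\example\\settings, "
    "Target Registry ValueName: option, Device Id: 00000000-0000-0000-0000-000000000002"
)


def parse_registry_event(message: str) -> dict:
    """Split an OpticsCaeRegistryEvent message into a dict keyed by label.

    Each value runs from the end of its label to the start of the next
    known label, so commas inside a value are preserved.
    """
    matches = list(_LABEL_RE.finditer(message))
    if not matches:
        raise ValueError("no known field labels found in message")
    event = {}
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(message)
        event[m.group(1)] = message[start:end].strip()
    # "(Zone1, Zone2)" -> ["Zone1", "Zone2"]; "()" -> []
    zones = event.get("Zone Names", "")
    if zones.startswith("(") and zones.endswith(")"):
        event["Zone Names"] = [z.strip() for z in zones[1:-1].split(",") if z.strip()]
    return event


def triage(event: dict) -> dict:
    """Derive a compact triage record: severity rank and whether the key
    written is an autostart location (an analyst's first question for a
    registry persistence rule)."""
    key = event.get("Target Registry KeyPath", "").lower().rstrip("\\")
    return {
        "event_id": event.get("Event Id"),
        "device": event.get("Device Name"),
        "severity_rank": SEVERITY_RANK.get(event.get("Severity"), -1),
        "autorun_key": any(key.endswith(s) for s in AUTORUN_KEY_SUFFIXES),
        "process": event.get("Instigating Process Name"),
        "owner": event.get("Instigating Process Owner"),
        "value_name": event.get("Target Registry ValueName"),
    }


if __name__ == "__main__":
    for msg in (SAMPLE_MESSAGE, CONSTRUCTED_MESSAGE):
        print(triage(parse_registry_event(msg)))
```

Because the parser anchors on the documented labels rather than on commas, a value such as Zone Names or a Description containing ", " parses correctly; if BlackBerry adds fields, extend FIELDS and nothing else changes.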