BlackBerry Optics process-based detection events
These events occur when a Detection Event that includes a Target Process artifact is triggered.
Field | Value | Description |
---|---|---|
Description | [varies] | Name of the Detection Rule that was triggered |
Device Id | [varies] | Unique ID for the device |
Device Name | [varies] | Name of the device on which the Detection Event occurred |
Event Id | [varies] | Unique ID for the Detection Event |
Event Name | OpticsCaeProcessEvent | Detection Event involved a Target Process |
Event Type | OpticsCaeProcessEvent | Detection Event involved a Target Process |
Instigating Process ImageFileSha256 | [varies] | SHA256 hash of the process that instigated the action |
Instigating Process Name | [varies] | Name of the process that instigated the action |
Instigating Process Owner | [varies] | User who owns the process that instigated the action |
Severity | [varies] | Severity of the event: |
Target Process ImageFileSha256 | [varies] | SHA256 hash of the process that was started or terminated |
Target Process Name | [varies] | Name of the process that was started or terminated |
Target Process Owner | [varies] | User who owns the process that was started or terminated |
Zone Names | [varies] | Zones that the device belongs to |
Example message for process-based detection events
Event Type: OpticsCaeProcessEvent, Event Name: OpticsCaeProcessEvent, Device Name: OPTICS-DEMO-2, Zone Names: (Zone1, Zone2), Event Id: 471a31e0-1c94-4c69-8e71-687514f8adaf, Severity: Low, Description: Office DDE to Script Interpreter (MITRE), Instigating Process Name: POWERPNT.EXE, Instigating Process Owner: CYLANCE/mmorin, Instigating Process ImageFileSha256: AFFABA38032700FE50C70B352ACE10F1A07D170B07CDFED10ECF2C1706A9C8BC, Target Process Name: csc.exe, Target Process Owner: CYLANCE/mmorin, Target Process ImageFileSha256: 6E24B58A16510E2135EABCF181B43B0CBF215451ACA9BA8F8CB9A5B87C231908, Device Id: e378dacb-9324-453a-b8c6-5a8406952195
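A parser for the message format shown above, added here as an example and not part of the BlackBerry documentation. It assumes the syslog header has already been stripped, and the function name `parse_process_event` is hypothetical. Splitting only on the field names from the table keeps commas inside values such as the zone list from breaking the record.

```python
import re

# Field names from the table above, used as the only valid keys.
FIELDS = [
    "Event Type", "Event Name", "Device Name", "Zone Names", "Event Id",
    "Severity", "Description", "Instigating Process Name",
    "Instigating Process Owner", "Instigating Process ImageFileSha256",
    "Target Process Name", "Target Process Owner",
    "Target Process ImageFileSha256", "Device Id",
]
# A key counts only at the start of the message or right after ", ", so commas
# inside a value (the zone list, a rule name) do not split the record.
_KEY = re.compile(r"(?:^|, )(" + "|".join(map(re.escape, FIELDS)) + r"): ")
_SHA256 = re.compile(r"[0-9A-Fa-f]{64}")

def parse_process_event(message):
    """Parse one message (syslog header already removed: an assumption)."""
    hits = list(_KEY.finditer(message))
    event = {}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        name = cur.group(1)
        if name in event:  # repeated key: reject instead of overwriting
            raise ValueError(f"duplicate field: {name}")
        end = nxt.start() if nxt else len(message)
        event[name] = message[cur.end():end].strip()
    if event.get("Event Type") != "OpticsCaeProcessEvent":
        raise ValueError("not a process-based detection event")
    for key in ("Instigating Process ImageFileSha256", "Target Process ImageFileSha256"):
        if key in event and not _SHA256.fullmatch(event[key]):
            raise ValueError(f"{key} is not a SHA256 hex digest")
    # Zone Names arrives as "(Zone1, Zone2)"; expose it as a list.
    zones = event.get("Zone Names", "").strip("()")
    event["Zone Names"] = [z.strip() for z in zones.split(",") if z.strip()]
    return event

# The example message from this page.
SAMPLE = (
    "Event Type: OpticsCaeProcessEvent, Event Name: OpticsCaeProcessEvent, "
    "Device Name: OPTICS-DEMO-2, Zone Names: (Zone1, Zone2), "
    "Event Id: 471a31e0-1c94-4c69-8e71-687514f8adaf, Severity: Low, "
    "Description: Office DDE to Script Interpreter (MITRE), "
    "Instigating Process Name: POWERPNT.EXE, "
    "Instigating Process Owner: CYLANCE/mmorin, "
    "Instigating Process ImageFileSha256: AFFABA38032700FE50C70B352ACE10F1A07D170B07CDFED10ECF2C1706A9C8BC, "
    "Target Process Name: csc.exe, Target Process Owner: CYLANCE/mmorin, "
    "Target Process ImageFileSha256: 6E24B58A16510E2135EABCF181B43B0CBF215451ACA9BA8F8CB9A5B87C231908, "
    "Device Id: e378dacb-9324-453a-b8c6-5a8406952195"
)
```
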