CylanceThreatAlert

ID: 100010

Description:

Cylance Threat Alert

Repository:

Group: Cylance

Type: event

Default Status:

Enabled

Tags:
Cylance

Selector:

Query:

Filters:

Field                          MUST hit
@cylance.EventType             Threat
@event_type                    @cylance

Field                          MUST NOT hit
@cylance.ThreatClassification  Trusted - Local

Behavior Rule:

Key                   Type    Behavior  Category
@cylance.DeviceName   asset   security  alert

Risks:

Risks                   Base Score  Dimension
ALERT_END_POINT         800         alert
ALERT_HIGH_CONFIDENCE   2000        alert

Attributes:

Alias           Key
Hostname        @cylance.DeviceName
DeviceID        @cylance.DeviceId
FileName        @cylance.FileName
FilePath        @cylance.Path
Status          @cylance.Status
CylanceScore    @cylance.CylanceScore
Classification  @cylance.ThreatClassification
IPAddress       @cylance.IPAddress
FileType        @cylance.FileType
MD5             @cylance.MD5
SHA256          @cylance.SHA256
Policy          @cylance.PolicyName
DetectedBy      @cylance.DetectedBy
EventName       @cylance.EventName
Customer        @facility

Correlation Rules:

First Occurrence:

Name      Window   Fields
NewAlert  10 days  @cylance.ThreatClassification
          Risks: ML_NEW_ALERT
NewAsset  10 days  @cylance.DeviceId
          Risks: ML_NEW_ASSET

History:

User                    Date
je*y@fortify24x7.com    2021 Mar 8 12:05:04 EST

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)