
Introduction

Tags that begin with edr.blackberry.cylance identify the events generated by Blackberry.

Valid tags and data tables

The full tag must have 4 levels. The first three are fixed as edr.blackberry.cylance. The fourth level identifies the type of event sent.

...

| Tag | Data table |
|---|---|
| edr.blackberry.cylance.users | edr.blackberry.cylance.users |
| edr.blackberry.cylance.policies | edr.blackberry.cylance.policies |
| edr.blackberry.cylance.threats | edr.blackberry.cylance.threats |
| edr.blackberry.cylance.optics_detections | edr.blackberry.cylance.optics_detections |
| edr.blackberry.cylance.optics_detections_rules | edr.blackberry.cylance.optics_detections_rules |
| edr.blackberry.cylance.optics_detections_exceptions | edr.blackberry.cylance.optics_detections_exceptions |
| edr.blackberry.cylance.devices | edr.blackberry.cylance.devices |

Field transformations

Tables 1-3

edr.blackberry.cylance.users

| Field | Type | Extra Label |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| id | str | - |
| tenant_id | str | - |
| first_name | str | - |
| last_name | str | - |
| email | str | - |
| cur_id | str | - |
| eeco_id | str | - |
| has_logged_in | bool | - |
| role_type | str | - |
| role_name | str | - |
| default_zone_role_type | str | - |
| default_zone_role_name | str | - |
| date_last_login | timestamp | - |
| date_email_confirmed | timestamp | - |
| date_created | timestamp | - |
| date_modified | timestamp | - |
| related_zones | int4 | - |
| zone | str | - |
| zone_id | str | - |
| zone_role_type | str | - |
| zone_role_name | str | - |
| related_zone_count | int4 | - |
| at_devo_pulling_id | str | - |
| hostchain | str | |
| tag | str | |
| rawMessage | str | |

edr.blackberry.cylance.policies

| Field | Type | Extra Label | Field Transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | - | | |
| hostname | str | - | | |
| memoryviolation_actions__memory_violations_ext_v2 | str | - | | |
| memoryviolation_actions__memory_violations | str | - | | |
| memoryviolation_actions__memory_violations_ext | str | - | | |
| memoryviolation_actions__memory_exclusion_list | str | - | | |
| memoryviolation_actions__memory_exclusion_list_v2 | str | - | | |
| filetype_actions__suspicious_files | str | - | | |
| filetype_actions__threat_files | str | - | | |
| checksum | str | - | | |
| file_exclusions | str | - | | |
| policy_name | str | - | | |
| script_control_v2 | str | - | | |
| policy | str | - | | |
| policy_id | str | - | | |
| policy_utctimestamp | str | - | | |
| device_count | int4 | - | | |
| zone_count | int4 | - | | |
| date_added | timestamp | - | `parsedate(date_added_str, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS", "UTC"))` | date_added_str |
| date_modified | timestamp | - | `parsedate(date_modified_str, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS", "UTC"))` | date_modified_str |
| log_policy_retentiondays | str | - | | |
| log_policy_log_upload | str | - | | |
| log_policy_maxlogsize | str | - | | |
| related_policys | int4 | - | | |
| policy_value | str | - | | |
| related_policy_count | int4 | - | | |
| at_devo_pulling_id | str | - | | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | | |

edr.blackberry.cylance.threats

| Field | Type | Extra Label |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| agent_version | str | - |
| auto_run | bool | - |
| av_industry | str | - |
| cert_issuer | str | - |
| cert_publisher | str | - |
| cert_timestamp | timestamp | - |
| classification | str | - |
| cylance_score | float8 | - |
| date_found | timestamp | - |
| detected_by | str | - |
| device_id | str | - |
| device_name | str | - |
| file_path | str | - |
| file_size | int4 | - |
| file_status | str | - |
| global_quarantined | bool | - |
| last_found | timestamp | - |
| md5 | str | - |
| name | str | - |
| policy_id | str | - |
| running | bool | - |
| safelisted | bool | - |
| sha256 | str | - |
| signed | bool | - |
| state | str | - |
| sub_classification | str | - |
| unique_to_cylance | bool | - |
| ip | str | - |
| mac | str | - |
| related_ips | int4 | - |
| related_ip | ip4 | - |
| related_ip_count | int4 | - |
| related_macs | int4 | - |
| related_mac | str | - |
| related_mac_count | int4 | - |
| at_devo_pulling_id | str | - |
| hostchain | str | |
| tag | str | |
| rawMessage | str | |

Tables 4-7

edr.blackberry.cylance.optics_detections

| Field | Type | Extra Label |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| Id | str | - |
| ActivationTime | timestamp | - |
| AppliedExceptions | str | - |
| ArtifactsOfInterest__UnsignedProc | str | - |
| Detector__Name | str | - |
| Detector__Version | str | - |
| Device__CylanceId | str | - |
| Device__Name | str | - |
| Device__IpAddresses | str | - |
| Device__LoggedOnUsers | str | - |
| Name | str | - |
| ObjectType | str | - |
| OccurrenceTime | timestamp | - |
| Product__Name | str | - |
| Product__Version | str | - |
| PhoneticId | str | - |
| ReceivedTime | timestamp | - |
| SchemaVersion | str | - |
| Severity | str | - |
| SeveritySortLevel | int4 | - |
| Status | str | - |
| StatusSortLevel | int4 | - |
| TenantId | str | - |
| Trace | str | - |
| detection_rule_Name | str | - |
| detection_rule_Id | str | - |
| detection_rule_PolicyGroup | str | - |
| detection_rule_Version | str | - |
| detection_rule_ObjectType | str | - |
| detection_rule_Description | str | - |
| detection_rule_Category | str | - |
| related_zone_id | str | - |
| zone_id | str | - |
| AssociatedArtifacts | str | - |
| DetectionRule__Name | str | - |
| DetectionRule__Id | str | - |
| DetectionRule__PolicyGroup | str | - |
| DetectionRule__Version | str | - |
| DetectionRule__ObjectType | str | - |
| DetectionRule__Description | str | - |
| DetectionRule__Category | str | - |
| detector_Name | str | - |
| detector_Version | str | - |
| device_CylanceId | str | - |
| device_Name | str | - |
| device_IpAddresses | str | - |
| device_LoggedOnUsers | str | - |
| product_Name | str | - |
| product_Version | str | - |
| related_zone_ids | int4 | - |
| related_zone_id_count | int4 | - |
| at_devo_pulling_id | str | - |
| hostchain | str | |
| tag | str | |
| rawMessage | str | |

edr.blackberry.cylance.optics_detections_rules

| Field | Type | Extra Label |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| MaximumConcurrentActivations | int4 | - |
| ActivationLifetimeLimit | str | - |
| TerminateActiveDfaIfActivatingProcessesEnd | bool | - |
| ActivationCanUtilizeDeviceStateEvents | bool | - |
| AllowMultipleActivationsPerContext | bool | - |
| OperatingSystems | str | - |
| States | str | - |
| Paths | str | - |
| ObjectType | str | - |
| Name | str | - |
| Id | str | - |
| Version | str | - |
| SchemaVersion | str | - |
| Description | str | - |
| Tags | str | - |
| RuleSource | str | - |
| RuleSourceGrouping | str | - |
| Severity | str | - |
| Plugin__Name | str | - |
| NotValidBefore | timestamp | - |
| NotValidAfter | timestamp | - |
| RulesetCount | int4 | - |
| LastModified | timestamp | - |
| Category | str | - |
| DeviceCount | int4 | - |
| ModifiedBy__login | str | - |
| ModifiedBy__id | str | - |
| product_Name | str | - |
| Product__Name | str | - |
| plugin_Name | str | - |
| at_devo_pulling_id | str | - |
| hostchain | str | |
| tag | str | |
| rawMessage | str | |

edr.blackberry.cylance.optics_detections_exceptions

| Field | Type | Extra Label |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| ObjectType | str | - |
| Plugin__Name | str | - |
| Tags | str | - |
| OperatingSystems | str | - |
| SchemaVersion | str | - |
| States | str | - |
| Name | str | - |
| Description | str | - |
| Id | str | - |
| Version | str | - |
| RulesetCount | int4 | - |
| LastModified | timestamp | - |
| PolicyCount | int4 | - |
| DeviceCount | int4 | - |
| ModifiedBy__login | str | - |
| ModifiedBy__id | str | - |
| product_Name | str | - |
| Product__Name | str | - |
| plugin_Name | str | - |
| at_devo_pulling_id | str | - |
| hostchain | str | |
| tag | str | |
| rawMessage | str | |

edr.blackberry.cylance.devices

| Field | Type | Extra Label | Field Transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | - | | |
| hostname | str | - | | |
| id | str | - | | |
| name | str | - | | |
| host_name | str | - | | |
| os_version | str | - | | |
| os_kernel_version | str | - | | |
| state | str | - | | |
| agent_version | str | - | | |
| policy_id | str | - | | |
| last_logged_in_user | str | - | | |
| update_type | str | - | | |
| update_available | bool | - | | |
| background_detection | bool | - | | |
| is_safe | bool | - | | |
| date_first_registered | timestamp | - | | |
| date_offline | str | - | | |
| date_last_modified | timestamp | - | | |
| distinguished_name | str | - | | |
| dlcm_status | str | - | | |
| days_to_deletion | str | - | | |
| related_products | int4 | - | | |
| product | str | - | | |
| ip | str | - | | |
| related_mac | str | - | | |
| policy_name | str | - | | |
| related_ips | int4 | - | | |
| related_ip_count | int4 | - | | |
| related_mac_count | int4 | - | | |
| related_macs | int4 | - | | |
| mac | str | - | | |
| related_ip4 | ip4 | - | `ip4(related_ip_str)` | related_ip_str |
| related_ip6 | ip6 | - | `ip6(related_ip_str)` | related_ip_str |
| product_name | str | - | | |
| product_version | str | - | | |
| product_status | str | - | | |
| at_devo_pulling_id | str | - | | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | | |