...
Tags beginning with edr.blackberry.cylance identify the events generated by BlackBerry Cylance.
...
The full tag must have 4 levels. The first three are fixed as edr.blackberry.cylance. The fourth level identifies the type of event sent:

| Technology | Brand | Type | Subtype |
|---|---|---|---|
| edr | blackberry | cylance | users |
| edr | blackberry | cylance | policies |
| edr | blackberry | cylance | threats |
| edr | blackberry | cylance | optics_detections |
| edr | blackberry | cylance | optics_detections_rules |
| edr | blackberry | cylance | optics_detections_exceptions |
| edr | blackberry | cylance | devices |

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Tag | Data table |
|---|---|
| edr.blackberry.cylance.users | edr.blackberry.cylance.users |
| edr.blackberry.cylance.policies | edr.blackberry.cylance.policies |
| edr.blackberry.cylance.threats | edr.blackberry.cylance.threats |
| edr.blackberry.cylance.optics_detections | edr.blackberry.cylance.optics_detections |
| edr.blackberry.cylance.optics_detections_rules | edr.blackberry.cylance.optics_detections_rules |
| edr.blackberry.cylance.optics_detections_exceptions | edr.blackberry.cylance.optics_detections_exceptions |
| edr.blackberry.cylance.devices | edr.blackberry.cylance.devices |
...
Table structure
These are the fields displayed in each table. The Extra Label Field column marks the fields that Devo adds to every event (hostchain, tag, rawMessage) rather than fields taken from the source record; the Transformation and Source field name columns, where present, show how a typed field is derived from the raw string field:
edr.blackberry.cylance.users

| Field | Type | Extra Label Field |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| id | str | - |
| tenant_id | str | - |
| first_name | str | - |
| last_name | str | - |
| email | str | - |
| cur_id | str | - |
| eeco_id | str | - |
| has_logged_in | bool | - |
| role_type | str | - |
| role_name | str | - |
| default_zone_role_type | str | - |
| default_zone_role_name | str | - |
| date_last_login | timestamp | - |
| date_email_confirmed | timestamp | - |
| date_created | timestamp | - |
| date_modified | timestamp | - |
| related_zones | int4 | - |
| zone | str | - |
| zone_id | str | - |
| zone_role_type | str | - |
| zone_role_name | str | - |
| related_zone_count | int4 | - |
| at_devo_pulling_id | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
edr.blackberry.cylance.policies

| Field | Type | Extra Label Field | Transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | - | | |
| hostname | str | - | | |
| memoryviolation_actions__memory_violations_ext_v2 | str | - | | |
| memoryviolation_actions__memory_violations | str | - | | |
| memoryviolation_actions__memory_violations_ext | str | - | | |
| memoryviolation_actions__memory_exclusion_list | str | - | | |
| memoryviolation_actions__memory_exclusion_list_v2 | str | - | | |
| filetype_actions__suspicious_files | str | - | | |
| filetype_actions__threat_files | str | - | | |
| checksum | str | - | | |
| file_exclusions | str | - | | |
| policy_name | str | - | | |
| script_control_v2 | str | - | | |
| policy | str | - | | |
| policy_id | str | - | | |
| policy_utctimestamp | str | - | | |
| device_count | int4 | - | | |
| zone_count | int4 | - | | |
| date_added | timestamp | - | parsedate(date_added_str, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS", "UTC")) | date_added_str |
| date_modified | timestamp | - | parsedate(date_modified_str, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS", "UTC")) | date_modified_str |
| log_policy_retentiondays | str | - | | |
| log_policy_log_upload | str | - | | |
| log_policy_maxlogsize | str | - | | |
| related_policys | int4 | - | | |
| policy_value | str | - | | |
| related_policy_count | int4 | - | | |
| at_devo_pulling_id | str | - | | |
| hostchain | str | ✓ | | |
| tag | str | ✓ | | |
| rawMessage | str | ✓ | | |
edr.blackberry.cylance.threats

| Field | Type | Extra Label Field |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| agent_version | str | - |
| auto_run | bool | - |
| av_industry | str | - |
| cert_issuer | str | - |
| cert_publisher | str | - |
| cert_timestamp | timestamp | - |
| classification | str | - |
| cylance_score | float8 | - |
| date_found | timestamp | - |
| detected_by | str | - |
| device_id | str | - |
| device_name | str | - |
| file_path | str | - |
| file_size | int4 | - |
| file_status | str | - |
| global_quarantined | bool | - |
| last_found | timestamp | - |
| md5 | str | - |
| name | str | - |
| policy_id | str | - |
| running | bool | - |
| safelisted | bool | - |
| sha256 | str | - |
| signed | bool | - |
| state | str | - |
| sub_classification | str | - |
| unique_to_cylance | bool | - |
| ip | str | - |
| mac | str | - |
| related_ips | int4 | - |
| related_ip | ip4 | - |
| related_ip_count | int4 | - |
| related_macs | int4 | - |
| related_mac | str | - |
| related_mac_count | int4 | - |
| at_devo_pulling_id | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
edr.blackberry.cylance.optics_detections

| Field | Type | Extra Label Field |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| Id | str | - |
| ActivationTime | timestamp | - |
| AppliedExceptions | str | - |
| ArtifactsOfInterest__UnsignedProc | str | - |
| Detector__Name | str | - |
| Detector__Version | str | - |
| Device__CylanceId | str | - |
| Device__Name | str | - |
| Device__IpAddresses | str | - |
| Device__LoggedOnUsers | str | - |
| Name | str | - |
| ObjectType | str | - |
| OccurrenceTime | timestamp | - |
| Product__Name | str | - |
| Product__Version | str | - |
| PhoneticId | str | - |
| ReceivedTime | timestamp | - |
| SchemaVersion | str | - |
| Severity | str | - |
| SeveritySortLevel | int4 | - |
| Status | str | - |
| StatusSortLevel | int4 | - |
| TenantId | str | - |
| Trace | str | - |
| detection_rule_Name | str | - |
| detection_rule_Id | str | - |
| detection_rule_PolicyGroup | str | - |
| detection_rule_Version | str | - |
| detection_rule_ObjectType | str | - |
| detection_rule_Description | str | - |
| detection_rule_Category | str | - |
| related_zone_id | str | - |
| zone_id | str | - |
| AssociatedArtifacts | str | - |
| DetectionRule__Name | str | - |
| DetectionRule__Id | str | - |
| DetectionRule__PolicyGroup | str | - |
| DetectionRule__Version | str | - |
| DetectionRule__ObjectType | str | - |
| DetectionRule__Description | str | - |
| DetectionRule__Category | str | - |
| detector_Name | str | - |
| detector_Version | str | - |
| device_CylanceId | str | - |
| device_Name | str | - |
| device_IpAddresses | str | - |
| device_LoggedOnUsers | str | - |
| product_Name | str | - |
| product_Version | str | - |
| related_zone_ids | int4 | - |
| related_zone_id_count | int4 | - |
| at_devo_pulling_id | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
edr.blackberry.cylance.optics_detections_rules

| Field | Type | Extra Label Field |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| MaximumConcurrentActivations | int4 | - |
| ActivationLifetimeLimit | str | - |
| TerminateActiveDfaIfActivatingProcessesEnd | bool | - |
| ActivationCanUtilizeDeviceStateEvents | bool | - |
| AllowMultipleActivationsPerContext | bool | - |
| OperatingSystems | str | - |
| States | str | - |
| Paths | str | - |
| ObjectType | str | - |
| Name | str | - |
| Id | str | - |
| Version | str | - |
| SchemaVersion | str | - |
| Description | str | - |
| Tags | str | - |
| RuleSource | str | - |
| RuleSourceGrouping | str | - |
| Severity | str | - |
| Plugin__Name | str | - |
| NotValidBefore | timestamp | - |
| NotValidAfter | timestamp | - |
| RulesetCount | int4 | - |
| LastModified | timestamp | - |
| Category | str | - |
| DeviceCount | int4 | - |
| ModifiedBy__login | str | - |
| ModifiedBy__id | str | - |
| product_Name | str | - |
| Product__Name | str | - |
| plugin_Name | str | - |
| at_devo_pulling_id | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
edr.blackberry.cylance.optics_detections_exceptions

| Field | Type | Extra Label Field |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| ObjectType | str | - |
| Plugin__Name | str | - |
| Tags | str | - |
| OperatingSystems | str | - |
| SchemaVersion | str | - |
| States | str | - |
| Name | str | - |
| Description | str | - |
| Id | str | - |
| Version | str | - |
| RulesetCount | int4 | - |
| LastModified | timestamp | - |
| PolicyCount | int4 | - |
| DeviceCount | int4 | - |
| ModifiedBy__login | str | - |
| ModifiedBy__id | str | - |
| product_Name | str | - |
| Product__Name | str | - |
| plugin_Name | str | - |
| at_devo_pulling_id | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
edr.blackberry.cylance.devices

| Field | Type | Extra Label Field | Transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | - | | |
| hostname | str | - | | |
| id | str | - | | |
| name | str | - | | |
| host_name | str | - | | |
| os_version | str | - | | |
| os_kernel_version | str | - | | |
| state | str | - | | |
| agent_version | str | - | | |
| policy_id | str | - | | |
| last_logged_in_user | str | - | | |
| update_type | str | - | | |
| update_available | bool | - | | |
| background_detection | bool | - | | |
| is_safe | bool | - | | |
| date_first_registered | timestamp | - | | |
| date_offline | str | - | | |
| date_last_modified | timestamp | - | | |
| distinguished_name | str | - | | |
| dlcm_status | str | - | | |
| days_to_deletion | str | - | | |
| related_products | int4 | - | | |
| product | str | - | | |
| ip | str | - | | |
| related_mac | str | - | | |
| policy_name | str | - | | |
| related_ips | int4 | - | | |
| related_ip_count | int4 | - | | |
| related_mac_count | int4 | - | | |
| related_macs | int4 | - | | |
| mac | str | - | | |
| related_ip4 | ip4 | - | ip4(related_ip_str) | related_ip_str |
| related_ip6 | ip6 | - | ip6(related_ip_str) | related_ip_str |
| product_name | str | - | | |
| product_version | str | - | | |
| product_status | str | - | | |
| at_devo_pulling_id | str | - | | |
| hostchain | str | ✓ | | |
| tag | str | ✓ | | |
| rawMessage | str | ✓ | | |
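The two points above that a practitioner most often has to reproduce outside Devo are the four-level tag check and the Transformation column: the parsedate() call with the seven-digit fractional second format "YYYY-MM-DD[T]HH:mm:ss.SSSSSSS" (policies and devices) and the ip4()/ip6() split of one related_ip_str into two typed columns (devices). The following is an added example written for this page, not Devo's parser code; the helper names, the convention of returning None for an invalid tag or a failed address conversion, and the sample device record are assumptions made for illustration.

```python
"""Emulating the tag check and the Transformation column of the
edr.blackberry.cylance tables in plain Python.

Added example for this page; not Devo's own parser code. Helper names,
the None-on-invalid convention and SAMPLE_DEVICE are assumptions.
"""
from datetime import datetime, timezone
from typing import Optional
import ipaddress

# First three levels are fixed; the fourth must be one of the page's subtypes.
CYLANCE_PREFIX = ("edr", "blackberry", "cylance")
CYLANCE_SUBTYPES = frozenset({
    "users", "policies", "threats", "optics_detections",
    "optics_detections_rules", "optics_detections_exceptions", "devices",
})


def cylance_table_for_tag(tag: str) -> Optional[str]:
    """Return the data table that receives events tagged `tag`, or None when
    the tag does not have exactly 4 levels, the fixed prefix and a known
    subtype. For this source the table name is the tag itself."""
    levels = tag.split(".")
    if len(levels) != 4 or tuple(levels[:3]) != CYLANCE_PREFIX:
        return None
    if levels[3] not in CYLANCE_SUBTYPES:
        return None
    return tag


def parse_cylance_timestamp(value: str) -> datetime:
    """Equivalent of parsedate(x, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS", "UTC")).

    The source strings carry seven fractional-second digits; strptime's %f
    accepts at most six, so the fraction is parsed by hand and truncated to
    microseconds. Strings without the expected shape are rejected rather
    than silently zeroed, so a format change in the feed is noticed."""
    head, dot, frac = value.strip().partition(".")
    if dot != "." or not frac.isdigit() or not 1 <= len(frac) <= 7:
        raise ValueError(f"unexpected Cylance timestamp format: {value!r}")
    base = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S")
    micros = int(frac[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def split_related_ip(related_ip_str: str) -> dict:
    """Equivalent of related_ip4 = ip4(related_ip_str) and
    related_ip6 = ip6(related_ip_str): one source string feeds two typed
    columns and only the one whose family matches is populated. An invalid
    string leaves both empty (assumption: a failed conversion yields null)."""
    try:
        addr = ipaddress.ip_address(related_ip_str.strip())
    except ValueError:
        return {"related_ip4": None, "related_ip6": None}
    return {
        "related_ip4": str(addr) if addr.version == 4 else None,
        "related_ip6": str(addr) if addr.version == 6 else None,
    }


def build_devices_row(tag: str, record: dict) -> dict:
    """Build the typed columns of one edr.blackberry.cylance.devices row
    from a flattened device record (field names as in the devices table)."""
    if cylance_table_for_tag(tag) != "edr.blackberry.cylance.devices":
        raise ValueError(f"not a devices tag: {tag!r}")
    row = {
        "tag": tag,
        "id": record.get("id"),
        "name": record.get("name"),
        "state": record.get("state"),
        "agent_version": record.get("agent_version"),
        "policy_id": record.get("policy_id"),
        "ip": record.get("ip"),
        "mac": record.get("mac"),
        # date_offline is typed str in the table, so it is copied through as-is.
        "date_offline": record.get("date_offline"),
        "date_first_registered": parse_cylance_timestamp(record["date_first_registered"]),
        "date_last_modified": parse_cylance_timestamp(record["date_last_modified"]),
    }
    row.update(split_related_ip(record.get("related_ip_str", "")))
    return row


# Constructed sample record for the demo; not real telemetry.
SAMPLE_DEVICE = {
    "id": "0d2c7e6a-1111-2222-3333-444455556666",
    "name": "WS-FINANCE-07",
    "state": "Online",
    "agent_version": "3.1.1000",
    "policy_id": "7a9b1c2d-0000-1111-2222-333344445555",
    "ip": "10.20.30.40",
    "mac": "00:11:22:33:44:55",
    "date_offline": "",
    "date_first_registered": "2024-03-05T14:07:09.1234567",
    "date_last_modified": "2024-03-06T08:00:00.0000000",
    "related_ip_str": "fe80::1",
}

if __name__ == "__main__":
    for key, val in build_devices_row("edr.blackberry.cylance.devices", SAMPLE_DEVICE).items():
        print(f"{key:24} {val!r}")
    print(cylance_table_for_tag("edr.blackberry.cylance.threats"))
    print(cylance_table_for_tag("edr.blackberry.cylance"))  # None: only 3 levels
```

The strict timestamp check matters more than it looks: if the feed ever starts sending six fractional digits or a timezone suffix, a lenient parser would keep producing rows with wrong or zeroed eventdate-adjacent fields, and the first place that shows up is in detection time windows. Failing loudly here, and keeping rawMessage untouched beside the typed columns, is what lets you re-parse later.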