This group includes tags that start with the level edr. These tags identify data generated by Endpoint Detection and Response (EDR) systems.

Company | Product / Service | Data tables

- | -

  • edr.all.threats

  • edr.all.processes

  • edr.all.netconns

BlackBerry Cylance

  • edr.blackberry.cylance.devices

  • edr.blackberry.cylance.optics_detections

  • edr.blackberry.cylance.optics_detections_rules

  • edr.blackberry.cylance.optics_detections_exceptions

  • edr.blackberry.cylance.policies

  • edr.blackberry.cylance.threats

  • edr.blackberry.cylance.users

More information

Carbon Black

  • edr.carbonblack

  • edr.carbonblack.all

  • edr.carbonblack.alert

  • edr.carbonblack.binary

  • edr.carbonblack.feed

  • edr.carbonblack.ingress

  • edr.carbonblack.protect

  • edr.carbonblack.watchlist

More information

Carbon Black Event Forwarder

  • edr.cbef

  • edr.cbef.alert

  • edr.cbef.alert.cb_analytics

  • edr.cbef.alert.watchlist

  • edr.cbef.endpoint_event

  • edr.cbef.endpoint_event.apicall

  • edr.cbef.endpoint_event.crossproc

  • edr.cbef.endpoint_event.filemod

  • edr.cbef.endpoint_event.moduleload

  • edr.cbef.endpoint_event.netconn

  • edr.cbef.endpoint_event.procend

  • edr.cbef.endpoint_event.procstart

  • edr.cbef.endpoint_event.regmod

Cisco Secure Endpoint (Formerly AMP for Endpoints)

  • edr.cisco.amp.computers

  • edr.cisco.amp.events

  • edr.cisco.amp.vulnerabilities

Cortex XDR

  • edr.cortex_xdr.alerts

  • edr.cortex_xdr.alerts_multi

  • edr.cortex_xdr.alerts_multi_event

  • edr.cortex_xdr.incidents

Crowdstrike Endpoint Detection & Response

  • edr.crowdstrike.cannon

  • edr.crowdstrike.cannon.additionalhostinfo

  • edr.crowdstrike.cannon.agentconnect

  • edr.crowdstrike.cannon.agentonline

  • edr.crowdstrike.cannon.arcfilewrtitten

  • edr.crowdstrike.cannon.asepkeyupdate

  • edr.crowdstrike.cannon.asepvalueupdate

  • edr.crowdstrike.cannon.associateindicator

  • edr.crowdstrike.cannon.associatetreeidwithroot

  • edr.crowdstrike.cannon.billinginfo

  • edr.crowdstrike.cannon.bitsjobcreated

  • edr.crowdstrike.cannon.bmpfilewritten

  • edr.crowdstrike.cannon.cabfilewritten

  • edr.crowdstrike.cannon.channeldatadownloadcomplete

  • edr.crowdstrike.cannon.channelversionrequired

  • edr.crowdstrike.cannon.commandhistory

  • edr.crowdstrike.cannon.configstateupdate

  • edr.crowdstrike.cannon.createservice

  • edr.crowdstrike.cannon.criticalenvironmentvariablechanged

  • edr.crowdstrike.cannon.criticalfileaccessed

  • edr.crowdstrike.cannon.currentsystemtags

  • edr.crowdstrike.cannon.dconline

  • edr.crowdstrike.cannon.dcstatus

  • edr.crowdstrike.cannon.dcsyncattempted

  • edr.crowdstrike.cannon.dcusbconfigurationdescriptor

  • edr.crowdstrike.cannon.dcusbdeviceblocked

  • edr.crowdstrike.cannon.dcusbdeviceconnected

  • edr.crowdstrike.cannon.dcusbdevicedisconnected

  • edr.crowdstrike.cannon.dcusbendpointdescriptor

  • edr.crowdstrike.cannon.dcusbhiddescriptor

  • edr.crowdstrike.cannon.dcusbinterfacedescriptor

  • edr.crowdstrike.cannon.deliverlocalfxtocloud

  • edr.crowdstrike.cannon.detectionexcluded

  • edr.crowdstrike.cannon.directorycreate

  • edr.crowdstrike.cannon.directorytraversaloversmb

  • edr.crowdstrike.cannon.diskcapacity

  • edr.crowdstrike.cannon.dllinjection

  • edr.crowdstrike.cannon.dmpfilewritten

  • edr.crowdstrike.cannon.dnsrequest

  • edr.crowdstrike.cannon.documentproograminjectedthread

  • edr.crowdstrike.cannon.driverload

  • edr.crowdstrike.cannon.dwgfilewritten

  • edr.crowdstrike.cannon.elffilewritten

  • edr.crowdstrike.cannon.endofprocess

  • edr.crowdstrike.cannon.errorevent

  • edr.crowdstrike.cannon.etwcomponentresponse

  • edr.crowdstrike.cannon.etwerrorevent

  • edr.crowdstrike.cannon.executabledeleted

  • edr.crowdstrike.cannon.falconservicestatus

  • edr.crowdstrike.cannon.filedeleted

  • edr.crowdstrike.cannon.filedeleteinfo

  • edr.crowdstrike.cannon.fileopeninfo

  • edr.crowdstrike.cannon.filerenameinfo

  • edr.crowdstrike.cannon.firewallchangeoption

  • edr.crowdstrike.cannon.firewalldeleterule

  • edr.crowdstrike.cannon.firewallsetrule

  • edr.crowdstrike.cannon.firmwareanalysishardwaredata

  • edr.crowdstrike.cannon.firmwareanalysisstatus

  • edr.crowdstrike.cannon.fspostopensnapshotfile

  • edr.crowdstrike.cannon.fsvolumemounted

  • edr.crowdstrike.cannon.fsvolumeunmounted

  • edr.crowdstrike.cannon.genericfilewritten

  • edr.crowdstrike.cannon.giffilewritten

  • edr.crowdstrike.cannon.gzipfilewritten

  • edr.crowdstrike.cannon.hostedservicestarted

  • edr.crowdstrike.cannon.hostedservicesttoped

  • edr.crowdstrike.cannon.hostinfo

  • edr.crowdstrike.cannon.hostnamechanged

  • edr.crowdstrike.cannon.imagehash

  • edr.crowdstrike.cannon.injectedthread

  • edr.crowdstrike.cannon.installedapplication

  • edr.crowdstrike.cannon.installedupdates

  • edr.crowdstrike.cannon.invalid

  • edr.crowdstrike.cannon.iosessionconnected

  • edr.crowdstrike.cannon.iosessionloggedon

  • edr.crowdstrike.cannon.jarfilewritten

  • edr.crowdstrike.cannon.javaclassfilewritten

  • edr.crowdstrike.cannon.jpegfilewritten

  • edr.crowdstrike.cannon.kernelmodeloadimage

  • edr.crowdstrike.cannon.lfodownloadconfirmation

  • edr.crowdstrike.cannon.localipaddressip4

  • edr.crowdstrike.cannon.localipaddressip6

  • edr.crowdstrike.cannon.localipaddressremovedip4

  • edr.crowdstrike.cannon.localipaddressremovedip6

  • edr.crowdstrike.cannon.lsasshandlefromunisgnedmodule

  • edr.crowdstrike.cannon.manifestdownloadcomplete

  • edr.crowdstrike.cannon.modifyservicebinary

  • edr.crowdstrike.cannon.neighborlistip4

  • edr.crowdstrike.cannon.neighborlistip6

  • edr.crowdstrike.cannon.netshareadd

  • edr.crowdstrike.cannon.netsharesecuritymodify

  • edr.crowdstrike.cannon.networkcapableasepwrite

  • edr.crowdstrike.cannon.networkcloseip4

  • edr.crowdstrike.cannon.networkcloseip6

  • edr.crowdstrike.cannon.networkconnectip4

  • edr.crowdstrike.cannon.networkconnectip6

  • edr.crowdstrike.cannon.networklistenip4

  • edr.crowdstrike.cannon.networklistenip6

  • edr.crowdstrike.cannon.networkreceiveacceptip4

  • edr.crowdstrike.cannon.networkreceiveacceptip6

  • edr.crowdstrike.cannon.newexecutablerenamed

  • edr.crowdstrike.cannon.newexecutablewritten

  • edr.crowdstrike.cannon.newscriptwritten

  • edr.crowdstrike.cannon.olefilewritten

  • edr.crowdstrike.cannon.ooxmlfilewritten

  • edr.crowdstrike.cannon.osversioninfo

  • edr.crowdstrike.cannon.other

  • edr.crowdstrike.cannon.packedexecutablewritten

  • edr.crowdstrike.cannon.pdffilewritten

  • edr.crowdstrike.cannon.pefilewritten

  • edr.crowdstrike.cannon.peversioninfo

  • edr.crowdstrike.cannon.pngfilewritten

  • edr.crowdstrike.cannon.privilegedprocesshandledfromunisgnedmodule

  • edr.crowdstrike.cannon.processinjection

  • edr.crowdstrike.cannon.processrollup2

  • edr.crowdstrike.cannon.processrollup2stats

  • edr.crowdstrike.cannon.processelfdeleted

  • edr.crowdstrike.cannon.promiscuousbindip4

  • edr.crowdstrike.cannon.queueapcetw

  • edr.crowdstrike.cannon.ransomwareopenfile

  • edr.crowdstrike.cannon.rarfilewritten

  • edr.crowdstrike.cannon.rawbindip4

  • edr.crowdstrike.cannon.rawbindip6

  • edr.crowdstrike.cannon.reflectivedotnetmoduleload

  • edr.crowdstrike.cannon.reggenericvalueupdate

  • edr.crowdstrike.cannon.registerrawinputdevicesetw

  • edr.crowdstrike.cannon.regsystemconfigvalueupdate

  • edr.crowdstrike.cannon.removablemediavolumemounted

  • edr.crowdstrike.cannon.resourceutilization

  • edr.crowdstrike.cannon.rtffilewritten

  • edr.crowdstrike.cannon.samhashdumpfromunsignedmodule

  • edr.crowdstrike.cannon.scheduledtaskdeleted

  • edr.crowdstrike.cannon.scheduledtaskmodified

  • edr.crowdstrike.cannon.scheduledtaskregistered

  • edr.crowdstrike.cannon.screenshottakenetw

  • edr.crowdstrike.cannon.scriptcontroldetectinfo

  • edr.crowdstrike.cannon.scriptcontrolerrorevent

  • edr.crowdstrike.cannon.scriptcontrolscantelemetry

  • edr.crowdstrike.cannon.sensitivewmiquery

  • edr.crowdstrike.cannon.sensorheartbeat

  • edr.crowdstrike.cannon.servicestarted

  • edr.crowdstrike.cannon.setwineventhooketw

  • edr.crowdstrike.cannon.sevenzipfilewritten

  • edr.crowdstrike.cannon.signinfoerror

  • edr.crowdstrike.cannon.signinfowithcertandcontext

  • edr.crowdstrike.cannon.signinfowithcontext

  • edr.crowdstrike.cannon.smbclientshareclosedetw

  • edr.crowdstrike.cannon.smbclientshareopenedetw

  • edr.crowdstrike.cannon.smbservershareopenedetw

  • edr.crowdstrike.cannon.snapshotvolumemounted

  • edr.crowdstrike.cannon.suspectcreatethreadstack

  • edr.crowdstrike.cannon.suspiciouscreatesymboliclink

  • edr.crowdstrike.cannon.suspiciousslackofprocessrollupevents

  • edr.crowdstrike.cannon.suspiciousprivilegedprocesshandle

  • edr.crowdstrike.cannon.suspiciousregasepupdate

  • edr.crowdstrike.cannon.syntheticprocessrollup2

  • edr.crowdstrike.cannon.systemcapacity

  • edr.crowdstrike.cannon.tarfilewritten

  • edr.crowdstrike.cannon.tcgpcrinfo

  • edr.crowdstrike.cannon.terminateprocess

  • edr.crowdstrike.cannon.tifffilewritten

  • edr.crowdstrike.cannon.tokenimpersonated

  • edr.crowdstrike.cannon.umppaerrorevent

  • edr.crowdstrike.cannon.umppcbypasssuspected

  • edr.crowdstrike.cannon.updatemanifestdownloadcomplete

  • edr.crowdstrike.cannon.useraccountaddedtogroup

  • edr.crowdstrike.cannon.userexceptiondep

  • edr.crowdstrike.cannon.userfontload

  • edr.crowdstrike.cannon.useridentity

  • edr.crowdstrike.cannon.userinformationetw

  • edr.crowdstrike.cannon.userlogoff

  • edr.crowdstrike.cannon.userlogon

  • edr.crowdstrike.cannon.userlogonfailed

  • edr.crowdstrike.cannon.userlogonfailed2

  • edr.crowdstrike.cannon.volumesnapshotcreated

  • edr.crowdstrike.cannon.volumesnapshotdeleted

  • edr.crowdstrike.cannon.wfpfiltertamperingfilteradded

  • edr.crowdstrike.cannon.wfpfiltertamperingfilterdeleted

  • edr.crowdstrike.cannon.wmicreateprocess

  • edr.crowdstrike.cannon.wmifilterconsumerbindingetw

  • edr.crowdstrike.cannon.wmiproviderregistrationetw

  • edr.crowdstrike.cannon.wroteexeandgeneratedserviceevent

  • edr.crowdstrike.cannon.zipfilewriten

  • edr.crowdstrike.discover

  • edr.crowdstrike.discover.appinfo

  • edr.crowdstrike.discover.userinfo

  • edr.crowdstrike.falcon

  • edr.crowdstrike.falcon_filevantage.change

  • edr.crowdstrike.falconstreaming

  • edr.crowdstrike.falconstreaming.agents

  • edr.crowdstrike.falconstreaming.auth_activity

  • edr.crowdstrike.falconstreaming.behaviors

  • edr.crowdstrike.falconstreaming.cspm_ioa_streaming

  • edr.crowdstrike.falconstreaming.cspm_search_streaming

  • edr.crowdstrike.falconstreaming.customer_ioc

  • edr.crowdstrike.falconstreaming.detection_summary

  • edr.crowdstrike.falconstreaming.external_api

  • edr.crowdstrike.falconstreaming.firewall_match

  • edr.crowdstrike.falconstreaming.identity_protection

  • edr.crowdstrike.falconstreaming.idp_detection_summary

  • edr.crowdstrike.falconstreaming.incident_summary

  • edr.crowdstrike.falconstreaming.incidents

  • edr.crowdstrike.falconstreaming.mobile_detection_summary

  • edr.crowdstrike.falconstreaming.other

  • edr.crowdstrike.falconstreaming.recon_notification_summary

  • edr.crowdstrike.falconstreaming.remote_response_session

  • edr.crowdstrike.falconstreaming.scheduled_report_notification

  • edr.crowdstrike.falconstreaming.user_activity_all

  • edr.crowdstrike.falconstreaming.user_activity_detections

  • edr.crowdstrike.falconstreaming.user_activity_device_control_policy

  • edr.crowdstrike.falconstreaming.user_activity_devices

  • edr.crowdstrike.falconstreaming.user_activity_groups

  • edr.crowdstrike.falconstreaming.user_activity_ip_whitelist

  • edr.crowdstrike.falconstreaming.user_activity_other

  • edr.crowdstrike.falconstreaming.user_activity_prevention_policy

  • edr.crowdstrike.falconstreaming.user_activity_quarantined_files

  • edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

  • edr.crowdstrike.falconstreaming.vulnerabilities

  • edr.crowdstrike.insight

  • edr.crowdstrike.insight.aidmaster

  • edr.crowdstrike.insight.managedassets

  • edr.crowdstrike.insight.notmanaged

More information



Cylance PROTECT

  • edr.cylance.app

  • edr.cylance.audit

  • edr.cylance.device

  • edr.cylance.memory

  • edr.cylance.script

  • edr.cylance.threats

More information

Fireeye Endpoint Detection & Response

Microsoft Defender Endpoint

  • edr.microsoft_defender.endpoint.software

  • edr.microsoft_defender.endpoint.vulnerabilities

  • edr.microsoft_defender.endpoint.alerts

  • edr.microsoft_defender.endpoint.assessment_software_vulnerabilities

  • edr.microsoft_defender.endpoint.assessment_software_inventory

  • edr.microsoft_defender.endpoint.investigations

  • edr.microsoft_defender.endpoint.assessment_secure_configuration

  • edr.microsoft_defender.endpoint.machines

  • edr.microsoft_defender.endpoint.recommendations

More information

Minerva Labs

Minerva Labs anti-evasion platform

ObserveIT Insider Threat Detection

  • edr.observeit.events


Symantec Endpoint Detection & Response

  • edr.symantec.events
