Page Comparison

Table of Contents

minLevel	2
maxLevel	2
outline	false
type	flat
separator	brackets
printable	false

Introduction

The tags begin with edr.cybereasonidentify the events generated by Cybereason.

Tag structure

The full tag must have at least 2 levels. The first two are fixed as edr.cybereason. The third level identifies the type of events sent.

Product / Services	Tags	Data tables
Cybereason	`edr.cybereason.malop`	`edr.cybereason`
	`edr.cybereason.api_malop`	`edr.cybereason.api_malop`
	`edr.cybereason.api_malware`	`edr.cybereason.api_malware`
	`edr.cybereason.malop`	`edr.cybereason.malop`
	`edr.cybereason.malware`	`edr.cybereason.malware`
	`edr.cybereason.useractions`	`edr.cybereason.useractions`

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

Rw ui tabs macro

Rw tab

title	1-3

edr.cybereason
edr.cybereason.api_malop
edr.cybereason.api_malware

Anchor
tag1
tag1
edr.cybereason

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

Code Block
split(hostchain, "=", 0)

hostchain

type

str

vtype

cefVersion

str

embDeviceVendor

str

embDeviceProduct

str

deviceVersion

str

signatureID

str

name

str

severity

str

cn1Label

str

cn1

int8

cn2Label

str

cn2

int8

cn3Label

str

cn3

int8

cs1Label

str

cs1

str

cs2Label

str

cs2

str

cs3Label

str

cs3

str

cs4Label

str

cs4

str

cs5Label

str

cs5

str

cs6Label

str

cs6

str

deviceCustomDate1Label

str

deviceCustomDate1

timestamp

Code Block
parsedate(replace(deviceCustomDate1_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")

deviceCustomDate1_tmp

deviceCustomDate2Label

str

deviceCustomDate2

timestamp

Code Block
parsedate(replace(deviceCustomDate2_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")

deviceCustomDate2_tmp

deviceDnsDomain

str

dvc

ip4

reason

str

requestContext

str

rt

timestamp

Code Block
parsedate(replace(rt_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")

rt_tmp

start

timestamp

Code Block
parsedate(replace(start_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")

start_tmp

suser

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag2
tag2
edr.cybereason.api_malop

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
id	`str`
affectedMachines	`str`
affectedUsers	`str`
allRansomwareProcessesSuspended	`str`
closeTime	`str`
closerName	`str`
creationTime	`timestamp`
customClassification	`str`
decisionFeature	`str`
detectionType	`str`
elementDisplayName	`str`
hasRansomwareSuspendedProcesses	`str`
isBlocked	`str`
isMalicious	`bool`
malopActivityTypes	`str`
malopLastUpdateTime	`timestamp`
malopStartTime	`timestamp`
managementStatus	`str`
primaryRootCauseElements	`str`
rootCauseElementHashes	`str`
rootCauseElementNames	`str`
rootCauseElementTypes	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`

Anchor
tag3
tag3
edr.cybereason.api_malware

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
detectionEngine	`str`
detectionValue	`str`
detectionValueType	`str`
elementType	`str`
guid	`str`
id__elementType	`str`
id__guid	`str`
id__malwareType	`str`
id__timestamp	`timestamp`
machineName	`str`
malwareDataModel__Class	`str`
malwareDataModel__description	`str`
malwareDataModel__detectionRule	`str`
malwareDataModel__detectionName	`str`
malwareDataModel__documentType	`str`
malwareDataModel__filePath	`str`
malwareDataModel__type	`str`
malwareDataModel__module	`str`
malwareDataModel__processName	`str`
malwareDataModel__url	`str`
name	`str`
needsAttention	`bool`
referenceElementType	`str`
referenceGuid	`str`
schedulerScan	`bool`
score	`float8`
status	`str`
timestamp	`timestamp`
type	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`

Rw tab

title	4-6

edr.cybereason.malop
edr.cybereason.malware
edr.cybereason.useractions

Anchor
tag4
tag4
edr.cybereason.malop

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

Code Block
split(hostchain, "=", 0)

hostchain

cefVersion

str

embDeviceVendor

str

embDeviceProduct

str

deviceVersion

str

signatureID

str

name

str

severity

str

deviceDnsDomain

str

dvc

ip4

reason

str

requestContext

str

rt

timestamp

Code Block
parsedate(replace(rt_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")

rt_tmp

start

timestamp

Code Block
parsedate(replace(start_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")

start_tmp

suser

str

malopId

str

malopDetectionType

str

malopActivityType

str

malopSuspect

str

malopKeySuspicion

str

linkToMalop

str

affectedMachine

str

affectedMachinesCount

int8

affectedUsers

int8

malopCreationTime

timestamp

Code Block
parsedate(replace(malopCreationTime_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")

malopCreationTime_tmp

malopUpdateTime

timestamp

Code Block
parsedate(replace(malopUpdateTime_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")

malopUpdateTime_tmp

isSigned

int4

isOnline

int4

isOriginalMachine

int4

parentProcess

str

childrenProcess

str

OSandVersion

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag5
tag5
edr.cybereason.malware

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

Code Block
split(hostchain, "=", 0)

hostchain

cefVersion

str

embDeviceVendor

str

embDeviceProduct

str

deviceVersion

str

signatureID

str

name

str

severity

str

eventId

str

virusName

str

context

str

investigation

str

malwareCreationTime

timestamp

Code Block
parsedate(replace(malwareCreationTime_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")

malwareCreationTime_tmp

dvchost

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag6
tag6
edr.cybereason.useractions

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

Code Block
split(hostchain, "=", 0)

hostchain

cefVersion

str

embDeviceVendor

str

embDeviceProduct

str

deviceVersion

str

signatureID

str

name

str

severity

str

username

str

actionSuccess

int4

userActionTime

timestamp

Code Block
parsedate(replace(userActionTime_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")

userActionTime_tmp

actionOccuranceTime

timestamp

Code Block
parsedate(replace(actionOccuranceTime_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")

actionOccuranceTime_tmp

cn2Label

str

cn2

int8

cn3Label

str

cn3

int8

cs2Label

str

cs2

str

cs3Label

str

cs3

str

cs4Label

str

cs4

str

cs5Label

str

cs5

str

cs6Label

str

cs6

str

deviceCustomDate2Label

str

deviceCustomDate2

timestamp

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Versions Compared

Old Version 1

New Version Current

Key

Introduction

Tag structure

Table structure

Anchor
tag1
tag1
edr.cybereason

Anchor
tag2
tag2
edr.cybereason.api_malop

Anchor
tag3
tag3
edr.cybereason.api_malware

Anchor
tag4
tag4
edr.cybereason.malop

Anchor
tag5
tag5
edr.cybereason.malware

Anchor
tag6
tag6
edr.cybereason.useractions

Page Comparison

Versions Compared

Old Version 1

New Version Current

Key

Introduction

Tag structure

Table structure

Anchortag1tag1edr.cybereason

Anchortag2tag2edr.cybereason.api_malop

Anchortag3tag3edr.cybereason.api_malware

Anchortag4tag4edr.cybereason.malop

Anchortag5tag5edr.cybereason.malware

Anchortag6tag6edr.cybereason.useractions

Anchor
tag1
tag1
edr.cybereason

Anchor
tag2
tag2
edr.cybereason.api_malop

Anchor
tag3
tag3
edr.cybereason.api_malware

Anchor
tag4
tag4
edr.cybereason.malop

Anchor
tag5
tag5
edr.cybereason.malware

Anchor
tag6
tag6
edr.cybereason.useractions