This group includes tags that start with the level edr. These tags identify data generated by Endpoint Detection and Response (EDR) systems.

Company

Product / Service

Data tables

  • edr.all.threats

Note

Union table - edr.all.threats

This is a union table that collects events from a set of tables for easy access and analysis.

Learn more about this union table in this article.

  • edr.all.processes

  • edr.all.netconns

BlackBerry Cylance

  • edr.blackberry.cylance.devices

  • edr.blackberry.cylance.optics_detections

  • edr.blackberry.cylance.optics_detections_rules

  • edr.blackberry.cylance.optics_detections_exceptions

  • edr.blackberry.cylance.policies

  • edr.blackberry.cylance.threats

  • edr.blackberry.cylance.users

More information

Carbon Black

  • edr.carbonblack

  • edr.carbonblack.all

Note

Union table - edr.carbonblack.all

This is a union table that collects events from a set of tables for easy access and analysis.

Learn more about this union table in this article.

  • edr.carbonblack.alert

  • edr.carbonblack.binary

  • edr.carbonblack.feed

  • edr.carbonblack.ingress

  • edr.carbonblack.protect

  • edr.carbonblack.watchlist

More information

Carbon Black Event Forwarder

  • edr.cbef

  • edr.cbef.alert

  • edr.cbef.alert.cb_analytics

  • edr.cbef.alert.watchlist

  • edr.cbef.endpoint_event

  • edr.cbef.endpoint_event.apicall

  • edr.cbef.endpoint_event.crossproc

  • edr.cbef.endpoint_event.filemod

  • edr.cbef.endpoint_event.moduleload

  • edr.cbef.endpoint_event.netconn

  • edr.cbef.endpoint_event.procend

  • edr.cbef.endpoint_event.procstart

  • edr.cbef.endpoint_event.regmod

More information

Cisco Secure Endpoint (Formerly AMP for Endpoints)

  • edr.cisco.amp.computers

  • edr.cisco.amp.events

  • edr.cisco.amp.vulnerabilities

More information

Cortex XDR

  • edr.cortex_xdr.alerts

  • edr.cortex_xdr.alerts_multi

  • edr.cortex_xdr.alerts_multi_event

  • edr.cortex_xdr.incidents

More information

CrowdStrike

  • edr.crowdstrike.cannon

  • edr.crowdstrike.cannon.additionalhostinfo

  • edr.crowdstrike.cannon.agentconnect

  • edr.crowdstrike.cannon.agentonline

  • edr.crowdstrike.cannon.arcfilewrtitten

  • edr.crowdstrike.cannon.asepkeyupdate

  • edr.crowdstrike.cannon.asepvalueupdate

  • edr.crowdstrike.cannon.associateindicator

  • edr.crowdstrike.cannon.associatetreeidwithroot

  • edr.crowdstrike.cannon.billinginfo

  • edr.crowdstrike.cannon.bitsjobcreated

  • edr.crowdstrike.cannon.bmpfilewritten

  • edr.crowdstrike.cannon.cabfilewritten

  • edr.crowdstrike.cannon.channeldatadownloadcomplete

  • edr.crowdstrike.cannon.channelversionrequired

  • edr.crowdstrike.cannon.commandhistory

  • edr.crowdstrike.cannon.configstateupdate

  • edr.crowdstrike.cannon.createservice

  • edr.crowdstrike.cannon.criticalenvironmentvariablechanged

  • edr.crowdstrike.cannon.criticalfileaccessed

  • edr.crowdstrike.cannon.currentsystemtags

  • edr.crowdstrike.cannon.dconline

  • edr.crowdstrike.cannon.dcstatus

  • edr.crowdstrike.cannon.dcsyncattempted

  • edr.crowdstrike.cannon.dcusbconfigurationdescriptor

  • edr.crowdstrike.cannon.dcusbdeviceblocked

  • edr.crowdstrike.cannon.dcusbdeviceconnected

  • edr.crowdstrike.cannon.dcusbdevicedisconnected

  • edr.crowdstrike.cannon.dcusbendpointdescriptor

  • edr.crowdstrike.cannon.dcusbhiddescriptor

  • edr.crowdstrike.cannon.dcusbinterfacedescriptor

  • edr.crowdstrike.cannon.deliverlocalfxtocloud

  • edr.crowdstrike.cannon.detectionexcluded

  • edr.crowdstrike.cannon.directorycreate

  • edr.crowdstrike.cannon.directorytraversaloversmb

  • edr.crowdstrike.cannon.diskcapacity

  • edr.crowdstrike.cannon.dllinjection

  • edr.crowdstrike.cannon.dmpfilewritten

  • edr.crowdstrike.cannon.dnsrequest

  • edr.crowdstrike.cannon.documentproograminjectedthread

  • edr.crowdstrike.cannon.driverload

  • edr.crowdstrike.cannon.dwgfilewritten

  • edr.crowdstrike.cannon.elffilewritten

  • edr.crowdstrike.cannon.endofprocess

  • edr.crowdstrike.cannon.errorevent

  • edr.crowdstrike.cannon.etwcomponentresponse

  • edr.crowdstrike.cannon.etwerrorevent

  • edr.crowdstrike.cannon.executabledeleted

  • edr.crowdstrike.cannon.falconservicestatus

  • edr.crowdstrike.cannon.filedeleted

  • edr.crowdstrike.cannon.filedeleteinfo

  • edr.crowdstrike.cannon.fileopeninfo

  • edr.crowdstrike.cannon.filerenameinfo

  • edr.crowdstrike.cannon.firewallchangeoption

  • edr.crowdstrike.cannon.firewalldeleterule

  • edr.crowdstrike.cannon.firewallsetrule

  • edr.crowdstrike.cannon.firmwareanalysishardwaredata

  • edr.crowdstrike.cannon.firmwareanalysisstatus

  • edr.crowdstrike.cannon.fspostopensnapshotfile

  • edr.crowdstrike.cannon.fsvolumemounted

  • edr.crowdstrike.cannon.fsvolumeunmounted

  • edr.crowdstrike.cannon.genericfilewritten

  • edr.crowdstrike.cannon.giffilewritten

  • edr.crowdstrike.cannon.giffilewritten

  • edr.crowdstrike.cannon.gzipfilewritten

  • edr.crowdstrike.cannon.hostedservicestarted

  • edr.crowdstrike.cannon.hostedservicesttoped

  • edr.crowdstrike.cannon.hostinfo

  • edr.crowdstrike.cannon.hostnamechanged

  • edr.crowdstrike.cannon.imagehash

  • edr.crowdstrike.cannon.injectedthread

  • edr.crowdstrike.cannon.installedapplication

  • edr.crowdstrike.cannon.installedupdates

  • edr.crowdstrike.cannon.invalid

  • edr.crowdstrike.cannon.iosessionconnected

  • edr.crowdstrike.cannon.iosessionloggedon

  • edr.crowdstrike.cannon.jarfilewritten

  • edr.crowdstrike.cannon.javaclassfilewritten

  • edr.crowdstrike.cannon.jpegfilewritten

  • edr.crowdstrike.cannon.kernelmodeloadimage

  • edr.crowdstrike.cannon.lfodownloadconfirmation

  • edr.crowdstrike.cannon.localipaddressip4

  • edr.crowdstrike.cannon.localipaddressip6

  • edr.crowdstrike.cannon.localipaddressremovedip4

  • edr.crowdstrike.cannon.localipaddressremovedip6

  • edr.crowdstrike.cannon.lsasshandlefromunisgnedmodule

  • edr.crowdstrike.cannon.manifestdownloadcomplete

  • edr.crowdstrike.cannon.modifyservicebinary

  • edr.crowdstrike.cannon.neighborlistip4

  • edr.crowdstrike.cannon.neighborlistip6

  • edr.crowdstrike.cannon.netshareadd

  • edr.crowdstrike.cannon.netsharesecuritymodify

  • edr.crowdstrike.cannon.networkcapableasepwrite

  • edr.crowdstrike.cannon.networkcloseip4

  • edr.crowdstrike.cannon.networkcloseip6

  • edr.crowdstrike.cannon.networkconnectip4

  • edr.crowdstrike.cannon.networkconnectip6

  • edr.crowdstrike.cannon.networklistenip4

  • edr.crowdstrike.cannon.networklistenip6

  • edr.crowdstrike.cannon.networkreceiveacceptip4

  • edr.crowdstrike.cannon.networkreceiveacceptip6

  • edr.crowdstrike.cannon.newexecutablerenamed

  • edr.crowdstrike.cannon.newexecutablewritten

  • edr.crowdstrike.cannon.newscriptwritten

  • edr.crowdstrike.cannon.olefilewritten

  • edr.crowdstrike.cannon.ooxmlfilewritten

  • edr.crowdstrike.cannon.osversioninfo

  • edr.crowdstrike.cannon.other

  • edr.crowdstrike.cannon.packedexecutablewritten

  • edr.crowdstrike.cannon.pdffilewritten

  • edr.crowdstrike.cannon.pefilewritten

  • edr.crowdstrike.cannon.peversioninfo

  • edr.crowdstrike.cannon.pngfilewritten

  • edr.crowdstrike.cannon.privilegedprocesshandledfromunisgnedmodule

  • edr.crowdstrike.cannon.processinjection

  • edr.crowdstrike.cannon.processrollup2

  • edr.crowdstrike.cannon.processrollup2stats

  • edr.crowdstrike.cannon.processelfdeleted

  • edr.crowdstrike.cannon.promiscuousbindip4

  • edr.crowdstrike.cannon.queueapcetw

  • edr.crowdstrike.cannon.ransomwareopenfile

  • edr.crowdstrike.cannon.rarfilewritten

  • edr.crowdstrike.cannon.rawbindip4

  • edr.crowdstrike.cannon.rawbindip6

  • edr.crowdstrike.cannon.reflectivedotnetmoduleload

  • edr.crowdstrike.cannon.reggenericvalueupdate

  • edr.crowdstrike.cannon.registerrawinputdevicesetw

  • edr.crowdstrike.cannon.regsystemconfigvalueupdate

  • edr.crowdstrike.cannon.removablemediavolumemounted

  • edr.crowdstrike.cannon.resourceutilization

  • edr.crowdstrike.cannon.rtffilewritten

  • edr.crowdstrike.cannon.samhashdumpfromunsignedmodule

  • edr.crowdstrike.cannon.scheduledtaskdeleted

  • edr.crowdstrike.cannon.scheduledtaskmodified

  • edr.crowdstrike.cannon.scheduledtaskregistered

  • edr.crowdstrike.cannon.screenshottakenetw

  • edr.crowdstrike.cannon.scriptcontroldetectinfo

  • edr.crowdstrike.cannon.scriptcontrolerrorevent

  • edr.crowdstrike.cannon.scriptcontrolscantelemetry

  • edr.crowdstrike.cannon.sensitivewmiquery

  • edr.crowdstrike.cannon.sensorheartbeat

  • edr.crowdstrike.cannon.servicestarted

  • edr.crowdstrike.cannon.setwineventhooketw

  • edr.crowdstrike.cannon.sevenzipfilewritten

  • edr.crowdstrike.cannon.signinfoerror

  • edr.crowdstrike.cannon.signinfowithcertandcontext

  • edr.crowdstrike.cannon.signinfowithcontext

  • edr.crowdstrike.cannon.smbclientshareclosedetw

  • edr.crowdstrike.cannon.smbclientshareopenedetw

  • edr.crowdstrike.cannon.smbservershareopenedetw

  • edr.crowdstrike.cannon.snapshotvolumemounted

  • edr.crowdstrike.cannon.suspectcreatethreadstack

  • edr.crowdstrike.cannon.suspiciouscreatesymboliclink

  • edr.crowdstrike.cannon.suspiciousslackofprocessrollupevents

  • edr.crowdstrike.cannon.suspiciousprivilegedprocesshandle

  • edr.crowdstrike.cannon.suspiciousregasepupdate

  • edr.crowdstrike.cannon.syntheticprocessrollup2

  • edr.crowdstrike.cannon.systemcapacity

  • edr.crowdstrike.cannon.tarfilewritten

  • edr.crowdstrike.cannon.tcgpcrinfo

  • edr.crowdstrike.cannon.terminateprocess

  • edr.crowdstrike.cannon.tifffilewritten

  • edr.crowdstrike.cannon.tokenimpersonated

  • edr.crowdstrike.cannon.umppaerrorevent

  • edr.crowdstrike.cannon.umppcbypasssuspected

  • edr.crowdstrike.cannon.updatemanifestdownloadcomplete

  • edr.crowdstrike.cannon.useraccountaddedtogroup

  • edr.crowdstrike.cannon.userexceptiondep

  • edr.crowdstrike.cannon.userfontload

  • edr.crowdstrike.cannon.useridentity

  • edr.crowdstrike.cannon.userinformationetw

  • edr.crowdstrike.cannon.userlogoff

  • edr.crowdstrike.cannon.userlogon

  • edr.crowdstrike.cannon.userlogonfailed

  • edr.crowdstrike.cannon.userlogonfailed2

  • edr.crowdstrike.cannon.volumesnapshotcreated

  • edr.crowdstrike.cannon.volumesnapshotdeleted

  • edr.crowdstrike.cannon.wfpfiltertamperingfilteradded

  • edr.crowdstrike.cannon.wfpfiltertamperingfilterdeleted

  • edr.crowdstrike.cannon.wmicreateprocess

  • edr.crowdstrike.cannon.wmifilterconsumerbindingetw

  • edr.crowdstrike.cannon.wmiproviderregistrationetw

  • edr.crowdstrike.cannon.wroteexeandgeneratedserviceevent

  • edr.crowdstrike.cannon.zipfilewriten

More information

CrowdStrike Falcon Discover

  • edr.crowdstrike.discover

  • edr.crowdstrike.discover.appinfo

  • edr.crowdstrike.discover.userinfo

More information

CrowdStrike Falcon

  • edr.crowdstrike.falcon

More information

CrowdStrike Falcon FileVantage

  • edr.crowdstrike.falcon_filevantage.change

More information

CrowdStrike Falcon Event Streams

  • edr.crowdstrike.falconstreaming

  • edr.crowdstrike.falconstreaming.agents

  • edr.crowdstrike.falconstreaming.auth_activity

  • edr.crowdstrike.falconstreaming.behaviors

  • edr.crowdstrike.falconstreaming.cspm_ioa_streaming

  • edr.crowdstrike.falconstreaming.cspm_search_streaming

  • edr.crowdstrike.falconstreaming.customer_ioc

  • edr.crowdstrike.falconstreaming.detection_summary

  • edr.crowdstrike.falconstreaming.external_api

  • edr.crowdstrike.falconstreaming.firewall_match

  • edr.crowdstrike.falconstreaming.identity_protection

  • edr.crowdstrike.falconstreaming.idp_detection_summary

  • edr.crowdstrike.falconstreaming.incident_summary

  • edr.crowdstrike.falconstreaming.incidents

  • edr.crowdstrike.falconstreaming.mobile_detection_summary

  • edr.crowdstrike.falconstreaming.other

  • edr.crowdstrike.falconstreaming.recon_notification_summary

  • edr.crowdstrike.falconstreaming.remote_response_session

  • edr.crowdstrike.falconstreaming.scheduled_report_notification

  • edr.crowdstrike.falconstreaming.user_activity_all

Note

Union table - edr.crowdstrike.falconstreaming.user_activity_all

This is a union table that collects events from a set of tables for easy access and analysis.

Learn more about this union table in this article.

  • edr.crowdstrike.falconstreaming.user_activity_detections

  • edr.crowdstrike.falconstreaming.user_activity_device_control_policy

  • edr.crowdstrike.falconstreaming.user_activity_devices

  • edr.crowdstrike.falconstreaming.user_activity_groups

  • edr.crowdstrike.falconstreaming.user_activity_ip_whitelist

  • edr.crowdstrike.falconstreaming.user_activity_other

  • edr.crowdstrike.falconstreaming.user_activity_prevention_policy

  • edr.crowdstrike.falconstreaming.user_quarantined_files

  • edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

  • edr.crowdstrike.falconstreaming.vulnerabilities

More information

CrowdStrike Falcon Insight

  • edr.crowdstrike.insight

  • edr.crowdstrike.insight.aidmaster

  • edr.crowdstrike.insight.managedassets

  • edr.crowdstrike.insight.notmanaged

More information

Cybereason

  • edr.cybereason

  • edr.cybereason.api_malop

  • edr.cybereason.api_malware

  • edr.cybereason.malop

  • edr.cybereason.malware

  • edr.cybereason.useractions

More information

Cylance PROTECT

  • edr.cylance

  • edr.cylance.app

  • edr.cylance.audit

  • edr.cylance.device

  • edr.cylance.devicecontrol

  • edr.cylance.memory

  • edr.cylance.optics

  • edr.cylance.optics.dns

  • edr.cylance.optics.file

  • edr.cylance.optics.log

  • edr.cylance.optics.memory

  • edr.cylance.optics.network

  • edr.cylance.optics.powershell

  • edr.cylance.optics.process

  • edr.cylance.optics.registry

  • edr.cylance.optics.wmi

  • edr.cylance.protect

  • edr.cylance.protect.app

  • edr.cylance.protect.audit

  • edr.cylance.protect.device

  • edr.cylance.protect.devicecontrol

  • edr.cylance.protect.memory

  • edr.cylance.protect.script

  • edr.cylance.protect.threats

  • edr.cylance.protect

  • edr.cylance.script

  • edr.cylance.threats

More information

Darktrace RESPOND

  • edr.darktrace.respond.antigena

  • edr.darktrace.respond.incident_event

  • edr.darktrace.respond.model_breach

  • edr.darktrace.respond.status

  • edr.darktrace.respond.summary

More information

FireEye Endpoint Detection & Response

  • edr.fireeye.alerts

More information

Jamf Protect

  • edr.jamf.protect.alerts

More information

Malwarebytes Nebula

  • edr.malwarebytes.nebula.detection

  • edr.malwarebytes.nebula.dns_logdata

  • edr.malwarebytes.nebula.event

  • edr.malwarebytes.nebula.notification

  • edr.malwarebytes.nebula.suspicious_activity

  • edr.malwarebytes.nebula.vulnerability

More information

McAfee MVISION Endpoint

  • edr.mcafee.mvision.threat

More information

Microsoft Defender Endpoint

  • edr.microsoft_defender.advanced_hunting.device_process_events

  • edr.microsoft_defender.alerts.events

  • edr.microsoft_defender.endpoint.alerts

  • edr.microsoft_defender.endpoint.assesment_secure_configuration

  • edr.microsoft_defender.endpoint.assesment_software_inventory

  • edr.microsoft_defender.endpoint.assesment_software_vulnerabilities

  • edr.microsoft_defender.endpoint.investigations

  • edr.microsoft_defender.endpoint.machines

  • edr.microsoft_defender.endpoint.recommendations

  • edr.microsoft_defender.endpoint.software

  • edr.microsoft_defender.endpoint.vulnerabilities

  • edr.microsoft_defender.iot_security.alert

More information

Minerva Labs

  • edr.minervalabs

More information

ObserveIT Insider Threat Detection

  • edr.observeit.events

More information

Palo Alto Cortex XDR

  • edr.paloalto.cortex_xdr

  • edr.paloalto.cortex_xdr_agent

More information

Palo Alto Networks Traps

  • edr.paloalto.traps

More information

SentinelOne

  • edr.sentinelone.agent.agents

  • edr.sentinelone.agent.threats

  • edr.sentinelone.cloud_detection.alerts

  • edr.sentinelone.dv

  • edr.sentinelone.dv.cross_process

  • edr.sentinelone.dv.dns

  • edr.sentinelone.dv.driver

  • edr.sentinelone.dv.events

  • edr.sentinelone.dv.file

  • edr.sentinelone.dv.group

  • edr.sentinelone.dv.indicators

  • edr.sentinelone.dv.ip

  • edr.sentinelone.dv.logins

  • edr.sentinelone.dv.module

  • edr.sentinelone.dv.process

  • edr.sentinelone.dv.registry

  • edr.sentinelone.dv.scheduled_task

  • edr.sentinelone.management.activities

More information

Superna Eyeglass Ransomware Defender

  • edr.superna.ransomware_defender.alarms

  • edr.superna.ransomware_defender.events

More information

Symantec Endpoint Detection & Response

  • edr.symantec.events

More information

Tanium

  • edr.tanium.action_history

  • edr.tanium.all_assets

  • edr.tanium.applicable_patches

  • edr.tanium.asset_report

  • edr.tanium.audit

  • edr.tanium.basic_asset

  • edr.tanium.client_status

  • edr.tanium.crowdstrike

  • edr.tanium.detect

  • edr.tanium.discover

  • edr.tanium.discover_lost

  • edr.tanium.events

  • edr.tanium.installedapps

  • edr.tanium.patch_list

  • edr.tanium.question

  • edr.tanium.threat_response

  • edr.tanium.threats

More information

Trellix Endpoint Security

  • edr.trellix.epo.threat

More information