**edr.cybereason**

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | `split(hostchain, "=", 0)` | hostchain | |
| type | str | | vtype | |
| cefVersion | str | | | |
| embDeviceVendor | str | | | |
| embDeviceProduct | str | | | |
| deviceVersion | str | | | |
| signatureID | str | | | |
| name | str | | | |
| severity | str | | | |
| cn1Label | str | | | |
| cn1 | int8 | | | |
| cn2Label | str | | | |
| cn2 | int8 | | | |
| cn3Label | str | | | |
| cn3 | int8 | | | |
| cs1Label | str | | | |
| cs1 | str | | | |
| cs2Label | str | | | |
| cs2 | str | | | |
| cs3Label | str | | | |
| cs3 | str | | | |
| cs4Label | str | | | |
| cs4 | str | | | |
| cs5Label | str | | | |
| cs5 | str | | | |
| cs6Label | str | | | |
| cs6 | str | | | |
| deviceCustomDate1Label | str | | | |
| deviceCustomDate1 | timestamp | `parsedate(replace(deviceCustomDate1_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")` | deviceCustomDate1_tmp | |
| deviceCustomDate2Label | str | | | |
| deviceCustomDate2 | timestamp | `parsedate(replace(deviceCustomDate2_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")` | deviceCustomDate2_tmp | |
| deviceDnsDomain | str | | | |
| dvc | ip4 | | | |
| reason | str | | | |
| requestContext | str | | | |
| rt | timestamp | `parsedate(replace(rt_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")` | rt_tmp | |
| start | timestamp | `parsedate(replace(start_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")` | start_tmp | |
| suser | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
**edr.cybereason.api_malop**

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| id | str | |
| affectedMachines | str | |
| affectedUsers | str | |
| allRansomwareProcessesSuspended | str | |
| closeTime | str | |
| closerName | str | |
| creationTime | timestamp | |
| customClassification | str | |
| decisionFeature | str | |
| detectionType | str | |
| elementDisplayName | str | |
| hasRansomwareSuspendedProcesses | str | |
| isBlocked | str | |
| isMalicious | bool | |
| malopActivityTypes | str | |
| malopLastUpdateTime | timestamp | |
| malopStartTime | timestamp | |
| managementStatus | str | |
| primaryRootCauseElements | str | |
| rootCauseElementHashes | str | |
| rootCauseElementNames | str | |
| rootCauseElementTypes | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | |
**edr.cybereason.api_malware**

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| detectionEngine | str | |
| detectionValue | str | |
| detectionValueType | str | |
| elementType | str | |
| guid | str | |
| id__elementType | str | |
| id__guid | str | |
| id__malwareType | str | |
| id__timestamp | timestamp | |
| machineName | str | |
| malwareDataModel__Class | str | |
| malwareDataModel__description | str | |
| malwareDataModel__detectionRule | str | |
| malwareDataModel__detectionName | str | |
| malwareDataModel__documentType | str | |
| malwareDataModel__filePath | str | |
| malwareDataModel__type | str | |
| malwareDataModel__module | str | |
| malwareDataModel__processName | str | |
| malwareDataModel__url | str | |
| name | str | |
| needsAttention | bool | |
| referenceElementType | str | |
| referenceGuid | str | |
| schedulerScan | bool | |
| score | float8 | |
| status | str | |
| timestamp | timestamp | |
| type | str | |
| hostchain | str | |
| tag | str | ✓ |
| rawMessage | str | ✓ |
**edr.cybereason.malop**

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | `split(hostchain, "=", 0)` | hostchain | |
| cefVersion | str | | | |
| embDeviceVendor | str | | | |
| embDeviceProduct | str | | | |
| deviceVersion | str | | | |
| signatureID | str | | | |
| name | str | | | |
| severity | str | | | |
| deviceDnsDomain | str | | | |
| dvc | ip4 | | | |
| reason | str | | | |
| requestContext | str | | | |
| rt | timestamp | `parsedate(replace(rt_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")` | rt_tmp | |
| start | timestamp | `parsedate(replace(start_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")` | start_tmp | |
| suser | str | | | |
| malopId | str | | | |
| malopDetectionType | str | | | |
| malopActivityType | str | | | |
| malopSuspect | str | | | |
| malopKeySuspicion | str | | | |
| linkToMalop | str | | | |
| affectedMachine | str | | | |
| affectedMachinesCount | int8 | | | |
| affectedUsers | int8 | | | |
| malopCreationTime | timestamp | `parsedate(replace(malopCreationTime_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")` | malopCreationTime_tmp | |
| malopUpdateTime | timestamp | `parsedate(replace(malopUpdateTime_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")` | malopUpdateTime_tmp | |
| isSigned | int4 | | | |
| isOnline | int4 | | | |
| isOriginalMachine | int4 | | | |
| parentProcess | str | | | |
| childrenProcess | str | | | |
| OSandVersion | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
**edr.cybereason.malware**

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | `split(hostchain, "=", 0)` | hostchain | |
| cefVersion | str | | | |
| embDeviceVendor | str | | | |
| embDeviceProduct | str | | | |
| deviceVersion | str | | | |
| signatureID | str | | | |
| name | str | | | |
| severity | str | | | |
| eventId | str | | | |
| virusName | str | | | |
| context | str | | | |
| investigation | str | | | |
| malwareCreationTime | timestamp | `parsedate(replace(malwareCreationTime_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")` | malwareCreationTime_tmp | |
| dvchost | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
**edr.cybereason.useractions**

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | `split(hostchain, "=", 0)` | hostchain | |
| cefVersion | str | | | |
| embDeviceVendor | str | | | |
| embDeviceProduct | str | | | |
| deviceVersion | str | | | |
| signatureID | str | | | |
| name | str | | | |
| severity | str | | | |
| username | str | | | |
| actionSuccess | int4 | | | |
| userActionTime | timestamp | `parsedate(replace(userActionTime_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")` | userActionTime_tmp | |
| actionOccuranceTime | timestamp | `parsedate(replace(actionOccuranceTime_tmp, " UTC", ""), "MMM DD YYYY, HH:mm:ss", "UTC")` | actionOccuranceTime_tmp | |
| cn2Label | str | | | |
| cn2 | int8 | | | |
| cn3Label | str | | | |
| cn3 | int8 | | | |
| cs2Label | str | | | |
| cs2 | str | | | |
| cs3Label | str | | | |
| cs3 | str | | | |
| cs4Label | str | | | |
| cs4 | str | | | |
| cs5Label | str | | | |
| cs5 | str | | | |
| cs6Label | str | | | |
| cs6 | str | | | |
| deviceCustomDate2Label | str | | | |
| deviceCustomDate2 | timestamp | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |