Introduction

Tags beginning with edr.blackberry.cylance identify the events generated by Blackberry.

The full tag must have 4 levels. The first three are fixed as edr.blackberry.cylance. The fourth level identifies the type of event sent:

Product / Services | Tags | Data tables
Blackberry | edr.blackberry.cylance.devices | edr.blackberry.cylance.devices
Blackberry | edr.blackberry.cylance.optics_detections | edr.blackberry.cylance.optics_detections
Blackberry | edr.blackberry.cylance.optics_detections_rules | edr.blackberry.cylance.optics_detections_rules
Blackberry | edr.blackberry.cylance.optics_detections_exceptions | edr.blackberry.cylance.optics_detections_exceptions
Blackberry | edr.blackberry.cylance.policies | edr.blackberry.cylance.policies
Blackberry | edr.blackberry.cylance.threats | edr.blackberry.cylance.threats
Blackberry | edr.blackberry.cylance.users | edr.blackberry.cylance.users

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

edr.blackberry.cylance.devices

Field | Type | Field transformation | Source field name | Extra fields
eventdate | timestamp | - | - | -
hostname | str | - | - | -
id | str | - | - | -
name | str | - | - | -
host_name | str | - | - | -
os_version | str | - | - | -
os_kernel_version | str | - | - | -
state | str | - | - | -
agent_version | str | - | - | -
policy_id | str | - | - | -
last_logged_in_user | str | - | - | -
update_type | str | - | - | -
update_available | bool | - | - | -
background_detection | bool | - | - | -
is_safe | bool | - | - | -
date_first_registered | timestamp | - | - | -
date_offline | str | - | - | -
date_last_modified | timestamp | - | - | -
distinguished_name | str | - | - | -
dlcm_status | str | - | - | -
days_to_deletion | str | - | - | -
related_products | int4 | - | - | -
product | str | - | - | -
ip | str | - | - | -
related_mac | str | - | - | -
policy_name | str | - | - | -
related_ips | int4 | - | - | -
related_ip_count | int4 | - | - | -
related_mac_count | int4 | - | - | -
related_macs | int4 | - | - | -
mac | str | - | - | -
related_ip4 | ip4 | ip4(related_ip_str) | related_ip_str | -
related_ip6 | ip6 | ip6(related_ip_str) | related_ip_str | -
product_name | str | - | - | -
product_version | str | - | - | -
product_status | str | - | - | -
at_devo_pulling_id | str | - | - | -
hostchain | str | - | - | ✓
tag | str | - | - | ✓
rawMessage | str | - | - | ✓

edr.blackberry.cylance.optics_detections

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str | -
Id | str | -
ActivationTime | timestamp | -
AppliedExceptions | str | -
ArtifactsOfInterest__UnsignedProc | str | -
Detector__Name | str | -
Detector__Version | str | -
Device__CylanceId | str | -
Device__Name | str | -
Device__IpAddresses | str | -
Device__LoggedOnUsers | str | -
Name | str | -
ObjectType | str | -
OccurrenceTime | timestamp | -
Product__Name | str | -
Product__Version | str | -
PhoneticId | str | -
ReceivedTime | timestamp | -
SchemaVersion | str | -
Severity | str | -
SeveritySortLevel | int4 | -
Status | str | -
StatusSortLevel | int4 | -
TenantId | str | -
Trace | str | -
detection_rule_Name | str | -
detection_rule_Id | str | -
detection_rule_PolicyGroup | str | -
detection_rule_Version | str | -
detection_rule_ObjectType | str | -
detection_rule_Description | str | -
detection_rule_Category | str | -
related_zone_id | str | -
zone_id | str | -
AssociatedArtifacts | str | -
DetectionRule__Name | str | -
DetectionRule__Id | str | -
DetectionRule__PolicyGroup | str | -
DetectionRule__Version | str | -
DetectionRule__ObjectType | str | -
DetectionRule__Description | str | -
DetectionRule__Category | str | -
detector_Name | str | -
detector_Version | str | -
device_CylanceId | str | -
device_Name | str | -
device_IpAddresses | str | -
device_LoggedOnUsers | str | -
product_Name | str | -
product_Version | str | -
related_zone_ids | int4 | -
related_zone_id_count | int4 | -
at_devo_pulling_id | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

edr.blackberry.cylance.optics_detections_rules

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str | -
MaximumConcurrentActivations | int4 | -
ActivationLifetimeLimit | str | -
TerminateActiveDfaIfActivatingProcessesEnd | bool | -
ActivationCanUtilizeDeviceStateEvents | bool | -
AllowMultipleActivationsPerContext | bool | -
OperatingSystems | str | -
States | str | -
Paths | str | -
ObjectType | str | -
Name | str | -
Id | str | -
Version | str | -
SchemaVersion | str | -
Description | str | -
Tags | str | -
RuleSource | str | -
RuleSourceGrouping | str | -
Severity | str | -
Plugin__Name | str | -
NotValidBefore | timestamp | -
NotValidAfter | timestamp | -
RulesetCount | int4 | -
LastModified | timestamp | -
Category | str | -
DeviceCount | int4 | -
ModifiedBy__login | str | -
ModifiedBy__id | str | -
product_Name | str | -
Product__Name | str | -
plugin_Name | str | -
at_devo_pulling_id | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

edr.blackberry.cylance.optics_detections_exceptions

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str | -
ObjectType | str | -
Plugin__Name | str | -
Tags | str | -
OperatingSystems | str | -
SchemaVersion | str | -
States | str | -
Name | str | -
Description | str | -
Id | str | -
Version | str | -
RulesetCount | int4 | -
LastModified | timestamp | -
PolicyCount | int4 | -
DeviceCount | int4 | -
ModifiedBy__login | str | -
ModifiedBy__id | str | -
product_Name | str | -
Product__Name | str | -
plugin_Name | str | -
at_devo_pulling_id | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

edr.blackberry.cylance.policies

Field | Type | Field transformation | Source field name | Extra fields
eventdate | timestamp | - | - | -
hostname | str | - | - | -
memoryviolation_actions__memory_violations_ext_v2 | str | - | - | -
memoryviolation_actions__memory_violations | str | - | - | -
memoryviolation_actions__memory_violations_ext | str | - | - | -
memoryviolation_actions__memory_exclusion_list | str | - | - | -
memoryviolation_actions__memory_exclusion_list_v2 | str | - | - | -
filetype_actions__suspicious_files | str | - | - | -
filetype_actions__threat_files | str | - | - | -
checksum | str | - | - | -
file_exclusions | str | - | - | -
policy_name | str | - | - | -
script_control_v2 | str | - | - | -
policy | str | - | - | -
policy_id | str | - | - | -
policy_utctimestamp | str | - | - | -
device_count | int4 | - | - | -
zone_count | int4 | - | - | -
date_added | timestamp | parsedate(date_added_str, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS", "UTC")) | date_added_str | -
date_modified | timestamp | parsedate(date_modified_str, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS", "UTC")) | date_modified_str | -
log_policy_retentiondays | str | - | - | -
log_policy_log_upload | str | - | - | -
log_policy_maxlogsize | str | - | - | -
related_policys | int4 | - | - | -
policy_value | str | - | - | -
related_policy_count | int4 | - | - | -
at_devo_pulling_id | str | - | - | -
hostchain | str | - | - | ✓
tag | str | - | - | ✓
rawMessage | str | - | - | ✓

edr.blackberry.cylance.threats

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str | -
agent_version | str | -
auto_run | bool | -
av_industry | str | -
cert_issuer | str | -
cert_publisher | str | -
cert_timestamp | timestamp | -
classification | str | -
cylance_score | float8 | -
date_found | timestamp | -
detected_by | str | -
device_id | str | -
device_name | str | -
file_path | str | -
file_size | int4 | -
file_status | str | -
global_quarantined | bool | -
last_found | timestamp | -
md5 | str | -
name | str | -
policy_id | str | -
running | bool | -
safelisted | bool | -
sha256 | str | -
signed | bool | -
state | str | -
sub_classification | str | -
unique_to_cylance | bool | -
ip | str | -
mac | str | -
related_ips | int4 | -
related_ip | ip4 | -
related_ip_count | int4 | -
related_macs | int4 | -
related_mac | str | -
related_mac_count | int4 | -
at_devo_pulling_id | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

edr.blackberry.cylance.users

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str | -
id | str | -
tenant_id | str | -
first_name | str | -
last_name | str | -
email | str | -
cur_id | str | -
eeco_id | str | -
has_logged_in | bool | -
role_type | str | -
role_name | str | -
default_zone_role_type | str | -
default_zone_role_name | str | -
date_last_login | timestamp | -
date_email_confirmed | timestamp | -
date_created | timestamp | -
date_modified | timestamp | -
related_zones | int4 | -
zone | str | -
zone_id | str | -
zone_role_type | str | -
zone_role_name | str | -
related_zone_count | int4 | -
at_devo_pulling_id | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓