| Table of Contents | ||||||
|---|---|---|---|---|---|---|
|
Introduction
The tags begin with edr.blackberry.cylance identify the events generated by Blackberry.
...
Tag structure
The full tag must have 4 levels. The first three two are fixed as edr.blackberry. cylance. The fourth third level identifies the type of event sent
...
Technology
...
Brang
...
Type
...
Subtype
...
edr
...
blackberry
...
cylance
...
users
policies
threats
detections
detections_rules
detections_exceptions
devices
These are the valid tags and corresponding data tables that will receive the parsers' data:
...
Tag
...
events sent, and the fourth level indicates the event subtype.
Product / Services | Tags | Data tables |
|---|---|---|
Blackberry |
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
...
|
For more information, read more about Devo tags.
Table structure
These are the fields displayed in these tables:
| Rw ui tabs macro | ||||||
|---|---|---|---|---|---|---|
Anchor | | edr.blackberry.cylance.users | edr.blackberry.cylance.users||||
Field | Type | Extra Label | ||||
eventdate | timestamp | - | ||||
hostname | str | - | ||||
id | str | - | ||||
tenant_id | str | - | ||||
first_name | str | - | ||||
last_name | str | - | ||||
str | - | |||||
cur_id | str | - | ||||
eeco_id | str | - | ||||
has_logged_in | bool | - | ||||
role_type | str | - | ||||
role_name | str | - | ||||
default_zone_role_type | str | - | ||||
default_zone_role_name | str | - | ||||
date_last_login | timestamp | - | ||||
date_email_confirmed | timestamp | - | ||||
date_created | timestamp | - | ||||
date_modified | timestamp | - | ||||
related_zones | int4 | - | ||||
zone | str | - | ||||
zone_id | str | - | ||||
zone_role_type | str | - | ||||
zone_role_name | str | - | ||||
related_zone_count | int4 | - | ||||
at_devo_pulling_id | str | - | ||||
hostchain | str | ✓ | ||||
tag | str | ✓ | ||||
rawMessage | str | ✓ |
| Anchor | ||
|---|---|---|
|
|
|
devices
Field | Type |
|---|
Field |
|---|
transformation | Source field name | Extra fields |
|---|---|---|
eventdate |
|
-
|
| |
hostname |
|
|
|
id |
|
-
|
|
name |
|
|
|
host_name |
|
|
|
os_version |
|
|
|
os_ |
kernel_version |
|
-
|
|
state |
|
-
|
|
agent_version |
|
|
|
checksum
str
-
policy_id |
|
-
|
|
policy_name
str
-
script_control_v2
str
last_logged_in_user |
|
|
|
update_type |
|
-
|
|
update_ |
available |
|
-
|
|
background_ |
detection |
|
-
|
|
is_ |
safe |
|
-
|
|
date_first_ |
registered |
|
-
|
| |
date_ |
offline |
|
|
|
date_ |
date_added_str
last_modified |
|
|
date_modified_str
log_policy_retentiondays
str
|
parsedate(date_modified_str, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS", "UTC"))distinguished_name |
|
|
|
dlcm_status |
|
-
|
|
days_ |
to_ |
deletion |
|
|
| ||
related_ |
products |
|
-
|
|
product |
|
-
|
|
related_policy_count
int4
-
ip |
|
|
|
related_mac |
|
-
|
|
policy_name |
|
✓
|
|
tag
str
related_ips |
|
|
|
rawMessage
str
✓
Field
Type
Extra Label
eventdate
timestamp
-
hostname
str
-
agent_version
str
-
auto_run
bool
-
av_industry
str
-
cert_issuer
str
-
cert_publisher
str
-
cert_timestamp
timestamp
-
classification
str
-
cylance_score
float8
-
date_found
timestamp
-
detected_by
str
-
device_id
str
-
device_name
str
-
file_path
str
-
file_size
int4
-
file_status
str
-
global_quarantined
bool
-
last_found
timestamp
-
md5
str
-
name
str
-
policy_id
str
-
running
bool
-
safelisted
bool
-
sha256
str
-
signed
bool
-
state
str
-
sub_classification
str
-
unique_to_cylance
bool
-
ip
str
-
mac
str
-
related_ips
int4
-
related_ip
ip4
-
related_ip_count
int4
-
related_macs
int4
-
related_mac
str
-
related_mac_count
int4
-
related_ip_count |
|
|
| |||
related_mac_count |
|
|
| |||
related_macs |
|
|
| |||
mac |
|
|
| |||
related_ip4 |
|
| related_ip_str | |||
related_ip6 |
|
| related_ip_str | |||
product_name |
|
|
| |||
product_version |
|
|
| |||
product_status |
|
|
| |||
at_devo_pulling_id |
|
|
| |||
hostchain |
|
|
| ✓ |
tag |
|
|
| ✓ |
rawMessage |
|
|
|
| title | Tables 4-7 |
|---|
✓ |
| Anchor | ||||
|---|---|---|---|---|
|
Field | Type | Extra |
|---|
fields | |
|---|---|
eventdate |
|
| |
hostname |
|
| |
Id |
|
| |
ActivationTime |
|
| |
AppliedExceptions |
|
| |
ArtifactsOfInterest__UnsignedProc |
|
| |
Detector__Name |
|
| |
Detector__Version |
|
| |
Device__CylanceId |
|
| |
Device__Name |
|
| |
Device__IpAddresses |
|
| |
Device__LoggedOnUsers |
|
| |
Name |
|
| |
ObjectType |
|
| |
OccurrenceTime |
|
| |
Product__Name |
|
| |
Product__Version |
|
| |
PhoneticId |
|
| |
ReceivedTime |
|
| |
SchemaVersion |
|
| |
Severity |
|
| |
SeveritySortLevel |
|
| |
Status |
|
| |
StatusSortLevel |
|
| |
TenantId |
|
| |
Trace |
|
| |
detection_rule_Name |
|
| |
detection_rule_Id |
|
| |
detection_rule_PolicyGroup |
|
| |
detection_rule_Version |
|
| |
detection_rule_ObjectType |
|
| |
detection_rule_Description |
|
| |
detection_rule_Category |
|
| |
related_zone_id |
|
| |
zone_id |
|
| |
AssociatedArtifacts |
|
| |
DetectionRule__Name |
|
| |
DetectionRule__Id |
|
| |
DetectionRule__PolicyGroup |
|
| |
DetectionRule__Version |
|
| |
DetectionRule__ObjectType |
|
| |
DetectionRule__Description |
|
| |
DetectionRule__Category |
|
| |
detector_Name |
|
| |
detector_Version |
|
| |
device_CylanceId |
|
| |
device_Name |
|
| |
device_IpAddresses |
|
| |
device_LoggedOnUsers |
|
| |
product_Name |
|
| |
product_Version |
|
| |
related_zone_ids |
|
| |
related_zone_id_count |
|
| |
at_devo_pulling_id |
|
| ||
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
| Anchor | ||||
|---|---|---|---|---|
|
Field | Type | Extra |
|---|
fields | |
|---|---|
eventdate |
|
| |
hostname |
|
| |
MaximumConcurrentActivations |
|
| |
ActivationLifetimeLimit |
|
| |
TerminateActiveDfaIfActivatingProcessesEnd |
|
| |
ActivationCanUtilizeDeviceStateEvents |
|
| |
AllowMultipleActivationsPerContext |
|
| |
OperatingSystems |
|
| |
States |
|
| |
Paths |
|
| |
ObjectType |
|
| |
Name |
|
| |
Id |
|
| |
Version |
|
| |
SchemaVersion |
|
| |
Description |
|
| |
Tags |
|
| |
RuleSource |
|
| |
RuleSourceGrouping |
|
| |
Severity |
|
| |
Plugin__Name |
|
| |
NotValidBefore |
|
| |
NotValidAfter |
|
| |
RulesetCount |
|
| |
LastModified |
|
| |
Category |
|
| |
DeviceCount |
|
| |
ModifiedBy__login |
|
| |
ModifiedBy__id |
|
| |
product_Name |
|
| |
Product__Name |
|
| |
plugin_Name |
|
| |
at_devo_pulling_id |
|
| ||
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
| Anchor | ||||
|---|---|---|---|---|
|
Field | Type | Extra |
|---|
fields | |
|---|---|
eventdate |
|
| |
hostname |
|
| |
ObjectType |
|
| |
Plugin__Name |
|
| |
Tags |
|
| |
OperatingSystems |
|
| |
SchemaVersion |
|
| |
States |
|
| |
Name |
|
| |
Description |
|
| |
Id |
|
| |
Version |
|
| |
RulesetCount |
|
| |
LastModified |
|
| |
PolicyCount |
|
| |
DeviceCount |
|
| |
ModifiedBy__login |
|
| |
ModifiedBy__id |
|
| |
product_Name |
|
| |
Product__Name |
|
| |
plugin_Name |
|
| |
at_devo_pulling_id |
|
| ||
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
| Rw tab | ||
|---|---|---|
|
| Anchor | ||
|---|---|---|
|
|
|
policies
Field | Type |
|---|
Field |
|---|
transformation | Source field name | Extra fields |
|---|---|---|
eventdate |
|
|
| ||
hostname |
|
|
| ||
memoryviolation_actions__memory_violations_ext_v2 |
|
|
|
id
str
memoryviolation_actions__memory_violations |
|
|
| |
memoryviolation_actions__memory_violations_ext |
|
|
|
memoryviolation_actions__memory_exclusion_list |
|
-
|
|
memoryviolation_actions__memory_exclusion_list_v2 |
|
|
|
filetype_actions__suspicious_files |
|
|
|
filetype_actions__threat_files |
|
|
| ||
checksum |
|
|
|
file_exclusions |
|
|
| ||
policy_name |
|
|
|
script_control_ |
v2 |
|
|
| |||
policy |
|
|
| |
policy_id |
|
|
| |
policy_utctimestamp |
|
|
| |||
device_count |
|
|
| |
zone_count |
|
|
|
last_logged_in_user
str
-
update_type
str
date_added |
|
| date_added_str | |||
date_modified |
|
| date_modified_str | |||
log_policy_retentiondays |
|
|
| |||
log_policy_log_upload |
|
|
| |||
log_policy_maxlogsize |
|
|
|
related_ |
policys |
|
-
|
|
policy_ |
value |
|
-
|
|
related_policy_ |
count |
|
-
|
|
at_devo_ |
timestamp
pulling_id |
|
|
| |
hostchain |
|
|
|
✓ | |
tag |
|
|
| ✓ | |
rawMessage |
|
|
|
date_last_modified
timestamp
-
distinguished_name
str
-
dlcm_status
str
-
days_to_deletion
str
-
related_products
int4
-
product
str
-
ip
str
-
related_mac
str
-
policy_name
str
-
✓ |
| Anchor | ||||
|---|---|---|---|---|
|
Field | Type | Extra fields |
|---|---|---|
eventdate |
|
|
hostname |
|
|
agent_version |
|
|
auto_run |
|
|
av_industry |
|
|
cert_issuer |
|
|
cert_publisher |
|
|
cert_timestamp |
|
|
classification |
|
|
cylance_score |
|
|
date_found |
|
|
detected_by |
|
|
device_id |
|
|
device_name |
|
|
file_path |
|
|
file_size |
|
|
file_status |
|
|
global_quarantined |
|
|
last_found |
|
|
md5 |
|
|
name |
|
|
policy_id |
|
|
running |
|
|
safelisted |
|
|
sha256 |
|
|
signed |
|
|
state |
|
|
sub_classification |
|
|
unique_to_cylance |
|
|
ip |
|
|
mac |
|
|
related_ips |
|
-
| ||
related_ip |
|
|
related_ip_count |
|
| ||
related_macs |
|
|
related_mac |
|
|
related_mac_count |
|
-
related_macs
int4
-
mac
str
-
related_ip4
ip4
-
| Code Block |
|---|
ip4(related_ip_str) |
related_ip_str
related_ip6
ip6
-
| Code Block |
|---|
ip6(related_ip_str) |
related_ip_str
product_name
str
-
product_version
str
-
product_status
str
-
| ||
at_devo_pulling_id |
|
|
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
| Anchor | ||||
|---|---|---|---|---|
|
Field | Type | Extra fields |
|---|---|---|
eventdate |
|
|
hostname |
|
|
id |
|
|
tenant_id |
|
|
first_name |
|
|
last_name |
|
|
|
| |
cur_id |
|
|
eeco_id |
|
|
has_logged_in |
|
|
role_type |
|
|
role_name |
|
|
default_zone_role_type |
|
|
default_zone_role_name |
|
|
date_last_login |
|
|
date_email_confirmed |
|
|
date_created |
|
|
date_modified |
|
|
related_zones |
|
|
zone |
|
|
zone_id |
|
|
zone_role_type |
|
|
zone_role_name |
|
|
related_zone_count |
|
|
at_devo_pulling_id |
|
-
|
hostchain |
|
|
tag |
|
✓
| |
rawMessage |
|
|