Table of Contents | ||||||
---|---|---|---|---|---|---|
|
Introduction
The tags begin with edr.blackberry
.cylance identify the events generated by Blackberry.
...
Tag structure
The full tag must have 4 levels. The first three two are fixed as edr.blackberry
. cylance. The fourth third level identifies the type of event sent
...
Technology
...
Brang
...
Type
...
Subtype
...
edr
...
blackberry
...
cylance
...
users
policies
threats
detections
detections_rules
detections_exceptions
devices
These are the valid tags and corresponding data tables that will receive the parsers' data:
...
Tag
...
events sent, and the fourth level indicates the event subtype.
Product / Services | Tags | Data tables |
---|---|---|
Blackberry |
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
...
|
For more information, read more about Devo tags.
Table structure
These are the fields displayed in these tables:
Rw ui tabs macro | ||||||
---|---|---|---|---|---|---|
Anchor | | edr.blackberry.cylance.users | edr.blackberry.cylance.users||||
Field | Type | Extra Label | ||||
eventdate |
| - | ||||
hostname |
| - | ||||
id |
| - | ||||
tenant_id |
| - | ||||
first_name |
| - | ||||
last_name |
| - | ||||
| - | |||||
cur_id |
| - | ||||
eeco_id |
| - | ||||
has_logged_in |
| - | ||||
role_type |
| - | ||||
role_name |
| - | ||||
default_zone_role_type |
| - | ||||
default_zone_role_name |
| - | ||||
date_last_login |
| - | ||||
date_email_confirmed |
| - | ||||
date_created |
| - | ||||
date_modified |
| - | ||||
related_zones |
| - | ||||
zone |
| - | ||||
zone_id |
| - | ||||
zone_role_type |
| - | ||||
zone_role_name |
| - | ||||
related_zone_count |
| - | ||||
at_devo_pulling_id |
| - | ||||
hostchain |
| ✓ | ||||
tag |
| ✓ | ||||
rawMessage |
| ✓ |
Anchor | ||
---|---|---|
|
|
|
devices
Field | Type |
---|
Field |
---|
transformation | Source field name | Extra fields |
---|---|---|
eventdate |
|
-
|
| |
hostname |
|
|
|
id |
|
-
|
|
name |
|
|
|
host_name |
|
|
|
os_version |
|
|
|
os_ |
kernel_version |
|
-
|
|
state |
|
-
|
|
agent_version |
|
|
|
checksum
str
-
policy_id |
|
-
|
|
policy_name
str
-
script_control_v2
str
last_logged_in_user |
|
|
|
update_type |
|
-
|
|
update_ |
available |
str
|
-
|
|
background_ |
detection |
str
|
-
|
|
is_ |
safe |
int4
|
-
|
|
date_first_ |
registered |
int4
|
-
|
| |
date_ |
offline |
timestamp
|
|
|
date_ |
date_added_str
last_modified |
|
|
date_modified_str
log_policy_retentiondays
str
|
parsedate(date_modified_str, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS", "UTC"))
distinguished_name |
|
|
|
dlcm_status |
|
-
|
|
days_ |
to_ |
deletion |
|
|
| ||
related_ |
products |
|
-
|
|
product |
|
-
|
|
related_policy_count
int4
-
ip |
|
|
|
related_mac |
|
-
|
|
policy_name |
|
✓
|
|
tag
str
related_ips |
|
|
|
rawMessage
str
✓
Field
Type
Extra Label
eventdate
timestamp
-
hostname
str
-
agent_version
str
-
auto_run
bool
-
av_industry
str
-
cert_issuer
str
-
cert_publisher
str
-
cert_timestamp
timestamp
-
classification
str
-
cylance_score
float8
-
date_found
timestamp
-
detected_by
str
-
device_id
str
-
device_name
str
-
file_path
str
-
file_size
int4
-
file_status
str
-
global_quarantined
bool
-
last_found
timestamp
-
md5
str
-
name
str
-
policy_id
str
-
running
bool
-
safelisted
bool
-
sha256
str
-
signed
bool
-
state
str
-
sub_classification
str
-
unique_to_cylance
bool
-
ip
str
-
mac
str
-
related_ips
int4
-
related_ip
ip4
-
related_ip_count
int4
-
related_macs
int4
-
related_mac
str
-
related_mac_count
int4
-
related_ip_count |
|
|
| |||
related_mac_count |
|
|
| |||
related_macs |
|
|
| |||
mac |
|
|
| |||
related_ip4 |
|
| related_ip_str | |||
related_ip6 |
|
| related_ip_str | |||
product_name |
|
|
| |||
product_version |
|
|
| |||
product_status |
|
|
| |||
at_devo_pulling_id |
|
|
| |||
hostchain |
|
|
| ✓ |
tag |
|
|
| ✓ |
rawMessage |
|
|
Rw tab | ||
---|---|---|
|
| ✓ |
Anchor | ||||
---|---|---|---|---|
|
Field | Type | Extra |
---|
fields | |
---|---|
eventdate |
|
| |
hostname |
|
| |
Id |
|
| |
ActivationTime |
|
| |
AppliedExceptions |
|
| |
ArtifactsOfInterest__UnsignedProc |
|
| |
Detector__Name |
|
| |
Detector__Version |
|
| |
Device__CylanceId |
|
| |
Device__Name |
|
| |
Device__IpAddresses |
|
| |
Device__LoggedOnUsers |
|
| |
Name |
|
| |
ObjectType |
|
| |
OccurrenceTime |
|
| |
Product__Name |
|
| |
Product__Version |
|
| |
PhoneticId |
|
| |
ReceivedTime |
|
| |
SchemaVersion |
|
| |
Severity |
|
| |
SeveritySortLevel |
|
| |
Status |
|
| |
StatusSortLevel |
|
| |
TenantId |
|
| |
Trace |
|
| |
detection_rule_Name |
|
| |
detection_rule_Id |
|
| |
detection_rule_PolicyGroup |
|
| |
detection_rule_Version |
|
| |
detection_rule_ObjectType |
|
| |
detection_rule_Description |
|
| |
detection_rule_Category |
|
| |
related_zone_id |
|
| |
zone_id |
|
| |
AssociatedArtifacts |
|
| |
DetectionRule__Name |
|
| |
DetectionRule__Id |
|
| |
DetectionRule__PolicyGroup |
|
| |
DetectionRule__Version |
|
| |
DetectionRule__ObjectType |
|
| |
DetectionRule__Description |
|
| |
DetectionRule__Category |
|
| |
detector_Name |
|
| |
detector_Version |
|
| |
device_CylanceId |
|
| |
device_Name |
|
| |
device_IpAddresses |
|
| |
device_LoggedOnUsers |
|
| |
product_Name |
|
| |
product_Version |
|
| |
related_zone_ids |
|
| |
related_zone_id_count |
|
| |
at_devo_pulling_id |
|
| ||
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
Anchor | ||||
---|---|---|---|---|
|
Field | Type | Extra |
---|
fields | |
---|---|
eventdate |
|
| |
hostname |
|
| |
MaximumConcurrentActivations |
|
| |
ActivationLifetimeLimit |
|
| |
TerminateActiveDfaIfActivatingProcessesEnd |
|
| |
ActivationCanUtilizeDeviceStateEvents |
|
| |
AllowMultipleActivationsPerContext |
|
| |
OperatingSystems |
|
| |
States |
|
| |
Paths |
|
| |
ObjectType |
|
| |
Name |
|
| |
Id |
|
| |
Version |
|
| |
SchemaVersion |
|
| |
Description |
|
| |
Tags |
|
| |
RuleSource |
|
| |
RuleSourceGrouping |
|
| |
Severity |
|
| |
Plugin__Name |
|
| |
NotValidBefore |
|
| |
NotValidAfter |
|
| |
RulesetCount |
|
| |
LastModified |
|
| |
Category |
|
| |
DeviceCount |
|
| |
ModifiedBy__login |
|
| |
ModifiedBy__id |
|
| |
product_Name |
|
| |
Product__Name |
|
| |
plugin_Name |
|
| |
at_devo_pulling_id |
|
| ||
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
Anchor | ||||
---|---|---|---|---|
|
Field | Type | Extra |
---|
fields | |
---|---|
eventdate |
|
| |
hostname |
|
| |
ObjectType |
|
| |
Plugin__Name |
|
| |
Tags |
|
| |
OperatingSystems |
|
| |
SchemaVersion |
|
| |
States |
|
| |
Name |
|
| |
Description |
|
| |
Id |
|
| |
Version |
|
| |
RulesetCount |
|
| |
LastModified |
|
| |
PolicyCount |
|
| |
DeviceCount |
|
| |
ModifiedBy__login |
|
| |
ModifiedBy__id |
|
| |
product_Name |
|
| |
Product__Name |
|
| |
plugin_Name |
|
| |
at_devo_pulling_id |
|
| ||
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
Rw tab | ||
---|---|---|
|
Anchor | ||
---|---|---|
|
|
|
policies
Field | Type |
---|
Field |
---|
transformation | Source field name | Extra fields |
---|---|---|
eventdate |
|
|
| ||
hostname |
|
|
| ||
memoryviolation_actions__memory_violations_ext_v2 |
|
|
|
id
str
memoryviolation_actions__memory_violations |
|
|
| |
memoryviolation_actions__memory_violations_ext |
|
|
|
memoryviolation_actions__memory_exclusion_list |
|
-
|
|
memoryviolation_actions__memory_exclusion_list_v2 |
|
|
|
filetype_actions__suspicious_files |
|
|
|
filetype_actions__threat_files |
|
|
| ||
checksum |
|
|
|
file_exclusions |
|
|
| ||
policy_name |
|
|
|
script_control_ |
v2 |
|
|
| |||
policy |
|
|
| |
policy_id |
|
|
| |
policy_utctimestamp |
|
|
| |||
device_count |
|
|
| |
zone_count |
|
|
|
last_logged_in_user
str
-
update_type
str
date_added |
|
| date_added_str | |||
date_modified |
|
| date_modified_str | |||
log_policy_retentiondays |
|
|
| |||
log_policy_log_upload |
|
|
| |||
log_policy_maxlogsize |
|
|
|
related_ |
policys |
bool
|
-
|
|
policy_ |
value |
bool
|
-
|
|
related_policy_ |
count |
bool
|
-
|
|
at_devo_ |
timestamp
pulling_id |
|
|
| |
hostchain |
|
|
|
✓ | |
tag |
|
|
| ✓ | |
rawMessage |
|
|
|
date_last_modified
timestamp
-
distinguished_name
str
-
dlcm_status
str
-
days_to_deletion
str
-
related_products
int4
-
product
str
-
ip
str
-
related_mac
str
-
policy_name
str
-
✓ |
Anchor | ||||
---|---|---|---|---|
|
Field | Type | Extra fields |
---|---|---|
eventdate |
|
|
hostname |
|
|
agent_version |
|
|
auto_run |
|
|
av_industry |
|
|
cert_issuer |
|
|
cert_publisher |
|
|
cert_timestamp |
|
|
classification |
|
|
cylance_score |
|
|
date_found |
|
|
detected_by |
|
|
device_id |
|
|
device_name |
|
|
file_path |
|
|
file_size |
|
|
file_status |
|
|
global_quarantined |
|
|
last_found |
|
|
md5 |
|
|
name |
|
|
policy_id |
|
|
running |
|
|
safelisted |
|
|
sha256 |
|
|
signed |
|
|
state |
|
|
sub_classification |
|
|
unique_to_cylance |
|
|
ip |
|
|
mac |
|
|
related_ips |
|
-
| ||
related_ip |
|
|
related_ip_count |
|
| ||
related_macs |
|
|
related_mac |
|
|
related_mac_count |
|
-
related_macs
int4
-
mac
str
-
related_ip4
ip4
-
Code Block |
---|
ip4(related_ip_str) |
related_ip_str
related_ip6
ip6
-
Code Block |
---|
ip6(related_ip_str) |
related_ip_str
product_name
str
-
product_version
str
-
product_status
str
-
| ||
at_devo_pulling_id |
|
|
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
Anchor | ||||
---|---|---|---|---|
|
Field | Type | Extra fields |
---|---|---|
eventdate |
|
|
hostname |
|
|
id |
|
|
tenant_id |
|
|
first_name |
|
|
last_name |
|
|
|
| |
cur_id |
|
|
eeco_id |
|
|
has_logged_in |
|
|
role_type |
|
|
role_name |
|
|
default_zone_role_type |
|
|
default_zone_role_name |
|
|
date_last_login |
|
|
date_email_confirmed |
|
|
date_created |
|
|
date_modified |
|
|
related_zones |
|
|
zone |
|
|
zone_id |
|
|
zone_role_type |
|
|
zone_role_name |
|
|
related_zone_count |
|
|
at_devo_pulling_id |
|
-
|
hostchain |
|
|
tag |
|
✓
| |
rawMessage |
|
|