edr.mcafee

[ 1 Introduction ] [ 2 Tag structure ] [ 3 Table structure ]

Introduction

The tags begin with edr.mcafee identify the events generated by McAfee MVISION Endpoint.

Tag structure

The full tag must have 4 levels. The first two are fixed as edr.mcafee. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

Product / Services	Tags	Data tables

Product / Services	Tags	Data tables
McAfee MVISION Endpoint	`edr.mcafee.mvision.threat`	`edr.mcafee.mvision.threat`

For more information, read more about Devo tags.

Table structure

These are the fields displayed in this table:

edr.mcafee.mvision.threat

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
id	`str`
type	`str`
entity	`str`
origin	`str`
nature	`str`
user	`str`
timestamp	`timestamp`
threat__id	`str`
threat__maGuid	`str`
threat__detectionDate	`timestamp`
threat__eventType	`str`
threat__threatType	`str`
threat__threatAttrs__name	`str`
threat__threatAttrs__path	`str`
threat__threatAttrs__md5	`str`
threat__threatAttrs__sha1	`str`
threat__threatAttrs__sha256	`str`
threat__interpreterFileAttrs__name	`str`
threat__interpreterFileAttrs__path	`str`
threat__interpreterFileAttrs__md5	`str`
threat__interpreterFileAttrs__sha1	`str`
threat__interpreterFileAttrs__sha256	`str`
threat__severity	`str`
threat__rank	`str`
threat__score	`str`
threat__detectionTags_str	`str`	`join(threat__detectionTags, ',')`	threat__detectionTags
threat__contentVersion	`str`
tenant_id	`str`
transaction_id	`str`
hostchain	`str`			✓
tag	`str`			✓
rawMessage	`str`			✓