Introduction
The tags beginning with edr.symantec identify the events generated by Symantec.
Tag structure
The full tag must have 3 levels. The first two are fixed as edr.symantec. The third level identifies the type of events sent.
Product / Services | Tags | Data tables |
---|---|---|
Symantec Endpoint Detection & Response | edr.symantec.events | edr.symantec.events |
For more information, read more about Devo tags.
Table structure
These are the fields displayed in this table:
edr.symantec.events
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | split(hostchain, "=", 0) | hostchain | |
cefVersion | | | | |
embDeviceVendor | | | | |
embDeviceProduct | | | | |
deviceVersion | | | | |
signatureID | | | | |
name | | | | |
severity | | | | |
enviromentID | | | | |
userEmail | | | | |
securityIncidentFamily | | | | |
securityIncidentProperty | | | | |
deviceType | | | | |
deviceMDMStatus | | | | |
classification | | | | |
deviceExternalId | | | | |
end | | | | |
externalId | | | | |
msg | | | | |
shost | | | | |
src | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |