
Introduction

The tags beginning with dlp.trellix identify events generated by Trellix.

Valid tags and data tables

The full tag must have four levels. The first two are fixed as dlp.trellix. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
| --- | --- | --- |
| Trellix Endpoint Security | dlp.trellix.epo.incident | dlp.trellix.epo.incident |

For more information, read more about Devo tags.

Table structure

These are the fields displayed in this table:

dlp.trellix.epo.incident

| Field | Type | Extra fields |
| --- | --- | --- |
| eventdate | timestamp | |
| hostname | str | |
| detectedutc | timestamp | |
| device_description | str | |
| cancelled_action_reason | str | |
| email | str | |
| number_of_rules | int4 | |
| receivedutc | timestamp | |
| source_display_name | str | |
| eventtimelocal | timestamp | |
| manager | str | |
| total_matches | int4 | |
| connectivity_state | str | |
| threatseverity | str | |
| event_global_id | str | |
| store_file | bool | |
| number_of_classifications | int4 | |
| source_username | str | |
| total_content_size | int4 | |
| threattype | str | |
| threateventid | int4 | |
| usb_class | str | |
| policy_revision | int4 | |
| cancelled_action | str | |
| actual_action | str | |
| instance_id | str | |
| autoid | int4 | |
| analyzerversion | str | |
| unplug_utc_time | timestamp | |
| agentguid | str | |
| sid | str | |
| rawmac | str | |
| time_zone | str | |
| analyzeripv6 | str | |
| analyzeripv4 | ip4 | |
| class_guid | str | |
| total_unique | int4 | |
| policy_name | str | |
| analyzerhostname | str | |
| tenantguid | str | |
| destination | str | |
| bus_type | str | |
| rule_names | str | |
| device_id | str | |
| vendor_id | str | |
| reportingproduct | str | |
| sourceipv4 | ip4 | |
| dest_user_email | str | |
| manager_manager | str | |
| device_serial_number | str | |
| volume_serial_number | str | |
| analyzer | str | |
| display_name | str | |
| tenantid | int4 | |
| nodepath | str | |
| evidence_count | int4 | |
| ou | str | |
| rule_set_names | str | |
| compatible_id | str | |
| analyzerengineversion | str | |
| volume_label | str | |
| threatactiontaken | str | |
| threat_name | str | |
| analyzerdatversion | str | |
| class_display_name | str | |
| autoguid | str | |
| file_system_type | str | |
| plug_utc_time | timestamp | |
| user_principal_name | str | |
| targetipv4 | ip4 | |
| policy_id | str | |
| at_devo_environment | str | |
| at_devo_pulling_id | str | |
| hostchain | str | |
| tag | str | |
| rawMessage | str | |
