View Source

Introduction

The tags begin with edr.blackberry identify the events generated by Blackberry.

Tag structure

The full tag must have 4 levels. The first two are fixed as edr.blackberry. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

Product / Services	Tags	Data tables
Blackberry	`edr.blackberry.cylance.devices`	`edr.blackberry.cylance.devices`
	`edr.blackberry.cylance.optics_detections`	`edr.blackberry.cylance.optics_detections`
	`edr.blackberry.cylance.optics_detections_rules`	`edr.blackberry.cylance.optics_detections_rules`
	`edr.blackberry.cylance.optics_detections_exceptions`	`edr.blackberry.cylance.optics_detections_exceptions`
	`edr.blackberry.cylance.policies`	`edr.blackberry.cylance.policies`
	`edr.blackberry.cylance.threats`	`edr.blackberry.cylance.threats`
	`edr.blackberry.cylance.users`	`edr.blackberry.cylance.users`

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

edr.blackberry.cylance.devices
edr.blackberry.cylance.optics_detections
edr.blackberry.cylance.optics_detections_rules
edr.blackberry.cylance.optics_detections_exceptions

edr.blackberry.cylance.devices

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

id

str

name

str

host_name

str

os_version

str

os_kernel_version

str

state

str

agent_version

str

policy_id

str

last_logged_in_user

str

update_type

str

update_available

bool

background_detection

bool

is_safe

bool

date_first_registered

timestamp

date_offline

str

date_last_modified

timestamp

distinguished_name

str

dlcm_status

str

days_to_deletion

str

related_products

int4

product

str

ip

str

related_mac

str

policy_name

str

related_ips

int4

related_ip_count

int4

related_mac_count

int4

related_macs

int4

mac

str

related_ip4

ip4

ip4(related_ip_str)

related_ip_str

related_ip6

ip6

ip6(related_ip_str)

related_ip_str

product_name

str

product_version

str

product_status

str

at_devo_pulling_id

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.blackberry.cylance.optics_detections

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
Id	`str`
ActivationTime	`timestamp`
AppliedExceptions	`str`
ArtifactsOfInterest__UnsignedProc	`str`
Detector__Name	`str`
Detector__Version	`str`
Device__CylanceId	`str`
Device__Name	`str`
Device__IpAddresses	`str`
Device__LoggedOnUsers	`str`
Name	`str`
ObjectType	`str`
OccurrenceTime	`timestamp`
Product__Name	`str`
Product__Version	`str`
PhoneticId	`str`
ReceivedTime	`timestamp`
SchemaVersion	`str`
Severity	`str`
SeveritySortLevel	`int4`
Status	`str`
StatusSortLevel	`int4`
TenantId	`str`
Trace	`str`
detection_rule_Name	`str`
detection_rule_Id	`str`
detection_rule_PolicyGroup	`str`
detection_rule_Version	`str`
detection_rule_ObjectType	`str`
detection_rule_Description	`str`
detection_rule_Category	`str`
related_zone_id	`str`
zone_id	`str`
AssociatedArtifacts	`str`
DetectionRule__Name	`str`
DetectionRule__Id	`str`
DetectionRule__PolicyGroup	`str`
DetectionRule__Version	`str`
DetectionRule__ObjectType	`str`
DetectionRule__Description	`str`
DetectionRule__Category	`str`
detector_Name	`str`
detector_Version	`str`
device_CylanceId	`str`
device_Name	`str`
device_IpAddresses	`str`
device_LoggedOnUsers	`str`
product_Name	`str`
product_Version	`str`
related_zone_ids	`int4`
related_zone_id_count	`int4`
at_devo_pulling_id	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.blackberry.cylance.optics_detections_rules

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
MaximumConcurrentActivations	`int4`
ActivationLifetimeLimit	`str`
TerminateActiveDfaIfActivatingProcessesEnd	`bool`
ActivationCanUtilizeDeviceStateEvents	`bool`
AllowMultipleActivationsPerContext	`bool`
OperatingSystems	`str`
States	`str`
Paths	`str`
ObjectType	`str`
Name	`str`
Id	`str`
Version	`str`
SchemaVersion	`str`
Description	`str`
Tags	`str`
RuleSource	`str`
RuleSourceGrouping	`str`
Severity	`str`
Plugin__Name	`str`
NotValidBefore	`timestamp`
NotValidAfter	`timestamp`
RulesetCount	`int4`
LastModified	`timestamp`
Category	`str`
DeviceCount	`int4`
ModifiedBy__login	`str`
ModifiedBy__id	`str`
product_Name	`str`
Product__Name	`str`
plugin_Name	`str`
at_devo_pulling_id	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.blackberry.cylance.optics_detections_exceptions

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
ObjectType	`str`
Plugin__Name	`str`
Tags	`str`
OperatingSystems	`str`
SchemaVersion	`str`
States	`str`
Name	`str`
Description	`str`
Id	`str`
Version	`str`
RulesetCount	`int4`
LastModified	`timestamp`
PolicyCount	`int4`
DeviceCount	`int4`
ModifiedBy__login	`str`
ModifiedBy__id	`str`
product_Name	`str`
Product__Name	`str`
plugin_Name	`str`
at_devo_pulling_id	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.blackberry.cylance.policies
edr.blackberry.cylance.threats
edr.blackberry.cylance.users

edr.blackberry.cylance.policies

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

memoryviolation_actions__memory_violations_ext_v2

str

memoryviolation_actions__memory_violations

str

memoryviolation_actions__memory_violations_ext

str

memoryviolation_actions__memory_exclusion_list

str

memoryviolation_actions__memory_exclusion_list_v2

str

filetype_actions__suspicious_files

str

filetype_actions__threat_files

str

checksum

str

file_exclusions

str

policy_name

str

script_control_v2

str

policy

str

policy_id

str

policy_utctimestamp

str

device_count

int4

zone_count

int4

date_added

timestamp

parsedate(date_added_str, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS", "UTC"))

date_added_str

date_modified

timestamp

parsedate(date_modified_str, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS", "UTC"))

date_modified_str

log_policy_retentiondays

str

log_policy_log_upload

str

log_policy_maxlogsize

str

related_policys

int4

policy_value

str

related_policy_count

int4

at_devo_pulling_id

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

edr.blackberry.cylance.threats

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
agent_version	`str`
auto_run	`bool`
av_industry	`str`
cert_issuer	`str`
cert_publisher	`str`
cert_timestamp	`timestamp`
classification	`str`
cylance_score	`float8`
date_found	`timestamp`
detected_by	`str`
device_id	`str`
device_name	`str`
file_path	`str`
file_size	`int4`
file_status	`str`
global_quarantined	`bool`
last_found	`timestamp`
md5	`str`
name	`str`
policy_id	`str`
running	`bool`
safelisted	`bool`
sha256	`str`
signed	`bool`
state	`str`
sub_classification	`str`
unique_to_cylance	`bool`
ip	`str`
mac	`str`
related_ips	`int4`
related_ip	`ip4`
related_ip_count	`int4`
related_macs	`int4`
related_mac	`str`
related_mac_count	`int4`
at_devo_pulling_id	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.blackberry.cylance.users

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
id	`str`
tenant_id	`str`
first_name	`str`
last_name	`str`
email	`str`
cur_id	`str`
eeco_id	`str`
has_logged_in	`bool`
role_type	`str`
role_name	`str`
default_zone_role_type	`str`
default_zone_role_name	`str`
date_last_login	`timestamp`
date_email_confirmed	`timestamp`
date_created	`timestamp`
date_modified	`timestamp`
related_zones	`int4`
zone	`str`
zone_id	`str`
zone_role_type	`str`
zone_role_name	`str`
related_zone_count	`int4`
at_devo_pulling_id	`str`
hostchain	`str`
tag	`str`
rawMessage	`str`