Document toolboxDocument toolbox

mdr.infocyte

Introduction

The tags beginning with mdr.infocyte identify events generated by Infocyte.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as mdr.infocyte. The third level identifies the type of events sent.

Technology

Brand

Type

Technology

Brand

Type

mdr

infocyte

alertdetails

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag

Data table

Tag

Data table

mdr.infocyte.alertdetails

mdr.infocyte.alertdetails

Table structure

This is the set displayed by these tables.

Field

Type

Extra Label

Field

Type

Extra Label

eventdate

timestamp

-

machine

str

-

flagId

str

-

flagColor

str

-

flagName

str

-

flagWeight

int8

-

threatScore

int8

-

threatWeight

int8

-

threatName

str

-

avPositives

int8

-

avTotal

int8

-

hasAvScan

bool

-

synapse

str

-

dynamicAnalysis

bool

-

malicious

bool

-

suspicious

bool

-

staticAnalysis

bool

-

whitelist

bool

-

blacklist

bool

-

localBlacklist

bool

-

localWhitelist

bool

-

unknown

bool

-

notMalicious

bool

-

targetId

str

-

hostname

str

-

data_str

str

-

signature__type

str

-

signature__issuer_name

str

-

signature__subject_name

str

-

signature__serial_number

str

-

signature__timestamp_issuer

str

-

signature__timestamp_subject

str

-

size

int8

-

sourceId

str

-

sourceVersionId

str

-

sourceType

str

-

signal

bool

-

sourceText

str

-

severityLevel

int4

-

mitreId

str

-

mitreTactic

str

-

hostId

str

-

md5

str

-

sha1

str

-

sha256

str

-

scanName

str

-

extensionSuccess

str

-

agentId

str

-

sourceAuthor

str

-

id

str

-

name

str

-

type

str

-

description

str

-

severity

str

-

sourceName

str

-

search

str

-

itemId

str

-

hostScanId

str

-

scanId

str

-

batchId

str

-

fileRepId

str

-

signed

bool

-

managed

bool

-

createdOn

str

-

archived

bool

-

avRatio

float8

-

exportSequenceId

str

-

data_id

int8

-

pid

int4

-

uid

str

-

path

str

-

ppid

int4

-

owner

str

-

failed

bool

-

ssdeep

str

-

tenant

str

-

package

str

-

realtime

bool

-

accountid

str

-

device_id

str

-

item_type

str

-

processid

str

-

pprocessid

str

-

commandline

str

-

compromised

bool

-

filecreated

str

-

instance_id

str

-

processname

str

-

created_date

str

-

filemodified

str

-

hasinjection

int4

-

processstarted

str

-

decoded_payload

str

-

parentprocessname

str

-

grandparentprocessname

str

-

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

How is the data sent to Devo?

To send logs to these tables, Devo provides a collector that you can use to send the required events to your Devo domain. You can learn how to use it in Infocyte collector.