mdr.infocyte
- Juan Tomás Alonso Nieto (Unlicensed)
Introduction
The tags beginning with mdr.infocyte identify events generated by Infocyte.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as mdr.infocyte. The third level identifies the type of events sent.
Technology | Brand | Type |
|---|---|---|
mdr | infocyte | alertdetails |
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
|---|---|
mdr.infocyte.alertdetails | mdr.infocyte.alertdetails |
How is the data sent to Devo?
To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can download the collector and learn how to use it in Infocyte collector.
Log samples
The following are sample logs sent to each of the mdr.infocyte data tables. Also, find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
mdr.infocyte.alertdetails
2022-02-09 13:14:52.697 localhost=127.0.0.1 mdr.infocyte.alertdetails: {"flagId": "string", "flagColor": "string", "flagName": "string", "flagWeight": 0, "threatScore": 0, "threatWeight": 0, "threatName": "string", "avPositives": 0, "avTotal": 0, "hasAvScan": true, "synapse": "string", "dynamicAnalysis": true, "malicious": true, "suspicious": true, "staticAnalysis": true, "whitelist": true, "blacklist": true, "localBlacklist": true, "localWhitelist": true, "unknown": true, "notMalicious": true, "targetId": "string", "data": {}, "size": "123", "sourceId": "string", "sourceVersionId": "string", "sourceType": "string", "id": "string", "name": "string", "type": "string", "description": "string", "severity": "string", "sourceName": "string", "search": "string", "hostname": "string", "itemId": "string", "hostScanId": "string", "scanId": "string", "batchId": "string", "fileRepId": "string", "signed": true, "managed": true, "createdOn": "string", "archived": true}
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
|---|---|---|---|
eventdate |
|
| |
hostname |
|
| |
flagId |
|
| |
flagColor |
|
| |
flagName |
|
| |
flagWeight |
|
| |
threatScore |
|
| |
threatWeight |
|
| |
threatName |
|
| |
avPositives |
|
| |
avTotal |
|
| |
hasAvScan |
|
| |
synapse |
|
| |
dynamicAnalysis |
|
| |
malicious |
|
| |
suspicious |
|
| |
staticAnalysis |
|
| |
whitelist |
|
| |
blacklist |
|
| |
localBlacklist |
|
| |
localWhitelist |
|
| |
unknown |
|
| |
notMalicious |
|
| |
targetId |
|
| |
data |
|
| |
size |
|
| |
sourceId |
|
| |
sourceVersionId |
|
| |
sourceType |
|
| |
id |
|
| |
name |
|
| |
type |
|
| |
description |
|
| |
severity |
|
| |
sourceName |
|
| |
search |
|
| |
hostname2 |
|
| |
itemId |
|
| |
hostScanId |
|
| |
scanId |
|
| |
batchId |
|
| |
fileRepId |
|
| |
signed |
|
| |
managed |
|
| |
createdOn |
|
| |
archived |
|
| |
hostchain |
|
| ✓ |
tag |
|
| ✓ |
rawMessage |
|
| ✓ |