
edr.mcafee

Introduction

The tags beginning with edr.mcafee identify the events generated by McAfee MVISION Endpoint.

Tag structure

The full tag must have 4 levels. The first two are fixed as edr.mcafee. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

| Product / Services | Tags | Data tables |
|---|---|---|
| McAfee MVISION Endpoint | edr.mcafee.mvision.threat | edr.mcafee.mvision.threat |

For more information, read more about Devo tags.

Table structure

These are the fields displayed in this table:

edr.mcafee.mvision.threat

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp |  |  |  |
| hostname | str |  |  |  |
| id | str |  |  |  |
| type | str |  |  |  |
| entity | str |  |  |  |
| origin | str |  |  |  |
| nature | str |  |  |  |
| user | str |  |  |  |
| timestamp | timestamp |  |  |  |
| threat__id | str |  |  |  |
| threat__maGuid | str |  |  |  |
| threat__detectionDate | timestamp |  |  |  |
| threat__eventType | str |  |  |  |
| threat__threatType | str |  |  |  |
| threat__threatAttrs__name | str |  |  |  |
| threat__threatAttrs__path | str |  |  |  |
| threat__threatAttrs__md5 | str |  |  |  |
| threat__threatAttrs__sha1 | str |  |  |  |
| threat__threatAttrs__sha256 | str |  |  |  |
| threat__interpreterFileAttrs__name | str |  |  |  |
| threat__interpreterFileAttrs__path | str |  |  |  |
| threat__interpreterFileAttrs__md5 | str |  |  |  |
| threat__interpreterFileAttrs__sha1 | str |  |  |  |
| threat__interpreterFileAttrs__sha256 | str |  |  |  |
| threat__severity | str |  |  |  |
| threat__rank | str |  |  |  |
| threat__score | str |  |  |  |
| threat__detectionTags_str | str | join(threat__detectionTags, ',') | threat__detectionTags |  |
| threat__contentVersion | str |  |  |  |
| tenant_id | str |  |  |  |
| transaction_id | str |  |  |  |
| hostchain | str |  |  | ✓ |
| tag | str |  |  | ✓ |
| rawMessage | str |  |  | ✓ |
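The following is an added example written for this page, not Devo's or McAfee's own parser, showing how a nested MVISION threat event maps onto the flattened columns of the table above and how the one documented transformation (join(threat__detectionTags, ',')) is applied. It assumes that a double underscore in a column name corresponds to one level of nesting in the source JSON, that the source event arrives as a JSON object, and it uses a constructed sample event with placeholder hashes and tenant identifiers. The missing_columns helper is a convenience for checking ingestion coverage and is not part of the table definition.

```python
import json

# Column names taken from the edr.mcafee.mvision.threat table above.
TABLE_COLUMNS = [
    "eventdate", "hostname", "id", "type", "entity", "origin", "nature", "user",
    "timestamp", "threat__id", "threat__maGuid", "threat__detectionDate",
    "threat__eventType", "threat__threatType",
    "threat__threatAttrs__name", "threat__threatAttrs__path",
    "threat__threatAttrs__md5", "threat__threatAttrs__sha1", "threat__threatAttrs__sha256",
    "threat__interpreterFileAttrs__name", "threat__interpreterFileAttrs__path",
    "threat__interpreterFileAttrs__md5", "threat__interpreterFileAttrs__sha1",
    "threat__interpreterFileAttrs__sha256",
    "threat__severity", "threat__rank", "threat__score", "threat__detectionTags_str",
    "threat__contentVersion", "tenant_id", "transaction_id",
    "hostchain", "tag", "rawMessage",
]

# Constructed sample event (not a real MVISION payload). Hash values are
# zero-filled placeholders; the nesting is an assumption about the source format.
SAMPLE_EVENT = {
    "hostname": "ws-example-01", "id": "evt-0001", "type": "threat",
    "entity": "process", "origin": "mvision", "nature": "detection",
    "user": "example-user", "timestamp": "2024-01-01T00:00:00Z",
    "threat": {
        "id": "thr-0001", "maGuid": "maguid-placeholder",
        "detectionDate": "2024-01-01T00:00:00Z",
        "eventType": "Threat Detected", "threatType": "malware",
        "threatAttrs": {"name": "sample.exe", "path": "C:\\Temp\\sample.exe",
                        "md5": "0" * 32, "sha1": "0" * 40, "sha256": "0" * 64},
        "interpreterFileAttrs": {"name": "powershell.exe",
                                 "path": "C:\\Windows\\System32\\powershell.exe",
                                 "md5": "1" * 32, "sha1": "1" * 40, "sha256": "1" * 64},
        "severity": "s4", "rank": "100", "score": "75",
        "detectionTags": ["suspicious-script", "persistence"],
        "contentVersion": "1.0",
    },
    "tenant_id": "tenant-placeholder", "transaction_id": "tx-0001",
}
SAMPLE_JSON = json.dumps(SAMPLE_EVENT)


def flatten(obj, prefix="", sep="__"):
    """Flatten nested dicts into one level, joining keys with `sep`.
    Lists are kept as values so a transformation can act on them."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{sep}{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name, sep))
        else:
            out[name] = value
    return out


def apply_transformations(fields):
    """Apply the table's documented transformation:
    threat__detectionTags_str = join(threat__detectionTags, ',')."""
    tags = fields.get("threat__detectionTags")
    if isinstance(tags, list):
        fields["threat__detectionTags_str"] = ",".join(str(t) for t in tags)
    return fields


def validate_tag(tag):
    """A full tag has exactly 4 levels and starts with edr.mcafee."""
    parts = tag.split(".")
    return len(parts) == 4 and parts[0] == "edr" and parts[1] == "mcafee" and all(parts)


def map_event(raw_json, tag="edr.mcafee.mvision.threat"):
    """Turn one raw JSON event into the table's column layout."""
    if not validate_tag(tag):
        raise ValueError(f"invalid tag: {tag}")
    fields = apply_transformations(flatten(json.loads(raw_json)))
    # Extra fields added at ingestion; eventdate and hostchain are left to the platform.
    fields["tag"] = tag
    fields["rawMessage"] = raw_json
    return fields


def missing_columns(fields):
    """Table columns that a mapped event does not populate (ingestion coverage check)."""
    return [c for c in TABLE_COLUMNS if c not in fields]


if __name__ == "__main__":
    mapped = map_event(SAMPLE_JSON)
    for column in TABLE_COLUMNS:
        print(f"{column:40} {mapped.get(column, '<unset>')!s:.60}")
    print("unpopulated:", missing_columns(mapped))
```

Running the block prints each table column with the value the sample event supplies; only eventdate and hostchain, which the table marks or treats as platform-provided, remain unpopulated for the constructed input.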