edr.mcafee
Introduction
Tags beginning with edr.mcafee identify the events generated by McAfee MVISION Endpoint.
Tag structure
The full tag must have 4 levels. The first two are fixed as edr.mcafee. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
Product / Services | Tags | Data tables |
---|---|---|
McAfee MVISION Endpoint | edr.mcafee.mvision.threat | edr.mcafee.mvision.threat |
For more information, read more about Devo tags.
Table structure
These are the fields displayed in this table:
edr.mcafee.mvision.threat
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
id | | | | |
type | | | | |
entity | | | | |
origin | | | | |
nature | | | | |
user | | | | |
timestamp | | | | |
threat__id | | | | |
threat__maGuid | | | | |
threat__detectionDate | | | | |
threat__eventType | | | | |
threat__threatType | | | | |
threat__threatAttrs__name | | | | |
threat__threatAttrs__path | | | | |
threat__threatAttrs__md5 | | | | |
threat__threatAttrs__sha1 | | | | |
threat__threatAttrs__sha256 | | | | |
threat__interpreterFileAttrs__name | | | | |
threat__interpreterFileAttrs__path | | | | |
threat__interpreterFileAttrs__md5 | | | | |
threat__interpreterFileAttrs__sha1 | | | | |
threat__interpreterFileAttrs__sha256 | | | | |
threat__severity | | | | |
threat__rank | | | | |
threat__score | | | | |
threat__detectionTags_str | | join(threat__detectionTags, ',') | threat__detectionTags | |
threat__contentVersion | | | | |
tenant_id | | | | |
transaction_id | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |