edr.symantec
Introduction
Tags that begin with edr.symantec identify the events generated by Symantec.
Tag structure
The full tag must have 3 levels. The first two are fixed as edr.symantec. The third level identifies the type of events sent.
Product / Services | Tags | Data tables |
---|---|---|
Symantec Endpoint Detection & Response | edr.symantec.events | edr.symantec.events |
For more information, read more about Devo tags.
Table structure
These are the fields displayed in this table:
edr.symantec.events
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | split(hostchain, "=", 0) | hostchain | |
cefVersion | | | | |
embDeviceVendor | | | | |
embDeviceProduct | | | | |
deviceVersion | | | | |
signatureID | | | | |
name | | | | |
severity | | | | |
enviromentID | | | | |
userEmail | | | | |
securityIncidentFamily | | | | |
securityIncidentProperty | | | | |
deviceType | | | | |
deviceMDMStatus | | | | |
classification | | | | |
deviceExternalId | | | | |
end | | | | |
externalId | | | | |
msg | | | | |
shost | | | | |
src | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |
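The following is an added example, not Devo's or Symantec's own parser, showing how the tag rule (three levels, fixed edr.symantec prefix) and the table's hostname transformation (split(hostchain, "=", 0)) fit together with the field layout above. It assumes the raw events are CEF records (the page does not say so; the cefVersion, embDeviceVendor, embDeviceProduct, deviceVersion, signatureID, name and severity columns match the seven CEF header positions), that the remaining columns arrive as CEF extension keys of the same name, and that hostchain is an "="-separated chain. The sample event, hostchain and helper names (SAMPLE_LINE, SAMPLE_HOSTCHAIN, parse_event, split_cef_header, parse_extension) are constructed for this example.

```python
import re

# The fixed two-level prefix the page describes; the third level names the event type.
TAG_RE = re.compile(r"^edr\.symantec\.[A-Za-z0-9_]+$")

# Positional CEF header fields, named after the columns of the edr.symantec.events table.
HEADER_FIELDS = ("cefVersion", "embDeviceVendor", "embDeviceProduct",
                 "deviceVersion", "signatureID", "name", "severity")

# Remaining table columns, assumed here to arrive as CEF extension keys of the same name.
EXTENSION_FIELDS = ("enviromentID", "userEmail", "securityIncidentFamily",
                    "securityIncidentProperty", "deviceType", "deviceMDMStatus",
                    "classification", "deviceExternalId", "end", "externalId",
                    "msg", "shost", "src")

# Constructed sample (not a real Symantec event): exercises an escaped pipe in
# the header and an escaped '=' in the extension.
SAMPLE_LINE = ("CEF:0|Symantec|Endpoint Detection \\| Response|4.6|8000|Incident Created|5|"
               "externalId=INC-0001 shost=ws-01 src=10.0.0.5 "
               "msg=Suspicious file\\=quarantined end=1700000000000")
SAMPLE_HOSTCHAIN = "symantec-relay=devo-relay"  # constructed; "="-separated chain assumed
SAMPLE_TAG = "edr.symantec.events"


def is_valid_tag(tag: str) -> bool:
    """Exactly three levels, the first two fixed as edr.symantec."""
    return TAG_RE.match(tag) is not None


def hostname_from_hostchain(hostchain: str) -> str:
    """The table's transformation for hostname: split(hostchain, "=", 0)."""
    return hostchain.split("=")[0]


def split_cef_header(line: str):
    """Return (seven header values, extension string), honouring CEF '\\|' and '\\\\' escapes."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    values, buf, i = [], [], len("CEF:")
    while i < len(line) and len(values) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character: take it literally
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":                            # unescaped pipe ends a header field
            values.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(values) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return values, line[i:]


def parse_extension(extension: str) -> dict:
    """Split 'key=value key=value' where values may contain spaces and '\\=' escapes."""
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", extension))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(extension)
        raw = extension[m.end():end]
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_event(line: str, tag: str, hostchain: str) -> dict:
    """Build a record shaped like a row of edr.symantec.events (the page gives no column types)."""
    if not is_valid_tag(tag):
        raise ValueError(f"tag {tag!r} is not of the form edr.symantec.<type>")
    header, extension = split_cef_header(line)
    record = dict(zip(HEADER_FIELDS, header))
    ext = parse_extension(extension)
    for key in EXTENSION_FIELDS:
        record[key] = ext.get(key)          # None when the event lacks the key
    # Extra fields (marked with a check mark in the table) plus the derived hostname.
    record["hostchain"] = hostchain
    record["hostname"] = hostname_from_hostchain(hostchain)
    record["tag"] = tag
    record["rawMessage"] = line
    return record


if __name__ == "__main__":
    for key, value in parse_event(SAMPLE_LINE, SAMPLE_TAG, SAMPLE_HOSTCHAIN).items():
        print(f"{key:25} {value}")
```

Running the block prints one line per column of the table; a tag with the wrong prefix or a fourth level is rejected before any parsing, and a missing extension key yields None rather than an exception, so a partial event still lands in the table's shape.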