edr.cisco
Introduction
Tags that begin with edr.cisco identify the events generated by Cisco products.
Tag structure
The full tag must have 3 levels. The first two are fixed as edr.cisco. The third level identifies the type of events sent.
Product / Services | Tags | Data tables
---|---|---
Cisco Secure Endpoint (Formerly AMP for Endpoints) | edr.cisco.amp.computers | edr.cisco.amp.computers
| edr.cisco.amp.events | edr.cisco.amp.events
| edr.cisco.amp.vulnerabilities | edr.cisco.amp.vulnerabilities
For more information, read more about Devo tags.
Table structure
These are the fields displayed in these tables:
edr.cisco.amp.computers

Field | Type | Extra fields
---|---|---
eventdate | |
connector_guid | |
hostname | |
active | |
links_computer | |
links_trajectory | |
links_group | |
connector_version | |
operating_system | |
internal_ips | |
external_ip | |
group_guid | |
install_date | |
network_addresses | |
policy_guid | |
policy_name | |
last_seen | |
faults | |
isolation_available | |
isolation_status | |
hostchain | | ✓
tag | | ✓
rawMessage | | ✓
edr.cisco.amp.events

Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | | | |
id | | | |
timestamp | | | |
timestamp_nanoseconds | | | |
date | | | |
event_type | | | |
event_type_id | | | |
detection | | | |
detection_id | | | |
connector_guid | | | |
group_guids | | | |
severity | | | |
computer_connector_guid | | | |
computer_hostname | | | |
computer_external_ip | | | |
computer_user | | | |
computer_active | | | |
computer_network_addresses | | | |
computer_network_addresses_ip | | | |
computer_network_addresses_ip_str | | join(computer_network_addresses_ip_values, ',') | computer_network_addresses_ip_values |
computer_network_addresses_mac | | | |
computer_network_addresses_mac_str | | join(computer_network_addresses_mac_values, ',') | computer_network_addresses_mac_values |
computer_links_computer | | | |
computer_links_trajectory | | | |
computer_links_group | | | |
cloud_ioc_description | | | |
cloud_ioc_short_description | | | |
file_disposition | | | |
file_file_name | | | |
file_file_path | | | |
file_identity_sha256 | | | |
file_identity_sha1 | | | |
file_identity_md5 | | | |
file_parent_process_id | | | |
file_parent_disposition | | | |
file_parent_file_name | | | |
file_parent_identity_sha256 | | | |
file_parent_identity_sha1 | | | |
file_parent_identity_md5 | | | |
file_attack_details_application | | | |
file_attack_details_attacked_module | | | |
file_attack_details_base_address | | | |
file_attack_details_suspicious_files_str | | join(file_attack_details_suspicious_files, ',') | file_attack_details_suspicious_files |
file_attack_details_indicators | | | |
command_line_arguments | | | |
tactics_str | | tactics | |
techniques_str | | techniques | |
bp_data__id | | | |
bp_data__name | | | |
bp_data__type | | | |
bp_data__details__matched_activity__events__process_start__cmd_line_str | | bp_data__details__matched_activity__events__process_start__cmd_line | |
bp_data__details__matched_activity__events__process_start__parent_app__name_str | | bp_data__details__matched_activity__events__process_start__parent_app__name | |
bp_data__details__matched_activity__events__process_start__parent_app__path_str | | bp_data__details__matched_activity__events__process_start__parent_app__path | |
bp_data__details__matched_activity__events__process_start__parent_user__domain_str | | bp_data__details__matched_activity__events__process_start__parent_user__domain | |
bp_data__details__matched_activity__events__process_start__parent_user__name_str | | bp_data__details__matched_activity__events__process_start__parent_user__name | |
bp_data__details__matched_activity__events__process_start__parent_user__sid_str | | bp_data__details__matched_activity__events__process_start__parent_user__sid | |
hostchain | | | | ✓
tag | | | | ✓
rawMessage | | | |
edr.cisco.amp.vulnerabilities

Field | Type | Extra fields
---|---|---
eventdate | |
application | |
version | |
file_filename | |
file_identity_sha256 | |
cves | |
latest_timestamp | |
latest_date | |
groups | |
computers_total_count | |
computers | |
hostchain | | ✓
tag | | ✓
rawMessage | | ✓