edr.cisco

Introduction

Tags beginning with edr.cisco identify the events generated by Cisco products.

Tag structure

The full tag must have 3 levels. The first two are fixed as edr.cisco. The third level identifies the type of events sent.

| Product / Services | Tags | Data tables |
|---|---|---|
| Cisco Secure Endpoint (Formerly AMP for Endpoints) | edr.cisco.amp.computers | edr.cisco.amp.computers |
| | edr.cisco.amp.events | edr.cisco.amp.events |
| | edr.cisco.amp.vulnerabilities | edr.cisco.amp.vulnerabilities |

For more information, see the Devo documentation on tags.

Table structure

These are the fields displayed in these tables:

edr.cisco.amp.computers

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| connector_guid | str | |
| hostname | str | |
| active | bool | |
| links_computer | str | |
| links_trajectory | str | |
| links_group | str | |
| connector_version | str | |
| operating_system | str | |
| internal_ips | str | |
| external_ip | ip4 | |
| group_guid | str | |
| install_date | timestamp | |
| network_addresses | str | |
| policy_guid | str | |
| policy_name | str | |
| last_seen | timestamp | |
| faults | str | |
| isolation_available | bool | |
| isolation_status | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

edr.cisco.amp.events

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| id | int8 | | | |
| timestamp | int8 | | | |
| timestamp_nanoseconds | int8 | | | |
| date | str | | | |
| event_type | str | | | |
| event_type_id | int8 | | | |
| detection | str | | | |
| detection_id | str | | | |
| connector_guid | str | | | |
| group_guids | str | | | |
| severity | str | | | |
| computer_connector_guid | str | | | |
| computer_hostname | str | | | |
| computer_external_ip | ip4 | | | |
| computer_user | str | | | |
| computer_active | bool | | | |
| computer_network_addresses | str | | | |
| computer_network_addresses_ip | ip4 | | | |
| computer_network_addresses_ip_str | str | join(computer_network_addresses_ip_values, ',') | computer_network_addresses_ip_values | |
| computer_network_addresses_mac | str | | | |
| computer_network_addresses_mac_str | str | join(computer_network_addresses_mac_values, ',') | computer_network_addresses_mac_values | |
| computer_links_computer | str | | | |
| computer_links_trajectory | str | | | |
| computer_links_group | str | | | |
| cloud_ioc_description | str | | | |
| cloud_ioc_short_description | str | | | |
| file_disposition | str | | | |
| file_file_name | str | | | |
| file_file_path | str | | | |
| file_identity_sha256 | str | | | |
| file_identity_sha1 | str | | | |
| file_identity_md5 | str | | | |
| file_parent_process_id | int8 | | | |
| file_parent_disposition | str | | | |
| file_parent_file_name | str | | | |
| file_parent_identity_sha256 | str | | | |
| file_parent_identity_sha1 | str | | | |
| file_parent_identity_md5 | str | | | |
| file_attack_details_application | str | | | |
| file_attack_details_attacked_module | str | | | |
| file_attack_details_base_address | str | | | |
| file_attack_details_suspicious_files_str | str | join(file_attack_details_suspicious_files, ',') | file_attack_details_suspicious_files | |
| file_attack_details_indicators | json | | | |
| command_line_arguments | str | | | |
| tactics_str | str | | tactics | |
| techniques_str | str | | techniques | |
| bp_data__id | str | | | |
| bp_data__name | str | | | |
| bp_data__type | str | | | |
| bp_data__details__matched_activity__events__process_start__cmd_line_str | str | | bp_data__details__matched_activity__events__process_start__cmd_line | |
| bp_data__details__matched_activity__events__process_start__parent_app__name_str | str | | bp_data__details__matched_activity__events__process_start__parent_app__name | |
| bp_data__details__matched_activity__events__process_start__parent_app__path_str | str | | bp_data__details__matched_activity__events__process_start__parent_app__path | |
| bp_data__details__matched_activity__events__process_start__parent_user__domain_str | str | | bp_data__details__matched_activity__events__process_start__parent_user__domain | |
| bp_data__details__matched_activity__events__process_start__parent_user__name_str | str | | bp_data__details__matched_activity__events__process_start__parent_user__name | |
| bp_data__details__matched_activity__events__process_start__parent_user__sid_str | str | | bp_data__details__matched_activity__events__process_start__parent_user__sid | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | |
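The Field transformation and Source field name columns of the events table describe how nested and list-valued parts of a Cisco Secure Endpoint event become flat columns: nested keys are joined with underscores (file.identity.sha256 becomes file_identity_sha256; the bp_data subtree uses a double underscore), and list values are collected and exported as a comma-joined _str column (join(computer_network_addresses_ip_values, ',')). The Python script below is an added example, not Devo's or Cisco's code; it applies that reading of the table to a constructed sample event. The sample event's JSON shape, the to_devo_row function and the _values suffix used for lists of objects are assumptions made for this example, so a real ingestion pipeline may differ in detail.

```python
"""Flatten a Cisco Secure Endpoint (AMP) event into the column names used by
the Devo table edr.cisco.amp.events.

Added example, not Devo's or Cisco's code.  The flattening rules are one
reading of the table's "Field transformation" column:
  * nested objects  -> keys joined with "_" ("__" under bp_data)
  * list of scalars -> the list is kept and a comma-joined "<name>_str" column
                       is added (tactics -> tactics_str)
  * list of objects -> each sub-key is collected across the list into
                       "<name>_<key>_values" and joined into "<name>_<key>_str"
                       (computer_network_addresses_ip_values -> ..._ip_str)
"""
import json
from typing import Any, Dict, List

# Constructed sample event (not a real capture).  Its shape follows the
# column names in the table; the GUID and hash are obvious placeholders.
SAMPLE_EVENT = json.dumps({
    "id": 6159258594932490000,
    "timestamp": 1624542340,
    "timestamp_nanoseconds": 0,
    "date": "2021-06-24T14:25:40+00:00",
    "event_type": "Threat Detected",
    "event_type_id": 1090519054,
    "detection": "Example.Detection.Placeholder",
    "severity": "Medium",
    "connector_guid": "00000000-0000-0000-0000-000000000001",
    "computer": {
        "connector_guid": "00000000-0000-0000-0000-000000000001",
        "hostname": "WORKSTATION-01",
        "external_ip": "198.51.100.7",
        "active": True,
        "network_addresses": [
            {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55"},
            {"ip": "192.168.1.20", "mac": "66:77:88:99:aa:bb"},
        ],
    },
    "file": {
        "disposition": "Malicious",
        "file_name": "invoice.exe",
        "identity": {"sha256": "<placeholder-sha256>"},
    },
    "tactics": ["Execution"],
    "techniques": ["T1204"],
    "bp_data": {
        "id": "bp-0001",
        "details": {"matched_activity": {"events": [
            {"process_start": {"cmd_line": "invoice.exe /silent",
                               "parent_app": {"name": "explorer.exe"}}},
        ]}},
    },
})


def _flatten(obj: Dict[str, Any], prefix: str, sep: str) -> Dict[str, Any]:
    """Recursively flatten one JSON object using the rules in the docstring."""
    out: Dict[str, Any] = {}
    for key, value in obj.items():
        name = f"{prefix}{sep}{key}" if prefix else key
        # The table names bp_data columns with a double-underscore separator.
        child_sep = "__" if name == "bp_data" else sep
        if isinstance(value, dict):
            out.update(_flatten(value, name, child_sep))
        elif isinstance(value, list):
            if value and all(isinstance(v, dict) for v in value):
                # List of objects: flatten each element, then collect every
                # sub-column across the list (assumed "_values" naming).
                collected: Dict[str, List[str]] = {}
                for item in value:
                    for sub, sub_val in _flatten(item, "", child_sep).items():
                        collected.setdefault(sub, []).append(str(sub_val))
                for sub, vals in collected.items():
                    out[f"{name}{child_sep}{sub}_values"] = vals
                    out[f"{name}{child_sep}{sub}_str"] = ",".join(vals)
            else:
                # List of scalars: keep the list and add the joined column.
                out[name] = list(value)
                out[f"{name}_str"] = ",".join(str(v) for v in value)
        else:
            out[name] = value
    return out


def to_devo_row(raw_event: str) -> Dict[str, Any]:
    """Parse one JSON event string and return its flattened column dict."""
    return _flatten(json.loads(raw_event), "", "_")


if __name__ == "__main__":
    for column, value in sorted(to_devo_row(SAMPLE_EVENT).items()):
        print(f"{column} = {value!r}")
```

The joined _str columns are the ones an analyst would match on in a query (for example, a known internal address inside computer_network_addresses_ip_str), while the list-valued columns keep the original element order for later correlation.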

edr.cisco.amp.vulnerabilities

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| application | str | |
| version | str | |
| file_filename | str | |
| file_identity_sha256 | str | |
| cves | str | |
| latest_timestamp | int8 | |
| latest_date | str | |
| groups | str | |
| computers_total_count | int8 | |
| computers | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |