
edr.trellix

Introduction

Tags that begin with edr.trellix identify the events generated by Trellix.

Tag structure

The full tag must have 4 levels. The first two are fixed as edr.trellix. The third level identifies the type of events sent, and the fourth level indicates the event subtype. 

| Product / Services | Tags | Data tables |
| --- | --- | --- |
| Trellix Endpoint Security | edr.trellix.epo.threat | edr.trellix.epo.threat |

For more information, read more about Devo tags.

Table structure

These are the fields displayed in this table:

edr.trellix.epo.threat

| Field | Type | Field transformation | Source field name | Extra fields |
| --- | --- | --- | --- | --- |
| eventdate | timestamp |  |  |  |
| hostname | str |  |  |  |
| detectedutc | timestamp | int8(detectedutc_str) = null ? parsedate(detectedutc_str, "YYYY-MM-DD[T]HH:mm:ss.SSSZZ") : timestamp(int8(detectedutc_str)) | detectedutc_str |  |
| analyzermac | str |  |  |  |
| receivedutc | timestamp | int8(receivedutc_str) = null ? parsedate(receivedutc_str, "YYYY-MM-DD[T]HH:mm:ss.SSSZZ") : timestamp(int8(receivedutc_str)) | receivedutc_str |  |
| eventtimelocal | timestamp | int8(eventtimelocal_str) = null ? parsedate(eventtimelocal_str, "YYYY-MM-DD[T]HH:mm:ss.SSSZZ") : timestamp(int8(eventtimelocal_str)) | eventtimelocal_str |  |
| sourceipv6 | str |  |  |  |
| sourceipv4 | ip4 |  |  |  |
| threatseverity | int4 |  |  |  |
| analyzer | str |  |  |  |
| tenantid | int4 |  |  |  |
| nodepath | str |  |  |  |
| threattype | str |  |  |  |
| threateventid | int4 |  |  |  |
| analyzerversion | str |  |  |  |
| agentguid | str |  |  |  |
| threatactiontaken | str |  |  |  |
| threat_name | str |  |  |  |
| analyzername | str |  |  |  |
| threatcategory | str |  |  |  |
| autoguid | str |  |  |  |
| targetipv6 | str |  |  |  |
| analyzeripv6 | str |  |  |  |
| analyzeripv4 | ip4 |  |  |  |
| analyzerhostname | str |  |  |  |
| targetipv4 | ip4 |  |  |  |
| tenantguid | str |  |  |  |
| threathandled | bool |  |  |  |
| id | str |  |  |  |
| type | str |  |  |  |
| links__self | str |  |  |  |
| timestamp | timestamp |  | timestamp_str |  |
| analyzerdatversion | str |  |  |  |
| analyzerengineversion | str |  |  |  |
| analyzerdetectionmethod | str |  |  |  |
| sourcehostname | str |  |  |  |
| sourcemac | str |  |  |  |
| sourceusername | str |  |  |  |
| sourceprocessname | str |  |  |  |
| sourceurl | str |  |  |  |
| targethostname | str |  |  |  |
| targetmac | str |  |  |  |
| targetusername | str |  |  |  |
| targetport | str |  |  |  |
| targetprotocol | str |  |  |  |
| targetprocessname | str |  |  |  |
| targetfilename | str |  |  |  |
| targethash | str |  |  |  |
| sourceprocesshash | str |  |  |  |
| sourceprocesssigned | str |  |  |  |
| sourceprocesssigner | str |  |  |  |
| sourcefilepath | str |  |  |  |
| at_devo_environment | str |  |  |  |
| at_devo_pulling_id | str |  |  |  |
| hostchain | str |  |  | ✓ |
| tag | str |  |  | ✓ |
| rawMessage | str |  |  | ✓ |
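The detectedutc, receivedutc and eventtimelocal transformations in the table all apply the same rule: if the raw string is an integer, treat it as an epoch value, otherwise parse it with the ISO-8601 pattern, and yield null when neither works. The following Python is an added illustration of that rule, not Devo's or Trellix's code; it assumes the integer form is epoch milliseconds and that the parsedate pattern maps to the strptime format shown, and it adds a delivery-lag check so an analyst can spot events whose detection time is missing or stale.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# strptime equivalent of the page's parsedate() pattern "YYYY-MM-DD[T]HH:mm:ss.SSSZZ"
# (assumption: SSS is fractional seconds and ZZ a "+HH:MM" offset, which %z accepts).
ISO_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def int8_or_null(value: Optional[str]) -> Optional[int]:
    """Mirror int8(x): the integer value, or None (null) when x is not an integer."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def parse_utc_field(value: Optional[str]) -> Optional[datetime]:
    """int8(x) = null ? parsedate(x, ISO) : timestamp(int8(x)); None if both fail."""
    epoch_ms = int8_or_null(value)
    if epoch_ms is None:
        try:
            return datetime.strptime(value, ISO_FMT)
        except (TypeError, ValueError):
            return None  # unusable time: callers should fall back to eventdate
    # Assumption: the integer form is epoch milliseconds (Devo's timestamp unit).
    # Seconds and milliseconds are split to avoid float rounding of the sub-second part.
    base = datetime.fromtimestamp(epoch_ms // 1000, tz=timezone.utc)
    return base + timedelta(milliseconds=epoch_ms % 1000)


def normalize_times(event: dict) -> dict:
    """Derive detectedutc/receivedutc/eventtimelocal from their *_str source fields."""
    out = dict(event)
    for field in ("detectedutc", "receivedutc", "eventtimelocal"):
        out[field] = parse_utc_field(event.get(field + "_str"))
    return out


def delivery_lag_seconds(event: dict) -> Optional[float]:
    """Seconds between detection and receipt, or None if either time is unusable."""
    detected, received = event.get("detectedutc"), event.get("receivedutc")
    if detected is None or received is None:
        return None
    return (received - detected).total_seconds()


# Constructed sample: one epoch-millisecond value, one ISO value, one unparseable value.
SAMPLE_EVENT = {
    "detectedutc_str": "1714521600123",  # 2024-05-01T00:00:00.123Z
    "receivedutc_str": "2024-05-01T00:00:05.123+00:00",
    "eventtimelocal_str": "not-a-timestamp",
}
NORMALIZED = normalize_times(SAMPLE_EVENT)
```

A null in any of the three derived fields means the source string matched neither branch, so detection rules that window on detectedutc should also be keyed on eventdate to avoid silently dropping such events.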