edr.trellix
Introduction
Tags beginning with edr.trellix identify the events generated by Trellix.
Tag structure
The full tag must have 4 levels. The first two are fixed as edr.trellix. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
Product / Services | Tags | Data tables |
---|---|---|
Trellix Endpoint Security | edr.trellix.epo.threat | edr.trellix.epo.threat |
For more information, read more about Devo tags.
Table structure
These are the fields displayed in this table:
edr.trellix.epo.threat
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
detectedutc | | int8(detectedutc_str) = null ? parsedate(detectedutc_str, "YYYY-MM-DD[T]HH:mm:ss.SSSZZ") : timestamp(int8(detectedutc_str)) | detectedutc_str | |
analyzermac | | | | |
receivedutc | | int8(receivedutc_str) = null ? parsedate(receivedutc_str, "YYYY-MM-DD[T]HH:mm:ss.SSSZZ") : timestamp(int8(receivedutc_str)) | receivedutc_str | |
eventtimelocal | | int8(eventtimelocal_str) = null ? parsedate(eventtimelocal_str, "YYYY-MM-DD[T]HH:mm:ss.SSSZZ") : timestamp(int8(eventtimelocal_str)) | eventtimelocal_str | |
sourceipv6 | | | | |
sourceipv4 | | | | |
threatseverity | | | | |
analyzer | | | | |
tenantid | | | | |
nodepath | | | | |
threattype | | | | |
threateventid | | | | |
analyzerversion | | | | |
agentguid | | | | |
threatactiontaken | | | | |
threat_name | | | | |
analyzername | | | | |
threatcategory | | | | |
autoguid | | | | |
targetipv6 | | | | |
analyzeripv6 | | | | |
analyzeripv4 | | | | |
analyzerhostname | | | | |
targetipv4 | | | | |
tenantguid | | | | |
threathandled | | | | |
id | | | | |
type | | | | |
links__self | | | | |
timestamp | | | timestamp_str | |
analyzerdatversion | | | | |
analyzerengineversion | | | | |
analyzerdetectionmethod | | | | |
sourcehostname | | | | |
sourcemac | | | | |
sourceusername | | | | |
sourceprocessname | | | | |
sourceurl | | | | |
targethostname | | | | |
targetmac | | | | |
targetusername | | | | |
targetport | | | | |
targetprotocol | | | | |
targetprocessname | | | | |
targetfilename | | | | |
targethash | | | | |
sourceprocesshash | | | | |
sourceprocesssigned | | | | |
sourceprocesssigner | | | | |
sourcefilepath | | | | |
at_devo_environment | | | | |
at_devo_pulling_id | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |
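The transformation applied above to detectedutc, receivedutc and eventtimelocal accepts either an epoch integer or an ISO 8601 string and yields one normalized timestamp. The following is an added example, not Devo's or Trellix's code, that reproduces that rule in Python so the two raw forms can be compared; it assumes Devo's timestamp() takes epoch milliseconds and that the pattern YYYY-MM-DD[T]HH:mm:ss.SSSZZ corresponds to strptime's %Y-%m-%dT%H:%M:%S.%f%z.

```python
from datetime import datetime, timezone

# Devo pattern quoted in the field table and its strptime equivalent (assumption)
DEVO_PATTERN = "YYYY-MM-DD[T]HH:mm:ss.SSSZZ"
STRPTIME_PATTERN = "%Y-%m-%dT%H:%M:%S.%f%z"

# Fields whose *_str source value is normalized by the table's rule
TIME_FIELDS = ("detectedutc", "receivedutc", "eventtimelocal")


def int8(value):
    """Mimic Devo's int8(): integer on success, None when the value is not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def parsedate(value):
    """Mimic parsedate(value, DEVO_PATTERN): ISO 8601 with milliseconds and offset."""
    return datetime.strptime(value, STRPTIME_PATTERN)


def normalize_time(raw):
    """int8(raw) = null ? parsedate(raw, pattern) : timestamp(int8(raw))"""
    epoch_ms = int8(raw)
    if epoch_ms is None:
        return parsedate(raw)
    # Assumption: the integer form is epoch milliseconds, as timestamp() expects
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)


def normalize_event(event):
    """Return a copy of an edr.trellix.epo.threat event with time fields normalized."""
    out = dict(event)
    for field in TIME_FIELDS:
        raw = event.get(field + "_str")
        if raw is not None:
            out[field] = normalize_time(raw)
    return out


# Constructed sample event: the same instant written in both accepted forms
SAMPLE = {
    "detectedutc_str": "2024-03-05T10:15:30.250+00:00",
    "receivedutc_str": "1709633730250",
    "threatseverity": "3",
    "sourceipv4": "10.0.0.5",
}
```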