
siem.trellix

Introduction

Tags beginning with siem.trellix identify events generated by Trellix security products.

Valid tags and data tables 

A full tag has exactly four levels. The first two are fixed as siem.trellix, the third identifies the type of event sent, and the fourth the event subtype. Events sent under a tag that does not match one of the valid tags below will not land in the corresponding data table.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service    Tags                           Data tables

Trellix Helix        siem.trellix.helix.alerts      siem.trellix.helix.alerts

For more information, see About Devo tags.

Table structure

These are the fields displayed in this table:

siem.trellix.helix.alerts

Field                                       Type        Extra fields

eventdate                                   timestamp
hostname                                    str
assigned_at                                 str
_assigned_to__id                            str
_assigned_to__avatar                        str
_assigned_to__name                          str
_assigned_to__username                      str
_assigned_to__primary_email                 str
_created_by__id                             str
_created_by__avatar                         str
_created_by__name                           str
_created_by__username                       str
_created_by__primary_email                  str
_updated_by__id                             str
_updated_by__avatar                         str
_updated_by__name                           str
_updated_by__username                       str
_updated_by__primary_email                  str
alert_threat                                str
alert_type                                  str
alert_type_details__detail__msg             str
alert_type_details__detail__eventid         str
alert_type_details__detail__meta_ts         timestamp
alert_type_details__detail__hostname        str
alert_type_details__detail__severity        str
alert_type_details__detail__uri             str
alert_type_details__detail__class           str
alert_type_details__detail__domain          str
alert_type_details__detail__dstipv4         ip4
alert_type_details__detail__dstport         int4
alert_type_details__detail__srcipv4         ip4
alert_type_details__detail__referrer        str
alert_type_details__detail__useragent       str
alert_type_details__detail__httpmethod      str
alert_type_details__detail__statuscode      int4
alert_type_details__detail__rcvdmimetype    str
alert_type_details__source                  str
alert_type_details__summary__eventid        str
alert_type_details__summary__severity       str
alert_type_details__summary__domain         str
alert_type_details__summary__httpmethod     str
alert_type_details__destination             str
classification                              int4
closed_state                                str
confidence                                  str
create_date                                 timestamp
customer_id                                 str
description                                 str
display_id                                  int4
distinguisher_key                           str
distinguishers__hostname                    str
distinguishers__username                    str
distinguishers__srcipv4                     ip4
distinguishers__srcipv6                     str
distinguishers__xfwdforip                   str
emailed_at                                  int4
event_count                                 int4
events_threshold                            int4
first_event_at                              timestamp
last_event_at                               timestamp
external                                    str
external_count                              int4
external_id                                 str
id                                          str
info_links                                  str
internal                                    str
internal_count                              int4
is_threat                                   bool
is_tuned                                    bool
kill_chain                                  str
last_sync_ms                                timestamp
message                                     str
notes                                       str
notes_count                                 int4
organization                                str
origin_id                                   str
queues                                      str
revision                                    int4
revision_notes                              str
risk                                        str
risk_order                                  int4
risk_score                                  str
search                                      str
seconds_threshold                           int4
severity                                    str
source_revision                             int4
state                                       str
suppressed                                  bool
tags                                        str
threat_changed_at                           str
threat_type                                 int4
trigger_id                                  str
trigger_revision                            int4
tuning_search                               str
update_date                                 timestamp
at_devo_pulling_id                          str
hostchain                                   str         ✓
tag                                         str         ✓
rawMessage                                  str         ✓
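The following is an added example, not code from Devo or Trellix. It ties together the two rules above: the four-level tag check from the "Valid tags and data tables" section, and the column layout of siem.trellix.helix.alerts from the table. It validates a tag, flattens a nested Helix alert into the table's column names, and coerces each value to the column type listed on the page (int4, ip4, bool, timestamp) so that a malformed value such as an IPv6 address in an ip4 column is rejected before ingestion rather than silently stored. Assumptions not stated on the page: nested JSON keys are flattened by joining path segments with "__" (inferred from names like alert_type_details__detail__msg), the sample alert is constructed rather than a real Helix export, and the function names (validate_tag, flatten, coerce, to_row) are hypothetical.

```python
"""Added example (not Devo's or Trellix's own code).

Assumptions, because the page does not state them:
  * nested keys flatten by joining with "__" (inferred from the column names);
  * SAMPLE_ALERT below is constructed, not a real Helix export;
  * VALID_TABLES holds only the table documented on the page.
"""
import ipaddress
import json
from datetime import datetime, timezone

VALID_TABLES = {"siem.trellix.helix.alerts"}

# Column types copied from the page's table for the columns this example touches.
SCHEMA = {
    "id": "str",
    "severity": "str",
    "is_threat": "bool",
    "event_count": "int4",
    "create_date": "timestamp",
    "distinguishers__srcipv4": "ip4",
    "alert_type_details__detail__dstipv4": "ip4",
    "alert_type_details__detail__dstport": "int4",
    "alert_type_details__detail__msg": "str",
    "_assigned_to__username": "str",
}


def validate_tag(tag):
    """Return the data table for `tag`, or raise ValueError.

    A valid tag has exactly four non-empty dot-separated levels, the first two
    fixed as siem.trellix; level 3 is the event type and level 4 the subtype.
    """
    levels = tag.split(".")
    if len(levels) != 4 or any(not lvl for lvl in levels):
        raise ValueError(f"tag must have exactly 4 non-empty levels: {tag!r}")
    if levels[:2] != ["siem", "trellix"]:
        raise ValueError(f"tag must start with siem.trellix: {tag!r}")
    if tag not in VALID_TABLES:
        raise ValueError(f"no data table documented for tag {tag!r}")
    return tag


def is_valid_tag(tag):
    """Boolean wrapper around validate_tag for callers that do not want exceptions."""
    try:
        validate_tag(tag)
        return True
    except ValueError:
        return False


def flatten(obj, prefix=""):
    """Flatten nested dicts into {"a__b__c": value} (assumed "__" convention)."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}__{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def coerce(name, value):
    """Coerce a raw value to its SCHEMA type; undocumented columns pass through as str."""
    kind = SCHEMA.get(name, "str")
    if kind == "int4":
        n = int(value)
        if not -2**31 <= n < 2**31:
            raise ValueError(f"{name}: {n} does not fit int4")
        return n
    if kind == "bool":
        return value if isinstance(value, bool) else str(value).lower() in ("true", "1")
    if kind == "ip4":
        # IPv4Address raises ValueError for IPv6 or junk, so a bad value never reaches the table.
        return str(ipaddress.IPv4Address(value))
    if kind == "timestamp":
        return datetime.fromisoformat(str(value).replace("Z", "+00:00")).astimezone(timezone.utc)
    return str(value)


def to_row(tag, raw_json):
    """Parse one raw alert sent under `tag` into a typed row keyed by column name."""
    validate_tag(tag)
    row = {name: coerce(name, value) for name, value in flatten(json.loads(raw_json)).items()}
    row["tag"] = tag            # extra fields from the table, filled in at ingestion
    row["rawMessage"] = raw_json
    return row


# Constructed sample alert (not a real Helix export).
SAMPLE_ALERT = json.dumps({
    "id": "a1b2c3",
    "severity": "high",
    "is_threat": True,
    "event_count": "3",
    "create_date": "2024-03-01T12:34:56Z",
    "_assigned_to": {"username": "analyst1"},
    "distinguishers": {"srcipv4": "10.0.0.5"},
    "alert_type_details": {
        "source": "webproxy",
        "detail": {"msg": "Outbound beacon", "dstipv4": "203.0.113.7", "dstport": "8443"},
    },
})

if __name__ == "__main__":
    row = to_row("siem.trellix.helix.alerts", SAMPLE_ALERT)
    for col in ("tag", "severity", "event_count", "distinguishers__srcipv4",
                "alert_type_details__detail__dstport", "_assigned_to__username"):
        print(f"{col:40} {row[col]!r}")
```

Only a subset of the columns is typed in SCHEMA here; extending it to the full table is a matter of copying the remaining rows. The point of the coercion step is that the types on the page are a contract: a value that cannot be represented as the listed type is a parsing problem to catch at the source, not something to discover later when a query on distinguishers__srcipv4 returns nothing.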