
mdr.infocyte

Introduction

The tags beginning with mdr.infocyte identify events generated by Infocyte.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as mdr.infocyte. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service     Tags                          Data tables
Infocyte platform     mdr.infocyte.alertdetails     mdr.infocyte.alertdetails

For more information, read more about Devo tags.

How is the data sent to Devo?

To send logs to these tables, Devo provides a collector that you can use to send the required events to your Devo domain. You can learn how to use it in Infocyte collector.

Table structure

These are the fields displayed in this table:

mdr.infocyte.alertdetails

Field                           Type        Extra fields
eventdate                       timestamp
machine                         str
flagId                          str
flagColor                       str
flagName                        str
flagWeight                      int8
threatScore                     int8
threatWeight                    int8
threatName                      str
avPositives                     int8
avTotal                         int8
hasAvScan                       bool
synapse                         str
dynamicAnalysis                 bool
malicious                       bool
suspicious                      bool
staticAnalysis                  bool
whitelist                       bool
blacklist                       bool
localBlacklist                  bool
localWhitelist                  bool
unknown                         bool
notMalicious                    bool
targetId                        str
hostname                        str
data_str                        str
signature__type                 str
signature__issuer_name          str
signature__subject_name         str
signature__serial_number        str
signature__timestamp_issuer     str
signature__timestamp_subject    str
size                            int8
sourceId                        str
sourceVersionId                 str
sourceType                      str
signal                          bool
sourceText                      str
severityLevel                   int4
mitreId                         str
mitreTactic                     str
hostId                          str
md5                             str
sha1                            str
sha256                          str
scanName                        str
extensionSuccess                str
agentId                         str
sourceAuthor                    str
id                              str
name                            str
type                            str
description                     str
severity                        str
sourceName                      str
search                          str
itemId                          str
hostScanId                      str
scanId                          str
batchId                         str
fileRepId                       str
signed                          bool
managed                         bool
createdOn                       str
archived                        bool
avRatio                         float8
exportSequenceId                str
data_id                         int8
pid                             int4
uid                             str
path                            str
ppid                            int4
owner                           str
failed                          bool
ssdeep                          str
tenant                          str
package                         str
realtime                        bool
accountid                       str
device_id                       str
item_type                       str
processid                       str
pprocessid                      str
commandline                     str
compromised                     bool
filecreated                     str
instance_id                     str
processname                     str
created_date                    str
filemodified                    str
hasinjection                    int4
processstarted                  str
decoded_payload                 str
parentprocessname               str
grandparentprocessname          str
hostchain                       str         ✓
tag                             str         ✓
rawMessage                      str         ✓