edr.all.threats
Introduction
This union table collects threat events generated by Endpoint Detection and Response (EDR) products from different vendors, so that possible threats can be investigated across all of them with a single query.
Source tables
The information displayed is extracted from the following tables:
av.sentinelone.rfc_5424
cef0.bit9CarbonblackJson.cbResponse
cef0.paloAltoNetworks.cortexXdr
cef0.paloAltoNetworks.cortexXdrAgent
cloud.sophos.central.alerts
cloud.sophos.central.events
edr.carbonblack.alert
edr.carbonblack.protect
edr.cbef.alert.cb_analytics
edr.cbef.alert.watchlist
edr.cortex_xdr.alerts
edr.cortex_xdr.incident_alert
edr.crowdstrike.cannon
edr.crowdstrike.falcon
edr.crowdstrike.falconstreaming.detection_summary
edr.crowdstrike.falconstreaming.epp_detection_summary
edr.cylance.device
edr.cylance.threats
edr.fireeye.alerts
edr.microsoft_defender.endpoint.alerts
edr.minervalabs.events
edr.sentinelone.agent.threats
edr.symantec.events
edr.tanium.events
edr.tanium.threats
endpoint.carbonblack.protection
xdr.cynet.alerts.events
Table structure
This is the set of columns displayed by this union table. It is built from the columns common to the source tables; where a source table uses a different name for a column, that name is listed under Source field name:
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
source | | | |
ip | | | |
mac | | | |
sha256 | | sha256hash | |
sha1 | | SHA1Hash | |
md5 | | MD5Hash | |
file_name | | filename | |
file_path | | path | |
message | | | |
status | | | |
rule | | | |
hostname | | host | |
threat_name | | threat | |
severity | | severityuser | |
user | | | |
threat_type | | type | |
pid | | processIDstr | |
parent_pid | | parentProcessID | |
rawMessage | | rawSource | ✓ |
hostchain | | | ✓ |
tag | | | ✓ |
Special Sophos Information
The Sophos source cloud.sophos.central.alerts does not contain sha256. If the SHA-256 hash is required, use the source cloud.sophos.central.events instead; otherwise, the alerts source is suitable.