dlp.trellix

Introduction

The tags beginning with dlp.trellix identify events generated by Trellix.

Valid tags and data tables 

The full tag must have four levels. The first two are fixed as dlp.trellix. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Trellix Endpoint Security | dlp.trellix.epo.incident | dlp.trellix.epo.incident |
| Trellix Complete Data Protection | dlp.trellix.dpim.incident | dlp.trellix.dpim.incident |

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

dlp.trellix.epo.incident

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| detectedutc | timestamp | |
| device_description | str | |
| cancelled_action_reason | str | |
| email | str | |
| number_of_rules | int4 | |
| receivedutc | timestamp | |
| source_display_name | str | |
| eventtimelocal | timestamp | |
| manager | str | |
| total_matches | int4 | |
| connectivity_state | str | |
| threatseverity | str | |
| event_global_id | str | |
| store_file | bool | |
| number_of_classifications | int4 | |
| source_username | str | |
| total_content_size | int4 | |
| threattype | str | |
| threateventid | int4 | |
| usb_class | str | |
| policy_revision | int4 | |
| cancelled_action | str | |
| actual_action | str | |
| instance_id | str | |
| autoid | int4 | |
| analyzerversion | str | |
| unplug_utc_time | timestamp | |
| agentguid | str | |
| sid | str | |
| rawmac | str | |
| time_zone | str | |
| analyzeripv6 | str | |
| analyzeripv4 | ip4 | |
| class_guid | str | |
| total_unique | int4 | |
| policy_name | str | |
| analyzerhostname | str | |
| tenantguid | str | |
| destination | str | |
| bus_type | str | |
| rule_names | str | |
| device_id | str | |
| vendor_id | str | |
| reportingproduct | str | |
| sourceipv4 | ip4 | |
| dest_user_email | str | |
| manager_manager | str | |
| device_serial_number | str | |
| volume_serial_number | str | |
| analyzer | str | |
| display_name | str | |
| tenantid | int4 | |
| nodepath | str | |
| evidence_count | int4 | |
| ou | str | |
| rule_set_names | str | |
| compatible_id | str | |
| analyzerengineversion | str | |
| volume_label | str | |
| threatactiontaken | str | |
| threat_name | str | |
| analyzerdatversion | str | |
| class_display_name | str | |
| autoguid | str | |
| file_system_type | str | |
| plug_utc_time | timestamp | |
| user_principal_name | str | |
| targetipv4 | ip4 | |
| policy_id | str | |
| at_devo_environment | str | |
| at_devo_pulling_id | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

dlp.trellix.dpim.incident

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| machine | str | |
| type | str | |
| id | str | |
| attributes_action_taken | str | |
| attributes_agent_guid | str | |
| attributes_agent_version_ip | str | |
| attributes_agent_version_ipv4 | ip4 | |
| attributes_agent_version_ipv6 | ip6 | |
| attributes_connectivity | str | |
| attributes_destination | str | |
| attributes_event_global_id | str | |
| attributes_evidence_storage_id | str | |
| attributes_expected_action | str | |
| attributes_failure_reason | str | |
| attributes_incident_origin | str | |
| attributes_incident_type | str | |
| attributes_insertion_time | timestamp | |
| attributes_last_update_time | timestamp | |
| attributes_local_time | timestamp | |
| attributes_match_url | str | |
| attributes_severity | str | |
| attributes_source | str | |
| attributes_timezone | str | |
| attributes_total_match_count | int4 | |
| attributes_utc_time | timestamp | |
| attributes_workflow_id | str | |
| relationships_application_data_type | str | |
| relationships_application_data_id | str | |
| relationships_application_file_access_data_type | str | |
| relationships_application_file_access_data_id | str | |
| relationships_capture_search_data_type | str | |
| relationships_capture_search_data_id | str | |
| relationships_classification_matches_data | str | |
| relationships_clipboard_data_type | str | |
| relationships_clipboard_data_id | str | |
| relationships_cloud_data_type | str | |
| relationships_cloud_data_id | str | |
| relationships_collaboration_data_type | str | |
| relationships_collaboration_data_id | str | |
| relationships_comments_data | str | |
| relationships_device_data_type | str | |
| relationships_device_data_id | str | |
| relationships_email_data_type | str | |
| relationships_email_data_id | str | |
| relationships_endpoint_data_type | str | |
| relationships_endpoint_data_id | str | |
| relationships_event_user_data_type | str | |
| relationships_event_user_data_id | str | |
| relationships_evidence_data | str | |
| relationships_iam_role_reviewer_data_type | str | |
| relationships_iam_role_reviewer_data_id | str | |
| relationships_iam_user_reviewer_data_type | str | |
| relationships_iam_user_reviewer_data_id | str | |
| relationships_mobile_device_data_type | str | |
| relationships_mobile_device_data_id | str | |
| relationships_ndlp_appliance_data_type | str | |
| relationships_ndlp_appliance_data_id | str | |
| relationships_network_comm_data_type | str | |
| relationships_network_comm_data_id | str | |
| relationships_network_share_data_type | str | |
| relationships_network_share_data_id | str | |
| relationships_policy_data_type | str | |
| relationships_policy_data_id | str | |
| relationships_print_data_type | str | |
| relationships_print_data_id | str | |
| relationships_removable_storage_data_type | str | |
| relationships_removable_storage_data_id | str | |
| relationships_resolution_data_type | str | |
| relationships_resolution_data_id | str | |
| relationships_rules_data | str | |
| relationships_scan_data_type | str | |
| relationships_scan_data_id | str | |
| relationships_screen_capture_data_type | str | |
| relationships_screen_capture_data_id | str | |
| relationships_status_data_type | str | |
| relationships_status_data_id | str | |
| relationships_web_post_data_type | str | |
| relationships_web_post_data_id | str | |
| links_self | str | |
| at_devo_pulling_id | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |