Syslog Messages - Extension Fields
The extension portion of the syslog message contains additional predefined and custom fields. Predefined fields are defined in the HPE ArcSight Common Event Format extension dictionary. The custom fields are defined by Cybereason and include values such as the date a Malop was created, or a unique identifier for a Malop. The available extension fields for a message depend on the event that triggered the message.
In this topic:
Extension Field Format
Custom extension fields are formatted as key-value pairs with the following keys:
cs#Label – label for a string field
cs# - string value for cs#Label
cn#Label - label for a numeric field
cn# – number value for cn#Label
deviceCustomDate#Label – label for a date field
deviceCustomDate# - date value for deviceCustomDate#Label
For example, an extension field for a MalOp may look like this:
cs1Label=malopId cs1=11.1782255908759163334
Fields by event
The following tables list the extension fields available for each syslog event, organized by event class.
MALOP extension fields
Event name(s) |
Field key name |
Value |
|---|---|---|
Malop Created, MalOp Updated |
cs1Label |
malopID |
cs1 |
Unique identifier for the MalOp |
|
cn1Label |
affectedMachineCount |
|
cn1 |
Number of machines affected by the MalOp |
|
deviceCustomDate1Label |
malopCreationTime |
|
deviceCustomDate1 |
Timestamp for when the MalOp was created |
|
cs2Label |
malopDetectionType |
|
cs2 |
Description of what triggered the MalOp |
|
cn2Label |
affectedUsers |
|
cn2 |
Number of users affected by the MalOp |
|
deviceCustomDate2Label |
malopUpdateTime |
|
deviceCustomDate2 |
Timestamp for when the MalOp was updated |
|
cs3Label |
malopActivityType |
|
cs3 |
Type of activity the MalOp is attempting to execute |
|
deviceCustomDate3Label |
suspectCreationTime |
|
deviceCustomDate3 |
Timestamp for when the root cause process was created |
|
cs4Label |
malopSuspect |
|
cs4 |
The suspicious event that triggered the MalOp |
|
cs5Label |
malopKeySuspicion |
|
cs5 |
The reason the event was found to be suspicious. |
|
cs6Label |
linkToMalop |
|
cs6 |
Link to the MalOp in the Cybereason platform |
|
cs7Label |
socFederationID |
|
cs7 |
Unique identifier for the sensor group of the sensor associated with the Malop |
|
deviceCustomDate3Label |
suspectCreationTime |
|
Malop Machine Information |
cs1Label |
malopID |
cs1 |
Unique identifier for the MalOp |
|
cn1Label |
affectedMachinesCount |
|
cn1 |
Number of machines affected by the MalOp |
|
cs2Label |
affectedMachine |
|
cs2 |
Name of the machine |
|
cs3Label |
socFederationID |
|
cs3 |
Unique identifier for the sensor group of the sensor associated with the MalOp |
|
deviceCustomDate1Label |
malopUpdateTime |
|
deviceCustomDate1 |
Timestamp for when the MalOp was updated |
|
Malop Updated Machine Information |
cs1Label |
malopID |
cs1 |
Unique identifier for the Malop |
|
cn1Label |
affectedMachinesCount |
|
cn1 |
Number of machines affected by the MalOp |
|
cs2Label |
affectedMachine |
|
cs2 |
Name of the machine |
|
deviceUpdatedDate1Label |
machineUpdatedTime |
|
deviceUpdatedDate1 |
Timestamp for when the machine was added to the Malop |
MALWARE extension fields
Event name(s) |
Field key name |
Value |
|---|---|---|
Malware Created, Malware Updated |
eventId |
Unique identifier of this Malware alert |
dvchost |
Name of the device on which the malware was detected. |
|
cs1Label |
virusName |
|
cs1 |
|
|
cs2Label |
context |
|
cs2 |
Context of the specific alert:
|
|
cs3Label |
investigation |
|
cs3 |
Link to investigation of the alert. |
|
deviceCustomDate1Label |
malwareCreationTime |
|
deviceCustomDate1 |
Timestamp of the Malware alert |
USERACTION extension fields
All USER_ACTION syslog messages contain the following fields:
cs1Label: username
cs1: Username for the user performing the action
cn1Label: actionSuccess
cn1: 0 if the action failed, 1 if the action succeeded
deviceCustomDate1Label: userActionTime
deviceCustomDate1: Time the action occurred
cs6Label: userclassification
cs6: String value from the User classification field in the Users screen
In addition, each action group includes specific fields, as shown in the following tables.
CUSTOM RULES action group extension fields
Event name(s) |
Field key name |
Value |
|---|---|---|
RuleCreated |
cs2Label |
userRole |
cs2 |
String with the set of roles assigned for the user that created the custom detection rule |
|
cs3Label |
ruleName |
|
cs3 |
Name of the custom detection rule |
|
cs4Label |
active |
|
cs4 |
Specifies whether the rule is enabled (true) or disabled (false) |
|
RuleUpdated |
cs2Label |
userRole |
cs2 |
String with the set of roles assigned for the user that created the custom detection rule |
|
cs3Label |
ruleName |
|
cs3 |
The name of the custom detection rule |
|
cs4Label |
field |
|
cs4 |
The field in the rule that was updated |
|
cs5Label |
old |
|
cs5 |
The old value for the field that was updated |
|
cs7Label |
new |
|
cs7 |
The new value for the field that was updated |
DETECTION RULES action group extension fields
Event name(s) |
Field key name |
Value |
|---|---|---|
DecisionFeatureCreated/DecisionFeatureUpdated, SuspicionCreated/SuspicionUpdated |
cs2Label |
userRole |
cs2 |
String with the set of user roles for the user that created the custom rule |
|
cs3Label |
decisionFeatureName/suspicionName |
|
cs3 |
Name of the decision feature or suspicion created |
|
cs4Label |
action |
|
cs4 |
Details of the action taken |
|
c5Label |
Server |
|
c5 |
IP address of the Detection server |
GENERAL action group extension fields
Event name(s) |
Field key name |
Value |
|---|---|---|
Login |
cs2Label |
loginMethod |
cs2 |
The login method for the user |
|
cs3Label |
userRole |
|
cs3 |
String with the set of user roles for this user |
|
cs4Label |
machineName |
|
cs4 |
Name for the machine from which the user logged in |
|
cs5Label |
machineIP |
|
cs5 |
IP address for the machine from which the user logged in |
|
Logout |
cs2Label |
userRole |
cs2 |
String with the set of user roles for this user |
|
cs3Label |
machineName |
|
cs3 |
Name for the machine from which the user logged in |
|
cs4Label |
machineIP |
|
cs4 |
IP address for the machine from which the user logged in |
|
NotificationSettingChange |
cn2Label |
newState |
cn2 |
The new notification state (1 if notification setting is enabled, 0 if disabled) |
|
cn3Label |
oldState |
|
cn3 |
The old notification state (1 if notification setting is enabled, 0 if disabled) |
|
ChangePassword |
No additional fields |
N/A |
ChangeConfigurationSettings |
No additional fields |
N/A |
ChangeConfigurationDetails |
cs2Label |
propertyName |
cs2 |
Name of the property user configured |
|
cn2Label |
NewState |
|
cn2 |
The new collection state (1 if collection setting is enabled, 0 if disabled) |
|
cn3Label |
oldState |
|
cn3 |
The old collection state (1 if collection setting was enabled, 0 if disabled) |
|
CollectionConfigurationOverride |
No additional fields |
N/A |
CollectionConfigurationOverrideDetails |
cs2Label |
propertyName |
cs2 |
Name of the property user is overriding |
|
cn2Label |
state |
|
cn2 |
New override value (1 if enabled, 0 if disabled) |
|
CollectionConfigurationOverrideSensor |
cs2Label |
sensorId |
cs2 |
Unique identification for the sensor on which the user performed the override |
|
RegistryEventsInclusionAdd |
cs2Label |
key |
cs2 |
The registry key added in the inclusion list |
|
cn2Label |
approved |
|
cn2 |
Whether the update was verified as correctly formatted |
|
cn3Label |
depth |
|
cn3 |
Whether or not to collect specific values from all keys and subkeys of the specified registry key |
|
cs3Label |
values |
|
cs3 |
The specific values to collect from this registry key |
|
RegistryEventsInclusionModify |
cs2Label |
key |
cs2 |
The registry key modified |
|
cn2Label |
approved |
|
cn2 |
Whether the update was verified as correctly formatted |
|
cn3Label |
depth |
|
cn3 |
Whether or not to collect specific values from all keys and subkeys of the specified registry key |
|
cs3Label |
values |
|
cs3 |
The specific values to collect from this registry key |
|
cs4Label |
oldKey |
|
cs4 |
The registry key value used in this inclusion |
|
cn4Label |
oldapproved |
|
cn4 |
Whether the update was verified as correctly formatted |
|
cn5Label |
olddepth |
|
cn5 |
Whether or not to collect specific values from all keys and subkeys of the specified registry key |
|
cs5Label |
oldvalues |
|
cs5 |
The previously entered values to collect from this registry key |
|
RegistryEventsInclusionKeep |
cs2Label |
key |
cs2 |
The value of the registry |
|
cn2Label |
approved |
|
cn2 |
Whether the update was verified as correctly formatted |
|
cn3Label |
depth |
|
cn3 |
Whether or not to collect specific values from all keys and subkeys of the specified registry key |
|
cs3Label |
values |
|
cs3 |
The specific values to collect from this registry key |
|
RegistryEventsInclusionDelete |
cs2Label |
key |
cs2 |
The value of the registry key to delete |
|
cn2Label |
approved |
|
cn2 |
Whether the update was verified as correctly formatted |
|
cn3Label |
depth |
|
cn3 |
Whether or not to collect specific values from all keys and subkeys of the specified registry key |
|
cs3Label |
values |
|
cs3 |
The specific values to collect from this registry key |
|
IRToolsDownloadResults |
cs2Label |
packageName |
cs2 |
The unique name for the IR tool package |
|
cs3Label |
outputDirectory |
|
cs3 |
The directory to which to write the results for the tool execution |
|
IRToolsDownloadResultsSensor |
cs2Label |
sensorID |
cs2 |
The sensor ID for the sensor from which to download results from a IR tool execution |
|
IRToolsRunCommand |
cs2Label |
packageName |
cs2 |
The unique name for the IR tool package |
|
cs3Label |
commandLine |
|
cs3 |
The command line to use to run the tool |
|
cs4Label |
outputDirectory |
|
cs4 |
The directory to which to write the results for the tool execution |
|
IRToolsRunCommandSensor |
cs2Label |
sensorId |
cs2 |
The sensor ID for the sensor on which to run an IR tool |
INVESTIGATION action group extension fields
Event name(s) |
Field key name |
Value |
|---|---|---|
DeleteQuery, saveQuery, EditQuery |
cs2Label |
queryName |
cs2 |
The name of the saved query for the action |
|
cs3Label |
queryDescription |
|
cs3 |
The description of the saved query for the action |
|
Query |
cs2Label |
QueryDetails |
cs2 |
Details of the query run by a user |
|
cs3Label |
QueryParameters |
|
cs3 |
The parameters for the query when it was run |
|
FileSearchQuery |
cs2Label |
QueryDetails |
cs2 |
Details of the file search query |
|
cs3Label |
AffectedHosts |
|
cs3 |
The list of machines on which the file search query was run |
|
GetFile |
fileName |
File name |
fileName |
The name of the file downloaded |
|
BrowseFolder |
cs2Label |
FolderName |
cs2 |
The name of the folder where the user performed a file browse |
|
cs3Label |
MachineName |
|
cs3 |
The machine on which the user viewed the folder directories |
MALOP INVESTIGATION action group extension fields
Event name(s) |
Field key name |
Value |
|---|---|---|
ChangeMalopState |
cs2Label |
malopID |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
linkToMalop |
|
cs3 |
Link to the MalOp in the Cybereason platform |
|
cs4Label |
oldState |
|
cs4 |
Old state of the MalOp |
|
cs5Label |
newState |
|
cs5 |
New state of the MalOp |
|
Remediation |
cs2Label |
malopId |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
linkToMalop |
|
cs3 |
Link to the MalOp in the Cybereason platform |
|
cs4Label |
remediationType |
|
cs4 |
The type of remediation action performed (BLOCK_FILE, UNSUSPEND_PROCESS, KILL_PREVENT_UNSUSPEND, KILL_PROCESS, QUARANTINE_FILE, UNQUARANTINE_FILE, DELETE_REGISTRY_KEY, ISOLATE_MACHINE, or UNISOLATE_MACHINE) |
|
cn2Label |
affectedMachineCount |
|
cn2 |
Number of affected machines for this remediation action |
|
cn3Label |
affectedElementCount |
|
cn3Label |
Number of affected items for this remediation action |
|
RemediationDetails |
cs2Label |
malopID |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
linkToMalop |
|
cs3 |
Link to the MalOp in the Cybereason platform |
|
cs4Label |
remediationType |
|
cs4 |
The type of remediation action performed (BLOCK_FILE, UNSUSPEND_PROCESS, KILL_PREVENT_UNSUSPEND, KILL_PROCESS, QUARANTINE_FILE, UNQUARANTINE_FILE, DELETE_REGISTRY_KEY, ISOLATE_MACHINE, or UNISOLATE_MACHINE) |
|
cs5Label |
affectedMachineName |
|
cs5 |
Name for the target machine for this remediation action |
|
cs6Label |
affectedElement |
|
cs6 |
Unique identifier for the target item for this remediation action |
|
deviceCustomDate2Label |
actionOccurranceTime |
|
deviceCustomDate2 |
Time when the actual remediation action occurred or failed for this affected machine |
|
MachineIsolation |
cs2Label |
malopId |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
linkToMalop |
|
cs3 |
Link to the MalOp in the Cybereason platform |
|
cn2Label |
affectedMachineCount |
|
cn2 |
Number of affected machines for this machine isolation operation |
|
MachineIsolationDetails |
cs2Label |
malopId |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
linkToMalop |
|
cs3 |
Link to the MalOp in the Cybereason platform |
|
cs4Label |
affectedMachineName |
|
cs4 |
Name for the target machine for the machine isolation operation |
|
cs5Label |
affectedMachineIP |
|
cs5 |
IP address for the target machine for the machine isolation operation |
|
cs6Label |
affectedMachinePylumId |
|
cs6 |
ID of the Cybereason sensor on the target machine |
|
deviceCustomDate2Label |
actionOccurranceTime |
|
deviceCustomDate2 |
Time when the actual machine isolation action occurred (or failed) for this affected machine |
|
AbortRemediation |
cs2Label |
malopId |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
linkToMalop |
|
cs3 |
Link to the MalOp in the Cybereason platform |
|
cs4Label |
remediationType |
|
cs4 |
The type of remediation action performed (BLOCK_FILE, UNSUSPEND_PROCESS, KILL_PREVENT_UNSUSPEND, KILL_PROCESS, QUARANTINE_FILE, UNQUARANTINE_FILE, DELETE_REGISTRY_KEY, ISOLATE_MACHINE, or UNISOLATE_MACHINE) |
|
MalopComment |
cs2Label |
malopId |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
Link to the MalOp in the Cybereason platform |
|
cs3 |
Link to the MalOp in the Cybereason platform |
|
ManualCustomReputations |
cs2Label |
malopGuid |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
linkToMalop |
|
cs3 |
Link to the MalOp in the Cybereason platform |
|
cs4Label |
actionType |
|
cs4 |
Type of action for this reputation item (Add, Change, or Remove) |
|
cn2Label |
affectedIOCCount |
|
cn2 |
Number of IOCs affected |
|
CustomReputationsDetails |
cs2Label |
actionType |
cs2 |
Type of prevention action that occurred (Add, Change, or Remove) |
|
cs3Label |
IOCValue |
|
cs3 |
Value added for this item |
|
cs4Label |
IOCType |
|
cs4 |
Type of item affected (Hash, Domain, or IPAddress) |
|
cs5Label |
IOCReputation |
|
cs5 |
Reputation added for this item (Whitelist or Blacklist) |
|
cs6Label |
oldIOCReputation |
|
cs6 |
Previous value for this item (Whitelist or Blacklist) |
|
cn2Label |
IOCPreventionState |
|
cn2 |
Current prevention state for this item (1 if enabled and 0 if disabled) |
|
cn3Label |
oldIOCPreventionState |
|
cn3 |
Previous prevention state for this item (1 if enabled and 0 if disabled) if the action type was Change |
|
deviceCustomDate2Label |
actionOccurranceTime |
|
deviceCustomDate2 |
Time when the actual item update occurred |
|
StopMachineIsolation |
cs2Label |
malopId |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
linkToMalop |
|
cs3 |
Link to the MalOp in the Cybereason platform |
|
cn2Label |
affectedMachineCount |
|
cn2 |
Number of affected machines for this operation |
|
StopMachineIsolationDetails |
cs2Label |
malopId |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
linkToMalop |
|
cs3 |
Link to the MalOp in the Cybereason platform |
|
cs4Label |
affectedMachineName |
|
cs4 |
Name for the target machine for this operation |
|
cs5Label |
affectedMachineIP |
|
cs5 |
IP address for the target machine for this operation |
|
cs6Label |
pylumID |
|
cs6 |
ID of the Cybereason sensor on the target machine |
|
deviceCustomDate2Label |
actionOccurranceTime |
|
deviceCustomDate2 |
Time when the actual machine isolation action occurred (or failed) for this affected machine |
|
DeleteMalopComment |
cs2Label |
malopId |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
linkToMalop |
|
cs3 |
Link to the MalOp in the Cybereason platform |
|
GenerateReport |
cs2Label |
exportType |
cs2 |
MalopReportPDF |
|
GetFile |
cs2Label |
malopId |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
linkToMalop |
|
cs3 |
Link to the MalOp in the Cybereason platform |
|
cs4Label |
actionType |
|
cs4 |
Type of prevention action that occurred (Add, Change, or Remove) |
|
cn2Label |
affectedFileCount |
|
cn2 |
Number of files in this operation |
|
GetFileDetails |
cs2Label |
malopId |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
linkToMalop |
|
cs3 |
Link to the MalOp in the Cybereason platform |
|
cs4Label |
actionType |
|
cs4 |
Type of prevention action that occurred (Add, Change, or Remove) |
|
cs5Label |
fileName |
|
cs5 |
Name of the file requested |
|
cs6Label |
fileHash |
|
cs6 |
Hash of the file requested |
|
deviceCustomDate2Label |
actionOccuranceTime |
|
deviceCustomDate2 |
Time when the action occurred or failed for this file |
|
MalopInboxAccess |
No additional fields |
N/A |
CreateMalopLabel |
cs2 |
createdLabel |
cs2 |
The label text |
|
AddMalopLabel |
cs2Label |
malopID |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
createdLabel |
|
cs3 |
The label added to the specified MalOp |
|
RemoveMalopLabel |
cs2Label |
malopID |
cs2 |
Unique identifier the Cybereason platform uses for the MalOp on which the user took an action |
|
cs3Label |
createdLabel |
REMOTE SHELL action group extension fields
Event name(s) |
Field key name |
Value |
|---|---|---|
Connect/Disconnect |
cs2Label |
remote_shell_mode |
cs2 |
The mode for the Remote Shell utility. Possible values include:
|
|
User Input |
cs2Label |
input |
cs2 |
String with the command a user ran. |
|
cs3Label |
remote_shell_mode |
|
cs3 |
The mode for the Remote Shell utility. Possible values include:
|
|
act |
user_input |
|
dvchost |
Machine name for the target machine for the Remote shell utility session |
|
src |
IP address for the target machine |
SECURITY PROFILE action group extension fields
Event(s) |
Field |
Value |
|---|---|---|
PowerShellProtectionMode, PowerShellDownloadAndExecuteMode, PowerShellMaliciousDownloadsMode, PowerShellScriptAnalysisMode, DotNetFloatingModulesMode |
cs2Label |
oldMode |
cs2 |
Setting for the mode before user made a change |
|
cs3Label |
newMode |
|
cs3 |
New mode setting specified by user |
|
PowerShellProcessExclusions |
cs2Label |
ActionType |
cs2 |
Type of action user performed with regards to process exclusions |
|
cs3Label |
ProcessName |
|
cs3 |
Name of the process the user excluded from Fileless protection |
|
PowerShellScriptAnalysisExclusions |
cs2Label |
ActionType |
cs2 |
Type of action user performed with regards to script analysis exclusions |
|
cs3Label |
FunctionName |
|
cs3 |
Pattern the user excluded from Fileless protection script analysis |
SENSOR MANAGEMENT action group extension fields
Event name(s) |
Field key name |
Value |
|---|---|---|
ManualArchiveInvoked |
cn2Label |
totalSensorsArchived |
cn2 |
The number of sensors that were archived |
|
cs2Label |
previousStates |
|
cs2 |
The previous state for the sensors that were archived |
|
ManualUnarchiveInvoked |
cn2Label |
totalSensorsUnarchived |
cn2 |
The number of sensors that were unarchived |
|
SensorArchived |
cs2Label |
previousState |
cs2 |
The previous state for the sensor that was archived |
|
cs3Label |
sensorId |
|
cs3 |
Unique identifier the Cybereason platform used for the sensor |
|
SensorUnarchived |
cs2Label |
sensorId |
cs2 |
Unique identifier the Cybereason platform used for the sensor |
|
SensorDeleted |
cs2Label |
sensorId |
cs2 |
Unique identifier the Cybereason platform used for the sensor |
|
ManualDeleteInvoked |
cn2Label |
totalDeletedSensors |
cn2 |
The total number of sensors removed from the Sensors screen |
|
SensorDecommissioned |
cs2Label |
sensorId |
cs2 |
Unique identifier the Cybereason platform used for the sensor |
|
ManualDecommissionInvoked |
cn2Label |
totalDecommissionedSensors |
cn2 |
The total number of sensors that were decommissioned |
|
ManualRevertDecommissionInvoked |
cn2Label |
totalRevertedDecommissionedSensors |
cn2 |
The total number of sensors that were removed from Decommissioned status |
|
SensorRevertDecommission |
cs2Label |
sensorId |
cs2 |
Unique identifier the Cybereason platform used for the sensor |
|
SettingsChanged |
No fields |
N/A |
EntityTagsCsvUpload |
cn2 |
rowCount |
cn2 |
Number of rows in the sensor tags CSV file that was uploaded |
|
EntityTagsCsvSubmit |
cn2 |
rowCount |
cn2 |
Number of rows in the sensor tags CSV file that was uploaded |
|
EntityTagsApiCalled |
cn2 |
rowCount |
cn2 |
Number of rows in the sensor tags CSV file that was uploaded |
|
EntityTagsEvent |
cs2Label |
eventLine |
cs2 |
The tag that was updated |
|
ManualAntiMalwareModesInvoked |
cn2Label |
totalMachines |
cn2 |
Total number of sensors on which the Anti-Malware mode was manually updated |
|
cs2Label |
antiMalwareState |
|
cs2 |
The Anti-Malware mode that was set manually by the user |
|
cs3Label |
signatureAntivirusState |
|
cs3 |
The Anti-Malware > Signatures mode that was set manually be the user |
|
cs4Label |
staticAnalysisDetectState |
|
cs4 |
The Anti-Malware > Artificial Intelligence Detect mode that was set manually by the user |
|
cs5Label |
staticAnalysisPreventState |
|
cs5 |
The Anti-Malware > Artificial Intelligence Prevent mode that was set manually by the user |
|
SensorAntiMalwareModesPreview |
cs2Label |
previousAntiMalwareState |
cs2 |
The previous Anti-Malware mode |
|
cs3Label |
previousSignatureAntivirusState |
|
cs3 |
The previous setting for the Anti-Malware > Signatures modes |
|
cs4Label |
previousStaticAnalysisDetectState |
|
cs4 |
The previous setting for the Anti-Malware > Artificial Intelligence Detect mode |
|
cs5Label |
previousStaticAnalysisPreventState |
|
cs5 |
The previous setting for the Anti-Malware > Artificial Intelligence Prevent mode |
|
cs7Label |
sensorId |
|
cs7 |
Unique identifier the Cybereason platform used for the sensor |
|
CreatePolicy |
cs2Label |
configuration |
cs2 |
The policy configuration |
|
UpdatePolicy |
cs2Label |
configuration |
cs2 |
The policy configuration that was updated |
|
AssignPolicy |
cs2Label |
policyId |
cs2 |
The unique identifier for the policy that was assigned to a sensor |
|
cn2Label |
keepManualOverrides |
|
cn2 |
Whether or not to keep any manual sensor settings (1 to keep the manual overrides, 0 to override them) |
|
cn3Label |
numberOfSensors |
|
cn3 |
The number of sensors to which this policy was assigned |
|
DeletePolicy |
cs2Label |
policyId |
cs2 |
The unique identifier the Cybereason platform uses for the policy that was deleted |
|
cs3Label |
assignToPolicyId |
|
cs3 |
The policy to which to assign sensors that previously had the policy that was deleted |
|
CreateGroup |
cs2Label |
groupId |
cs2 |
The unique identifier the Cybereason platform uses for the sensor group |
|
cs2Label |
groupName |
|
cs2 |
The name for the sensor group |
|
EditGroup |
cs2Label |
groupId |
cs2 |
The unique identifier the Cybereason platform uses for the group |
|
cs3Label |
groupName |
|
cs3 |
The name for the sensor group |
|
EditGroupsPriority |
cs2Label |
groupId |
cs2 |
The unique identifier that the Cybereason platform uses for the group |
|
cs3Label |
priority |
|
cs3 |
The priority assigned for the group |
|
DeleteGroup |
cs2Label |
deletedGroupId |
cs2 |
The unique identifier the Cybereason platform uses for the group that was deleted |
|
cs3Label |
reassignedToGroupId |
|
cs3 |
The unique identifier the Cybereason platform uses for the group to which to assign sensors that were previously assigned to the deleted group |
|
AddSensorsToGroup |
cs2Label |
groupId |
cs2 |
Unique identifier the Cybereason platform uses for the sensor group |
|
cs3Label |
filter |
|
cs3 |
The filter used for automatic assignment of sensors to a group |
|
cn2Label |
totalSensorCount |
|
cn2 |
Number of sensors added to the group |
|
cn3Label |
failureSensorCount |
|
cn3 |
Number of sensors that could not be added to the group |
|
RemoveSensorsFromGroup |
cs2Label |
groupId |
cs2 |
Unique identifier the Cybereason platform uses for the sensor group |
|
cs3Label |
filter |
|
cs3 |
The filter used for automatic assignment of sensors to a group |
|
cn2Label |
totalSensorCount |
|
cn2 |
Number of sensors added to the group |
|
cn3Label |
failureSensorCount |
|
cn3 |
Number of sensors that could not be added to the group |
USER MANAGEMENT action group extension fields
Event name(s) |
Field key name |
Value |
|---|---|---|
Add user, Edit user, Delete user |
cs2Label |
userFields |
cs2 |
List of key-value pairs for information on:
|
IR TOOLS action group extension fields
Event name(s) |
Field key name |
Value |
|---|---|---|
DeliverPackage |
cs2Label |
packageName |
cs2 |
The unique name of the IR tool package that was deployed |
|
cs3Label |
packageSize |
|
cs3 |
The size of the package deployed |
|
cs4Label |
sensorContentType |
|
cs4 |
The version of the package |
|
cs5Label |
owner |
|
cs5 |
Owner of the tool package |
|
DeliverPackageDetails |
cs2Label |
packageName |
cs2 |
The unique name of the IR tools package to deploy |
|
cs3Label |
supportedOS |
|
cs3 |
The supported operating systems where the package was deployed |
|
DeletePackage |
cs2Label |
packageName |
cs2 |
The unique name of the IR tool package removed from endpoint machines |