Understanding EDR API output for SIEM
Last Modified: 2023-03-28 10:32:56 Etc/GMT
Technical Articles ID: KB96428

Environment
MVISION EDR - all versions
Activity Feed
All SIEM Products

Summary
When threat events are pulled from the MVISION EDR backend through any integration tool, for example MVISION EDR - Activity Feed, the output carries "Severity," "Rank," and "Score" fields, for example:

"severity": "s4", "rank": 270, "score": 70

In the MVISION EDR console, the same detection event appears under the "Low," "Medium," or "High" category. In most cases, the integration tool passes the feed data into SIEM fields for correlation with other data sources. This article explains how to map the detection category shown in the EDR console to the Severity, Rank, and Score values that the integration tools emit for the same detection.

What are Score and Rank?
Score is associated with the rule that triggered on an event or activity on the EDR client. Rank is calculated internally by the EDR backend from Severity and Score, and it determines the highest ranking associated with a process.
Example: If the integration output shows "severity": "s4", "rank": 270, "score": 70, the detection is shown as "High" severity in the EDR UI.
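The following is an added example, not code from the article or from Trellix, showing how a SIEM ingestion script can normalize Activity Feed events of the shape quoted above. Only the s4 to "High" mapping is stated in the article; the SEVERITY_TO_CONSOLE table, the output field names and the sample events are assumptions constructed here, and any severity code the table does not list is flagged for review rather than guessed.

```python
"""Normalize MVISION EDR Activity Feed events for SIEM correlation (added example)."""
import json

# Only "s4" -> "High" comes from the article. Other codes are deliberately
# absent (assumption: fill them in after confirming against the EDR console)
# so an unknown code is never silently ranked.
SEVERITY_TO_CONSOLE = {
    "s4": "High",
}

# Constructed sample feed, one JSON event per line, in the shape the article quotes.
# Line 2 has rank as a string, line 3 uses a made-up code, line 4 lacks severity.
SAMPLE_FEED = """
{"severity": "s4", "rank": 270, "score": 70, "process": "sample.exe"}
{"severity": "s4", "rank": "270", "score": 70}
{"severity": "sX", "rank": 10, "score": 5}
{"rank": 10, "score": 5}
"""


def _as_int(value):
    """Coerce rank/score to int; feeds sometimes quote numbers."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def normalize_event(event):
    """Map one feed event to the SIEM fields used for correlation (assumed names)."""
    severity = event.get("severity")
    console_level = SEVERITY_TO_CONSOLE.get(severity)
    return {
        "edr_severity": severity,
        "edr_console_severity": console_level or "Unmapped",
        "edr_rank": _as_int(event.get("rank")),
        "edr_score": _as_int(event.get("score")),
        # Unmapped or missing severity must be reviewed, not dropped or auto-ranked.
        "needs_review": console_level is None,
    }


def normalize_feed(text):
    """Parse newline-delimited JSON events; keep unparsable lines as error records."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(normalize_event(json.loads(line)))
        except json.JSONDecodeError:
            records.append({"parse_error": line, "needs_review": True})
    return records
```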