You want to know the type_id mapping for events forwarded to the Syslog server.
Type_ids higher than 8000 are forwarded keeping their original value.
| SEDR Event Type Id | Description | Control Point | ICD Mapping | ICD Category |
|---|---|---|---|---|
| 16 | Incident Create | Endpoint/Network | 8075 (Incident Creation) | 1 (Security) |
| 16 | Includes Incident update, Incident Comment change | Endpoint/Network | 8076 (Incident Update) | 1 (Security) |
| 16 | Incident Close | Endpoint/Network | 8077 (Incident Closure) | 1 (Security) |
| 16 | Incident Associate | Endpoint/Network | 8078 (Incident Associate) | 1 (Security) |
| 4096 | Reputation submission | Endpoint | 5 (File Reputation) | 3 (Application Activity) |
| 4098 | IPS Submission | Endpoint/Network | 8040 (Host Network Detection) | 1 (Security) |
| 4099 | Suspicious file | Endpoint | 8031 (File Detection) | 1 (Security) |
| 4100 | SONAR submission | Endpoint | 8027 (Process Detection) | 1 (Security) |
| 4102 | SDS/AV Ping submission | Endpoint | 8031 (File Detection) | 1 (Security) |
| 4112 | Deny List (IP/URL/Domain) | Network | 8050 (Network Detection) | 1 (Security) |
| 4113 | Vantage Detection | Network | 8050 (Network Detection) | 1 (Security) |
| 4117 | Sandbox detection | Endpoint/Network | 8031 (File Detection) | 1 (Security) |
| 4118 | Deny List (File) | Network | 8050 (Network Detection) | 1 (Security) |
| 4123 | Endpoint Detection (File) | Endpoint | 8031 (File Detection) | 1 (Security) |
| 4124 | Endpoint Detection (IP/URL/Domain) | Endpoint | 8040 (Host Network Detection) | 1 (Security) |
| 4125 | Email Detection | | 8035 (Email Detection) | 1 (Security) |
| 4353 | Antivirus Detection | Network | 8050 (Network Detection) | 1 (Security) |