Configuring the data model of a normalized event from KATA EDR
To investigate the information, the IDs of the event and the KATA/EDR process must go to certain fields of the normalized event. To build a process tree for events coming from KATA/EDR, you must configure the copying of data from the fields of the raw events to the fields of the normalized event in KUMA normalizers as follows:
- For any KATA/EDR events, you must configure normalization with copying of the following fields:
- The
EventType
field of the KATA/EDR event must be copied to theDeviceEventCategory
field of the normalized KUMA event. - The
HostName
field of the KATA/EDR event must be copied to theDeviceHostName
field of the normalized KUMA event.
- The
- For any event where
DeviceProduct = 'KATA'
, normalization must be configured in accordance with the table below.Normalization of event fields from KATA/EDR
KATA/EDR event field
Normalized event field
IOATag
DeviceCustomIPv6Address2
IOATag
IOAImportance
DeviceCustomIPv6Address1
IOAImportance
FilePath
FilePath
FileName
FileName
Md5
FileHash
FileSize
FileSize
- For events listed in the table below, additional normalization with field copying must be configured in accordance with the table.
Additional normalization with copying of event fields from KATA/EDR
Event
Raw event field
Normalized event field
Process
UniqueParentPid
FlexString1
UniquePid
FlexString2
HostName
DeviceHostName
FileName
FileName
AppLock
UniquePid
FlexString2
HostName
DeviceHostName
FileName
FileName
BlockedDocument
UniquePid
FlexString2
HostName
DeviceHostName
FileName
FileName
Module
UniquePid
FlexString2
HostName
DeviceHostName
FileName
FileName
FileChange
UniquePid
FlexString2
HostName
DeviceHostName
FileName
FileName
Driver
HostName
DeviceHostName
FileName
FileName
ProductName
DeviceCustomString5,
ProductName
ProductVendor
DeviceCustomString6
ProductVendor
Connection
UniquePid
FlexString2
HostName
DeviceHostName
URI
RequestURL
RemoteIP
DestinationAddress
RemotePort
DestinationPort
PortListen
UniquePid
FlexString2
HostName
DeviceHostName
LocalIP
SourceAddress
LocalPort
SourcePort
Registry
UniquePid
FlexString2
HostName
DeviceHostName
ValueName
DeviceCustomString5
New Value Name
KeyName
DeviceCustomString4
New Key Name
PreviousKeyName
FlexString2
Old Key Name
ValueData
DeviceCustomString6
New Value Data
PreviousValueData
FlexString1
Old Value Data
ValueType
FlexNumber1
Value Type
PreviousValueType
FlexNumber2
Previous Value Type
SystemEventLog
UniquePid
FlexString2
HostName
DeviceHostName
OperationResult
EventOutcome
EventId
DeviceCustomNumber3
EventId
EventRecordId
DeviceCustomNumber2
EventRecordId
Channel
DeviceCustomString6
Channel
ProviderName
SourceUserID
ThreatDetect
UniquePid
FlexString2
HostName
DeviceHostName
VerdictName
EventOutcome
DetectedObjectType
OldFileType
isSilent
FlexString1
Is Silent
RecordId
DeviceCustomString5
Record ID
DatabaseTimestamp
DeviceCustomDate2
Database Timestamp
ThreatDetectProcessingResult
UniquePid
FlexString2
HostName
DeviceHostName
ThreatStatus
DeviceCustomString5
Threat Status
PROCESS_INTERPRET_FILE_RUN
UniquePid
FlexString2
HostName
DeviceHostName
FileName
FileName
InterpretedFilePath
OldFilePath
InterpretedFileSize
OldFileSize
InterpretedFileHash
OldFileHash
PROCESS_CONSOLE_INTERACTIVE_INPUT
UniquePid
FlexString2
HostName
DeviceHostName
InteractiveInputText
DeviceCustomString4
Command Line
AMSI SCAN
UniquePid
FlexString2
HostName
DeviceHostName
ObjectContent
DeviceCustomString5
Object Content