To investigate the information, the IDs of the event and the KATA/EDR process must go to certain fields of the normalized event. To build a process tree for events coming from KATA/EDR, you must configure the copying of data from the fields of the raw events to the fields of the normalized event in KUMA normalizers as follows:

- The EventType field of the KATA/EDR event must be copied to the DeviceEventCategory field of the normalized KUMA event.
- The HostName field of the KATA/EDR event must be copied to the DeviceHostName field of the normalized KUMA event.
- DeviceProduct = 'KATA'.

Normalization must be configured in accordance with the table below.

Normalization of event fields from KATA/EDR

KATA/EDR event field | Normalized event field |
---|---|
IOATag | DeviceCustomIPv6Address2 (label: IOATag) |
IOAImportance | DeviceCustomIPv6Address1 (label: IOAImportance) |
FilePath | FilePath |
FileName | FileName |
Md5 | FileHash |
FileSize | FileSize |
Additional normalization with copying of event fields from KATA/EDR

Event | Raw event field | Normalized event field |
---|---|---|
Process | UniqueParentPid | FlexString1 |
 | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | FileName | FileName |
AppLock | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | FileName | FileName |
BlockedDocument | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | FileName | FileName |
Module | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | FileName | FileName |
FileChange | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | FileName | FileName |
Driver | HostName | DeviceHostName |
 | FileName | FileName |
 | ProductName | DeviceCustomString5 (label: ProductName) |
 | ProductVendor | DeviceCustomString6 (label: ProductVendor) |
Connection | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | URI | RequestURL |
 | RemoteIP | DestinationAddress |
 | RemotePort | DestinationPort |
PortListen | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | LocalIP | SourceAddress |
 | LocalPort | SourcePort |
Registry | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | ValueName | DeviceCustomString5 (label: New Value Name) |
 | KeyName | DeviceCustomString4 (label: New Key Name) |
 | PreviousKeyName | FlexString2 (label: Old Key Name) |
 | ValueData | DeviceCustomString6 (label: New Value Data) |
 | PreviousValueData | FlexString1 (label: Old Value Data) |
 | ValueType | FlexNumber1 (label: Value Type) |
 | PreviousValueType | FlexNumber2 (label: Previous Value Type) |
SystemEventLog | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | OperationResult | EventOutcome |
 | EventId | DeviceCustomNumber3 (label: EventId) |
 | EventRecordId | DeviceCustomNumber2 (label: EventRecordId) |
 | Channel | DeviceCustomString6 (label: Channel) |
 | ProviderName | SourceUserID |
ThreatDetect | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | VerdictName | EventOutcome |
 | DetectedObjectType | OldFileType |
 | isSilent | FlexString1 (label: Is Silent) |
 | RecordId | DeviceCustomString5 (label: Record ID) |
 | DatabaseTimestamp | DeviceCustomDate2 (label: Database Timestamp) |
ThreatDetectProcessingResult | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | ThreatStatus | DeviceCustomString5 (label: Threat Status) |
PROCESS_INTERPRET_FILE_RUN | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | FileName | FileName |
 | InterpretedFilePath | OldFilePath |
 | InterpretedFileSize | OldFileSize |
 | InterpretedFileHash | OldFileHash |
PROCESS_CONSOLE_INTERACTIVE_INPUT | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | InteractiveInputText | DeviceCustomString4 (label: Command Line) |
AMSI SCAN | UniquePid | FlexString2 |
 | HostName | DeviceHostName |
 | ObjectContent | DeviceCustomString5 (label: Object Content) |
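As an added illustration (not KUMA's own normalizer configuration, which is built in the KUMA web interface), the following Python applies the copy rules above for the common fields and the Process and Connection rows to constructed sample events, then assembles the process tree from FlexString1 (UniqueParentPid) and FlexString2 (UniquePid). The host name, pids and file names are constructed values.

```python
"""Illustrative KATA/EDR normalizer (added example, not KUMA's own normalizer
config): applies this page's copy rules for common, Process and Connection fields
to constructed events, then builds a process tree from FlexString1/FlexString2."""

# Common rules: raw KATA/EDR field -> normalized KUMA field.
COMMON = {"EventType": "DeviceEventCategory", "HostName": "DeviceHostName"}
RULES = {
    "Process": {"UniqueParentPid": "FlexString1", "UniquePid": "FlexString2",
                "FileName": "FileName"},
    "Connection": {"UniquePid": "FlexString2", "URI": "RequestURL",
                   "RemoteIP": "DestinationAddress", "RemotePort": "DestinationPort"},
}

def normalize(raw: dict) -> dict:
    """Copy raw fields into normalized fields and set DeviceProduct = 'KATA'."""
    out = {"DeviceProduct": "KATA"}
    rules = {**COMMON, **RULES.get(raw.get("EventType"), {})}
    for src, dst in rules.items():
        if src in raw:
            out[dst] = raw[src]
    return out

def process_tree(events: list) -> dict:
    """Map each UniquePid (FlexString2) to its child pids; FlexString1 names the parent."""
    tree = {}
    for ev in events:
        if ev.get("DeviceEventCategory") != "Process":
            continue  # Connection, Registry, ... events carry only FlexString2
        tree.setdefault(ev["FlexString2"], [])
        if ev.get("FlexString1"):  # an empty parent id marks a root process
            tree.setdefault(ev["FlexString1"], []).append(ev["FlexString2"])
    return tree

def events_for_process(events: list, pid: str) -> list:
    """Return normalized non-Process events (e.g. Connection) attributed to a UniquePid."""
    return [e for e in events
            if e.get("FlexString2") == pid and e.get("DeviceEventCategory") != "Process"]

SAMPLE = [  # constructed raw KATA/EDR events for one host
    {"EventType": "Process", "HostName": "ws-01", "UniquePid": "p1",
     "UniqueParentPid": "", "FileName": "explorer.exe"},
    {"EventType": "Process", "HostName": "ws-01", "UniquePid": "p2",
     "UniqueParentPid": "p1", "FileName": "cmd.exe"},
    {"EventType": "Process", "HostName": "ws-01", "UniquePid": "p3",
     "UniqueParentPid": "p2", "FileName": "powershell.exe"},
    {"EventType": "Connection", "HostName": "ws-01", "UniquePid": "p3",
     "RemoteIP": "192.0.2.10", "RemotePort": 443, "URI": "https://example.test/"},
]
NORMALIZED = [normalize(e) for e in SAMPLE]
```

Because every event type in the second table copies UniquePid into FlexString2, a Connection or Registry event can be attached to the right node of the tree by that one field, which is why the page insists on copying it consistently.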