What base_eventType values and baseType values says in openEDR logs in windows

immaculate · May 16, 2024, 2:00pm

Hello,
i have installed openEDR agent in windows endpoint and parsed the openEDR logs inside elk using filebeat and logstash plugin. Below are the fields.

_id: Unique identifier for the log entry.
_index: Index name where the log entry is stored.
_score: Score of the log entry (typically used in search results).
@timestamp: Timestamp of when the log entry was recorded.
@version: Version of the log entry.
agent.ephemeral_id: Ephemeral identifier for the agent responsible for collecting the log entry.
agent.id: Identifier for the agent responsible for collecting the log entry.
agent.name: Name of the agent responsible for collecting the log entry.
agent.type: Type of agent responsible for collecting the log entry.
agent.version: Version of the agent responsible for collecting the log entry.
ecs.version: Version of the ECS (Elastic Common Schema) used.
event.original: The original event data before parsing.
host.architecture: Architecture of the host system.
host.hostname: Hostname of the system where the event occurred.
host.id: Unique identifier for the host system.
host.ip: IP addresses associated with the host system.
host.mac: MAC address of the host system.
host.name: Name of the host system.
host.os.build: Build version of the operating system.
host.os.family: Family of the operating system (e.g., Windows).
host.os.kernel: Kernel version of the operating system.
host.os.name: Name of the operating system.
host.os.platform: Platform of the operating system (e.g., Windows).
host.os.type: Type of operating system (e.g., Windows).
host.os.version: Version of the operating system.
input.type: Type of input used to collect the log entry.
log.file.idxhi: High index of the log file.
log.file.idxlo: Low index of the log file.
log.file.path: Path of the log file.
log.file.vol: Volume of the log file.
log.offset: Offset within the log file where the entry was read.
parsed_json.baseEventType: Base event type.
parsed_json.baseType: Base type.
parsed_json.childProcess.*: Information about child processes.
parsed_json.customerId: Customer ID.
parsed_json.deviceName: Name of the device.
parsed_json.endpointId: Endpoint ID.
parsed_json.processes.*: Information about processes.
parsed_json.sessionUser: User associated with the session.
parsed_json.time: Time associated with the parsed JSON.
parsed_json.type: Type of parsed JSON.
parsed_json.version: Version of parsed JSON.
tags: Additional tags applied to the log entry.
these many fields i’m able to see in discover of openEDR logs

i have created a dashboard for these fields but it was not informative because

here it showing the base event and base in number how could we know that what it define. I also searched about those i’m not getting any information about that numbers.

as it showing the file path how can i detect the malware from it

please suggest!!! fast

nivedithab · May 16, 2024, 2:56pm

hi @immaculate

I will check with the internal team and back to you

thank you

immaculate · May 17, 2024, 4:23am

yes please!
thank you!

nivedithab · May 17, 2024, 9:11am

hi @immaculate

Please refer to the below links

github.com

ComodoSecurity/openedr/blob/release-2.5/edrav2/iprj/libcore/inc/events.hpp

//
// edrav2.libcore project
//
// Declaration of EDR events
//
// Author: Yury Kroshin (13.02.2019)
// Reviewer: Denis Bogdanov (14.02.2019)
//
#pragma once
#include "crypt.hpp"

// TODO: Move this file to separate EDR-related project

namespace cmd {

//
// LLE identifiers
//
enum class Event : uint64_t
{

This file has been truncated. show original

github.com

ComodoSecurity/openedr/blob/release-2.5/edrav2/iprj/edrdata/evm.act

{
  "scenario": {
    "$$proxy": "cachedObj",
    "clsid": 1638072916,
    "code": {
      "LLE_CLIPBOARD_READ": [
        {
          "$dst": "policy.rule.state",
          "$set": 255
        },
        {
          "$dst": "policy.rule.state",
          "$if": {
            "$$proxy": "cachedObj",
            "args": [
              {
                "$$proxy": "cachedObj",
                "args": [
                  {
                    "$default": 255,

This file has been truncated. show original

immaculate · May 20, 2024, 5:18am

hello thank you for your response
I have gone through the above things but IDK how i have to implement those for the below things:

" here it showing the base event and base in number how could we know that what it define. I also searched about those i’m not getting any information about that numbers.
and
as it showing the file path how can i detect the malware from it "

and
openedr/edrav2/iprj/libcore/inc/events.hpp at release-2.5 · ComodoSecurity/openedr · GitHub if this link is the explanation about what base_event field number means. Then what about base_type field numbers means

can you explain please !
i’m a newbie for openedr.

nivedithab · May 20, 2024, 5:54am

hi @immaculate

Thank you for writing to us, I have shared your query with the backend team to look into it

immaculate · May 23, 2024, 5:11am

hi, any response from backend team?

nivedithab · May 23, 2024, 8:32pm

hi @immaculate

team is looking into it , once received feedback , I shall let you know.

immaculate · May 28, 2024, 7:18am

its been 8 days any response from backend team!

nivedithab · May 28, 2024, 7:19am

hi @immaculate

apologies for the delay , i will get in touch with backend team and get back to you on update.