Skip to content

Uptycs eXtended Detection and Response (XDR)

Uptycs eXtended Detection and Response

About

Meet the first cloud-native security analytics platform for endpoint and cloud. With Uptycs, modern defenders can prioritize, investigate and respond to threats across the entire attack surface—all from a common solution. The Uptycs platform is composed of telemetry sources across the cloud-native attack surface, a powerful analytics engine and data pipeline, and data summarizations and visualizations that solve for multiple security solutions.

Product Details

Vendor URL: Open Source Endpoint Detection & Response (XDR) | Uptycs

Product Type: EDR

Product Tier: Tier I

Integration Method: S3 Bucket

Log Guide: AWS Logging - osquery

Parser Details

Log Format: JSON, based on queries performed by Uptycs, which is built over osquery

Expected Normalization Rate: Near 100%

Data Label: UPTYCS_EDR

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
hard-coded: GENERIC_EVENT metadata.event_type
product_event metadata.product_event_type
product metadata.product_name
version metadata.product_version
vendor metadata.vendor_name
osquery_raw_data.answer network.dns.answers
osquery_raw_data.question and osquery_raw_data.type network.dns.questions
upt_asset_group_name principal.asset.category
upt_asset_id principal.asset.product_object_id
upt_group_name principal.group.group_display_name
upt_group_id principal.group.product_object_id
upt_hostname principal.hostname
upt_name principal.resource.name
upt_id principal.resource.product_object_id
not used currently security_result
osquery_raw_data.name src.process.file.full_path
osquery_raw_data.uid src.user.product_object_id
osquery_raw_data.uname src.user.userid
osquery_raw_data.container_id target.asset.product_object_id
osquery_raw_data.cmdline target.process.command_line
osquery_raw_data.path target.process.file.full_path
osquery_raw_data.exe_size target.process.file.size
osquery_raw_data.ppid target.process.parent_process.pid
osquery_raw_data.pid target.process.pid
osquery_raw_data.container_name target.resource.name
osquery_raw_data.container_image target.resource.parent
osquery_raw_data.auid target.user.product_object_id

Product Event Types

Description metadata.event_type
Default GENERIC_EVENT

Log Sample

{"upt_time":"2021-12-09T21:41:24.000Z","day":20211209,"upt_customer_name":"customer","upt_added":true,"upt_epoch":0,"upt_asset_id":"bbbbaabb-5566-11ec-bf63-0242ac130002","upt_hostname":"hostname.test01.domain.com","upt_asset_group_id":"AAAABBB1-593f-11ec-bf63-0242ac130002","upt_asset_group_name":"asset","upt_hash":"AAAABBB1-593e-11ec-bf63-0242ac130002","upt_gateway_time":"2021-12-09T21:41:28.834261367Z","upt_id":"AAAABBBB-5555-11ec-bf63-0242ac130002","upt_agent_id":"53fde29a-593f-11ec-bf63-0242ac130002","upt_agent_type":"asset","upt_resource":"asset","upt_asset_tags":{"all":"","ubuntu":"","uptycs_edr_linux_mitre":"","asset-group":"assets","uptk8s":""},"upt_ttl":1646870400,"upt_group_id": "AAAABBBB-5555-11ec-bf63-0242ac130002","upt_group_name":"assets","upt_name":"hostname1.test01.domain.com","upt_batch":21,"upt_resource_id":"","upt_server_time":"2021-12-09T21:43:04.377Z","osquery_raw_data":{"local":"127.0.0.1","port":"52467","question":"url.domain.com","remote":"127.0.0.1","time":"1639086084","type":"A","answer":"10.10.10.10"}}

Sample Parsing

metadata.event_timestamp.seconds: 1639086084
metadata.event_type: GENERIC_EVENT
metadata.vendor_name: "Uptycs"
metadata.product_name: "UPTYCS_EDR"
principal.hostname: "hostname.test01.domain.com"
principal.group.product_object_id: "AAAABBBB-5555-11ec-bf63-0242ac130002"
principal.group.group_display_name: "assets"
principal.asset.product_object_id: "AAAABBBB-5555-11ec-bf63-0242ac130002"
principal.asset.category: "asset"
principal.resource.name: "hostname1.test01.domain.com"
principal.resource.product_object_id: "AAAABBBB-5555-11ec-bf63-0242ac130002"
network.dns.questions.name: "url.domain.com"
network.dns.questions.type: 1
network.dns.answers.name: "10.10.10.10"

Parser Alerting

This product currently does not have any Parser-based Alerting