Uptycs eXtended Detection and Response (XDR)¶
About¶
Meet the first cloud-native security analytics platform for endpoint and cloud. With Uptycs, modern defenders can prioritize, investigate and respond to threats across the entire attack surface—all from a common solution. The Uptycs platform is composed of telemetry sources across the cloud-native attack surface, a powerful analytics engine and data pipeline, and data summarizations and visualizations that solve for multiple security solutions.
Product Details¶
Vendor URL: Open Source Endpoint Detection & Response (XDR) | Uptycs
Product Type: EDR
Product Tier: Tier I
Integration Method: S3 Bucket
Log Guide: AWS Logging - osquery
Parser Details¶
Log Format: JSON, based on queries performed by Uptycs, which is built over osquery
Expected Normalization Rate: Near 100%
Data Label: UPTYCS_EDR
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
hard-coded: GENERIC_EVENT | metadata.event_type |
product_event | metadata.product_event_type |
product | metadata.product_name |
version | metadata.product_version |
vendor | metadata.vendor_name |
osquery_raw_data.answer | network.dns.answers |
osquery_raw_data.question and osquery_raw_data.type | network.dns.questions |
upt_asset_group_name | principal.asset.category |
upt_asset_id | principal.asset.product_object_id |
upt_group_name | principal.group.group_display_name |
upt_group_id | principal.group.product_object_id |
upt_hostname | principal.hostname |
upt_name | principal.resource.name |
upt_id | principal.resource.product_object_id |
not used currently | security_result |
osquery_raw_data.name | src.process.file.full_path |
osquery_raw_data.uid | src.user.product_object_id |
osquery_raw_data.uname | src.user.userid |
osquery_raw_data.container_id | target.asset.product_object_id |
osquery_raw_data.cmdline | target.process.command_line |
osquery_raw_data.path | target.process.file.full_path |
osquery_raw_data.exe_size | target.process.file.size |
osquery_raw_data.ppid | target.process.parent_process.pid |
osquery_raw_data.pid | target.process.pid |
osquery_raw_data.container_name | target.resource.name |
osquery_raw_data.container_image | target.resource.parent |
osquery_raw_data.auid | target.user.product_object_id |
Product Event Types¶
Description | metadata.event_type |
---|---|
Default | GENERIC_EVENT |
Log Sample¶
{"upt_time":"2021-12-09T21:41:24.000Z","day":20211209,"upt_customer_name":"customer","upt_added":true,"upt_epoch":0,"upt_asset_id":"bbbbaabb-5566-11ec-bf63-0242ac130002","upt_hostname":"hostname.test01.domain.com","upt_asset_group_id":"AAAABBB1-593f-11ec-bf63-0242ac130002","upt_asset_group_name":"asset","upt_hash":"AAAABBB1-593e-11ec-bf63-0242ac130002","upt_gateway_time":"2021-12-09T21:41:28.834261367Z","upt_id":"AAAABBBB-5555-11ec-bf63-0242ac130002","upt_agent_id":"53fde29a-593f-11ec-bf63-0242ac130002","upt_agent_type":"asset","upt_resource":"asset","upt_asset_tags":{"all":"","ubuntu":"","uptycs_edr_linux_mitre":"","asset-group":"assets","uptk8s":""},"upt_ttl":1646870400,"upt_group_id": "AAAABBBB-5555-11ec-bf63-0242ac130002","upt_group_name":"assets","upt_name":"hostname1.test01.domain.com","upt_batch":21,"upt_resource_id":"","upt_server_time":"2021-12-09T21:43:04.377Z","osquery_raw_data":{"local":"127.0.0.1","port":"52467","question":"url.domain.com","remote":"127.0.0.1","time":"1639086084","type":"A","answer":"10.10.10.10"}}
Sample Parsing¶
metadata.event_timestamp.seconds: 1639086084
metadata.event_type: GENERIC_EVENT
metadata.vendor_name: "Uptycs"
metadata.product_name: "UPTYCS_EDR"
principal.hostname: "hostname.test01.domain.com"
principal.group.product_object_id: "AAAABBBB-5555-11ec-bf63-0242ac130002"
principal.group.group_display_name: "assets"
principal.asset.product_object_id: "AAAABBBB-5555-11ec-bf63-0242ac130002"
principal.asset.category: "asset"
principal.resource.name: "hostname1.test01.domain.com"
principal.resource.product_object_id: "AAAABBBB-5555-11ec-bf63-0242ac130002"
network.dns.questions.name: "url.domain.com"
network.dns.questions.type: 1
network.dns.answers.name: "10.10.10.10"
Parser Alerting¶
This product currently does not have any Parser-based Alerting