| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| azId | string | - | The virtual machine Availability Zone ID | | Agentless Vulnerability & Threat Detection |
| cloudAccountId | string | - | The AWS cloud account ID, Google Cloud product ID, or Azure subscription ID | | |
| cloudMachineImageId | string | - | The cloud machine image ID | | Agentless Vulnerability & Threat Detection |
| cloudMachineImageName | string | - | The cloud machine image name | | Agentless Vulnerability & Threat Detection |
| cloudProvider | string | - | The service provider of the cloud asset | | |
| cloudResourceDigest | string | - | The cloud resource digest | | Agentless Vulnerability & Threat Detection |
| cloudResourceId | string | - | The cloud resource ID | | Agentless Vulnerability & Threat Detection |
| cloudResourceTags | string | - | The cloud resource tags | | Agentless Vulnerability & Threat Detection |
| cloudResourceType | string | - | The cloud resource type | | Agentless Vulnerability & Threat Detection |
| cloudResourceVersion | string | - | The cloud resource version | 113 | Agentless Vulnerability & Threat Detection |
| compressedFileHash | string | FileSHA1 | The SHA-1 of the decompressed archive | | |
| compressedFileHashSha256 | string | FileSHA2 | The SHA-256 of the compressed suspicious file | | |
| compressedFileName | string | FileName | The file name of the compressed file | | |
| compressedFileType | string | - | The file type of the decompressed archive file | | |
| diskPartitionId | string | - | The cloud volume partition ID | | Agentless Vulnerability & Threat Detection |
| endpointHostName | string | EndpointName | The endpoint hostname or node where the event was detected | | |
| endpointIp | dynamic | | The IP address of the endpoint on which the event was detected | 10.10.10.10 | |
| eventId | string | - | The event ID from the logs of each product | | |
| eventName | string | - | The event type | | |
| eventSubName | string | - | The event type sub-name | | |
| fileHash | string | FileSHA1 | The SHA-1 of the file that triggered the rule or policy | | |
| fileHashSha256 | string | FileSHA2 | The SHA-256 of the file (fileName) | | |
| fileName | dynamic | FileName | The file name | | |
| fileSize | string | - | The file size of the suspicious file | | |
| fileSystemUuid | string | - | The file system UUID | | Agentless Vulnerability & Threat Detection |
| fileType | string | - | The file type of the suspicious file | | |
| fullPath | string | FileFullPath | The combination of the file path and the file name | | |
| instanceId | string | - | The ID of the instance that indicates the meta-cloud or data center VM | | |
| malName | string | - | The name of the detected malware | | |
| osName | string | - | The host OS name | | |
| pver | string | - | The product version | | |
| regionCode | string | - | The cloud provider region code | us-east-1 | |
| remarks | string | - | The additional information | | |
| scanType | string | - | The scan type | | |
| threatType | string | - | The log threat type | | |
| vpcId | string | - | The virtual private cloud that contains the cloud asset | | |

| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| awsResourceArn | string | - | The Amazon Resource Name | | File Security Storage |
| cloudAccountId | string | - | The AWS cloud account ID, Google Cloud product ID, or Azure subscription ID | | |
| cloudProvider | string | - | The service provider of the cloud asset | | |
| cloudStorageName | string | - | The cloud storage name | my-bucket | File Security Storage |
| compressedFileHash | string | FileSHA1 | The SHA-1 of the decompressed archive | | |
| compressedFileHashSha256 | string | FileSHA2 | The SHA-256 of the compressed suspicious file | | |
| compressedFileName | string | FileName | The file name of the compressed file | | |
| compressedFileSize | string | - | The file size of the decompressed archive file | | |
| compressedFileType | string | - | The file type of the decompressed archive file | | |
| eventId | string | - | The event ID from the logs of each product | | |
| eventName | string | - | The event type | | |
| fileHash | string | FileSHA1 | The SHA-1 of the file that triggered the rule or policy | | |
| fileHashSha256 | string | FileSHA2 | The SHA-256 of the file (fileName) | | |
| fileName | dynamic | FileName | The file name | | |
| filePath | string | FileFullPath | The file path without the file name | | |
| fileSize | string | - | The file size of the suspicious file | | |
| fileType | string | - | The file type of the suspicious file | | |
| fullPath | string | FileFullPath | The combination of the file path and the file name | | |
| majorVirusType | string | - | The virus type | | |
| malName | string | - | The name of the detected malware | | |
| pver | string | - | The product version | | |
| regionCode | string | - | The cloud provider region code | us-east-1 | |

| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| compressedFileHash | string | FileSHA1 | The SHA-1 of the decompressed archive | | |
| compressedFileHashSha256 | string | FileSHA2 | The SHA-256 of the compressed suspicious file | | |
| compressedFileName | string | FileName | The file name of the compressed file | | |
| compressedFileSize | string | - | The file size of the decompressed archive file | | |
| compressedFileType | string | - | The file type of the decompressed archive file | | |
| confidence | int | - | The confidence rating returned from TrendX Hybrid Model (predictive machine learning). Values from 1-99. | 94 | |
| customTags | dynamic | - | The event tags | | |
| engType | string | - | The engine type | | |
| engVer | string | - | The engine version | | |
| eventId | string | - | The event ID from the logs of each product | | |
| eventName | string | - | The event type | | |
| fileHash | string | FileSHA1 | The SHA-1 of the file that triggered the rule or policy | | |
| fileHashSha256 | string | FileSHA2 | The SHA-256 of the file (fileName) | | |
| fileName | dynamic | FileName | The file name | | |
| filePath | string | FileFullPath | The file path without the file name | | |
| fileSize | string | - | The file size of the suspicious file | | |
| fileType | string | - | The file type of the suspicious file | | |
| fullPath | string | FileFullPath | The combination of the file path and the file name | | |
| malFamily | string | - | The threat family | | |
| malName | string | - | The name of the detected malware | | |
| malSubType | string | - | The subsidiary virus type | Unknown | |
| malType | string | - | The risk type for Network Content Correlation Engine rules | | |
| malTypeGroup | string | - | The risk type group for NCCE (Network Content Correlation Engine) rules. This field comes from NCCP (Network Content Correlation Pattern) rule type definitions. | | |
| objectType | string | - | The object type | | |
| pver | string | - | The product version | | |
| remarks | string | - | The additional information | | |
| reportGUID | string | - | The GUID for Workbench to request report page data | | |
| scanType | string | - | The scan type | | |

| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| clusterId | string | - | The cluster ID of the container | TestCluster-2HJdImvH6eO1fgTnCBK3xYA7Sph | Trend Vision One Container Security |
| clusterId | string | - | The cluster ID of the container | ben_eks_test-20k90A3jGa4d3YMYfrdGIgs7g9u | Trend Vision One Container Security |
| clusterName | string | - | The cluster name of the container | TestCluster | Trend Vision One Container Security |
| clusterName | string | - | The cluster name of the container | ben_eks_test | Trend Vision One Container Security |
| compressedFileName | string | FileName | The file name of the compressed file | | |
| containerId | string | - | The Kubernetes container ID | 7d1e00176d78 | Trend Vision One Container Security |
| containerId | string | - | The Kubernetes container ID | 4102001853b8 | Trend Vision One Container Security |
| containerImage | string | - | The Kubernetes container image | debian:latest | Trend Vision One Container Security |
| containerImage | string | - | The Kubernetes container image | dockerhub.io/ubuntu:latest | Trend Vision One Container Security |
| containerImageDigest | string | - | The Kubernetes container image digest | sha256:bfe6615d017d1eebe19f349669de58cda36c668ef916e618be78071513c690e5 | Trend Vision One Container Security |
| containerImageDigest | string | - | The Kubernetes container image digest | sha256:626ffe58f6e7566e00254b638eb7e0f3b11d4da9675088f4781a50ae288f3322 | Trend Vision One Container Security |
| containerName | string | - | The Kubernetes container name | k8s_democon_longrunl_default_11111111-1111-1111-1111-111111111111_0 | Trend Vision One Container Security |
| containerName | string | - | The Kubernetes container name | k8s_ubuntu_ubuntu-ds-fp2jk_default_00000000-0000-0000-0000-000000000000_2 | Trend Vision One Container Security |
| customAssetTags | dynamic | - | The list of custom asset tags | {"os":["linux", "windows"], "org":["bu1"]} | Trend Vision One Container Security |
| customAssetTags | dynamic | - | The list of custom asset tags | {"os":["linux", "windows"], "org":["bu1"]} | |
| customTags | dynamic | - | The event tags | | |
| detectionType | string | - | The detection type | | |
| dpt | int | Port | The destination port number | - | Trend Vision One Container Security |
| dpt | int | Port | The destination port | | |
| dst | string | | The destination IP address | | Trend Vision One Container Security |
| dst | dynamic | | The destination IP | 10.10.10.10 | |
| endpointGUID | string | EndpointID | The GUID of the agent that reported the detection | | |
| endpointHostName | string | - | The host name of the container or node | | Trend Vision One Container Security |
| endpointHostName | string | EndpointName | The endpoint hostname or node where the event was detected | | |
| eventId | int | - | Event type | - | Trend Vision One Container Security |
| eventId | string | - | The event ID from the logs of each product | | |
| eventSubId | int | - | The access type | | Trend Vision One Container Security |
| eventTime | real | - | The time the agent detected the event | 1657781088000 | Trend Vision One Container Security |
| fileDesc | string | - | The file description | | |
| fileHashSha256 | string | FileSHA2 | The SHA-256 of the file (fileName) | | |
| fileType | string | - | The file type of the suspicious file | | |
| fullPath | string | FileFullPath | The combination of the file path and the file name | | |
| k8sNamespace | string | - | The Kubernetes namespace of the container | default | Trend Vision One Container Security |
| k8sNamespace | string | - | The Kubernetes namespace of the container | default | Trend Vision One Container Security |
| k8sPodId | string | - | The Kubernetes pod ID of the container | 11111111-1111-1111-1111-111111111111 | Trend Vision One Container Security |
| k8sPodId | string | - | The Kubernetes pod ID of the container | | Trend Vision One Container Security |
| k8sPodName | string | - | The Kubernetes pod name of the container | longrunl | Trend Vision One Container Security |
| k8sPodName | string | - | The Kubernetes pod name of the container | ubuntu-ds-fp2jk | Trend Vision One Container Security |
| malName | string | - | The name of the detected malware | | |
| malType | string | - | The risk type for Network Content Correlation Engine rules | | |
| objectFileName | string | FileName | The object file name | | |
| objectFilePath | string | | The file path of the target process image or target file | | Trend Vision One Container Security |
| objectFilePath | string | FileFullPath | The file path of the target process image or target file | | |
| objectUser | string | UserAccount | The owner name of the target process or the login user name | | Trend Vision One Container Security |
| osName | string | - | The host operating system name | Linux | Trend Vision One Container Security |
| parentCmd | string | CLICommand | The command line entry of the parent process | | Trend Vision One Container Security |
| parentCmd | string | CLICommand | The command line of the subject parent process | | |
| parentFilePath | string | | The file path of the parent process | | Trend Vision One Container Security |
| parentLaunchTime | real | - | The time when the parent process was launched | | Trend Vision One Container Security |
| parentName | string | - | The image name of the parent process | | Trend Vision One Container Security |
| parentName | string | - | The image name of the parent process | | |
| parentPid | int | - | The PID of the parent process | | Trend Vision One Container Security |
| parentPid | int | - | The PID of the parent process | - | |
| platformAssetTags | dynamic | - | The list of platform custom asset tags | {"Asset group":["finance"], "some.ip": ["10.1.0.1"]} | Trend Vision One Container Security |
| platformAssetTags | dynamic | - | The list of platform custom asset tags | {"Asset group":["finance"], "some.ip": ["10.1.0.1"]} | |
| pname | string | - | The internal product ID | | |
| policyId | string | - | The policy ID | TestPolicy-2HJe25H4GY4upSuNNAG1pci2BIm | Trend Vision One Container Security |
| policyId | string | - | The ID of the policy under which the event was detected | | |
| policyName | string | - | The name of the triggered policy | TestPolicy | Trend Vision One Container Security |
| policyName | string | - | The name of the triggered policy | | |
| processCmd | string | CLICommand | The command line entry of the subject process | | Trend Vision One Container Security |
| processCmd | string | CLICommand | The subject process command line | | |
| processFilePath | string | ProcessFullPath | The file path of the subject process | | Trend Vision One Container Security |
| processImagePath | string | - | The process triggered by the file event | | |
| processLaunchTime | real | - | The time the subject process was launched | | Trend Vision One Container Security |
| processName | string | ProcessName | The image name of the process that triggered the event | | Trend Vision One Container Security |
| processName | string | ProcessName | The image name of the process that triggered the event | | |
| processPid | int | - | The PID of the subject process | | Trend Vision One Container Security |
| processPid | int | - | The PID of the subject process | - | |
| proto | string | - | The protocol type | | Trend Vision One Container Security |
| proto | string | - | The exploited layer network protocol | | |
| pver | string | - | The product version | | Trend Vision One Container Security |
| pver | string | - | The product version | | |
| rawDataStr | string | - | The JSON string that contains additional information | | |
| ruleIdStr | string | - | The rule ID | TM-00000036 | Trend Vision One Container Security |
| ruleIdStr | string | - | The rule ID | TM-00000043 | Trend Vision One Container Security |
| ruleName | string | - | The name of the rule that triggered the event | | |
| ruleSetId | string | - | The rule set ID | AllRules-1zSSZPsDqfqkcOt5vNsD6f383HN | Trend Vision One Container Security |
| ruleSetName | string | - | The rule set name | AllRules | |
| scanType | string | - | The scan type | | |
| severity | int | - | The severity of the event | | |
| sourceType | string | - | The source type | | |
| spt | int | Port | The source port number | | Trend Vision One Container Security |
| spt | int | Port | The source port | | |
| src | string | | The source address | | Trend Vision One Container Security |
| src | dynamic | | The source IP | 10.10.10.10 | |
| srcFilePath | string | | The source file path | | Trend Vision One Container Security |
| tags | dynamic | | The detected ID based on the alert filter | | |

| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| action | string | - | The traffic processing action | | XDR for Cloud - AWS VPC Flow Logs |
| azId | string | - | The Availability Zone ID | apse2-az3 | XDR for Cloud - AWS VPC Flow Logs |
| bytes | string | - | The number of transmitted data bytes | 15044 | XDR for Cloud - AWS VPC Flow Logs |
| dpt | int | Port | The service destination port of the private application server (dstport) | 443 | |
| dst | string | | The destination IP address (dstaddr) | 10.10.10.10 | |
| end | long | - | The time when the last data packet was received (in Unix seconds) | 1616729349 | XDR for Cloud - AWS VPC Flow Logs |
| eventId | string | - | The event ID | | |
| eventName | string | - | The name of the log event | | |
| eventTime | real | - | The time the agent or product detected the event | 1657135700000 | |
| flowDirection | string | - | The network interface traffic direction | | |
| flowType | string | - | The type of traffic (type) | | XDR for Cloud - AWS VPC Flow Logs |
| instanceId | string | - | The instance ID | i-01234567890abcdef | XDR for Cloud - AWS VPC Flow Logs |
| logStatus | string | - | The VPC Flow Log status | | XDR for Cloud - AWS VPC Flow Logs |
| packets | string | - | The number of transmitted data packets | 14 | XDR for Cloud - AWS VPC Flow Logs |
| pktDstAddr | string | | The packet level destination IP | 10.10.10.10 | XDR for Cloud - AWS VPC Flow Logs |
| pktDstCloudServiceName | string | - | The subset IP address range name for cloud service destination IP (pkt-dst-aws-service) | | XDR for Cloud - AWS VPC Flow Logs |
| pktSrcAddr | string | | The packet level source IP | 10.10.10.10 | XDR for Cloud - AWS VPC Flow Logs |
| pktSrcCloudServiceName | string | - | The subset IP address range name for cloud service source IP (pkt-src-aws-service) | | XDR for Cloud - AWS VPC Flow Logs |
| pname | string | - | The product name | | |
| spt | int | Port | The virtual port of the source assigned to the Secure Access Module (srcport) | 57763 | |
| src | string | | The source IP address (srcaddr) | 10.10.10.10 | |
| start | real | - | The time when the first data packet was received (in Unix seconds) | 1616729292 | XDR for Cloud - AWS VPC Flow Logs |
| subLocationId | string | - | The sublocation ID | | XDR for Cloud - AWS VPC Flow Logs |
| subLocationType | string | - | The sublocation type | | XDR for Cloud - AWS VPC Flow Logs |
| subnetId | string | - | The subnet ID | subnet-01234567890abcdef | XDR for Cloud - AWS VPC Flow Logs |
| tcpFlags | int | - | The bitmask value of the FIN/SYN/RST/SYN-ACK TCP flags | | XDR for Cloud - AWS VPC Flow Logs |
| trafficPath | int | - | The egress traffic path number | | XDR for Cloud - AWS VPC Flow Logs |
| vpcFlowLogsVersion | int | - | The VPC Flow Logs version (version) | | |
| vpcId | string | - | The VPC ID | vpc-01234567890abcdef | XDR for Cloud - AWS VPC Flow Logs |

| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| actionName | string | - | The user or service action | UserLoggedIn | Collaboration sensor |
| actResult | dynamic | - | The action result | Success | Collaboration sensor |
| applicationId | string | - | The application ID | 11111111-1111-1111-1111-111111111111 | Collaboration sensor |
| clientIp | string | | The client IP | 10.10.10.10 | Collaboration sensor |
| cloudStorageId | string | - | The file or folder location ID | 11111111-1111-1111-1111-111111111111 | Collaboration sensor |
| cloudStorageName | string | - | The file or folder URL | https://test.trendmicro.com/sites/123 | Collaboration sensor |
| correlationId | string | - | The correlation ID | 11111111-1111-1111-1111-111111111111 | Collaboration sensor |
| eventId | int | - | The event ID | | |
| eventName | string | - | The event type | COLLABORATION_ACTIVITY | Collaboration sensor |
| eventSubName | string | - | The event type sub-name | | Collaboration sensor |
| extraInfo | dynamic | - | The additional information about the sharing action | <ClientType>SPHomePagesWeb</ClientType> | Collaboration sensor |
| fileExt | string | - | The file extension (If the object is a folder, there is no value for this field.) | jpg | Collaboration sensor |
| fileName | string | FileName | The file or folder name | test.pdf | Collaboration sensor |
| isExternalAccess | bool | - | Whether the cmdlet was run by an external user (True=external user, False=internal user in your organization) | True | Collaboration sensor |
| isSensitiveInfo | bool | - | Whether the event contains sensitive information | True | Collaboration sensor |
| orgName | string | - | The tenant name | test.trendmicro.com | Collaboration sensor |
| originatingServer | string | - | The server where the operation originated | TY0PR03MB6449 (15.20.5746.023) | Collaboration sensor |
| parameters | string | - | The names and values of all parameters used in the cmdlet identified in the Operations property | [{"Name": "AlwaysDeleteOutlookRulesBlob","Value": "False"},{"Name" : "Force","Value": "False"}] | Collaboration sensor |
| principalName | string | UserAccount | The User Principal Name | sample_email@trendmicro.com | Collaboration sensor |
| recordType | int | - | The operation type | | Collaboration sensor |
| service | string | - | The Microsoft 365 service where the activity occurred | | Collaboration sensor |
| target | string | - | The object accessed by a user or application | | Collaboration sensor |
| targetType | string | - | The type of object that was accessed or modified | File | Collaboration sensor |
| userAgent | string | - | The user agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Collaboration sensor |
| userSessionId | string | - | The user session ID | 11111111-1111-1111-1111-111111111111 | Collaboration sensor |
| userType | string | - | The user type | | Collaboration sensor |

| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| attachment | dynamic | - | The information about the email attachment | {"attachmentFileTlsh": "", "attachmentFileName": "testfile.txt","attachmentFileHash": "","attachmentFileSize": "-1"} | |
| attachmentFileHash | string | FileSHA1 | The SHA-1 of the email attachment | | |
| attachmentFileHashes | dynamic | - | The SHA-1 of the email attachment | | |
| attachmentFileHashes | dynamic | FileSHA1 | SHA-1 hash of the email attachment | | |
| attachmentFileHashs | dynamic | - | The SHA-1 hash value of the attachment file | | |
| attachmentFileHashSha256s | dynamic | FileSHA2 | SHA-256 hash of the email attachment | | |
| attachmentFileName | dynamic | FileName | The file name of an attachment | | |
| attachmentFileName | dynamic | FileName | File name of the email attachment | | |
| attachmentFileSize | string | - | The file size of the email attachment | | |
| attachmentFileSizes | dynamic | - | The file size of email attachments | | Email Sensor |
| attachmentFileTlshes | dynamic | - | The TLSH of the email attachment | | |
| attachmentFileTlshes | dynamic | - | The TLSH hash detected by Trend Micro Anti-Spam Engine | - | |
| attachmentFileTlshs | dynamic | - | The TLSH hash value of the attachment file | | |
| attachmentMd5 | dynamic | FileMD5 | MD5 hash of the email attachment | | |
| attachmentSha1 | dynamic | FileSHA1 | SHA-1 hash of the email attachment | | |
| attachmentSha256 | dynamic | FileSHA2 | SHA-256 hash of the email attachment | | |
| attachmentSize | dynamic | - | The attachment file size | - | |
| attachmentSource | dynamic | - | The attachment source | | |
| attachmentTlsh | dynamic | - | The TLSH hash detected by Trend Micro Anti-Spam Engine | | |
| attachmentUrls | dynamic | - | The URLs and URL sources extracted from the email attachment | - | |
| correlatedIntelligence | dynamic | - | The Correlated Intelligence detection | {"risk_type": "Anomaly","matched_rules": [{"threat_type": "Possibly Unwanted Email","matched_filters": [{"id":"FIL013", "name": "Marketing Email Traits"},{"id":"FIL098", "name": "Infrequent Sender Email Domain"}],"name": "Possibly Unwanted Marketing Email","id": "AN004"}]} | |
| duser | dynamic | EmailRecipient | The email recipient | | |
| eventId | string | - | The event ID from the logs of each product | | |
| eventId | int | - | The event ID | | |
| eventName | string | - | The event type | | |
| eventTime | real | - | The time the agent detected the event | 1657135700000 | |
| groupId | string | - | The group ID for the management scope filter | 11111111-1111-1111-1111-111111111111 | |
| highlightedFileHashes | dynamic | FileSHA1 | The SHA-1 hashes of the highlighted file | | |
| highlightedFileName | dynamic | - | The file names of suspicious attachments | | |
| mailAttachmentHash | string | FileMD5 | Hash value of the email attachment | | |
| mailBccAddresses | dynamic | EmailRecipient | Mail BCC address in the email header | sample_email@trendmicro.com | |
| mailbox | string | - | The mailbox that is protected by Trend Micro | sample_email@trendmicro.com | |
| mailbox | string | - | Primary email address | sample_email@trendmicro.com | |
| mailCacheId | string | - | The internal email cache ID used to identify emails in the same group of mails | <sample_email@trendmicro.com> | |
| mailCcAddresses | dynamic | EmailRecipient | Mail CC address in the email header | | |
| mailDirection | int | - | Email traffic direction | | |
| mailDirection | int | - | Email traffic direction | | |
| mailEurekaRuleIds | dynamic | - | The list of rule IDs scanned by Eureka and detected by Trend Micro Anti-Spam Engine | | |
| mailFeatureId | dynamic | - | The email protocol detected by Trend Micro Anti-Spam Engine | - | |
| mailFolder | string | - | The email folder name | | |
| mailFromAddresses | dynamic | EmailSender | Mail From address in the email header | sample_email@trendmicro.com | |
| mailHeaderHash | string | - | The email header hash detected by Trend Micro Anti-Spam Engine | | |
| mailHelo | string | - | The HELO command detected by Trend Micro Anti-Spam Engine | HELO inpost.tmes.trendmicro.com | |
| mailMetaText | string | - | The postman meta text detected by Trend Micro Anti-Spam Engine | | |
| mailMetaTraceId | string | - | The trace ID generated by Trend Micro Feedback Engine | | |
| mailMsgDirection | int | - | The direction of the email message | 1 | |
| mailMsgId | string | EmailMessageID | Email ID | <sample-id@trendmicro.com> | |
| mailMsgSubject | string | EmailSubject | The email subject | | |
| mailMsgSubject | string | EmailSubject | Email subject | | |
| mailReplyToAddresses | dynamic | - | The Reply-To address detected by Trend Micro Anti-Spam Engine | sample_email@trendmicro.com | |
| mailReturnPath | dynamic | - | The hidden email header that indicates where bounced messages are sent | sample_email@trendmicro.com | |
| mailRuleId | dynamic | - | The rule ID of the matched rule detected by Trend Micro Anti-Spam Engine | | |
| mailScore | string | - | The score assigned to the email by Trend Micro Anti-Spam Engine | - | |
| mailSenderIp | string | - | Email sender IP address | 10.10.10.10 | |
| mailSmtpFromAddresses | dynamic | - | The sender email address | sample_email@trendmicro.com | |
| mailSmtpOriginalRecipients | dynamic | - | Original email recipients in the SMTP envelope | sample_email@trendmicro.com | |
| mailSmtpRecipients | dynamic | - | Email recipients in the SMTP envelope after scanning | sample_email@trendmicro.com | |
| mailSmtpTls | string | - | The SMTP TLS version number | | |
| mailSourceDomain | string | - | Email domain of the sender | example.com | |
| mailTagHash | string | - | The email tag hash detected by Trend Micro Anti-Spam Engine | | |
| mailTagHashRawSignature | string | - | The raw signature hash of the email | | |
| mailTextHash | string | - | The email text hash detected by Trend Micro Anti-Spam Engine | | |
| mailThreatType | string | - | The type of email detected by Trend Micro Anti-Spam Engine | | |
| mailToAddresses | dynamic | EmailRecipient | Mail To address in the email header | sample_email@trendmicro.com | |
| mailUrlHash | string | - | The email URL hash detected by Trend Micro Anti-Spam Engine | | |
| mailUrlsOriginalLink | dynamic | - | The original URL extracted from the email content | | |
| mailUrlsRealLink | dynamic | URL | URL extracted from the email content | | |
| mailUrlsVisibleLink | dynamic | URL | URL extracted from the email content | | |
| mailUserAgent | string | - | The user agent | | |
| mailWantedHeaderName | dynamic | - | The WantedHeader key name detected by Trend Micro Anti-Spam Engine | | |
| mailWantedHeaderValue | dynamic | - | The WantedHeader key value detected by Trend Micro Anti-Spam Engine | | |
| mailWholeHeader | dynamic | - | The name and email address of the sender in the From header detected by Trend Micro Anti-Spam Engine | <sample_email@trendmicro.com> | |
| mailXMailer | string | - | The X-Mailer header of the email | | |
| malName | string | - | The name of the detected malware | | |
| mExternalUid | string | - | The unique ID of the email | 11111111-1111-1111-1111-111111111111 | |
| msgId | string | EmailMessageID | The internet message ID | | |
| msgUuid | string | - | The unique email ID | | |
| msgUuid | string | - | Internal email UUID to identify each email message | 11111111-1111-1111-1111-111111111111 | |
| msgUuidChain | string | - | The internal UUID chain for each email in Trend Micro Feedback Engine | 11111111-1111-1111-1111-111111111111;00000000-0000-0000-0000-000000000000 | |
| orgId | string | - | The organization ID | | |
| orgId | string | - | The organization ID | 11111111-1111-1111-1111-111111111111 | |
| pname | string | - | The internal product ID | | |
| pname | string | - | Internal product code (deprecated) | | |
| remarks | string | - | The additional information | | |
| rt | string | - | The Unix time of the log generation | 1656324260000 | |
| ruleName | string | - | The name of the rule that triggered the event | | |
| ruleVer | string | - | The rule version | | |
+
|
+
+
|
+
| scanTs | +string | +- | +The time the email was scanned | +1657135700000 | +
+
|
+
| scanType | +string | +- | +The scan type | +
+
|
+
+
|
+
| scanType | +string | +- | +Manual or real-time scan | +
+
|
+
+
|
+
| subRuleName | +string | +- | +The subrule name | +
+
|
+
+
|
+
| suser | +dynamic | +EmailSender | +The email sender | +sample_email@trendmicro.com | +
+
|
+
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event |  |  |
| actResult | dynamic | - | The result of an action |  |  |
| attachment | dynamic | - | The information about the email attachment | {"attachmentFileTlsh": "", "attachmentFileName": "testfile.txt","attachmentFileHash": "","attachmentFileSize": "-1"} |  |
| attachmentFileHashes | dynamic | - | The SHA-1 of the email attachment |  |  |
| attachmentFileHashes | dynamic | FileSHA1 | SHA-1 hash of the email attachment |  |  |
| attachmentFileHashMd5 | string | FileMD5 | The MD5 of the attached file (attachmentFileName) |  | Trend Micro Cloud App Security |
| attachmentFileHashs | dynamic | - | The SHA-1 hash value of the attachment file |  |  |
| attachmentFileHashSha1 | string | FileSHA1 | The SHA-1 of the attached file (attachmentFileName) |  |  |
| attachmentFileHashSha256s | dynamic | FileSHA2 | SHA-256 hash of the email attachment |  |  |
| attachmentFileName | dynamic | FileName | The file name of an attachment |  |  |
| attachmentFileName | dynamic | FileName | File name of the email attachment |  |  |
| attachmentFileTlshes | dynamic | - | The TLSH of the email attachment |  |  |
| attachmentFileTlshes | dynamic | - | The TLSH hash detected by Trend Micro Anti-Spam Engine | - |  |
| attachmentFileTlshs | dynamic | - | The TLSH hash value of the attachment file |  |  |
| attachmentMd5 | dynamic | FileMD5 | MD5 hash of the email attachment |  |  |
| attachmentSha1 | dynamic | FileSHA1 | SHA-1 hash of the email attachment |  |  |
| attachmentSha256 | dynamic | FileSHA2 | SHA-256 hash of the email attachment |  |  |
| attachmentSize | dynamic | - | The attachment file size | - |  |
| attachmentSource | dynamic | - | The attachment source |  |  |
| attachmentTlsh | dynamic | - | The TLSH hash detected by Trend Micro Anti-Spam Engine |  |  |
| cloudAppName | string | - | The cloud app name |  | Trend Micro Cloud App Security |
| detectionType | string | - | The detection type |  |  |
| domainName | string | DomainName | The detected domain name |  |  |
| duser | dynamic | EmailRecipient | The email recipient |  |  |
| engVer | string | - | The engine version |  |  |
| eventId | string | - | The event ID from the logs of each product |  |  |
| eventId | int | - | The event ID |  |  |
| eventName | string | - | The event type |  |  |
| eventSubName | string | - | The event type sub-name |  |  |
| eventTime | real | - | The time the agent detected the event | 1657135700000 |  |
| filterName | string | - | The filter name |  |  |
| firstSeen | string | - | The first time the XDR log appeared | 1657195233000 |  |
| groupId | string | - | The group ID for the management scope filter | 11111111-1111-1111-1111-111111111111 |  |
| highlightedFileHashes | dynamic | FileSHA1 | The SHA-1 hashes of the highlighted file |  |  |
| highlightedFileName | dynamic | - | The file names of suspicious attachments |  |  |
| indicatorCount | int | - | The number of report indicators | 2 | Trend Micro Cloud App Security |
| lastSeen | string | - | The last time the XDR log appeared | 1657195233000 |  |
| logKey | string | - | The unique key of the event |  |  |
| mailAttachmentHash | string | FileMD5 | Hash value of the email attachment |  |  |
| mailBccAddresses | dynamic | EmailRecipient | Mail BCC address in the email header | sample_email@trendmicro.com |  |
| mailbox | string | - | The mailbox that is protected by Trend Micro | sample_email@trendmicro.com |  |
| mailbox | string | - | Primary email address | sample_email@trendmicro.com |  |
| mailCacheId | string | - | The internal email cache ID to identify emails in the same group mails | <sample_email@trendmicro.com> |  |
| mailCcAddresses | dynamic | EmailRecipient | Mail CC address in the email header |  |  |
| mailDirection | int | - | Email traffic direction |  |  |
| mailEurekaRuleIds | dynamic | - | The list of rule IDs scanned by Eureka and detected by Trend Micro Anti-Spam Engine |  |  |
| mailFeatureId | dynamic | - | The email protocol detected by Trend Micro Anti-Spam Engine | - |  |
| mailFolder | string | - | The email folder name |  | Trend Micro Cloud App Security |
| mailFolder | string | - | The email folder name |  |  |
| mailFromAddresses | dynamic | EmailSender | Mail from address in email header | sample_email@trendmicro.com |  |
| mailHeaderHash | string | - | The email header hash detected by Trend Micro Anti-Spam Engine |  |  |
| mailHelo | string | - | The HELO command detected by Trend Micro Anti-Spam Engine | HELO inpost.tmes.trendmicro.com |  |
| mailMsgDirection | int | - | The direction of the email message | 1 |  |
| mailMsgId | string | - | The internet message ID of the email | <sample_email@trendmicro.com> | Trend Micro Cloud App Security |
| mailMsgId | string | EmailMessageID | Email ID | <sample-id@trendmicro.com> |  |
| mailMsgSubject | string | EmailSubject | The email subject |  |  |
| mailMsgSubject | string | EmailSubject | Email subject |  |  |
| mailReceivedTime | string | - | The mail received timestamp | - |  |
| mailReplyToAddresses | dynamic | - | The Reply To address detected by Trend Micro Anti-Spam Engine | sample_email@trendmicro.com |  |
| mailReturnPath | dynamic | - | The hidden email header that indicates where bounced messages are sent | sample_email@trendmicro.com |  |
| mailRuleId | dynamic | - | The rule ID of the matched rule detected by Trend Micro Anti-Spam Engine |  |  |
| mailScore | string | - | The score assigned to the email by Trend Micro Anti-Spam Engine | - |  |
| mailSenderIp | string | - | Email sender IP address | 10.10.10.10 |  |
| mailSourceDomain | string | - | Email domain of the sender | example.com |  |
| mailTagHash | string | - | The email tag hash detected by Trend Micro Anti-Spam Engine |  |  |
| mailTagHashRawSignature | string | - | The raw signature hash of the email |  |  |
| mailTextHash | string | - | The email text hash detected by Trend Micro Anti-Spam Engine |  |  |
| mailThreatType | string | - | The type of email detected by Trend Micro Anti-Spam Engine |  |  |
| mailToAddresses | dynamic | EmailRecipient | Mail To address in the email header | sample_email@trendmicro.com |  |
| mailUniqueId | string | - | The unique ID of the email |  | Trend Micro Cloud App Security |
| mailUrlHash | string | - | The email URL hash detected by Trend Micro Anti-Spam Engine |  |  |
| mailUrlsOriginalLink | dynamic | - | The original URL extracted from the email content |  |  |
| mailUrlsRealLink | dynamic | URL | URL extracted from the email content |  |  |
| mailUrlsVisibleLink | dynamic | URL | URL extracted from the email content |  |  |
| mailUserAgent | string | - | The user agent |  |  |
| mailWantedHeaderName | dynamic | - | The WantedHeader key name detected by Trend Micro Anti-Spam Engine |  |  |
| mailWantedHeaderValue | dynamic | - | The WantedHeader key value detected by Trend Micro Anti-Spam Engine |  |  |
| mailWholeHeader | dynamic | - | The name and email address of the sender in the From header detected by Trend Micro Anti-Spam Engine | <sample_email@trendmicro.com> |  |
| mailXMailer | string | - | The X-Mailer header of the email |  |  |
| mExternalUid | string | - | The unique ID of the email | 11111111-1111-1111-1111-111111111111 |  |
| msgId | string | EmailMessageID | The internet message ID |  |  |
| msgTOCUuid | string | - | The email unique ID |  |  |
| msgUuid | string | - | The unique email ID |  |  |
| msgUuid | string | - | Internal email UUID to identify each email message | 11111111-1111-1111-1111-111111111111 |  |
| objectSubType | string | - | The sub-types of the policy event (displayed when a policy event has sub-types) |  |  |
| objectType | string | - | The object type |  |  |
| orgId | string | - | The organization ID |  |  |
| orgId | string | - | The organization ID | 11111111-1111-1111-1111-111111111111 |  |
| patVer | string | - | The version of the behavior pattern |  |  |
| pname | string | - | The internal product ID |  |  |
| pname | string | - | Internal product code (deprecated) |  |  |
| policyName | string | - | The name of the triggered policy |  |  |
| policyTemplate | dynamic | - | The one-to-many data structure |  |  |
| principalName | string | - | The user principal name used to sign in to the proxy | sample_email@trendmicro.com |  |
| remarks | string | - | The additional information |  |  |
| reportGUID | string | - | The GUID for Workbench to request report page data |  |  |
| request | string | URL | The notable URLs |  |  |
| respCode | string | - | The network protocol response code |  |  |
| rewrittenUrl | string | - | The rewritten URL | https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fexample.io%2 |  |
| riskConfidenceLevel | string | - | The risk confidence level |  |  |
| riskLevel | string | - | The risk level |  |  |
| rt | string | - | The Unix time of the log generation | 1656324260000 |  |
| ruleName | string | - | The name of the rule that triggered the event |  |  |
| ruleType | string | - | The access rule type |  |  |
| ruleUuid | string | - | The signature UUID from the DV (Digital Vaccine) |  |  |
| ruleVer | string | - | The rule version |  |  |
| scanTs | string | - | The mail scan time | - |  |
| scanTs | string | - | The time the email was scanned | 1657135700000 |  |
| scanType | string | - | The scan type |  |  |
| scanType | string | - | Manual or real-time scan |  |  |
| schemaVersion | string | - | The schema version | 1.0 | Trend Micro Cloud App Security |
| score | int | - | The Web Reputation Services URL rating |  |  |
| signInCountries | dynamic | - | The countries from which a user signed in |  |  |
| subRuleName | string | - | The subrule name |  |  |
| suid | string | UserAccount | User name or mailbox |  |  |
| suser | dynamic | EmailSender | The email sender | sample_email@trendmicro.com |  |
| threatName | string | - | The threat name |  |  |
| urlCat | dynamic | - | The requested URL category |  |  |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event |  |  |
| attachmentFileHashes | dynamic | - | The SHA-1 of the email attachment |  |  |
| attachmentFileHashes | dynamic | FileSHA1 | SHA-1 hash of the email attachment |  |  |
| attachmentFileHashs | dynamic | - | The SHA-1 hash value of the attachment file |  |  |
| attachmentFileHashSha1 | string | FileSHA1 | The SHA-1 of the attached file (attachmentFileName) |  |  |
| attachmentFileHashSha256 | string | FileSHA2 | The SHA-256 of the attached file (attachmentFileName) |  |  |
| attachmentFileHashSha256s | dynamic | FileSHA2 | SHA-256 hash of the email attachment |  |  |
| attachmentFileName | dynamic | FileName | The file name of an attachment |  |  |
| attachmentFileName | dynamic | FileName | File name of the email attachment |  |  |
| attachmentFileTlshes | dynamic | - | The TLSH of the email attachment |  |  |
| attachmentFileTlshes | dynamic | - | The TLSH hash detected by Trend Micro Anti-Spam Engine | - |  |
| attachmentFileTlshs | dynamic | - | The TLSH hash value of the attachment file |  |  |
| attachmentMd5 | dynamic | FileMD5 | MD5 hash of the email attachment |  |  |
| attachmentSha1 | dynamic | FileSHA1 | SHA-1 hash of the email attachment |  |  |
| attachmentSha256 | dynamic | FileSHA2 | SHA-256 hash of the email attachment |  |  |
| attachmentSize | dynamic | - | The attachment file size | - |  |
| attachmentSource | dynamic | - | The attachment source |  |  |
| attachmentTlsh | dynamic | - | The TLSH hash detected by Trend Micro Anti-Spam Engine |  |  |
| attachmentUrls | dynamic | - | The URLs and URL sources extracted from the email attachment | - |  |
| correlatedIntelligence | dynamic | - | The Correlated Intelligence detection | {"risk_type": "Anomaly","matched_rules": [{"threat_type": "Possibly Unwanted Email","matched_filters": [{"id":"FIL013", "name": "Marketing Email Traits"},{"id":"FIL098", "name": "Infrequent Sender Email Domain"}],"name": "Possibly Unwanted Marketing Email","id": "AN004"}]} |  |
| detectionDetail | string | - | The details about each event type |  | Trend Micro Email Security |
| detectionType | string | - | The detection type |  |  |
| duser | dynamic | EmailRecipient | The email recipient |  |  |
| eventId | string | - | The event ID from the logs of each product |  |  |
| eventId | int | - | The event ID |  |  |
| eventName | string | - | The event type |  |  |
| eventSubName | string | - | The event type sub-name |  |  |
| eventTime | real | - | The time the agent detected the event | 1657135700000 |  |
| filterName | string | - | The filter name |  |  |
| groupId | string | - | The group ID for the management scope filter | 11111111-1111-1111-1111-111111111111 |  |
| highlightedFileHashes | dynamic | FileSHA1 | The SHA-1 hashes of the highlighted file |  |  |
| highlightMailMsgSubject | string | - | The email subject |  | Trend Micro Email Security |
| logKey | string | - | The unique key of the event |  |  |
| mailAttachmentHash | string | FileMD5 | Hash value of the email attachment |  |  |
| mailBccAddresses | dynamic | EmailRecipient | Mail BCC address in the email header | sample_email@trendmicro.com |  |
| mailbox | string | - | The mailbox that is protected by Trend Micro | sample_email@trendmicro.com |  |
| mailCcAddresses | dynamic | EmailRecipient | Mail CC address in the email header |  |  |
| mailDirection | int | - | Email traffic direction |  |  |
| mailEurekaRuleIds | dynamic | - | The list of rule IDs scanned by Eureka and detected by Trend Micro Anti-Spam Engine |  |  |
| mailFeatureId | dynamic | - | The email protocol detected by Trend Micro Anti-Spam Engine | - |  |
| mailFromAddresses | dynamic | EmailSender | Mail from address in email header | sample_email@trendmicro.com |  |
| mailHeaderHash | string | - | The email header hash detected by Trend Micro Anti-Spam Engine |  |  |
| mailHelo | string | - | The HELO command detected by Trend Micro Anti-Spam Engine | HELO inpost.tmes.trendmicro.com |  |
| mailMetaText | string | - | The postman meta text detected by Trend Micro Anti-Spam Engine |  |  |
| mailMetaTraceId | string | - | The trace ID generated by Trend Micro Feedback Engine |  |  |
| mailMsgDirection | int | - | The direction of the email message | 1 |  |
| mailMsgId | string | EmailMessageID | Email ID | <sample-id@trendmicro.com> |  |
| mailMsgSubject | string | EmailSubject | The email subject |  |  |
| mailMsgSubject | string | EmailSubject | Email subject |  |  |
| mailReceivedTime | string | - | The mail received timestamp | - |  |
| mailReplyToAddresses | dynamic | - | The Reply To address detected by Trend Micro Anti-Spam Engine | sample_email@trendmicro.com |  |
| mailRuleId | dynamic | - | The rule ID of the matched rule detected by Trend Micro Anti-Spam Engine |  |  |
| mailScore | string | - | The score assigned to the email by Trend Micro Anti-Spam Engine | - |  |
| mailSenderIp | string | - | Email sender IP address | 10.10.10.10 |  |
| mailSmtpFromAddresses | dynamic | - | The envelope address of the sender | sample_email@trendmicro.com | Trend Micro Email Security |
| mailSmtpFromAddresses | dynamic | - | The sender email address | sample_email@trendmicro.com |  |
| mailSmtpHelo | string | - | The domain name of the email server by using the SMTP HELO command | example.com | Trend Micro Email Security |
| mailSmtpOriginalRecipients | dynamic | - | The envelope addresses of the original recipients | sample_email@trendmicro.com | Trend Micro Email Security |
| mailSmtpOriginalRecipients | dynamic | - | Original email recipients in the SMTP envelope | sample_email@trendmicro.com |  |
| mailSmtpRecipients | dynamic | - | The envelope addresses of the current recipients | sample_email@trendmicro.com | Trend Micro Email Security |
| mailSmtpRecipients | dynamic | - | Email recipients in the SMTP envelope after scanning | sample_email@trendmicro.com |  |
| mailSmtpTls | string | - | The SMTP TLS version, for example, TLS 1.2 |  | Trend Micro Email Security |
| mailSmtpTls | string | - | The SMTP TLS version number |  |  |
| mailTagHash | string | - | The email tag hash detected by Trend Micro Anti-Spam Engine |  |  |
| mailTagHashRawSignature | string | - | The raw signature hash of the email |  |  |
| mailTextHash | string | - | The email text hash detected by Trend Micro Anti-Spam Engine |  |  |
| mailThreatType | string | - | The type of email detected by Trend Micro Anti-Spam Engine |  |  |
| mailToAddresses | dynamic | EmailRecipient | Mail To address in the email header | sample_email@trendmicro.com |  |
| mailUrlHash | string | - | The email URL hash detected by Trend Micro Anti-Spam Engine |  |  |
| mailUrlsOriginalLink | dynamic | - | The original URL extracted from the email content |  |  |
| mailUrlsRealLink | dynamic | URL | URL extracted from the email content |  |  |
| mailUrlsVisibleLink | dynamic | URL | URL extracted from the email content |  |  |
| mailUserAgent | string | - | The user agent |  |  |
| mailWantedHeaderName | dynamic | - | The WantedHeader key name detected by Trend Micro Anti-Spam Engine |  |  |
| mailWantedHeaderValue | dynamic | - | The WantedHeader key value detected by Trend Micro Anti-Spam Engine |  |  |
| mailWholeHeader | dynamic | - | The name and email address of the sender in the From header detected by Trend Micro Anti-Spam Engine | <sample_email@trendmicro.com> |  |
| mailXMailer | string | - | The X-Mailer header of the email |  |  |
| msgId | string | EmailMessageID | The internet message ID |  |  |
| msgTOCUuid | string | - | The email unique ID |  |  |
| msgUuid | string | - | The unique email ID |  |  |
| msgUuid | string | - | Internal email UUID to identify each email message | 11111111-1111-1111-1111-111111111111 |  |
| msgUuidChain | string | - | The message UUID chain |  | Trend Micro Email Security |
| msgUuidChain | string | - | The internal UUID chain for each email in Trend Micro Feedback Engine | 11111111-1111-1111-1111-111111111111;00000000-0000-0000-0000-000000000000 |  |
| objectSubType | string | - | The sub-types of the policy event (displayed when a policy event has sub-types) |  |  |
| objectType | string | - | The object type |  |  |
| pname | string | - | The internal product ID |  |  |
| pname | string | - | Internal product code (deprecated) |  |  |
| policyName | string | - | The name of the triggered policy |  |  |
| remarks | string | - | The additional information |  |  |
| request | string | URL | The notable URLs |  |  |
| respCode | string | - | The network protocol response code |  |  |
| rewrittenUrl | string | - | The rewritten URL | https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fexample.io%2 |  |
| rt | string | - | The Unix time of the log generation | 1656324260000 |  |
| ruleName | string | - | The name of the rule that triggered the event |  |  |
| ruleVer | string | - | The rule version |  |  |
| scanTs | string | - | The mail scan time | - |  |
| scanTs | string | - | The time the email was scanned | 1657135700000 |  |
| scanType | string | - | The scan type |  |  |
| scanType | string | - | Manual or real-time scan |  |  |
| senderIp | dynamic | - | The sender IP | 10.10.10.10 |  |
| subRuleName | string | - | The subrule name |  |  |
| suser | dynamic | EmailSender | The email sender | sample_email@trendmicro.com |  |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| aggregatedCount | string | - | The number of aggregated events |  |  |
| aggregateFunction | int | - | The metric aggregator |  | Data Detection and Response |
| aggregateUnit | string | - | The metric unit | file | Data Detection and Response |
| detectionFileList | dynamic | - | The information about the related files | {"fileName": "sample.txt", "edgeId": "00000000-0000-0000-0000-000000000000"} | Data Detection and Response |
| dpt | int | Port | The destination port number | - |  |
| dst | string |  | The destination IP address |  |  |
| duration | string | - | The detection interval (in milliseconds) | 300000 | Data Detection and Response |
| endpointGUID | string | EndpointID | The GUID of the agent which reported the detection |  |  |
| endpointHostName | string | EndpointName | The endpoint hostname or node where the event was detected |  |  |
| endpointIp | dynamic |  | The IP address of the endpoint on which the event was detected | 10.10.10.10 |  |
| eventId | string | - | The event ID from the logs of each product |  |  |
| eventName | string | - | The event type |  |  |
| fileHash | string | FileSHA1 | The SHA-1 of the file that triggered the rule or policy |  |  |
| firstSeen | string | - | The first time the XDR log appeared | 1657195233000 |  |
| lastSeen | string | - | The last time the XDR log appeared | 1657195233000 |  |
| lineageId | string | - | The lineage ID |  | Data Detection and Response |
| logonUsers | dynamic | - | The logonUsers value of the original telemetry events that matched the Security Analytics Engine filter | BHBShortJ |  |
| matchedPolicies | dynamic | - | The matched policies of detection records | ['00000000-0000-0000-0000-000000000000'] | Data Detection and Response |
| metaSrcExtra | string | - | The meta for identifying the source of events | [{'metaSrcUri': ...] | Data Detection and Response |
| objectFileHash | string | - | The cryptographic hash of the target process image or file, with the specific hash algorithm to be determined | 1ca71017d2fa4775253670e1e55e26912bfdc156 | Data Detection and Response |
| objectFileSize | string | - | The file size of the object file |  |  |
| objectServiceType | string | - | Type of target file |  | Data Detection and Response |
| objectUri | string | - | Path of target file | C://path/of/file.txt | Data Detection and Response |
| objectUser | string | UserAccount | The owner name of the target process or the login user name |  |  |
| osName | string | - | The host OS name |  |  |
| osVer | string | - | The OS version | 11 |  |
| policyIds | string | - | The IDs of the DDR data policy | 11111111-1111-1111-1111-111111111111 | Data Detection and Response |
| ruleIdStr | string | - | The rule ID | 0000000-0000-0000-0000-000000000000 | Data Detection and Response |
| ruleName | string | - | The name of the rule that triggered the event |  |  |
| spt | int | Port | The source port number |  |  |
| src | string |  | The source address |  |  |
| srcFileHash | string | - | The cryptographic hash of the source process image or file, with the specific hash algorithm to be determined | 1ca71017d2fa4775253670e1e55e26912bfdc156 | Data Detection and Response |
| srcFileSize | string | - | The file size of the source file |  |  |
| srcServiceType | string | - | Type of source file |  | Data Detection and Response |
| srcUri | string | - | Path of source file | C://path/of/file.txt | Data Detection and Response |
| srcUser | string | - | The owner name of the source process or the login user name |  | Data Detection and Response |
| uuids | dynamic | - | The UUIDs of detection records | ['00000000-0000-0000-0000-000000000000'] | Data Detection and Response |
| Field Name | +Type | +General Field | +Description | +Example | +Products | +
|---|---|---|---|---|---|
| act | +dynamic | +- | +The actions taken to mitigate the event | +
+
|
+
+
|
+
| additionalInfo | +string | +- | +The filter rule info | +Default | +
+
|
+
| app | +string | +- | +The layer-7 network protocol being exploited protocol | +SMB | +Endpoint Sensor | +
| authId | +string | +- | +The authorization ID | +
+
|
+
+
|
+
| azId | +string | +- | +The Avaliability Zone ID of the virtual machine that made the request | +
+
|
+ Endpoint Sensor | +
| behaviorCat | +string | +- | +The matched policy category | +
+
|
+
+
|
+
| channel | +string | +- | +The Windows event channel | +
+
|
+
+
|
+
| cloudIdentityAccountId | +string | +- | +The Cloud Identity account ID used for authorization | +111111111111 | +Endpoint Sensor | +
| cloudIdentityId | +string | +- | +The Cloud Identity ID used for authorization | +arn:aws:sts::111111111111:assumed-role/eksctl-aws-test-nodegroup-ng-21d38-NodeInstanceRole-3wPxVEo4zHlK/i-01234567890abcdef | +Endpoint Sensor | +
| cloudIdentityName | +string | +- | +The Cloud Identity name used for authorization | +AWSsampleToken | +Endpoint Sensor | +
| cloudProvider | +string | +- | +The service provider of the cloud asset | +
+
|
+
+
|
+
| cloudServiceApiName | +string | +- | +The cloud service API | +
+
|
+ Endpoint Sensor | +
| cloudServiceName | +string | +- | +The cloud service | +
+
|
+ Endpoint Sensor | +
| codeIntegrityOptionEnabled | bool | - | Whether the system enforces signed kernel-module loading under DSE (Driver Signature Enforcement) | | Endpoint Sensor |
| codeIntegrityOptionTestsign | bool | - | Whether test-signing mode is enabled, so DSE checks are bypassed and test-signed drivers are permitted to load | | Endpoint Sensor |
| correlationData | dynamic | - | The data used for correlation | | |
| customAssetTags | dynamic | - | The list of custom asset tags | {"os":["linux", "windows"], "org":["bu1"]} | |
| detectedBackupFolder | string | - | The folder path of a detected backup folder | C:\\Program Files (x86)\\Trend Micro\\artifact\\DCE | |
| detectionAggregationId | string | - | The correlation key for detection logs and artifacts | | Endpoint Sensor |
| detectionAggressivenessLevel | int | - | The detection aggressiveness level | | |
| deviceGUID | string | - | The GUID of the agent that reported the detection | | |
| deviceType | int | - | The disk drive type | | Endpoint Sensor |
| dpt | int | Port | The destination port number | | |
| dst | dynamic | - | The destination IP address | 10.10.10.10 | |
| dst | string | - | The destination IP address | | |
| endpointGUID | string | EndpointID | The GUID of the agent that reported the detection | | |
| endpointGuid | string | EndpointID | The host GUID of the endpoint on which the event was detected | 11111111-1111-1111-1111-111111111111 | |
| endpointHostName | string | EndpointName | The host name of the endpoint or node on which the event was detected | | |
| endpointIp | dynamic | - | The IP address of the endpoint on which the event was detected | | |
| endpointMacAddress | dynamic | - | The host MAC address | | |
| engineOperation | string | - | The operation of the engine event | | |
| engVer | string | - | The engine version | | |
| eventDataAccessList | string | - | The list of requested access rights | | |
| eventDataAccessMask | string | - | The hexadecimal access mask of the permissions requested or used during an access attempt | | |
| eventDataActionName | string | - | The action performed | | |
| eventDataAuthenticationPackageName | string | - | The authentication package name from the Windows event data | | |
| eventDataConsumer | string | - | The recipient of the reported event | | Endpoint Sensor |
| eventDataElevatedToken | string | - | Whether the session is elevated and has administrator privileges | | |
| eventDataFullyQualifiedAssemblyName | string | - | The fully qualified .NET assembly name | | |
| eventDataImpersonationLevel | string | - | The sign-in session impersonation level | | |
| eventDataIpAddress | string | - | The IP address from Windows event 4624 ("An account was successfully logged on") | | |
| eventDataLogonProcessName | string | - | The logon process name from the Windows event | | |
| eventDataLogonType | string | - | The logon type from Windows event 4624 ("An account was successfully logged on") | | |
| eventDataModuleILPath | string | - | The CIL image path of the module, or the dynamic module name | | |
| eventDataObjectName | string | - | The identifying information of the object for which access was requested | | |
| eventDataObjectType | string | - | The object type | | |
| eventDataOperation | string | - | The operation from Windows event 11 | | |
| eventDataPath | string | - | The path from the Windows event data | | |
| eventDataProviderName | string | - | The name of the Windows event data provider | | Endpoint Sensor |
| eventDataProviderPath | string | - | The file path of the Windows event data provider | | Endpoint Sensor |
| eventDataServiceFileName | string | - | The full file path of the service executable | | Endpoint Sensor |
| eventDataServiceName | string | - | The service name | | Endpoint Sensor |
| eventDataStatus | string | - | The status from the Windows event data | | |
| eventDataSubjectUserName | string | - | The account name | | |
| eventDataSubStatus | string | - | The sub-status from the Windows event data | | |
| eventDataTargetDomainName | string | - | The domain or computer name of the target sign-in account | | |
| eventDataTargetName | string | - | The service, application, or network resource name | | |
| eventDataTaskName | string | - | The task name logged by the Windows event | | |
| eventDataTicketEncryptionType | string | - | The cryptographic suite used for the Kerberos TGS | | |
| eventDataTicketOptions | string | - | The Kerberos ticket options flags from the authentication request (requested ticket behavior and permissions) | | |
| eventDataUserContext | string | - | The user context from the Windows event data | | |
| eventDataWorkstationName | string | - | The name of the computer used in the sign-in attempt | | |
| eventHashId | string | - | The event hash ID | | |
| eventId | string | - | The event ID from the logs of each product | | |
| eventId | int | - | The event type | | |
| eventMessage | string | - | The event message | [0x13bb4e2a0] activating connection: mach=true listener=false peer=false name=com.apple.airportd | |
| eventName | string | - | The event type | | |
| eventSubId | int | - | The access type | | |
| eventSubName | string | - | The event type sub-name | | |
| eventTime | real | - | The time the agent detected the event (Unix epoch, milliseconds) | 1657781088000 | |
| firstSeen | real | - | The first time the event was seen (Unix epoch, milliseconds) | 1656355418449 | |
| hostName | string | - | The domain name | | |
| httpReferer | string | URL | The HTTP Referer header | | |
| importTable | dynamic | - | The import table information | | Endpoint Sensor |
| importTableFileName | dynamic | - | The name of the library file from which functions are imported | | Endpoint Sensor |
| importTableFunctionName | dynamic | - | The name of the imported function | | Endpoint Sensor |
| instanceAccountId | string | - | The cloud account ID of the virtual machine that made the request | 111111111111 | Endpoint Sensor |
| instanceId | string | - | The ID of the instance, identifying the meta-cloud or data center VM | | |
| instanceId | string | - | The virtual machine instance ID on the cloud platform | i-01234567890abcdef | |
| instanceName | string | - | The virtual machine that made the request | ec2-123-124-0-12.us-west-2.compute.amazonaws.com | Endpoint Sensor |
| integrityLevel | int | - | The integrity level of the process | 16384 | Endpoint Sensor |
| integrityLevel | int | - | The integrity level of the process | | |
| lastSeen | real | - | The last time the event was seen (Unix epoch, milliseconds) | 1656355418449 | |
| logKey | string | - | The unique key of the event | | |
| logonUser | dynamic | UserAccount | The logon user name | | |
| messageType | string | - | The message type | Default | |
| mpname | string | - | The management product name | | |
| mpver | string | - | The management product version | | |
| nativeDeviceCharacteristics | int | - | Additional driver device information | | Endpoint Sensor |
| nativeDeviceType | int | - | The underlying hardware type of the driver | | Endpoint Sensor |
| nativeStorageDeviceBusType | int | - | The bus type to which the device is connected | | Endpoint Sensor |
| networkInterfaceId | string | - | The network interface of the virtual machine that made the request | eni-01234567890abcdef | Endpoint Sensor |
| objectActions | dynamic | - | The object process actions | | Endpoint Sensor |
| objectApiHookNum | int | - | The API hook number of the object | 1 | Endpoint Sensor |
| objectApiName | string | - | The name of the executed API | GetIpNetTable | Endpoint Sensor |
| objectApiRvInNum | string | - | The return value of the API telemetry call | 0 | Endpoint Sensor |
| objectAppName | string | - | The name of the application involved in the AMSI event | | |
| objectArtifactIds | dynamic | - | The artifact IDs generated by objectAction | | |
| objectAuthId | string | - | The object authorization ID | | |
| objectBmData | string | - | The data of the BM (Behavior Monitoring) event | | |
| objectCmd | dynamic | CLICommand | The command line of the object process | | |
| objectCmd | string | CLICommand | The command line entry of the target process | | |
| objectContentName | string | - | The AMSI object content name | | |
| objectCreateDispositions | int | - | The CreateFile disposition | | Endpoint Sensor |
| objectCurrentFileSize | long | - | The size of the object file before modification | | |
| objectDesiredAccess | int | - | The desired access of the event | | Endpoint Sensor |
| objectFileAttributes | int | - | The new file attributes | | Endpoint Sensor |
| objectFileAttributesHashId | string | - | The hash ID of the file attribute metadata | | Endpoint Sensor |
| objectFileCreation | string | - | The time the object file was created | | |
| objectFileCurrentAttributes | int | - | The original file attributes | | Endpoint Sensor |
| objectFileCurrentOwnerName | string | - | The current owner name of the object file | | |
| objectFileCurrentOwnerSid | string | - | The SID of the current owner of the object file | | |
| objectFileDaclString | string | - | The discretionary access control list (DACL) of the object file | | |
| objectFileExtendedAttribute | string | - | The extended attributes of the object file | | |
| objectFileGroupName | string | - | The group name of the object file | | |
| objectFileGroupSid | string | - | The SID of the object file group | | |
| objectFileHashId | string | - | The object file hash ID | | |
| objectFileHashMd5 | string | FileMD5 | The MD5 hash of the object (objectFilePath) | | |
| objectFileHashMd5 | string | FileMD5 | The MD5 hash of the target process image or target file | | |
| objectFileHashSha1 | string | FileSHA1 | The SHA-1 hash of the object (objectFilePath) | | |
| objectFileHashSha1 | string | FileSHA1 | The SHA-1 hash of the target process image or target file | | |
| objectFileHashSha256 | string | FileSHA2 | The SHA-256 hash of the object (objectFilePath) | | |
| objectFileHashSha256 | string | FileSHA2 | The SHA-256 hash of the target process image or target file | | |
| objectFileIsRemoteAccess | bool | - | Whether the object file was accessed remotely | | |
| objectFileModifiedTime | string | - | The time the object file was modified | | |
| objectFileOriginalName | string | FileName | The original file name of the object image | | |
| objectFileOwnerName | string | - | The owner name of the object file | | |
| objectFileOwnerSid | string | - | The SID of the object file owner | | |
| objectFilePath | string | FileFullPath | The file path of the target process image or target file | | |
| objectFileRemoteAccess | bool | - | Whether the object file is accessed remotely | | |
| objectFileSaclString | string | - | The system access control list (SACL) of the object file | | |
| objectFileSize | string | - | The size of the object file | | |
| objectFirstSeen | string | - | The first time the object was seen | | |
| objectHashId | long | - | The object hash ID | | |
| objectHostName | string | DomainName | The server name where the Internet event was detected | | |
| objectIntegrityLevel | int | - | The integrity level of the target process | | |
| objectIp | string | - | The IP address of the Internet event | 10.10.10.10 | |
| objectIps | dynamic | - | The list of IP addresses of the Internet event | | |
| objectLastSeen | string | - | The last time the object was seen | | |
| objectLaunchTime | string | - | The object launch time from the Windows event | | |
| objectLoginOutFailureMessage | string | - | The sign-in/sign-out error message | Login incorrect | |
| objectLoginOutFirstSeen | long | - | The first time the object sign-in/sign-out was seen (Unix epoch, seconds) | 1713903612 | |
| objectLoginOutHashId | long | - | The FNV hash of the object sign-in/sign-out metadata | -8981232070268295229 | |
| objectLoginOutLastSeen | long | - | The last time the object sign-in/sign-out was seen (Unix epoch, seconds) | 1713903612 | |
| objectLoginOutMetaType | int | - | The sign-in/sign-out metadata type | 1 - LOGIN_OUT_META_TYPE_OPENSSH | |
| objectLoginOutSessionId | long | - | The sign-in/sign-out session ID | 260 | |
| objectLoginOutSourceAddress | string | - | The sign-in/sign-out source IP address | 10.10.10.10 | |
| objectLoginOutStatus | int | - | The sign-in/sign-out status | -1 | |
| objectName | string | - | The base name of the object file or process | net.exe | |
| objectName | string | - | The object name | | |
| objectPid | int | - | The PID of the object (target) process | | |
| objectPipeName | string | - | The named pipe of the event | \\.\pipe\F451F406BD | Endpoint Sensor |
| objectPort | int | Port | The port number used by the Internet event | | |
| objectProcessHashId | long | - | The FNV hash of the target process | | |
| objectRawDataSize | dynamic | - | The raw data size of the Windows event object | | |
| objectRawDataStr | dynamic | - | The data contents of the AMSI event | | |
| objectRegistryData | string | RegistryValueData | The registry value data | C:\Program Files\AlertMedia\AlertMedia Desktop Notifications\AlertMedia.exe | |
| objectRegistryKeyHandle | string | RegistryKey | The registry key path | | |
| objectRegistryRoot | string | - | The name of the object registry root key | | |
| objectRegistryRoot | int | - | The Windows Registry root key ID | | |
| objectRegistryValue | string | RegistryValue | The registry value name | | |
| objectRegType | int | - | The registry value type | | Endpoint Sensor |
| objectRegType | int | - | The Windows Registry value type ID | | |
| objectRunAsLocalAccount | bool | - | Whether the "runas" command uses a local account | | |
| objectSessionId | string | - | The object session ID | | |
| objectSigner | dynamic | - | The list of signers of the object process | | |
| objectSigner | dynamic | - | The certificate signer of the object process or file | | |
| objectSignerFlagsAdhoc | dynamic | - | The list of ad-hoc signature flags of the object process or file | | |
| objectSignerFlagsLibValid | dynamic | - | The list of library-validation signature flags of the object process or file | | |
| objectSignerFlagsRuntime | dynamic | - | The list of runtime signature flags of the object process or file | | |
| objectSignerValid | dynamic | - | Whether each signer of the object process is valid | | Endpoint Sensor |
| objectSignerValid | dynamic | - | The validity of the certificate signer | | |
| objectSubTrueType | int | - | The true sub-type of the file object | | |
| objectTrueType | int | - | The true major type of the file object | | |
| objectType | string | - | The object type | | |
| objectUser | string | UserAccount | The owner name of the target process, or the login user name | | |
| objectUserDomain | string | - | The object user domain | | |
| objectUserGroup | string | - | The user group name | | |
| objectUserGroupSids | dynamic | - | The user group SIDs of the object | | Endpoint Sensor |
| osDescription | string | - | The OS version description | | |
| osName | string | - | The host operating system name | | |
| osType | string | - | The host operating system type | | |
| osVer | string | - | The host operating system version | | |
| parentAuthId | string | - | The parent authorization ID | | |
| parentCmd | string | CLICommand | The command line of the parent process of the subject process | | |
| parentFileCreation | string | - | The time the parent file was created | | |
| parentFileCurrentOwnerName | string | - | The current owner name of the parent file | | |
| parentFileCurrentOwnerSid | string | - | The SID of the current owner of the parent file | | |
| parentFileDaclString | string | - | The discretionary access control list (DACL) of the parent file | | |
| parentFileGroupName | string | - | The group name of the parent file | | |
| parentFileGroupSid | string | - | The SID of the parent process file group | | |
| parentFileHashId | long | - | The parent file hash ID | | |
| parentFileHashMd5 | string | FileMD5 | The MD5 hash of the parent process image | | Endpoint Sensor |
| parentFileHashMd5 | string | FileMD5 | The MD5 hash of the parent process | | |
| parentFileHashSha1 | string | FileSHA1 | The SHA-1 hash of the parent process image | | Endpoint Sensor |
| parentFileHashSha1 | string | FileSHA1 | The SHA-1 hash of the parent process | | |
| parentFileHashSha256 | string | FileSHA2 | The SHA-256 hash of the parent process | | |
| parentFileModifiedTime | string | - | The time the parent file was modified | | |
| parentFileOriginalName | string | FileName | The original file name of the parent image | | |
| parentFileOwnerName | string | - | The owner name of the parent file | | |
| parentFileOwnerSid | string | - | The SID of the parent file owner | | |
| parentFilePath | string | FileFullPath | The full file path of the parent process | | Endpoint Sensor |
| parentFilePath | string | - | The file path of the parent process | | |
| parentFileRemoteAccess | bool | - | Whether the parent file is accessed remotely | | |
| parentFileSaclString | string | - | The system access control list (SACL) of the parent file | | |
| parentFileSize | string | - | The size of the parent file | | |
| parentHashId | string | - | The FNV hash of the parent process | | Endpoint Sensor |
| parentHashId | long | - | The parent hash ID | | |
| parentIntegrityLevel | int | - | The integrity level of the parent process | 16384 | Endpoint Sensor |
| parentIntegrityLevel | int | - | The integrity level of the parent process | | |
| parentLaunchTime | real | - | The time the parent process was launched | | |
| parentName | string | - | The image name of the parent process | | |
| parentPayloadSigner | dynamic | - | The list of signer names of the parent process payload | | Endpoint Sensor |
| parentPayloadSignerFlagsAdhoc | dynamic | - | The list of ad-hoc signature flags of the parent process payload | | Endpoint Sensor |
| parentPayloadSignerFlagsLibValid | dynamic | - | The list of library-validation signature flags of the parent process payload | | Endpoint Sensor |
| parentPayloadSignerFlagsRuntime | dynamic | - | The list of runtime signature flags of the parent process payload | | Endpoint Sensor |
| parentPayloadSignerValid | dynamic | - | Whether each signer of the parent process payload is valid | | Endpoint Sensor |
| parentPid | int | - | The PID of the parent process | | |
| parentSessionId | int | - | The parent session ID | | |
| parentSigner | dynamic | - | The signers of the parent process | | Endpoint Sensor |
| parentSigner | dynamic | - | The signer of the parent file | | |
| parentSignerFlagsAdhoc | dynamic | - | The list of ad-hoc signature flags of the parent process | | |
| parentSignerFlagsLibValid | dynamic | - | The list of library-validation signature flags of the parent process | | |
| parentSignerFlagsRuntime | dynamic | - | The list of runtime signature flags of the parent process | | |
| parentSignerValid | dynamic | - | Whether each signer of the parent process is valid | | Endpoint Sensor |
| parentSignerValid | dynamic | - | The validity of the parent signer | | |
| parentSubTrueType | int | - | The true file sub-type of the parent file | | |
| parentTrueType | int | - | The true file type of the parent file | | |
| parentUser | string | - | The user that executed the parent process | | |
| parentUserDomain | string | - | The user domain of the parent process | | |
| parentUserGroupSids | dynamic | - | The user group SIDs of the parent process | | Endpoint Sensor |
| patVer | string | - | The version of the behavior pattern | | |
| plang | int | - | The product language | | |
| platformAssetTags | dynamic | - | The list of platform custom asset tags | {"Asset group":["finance"], "some.ip": ["10.1.0.1"]} | |
| pname | string | - | The internal product ID (deprecated; use productCode) | | |
| policyId | string | - | The ID of the policy under which the event was detected | | |
| pplat | int | - | The product platform | | |
| processActions | dynamic | - | The process actions | | Endpoint Sensor |
| processArtifactIds | dynamic | - | The artifact IDs generated by processAction | | |
| processCmd | string | CLICommand | The command line of the subject process | | |
| processFileCreation | string | - | The time the process file was created | | |
| processFileCurrentOwnerName | string | - | The current owner name of the process file | | |
| processFileCurrentOwnerSid | string | - | The SID of the current owner of the process file | | |
| processFileDaclString | string | - | The discretionary access control list (DACL) of the process file | | |
| processFileGroupName | string | - | The group name of the process file | | |
| processFileGroupSid | string | - | The SID of the process file group | | |
| processFileHashId | long | - | The process file hash ID | | |
| processFileHashMd5 | string | FileMD5 | The MD5 hash of the subject process image | | |
| processFileHashSha1 | string | FileSHA1 | The SHA-1 hash of the subject process image | | |
| processFileHashSha256 | string | FileSHA2 | The SHA-256 hash of the subject process image | | |
| processFileModifiedTime | string | - | The time the process file was modified | | |
| processFileOriginalName | string | FileName | The original file name of the process image | | |
| processFileOwnerName | string | - | The owner name of the process file | | |
| processFileOwnerSid | string | - | The SID of the process file owner | | |
| processFilePath | string | - | The file path of the subject process | | |
| processFileRemoteAccess | bool | - | Whether the process file is accessed remotely | | |
| processFileSaclString | string | - | The system access control list (SACL) of the process file | | |
| processFileSize | string | - | The size of the process file | | |
| processHashId | string | - | The FNV hash of the subject process | | Endpoint Sensor |
| processHashId | long | - | The FNV hash of the subject process | | |
| processImagePath | string | - | The image path of the process that triggered the file event | | |
| processLaunchTime | real | - | The time the subject process was launched | | |
| processName | string | ProcessName | The image name of the process that triggered the event | | |
| processPayloadSigner | dynamic | - | The list of signer names of the process payload | | Endpoint Sensor |
| processPayloadSignerFlagsAdhoc | dynamic | - | The list of ad-hoc signature flags of the process payload | | Endpoint Sensor |
| processPayloadSignerFlagsLibValid | dynamic | - | The list of library-validation signature flags of the process payload | | Endpoint Sensor |
| processPayloadSignerFlagsRuntime | dynamic | - | The list of runtime signature flags of the process payload | | Endpoint Sensor |
| processPayloadSignerValid | dynamic | - | Whether each signer of the process payload is valid | | Endpoint Sensor |
| processPid | int | - | The PID of the subject process | | |
| processPkgName | string | - | The process package name | | Endpoint Sensor |
| processSigner | dynamic | - | The list of signer names of the subject process | | |
| processSigner | dynamic | - | The signer of the process file | | |
| processSignerFlagsAdhoc | dynamic | - | The list of ad-hoc signature flags of the process | | |
| processSignerFlagsLibValid | dynamic | - | The list of library-validation signature flags of the process | | |
| processSignerFlagsRuntime | dynamic | - | The list of runtime signature flags of the process | | |
| processSignerValid | dynamic | - | The validity of the process signer | | |
| processStackTrace | string | - | The process stack trace of the telemetry event | C:\Windows\System32\ntdll.dll!NtCreateUserProcess\|ZwCreateUserProcess, C:\Windows\System32\kernelbase.dll!CreateProcessInternalW | Endpoint Sensor |
| processSubTrueType | int | - | The true file sub-type of the process image | | |
| processTrueType | int | - | The true file type of the process image | | |
| processUser | string | UserAccount | The owner name of the subject process image | | |
| processUserDomain | string | - | The process user domain | | |
| processUserGroupSids | dynamic | - | The user group SIDs of the process | | Endpoint Sensor |
| proto | int | - | The protocol type | | |
| providerGUID | string | - | The GUID of the Windows event provider | {11111111-1111-1111-1111-111111111111} | |
| providerName | string | - | The name of the Windows event provider | | |
| proxy | string | - | The proxy address | | |
| publicSpt | int | Port | The public port of the endpoint making the request | 57163 | Endpoint Sensor |
| publicSrc | string | - | The public IP address of the endpoint making the request | 10.10.10.10 | Endpoint Sensor |
| pver | string | - | The product version | | |
| rawDataSize | string | - | The size of the raw Windows event data | | |
| rawDataStr | string | - | The raw contents of the Windows event | | |
| regionId | string | - | The cloud asset region | | |
| request | string | URL | The request URL | | |
| requestMethod | string | - | The network protocol request method | | |
| riskLevel | string | - | The risk level | | |
| rt | string | - | The time the log was generated (Unix epoch, milliseconds, stored as a string) | 1656324260000 | |
| rt | string | - | The event time (Unix epoch, milliseconds, stored as a string) | 1657781088000 | |
| ruleId | int | - | The rule ID | 1005566 | |
| ruleName | string | - | The name of the rule that triggered the event | | |
| sessionId | int | - | The session ID | | |
| smbSharedName | string | - | The name of the shared folder on the server that contains the files to be opened | C:\sharedfolder | Endpoint Sensor |
| smbSharedName | string | - | The name of the shared folder on the server that contains the files | sharedfolder | Endpoint Sensor |
| sourceType | string | - | The source type | | |
| spt | int | Port | The source port number | | |
| src | dynamic | - | The source IP address | 10.10.10.10 | |
| src | string | - | The source address | | |
| srcFileCreation | string | - | The time the source file was created | | |
| srcFileCurrentOwnerName | string | - | The current owner name of the source file | | |
| srcFileCurrentOwnerSid | string | - | The SID of the current owner of the source file | | |
| srcFileDaclString | string | - | The discretionary access control list (DACL) of the source file | | |
| srcFileGroupName | string | - | The group name of the source file | | |
| srcFileGroupSid | string | - | The SID of the source file group | | |
| srcFileHashId | long | - | The source file hash ID | | |
| srcFileHashMd5 | string | FileMD5 | The MD5 hash of the source file | | |
| srcFileHashSha1 | string | FileSHA1 | The SHA-1 hash of the source file | | |
| srcFileHashSha256 | string | FileSHA2 | The SHA-256 hash of the source file | | |
| srcFileIsRemoteAccess | bool | - | Whether the source file was accessed remotely | | |
| srcFileModifiedTime | string | - | The time the source file was modified | | |
| srcFileOwnerName | string | - | The owner name of the source file | | |
| srcFileOwnerSid | string | - | The SID of the source file owner | | |
| srcFilePath | string | - | The source file path | | |
| srcFileSaclString | string | - | The system access control list (SACL) of the source file | | |
| srcFileSize | string | - | The size of the source file | | |
| srcFirstSeen | string | - | The first time the source file was seen | | |
| srcHashId | long | - | The source hash ID | | |
| srcLastSeen | string | - | The last time the source file was seen | | |
| srcSigner | dynamic | - | The signer of the source file | | |
| srcSignerFlagsAdhoc | dynamic | - | The list of ad-hoc signature flags of the source file | | |
| srcSignerFlagsLibValid | dynamic | - | The list of library-validation signature flags of the source file | | |
| srcSignerFlagsRuntime | dynamic | - | The list of runtime signature flags of the source file | | |
| srcSignerValid | dynamic | - | The validity of the source file signer | | |
| srcSubTrueType | int | - | The true file sub-type of the source file | | |
| srcTrueType | int | - | The true file type of the source file | | |
| status | string | - | The HTTP response status code | | |
| subnetId | string | - | The subnet ID of the virtual machine that made the request | subnet-01234567890abcdef | Endpoint Sensor |
| subSystem | string | - | The subsystem information | com.apple.xpc | |
| suspiciousObject | string | - | The matched suspicious object | 36ba9de3da9e6f8abfffdda7787ab0ecc16724bb | Endpoint Sensor |
| suspiciousObjectType | string | - | The type of the matched suspicious object | sha1 | Endpoint Sensor |
| tacticId | dynamic | Tactic | The list of MITRE ATT&CK tactic IDs | | |
| timezone | string | - | The host time zone | | |
| triggerReason | string | - | The cause of the triggered action | | |
| userDomain | dynamic | - | The user domain name | | |
| vpcId | string | - | The virtual private cloud (VPC) that contains the cloud asset | vpc-01234567890abcdef | |
| winEventId | int | - | The Windows event ID | | |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| actResult | dynamic | - | The result of an action | | |
| aggregatedCount | string | - | The number of aggregated events | | |
| behaviorCat | string | - | The matched policy category | | |
| cat | int | - | The weighted priority of the incident | | |
| category | string | - | The event category | | |
| censusMaturityValue | int | - | The CENSUS maturity value | | |
| censusPrevalenceValue | int | - | The CENSUS prevalence value | | |
| cloudProvider | string | - | The service provider of the cloud asset | | |
| compressedFileHash | string | FileSHA1 | The SHA-1 of the decompressed archive | | |
| compressedFileHashSha256 | string | FileSHA2 | The SHA-256 of the compressed suspicious file | | |
| compressedFileName | string | FileName | The file name of the compressed file | | |
| customAssetTags | dynamic | - | The list of custom asset tags | {"os":["linux", "windows"], "org":["bu1"]} | |
| cves | dynamic | - | The CVEs associated with this filter | | |
| dceArtifactActions | dynamic | - | The actions performed on Damage Cleanup Engine artifacts | | |
| detectedActions | dynamic | - | The actions performed on detected artifacts | | |
| detectedBackupArtifacts | dynamic | - | The information about detected artifacts | {"objectArtifactId": "025d9f2a-ac9c-4cdf-b9e4-cf20c6e40281_0.dmp", "action": "object_process_dump", "status": 0, "processCreationTime": "1627574338077", "processImageFileName": "C:\Program Files\aaa\bbb\objprocess.exe"} | |
| detectedBackupArtifactsStatus | dynamic | - | The backup status of detected artifacts | ['0', '-67'] | |
| detectedBackupFolder | string | - | The folder path for detected backup folders | C:\\Program Files (x86)\\Trend Micro\\artifact\\DCE | |
| detectedPattern | string | - | The detected pattern | dct.virus | |
| detectionAggregationIds | dynamic | - | The list of detection aggregation IDs | ['11111111-1111-1111-1111-111111111111'] | |
| detectionAggressivenessLevel | int | - | The detection aggressiveness level | | |
| detectionEngineVersion | string | - | The detection engine version | 7.6.0 | |
| detectionMeta | dynamic | - | The descriptions of the detected techniques | ['T1204 some description about this technique', 'T1573.001_AES another description about this technique'] | |
| detectionNames | dynamic | - | The rules that triggered the event | ['HS_EMOTET.SMAA', 'HM_AVEDOWN.SMZTIG-A', 'HE_DOCQRPHISH.SM'] | |
| detectionType | string | - | The detection type | | |
| dmac | string | - | The MAC address of the destination IP (dest_ip) | | |
| dpt | int | Port | The destination port | | |
| dpt | int | Port | The destination port number | - | |
| dst | dynamic | | The destination IP | 10.10.10.10 | |
| dst | string | | The destination IP address | | |
| duser | dynamic | EmailRecipient | The email recipient | | |
| endpointGUID | string | EndpointID | The GUID of the agent that reported the detection | | |
| endpointGuid | string | EndpointID | The host GUID of the endpoint on which the event was detected | 11111111-1111-1111-1111-111111111111 | |
| endpointHostName | string | EndpointName | The endpoint hostname or node where the event was detected | | |
| endpointHostName | string | EndpointName | The host name of the endpoint on which the event was detected | | |
| endpointIp | dynamic | | The IP address of the endpoint on which the event was detected | 10.10.10.10 | |
| endpointIp | dynamic | | The IP address of the endpoint on which the event was detected | | |
| endpointMacAddress | dynamic | - | The host MAC address | | |
| endTime | long | - | The time when the last event was received (in Unix milliseconds) | 1750983926000 | Trend Cloud One - Endpoint & Workload Security |
| eventHashId | string | - | The event hash ID | | |
| eventId | string | - | The event ID from the logs of each product | | |
| eventId | int | - | The event type | - | |
| eventName | string | - | The event type | | |
| eventSubId | int | - | The access type | | |
| eventSubName | string | - | The event type sub-name | | |
| eventTime | real | - | The time the agent detected the event | 1657781088000 | |
| fileHash | string | FileSHA1 | The SHA-1 of the file that triggered the rule or policy | | |
| fileHashSha256 | string | FileSHA2 | The SHA-256 of the file (fileName) | | |
| fileName | dynamic | FileName | The file name | | |
| fileOperation | string | - | The operation performed on the file | | |
| filePath | string | FileFullPath | The file path without the file name | | |
| filePathName | string | FileFullPath | The file path with the file name | | |
| firstAct | string | - | The first scan action | | |
| firstActResult | string | - | The first scan action result | | |
| firstSeen | real | - | The first time the event was seen | 1656355418449 | |
| fullPath | string | FileFullPath | The combination of the file path and the file name | | |
| groups | string | - | The OSSEC rule group names | | |
| hostId | int | - | The host ID | | |
| hostName | string | | The computer name of the client host (the hostname from the suspicious URL detected by Deep Discovery Inspector) | | |
| hostName | string | | The domain name | | |
| httpReferer | string | URL | The HTTP referer | | |
| instanceId | string | - | The ID of the instance that indicates the meta-cloud or data center VM | | |
| instanceId | string | - | The virtual machine instance ID on the cloud platform | i-01234567890abcdef | |
| interestedHost | string | DomainName | The endpoint hostname (for example, if an intranet host accesses a suspicious internet host, the intranet host is the "peerHost" and the internet host is the "interestedHost") | | |
| interestedIp | dynamic | | The IP of the interestedHost | 10.10.10.10 | |
| isEntity | string | - | The current entity (or after change/modification) | | |
| isProxy | bool | - | Whether something is a proxy | False | |
| lastSeen | real | - | The last time the event was seen | 1656355418449 | |
| logKey | string | - | The unique key of the event | | |
| logonUser | dynamic | UserAccount | The logon user name | | |
| majorVirusType | string | - | The virus type | | |
| malFamily | string | - | The threat family | | |
| malName | string | - | The name of the detected malware | | |
| malType | string | - | The risk type for Network Content Correlation Engine rules | | |
| mDeviceGUID | string | - | The GUID of the agent host | | |
| mitreVersion | string | - | The MITRE version | | |
| moduleScanType | string | - | The module scan type | traditional | |
| mpname | string | - | The management product name | | |
| mpver | string | - | The product version | | |
| objectAppName | string | - | The name of the app involved in the AMSI event | | |
| objectArtifactIds | dynamic | - | The artifact IDs generated by objectAction | | |
| objectAttributes | string | - | The object attributes | attribute | |
| objectBmData | string | - | The data of the BM event | | |
| objectCmd | dynamic | CLICommand | The object process command line | | |
| objectCmd | string | CLICommand | The command line entry of the target process | | |
| objectContentName | string | - | The AMSI object content name | | |
| objectCurrentFileSize | long | - | The previous size of the modified object file | | |
| objectCurrentPosixPermission | string | - | The new POSIX permission of the file, used in file events and CHMOD events | 1050180 | Trend Cloud One - Endpoint & Workload Security |
| objectFileAccess | string | - | The object file access details | 1717658631000 | |
| objectFileCreation | string | - | The UTC time that the object was created | | |
| objectFileCreation | string | - | The time the object file was created | | |
| objectFileGroupName | string | - | The object file user group name | | |
| objectFileHashId | string | - | The object file hash ID | | |
| objectFileHashMd5 | string | FileMD5 | The MD5 of the object | | |
| objectFileHashMd5 | string | FileMD5 | The MD5 hash of the target process image or target file | | |
| objectFileHashSha1 | string | FileSHA1 | The SHA-1 of the objectFilePath object | | |
| objectFileHashSha1 | string | FileSHA1 | The SHA-1 hash of the target process image or target file | | |
| objectFileHashSha256 | string | FileSHA2 | The SHA-256 of the object (objectFilePath) | | |
| objectFileHashSha256 | string | FileSHA2 | The SHA-256 hash of the target process image or target file | | |
| objectFileIsRemoteAccess | bool | - | Whether the object file was accessed remotely | - | |
| objectFileModified | string | - | The UTC time that the object was modified | | |
| objectFileModifiedTime | string | - | The time the object file was modified | | |
| objectFileName | string | FileName | The object file name | | |
| objectFileOriginalName | string | FileName | The original file name of the object image | | |
| objectFileOwnerName | string | - | The object file owner name | | |
| objectFilePath | string | FileFullPath | The file path of the target process image or target file | | |
| objectFilePath | string | | The file path of the target process image or target file | | |
| objectFileSize | long | - | The object file size | | Trend Cloud One - Endpoint & Workload Security |
| objectFileSize | string | - | The file size of the object file | | |
| objectFirstSeen | string | - | The first time the object was seen | | |
| objectHashId | long | - | The object hash ID | | |
| objectIp | dynamic | | The IP address of the domain | 10.10.10.10 | Trend Cloud One - Endpoint & Workload Security |
| objectIps | dynamic | | The IP address list of the internet event | | |
| objectLastSeen | string | - | The last time the object was seen | | |
| objectLaunchTime | string | - | The object launch time of the Windows event | | |
| objectName | string | - | The base name of the object file or process | net.exe | |
| objectName | string | - | The object name | | |
| objectPid | int | - | The object process PID | | |
| objectPid | int | - | The PID of the target process | - | |
| objectPosixPermission | string | - | The current POSIX permission for the file | 1050112 | Trend Cloud One - Endpoint & Workload Security |
| objectPosixPermissionHashId | string | - | The POSIX permission hash ID | -8931783023607715387 | Trend Cloud One - Endpoint & Workload Security |
| objectProcessHashId | long | - | The FNV hash of the target process | | |
| objectRawDataSize | dynamic | - | The raw data size of the Windows event object | | |
| objectRawDataStr | dynamic | - | The data contents of the AMSI event | | |
| objectRegistryData | string | RegistryValueData | The registry data contents | C:\Program Files\AlertMedia\AlertMedia Desktop Notifications\AlertMedia.exe | |
| objectRegistryData | string | RegistryValueData | The registry value data | | |
| objectRegistryKeyHandle | string | RegistryKey | The registry key path | | |
| objectRegistryKeyHandle | string | RegistryKey | The registry key | | |
| objectRegistryRoot | string | - | The name of the object registry root key | | |
| objectRegistryRoot | int | - | The Windows Registry root ID | | |
| objectRegistryValue | string | RegistryValue | The registry value name | | |
| objectRegistryValue | string | RegistryValue | The registry value name | | |
| objectRegType | int | - | The Windows Registry type ID | | |
| objectRunAsLocalAccount | bool | - | Whether the "runas" command uses a local account | | |
| objectSessionId | string | - | The object session ID | | |
| objectSigner | dynamic | - | The certificate signer of the object process or file | | |
| objectSignerValid | dynamic | - | The validity of the certificate signer | | |
| objectSubTrueType | int | - | The true sub-type of the file object | | |
| objectTrueType | int | - | The true major type of the file object | | |
| objectType | string | - | The object type | | |
| objectUser | string | UserAccount | The owner name of the target process or the login user name | | |
| objectUserDomain | string | - | The owner domain of the target process | | |
| objectUserDomain | string | - | The object user domain | | |
| objectUserGroup | string | - | The user group name | | |
| oldFileHash | string | FileSHA1 | The SHA-1 of the target process image or target file (wasEntity from an IM event) | | |
| originalFileHashes | dynamic | FileSHA1 | The hashes of the original file | | |
| originalFilePaths | dynamic | | The paths of the original file | C:\\Users\\user_name\\Downloads\\run.exe | |
| osDescription | string | - | The OS version | | |
| osName | string | - | The host operating system name | | |
| osType | string | - | The host operating system type | | |
| osVer | string | - | The version of the host operating system | | |
| out | string | - | The IP datagram length (in bytes) | | |
| parentCmd | string | CLICommand | The command line entry of the parent process | | |
| parentFileCreation | string | - | The time the parent file was created | | |
| parentFileGroupName | string | - | The name of the parent file user group | | |
| parentFileHashId | long | - | The parent file hash ID | | |
| parentFileHashMd5 | string | FileMD5 | The MD5 hash of the parent process | | |
| parentFileHashSha1 | string | FileSHA1 | The SHA-1 hash of the parent process | | |
| parentFileHashSha256 | string | FileSHA2 | The SHA-256 hash of the parent process | | |
| parentFileModifiedTime | string | - | The time the parent file was modified | | |
| parentFileOriginalName | string | FileName | The original file name of the parent image | | |
| parentFileOwnerName | string | - | The owner name of the parent file | | |
| parentFilePath | string | | The file path of the parent process | | |
| parentFileSize | string | - | The file size of the parent file | | |
| parentHashId | long | - | The parent hash ID | | |
| parentLaunchTime | real | - | The time when the parent process was launched | | |
| parentName | string | - | The image name of the parent process | | |
| parentPid | int | - | The PID of the parent process | - | |
| parentSessionId | int | - | The parent session ID | - | |
| parentSigner | dynamic | - | The signer of the parent file | | |
| parentSignerValid | dynamic | - | The validity of the parent signer | - | |
| parentSubTrueType | int | - | The true file subtype of the parent file | - | |
| parentTrueType | int | - | The true file type of the parent file | - | |
| parentUser | string | - | The account name of the parent process | Administrator | Trend Cloud One - Endpoint & Workload Security |
| parentUser | string | - | The type of user that executed the parent process | | |
| parentUserDomain | string | - | The domain name of the parent process | builtindomain | Trend Cloud One - Endpoint & Workload Security |
| parentUserDomain | string | - | The user domain of the parent process | | |
| plang | int | - | The product language | | |
| platformAssetTags | dynamic | - | The list of platform custom asset tags | {"Asset group":["finance"], "some.ip": ["10.1.0.1"]} | |
| pname | string | - | The internal product ID | | |
| pname | string | - | The internal product ID (deprecated, use productCode) | | |
| policyId | string | - | The ID of the policy under which the event was detected | | |
| pplat | int | - | The product platform | | |
| processArtifactIds | dynamic | - | The artifact IDs generated by processAction | | |
| processCmd | string | CLICommand | The subject process command line | | |
| processCmd | string | CLICommand | The command line entry of the subject process | | |
| processFileCreation | string | - | The Unix time of object creation | | Trend Cloud One - Endpoint & Workload Security |
| processFileCreation | string | - | The time the process file was created | | |
| processFileGroupName | string | - | The name of the process file user group | | |
| processFileHashId | long | - | The file hash of the process | | |
| processFileHashMd5 | string | FileMD5 | The MD5 of the subject process | | |
| processFileHashMd5 | string | FileMD5 | The MD5 hash of the subject process image | | |
| processFileHashSha1 | string | FileSHA1 | The SHA-1 of the subject process | | |
| processFileHashSha1 | string | FileSHA1 | The SHA-1 hash of the subject process image | | |
| processFileHashSha256 | string | FileSHA2 | The SHA-256 of the subject process | | |
| processFileHashSha256 | string | FileSHA2 | The SHA-256 hash of the subject process image | | |
| processFileModifiedTime | string | - | The time the process file was modified | | |
| processFileOriginalName | string | FileName | The original file name of the process image | | |
| processFileOwnerName | string | - | The process file owner name | | |
| processFilePath | string | | The file path of the subject process | | |
| processFileSize | string | - | The file size of the process file | | |
| processHashId | long | - | The FNV hash of the subject process | | |
| processImageFileNames | dynamic | - | The process image file names of detected backup artifacts | | |
| processImagePath | string | - | The process triggered by the file event | | |
| processLaunchTime | string | - | The time the subject process was launched | | Trend Cloud One - Endpoint & Workload Security |
| processLaunchTime | real | - | The time the subject process was launched | | |
| processName | string | ProcessName | The image name of the process that triggered the event | | |
| processPid | int | - | The PID of the subject process | - | |
| processSigner | dynamic | - | The signer name list of the subject process | | |
| processSigner | dynamic | - | The process file signer | | |
| processSignerValid | dynamic | - | The validity of the process signer | | |
| processSubTrueType | int | - | The true file subtype of the process | - | |
| processTrueType | int | - | The true file type of the process | - | |
| processUser | string | UserAccount | The user name of the process or the file creator | | |
| processUser | string | UserAccount | The owner name of the subject process image | | |
| processUserDomain | string | - | The owner domain of the subject process image | | Trend Cloud One - Endpoint & Workload Security |
| processUserDomain | string | - | The process user domain | | |
| processUserGroupId | string | - | The process user group ID or file creator | | Trend Cloud One - Endpoint & Workload Security |
| processUserGroupName | string | - | The process user group name or file creator | | Trend Cloud One - Endpoint & Workload Security |
| processUserId | string | - | The process user ID or file creator | | Trend Cloud One - Endpoint & Workload Security |
| proto | string | - | The exploited layer network protocol | | |
| proto | int | - | The protocol type | | |
| protoFlag | string | - | The data flags | | |
| pver | string | - | The product version | | |
| quarantineFileId | string | - | The unique identifier of the quarantined object | ASLUMVS0.4FC | |
| quarantineFilePath | string | FileFullPath | The file path of the quarantined object | C:\ProgramData\Trend Micro\AMSP\quarantine\ASLUMVS0.4FC | |
| quarantineFileSha256 | string | FileSHA2 | The SHA-256 of the quarantined object | 84B2FA19B05EA88D6E785B4ADB528120485AA3F72F3E5E114DE6D3696B0D151F | |
| regionId | string | - | The cloud asset region | | Trend Cloud One - Endpoint & Workload Security |
| regionId | string | - | The cloud asset region | | |
| remarks | string | - | The additional information | | |
| request | string | URL | The notable URLs | | |
| requestClientApplication | string | - | The protocol user agent information | | |
| requestMethod | string | - | The network protocol request method | | |
| riskLevel | string | - | The risk level | | |
| rt | string | - | The Unix time of the log generation | 1656324260000 | |
| rtDate | string | - | The date of the log generation | 1655337600000 | |
| rtHour | int | - | The hour of the log generation | | |
| rtWeekDay | string | - | The weekday of the log generation | | |
| ruleId | int | - | The rule ID | | |
| ruleName | string | - | The name of the rule that triggered the event | | |
| ruleSetName | string | - | The rule set name | AllRules | |
| ruleType | string | - | The access rule type | | |
| ruleVer | string | - | The rule version | | |
| scanType | string | - | The scan type | | |
| score | int | - | The Web Reputation Services URL rating | | |
| secondAct | string | - | The second scan action | | |
| secondActResult | string | - | The result of the second scan action | | |
| senderGUID | string | - | The sender GUID | | |
| sessionId | int | - | The session ID | | |
| severity | int | - | The severity of the event | | |
| shost | string | DomainName | The source hostname | | |
| smac | string | - | The source MAC address | | |
| sproc | string | - | The OSSEC program name | | |
| spt | int | Port | The source port | | |
| spt | int | Port | The source port number | | |
| src | dynamic | | The source IP | 10.10.10.10 | |
| src | string | | The source address | | |
| srcFileCreation | string | - | The time the source file was created | | |
| srcFileGroupName | string | - | The source file user group name | | |
| srcFileHashId | long | - | The source file hash ID | | |
| srcFileIsRemoteAccess | bool | - | Whether the source file was accessed remotely | - | |
| srcFileModifiedTime | string | - | The time the source file was modified | | |
| srcFileOwnerName | string | - | The source file owner name | | |
| srcFilePath | string | | The source file path | | |
| srcFileSize | string | - | The file size of the source file | | |
| srcFirstSeen | string | - | The first time the source file was seen | | |
| srcHashId | long | - | The source hash ID | | |
| srcLastSeen | string | - | The last time the source file was seen | | |
| srcSubTrueType | int | - | The true file subtype of the source file | - | |
| srcTrueType | int | - | The true file type of the source file | - | |
| startTime | long | - | The time when the first event was received (in Unix milliseconds) | 1750983848000 | Trend Cloud One - Endpoint & Workload Security |
| status | string | - | The HTTP response status code | | |
| subRuleId | string | - | The ID of a subordinate rule | | |
| subRuleName | string | - | The subrule name | | |
| suid | string | UserAccount | The user name or mailbox | | |
| tags | dynamic | | The detected technique ID based on the alert filter | | |
| target | string | - | The target object for the behavior | | |
| targetType | string | - | The target object type | | |
| timezone | string | - | The host time zone | | |
| trigger | string | - | The action trigger | | |
| triggerInfo | dynamic | - | The trigger information | [{'triggerModule': 'ODS', 'triggerReason': 'System Schedule Scan'}] | |
| triggerReason | string | - | The cause of the triggered action | | |
| urlCat | dynamic | - | The requested URL category | | |
| userDomain | dynamic | - | The user domain name | | |
| vpcId | string | - | The virtual private cloud that contains the cloud asset | | |
| vpcId | string | - | The virtual private cloud that contains the cloud asset | vpc-01234567890abcdef | |
| wasEntity | string | - | The entity before change/modification | | |
| winEventId | int | - | The Windows event ID | | |

| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| detectionMeta | dynamic | - | The descriptions of the detected techniques | ['T1204 some description about this technique', 'T1573.001_AES another description about this technique'] | |
| detectionNames | dynamic | - | The rules that triggered the event | ['HS_EMOTET.SMAA', 'HM_AVEDOWN.SMZTIG-A', 'HE_DOCQRPHISH.SM'] | |
| objectSignerFlagsAdhoc | dynamic | - | The list of object process signature adhoc flags | - | |
| objectSignerFlagsLibValid | dynamic | - | The list of object process signature library validation flags | - | |
| objectSignerFlagsRuntime | dynamic | - | The list of object process signature runtime flags | - | |
| parentSignerFlagsAdhoc | dynamic | - | The list of parent process signature adhoc flags | - | |
| parentSignerFlagsLibValid | dynamic | - | The list of parent process signature library validation flags | - | |
| parentSignerFlagsRuntime | dynamic | - | The list of parent process signature runtime flags | - | |
| processSignerFlagsAdhoc | dynamic | - | The list of process signature adhoc flags | - | |
| processSignerFlagsLibValid | dynamic | - | The list of process signature library validation flags | - | |
| processSignerFlagsRuntime | dynamic | - | The list of process signature runtime flags | - | |
| quarantineFileId | string | - | The unique identifier of the quarantined object | ASLUMVS0.4FC | |
| quarantineFilePath | string | FileFullPath | The file path of the quarantined object | C:\ProgramData\Trend Micro\AMSP\quarantine\ASLUMVS0.4FC | |
| quarantineFileSha256 | string | FileSHA2 | The SHA-256 of the quarantined object | 84B2FA19B05EA88D6E785B4ADB528120485AA3F72F3E5E114DE6D3696B0D151F | |

| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| accessPermission | string | - | The access permission type | | Trend Micro Apex One as a Service |
| act | dynamic | - | The actions taken to mitigate the event | | |
| actResult | dynamic | - | The result of an action | | |
| additionalInfo | string | - | The filter rule info | Default | |
| aggregatedCount | string | - | The number of aggregated events | | |
| application | string | - | The name of the requested application | | |
| authId | string | - | The authorization ID | | |
| behaviorCat | string | - | The matched policy category | | |
| blocking | string | - | The blocking type | | Trend Micro Apex One as a Service |
| bmGroup | string | - | The one-to-many data structure | logGenLocalDatetime:2022-07-08T09:21:11+00:00, act:Assessment, behaviorType:Registry, riskConfidenceLevel:1, ruleId:7, ruleName:New Service, behaviorCategory:Policy Enforcement, processFilePath:C:\Windows\SysWOW64\srts\wmipr.exe, aegisOperation:Set Key, objectFilePath:HKLM\SYSTEM\CurrentControlSet\Services\DpsiBSvc\Start, policyId:007, objectFileHashSha1:null, objectCmd:null, processFileHashSha1:null, processCmd:null, objectRegistryData:null, objectRegistryKeyHandle:null, objectRegistryValue:null | Trend Micro Apex One as a Service |
| cat | int | - | The weighted priority of the incident | | |
| cccaDetection | string | - | Whether this log is identified as a C&C callback address detection | Yes | |
| cccaDetectionSource | string | - | The list that defines this CCCA detection rule | | |
| cccaRiskLevel | int | - | The severity level of the threat actors associated with the C&C servers | | |
| censusMaturityValue | int | - | The CENSUS maturity value | | |
| censusPrevalenceValue | int | - | The CENSUS prevalence value | | |
| channel | string | - | The channel through which the requested Windows event is delivered | | Trend Micro Apex One as a Service |
| channel | string | - | The Windows event channel | | |
| clientStatus | string | - | The client status when the event occurred | | Trend Micro Apex One as a Service |
| compressedFileHash | string | FileSHA1 | The SHA-1 of the decompressed archive | | |
| compressedFileHashSha256 | string | FileSHA2 | The SHA-256 of the compressed suspicious file | | |
| compressedFileName | string | FileName | The file name of the compressed file | | |
| computerDomain | string | - | The computer domain | | Trend Micro Apex One as a Service |
| confidence | int | - | The confidence rating returned by the TrendX Hybrid Model (predictive machine learning); values range from 1 to 99 | 94 | |
| correlationData | dynamic | - | The data for correlation | - | |
| customAssetTags | dynamic | - | The list of custom asset tags | {"os":["linux", "windows"], "org":["bu1"]} | |
| dacDeviceType | string | - | The device type | | Trend Micro Apex One as a Service |
| dceArtifactActions | dynamic | - | The actions performed on Damage Cleanup Engine artifacts | | |
| destinationPath | string | - | The intended destination of the file containing the digital asset or channel |
+
|
+ Trend Micro Apex One as a Service | +
| detailTrace | +int | +- | +Whether the detection comes with a detailed trace footprint | +- | +Trend Micro Apex One as a Service | +
| detectedActions | +dynamic | +- | +The actions performed on detected artifacts | +
+
|
+
+
|
+
| detectedBackupArtifacts | +dynamic | +- | +The information about detected artifacts | +{"objectArtifactId": "025d9f2a-ac9c-4cdf-b9e4-cf20c6e40281_0.dmp", "action": "object_process_dump", "status": 0, "processCreationTime": "1627574338077", "processImageFileName": "C:\Program Files\aaa\bbb\objprocess.exe"} | +
+
|
+
| detectedBackupArtifactsStatus | +dynamic | +- | +The backup status of detected artifacts | +['0', '-67'] | +
+
|
+
| detectedBackupFolder | +string | +- | +The folder path for detected backup folders | +C:\\Program Files (x86)\\Trend Micro\\artifact\\DCE | +
+
|
+
| detectedPattern | +string | +- | +The detected pattern | +dct.virus | +
+
|
+
| detectionAggregationIds | +dynamic | +- | +The list of detection aggregation IDs | +['11111111-1111-1111-1111-111111111111'] | +
+
|
+
| detectionAggressivenessLevel | +int | +- | +The detection aggressiveness level | +
+
|
+
+
|
+
| detectionEngineVersion | +string | +- | +The detection engine version | +7.6.0 | +
+
|
+
| detectionMeta | +dynamic | +- | +The descriptions of the detected techniques | +['T1204 some description about this technique', 'T1573.001_AES another description about this technique'] | +
+
|
+
| detectionName | +string | +- | +The general name for the detection | +
+
|
+
+
|
+
| detectionNames | +dynamic | +- | +The rules that triggered the event | +['HS_EMOTET.SMAA', 'HM_AVEDOWN.SMZTIG-A', 'HE_DOCQRPHISH.SM'] | +
+
|
+
| detectionType | +string | +- | +The detection type | +
+
|
+
+
|
+
| deviceGUID | +string | +- | +The GUID of the agent which reported the detection | +
+
|
+
+
|
+
| deviceModel | +string | +- | +The device model number | +c96a | +Trend Micro Apex One as a Service | +
| deviceSerial | +string | +- | +The device serial ID | +000000063a2e8f | +Trend Micro Apex One as a Service | +
| direction | +string | +- | +The direction | +
+
|
+
+
|
+
| dmac | +string | +- | +The MAC address of the destination IP (dest_ip) | +
+
|
+
+
|
+
| domainName | +string | +DomainName | +The detected domain name | +
+
|
+
+
|
+
| dpt | +int | +Port | +The destination port | +
+
|
+
+
|
+
| dpt | +int | +Port | +The destination port number | +- | +
+
|
+
| dst | +dynamic | +
+
|
+ The destination IP | +10.10.10.10 | +
+
|
+
| dst | +string | +
+
|
+ The destination IP address | +
+
|
+
+
|
+
| duser | +dynamic | +EmailRecipient | +The email recipient | +
+
|
+
+
|
+
| dvchost | +string | +- | +The computer which installed the Trend Micro product | +
+
|
+
+
|
+
| endpointGUID | +string | +EndpointID | +The GUID of the agent which reported the detection | +
+
|
+
+
|
+
| endpointGuid | +string | +EndpointID | +Host GUID of the endpoint on which the event was detected | +11111111-1111-1111-1111-111111111111 | +
+
|
+
| endpointHostName | +string | +EndpointName | +The endpoint hostname or node where the event was detected | +
+
|
+
+
|
+
| endpointHostName | +string | +EndpointName | +The host name of the endpoint on which the event was detected | +
+
|
+
+
|
+
| endpointIp | +dynamic | +
+
|
+ The IP address of the endpoint on which the event was detected | +10.10.10.10 | +
+
|
+
| endpointIp | +dynamic | +
+
|
+ IP address of the endpoint on which the event was detected | +
+
|
+
+
|
+
| endpointMacAddress | +string | +- | +The MAC address of endpoint | +
+
|
+
+
|
+
| endpointMacAddress | +dynamic | +- | +The host MAC address | +
+
|
+
+
|
+
| engineOperation | +string | +- | +The operation of the engine event | +
+
|
+
+
|
+
| engType | +string | +- | +The engine type | +
+
|
+
+
|
+
| engVer | +string | +- | +The engine version | +
+
|
+
+
|
+
| eventDataAccessList | +string | +- | +The list of requested access rights | +
+
|
+
+
|
+
| eventDataAccessMask | +string | +- | +The hexadecimal value of the requested or used permissions during an access attempt | +
+
|
+
+
|
+
| eventDataActionName | +string | +- | +The action performed | +
+
|
+
+
|
+
| eventDataAuthenticationPackageName | +string | +- | +The authentication package name of the Windows event data | +
+
|
+
+
|
+
| eventDataElevatedToken | +string | +- | +Whether the session is elevated and has administrator privileges | +
+
|
+
+
|
+
| eventDataFullyQualifiedAssemblyName | +string | +- | +The fully qualified .NET assembly name | +
+
|
+
+
|
+
| eventDataImpersonationLevel | +string | +- | +The sign-in session impersonation level | +
+
|
+
+
|
+
| eventDataIpAddress | +string | +- | +The IP address for Windows event 4624 which is "An account was successfully logged on" | +
+
|
+
+
|
+
| eventDataJobOwner | +string | +- | +The name of the account that initiated the event | +
+
|
+ Trend Micro Apex One as a Service | +
| eventDataLogonProcessName | +string | +- | +The name of the Windows event sign in process name | +
+
|
+
+
|
+
| eventDataLogonType | +string | +- | +The logon type for Windows event 4624 which is "An account was successfully logged on" | +
+
|
+
+
|
+
| eventDataModuleILPath | +string | +- | +The CIL image path of the module or the dynamic module name | +
+
|
+
+
|
+
| eventDataObjectName | +string | +- | +The identifying information about the object for which access was requested | +
+
|
+
+
|
+
| eventDataObjectType | +string | +- | +The object type | +
+
|
+
+
|
+
| eventDataOperation | +string | +- | +Windows event 11 | +
+
|
+
+
|
+
| eventDataPath | +string | +- | +The path of the Windows event data | +
+
|
+
+
|
+
| eventDataProcessPath | +string | +- | +The process path that initiated the event | +
+
|
+ Trend Micro Apex One as a Service | +
| eventDataScriptBlockText | +string | +- | +Windows event 4104, Creating Scriptblock text | +
+
|
+ Trend Micro Apex One as a Service | +
| eventDataStatus | +string | +- | +The Windows event data status | +
+
|
+
+
|
+
| eventDataSubjectUserName | +string | +- | +The account name | +
+
|
+
+
|
+
| eventDataSubStatus | +string | +- | +The Windows event data sub status | +
+
|
+
+
|
+
| eventDataTargetDomainName | +string | +- | +The target sign-in account domain or computer name | +
+
|
+
+
|
+
| eventDataTargetName | +string | +- | +The service, application, or network resource name | +
+
|
+
+
|
+
| eventDataTargetUserName | +string | +- | +The user name of the Windows event data target | +
+
|
+ Trend Micro Apex One as a Service | +
| eventDataTaskName | +string | +- | +The task name logged by the Windows event | +
+
|
+
+
|
+
| eventDataTicketEncryptionType | +string | +- | +The cryptographic suite used for the Kerberos TGS | +
+
|
+
+
|
+
| eventDataTicketOptions | +string | +- | +The authentication request Kerberos ticket behavior and permissions flags | +
+
|
+
+
|
+
| eventDataUserContext | +string | +- | +The user context of the Windows event data | +
+
|
+
+
|
+
| eventDataWorkstationName | +string | +- | +The name of the computer used in the sign-in attempt | +
+
|
+
+
|
+
| eventHashId | +string | +- | +The event hash ID | +
+
|
+
+
|
+
| eventId | +string | +- | +The event ID from the logs of each product | +
+
|
+
+
|
+
| eventId | +int | +- | +Event type | +- | +
+
|
+
| eventMessage | +string | +- | +The event message | +[0x13bb4e2a0] activating connection: mach=true listener=false peer=false name=com.apple.airportd | +
+
|
+
| eventName | +string | +- | +The event type | +
+
|
+
+
|
+
| eventSubId | +int | +- | +The access type | +
+
|
+
+
|
+
| eventSubName | +string | +- | +The event type sub-name | +
+
|
+
+
|
+
| eventTime | +real | +- | +The time the agent detected the event | +1657781088000 | +
+
|
+
| extraInfo | +dynamic | +- | +The network application name | +
+
|
+ Trend Micro Apex One as a Service | +
| fileCreation | +string | +- | +The file creation date | +1595918517000 | +Trend Micro Apex One as a Service | +
| fileDesc | +string | +- | +The file description | +
+
|
+
+
|
+
| fileHash | +string | +FileSHA1 | +The SHA-1 of the file that triggered the rule or policy | +
+
|
+
+
|
+
| fileHashSha256 | +string | +FileSHA2 | +The SHA-256 of the file (fileName) | +
+
|
+
+
|
+
| fileName | +dynamic | +FileName | +The file name | +
+
|
+
+
|
+
| filePath | +string | +FileFullPath | +The file path without the file name | +
+
|
+
+
|
+
| fileSize | +string | +- | +The file size of the suspicious file | +
+
|
+
+
|
+
| fileVer | +string | +- | +The file version | +
+
|
+ Trend Micro Apex One as a Service | +
| filterName | +string | +- | +The filter name | +
+
|
+
+
|
+
| filterType | +string | +- | +The filter type | +
+
|
+
+
|
+
| firstAct | +string | +- | +The first scan action | +
+
|
+
+
|
+
| firstActResult | +string | +- | +The first scan action result | +
+
|
+
+
|
+
| firstSeen | +real | +- | +The first time the event was seen | +1656355418449 | +
+
|
+
| forensicFileHash | +string | +- | +The hash value of the forensic data file | +
+
|
+ Trend Micro Apex One as a Service | +
| forensicFilePath | +string | +- | +The file path of the forensic file (When a Data Loss Prevention policy is triggered, the file is encrypted and copied to the OfficeScan server for post-mortem analysis) | +
+
|
+ Trend Micro Apex One as a Service | +
| ftpUser | +string | +- | +The FTP login user name | +
+
|
+ Trend Micro Apex One as a Service | +
| fullPath | +string | +FileFullPath | +The combination of the file path and the file name | +
+
|
+
+
|
+
| hookId | +string | +- | +The hook ID | +
+
|
+ Trend Micro Apex One as a Service | +
| hostName | +string | +
+
|
+ The domain name | +
+
|
+
+
|
+
| httpReferer | +string | +URL | +The HTTP referer | +
+
|
+
+
|
+
| httpReferer | +string | +URL | +The HTTP header referer | +
+
|
+
+
|
+
| instanceId | +string | +- | +The ID of the instance that indicates the meta-cloud or data center VM | +
+
|
+
+
|
+
| integrityLevel | +int | +- | +The integrity level of a process | +- | +
+
|
+
| interestedHost | +string | +DomainName | +The endpoint hostname (For example, if an intranet host accesses a suspicious internet host, the intranet host is the "peerHost" and the internet host is the "interestedHost") | +
+
|
+
+
|
+
| interestedIp | +dynamic | +
+
|
+ The IP of the interestedHost | +10.10.10.10 | +
+
|
+
| interestedMacAddress | +string | +- | +The MAC address identified as the log owner's | +
+
|
+
+
|
+
| isHidden | +string | +- | +Whether the detection log generated a grey rule match | +Yes | +
+
|
+
| isProxy | +bool | +- | +Whether something is a proxy | +False | +
+
|
+
| lastSeen | +real | +- | +The last time the event was seen | +1656355418449 | +
+
|
+
| logKey | +string | +- | +The unique key of the event | +
+
|
+
+
|
+
| logonUser | +dynamic | +UserAccount | +The logon user name | +
+
|
+
+
|
+
| mailDeliveryTime | +string | +- | +The mail delivery time | +1900-1-1 00:00:00 | +Trend Micro Apex One as a Service | +
| mailMsgSubject | +string | +EmailSubject | +The email subject | +
+
|
+
+
|
+
| malDst | +string | +- | +The malware infection destination | +
+
|
+ Trend Micro Apex One as a Service | +
| malFamily | +string | +- | +The threat family | +
+
|
+
+
|
+
| malName | +string | +- | +The name of the detected malware | +
+
|
+
+
|
+
| malSrc | +string | +FileFullPath | +The malware infection source | +
+
|
+
+
|
+
| malSubType | +string | +- | +The subsidiary virus type | +Unknown | +
+
|
+
| malType | +string | +- | +The risk type for Network Content Correlation Engine rules | +
+
|
+
+
|
+
| matchedContent | +dynamic | +- | +The one-to-many data structure | +
+
|
+ Trend Micro Apex One as a Service | +
| mDevice | +dynamic | +- | +IP of the source | +
+
|
+ Trend Micro Apex One as a Service | +
| mDeviceGUID | +string | +- | +The GUID of the agent host | +
+
|
+
+
|
+
| messageType | +string | +- | +The message type | +Default | +
+
|
+
| moduleName | +string | +- | +The module where a hook procedure was set up | +
+
|
+ Trend Micro Apex One as a Service | +
| moduleScanType | +string | +- | +The module scan type | +traditional | +
+
|
+
| mpname | +string | +- | +The management product name | +
+
|
+
+
|
+
| mpver | +string | +- | +The product version | +
+
|
+
+
|
+
| msgAct | +string | +- | +The message action | +
+
|
+ Trend Micro Apex One as a Service | +
| msgId | +string | +EmailMessageID | +The internet message ID | +
+
|
+
+
|
+
| objectAppName | +string | +- | +Name of the app involved in the AMSI event | +
+
|
+
+
|
+
| objectArtifactIds | +dynamic | +- | +The artifact IDs generated by objectAction | +
+
|
+
+
|
+
| objectAttributes | +string | +- | +The object attributes | +attribute | +
+
|
+
| objectAuthId | +string | +- | +The object authorization ID | +
+
|
+
+
|
+
| objectCmd | +dynamic | +CLICommand | +The object process command line | +
+
|
+
+
|
+
| objectCmd | +string | +CLICommand | +Command line entry of target process | +
+
|
+
+
|
+
| objectContentName | +string | +- | +The AMSI object content name | +
+
|
+
+
|
+
| objectCurrentFileSize | +long | +- | +Previous size of modified object file | +
+
|
+
+
|
+
| objectEntityName | +string | +- | +The object entity name | +
+
|
+ Trend Micro Apex One as a Service | +
| objectFileAccess | +string | +- | +The object file access details | +1717658631000 | +
+
|
+
| objectFileCreation | +string | +- | +The UTC time that the object was created | +
+
|
+
+
|
+
| objectFileCreation | +string | +- | +The time the object file was created | +
+
|
+
+
|
+
| objectFileCurrentOwnerName | +string | +- | +The current owner name of the object file | +
+
|
+
+
|
+
| objectFileCurrentOwnerSid | +string | +- | +The current security identifier owner of the object file | +
+
|
+
+
|
+
| objectFileDaclString | +string | +- | +The discretionary access control list of the object file | +
+
|
+
+
|
+
| objectFileExtendedAttribute | +string | +- | +The extended attributes of the file | +
+
|
+
+
|
+
| objectFileGroupName | +string | +- | +The object file user group name | +
+
|
+
+
|
+
| objectFileGroupSid | +string | +- | +The security identifier of the object file group | +
+
|
+
+
|
+
| objectFileHashId | +string | +- | +The object file hash ID | +
+
|
+
+
|
+
| objectFileHashMd5 | +string | +FileMD5 | +The MD5 of the object | +
+
|
+
+
|
+
| objectFileHashMd5 | +string | +FileMD5 | +The md5 hash of target process image or target file | +
+
|
+
+
|
+
| objectFileHashSha1 | +string | +FileSHA1 | +The SHA-1 of the objectFilePath object | +
+
|
+
+
|
+
| objectFileHashSha1 | +string | +FileSHA1 | +The SHA1 hash of target process image or target file | +
+
|
+
+
|
+
| objectFileHashSha256 | +string | +FileSHA2 | +The SHA-256 of the object (objectFilePath) | +
+
|
+
+
|
+
| objectFileHashSha256 | +string | +FileSHA2 | +The SHA256 hash of target process image or target file | +
+
|
+
+
|
+
| objectFileIsRemoteAccess | +bool | +- | +The remote access to the object file | +- | +
+
|
+
| objectFileModified | +string | +- | +The UTC time that the object was modified | +
+
|
+
+
|
+
| objectFileModifiedTime | +string | +- | +The time the object file was modified | +
+
|
+
+
|
+
| objectFileName | +string | +FileName | +The object file name | +
+
|
+
+
|
+
| objectFileOriginalName | +string | +FileName | +The original file name of the object image | +
+
|
+
+
|
+
| objectFileOwnerName | +string | +- | +The object file owner name | +
+
|
+
+
|
+
| objectFileOwnerSid | +string | +- | +The security identifier of the object file owner | +
+
|
+
+
|
+
| objectFilePath | +string | +FileFullPath | +The file path of the target process image or target file | +
+
|
+
+
|
+
| objectFilePath | +string | +
+
|
+ The file path of the target process image or target file | +
+
|
+
+
|
+
| objectFileRemoteAccess | +bool | +- | +The remote access for the object file | +- | +
+
|
+
| objectFileSaclString | +string | +- | +The system access control list of the object file | +
+
|
+
+
|
+
| objectFileSize | +string | +- | +The file size of the object file | +
+
|
+
+
|
+
| objectFirstRecorded | +string | +- | +The first time that the object appeared | +- | +Trend Micro Apex One as a Service | +
| objectFirstSeen | +string | +- | +The first time the object was seen | +
+
|
+
+
|
+
| objectHashId | +long | +- | +The object hash ID | +
+
|
+
+
|
+
| objectHostName | +string | +DomainName | +Server name where Internet event was detected | +
+
|
+
+
|
+
| objectId | +string | +- | +The UUID of the object | +
+
|
+
+
|
+
| objectIntegrityLevel | +int | +- | +Integrity level of target process | +- | +
+
|
+
| objectIp | +string | +
+
|
+ IP address of internet event | +10.10.10.10 | +
+
|
+
| objectIps | +dynamic | +
+
|
+ IP address list of internet event | +
+
|
+
+
|
+
| objectLastSeen | +string | +- | +The last time the object was seen | +
+
|
+
+
|
+
| objectLaunchTime | +string | +- | +The object launch time of the Windows event | +
+
|
+
+
|
+
| objectLoginOutFailureMessage | +string | +- | +The sign-in/sign-out error message | +Login incorrect | +
+
|
+
| objectLoginOutFirstSeen | +long | +- | +The first time the object sign-in/sign-out was seen | +1713903612 | +
+
|
+
| objectLoginOutHashId | +long | +- | +The FNV of the object sign-in/sign-out meta | +-8981232070268295229 | +
+
|
+
| objectLoginOutLastSeen | +long | +- | +The last time the object sign-in/sign-out was seen | +1713903612 | +
+
|
+
| objectLoginOutMetaType | +int | +- | +The sign-in/sign-out meta | +1 - LOGIN_OUT_META_TYPE_OPENSSH | +
+
|
+
| objectLoginOutSessionId | +long | +- | +The sign-in/sign-out session ID | +260 | +
+
|
+
| objectLoginOutSourceAddress | +string | +- | +The sign-in/sign-out source IP | +10.10.10.10 | +
+
|
+
| objectLoginOutStatus | +int | +- | +The sign-in/sign-out status | +-1 | +
+
|
+
| objectName | +string | +- | +The base name of the object file or process | +net.exe | +
+
|
+
| objectName | +string | +- | +The object name | +
+
|
+
+
|
+
| objectPid | +int | +- | +The object process PID | +
+
|
+
+
|
+
| objectPid | +int | +- | +The PID of target process | +- | +
+
|
+
| objectPort | +int | +Port | +The port number used by internet event | +- | +
+
|
+
| objectProcessHashId | +long | +- | +FNV of target process | +
+
|
+
+
|
+
| objectRawDataSize | +dynamic | +- | +The raw data size of the Windows event object | +
+
|
+
+
|
+
| objectRawDataStr | +dynamic | +- | +The data contents of the AMSI event | +
+
|
+
+
|
+
| objectRegistryData | +string | +RegistryValueData | +The registry data contents | +C:\Program Files\AlertMedia\AlertMedia Desktop Notifications\AlertMedia.exe | +
+
|
+
| objectRegistryData | +string | +RegistryValueData | +The registry value data | +
+
|
+
+
|
+
| objectRegistryKeyHandle | +string | +RegistryKey | +The registry key path | +
+
|
+
+
|
+
| objectRegistryKeyHandle | +string | +RegistryKey | +The registry key | +
+
|
+
+
|
+
| objectRegistryRoot | +int | +- | +The Windows Registry Root ID | +
+
|
+
+
|
+
| objectRegistryValue | +string | +RegistryValue | +The registry value name | +
+
|
+
+
|
+
| objectRegistryValue | +string | +RegistryValue | +Registry value name | +
+
|
+
+
|
+
| objectRegType | +int | +- | +The Windows Registry Type ID | +
+
|
+
+
|
+
| objectRunAsLocalAccount | +bool | +- | +The "runas" command uses a local account | +
+
|
+
+
|
+
| objectSessionId | +string | +- | +The object session ID | +
+
|
+
+
|
+
| objectSigner | +dynamic | +- | +The list of object process signers | +
+
|
+
+
|
+
| objectSigner | +dynamic | +- | +Certificate signer of object process or file | +
+
|
+
+
|
+
| objectSignerFlagsAdhoc | +dynamic | +- | +The list of object process signature adhoc flags | +- | +
+
|
+
| objectSignerFlagsAdhoc | +dynamic | +- | +The list of object process or file signature adhoc flags | +- | +
+
|
+
| objectSignerFlagsLibValid | +dynamic | +- | +The list of object process signature library validation flags | +- | +
+
|
+
| objectSignerFlagsLibValid | +dynamic | +- | +The list of object process or file signature library validation flags | +- | +
+
|
+
| objectSignerFlagsRuntime | +dynamic | +- | +The list of object process signature runtime flags | +- | +
+
|
+
| objectSignerFlagsRuntime | +dynamic | +- | +The list of object process or file signature runtime flags | +- | +
+
|
+
| objectSignerValid | +dynamic | +- | +Validity of certificate signer | +
+
|
+
+
|
+
| objectSubTrueType | +int | +- | +File object's true sub-type | +
+
|
+
+
|
+
| objectThreadId | +string | +- | +The object process thread ID | +
+
|
+ Trend Micro Apex One as a Service | +
| objectTrueType | +int | +- | +File object's true major type | +
+
|
+
+
|
+
| objectType | +string | +- | +The object type | +
+
|
+
+
|
+
| objectUser | +string | +UserAccount | +The owner name of the target process or the login user name | +
+
|
+
+
|
+
| objectUser | +string | +UserAccount | +The owner name of the target process or the login user name | +
+
|
+
+
|
+
| objectUserDomain | +string | +- | +The owner domain of the target process | +
+
|
+
+
|
+
| objectUserDomain | +string | +- | +The object user domain | +
+
|
+
+
|
+
| objectUserGroup | +string | +- | +The user group name | +
+
|
+
+
|
+
| online | +string | +- | +The flag to identify whether the endpoint is online | +
+
|
+ Trend Micro Apex One as a Service | +
| operationLevel | +int | +- | +The level that is used to indicate the handler layer at SOC | +
+
|
+ Trend Micro Apex One as a Service | +
| originalFileHashes | +dynamic | +FileSHA1 | +The hashes of the original file | +
+
|
+
+
|
+
| originalFilePaths | +dynamic | +
+
|
+ The paths of the original file | +C:\\Users\\user_name\\Downloads\\run.exe | +
+
|
+
| osDescription | +string | +- | +The OS version | +
+
|
+
+
|
+
| osName | +string | +- | +The host operating system name | +
+
|
+
+
|
+
| osType | +string | +- | +The host operating system type | +
+
|
+
+
|
+
| osVer | +string | +- | +The version of the host operating system | +
+
|
+
+
|
+
| parentAuthId | +string | +- | +The parent authorization ID | +
+
|
+
+
|
+
| parentCmd | +string | +CLICommand | +The command line entry of the parent process | +
+
|
+
+
|
+
| parentFileCreation | +string | +- | +The time the parent file was created | +
+
|
+
+
|
+
| parentFileCurrentOwnerName | +string | +- | +The current owner name of the parent file | +
+
|
+
+
|
+
| parentFileCurrentOwnerSid | +string | +- | +The current security identifier owner of the parent file | +
+
|
+
+
|
+
| parentFileDaclString | +string | +- | +The discretionary access control list of the parent file | +
+
|
+
+
|
+
| parentFileGroupName | +string | +- | +The name of the parent file user group | +
+
|
+
+
|
+
| parentFileGroupSid | +string | +- | +The security identifier of the parent process file group | +
+
|
+
+
|
+
| parentFileHashId | +long | +- | +The parent file hash ID | +
+
|
+
+
|
+
| parentFileHashMd5 | +string | +FileMD5 | +The md5 hash of parent process | +
+
|
+
+
|
+
| parentFileHashSha1 | +string | +FileSHA1 | +The SHA1 hash of parent process | +
+
|
+
+
|
+
| parentFileHashSha256 | +string | +FileSHA2 | +The SHA256 hash of parent process | +
+
|
+
+
|
+
| parentFileModifiedTime | +string | +- | +The time the parent file was modified | +
+
|
+
+
|
+
| parentFileOriginalName | +string | +FileName | +The original file name of the parent image | +
+
|
+
+
|
+
| parentFileOwnerName | +string | +- | +The owner name of the parent file | +
+
|
+
+
|
+
| parentFileOwnerSid | +string | +- | +The security identifier of the parent file owner | +
+
|
+
+
|
+
| parentFilePath | +string | +
+
|
+ The file path of the parent process | +
+
|
+
+
|
+
| parentFileRemoteAccess | +bool | +- | +The remote access to the parent file | +- | +
+
|
+
| parentFileSaclString | +string | +- | +The system access control list of the parent file | +
+
|
+
+
|
+
| parentFileSize | +string | +- | +The file size of the parent file | +
+
|
+
+
|
+
| parentHashId | +long | +- | +The parent hash ID | +
+
|
+
+
|
+
| parentIntegrityLevel | +int | +- | +The integrity level of a parent | +- | +
+
|
+
| parentLaunchTime | +real | +- | +The time when the parent process was launched | +
+
|
+
+
|
+
| parentName | +string | +- | +The image name of the parent process | +
+
|
+
+
|
+
| parentPid | +int | +- | +The PID of the parent process | +
+
|
+
+
|
+
| parentSessionId | +int | +- | +The parent session ID | +- | +
+
|
+
| parentSigner | +dynamic | +- | +The signer of the parent file | +
+
|
+
+
|
+
| parentSignerFlagsAdhoc | +dynamic | +- | +The list of parent process signature adhoc flags | +- | +
+
|
+
| parentSignerFlagsAdhoc | +dynamic | +- | +The list of parent process signature adhoc flags | +- | +
+
|
+
| parentSignerFlagsLibValid | +dynamic | +- | +The list of parent process signature library validation flags | +- | +
+
|
+
| parentSignerFlagsLibValid | +dynamic | +- | +The list of parent process signature library validation flags | +- | +
+
|
+
| parentSignerFlagsRuntime | +dynamic | +- | +The list of parent process signature runtime flags | +- | +
+
|
+
| parentSignerFlagsRuntime | +dynamic | +- | +The list of parent process signature runtime flags | +- | +
+
|
+
| parentSignerValid | +dynamic | +- | +The validity of the parent signer | +- | +
+
|
+
| parentSubTrueType | +int | +- | +The true file subtype of the parent file | +- | +
+
|
+
| parentTrueType | +int | +- | +The true file type of the parent file | +- | +
+
|
+
| parentUser | +string | +- | +The type of user that executed the parent process | +
+
|
+
+
|
+
| parentUserDomain | +string | +- | +The user domain of the parent process | +
+
|
+
+
|
+
| patType | +string | +- | +The pattern type | +
+
|
+ Trend Micro Apex One as a Service | +
| patVer | +string | +- | +The version of the behavior pattern | +
+
|
+
+
|
+
| pComp | +string | +- | +The component that made the detection | +
+
|
+
+
|
+
| peerIp | +dynamic | +
+
|
+ The IP of peerHost | +10.10.10.10 | +
+
|
+
| plang | +int | +- | +The product language | +
+
|
+
+
|
+
| platformAssetTags | +dynamic | +- | +The list of platform custom asset tags | +{"Asset group":["finance"], "some.ip": ["10.1.0.1"]} | +
+
|
+
| platformAssetTags | +dynamic | +- | +The list of platform custom asset tags | +{"Asset group":["finance"], "some.ip": ["10.1.0.1"]} | +
+
|
+
| pname | +string | +- | +The internal product ID | +
+
|
+
+
|
+
| pname | +string | +- | +Internal product ID (Deprecated, use productCode) | +
+
|
+
+
|
+
| policyId | +string | +- | +The policy ID of which the event was detected | +
+
|
+
+
|
+
| policyName | +string | +- | +The name of the triggered policy | +
+
|
+
+
|
+
| policyTemplate | +dynamic | +- | +The one-to-many data structure | +
+
|
+
+
|
+
| pplat | +int | +- | +The product platform | +
+
|
+
+
|
+
| processArtifactIds | +dynamic | +- | +The artifact IDs generated by processAction | +
+
|
+
+
|
+
| processCmd | +string | +CLICommand | +The subject process command line | +
+
|
+
+
|
+
| processCmd | +string | +CLICommand | +The command line entry of the subject process | +
+
|
+
+
|
+
| processFileCreation | +string | +- | +The time the process file was created | +
+
|
+
+
|
+
| processFileCurrentOwnerName | +string | +- | +The current owner name of the process file | +
+
|
+
+
|
+
| processFileCurrentOwnerSid | +string | +- | +The owner of the process file current security identifier | +
+
|
+
+
|
+
| processFileDaclString | +string | +- | +The discretionary access control list of the process file | +
+
|
+
+
|
+
| processFileGroupName | +string | +- | +The name of the process file user group | +
+
|
+
+
|
+
| processFileGroupSid | +string | +- | +The security identifier of the process file group | +
+
|
+
+
|
+
| processFileHashId | +long | +- | +The file hash of the process | +
+
|
+
+
|
+
| processFileHashMd5 | +string | +FileMD5 | +The MD5 hash of the subject process image | +
+
|
+
+
|
+
| processFileHashSha1 | string | FileSHA1 | The SHA-1 of the subject process | | |
| processFileHashSha1 | string | FileSHA1 | The SHA-1 hash of the subject process image | | |
| processFileHashSha256 | string | FileSHA2 | The SHA-256 hash of the subject process image | | |
| processFileModifiedTime | string | - | The time the process file was modified | | |
| processFileOriginalName | string | FileName | The original file name of the process image | | |
| processFileOwnerName | string | - | The process file owner name | | |
| processFileOwnerSid | string | - | The security identifier of the process file owner | | |
| processFilePath | string | | The file path of the subject process | | |
| processFileRemoteAccess | bool | - | The remote access to the process file | - | |
| processFileSaclString | string | - | The system access control list of the process file | | |
| processFileSize | string | - | The file size of the process file | | |
| processHashId | long | - | The FNV hash of the subject process | | |
| processImageFileNames | dynamic | - | The process image file names of detected backup artifacts | | |
| processLaunchTime | real | - | The time the subject process was launched | | |
| processName | string | ProcessName | The image name of the process that triggered the event | | |
| processPid | int | - | The PID of the subject process | | |
| processSigner | dynamic | - | The process file signer | | |
| processSignerFlagsAdhoc | dynamic | - | The list of process signature adhoc flags | - | |
| processSignerFlagsLibValid | dynamic | - | The list of process signature library validation flags | - | |
| processSignerFlagsRuntime | dynamic | - | The list of process signature runtime flags | - | |
| processSignerValid | dynamic | - | The validity of the process signer | | |
| processSubTrueType | int | - | The true file subtype of the process | - | |
| processTrueType | int | - | The true file type of the process | - | |
| processUser | string | UserAccount | The user name of the process or the file creator | | |
| processUser | string | UserAccount | The owner name of the subject process image | | |
| processUserDomain | string | - | The process user domain | | |
| proto | int | - | The protocol type | | |
| providerGUID | string | - | The GUID of the Windows event provider | {11111111-1111-1111-1111-111111111111} | |
| providerName | string | - | The name of the Windows event provider | | |
| proxy | string | - | The proxy address | | |
| pver | string | - | The product version | | |
| quarantineFileId | string | - | The unique identifier of the quarantined object | ASLUMVS0.4FC | |
| quarantineFilePath | string | FileFullPath | The file path of the quarantined object | C:\ProgramData\Trend Micro\AMSP\quarantine\ASLUMVS0.4FC | |
| quarantineFileSha256 | string | FileSHA2 | The SHA-256 of the quarantined object | 84B2FA19B05EA88D6E785B4ADB528120485AA3F72F3E5E114DE6D3696B0D151F | |
| quarantineType | string | - | The descriptive name for the quarantine area | | Trend Micro Apex One as a Service |
| rating | string | - | The credibility level | | |
| rawDataSize | string | - | The size of the Windows event log | | |
| rawDataStr | string | - | The raw contents of the Windows event | | |
| remarks | string | - | The additional information | | |
| request | string | URL | The notable URLs | | |
| request | string | URL | The request URL | | |
| requestClientApplication | string | - | The protocol user agent information | | |
| requestMethod | string | - | The network protocol request method | | |
| riskConfidenceLevel | string | - | The risk confidence level | | |
| riskLevel | string | - | The risk level | | |
| rt | string | - | The Unix time of the log generation | 1656324260000 | |
| rt | string | - | The event time | 1657781088000 | |
| rtDate | string | - | The date of the log generation | 1655337600000 | |
| rtHour | int | - | The hour of the log generation | | |
| rtWeekDay | string | - | The weekday of the log generation | | |
| ruleId | int | - | The rule ID | | |
| ruleId | int | - | The rule ID | 1005566 | |
| ruleName | string | - | The name of the rule that triggered the event | | |
| ruleType | string | - | The access rule type | | |
| scanType | string | - | The scan type | | |
| score | int | - | The Web Reputation Services URL rating | | |
| secondAct | string | - | The second scan action | | |
| secondActResult | string | - | The result of the second scan action | | |
| senderGUID | string | - | The sender GUID | | |
| senderIp | dynamic | - | The sender IP | 10.10.10.10 | |
| sessionId | int | - | The session ID | | |
| severity | int | - | The severity of the event | | |
| signer | string | - | The signer of the file | Shenzhen Smartspace Software technology Co.,Limited;Symantec Class 3 SHA256 Code Signing CA;1429491600;1492649999 | Trend Micro Apex One as a Service |
| smac | string | - | The source MAC address | | |
| sourceType | string | - | The source type | | |
| spt | int | Port | The source port | | |
| spt | int | Port | The source port number | | |
| src | dynamic | | The source IP | 10.10.10.10 | |
| src | string | | The source address | | |
| srcFileCreation | string | - | The time the source file was created | | |
| srcFileCurrentOwnerName | string | - | The current owner name of the source file | | |
| srcFileCurrentOwnerSid | string | - | The security identifier of the current owner of the source file | | |
| srcFileDaclString | string | - | The discretionary access control list of the source file | | |
| srcFileGroupName | string | - | The source file user group name | | |
| srcFileGroupSid | string | - | The security identifier of the source file group | | |
| srcFileHashId | long | - | The source file hash ID | | |
| srcFileHashMd5 | string | FileMD5 | The MD5 hash of the source file | | |
| srcFileHashSha1 | string | FileSHA1 | The SHA-1 hash of the source file | | |
| srcFileHashSha256 | string | FileSHA2 | The SHA-256 hash of the source file | | |
| srcFileIsRemoteAccess | bool | - | The remote access of the source file | - | |
| srcFileModifiedTime | string | - | The time the source file was modified | | |
| srcFileOwnerName | string | - | The source file owner name | | |
| srcFileOwnerSid | string | - | The security identifier of the source file owner | | |
| srcFilePath | string | | The source file path | | |
| srcFileSaclString | string | - | The system access control list of the source file | | |
| srcFileSize | string | - | The file size of the source file | | |
| srcFirstSeen | string | - | The first time the source file was seen | | |
| srcHashId | long | - | The source hash ID | | |
| srcLastSeen | string | - | The last time the source file was seen | | |
| srcSigner | dynamic | - | The signer of the source file | | |
| srcSignerFlagsAdhoc | dynamic | - | The list of source file signature adhoc flags | - | |
| srcSignerFlagsLibValid | dynamic | - | The list of source file signature library validation flags | - | |
| srcSignerFlagsRuntime | dynamic | - | The list of source file signature runtime flags | - | |
| srcSignerValid | dynamic | - | The validity of the source file signer | - | |
| srcSubTrueType | int | - | The true file subtype of the source file | - | |
| srcTrueType | int | - | The true file type of the source file | - | |
| status | string | - | The HTTP response status code | | |
| subSystem | string | - | The subsystem information | com.apple.xpc | |
| suid | string | UserAccount | The user name or mailbox | | |
| suser | dynamic | EmailSender | The email sender | sample_email@trendmicro.com | |
| tacticId | dynamic | Tactic | The list of MITRE tactic IDs | | |
| tags | dynamic | | The detected technique ID based on the alert filter | | |
| threatName | string | - | The threat name | | |
| threatType | string | - | The log threat type | | |
| timezone | string | - | The host time zone | | |
| trigger | string | - | The action trigger | | |
| triggerInfo | dynamic | - | The trigger information | [{'triggerModule': 'ODS', 'triggerReason': 'System Schedule Scan'}] | |
| triggerReason | string | - | The cause of the triggered action | | |
| urlCat | dynamic | - | The requested URL category | | |
| userDomain | string | | The user domain | | |
| userDomain | dynamic | - | The user domain name | | |
| vendor | string | - | The device vendor | adata | Trend Micro Apex One as a Service |
| winEventId | int | - | The Windows event ID | | |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| actResult | dynamic | - | The result of an action | | |
| behaviorCat | string | - | The matched policy category | | |
| cat | int | - | The weighted priority of the incident | | |
| detectionMeta | dynamic | - | The descriptions of the detected techniques | ['T1204 some description about this technique', 'T1573.001_AES another description about this technique'] | |
| detectionNames | dynamic | - | The rules that triggered the event | ['HS_EMOTET.SMAA', 'HM_AVEDOWN.SMZTIG-A', 'HE_DOCQRPHISH.SM'] | |
| detectionType | string | - | The detection type | | |
| deviceDirection | string | - | The device direction. If the source IP is in the internal network (the network monitored by Deep Discovery Inspector), the event is tagged as outbound; all other cases are inbound. Internal-to-internal traffic is also tagged as outbound. | | |
| dmac | string | - | The MAC address of the destination IP (dest_ip) | | |
| dpt | int | Port | The destination port | | |
| dst | dynamic | | The destination IP | 10.10.10.10 | |
| duser | dynamic | EmailRecipient | The email recipient | | |
| endpointGUID | string | EndpointID | The GUID of the agent that reported the detection | | |
| endpointHostName | string | EndpointName | The endpoint hostname or node where the event was detected | | |
| endpointIp | dynamic | | The IP address of the endpoint on which the event was detected | 10.10.10.10 | |
| eventId | string | - | The event ID from the logs of each product | | |
| eventName | string | - | The event type | | |
| fileHash | string | FileSHA1 | The SHA-1 of the file that triggered the rule or policy | | |
| fileName | dynamic | FileName | The file name | | |
| fileOperation | string | - | The operation performed on the file | | |
| filePath | string | FileFullPath | The file path without the file name | | |
| filePathName | string | FileFullPath | The file path with the file name | | |
| firstAct | string | - | The first scan action | | |
| firstActResult | string | - | The first scan action result | | |
| fullPath | string | FileFullPath | The combination of the file path and the file name | | |
| groups | string | - | The OSSEC rule group names | | |
| hostId | int | - | The host ID | | |
| hostName | string | | The computer name of the client host (the hostname from the suspicious URL detected by Deep Discovery Inspector) | | |
| interestedHost | string | DomainName | The endpoint hostname (for example, if an intranet host accesses a suspicious internet host, the intranet host is the "peerHost" and the internet host is the "interestedHost") | | |
| interestedIp | dynamic | | The IP of the interestedHost | 10.10.10.10 | |
| isEntity | string | - | The current entity (after the change or modification) | | |
| logKey | string | - | The unique key of the event | | |
| majorVirusType | string | - | The virus type | | |
| malName | string | - | The name of the detected malware | | |
| malType | string | - | The risk type for Network Content Correlation Engine rules | | |
| mDeviceGUID | string | - | The GUID of the agent host | | |
| mitreVersion | string | - | The MITRE version | | |
| mpname | string | - | The management product name | | |
| mpver | string | - | The product version | | |
| oldFileHash | string | FileSHA1 | The SHA-1 of the target process image or target file (wasEntity from an IM event) | | |
| out | string | - | The IP datagram length (in bytes) | | |
| parentPid | int | - | The PID of the parent process | - | |
| pname | string | - | The internal product ID | | |
| policyId | string | - | The ID of the policy under which the event was detected | | |
| processCmd | string | CLICommand | The subject process command line | | |
| processImagePath | string | - | The process triggered by the file event | | |
| processName | string | ProcessName | The image name of the process that triggered the event | | |
| proto | string | - | The exploited layer network protocol | | |
| protoFlag | string | - | The data flags | | |
| pTags | string | - | The event tagging system | | Trend Micro Deep Security |
| pver | string | - | The product version | | |
| quarantineFileId | string | - | The unique identifier of the quarantined object | ASLUMVS0.4FC | |
| quarantineFilePath | string | FileFullPath | The file path of the quarantined object | C:\ProgramData\Trend Micro\AMSP\quarantine\ASLUMVS0.4FC | |
| quarantineFileSha256 | string | FileSHA2 | The SHA-256 of the quarantined object | 84B2FA19B05EA88D6E785B4ADB528120485AA3F72F3E5E114DE6D3696B0D151F | |
| remarks | string | - | The additional information | | |
| request | string | URL | The notable URLs | | |
| rt | string | - | The Unix time of the log generation | 1656324260000 | |
| rtDate | string | - | The date of the log generation | 1655337600000 | |
| rtHour | int | - | The hour of the log generation | | |
| rtWeekDay | string | - | The weekday of the log generation | | |
| ruleId | int | - | The rule ID | | |
| ruleName | string | - | The name of the rule that triggered the event | | |
| scanType | string | - | The scan type | | |
| secondAct | string | - | The second scan action | | |
| secondActResult | string | - | The result of the second scan action | | |
| senderGUID | string | - | The sender GUID | | |
| severity | int | - | The severity of the event | | |
| shost | string | DomainName | The source hostname | | |
| smac | string | - | The source MAC address | | |
| sproc | string | - | The OSSEC program name | | |
| spt | int | Port | The source port | | |
| src | dynamic | | The source IP | 10.10.10.10 | |
| subRuleId | string | - | The ID of a subordinate rule | | |
| subRuleName | string | - | The subrule name | | |
| suid | string | UserAccount | The user name or mailbox | | |
| target | string | - | The target object for the behavior | | |
| targetType | string | - | The target object type | | |
| wasEntity | string | - | The entity before the change or modification | | |
| winEventId | int | - | The Windows Event ID | | |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| netBiosDomainName | string | DomainName | The NetBIOS domain name | TREND | Active Directory (on-premises) |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| actionName | string | - | The user or service action | | Microsoft Entra ID |
| application | string | - | The displayed application name | app01 | Microsoft Entra ID |
| applicationId | string | - | The Microsoft Entra ID application ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| authenticationProtocol | string | - | The authentication protocol or grant type | | Microsoft Entra ID |
| autonomousSystemNumber | int | - | The network Autonomous System Number | 1023 | Microsoft Entra ID |
| clientApp | string | - | The app that the client accessed | | Microsoft Entra ID |
| clientBrowser | string | - | The client browser | Chrome 119.0.0 | Microsoft Entra ID |
| clientCredentialType | string | - | The user client or service principal credential type | | Microsoft Entra ID |
| clientDisplayName | string | EndpointName | The client display name | DESKTOP-TKOS222 | Microsoft Entra ID |
| clientId | string | - | The unique client device ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| clientOS | string | - | The client OS | Windows | Microsoft Entra ID |
| conditionalAccessStatus | string | - | The conditional access policy status | | Microsoft Entra ID |
| correlationId | string | - | The correlation ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| crossTenantAccessType | string | - | The cross-tenant access type | | Microsoft Entra ID |
| eventAdditionalDetails | dynamic | - | The raw data string that contains additional information | [{"key": "<example>","value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"}] | Microsoft Entra ID |
| eventCategory | string | - | The resource category targeted by the event | | Microsoft Entra ID |
| eventId | string | - | The identity provider event ID | | Microsoft Entra ID |
| eventName | string | - | The identity provider event name | | Microsoft Entra ID |
| eventTime | real | - | The time the identity provider detected the event | 1657781088000 | Microsoft Entra ID |
| idpId | string | - | The internal product code of the identity provider | | Microsoft Entra ID |
| idpIssuerName | string | - | The identity provider that issued the token | sts.microsoft.com | Microsoft Entra ID |
| idpName | string | - | The identity provider | | Microsoft Entra ID |
| incomingTokentype | string | - | The authentication token types | | Microsoft Entra ID |
| initiatedByAppDisplayName | string | - | The application display name | Microsoft Intune | Microsoft Entra ID |
| initiatedByAppId | string | - | The resource category targeted by the event | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| initiatedByServicePrincipalId | string | - | The unique ID of the service principal | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| initiatedByServicePrincipalName | string | - | The unique ID of the service principal | | Microsoft Entra ID |
| initiatedByUserDisplayName | string | UserAccount | The user display name | Sample User | Microsoft Entra ID |
| initiatedByUserHomeTenantId | string | - | The tenant ID of the user | | Microsoft Entra ID |
| initiatedByUserHomeTenantName | string | - | The tenant ID of the user | | Microsoft Entra ID |
| initiatedByUserId | string | UserAccount | The unique ID of the user who initiated the event | | Microsoft Entra ID |
| initiatedByUserIpAddress | string | | The client IP of the user | 10.10.10.10 | Microsoft Entra ID |
| initiatedByUserPrincipalName | string | UserAccount | The User Principal Name of the user | sample_email@trendmicro.com | Microsoft Entra ID |
| ipAddress | string | | The client IP | 10.10.10.10 | Microsoft Entra ID |
| locationCity | string | - | The city where the event happened | Singapore | Microsoft Entra ID |
| locationCountry | string | - | The country where the event happened | | Microsoft Entra ID |
| locationLatitude | string | - | The latitude of the event location | 121.568 | Microsoft Entra ID |
| locationLongitude | string | - | The longitude of the event location | 121.568 | Microsoft Entra ID |
| locationState | string | - | The state where the event happened | Central Singapore | Microsoft Entra ID |
| logBatchId | string | - | The batch data retrieval process ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| loggedByService | string | - | The service that initiated the event | Core Directory | Microsoft Entra ID |
| operationType | string | - | The operation performed in the event | | Microsoft Entra ID |
| orgId | string | - | The organization ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| pname | string | - | The internal product ID | | Microsoft Entra ID |
| principalName | string | UserAccount | The User Principal Name | sample_email@trendmicro.com | Microsoft Entra ID |
| productCode | string | - | The internal product code of the identity provider (aad=Microsoft Entra ID, opa=Microsoft Active Directory) | | |
| requestMethod | string | - | The sign-in authentication method | [{"authenticationStepDateTime": "2023-11-28T03:44:05Z","authenticationMethod": "Previously satisfied","authenticationMethodDetail": null,"succeeded" : true,"authenticationStepResultDetail": "MFA requirement satisfied by claim in the Token","authenticationStepRequirement": ""}] | Microsoft Entra ID |
| result | string | - | The event result | | Microsoft Entra ID |
| resultReason | string | - | The cause of event failure or timeout | | Microsoft Entra ID |
| riskEventTypes | dynamic | - | The associated sign-in risk event types | ['unlikelyTravel', 'anonymizedIPAddress'] | Microsoft Entra ID |
| servicePrincipalId | string | - | The service principal ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| servicePrincipalName | string | - | The service principal name | Service_01 | Microsoft Entra ID |
| signInCountries | dynamic | - | The countries from which a user signed in | | |
| signInEventTypes | dynamic | - | The sign-in event type | ['interactiveUser', 'nonInteractiveUser'] | Microsoft Entra ID |
| signInIdentifierType | string | - | The sign-in ID type | | Microsoft Entra ID |
| status | string | - | The sign-in status result | | Microsoft Entra ID |
| statusDetail | string | - | The additional information about the sign-in status | MFA requirement satisfied by claim in the token | Microsoft Entra ID |
| statusReason | string | - | The sign-in status | | Microsoft Entra ID |
| targetResourceDisplayName | string | - | The target resource display name | Microsoft Graph | Microsoft Entra ID |
| targetResourceId | string | - | The target resource ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| targetResources | dynamic | - | The targeted resource of the event | | Microsoft Entra ID |
| tenantId | string | - | The Microsoft Entra ID Tenant ID of the organization | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| userAgent | string | - | The user agent | | Microsoft Entra ID |
| userDisplayName | string | UserAccount | The user display name | Test User(RD-TW) | Microsoft Entra ID |
| userId | string | UserAccount | The user ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| userSessionId | string | - | The session ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| userType | string | - | The tenant user type | | Microsoft Entra ID |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| category | string | - | The event category | | |
| cnt | string | - | The total number of logs | | |
| dhost | string | DomainName | The destination hostname | 10.10.10.10 | |
| dOSClass | string | - | The destination device OS class | Linux | Mobile Network Security |
| dOSName | string | - | The destination host OS | | |
| dOSVendor | string | - | The destination device OS vendor | Others | Mobile Network Security |
| dpt | int | Port | The destination port | | |
| dst | dynamic | | The destination IP | 10.10.10.10 | |
| dstEquipmentId | string | - | The destination IMEI | 350548054087659 | Mobile Network Security |
| dstFamily | string | - | The destination device family | Computer | Mobile Network Security |
| dstGroup | string | - | The group name defined by the administrator of the destination | | |
| dstSubscriberDirNum | string | - | The destination MSISDN | 8618687654321 | Mobile Network Security |
| dstSubscriberId | string | - | The destination IMSI | 466686007810478 | Mobile Network Security |
| dstType | string | - | The destination device type | Desktop/Laptop | Mobile Network Security |
| eventId | string | - | The event ID from the logs of each product | | |
| eventName | string | - | The event type | | |
| icmpCode | int | - | The ICMP protocol code field | 0 | Mobile Network Security |
| icmpType | int | - | The ICMP protocol type | | Mobile Network Security |
| instanceId | string | - | The ID of the instance that indicates the meta-cloud or data center VM | | |
| instanceName | string | - | The name of the instance that indicates the meta-cloud or data center VM | instapecot-1 | Mobile Network Security |
| malSrc | string | FileFullPath | The malware infection source | | |
| policyName | string | - | The name of the triggered policy | | |
| proto | string | - | The exploited layer network protocol | | |
| ruleId | int | - | The rule ID | | |
| ruleId64 | long | - | The IPS rule ID | | |
| ruleName | string | - | The name of the rule that triggered the event | | |
| severity | int | - | The severity of the event | | |
| shost | string | DomainName | The source hostname | | |
| sOSClass | string | - | The source device OS class | Linux | Mobile Network Security |
| sOSName | string | - | The source OS | | |
| sOSVendor | string | - | The source device OS vendor | Others | Mobile Network Security |
| spt | int | Port | The source port | | |
| src | dynamic | | The source IP | 10.10.10.10 | |
| srcEquipmentId | string | - | The source IMEI | 350548054087659 | Mobile Network Security |
| srcFamily | string | - | The source device family | Computer | Mobile Network Security |
| srcGroup | string | - | The group name defined by the source administrator | | |
| srcSubscriberDirNum | string | - | The source MSISDN | 8618687654321 | Mobile Network Security |
| srcSubscriberId | string | - | The source IMSI | 466686007810478 | Mobile Network Security |
| srcType | string | - | The source device type | Desktop/Laptop | Mobile Network Security |
| vLANId | int | - | The virtual LAN ID | - | |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| aggregatedCount | string | - | The number of aggregated events | | |
| app | string | - | The network protocol | HTTP | |
| appGroup | string | - | The app category of the event | | |
| aptCampaigns | dynamic | - | The related APT campaigns | | |
| aptRelated | string | - | Whether the event is related to an APT | | |
| archFiles | dynamic | - | The file information extracted from detected files | None | |
| attachmentFileHash | string | FileSHA1 | The SHA-1 of the email attachment | | |
| attachmentFileHashSha256 | string | FileSHA2 | The SHA-256 of the attached file (attachmentFileName) | | |
| attachmentFileName | dynamic | FileName | The file name of an attachment | | |
| attachmentFileSize | string | - | The file size of the email attachment | | |
| attachmentFileType | string | - | The file type of the email attachment | | |
| botCmd | string | CLICommand | The bot command | | |
| botUrl | string | URL | The bot URL | | |
| cccaDestination | string | URL | The destination domain, IP, URL, or recipient | | |
| cccaDestinationFormat | string | - | The C&C server access format | | |
| cccaDetection | string | - | Whether this log is identified as a C&C callback address detection | Yes | |
| cccaDetectionSource | string | - | The list that defines this CCCA detection rule | | |
| cccaRiskLevel | int | - | The severity level of the threat actors associated with the C&C servers | | |
| clientFlag | string | - | Whether the client is a source or destination | | |
| clientGroup | string | - | The client IP network group | | |
| clientHost | string | - | The client IP host name | | Network Sensor |
| clientIp | string | | The endpoint IP address | 10.10.10.10 | |
| clientMAC | string | - | The client MAC address | 00-00-00-ff-ff-ff | |
| clientPort | int | Port | The client port number | 5566 | |
| cnt | string | - | The total number of logs | | |
| compressedFileHash | string | FileSHA1 | The SHA-1 of the decompressed archive | | |
| compressedFileHashSha256 | string | FileSHA2 | The SHA-256 of the compressed suspicious file | | |
| compressedFileName | string | FileName | The file name of the compressed file | | |
| compressedFileSize | string | - | The file size of the decompressed archive file | | |
| compressedFileType | string | - | The file type of the decompressed archive file | | |
| correlationCat | string | - | The correlation category | | |
| cve | string | - | The CVE identifier | | |
| cves | dynamic | - | The CVEs associated with this filter | | |
| data0 | string | - | The value of the DDI Correlation log | | |
| data0Name | string | - | The name of the DDI Correlation log | | |
| data1 | string | - | The Deep Discovery Inspector correlation log metadata | 10.10.10.10 | |
| data1Name | string | - | The name of the DDI Correlation log | | |
| data2 | string | - | The value of the DDI Correlation log | | |
| data2Name | string | - | The name of the DDI Correlation log | | |
| data3 | string | - | The value of the DDI Correlation log | | |
| data4 | string | - | The value of the DDI Correlation log | 10.10.10.10 | |
| dceHash1 | string | - | The Trend Micro Threat Mitigation Server requires the log, but the Trend Micro Threat Mitigation Server is EOL. | 0 | |
| dceHash2 | string | - | The Trend Micro Threat Mitigation Server requires the log, but the Trend Micro Threat Mitigation Server is EOL. | 0 | |
| denyListFileHash | string | FileSHA1 | The SHA-1 of the Virtual Analyzer Suspicious Object | | |
| denyListFileHashSha256 | string | - | The SHA-256 of the User-Defined Suspicious Object | 757E5C8823CAA7406030A7E26AED2A2C95D16F69C5A14C884C8CAA72A0C001C3 | |
| denyListHost | string | DomainName | The domain of the Virtual Analyzer Suspicious Object | | |
| denyListIp | dynamic | | The IP of the Virtual Analyzer Suspicious Object | 10.10.10.10 | |
| denyListRequest | string | - | The block list event request | | |
| denyListType | string | - | The block list type | | |
| detectionType | string | - | The detection type | | |
| deviceDirection | string | - | The device direction. If the source IP is in the internal network (the network monitored by Deep Discovery Inspector), the event is tagged as outbound; all other cases are inbound. Internal-to-internal traffic is also tagged as outbound. | | |
| deviceGUID | string | - | The GUID of the agent that reported the detection | | |
| deviceGUID | string | - | The non-endpoint object such as a network appliance | 11111111-1111-1111-1111-111111111111 | |
| deviceMacAddress | string | - | The device MAC address | | |
| devicePayloadId | string | - | The device payload ID | | |
| deviceRiskConfidenceLevel | int | - | The confidence level of device risk | - | |
| dhost | string | DomainName | The destination hostname | 10.10.10.10 | |
| direction | string | - | The object transfer direction | Download | |
| dmac | string | - | The MAC address of the destination IP (dest_ip) | | |
| dnsQueryType | string | - | The record type requested by the DNS protocol | A | |
| domainName | string | DomainName | The detected domain name | | |
| dOSName | string | - | The destination host OS | | |
| dpt | int | Port | The destination port | | |
| dst | dynamic | | The destination IP | 10.10.10.10 | |
| dstGroup | string | - | The group name defined by the administrator of the destination | | |
| dstZone | string | - | The network zone defined by the destination administrator | | |
| duser | dynamic | EmailRecipient | The email recipient | | |
| duser | dynamic | EmailRecipient | The email recipient | sample_email@trendmicro.com | |
| dUser1 | string | UserAccount | The latest sign-in user of the destination | user\example | |
+
|
+
| dvc | +dynamic | +- | +The IP address of the Deep Discover Inspector appliance | +10.10.10.10 | +
+
|
+
| dvc | +dynamic | +- | +The IP address of the Deep Discovery Inspector or Virtual Network Sensor appliance | +10.10.10.10 | +
+
|
+
| dvchost | +string | +- | +The computer which installed the Trend Micro product | +
+
|
+
+
|
+
| dvchost | +string | +- | +The network device hostname | +
+
|
+
+
|
+
| eventClass | +string | +- | +The event category | +
+
|
+
+
|
+
| eventId | +string | +- | +The event ID from the logs of each product | +
+
|
+
+
|
+
| eventId | +string | +- | +The event ID | +
+
|
+
+
|
+
| eventName | +string | +- | +The event type | +
+
|
+
+
|
+
| eventName | +string | +- | +The name of the log event | +
+
|
+
+
|
+
| eventSubClass | +string | +- | +The category of sub-event class | +
+
|
+
+
|
+
| eventTime | +real | +- | +The time the agent or product detected the event | +1657135700000 | +
+
|
+
| fileExt | +string | +- | +The file extension of the suspicious file | +
+
|
+
+
|
+
| fileHash | +string | +FileSHA1 | +The SHA-1 of the file that triggered the rule or policy | +
+
|
+
+
|
+
| fileHash | +string | +FileSHA1 | +The SHA-1 of the file that violated the policy | +1e15bf99022a9164708cebb3eace8fd61ad45cba | +
+
|
+
| fileHashSha256 | +string | +FileSHA2 | +The SHA-256 of the file (fileName) | +
+
|
+
+
|
+
| fileHashSha256 | +string | +FileSHA2 | +The SHA-256 of the file that violated the policy | +ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93 | +
+
|
+
| fileName | +dynamic | +FileName | +The file name | +
+
|
+
+
|
+
| fileName | +string | +
+
|
+ The name of the file that violated the policy | +word.doc | +
+
|
+
| filePath | +string | +FileFullPath | +The file path without the file name | +
+
|
+
+
|
+
| filePathName | +string | +FileFullPath | +The file path with the file name | +
+
|
+
+
|
+
| fileSize | +string | +- | +The file size of the suspicious file | +
+
|
+
+
|
+
| fileSize | +string | +- | +The size of the file that is violating the policy | +12134 | +
+
|
+
| fileType | +string | +- | +The file type of the suspicious file | +
+
|
+
+
|
+
| fileType | +string | +- | +The type of file which is violating the policy | +Microsoft Words | +
+
|
+
| filterRiskLevel | +string | +- | +The top level filter risk of the event | +
+
|
+
+
|
+
| firmalware | +dynamic | +- | +The firmware version of Deep Discover Inspector | +
+
|
+
+
|
+
| flowId | +string | +- | +The network analysis flow ID | +6837014561409730558 | +
+
|
+
| ftpTrans | +dynamic | +- | +The transaction information of the FTP protocol | +None | +
+
|
+
| fullPath | +string | +FileFullPath | +The combination of the file path and the file name | +
+
|
+
+
|
+
| hasdtasres | +string | +- | +Whether the log contains a report from Virtual Analyzer | +
+
|
+
+
|
+
| heurFlag | +int | +- | +Whether it has an Advanced Threat Scan Engine detection | +
+
|
+
+
|
+
| hostName | +string | +
+
|
+ The computer name of the client host (The hostname from the suspicious URL detected by Deep Discovery Inspector) | +
+
|
+
+
|
+
| hostName | +string | +
+
|
+ The host name | +NJ-EFFY-ZHAO1 | +
+
|
+
| hostSeverity | +int | +- | +The severity of the threat (specific to the interestedIp) | +
+
|
+
+
|
+
| hotFix | +dynamic | +- | +The applied Deep Discover Inspector hotfix version | +
+
|
+
+
|
+
| httpLocation | +string | +URL | +The HTTP location header | +www.google.com.tw | +
+
|
+
| httpReferer | +string | +URL | +The HTTP referer | +
+
|
+
+
|
+
| httpReferer | +string | +URL | +The HTTP referrer header | +www.google.com.tw | +
+
|
+
| httpXForwardedFor | +string | +- | +The HTTP X-Forwarded-For header | +10.10.10.10, 10.10.10.11, 10.10.10.12 | +
+
|
+
| httpXForwardedForGroup | +string | +- | +The X-Forwarded-For IP network group | +
+
|
+
+
|
+
| httpXForwardedForHost | +string | +- | +The X-Forwarded-For IP host name | +
+
|
+ Network Sensor | +
| httpXForwardedForIp | +string | +
+
|
+ The x-forwarded-for IP used by the network appliance | +10.10.10.10 | +
+
|
+
| httpXForwardedForPort | +int | +- | +The patched HTTP server port when the network appliance selects an x-forwarded-for IP address to use | +65535 | +
+
|
+
| interestedGroup | +string | +- | +The network group associated with the user-defined source IP or destination IP | +
+
|
+
+
|
+
| interestedHost | +string | +DomainName | +The endpoint hostname (For example, if an intranet host accesses a suspicious internet host, the intranet host is the "peerHost" and the internet host is the "interestedHost") | +
+
|
+
+
|
+
| interestedIp | +dynamic | +
+
|
+ The IP of the interestedHost | +10.10.10.10 | +
+
|
+
| interestedMacAddress | +string | +- | +The MAC address identified as the log owner's | +
+
|
+
+
|
+
| ircChannelName | +string | +- | +The IRC channel name | +
+
|
+
+
|
+
| ircUserName | +string | +- | +The IRC user name | +
+
|
+
+
|
+
| isHidden | +string | +- | +Whether the detection log generated a grey rule match | +Yes | +
+
|
+
| ja3Hash | +string | +- | +The fingerprint of an SSL/TLS client application as detected via a network sensor or device | +
+
|
+
+
|
+
| ja3Hash | +string | +- | +The JA3 hash | +478e74fad764c966f19c5232c7cdfc5a | +
+
|
+
| ja3sHash | +string | +- | +The fingerprint of an SSL/TLS server application as detected via a network sensor or device | +
+
|
+
+
|
+
| ja3sHash | +string | +- | +The JA3S hash | +6d37fb1b3306d6e9f875650d8eb74b4f | +
+
|
+
| logKey | +string | +- | +The unique key of the event | +
+
|
+
+
|
+
| mailMsgSubject | +string | +EmailSubject | +The email subject | +
+
|
+
+
|
+
| mailMsgSubject | +string | +EmailSubject | +The email subject | +test | +
+
|
+
| malFamily | +string | +- | +The threat family | +
+
|
+
+
|
+
| malName | +string | +- | +The name of the detected malware | +
+
|
+
+
|
+
| malType | +string | +- | +The risk type for Network Content Correlation Engine rules | +
+
|
+
+
|
+
| malTypeGroup | +string | +- | +The risk type group for NCCE (Network Content Correlation Engine) rules. This field comes from NCCP (Network Content Correlation Pattern) rule type definitions. | +
+
|
+
+
|
+
| mimeType | +string | +- | +The MIME type or content type of the response body | +text/html | +
+
|
+
| mitigationTaskId | +string | +- | +The unique ID to identify the mitigation request | +
+
|
+
+
|
+
| mitreMapping | +dynamic | +- | +The MITRE tags | +
+
|
+
+
|
+
| mitreVersion | +string | +- | +The MITRE version | +
+
|
+
+
|
+
| msgId | +string | +EmailMessageID | +The internet message ID | +
+
|
+
+
|
+
| msgId | +string | +EmailMessageID | +The service provider message ID | +<sample_email@trendmicro.com> | +
+
|
+
| objectIps | +dynamic | +
+
|
+ The IP address resolved by the DNS protocol | +10.10.10.10 | +
+
|
+
| overSsl | +string | +- | +Whether the event was triggered by an SSL decryption stream (Displayed only when SSL Inspection is supported) | +
+
|
+
+
|
+
| overSsl | +string | +- | +SSL protocol connection | +YES | +
+
|
+
| pAttackPhase | +string | +- | +The category of the primary Attack Phase | +
+
|
+
+
|
+
| pcapUUID | +string | +- | +The PCAP file UUID | +
+
|
+
+
|
+
| pComp | +string | +- | +The component that made the detection | +
+
|
+
+
|
+
| peerEndpointGUID | +string | +- | +The endpoint GUID of the agent peer host | +
+
|
+
+
|
+
| peerGroup | +string | +- | +The peer IP group | +
+
|
+
+
|
+
| peerHost | +string | +DomainName | +The hostname of peerIp | +
+
|
+
+
|
+
| peerIp | +dynamic | +
+
|
+ The IP of peerHost | +10.10.10.10 | +
+
|
+
| pname | +string | +- | +The internal product ID | +
+
|
+
+
|
+
| pname | +string | +- | +The product name | +
+
|
+
+
|
+
| potentialRisk | +string | +- | +The tag if it's a potential risk according to heuristics | +
+
|
+
+
|
+
| pver | +string | +- | +The product version | +
+
|
+
+
|
+
| rating | +string | +- | +The credibility level | +
+
|
+
+
|
+
| rawDataStr | +string | +- | +The JSON string that contains additional information | +
+
|
+
+
|
+
| rawDataStr | +string | +- | +The JSON string that contains additional information | +
+
|
+
+
|
+
| rawDataStr | +string | +- | +The raw data string that contains additional information | +[{ "oid": "1.2.3.4", "value_type": 4, "value": "MANUFACTURER:SAMPLE\ nMODEL:SAMPLE C1234", "parse": 1}] | +
+
|
+
| rawDstIp | +string | +
+
|
+ The destination IP without replacement | +10.10.10.10 | +
+
|
+
| rawDstPort | +int | +Port | +The destination port number without replacement | +33186 | +
+
|
+
| rawSrcIp | +string | +
+
|
+ The source IP without replacement | +10.10.10.10 | +
+
|
+
| rawSrcPort | +int | +Port | +The source port number without replacement | +80 | +
+
|
+
| remarks | +string | +- | +The additional information | +
+
|
+
+
|
+
| reportGUID | +string | +- | +The GUID for Workbench to request report page data | +
+
|
+
+
|
+
| reqAppVersion | +string | +- | +The client application version number | +SSH-2.0-OPENSSH_9.0 | +
+
|
+
| reqDataSize | +string | +- | +The data volume transmitted over the transport layer by the client (in bytes) | +15688 | +
+
|
+
| reqScannedBytes | +string | +- | +The data volume transmitted by the client (in bytes) | +4655 | +
+
|
+
| request | +string | +URL | +The notable URLs | +
+
|
+
+
|
+
| request | +string | +URL | +The destination URL that the user is accessing | +
+
|
+
+
|
+
| requestClientApplication | +string | +- | +The protocol user agent information | +
+
|
+
+
|
+
| requestClientApplication | +string | +- | +The HTTP user agent | +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 | +
+
|
+
| requestDate | +string | +- | +The HTTP date header | +Fri, 20 Oct 2017 06:02:09 GMT | +
+
|
+
| requestHeaders | +string | +- | +All HTTP headers without sensitive information | +Host: 10.10.10.10:8080 +User-Agent: curl/7.78.0 +Accept: */* + | +
+
|
+
| requestMethod | +string | +- | +The network protocol request method | +POST | +
+
|
+
| requestMimeType | +string | +- | +The type of request content | +application/json; charset=utf-8 | +
+
|
+
| requests | +dynamic | +URL | +The URLs of the request | +www.google.com.tw | +
+
|
+
| resolvedUrlGroup | +string | +- | +The IP address FQDN network group | +
+
|
+
+
|
+
| resolvedUrlIp | +string | +
+
|
+ The IP address of the FQDN | +10.10.10.10 | +
+
|
+
| resolvedUrlPort | +int | +Port | +The HTTP server port | +443 | +
+
|
+
| respAppVersion | +string | +- | +The server application version number | +SSH-2.0-OPENSSH_8.7 | +
+
|
+
| respArchFiles | +dynamic | +- | +The file information extracted from files detected in response direction | +None | +
+
|
+
| respCode | +string | +- | +The network protocol response code | +
+
|
+
+
|
+
| respDataSize | +string | +- | +The data volume transmitted over the transport layer by the server (in bytes) | +7856 | +
+
|
+
| respDate | +string | +- | +The HTTP response date header | +Fri, 20 Oct 2017 06:02:09 GMT | +
+
|
+
| respFileHash | +string | +FileSHA1 | +The SHA-1 of the file detected in the response direction | +f17d9c55dea88f9aec8f74363f01e918cffb4142 | +
+
|
+
| respFileHashSha256 | +string | +FileSHA2 | +The SHA-256 of the file detected in the response direction | +5ad4396d67f0c9d54572f051e28e9e62f4010c269a953d25259b17ad5fab4fd5 | +
+
|
+
| respFileType | +string | +- | +The file type detected in the response direction | +PKZIP | +
+
|
+
| respHeaders | +string | +- | +All HTTP response headers without sensitive information | +Accept-Ranges: bytes +Content-Length: 68 +Content-Type: - text/plain; charset=utf-8 +Last-Modified: Thu, 19 Aug 2021 06:23:54 GMT +Date: Thu, 19 Aug 2021 06:24:00 GMT + | +
+
|
+
| respMethod | +string | +- | +The response method | +
+
|
+
+
|
+
| respScannedBytes | +string | +- | +The data volume transmitted by the server (in bytes) | +6654 | +
+
|
+
| riskLevel | +string | +- | +The risk level | +
+
|
+
+
|
+
| rozRating | +string | +- | +The VA overall rating | +
+
|
+
+
|
+
| rt | +string | +- | +The Unix time of the log generation | +1656324260000 | +
+
|
+
| rtDate | +string | +- | +The date of the log generation | +1655337600000 | +
+
|
+
| rtHour | +int | +- | +The hour of the log generation | +
+
|
+
+
|
+
| rtWeekDay | +string | +- | +The weekday of the log generation | +
+
|
+
+
|
+
| ruleId | +int | +- | +The rule ID | +
+
|
+
+
|
+
| ruleName | +string | +- | +The name of the rule that triggered the event | +
+
|
+
+
|
+
| sAttackPhase | +string | +- | +The category of the second Attack Phase | +
+
|
+
+
|
+
| scanTs | +string | +- | +The mail scan time | +- | +
+
|
+
| score | +int | +- | +The Web Reputation Services URL rating | +
+
|
+
+
|
+
| senderGUID | +string | +- | +The sender GUID | +
+
|
+
+
|
+
| senderIp | +dynamic | +- | +The sender IP | +10.10.10.10 | +
+
|
+
| serverGroup | +string | +- | +The server IP network group | +
+
|
+
+
|
+
| serverHost | +string | +- | +The server IP host name | +
+
|
+ Network Sensor | +
| serverIp | +string | +
+
|
+ The server IP address | +10.10.10.10 | +
+
|
+
| serverMAC | +string | +- | +The server MAC address | +00-00-00-ff-ff-ff | +
+
|
+
| serverPort | +int | +Port | +The server port number | +443 | +
+
|
+
| sessionEnd | +string | +- | +The session end time, in seconds | +1575462989 | +
+
|
+
| sessionEndReason | +string | +- | +The reason why a session was terminated | +
+
|
+
+
|
+
| sessionStart | +string | +- | +The session start time (in seconds) | +1575462989 | +
+
|
+
| severity | +int | +- | +The severity of the event | +
+
|
+
+
|
+
| shost | +string | +DomainName | +The source hostname | +
+
|
+
+
|
+
| smac | +string | +- | +The source MAC address | +
+
|
+
+
|
+
| sOSName | +string | +- | +The source OS | +
+
|
+
+
|
+
| spt | +int | +Port | +The source port | +
+
|
+
+
|
+
| src | +dynamic | +
+
|
+ The source IP | +10.10.10.10 | +
+
|
+
| srcGroup | +string | +- | +The group named defined by the source administrator | +
+
|
+
+
|
+
| srcZone | +string | +- | +The network zone defined by the source administrator | +
+
|
+
+
|
+
| sslCertCommonName | +string | +
+
|
+ The subject common name | +settings-win.data.microsoft.com | +
+
|
+
| sslCertCommonName | +string | +
+
|
+ The certificate common name | +*.www.sample.com | +
+
|
+
| sslCertFingerprint | +string | +- | +The certificate fingerprint | +3914af80223c833f26df001cbf342eff8a31aba1 | +
+
|
+
| sslCertIssuer | +string | +- | +The issuer of the certificate | +/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA | +
+
|
+
| sslCertIssuerCommonName | +string | +- | +The issuer common name | +Microsoft Azure TLS Issuing CA 05 | +
+
|
+
| sslCertIssuerOrgName | +string | +- | +The issuer organization name | +Microsoft Corporation | +
+
|
+
| sslCertOrgName | +string | +- | +The subject organization name | +Microsoft | +
+
|
+
| sslCertSANs | +dynamic | +- | +The Subject Alternative Name of the certificate | +
+
|
+
+
|
+
| sslCertSerialNumber | +string | +- | +The certificate serial number | +0888b1ad2a593310593f47565a5a5a4a | +
+
|
+
| sslCertValidFrom | +string | +- | +The certificate validity start time | +2014-11-21T02:43:28 | +
+
|
+
| sslCertValidUntil | +string | +- | +The certificate validity end time | +2018-11-21T02:43:28 | +
+
|
+
| status | +string | +- | +The network analysis flow session status | +2 | +
+
|
+
| suid | +string | +UserAccount | +User name or mailbox | +
+
|
+
+
|
+
| suid | +string | +UserAccount | +The user name or IP address (IPv4) | +
+
|
+
+
|
+
| suser | +dynamic | +EmailSender | +The email sender | +sample_email@trendmicro.com | +
+
|
+
| suser | +string | +EmailSender | +The email sender | +sample_email@trendmicro.com | +
+
|
+
| sUser1 | +string | +UserAccount | +The latest sign-in user of the source | +
+
|
+
+
|
+
| tacticId | +dynamic | +Tactic | +The list of MITRE tactic IDs | +
+
|
+
+
|
+
| tags | +dynamic | +
+
|
+ The detected technique ID based on the alert filter | +
+
|
+
+
|
+
| targetShare | +string | +FileFullPath | +For HTTPS protocol: Subject State or Province Name; For SMB protocol: Shared folder | +
+
|
+
+
|
+
| techniqueId | +dynamic | +Technique | +Technique ID detected by the product agent base on a detection rule | +- | +
+
|
+
| threatName | +string | +- | +The threat name | +
+
|
+
+
|
+
| threatNames | +dynamic | +- | +The associated threats | +
+
|
+
+
|
+
| threatType | +string | +- | +The log threat type | +
+
|
+
+
|
+
| tlsJA3Fingerprint | +string | +- | +The JA3 fingerprint | +- | +
+
|
+
| tlsJA3SFingerprint | +string | +- | +The raw JA3S | +771,157,65281-15 | +
+
|
+
| tlsSelectedCipher | +string | +- | +The selected cipher of the TLS protocol | +c02f | +
+
|
+
| urlCat | +dynamic | +- | +The requested URL category | +
+
|
+
+
|
+
| userDomain | +string | +
+
|
+ Active directory domain, domain of username for logging in TMAS adminportal adminportal | +trendmicro.com | +
+
|
+
| vLANId | +int | +- | +The virtual LAN ID | +- | +
+
|
+

| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| dhost | string | DomainName | The destination hostname | | Palo Alto Firewall |
| dUser1 | string | UserAccount | The latest logon user of the destination | | Palo Alto Firewall |
| fileHashMd5 | string | FileMD5 | The MD5 of the file | d5120786925038601a77c2e1eB9a3a0a | Palo Alto Firewall |
| requestMethod | string | - | The network protocol request method | POST | Palo Alto Firewall |
| shost | string | DomainName | The source hostname | | Palo Alto Firewall |
| sUser1 | string | UserAccount | The latest sign-in user of the source | | Palo Alto Firewall |


| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| aggregatedCount | string | - | The number of aggregated events | | |
| category | string | - | The event category | | |
| cves | dynamic | - | The CVEs associated with this filter | | |
| deviceGUID | string | - | The GUID of the agent which reported the detection | | |
| dpt | int | Port | The destination port | | |
| dst | dynamic | | The destination IP | 10.10.10.10 | |
| endpointIp | dynamic | | The IP address of the endpoint on which the event was detected | 10.10.10.10 | |
| eventName | string | - | The event type | | |
| interestedIp | dynamic | | The IP of the interestedHost | 10.10.10.10 | |
| logKey | string | - | The unique key of the event | | |
| mpname | string | - | The management product name | | |
| overSsl | string | - | Whether the event was triggered by an SSL decryption stream (displayed only when SSL Inspection is supported) | | |
| peerEndpointGUID | string | - | The endpoint GUID of the agent peer host | | |
| pname | string | - | The internal product ID | | |
| policyId | string | - | The ID of the policy under which the event was detected | | |
| pver | string | - | The product version | | |
| request | string | URL | The notable URLs | | |
| rt | string | - | The Unix time of the log generation | 1656324260000 | |
| ruleName | string | - | The name of the rule that triggered the event | | |
| ruleSetName | string | - | The rule set name | AllRules | |
| ruleUuid | string | - | The signature UUID from the DV (Digital Vaccine) | | |
| severity | int | - | The severity of the event | | |
| spt | int | Port | The source port | | |
| src | dynamic | | The source IP | 10.10.10.10 | |


| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| aggregatedCount | string | - | The number of aggregated events | | |
| deviceGUID | string | - | The GUID of the agent which reported the detection | | |
| dpt | int | Port | The destination port | | |
| dst | dynamic | | The destination IP | 10.10.10.10 | |
| endpointIp | dynamic | | The IP address of the endpoint on which the event was detected | 10.10.10.10 | |
| eventName | string | - | The event type | | |
| interestedIp | dynamic | | The IP of the interestedHost | 10.10.10.10 | |
| logKey | string | - | The unique key of the event | | |
| mpname | string | - | The management product name | | |
| overSsl | string | - | Whether the event was triggered by an SSL decryption stream (displayed only when SSL Inspection is supported) | | |
| peerEndpointGUID | string | - | The endpoint GUID of the agent peer host | | |
| pname | string | - | The internal product ID | | |
| policyId | string | - | The ID of the policy under which the event was detected | | |
| pver | string | - | The product version | | |
| remarks | string | - | Additional information | | |
| request | string | URL | The notable URLs | | |
| rt | string | - | The Unix time of the log generation | 1656324260000 | |
| ruleName | string | - | The name of the rule that triggered the event | | |
| ruleSetName | string | - | The rule set name | AllRules | |
| ruleUuid | string | - | The signature UUID from the DV (Digital Vaccine) | | |
| severity | int | - | The severity of the event | | |
| spt | int | Port | The source port | | |
| src | dynamic | | The source IP | 10.10.10.10 | |
| subRuleId | string | - | The ID of a subordinate rule | | |
| suid | string | UserAccount | The user name or mailbox | | |


| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| aggregatedCount | string | - | The number of aggregated events | | |
| app | string | - | The network protocol | HTTP | |
| appGroup | string | - | The app category of the event | | |
| aptCampaigns | dynamic | - | The related APT campaigns | | |
| aptRelated | string | - | Whether the event is related to an APT | | |
| archFiles | dynamic | - | The file information extracted from detected files | None | |
| attachmentFileHash | string | FileSHA1 | The SHA-1 of the email attachment | | |
| attachmentFileHashSha256 | string | FileSHA2 | The SHA-256 of the attached file (attachmentFileName) | | |
| attachmentFileName | dynamic | FileName | The file name of an attachment | | |
| attachmentFileSize | string | - | The file size of the email attachment | | |
| attachmentFileType | string | - | The file type of the email attachment | | |
| botCmd | string | CLICommand | The bot command | | |
| botUrl | string | URL | The bot URL | | |
| cccaDestination | string | URL | The destination domain, IP, URL, or recipient | | |
| cccaDestinationFormat | string | - | The C&C server access format | | |
| cccaDetection | string | - | Whether this log is identified as a C&C callback address detection | Yes | |
| cccaDetectionSource | string | - | The list that defines this CCCA detection rule | | |
| cccaRiskLevel | int | - | The severity level of the threat actors associated with the C&C servers | | |
| clientFlag | string | - | Whether the client is the source or the destination | | |
| clientGroup | string | - | The client IP network group | | |
| clientIp | string | | The endpoint IP address | 10.10.10.10 | |
| clientMAC | string | - | The client MAC address | 00-00-00-ff-ff-ff | |
| clientPort | int | Port | The client port number | 5566 | |
| cnt | string | - | The total number of logs | | |
| compressedFileHash | string | FileSHA1 | The SHA-1 of the decompressed archive | | |
| compressedFileHashSha256 | string | FileSHA2 | The SHA-256 of the compressed suspicious file | | |
| compressedFileName | string | FileName | The file name of the compressed file | | |
| compressedFileSize | string | - | The file size of the decompressed archive file | | |
| compressedFileType | string | - | The file type of the decompressed archive file | | |
| correlationCat | string | - | The correlation category | | |
| cve | string | - | The CVE identifier | | |
| cves | dynamic | - | The CVEs associated with this filter | | |
| data0 | string | - | The value of the DDI Correlation log | | |
| data0Name | string | - | The name of the DDI Correlation log | | |
| data1 | string | - | The Deep Discovery Inspector correlation log metadata | 10.10.10.10 | |
| data1Name | string | - | The name of the DDI Correlation log | | |
| data2 | string | - | The value of the DDI Correlation log | | |
| data2Name | string | - | The name of the DDI Correlation log | | |
| data3 | string | - | The value of the DDI Correlation log | | |
| data4 | string | - | The value of the DDI Correlation log | 10.10.10.10 | |
| dceHash1 | string | - | Required by the Trend Micro Threat Mitigation Server, which is EOL. | 0 | |
| dceHash2 | string | - | Required by the Trend Micro Threat Mitigation Server, which is EOL. | 0 | |
| denyListFileHash | string | FileSHA1 | The SHA-1 of the Virtual Analyzer Suspicious Object | | |
| denyListFileHashSha256 | string | - | The SHA-256 of the User-Defined Suspicious Object | 757E5C8823CAA7406030A7E26AED2A2C95D16F69C5A14C884C8CAA72A0C001C3 | |
| denyListHost | string | DomainName | The domain of the Virtual Analyzer Suspicious Object | | |
| denyListIp | dynamic | | The IP of the Virtual Analyzer Suspicious Object | 10.10.10.10 | |
| denyListRequest | string | - | The block list event request | | |
| denyListType | string | - | The block list type | | |
| detectionType | string | - | The detection type | | |
| deviceDirection | string | - | The device direction. If the source IP is in the internal network (the network monitored by Deep Discovery Inspector), the event is tagged as outbound; all other cases are tagged as inbound. Internal-to-internal traffic is also tagged as outbound. | | |
| deviceGUID | string | - | The GUID of the agent which reported the detection | | |
| deviceGUID | string | - | The non-endpoint object, such as a network appliance | 11111111-1111-1111-1111-111111111111 | |
| deviceMacAddress | string | - | The device MAC address | | |
| devicePayloadId | string | - | The device payload ID | | |
| deviceRiskConfidenceLevel | int | - | The confidence level of the device risk | - | |
| dhost | string | DomainName | The destination hostname | 10.10.10.10 | |
| direction | string | - | The object transfer direction | Download | |
| dmac | string | - | The MAC address of the destination IP (dest_ip) | | |
| dnsQueryType | string | - | The record type requested by the DNS protocol | A | |
| domainName | string | DomainName | The detected domain name | | |
| dOSName | string | - | The destination host OS | | |
| dpt | int | Port | The destination port | | |
| dst | dynamic | | The destination IP | 10.10.10.10 | |
| dstGroup | string | - | The group name defined by the administrator of the destination | | |
| dstZone | string | - | The network zone defined by the destination administrator | | |
| duser | dynamic | EmailRecipient | The email recipient | | |
| duser | dynamic | EmailRecipient | The email recipient | sample_email@trendmicro.com | |
| dUser1 | string | UserAccount | The latest sign-in user of the destination | user\example | |
| dvc | dynamic | - | The IP address of the Deep Discovery Inspector appliance | 10.10.10.10 | |
| dvc | dynamic | - | The IP address of the Deep Discovery Inspector or Virtual Network Sensor appliance | 10.10.10.10 | |
| dvchost | string | - | The computer on which the Trend Micro product is installed | | |
| dvchost | string | - | The network device hostname | | |
| eventClass | string | - | The event category | | |
| eventId | string | - | The event ID from the logs of each product | | |
| eventId | string | - | The event ID | | |
| eventName | string | - | The event type | | |
| eventName | string | - | The name of the log event | | |
| eventSubClass | string | - | The category of the sub-event class | | |
| eventTime | real | - | The time the agent or product detected the event | 1657135700000 | |
| fileExt | string | - | The file extension of the suspicious file | | |
| fileHash | string | FileSHA1 | The SHA-1 of the file that triggered the rule or policy | | |
| fileHash | string | FileSHA1 | The SHA-1 of the file that violated the policy | 1e15bf99022a9164708cebb3eace8fd61ad45cba | |
| fileHashSha256 | string | FileSHA2 | The SHA-256 of the file (fileName) | | |
| fileHashSha256 | string | FileSHA2 | The SHA-256 of the file that violated the policy | ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93 | |
| fileName | dynamic | FileName | The file name | | |
| fileName | string | | The name of the file that violated the policy | word.doc | |
| filePath | string | FileFullPath | The file path without the file name | | |
| filePathName | string | FileFullPath | The file path with the file name | | |
| fileSize | string | - | The file size of the suspicious file | | |
| fileSize | string | - | The size of the file that violated the policy | 12134 | |
| fileType | string | - | The file type of the suspicious file | | |
| fileType | string | - | The type of the file that violated the policy | Microsoft Words | |
| filterRiskLevel | string | - | The top-level filter risk of the event | | |
| firmalware | dynamic | - | The firmware version of Deep Discovery Inspector | | |
| flowId | string | - | The network analysis flow ID | 6837014561409730558 | |
| ftpTrans | dynamic | - | The transaction information of the FTP protocol | None | |
| fullPath | string | FileFullPath | The combination of the file path and the file name | | |
| hasdtasres | string | - | Whether the log contains a report from Virtual Analyzer | | |
| heurFlag | int | - | Whether there is an Advanced Threat Scan Engine detection | | |
| hostName | string | | The computer name of the client host (the hostname from the suspicious URL detected by Deep Discovery Inspector) | | |
| hostName | string | | The host name | NJ-EFFY-ZHAO1 | |
| hostSeverity | int | - | The severity of the threat (specific to the interestedIp) | | |
| hotFix | dynamic | - | The applied Deep Discovery Inspector hotfix version | | |
| httpLocation | string | URL | The HTTP Location header | www.google.com.tw | |
| httpReferer | string | URL | The HTTP referer | | |
| httpReferer | string | URL | The HTTP referrer header | www.google.com.tw | |
+
|
+
| httpXForwardedFor | +string | +- | +The HTTP X-Forwarded-For header | +10.10.10.10, 10.10.10.11, 10.10.10.12 | +
+
|
+
| httpXForwardedForGroup | +string | +- | +The X-Forwarded-For IP network group | +
+
|
+
+
|
+
| httpXForwardedForIp | +string | +
+
|
+ The x-forwarded-for IP used by the network appliance | +10.10.10.10 | +
+
|
+
| httpXForwardedForPort | +int | +- | +The patched HTTP server port when the network appliance selects an x-forwarded-for IP address to use | +65535 | +
+
|
+
| interestedGroup | +string | +- | +The network group associated with the user-defined source IP or destination IP | +
+
|
+
+
|
+
| interestedHost | +string | +DomainName | +The endpoint hostname (For example, if an intranet host accesses a suspicious internet host, the intranet host is the "peerHost" and the internet host is the "interestedHost") | +
+
|
+
+
|
+
| interestedIp | +dynamic | +
+
|
+ The IP of the interestedHost | +10.10.10.10 | +
+
|
+
| interestedMacAddress | +string | +- | +The MAC address identified as the log owner's | +
+
|
+
+
|
+
| ircChannelName | +string | +- | +The IRC channel name | +
+
|
+
+
|
+
| ircUserName | +string | +- | +The IRC user name | +
+
|
+
+
|
+
| isHidden | +string | +- | +Whether the detection log generated a grey rule match | +Yes | +
+
|
+
| ja3Hash | +string | +- | +The fingerprint of an SSL/TLS client application as detected via a network sensor or device | +
+
|
+
+
|
+
| ja3Hash | +string | +- | +The JA3 hash | +478e74fad764c966f19c5232c7cdfc5a | +
+
|
+
| ja3sHash | +string | +- | +The fingerprint of an SSL/TLS server application as detected via a network sensor or device | +
+
|
+
+
|
+
| ja3sHash | +string | +- | +The JA3S hash | +6d37fb1b3306d6e9f875650d8eb74b4f | +
+
|
+
| logKey | +string | +- | +The unique key of the event | +
+
|
+
+
|
+
| mailMsgSubject | +string | +EmailSubject | +The email subject | +
+
|
+
+
|
+
| mailMsgSubject | +string | +EmailSubject | +The email subject | +test | +
+
|
+
| malFamily | +string | +- | +The threat family | +
+
|
+
+
|
+
| malName | +string | +- | +The name of the detected malware | +
+
|
+
+
|
+
| malType | +string | +- | +The risk type for Network Content Correlation Engine rules | +
+
|
+
+
|
+
| malTypeGroup | +string | +- | +The risk type group for NCCE (Network Content Correlation Engine) rules. This field comes from NCCP (Network Content Correlation Pattern) rule type definitions. | +
+
|
+
+
|
+
| mimeType | +string | +- | +The MIME type or content type of the response body | +text/html | +
+
|
+
| mitigationTaskId | +string | +- | +The unique ID to identify the mitigation request | +
+
|
+
+
|
+
| mitreMapping | +dynamic | +- | +The MITRE tags | +
+
|
+
+
|
+
| mitreVersion | +string | +- | +The MITRE version | +
+
|
+
+
|
+
| msgId | +string | +EmailMessageID | +The internet message ID | +
+
|
+
+
|
+
| msgId | +string | +EmailMessageID | +The service provider message ID | +<sample_email@trendmicro.com> | +
+
|
+
| objectIps | +dynamic | +
+
|
+ The IP address resolved by the DNS protocol | +10.10.10.10 | +
+
|
+
| overSsl | +string | +- | +Whether the event was triggered by an SSL decryption stream (Displayed only when SSL Inspection is supported) | +
+
|
+
+
|
+
| overSsl | +string | +- | +SSL protocol connection | +YES | +
+
|
+
| pAttackPhase | +string | +- | +The category of the primary Attack Phase | +
+
|
+
+
|
+
| pcapUUID | +string | +- | +The PCAP file UUID | +
+
|
+
+
|
+
| pComp | +string | +- | +The component that made the detection | +
+
|
+
+
|
+
| peerEndpointGUID | +string | +- | +The endpoint GUID of the agent peer host | +
+
|
+
+
|
+
| peerGroup | +string | +- | +The peer IP group | +
+
|
+
+
|
+
| peerHost | +string | +DomainName | +The hostname of peerIp | +
+
|
+
+
|
+
| peerIp | +dynamic | +
+
|
+ The IP of peerHost | +10.10.10.10 | +
+
|
+
| pname | +string | +- | +The internal product ID | +
+
|
+
+
|
+
| pname | +string | +- | +The product name | +
+
|
+
+
|
+
| potentialRisk | +string | +- | +The tag if it's a potential risk according to heuristics | +
+
|
+
+
|
+
| pver | +string | +- | +The product version | +
+
|
+
+
|
+
| rating | +string | +- | +The credibility level | +
+
|
+
+
|
+
| rawDataStr | +string | +- | +The JSON string that contains additional information | +
+
|
+
+
|
+
| rawDataStr | +string | +- | +The raw data string that contains additional information | +[{ "oid": "1.2.3.4", "value_type": 4, "value": "MANUFACTURER:SAMPLE\ nMODEL:SAMPLE C1234", "parse": 1}] | +
+
|
+
| rawDstIp | +string | +
+
|
+ The destination IP without replacement | +10.10.10.10 | +
+
|
+
| rawDstPort | +int | +Port | +The destination port number without replacement | +33186 | +
+
|
+
| rawSrcIp | +string | +
+
|
+ The source IP without replacement | +10.10.10.10 | +
+
|
+
| rawSrcPort | +int | +Port | +The source port number without replacement | +80 | +
+
|
+
| remarks | +string | +- | +The additional information | +
+
|
+
+
|
+
| reportGUID | +string | +- | +The GUID for Workbench to request report page data | +
+
|
+
+
|
+
| reqAppVersion | +string | +- | +The client application version number | +SSH-2.0-OPENSSH_9.0 | +
+
|
+
| reqDataSize | +string | +- | +The data volume transmitted over the transport layer by the client (in bytes) | +15688 | +
+
|
+
| reqScannedBytes | +string | +- | +The data volume transmitted by the client (in bytes) | +4655 | +
+
|
+
| request | +string | +URL | +The notable URLs | +
+
|
+
+
|
+
| request | +string | +URL | +The destination URL that the user is accessing | +
+
|
+
+
|
+
| requestClientApplication | +string | +- | +The protocol user agent information | +
+
|
+
+
|
+
| requestClientApplication | +string | +- | +The HTTP user agent | +Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 | +
+
|
+
| requestDate | +string | +- | +The HTTP date header | +Fri, 20 Oct 2017 06:02:09 GMT | +
+
|
+
| requestHeaders | +string | +- | +All HTTP headers without sensitive information | +Host: 10.10.10.10:8080 +User-Agent: curl/7.78.0 +Accept: */* + | +
+
|
+
| requestMethod | +string | +- | +The network protocol request method | +POST | +
+
|
+
| requestMimeType | +string | +- | +The type of request content | +application/json; charset=utf-8 | +
+
|
+
| requests | +dynamic | +URL | +The URLs of the request | +www.google.com.tw | +
+
|
+
| resolvedUrlGroup | +string | +- | +The IP address FQDN network group | +
+
|
+
+
|
+
| resolvedUrlIp | +string | +
+
|
+ The IP address of the FQDN | +10.10.10.10 | +
+
|
+
| resolvedUrlPort | +int | +Port | +The HTTP server port | +443 | +
+
|
+
| respAppVersion | +string | +- | +The server application version number | +SSH-2.0-OPENSSH_8.7 | +
+
|
+
| respArchFiles | +dynamic | +- | +The file information extracted from files detected in response direction | +None | +
+
|
+
| respCode | +string | +- | +The network protocol response code | +
+
|
+
+
|
+
| respDataSize | +string | +- | +The data volume transmitted over the transport layer by the server (in bytes) | +7856 | +
+
|
+
| respDate | +string | +- | +The HTTP response date header | +Fri, 20 Oct 2017 06:02:09 GMT | +
+
|
+
| respFileHash | +string | +FileSHA1 | +The SHA-1 of the file detected in the response direction | +f17d9c55dea88f9aec8f74363f01e918cffb4142 | +
+
|
+
| respFileHashSha256 | +string | +FileSHA2 | +The SHA-256 of the file detected in the response direction | +5ad4396d67f0c9d54572f051e28e9e62f4010c269a953d25259b17ad5fab4fd5 | +
+
|
+
| respFileType | +string | +- | +The file type detected in the response direction | +PKZIP | +
+
|
+
| respHeaders | +string | +- | +All HTTP response headers without sensitive information | +Accept-Ranges: bytes +Content-Length: 68 +Content-Type: - text/plain; charset=utf-8 +Last-Modified: Thu, 19 Aug 2021 06:23:54 GMT +Date: Thu, 19 Aug 2021 06:24:00 GMT + | +
+
|
+
| respMethod | +string | +- | +The response method | +
+
|
+
+
|
+
| respScannedBytes | +string | +- | +The data volume transmitted by the server (in bytes) | +6654 | +
+
|
+
| riskLevel | +string | +- | +The risk level | +
+
|
+
+
|
+
| rozRating | +string | +- | +The VA overall rating | +
+
|
+
+
|
+
| rt | +string | +- | +The Unix time of the log generation | +1656324260000 | +
+
|
+
| rtDate | +string | +- | +The date of the log generation | +1655337600000 | +
+
|
+
| rtHour | +int | +- | +The hour of the log generation | +
+
|
+
+
|
+
| rtWeekDay | +string | +- | +The weekday of the log generation | +
+
|
+
+
|
+
| ruleId | +int | +- | +The rule ID | +
+
|
+
+
|
+
| ruleName | +string | +- | +The name of the rule that triggered the event | +
+
|
+
+
|
+
| sAttackPhase | +string | +- | +The category of the second Attack Phase | +
+
|
+
+
|
+
| scanTs | +string | +- | +The mail scan time | +- | +
+
|
+
| score | +int | +- | +The Web Reputation Services URL rating | +
+
|
+
+
|
+
| senderGUID | +string | +- | +The sender GUID | +
+
|
+
+
|
+
| senderIp | +dynamic | +- | +The sender IP | +10.10.10.10 | +
+
|
+
| serverGroup | +string | +- | +The server IP network group | +
+
|
+
+
|
+
| serverIp | +string | +
+
|
+ The server IP address | +10.10.10.10 | +
+
|
+
| serverMAC | +string | +- | +The server MAC address | +00-00-00-ff-ff-ff | +
+
|
+
| serverPort | +int | +Port | +The server port number | +443 | +
+
|
+
| sessionEnd | +string | +- | +The session end time, in seconds | +1575462989 | +
+
|
+
| sessionEndReason | +string | +- | +The reason why a session was terminated | +
+
|
+
+
|
+
| sessionStart | +string | +- | +The session start time (in seconds) | +1575462989 | +
+
|
+
| severity | +int | +- | +The severity of the event | +
+
|
+
+
|
+
| shost | +string | +DomainName | +The source hostname | +
+
|
+
+
|
+
| smac | +string | +- | +The source MAC address | +
+
|
+
+
|
+
| sOSName | +string | +- | +The source OS | +
+
|
+
+
|
+
| spt | +int | +Port | +The source port | +
+
|
+
+
|
+
| src | +dynamic | +
+
|
+ The source IP | +10.10.10.10 | +
+
|
+
| srcGroup | +string | +- | +The group named defined by the source administrator | +
+
|
+
+
|
+
| srcZone | +string | +- | +The network zone defined by the source administrator | +
+
|
+
+
|
+
| sslCertCommonName | +string | +
+
|
+ The subject common name | +settings-win.data.microsoft.com | +
+
|
+
| sslCertCommonName | +string | +
+
|
+ The certificate common name | +*.www.sample.com | +
+
|
+
| sslCertFingerprint | +string | +- | +The certificate fingerprint | +3914af80223c833f26df001cbf342eff8a31aba1 | +
+
|
+
| sslCertIssuer | +string | +- | +The issuer of the certificate | +/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA | +
+
|
+
| sslCertIssuerCommonName | +string | +- | +The issuer common name | +Microsoft Azure TLS Issuing CA 05 | +
+
|
+
| sslCertIssuerOrgName | +string | +- | +The issuer organization name | +Microsoft Corporation | +
+
|
+
| sslCertOrgName | +string | +- | +The subject organization name | +Microsoft | +
+
|
+
| sslCertSANs | +dynamic | +- | +The Subject Alternative Name of the certificate | +
+
|
+
+
|
+
| sslCertSerialNumber | +string | +- | +The certificate serial number | +0888b1ad2a593310593f47565a5a5a4a | +
+
|
+
| sslCertValidFrom | +string | +- | +The certificate validity start time | +2014-11-21T02:43:28 | +
+
|
+
| sslCertValidUntil | +string | +- | +The certificate validity end time | +2018-11-21T02:43:28 | +
+
|
+
| status | +string | +- | +The network analysis flow session status | +2 | +
+
|
+
| suid | +string | +UserAccount | +User name or mailbox | +
+
|
+
+
|
+
| suid | +string | +UserAccount | +The user name or IP address (IPv4) | +
+
|
+
+
|
+
| suser | +dynamic | +EmailSender | +The email sender | +sample_email@trendmicro.com | +
+
|
+
| suser | +string | +EmailSender | +The email sender | +sample_email@trendmicro.com | +
+
|
+
| sUser1 | +string | +UserAccount | +The latest sign-in user of the source | +
+
|
+
+
|
+
| tacticId | +dynamic | +Tactic | +The list of MITRE tactic IDs | +
+
|
+
+
|
+
| tags | +dynamic | +
+
|
+ The detected technique ID based on the alert filter | +
+
|
+
+
|
+
| targetShare | +string | +FileFullPath | +For HTTPS protocol: Subject State or Province Name; For SMB protocol: Shared folder | +
+
|
+
+
|
+
| techniqueId | +dynamic | +Technique | +Technique ID detected by the product agent base on a detection rule | +- | +
+
|
+
| threatName | +string | +- | +The threat name | +
+
|
+
+
|
+
| threatNames | +dynamic | +- | +The associated threats | +
+
|
+
+
|
+
| threatType | +string | +- | +The log threat type | +
+
|
+
+
|
+
| tlsJA3Fingerprint | +string | +- | +The JA3 fingerprint | +- | +
+
|
+
| tlsJA3SFingerprint | +string | +- | +The raw JA3S | +771,157,65281-15 | +
+
|
+
| tlsSelectedCipher | +string | +- | +The selected cipher of the TLS protocol | +c02f | +
+
|
+
| urlCat | +dynamic | +- | +The requested URL category | +
+
|
+
+
|
+
| userDomain | +string | +
+
|
+ Active directory domain, domain of username for logging in TMAS adminportal adminportal | +trendmicro.com | +
+
|
+
| vLANId | +int | +- | +The virtual LAN ID | +- | +
+
|
+
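The network activity fields above mix representations that are easy to get wrong in a detection or enrichment pipeline: `eventTime` and `rt` are epoch milliseconds while `sessionStart` and `sessionEnd` are epoch seconds, `httpXForwardedFor` is a comma-separated hop list, `requestHeaders` is a newline-joined header block, `sslCertIssuer` is an OpenSSL one-line DN, `tlsJA3SFingerprint` is the raw string whose MD5 is `ja3sHash`, and `tlsSelectedCipher` is a hex IANA cipher-suite code. The following is an added example, not code from the data mapping reference or from Trend Micro: it normalizes one event built from the table's own example values (the `sessionEnd`, `sslCertSANs` and hostname values are constructed). The cipher-suite and TLS-version maps are small partial registries that you would extend, and `normalize_event` is this example's own function name.

```python
"""Normalize a Vision One network activity event (added example)."""
import hashlib
from datetime import datetime, timezone

# Constructed event built from the table's example values; not a real log.
SAMPLE_EVENT = {
    "eventTime": 1657135700000,                  # epoch milliseconds
    "sessionStart": "1575462989",                # epoch seconds (string)
    "sessionEnd": "1575463019",                  # constructed: 30 s later
    "httpXForwardedFor": "10.10.10.10, 10.10.10.11, 10.10.10.12",
    "requestHeaders": "Host: 10.10.10.10:8080\nUser-Agent: curl/7.78.0\nAccept: */*",
    "sslCertIssuer": "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA",
    "sslCertCommonName": "*.www.sample.com",
    "interestedHost": "cdn.www.sample.com",      # constructed hostname
    "tlsJA3SFingerprint": "771,157,65281-15",
    "tlsSelectedCipher": "c02f",
}

# Partial IANA registries (assumption: extend with the suites you care about).
CIPHER_SUITES = {
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def epoch_to_iso(value):
    """Accept epoch seconds or milliseconds; values above 1e11 are treated as ms."""
    n = int(value)
    if n > 10**11:
        n //= 1000
    return datetime.fromtimestamp(n, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def session_seconds(event):
    return int(event["sessionEnd"]) - int(event["sessionStart"])


def parse_xff(header):
    """Leftmost hop is the *claimed* client (attacker-controllable); only the
    rightmost hop was appended by the last proxy you operate, so key
    detections on that one unless you trust every upstream proxy."""
    hops = [h.strip() for h in header.split(",") if h.strip()]
    return {"claimed_client": hops[0], "last_proxy": hops[-1], "hops": hops}


def parse_headers(raw):
    """Turn the newline-joined header block into a lower-cased dict."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_dn(dn):
    """Parse an OpenSSL one-line DN such as /C=US/O=DigiCert Inc/CN=..."""
    return dict(part.split("=", 1) for part in dn.split("/") if "=" in part)


def cipher_name(hex_code):
    return CIPHER_SUITES.get(int(hex_code, 16), "unknown(0x%04X)" % int(hex_code, 16))


def decode_ja3s(raw):
    """Split a raw JA3S string and derive the MD5 the ja3sHash field carries."""
    version, cipher, extensions = raw.split(",")
    return {
        "tls_version": TLS_VERSIONS.get(int(version), "unknown"),
        "cipher": CIPHER_SUITES.get(int(cipher), "unknown"),
        "extensions": [int(x) for x in extensions.split("-") if x],
        "ja3s_hash": hashlib.md5(raw.encode()).hexdigest(),
    }


def cert_name_matches(cn, hostname):
    """Single-label wildcard match: *.www.sample.com covers a.www.sample.com,
    not www.sample.com and not a.b.www.sample.com."""
    if cn.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == cn[2:]
    return cn.lower() == hostname.lower()


def normalize_event(event):
    return {
        "event_time": epoch_to_iso(event["eventTime"]),
        "session_seconds": session_seconds(event),
        "xff": parse_xff(event["httpXForwardedFor"]),
        "headers": parse_headers(event["requestHeaders"]),
        "issuer": parse_dn(event["sslCertIssuer"]),
        "cert_matches_host": cert_name_matches(event["sslCertCommonName"], event["interestedHost"]),
        "ja3s": decode_ja3s(event["tlsJA3SFingerprint"]),
        "selected_cipher": cipher_name(event["tlsSelectedCipher"]),
    }


if __name__ == "__main__":
    for key, value in normalize_event(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

The JA3S decode shows why the raw string is worth keeping next to the hash: `771,157,65281-15` tells you the server negotiated TLS 1.2 with a non-forward-secret RSA key-exchange suite, which the opaque `ja3sHash` alone does not. Compare `ja3s_hash` with the event's own `ja3sHash` field when both are present; a mismatch means the sensor hashed a different string than the one it logged.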
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| aggregatedCount | string | - | The number of aggregated events | | |
| application | string | - | The name of the requested application | | |
| detectionType | string | - | The detection type | | |
| logKey | string | - | The unique key of the event | | |
| malName | string | - | The name of the detected malware | | |
| pname | string | - | The internal product ID | | |
| policyName | string | - | The name of the triggered policy | | |
| principalName | string | - | The user principal name used to sign in to the proxy | sample_email@trendmicro.com | |
| profile | string | - | The name of the triggered Threat Protection template or Data Loss Prevention profile | | |
| requestBase | string | | The domain of the request URL | | |
| rt | string | - | The Unix time of the log generation (epoch milliseconds) | 1656324260000 | |
| sender | string | - | The roaming user or the gateway through which the web traffic passed | | |
| suid | string | UserAccount | The user name or mailbox | | |
| urlCat | dynamic | - | The requested URL category | | |
| userDepartment | string | - | The user department | | |
| userDomain | string | | The user domain | | |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| act | string | - | The action | | |
| aggregatedCount | string | - | The number of aggregated events | | |
| application | string | - | The name of the requested application | | |
| authType | string | - | The authorization type | | Zero Trust Secure Access - Internet Access |
| authType | string | - | The authentication method | | Zero Trust Secure Access - Internet Access |
| clientIp | dynamic | - | The IP addresses of the source | 10.10.10.10 | |
| clientIp | string | | The endpoint IP address | 10.10.10.10 | |
| clientProtocol | string | - | The client protocol | HTTP/1.1 | Zero Trust Secure Access - Internet Access |
| clientTls | string | - | The TLS version negotiated with the client | TLS 1.2 | Zero Trust Secure Access - Internet Access |
| cloudAppCat | string | - | The category of the event in Cloud Reputation Service | | Zero Trust Secure Access - Internet Access |
| contentEncoding | string | - | The content encoding of the request or the response | gzip | Zero Trust Secure Access - Internet Access |
| detectionType | string | - | The detection type | | |
| detectionType | string | - | The traffic detection type | | |
| deviceGUID | string | - | The GUID of the agent which reported the detection | | |
| deviceGUID | string | - | The GUID of a non-endpoint object such as a network appliance | 11111111-1111-1111-1111-111111111111 | |
| dst | dynamic | | The destination IP | 10.10.10.10 | |
| dst | string | | The destination IP address (dstaddr) | 10.10.10.10 | |
| dstLocation | string | - | The destination country | JP | Zero Trust Secure Access - Internet Access |
| duration | string | - | The time it took the scanner to complete the scan, in milliseconds | 1599465660123 | Zero Trust Secure Access - Internet Access |
| e2eLatency | string | - | The end-to-end traffic latency, in milliseconds | 10000 | Zero Trust Secure Access - Internet Access |
| endpointGUID | string | EndpointID | The GUID of the agent which reported the detection | | |
| endpointGuid | string | EndpointID | The device GUID | | |
| endpointHostName | string | EndpointName | The endpoint hostname or node where the event was detected | | |
| endpointHostName | string | EndpointName | The host name of the device on which the event was detected | | |
| eventName | string | - | The event type | | |
| eventName | string | - | The name of the log event | | |
| eventSubName | string | - | The event type sub-name | | |
| eventSubName | string | - | The Zero Trust Secure Access - Internet Access cloud app action, or the Palo Alto Networks firewall log sub-type | | Zero Trust Secure Access - Internet Access |
| eventTime | real | - | The time the agent or product detected the event (epoch milliseconds) | 1657135700000 | |
| failedHTTPSInspection | bool | - | Whether HTTPS traffic inspection failed (the content was not decrypted and scanned) | True | Zero Trust Secure Access - Internet Access |
| fileHash | string | FileSHA1 | The SHA-1 of the file that triggered the rule or policy | | |
| fileHash | string | FileSHA1 | The SHA-1 of the file that violated the policy | 1e15bf99022a9164708cebb3eace8fd61ad45cba | |
| fileHashSha256 | string | FileSHA2 | The SHA-256 of the file (fileName) | | |
| fileHashSha256 | string | FileSHA2 | The SHA-256 of the file that violated the policy | ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93 | |
| fileName | dynamic | FileName | The file name | | |
| fileName | string | | The name of the file that violated the policy | word.doc | |
| fileSize | string | - | The file size of the suspicious file | | |
| fileSize | string | - | The size of the file that violated the policy | 12134 | |
| fileType | string | - | The file type of the suspicious file | | |
| fileType | string | - | The type of the file that violated the policy | Microsoft Words | |
| isPrivateApp | bool | - | Whether the requested application is private | | Zero Trust Secure Access - Internet Access |
| logKey | string | - | The unique key of the event | | |
| malName | string | - | The name of the detected malware | - | Zero Trust Secure Access - Internet Access |
| mimeType | string | - | The MIME type or content type of the response body | | Zero Trust Secure Access - Internet Access |
| mimeType | string | - | The MIME type or content type of the response body | text/html | |
| osName | string | - | The host OS name | | |
| osName | string | - | The host operating system name | | |
| pname | string | - | The internal product ID | | |
| pname | string | - | The product name | | |
| policyName | string | - | The name of the triggered policy | | |
| policyTemplate | dynamic | - | The one-to-many data structure | | |
| policyTemplate | dynamic | - | The Data Loss Prevention template name | Australia, New Zealand: Healthcare Template,Germany: Banking and Financial Information | Zero Trust Secure Access - Internet Access |
| policyUuid | string | - | The UUID of the cloud access or risk control policy, or the hard-coded string that indicates the rule of the global blocked/approved URL list | | |
| principalName | string | - | The user principal name used to sign in to the proxy | sample_email@trendmicro.com | |
| principalName | string | UserAccount | The user principal name | sample_email@trendmicro.com | |
| profile | string | - | The name of the triggered Threat Protection template or Data Loss Prevention profile | | |
| profile | string | - | The name of the triggered Threat Protection template or Data Loss Prevention profile | - | Zero Trust Secure Access - Internet Access |
| pver | string | - | The product version | | |
| pver | string | - | The product version | 1.0 | Zero Trust Secure Access - Internet Access |
| request | string | URL | The notable URLs | | |
| request | string | URL | The destination URL that the user is accessing | | |
| requestBase | string | | The domain of the request URL | | |
| requestBase | string | | The URL domain | | |
| requestMethod | string | - | The network protocol request method | POST | |
| requestMimeType | string | - | The type of the request content | application/json; charset=utf-8 | |
| requestSize | string | - | The request length (in bytes) | 1324 | Zero Trust Secure Access - Internet Access |
| responseSize | string | - | The response length (in bytes) | 1324 | Zero Trust Secure Access - Internet Access |
| rt | string | - | The Unix time of the log generation (epoch milliseconds) | 1656324260000 | |
| rt | string | - | The UTC timestamp (epoch seconds) | 1599465660 | |
| ruleName | string | - | The name of the triggered cloud access rule | | |
| score | int | - | The Web Reputation Services (WRS) score | 81 | Zero Trust Secure Access - Internet Access |
| sender | string | - | The roaming user or the gateway through which the web traffic passed | | |
| sender | string | - | The Zero Trust Internet Access gateway location | | Zero Trust Secure Access - Internet Access |
| serverProtocol | string | - | The version of the HTTP protocol between the Service Gateway and the server/website | HTTP/1.1 | |
| serverRespTime | string | - | The time the server took to respond to the request, in milliseconds | 1599465660123 | Zero Trust Secure Access - Internet Access |
| serverTls | string | - | The TLS version between the Service Gateway and the server/website | TLS 1.2 | |
| src | dynamic | | The source IP | 10.10.10.10 | |
| src | string | | The source IP address (srcaddr) | 10.10.10.10 | |
| srcLocation | string | - | The source country | JP | Zero Trust Secure Access - Internet Access |
| suid | string | UserAccount | The user name or mailbox | | |
| suid | string | UserAccount | The user name or IP address (IPv4) | | |
| tlsJA3Fingerprint | string | - | The JA3 fingerprint | - | |
| trafficType | string | - | The Zero Trust Internet Access gateway service mode | | Zero Trust Secure Access - Internet Access |
| urlCat | dynamic | - | The requested URL category | | |
| urlCat | string | - | The URL category | Social Networking | Zero Trust Secure Access - Internet Access |
| userAgent | string | - | The user agent, or the agent through which the request was made | | |
| userDepartment | string | - | The user department | | |
| userDepartment | string | - | The user department | Sales | Zero Trust Secure Access - Internet Access |
| userDomain | string | | The user domain | | |
| userDomain | string | | The Active Directory domain, or the domain of the user name used to log in to the TMAS admin portal | trendmicro.com | |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| act | string | - | The action | | |
| application | string | - | The name of the requested application | | |
| clientIp | dynamic | - | The IP addresses of the source | 10.10.10.10 | |
| clientIp | string | | The endpoint IP address | 10.10.10.10 | |
| companyName | string | - | The company name | Trend Micro | Zero Trust Secure Access - Private Access |
| detectionType | string | - | The detection type | | |
| detectionType | string | - | The traffic detection type | | |
| dpt | int | Port | The destination port | | |
| dpt | int | Port | The service destination port of the private application server (dstport) | 443 | |
| dst | dynamic | | The destination IP | 10.10.10.10 | |
| dst | string | | The destination IP address (dstaddr) | 10.10.10.10 | |
| endpointGUID | string | EndpointID | The GUID of the agent which reported the detection | | |
| endpointGuid | string | EndpointID | The device GUID | | |
| endpointHostName | string | EndpointName | The endpoint hostname or node where the event was detected | | |
| endpointHostName | string | EndpointName | The host name of the device on which the event was detected | | |
| eventName | string | - | The event type | | |
| eventName | string | - | The name of the log event | | |
| eventTime | real | - | The time the agent or product detected the event (epoch milliseconds) | 1657135700000 | |
| objectId | string | - | The UUID of the object | | |
| objectId | string | - | The UUID of the Zero Trust Secure Access private access application | 11111111-1111-1111-1111-111111111111 | Zero Trust Secure Access - Private Access |
| osName | string | - | The host OS name | | |
| osName | string | - | The host operating system name | | |
| osVer | string | - | The OS version | 11 | |
| policyUuid | string | - | The UUID of the cloud access or risk control policy, or the hard-coded string that indicates the rule of the global blocked/approved URL list | | |
| policyUuid | string | - | The policy UUID | 11111111-1111-1111-1111-111111111111 | Zero Trust Secure Access - Private Access |
| principalName | string | - | The user principal name used to sign in to the proxy | sample_email@trendmicro.com | |
| principalName | string | UserAccount | The user principal name | sample_email@trendmicro.com | |
| request | string | URL | The notable URLs | | |
| request | string | URL | The destination URL that the user is accessing | | |
| requestBase | string | | The domain of the request URL | | |
| requestBase | string | | The URL domain | | |
| rt | string | - | The Unix time of the log generation (epoch milliseconds) | 1656324260000 | |
| rt | string | - | The UTC timestamp (epoch seconds) | 1599465660 | |
| ruleName | string | - | The name of the rule that triggered the event | | |
| ruleName | string | - | The name of the triggered cloud access rule | | |
| ruleType | string | - | The access rule type | | |
| ruleType | string | - | The rule type applied to the traffic | access | Zero Trust Secure Access - Private Access |
| ruleUuid | string | - | The signature UUID from the DV (Digital Vaccine) | | |
| ruleUuid | string | - | The UUID of the risk assessment and control rule defined in Zero Trust Secure Access risk control rules | 11111111-1111-1111-1111-111111111111 | Zero Trust Secure Access - Private Access |
| serverProtocol | string | - | The version of the HTTP protocol between the Service Gateway and the server/website | HTTP/1.1 | |
| serverTls | string | - | The TLS version between the Service Gateway and the server/website | TLS 1.2 | |
| sessionEnd | string | - | The session end time (epoch seconds) | 1575462989 | Zero Trust Secure Access - Private Access |
| sessionEnd | string | - | The session end time (epoch seconds) | 1575462989 | |
| sessionStart | string | - | The session start time (epoch seconds) | 1575462989 | Zero Trust Secure Access - Private Access |
| sessionStart | string | - | The session start time (epoch seconds) | 1575462989 | |
| spt | int | Port | The source port | | |
| spt | int | Port | The virtual source port assigned by the Secure Access Module (srcport) | 57763 | |
| src | dynamic | | The source IP | 10.10.10.10 | |
| src | string | | The source IP address (srcaddr) | 10.10.10.10 | |
| userAgent | string | - | The user agent, or the agent through which the request was made | | |
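A practical trap in the Zero Trust Secure Access tables above (both Internet Access and Private Access) is that `rt` is documented twice with different units, epoch milliseconds (1656324260000) and epoch seconds (1599465660), while `sessionStart` and `sessionEnd` are always seconds and `requestSize`/`responseSize` are strings. The following is an added example, not Trend Micro code: it triages a handful of constructed Internet Access and Private Access events, normalizing `rt` by magnitude, flagging Internet Access events where `failedHTTPSInspection` is True (the payload was never scanned, so `malName`, `profile` and `policyTemplate` cannot have fired) or where `serverTls` is below TLS 1.2, and rolling Private Access sessions up per `principalName`. The `act` values, the `Uncategorized` category, the upload threshold and the finding labels are this example's own assumptions.

```python
"""Triage Zero Trust Secure Access Internet/Private Access events (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed events using the tables' example values; not real logs.
INTERNET_EVENTS = [
    {"principalName": "sample_email@trendmicro.com", "requestBase": "www.google.com.tw",
     "urlCat": "Social Networking", "act": "allow", "rt": "1656324260000",   # milliseconds
     "clientTls": "TLS 1.2", "serverTls": "TLS 1.2", "failedHTTPSInspection": False,
     "requestSize": "1324", "responseSize": "1324"},
    {"principalName": "sample_email@trendmicro.com", "requestBase": "files.example.net",
     "urlCat": "Uncategorized", "act": "allow", "rt": "1599465660",          # seconds
     "clientTls": "TLS 1.2", "serverTls": "TLS 1.0", "failedHTTPSInspection": True,
     "requestSize": "52428800", "responseSize": "1324"},
]
PRIVATE_EVENTS = [
    {"principalName": "sample_email@trendmicro.com",
     "objectId": "11111111-1111-1111-1111-111111111111", "dpt": 443, "spt": 57763,
     "sessionStart": "1575462989", "sessionEnd": "1575463019", "ruleType": "access"},
]

UPLOAD_THRESHOLD_BYTES = 10 * 1024 * 1024   # assumption: 10 MiB per request


def rt_to_iso(rt):
    """Normalize rt whether it arrives in seconds or milliseconds."""
    n = int(rt)
    if n > 10**11:
        n //= 1000
    return datetime.fromtimestamp(n, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def tls_tuple(version):
    """'TLS 1.2' -> (1, 2); unknown strings sort lowest so they get flagged."""
    try:
        major, minor = version.split()[1].split(".")
        return (int(major), int(minor))
    except (IndexError, ValueError, AttributeError):
        return (0, 0)


def internet_findings(event):
    """Return the list of reasons an Internet Access event deserves a look."""
    reasons = []
    if event.get("failedHTTPSInspection"):
        reasons.append("https_inspection_failed")        # content verdicts absent
    if tls_tuple(event.get("serverTls", "")) < (1, 2):
        reasons.append("weak_server_tls")
    if int(event.get("requestSize", 0)) > UPLOAD_THRESHOLD_BYTES:
        reasons.append("large_upload")
    if event.get("urlCat") == "Uncategorized" and event.get("act") == "allow":
        reasons.append("allowed_uncategorized")
    return reasons


def summarize(internet_events, private_events):
    """Per-user rollup joining both ZTSA feeds on principalName."""
    users = defaultdict(lambda: {"upload_bytes": 0, "findings": [],
                                 "private_apps": set(), "private_session_seconds": 0})
    for ev in internet_events:
        u = users[ev["principalName"]]
        u["upload_bytes"] += int(ev.get("requestSize", 0))
        for reason in internet_findings(ev):
            u["findings"].append((rt_to_iso(ev["rt"]), ev["requestBase"], reason))
    for ev in private_events:
        u = users[ev["principalName"]]
        u["private_apps"].add(ev["objectId"])
        u["private_session_seconds"] += int(ev["sessionEnd"]) - int(ev["sessionStart"])
    return dict(users)


if __name__ == "__main__":
    for user, info in summarize(INTERNET_EVENTS, PRIVATE_EVENTS).items():
        print(user, info)
```

Because the two `rt` encodings differ by three orders of magnitude, sorting or windowing on the raw string silently puts every millisecond-encoded event decades in the future; normalize before you bucket. The `failedHTTPSInspection` check matters for the same reason a missing log is not a clean log: an allowed request that was never decrypted has no DLP or malware verdict behind its `act`.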
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| actResult | dynamic | - | The result of an action | | |
| appDexSha256 | string | FileSHA2 | The SHA-256 hash of the app dex | 08736EDDD3682AC26D9FD42DA2A20B0BADB5C85A5456A0AE85B52D60C564F290 | Mobile Security |
| appIsSystem | bool | - | Whether the app is a system app | False | Mobile Security |
| appIsSystem | bool | - | Whether the app is a system app | False | Mobile Security |
| appLabel | string | - | The app name | Mobile Security Virus Test Application | Mobile Security |
| appLabel | string | - | The app name (if the subject is an app) | Collection Nes Games | Mobile Security |
| appOrSystemEventHashId | string | - | The event object hash ID | 3859886410 | Mobile Security |
| appPkgName | string | - | The app package name | com.example.app_pkg_name_file | Mobile Security |
| appPkgName | string | - | The app package name (if the subject is an app) | com.ConsolesXX.CollectionNesGames | Mobile Security |
| appPublicKeySha1 | string | FileSHA1 | The SHA-1 hash of the app public key | 72080A6B4EB11105B28E31C4753BC91414500AD4 | Mobile Security |
| appPublicKeySha1 | string | FileSHA1 | The SHA-1 hash of the app public key (if the subject is an app) | 05FC638156219800DADAC48D8E621E0BCBD3C321 | Mobile Security |
| appSize | string | - | The app size (in bytes) | 28461 | Mobile Security |
| appSize | string | - | The app size (in bytes) if the subject is an app | 16906043 | Mobile Security |
| appVerCode | int | - | The app version code | 1 | Mobile Security |
| appVerCode | string | - | The app version code (if the subject is an app) | 0 | Mobile Security |
| detectionName | string | - | The general name for the detection | | |
| detectionType | string | - | The detection type | | |
| endpointGUID | string | EndpointID | The GUID of the agent which reported the detection | | |
| endpointGuid | string | EndpointID | The host GUID of the endpoint on which the event was detected | 11111111-1111-1111-1111-111111111111 | Mobile Security |
| endpointHostName | string | EndpointName | The endpoint hostname or node where the event was detected | | |
| endpointHostName | string | EndpointName | The host name of the endpoint on which the event was detected | | Mobile Security |
| endpointIp | dynamic | | The IP address of the endpoint on which the event was detected | | Mobile Security |
| endpointModel | string | - | The mobile device model | M2101K9G | Mobile Security |
| endpointModel | string | - | The endpoint device model | Pixel 3 XL | Mobile Security |
| eventHashId | string | - | The event hash ID | | Mobile Security |
| eventId | string | - | The event ID from the logs of each product | | |
| eventId | int | - | The event type | - | Mobile Security |
| eventName | string | - | The event type | | |
| eventSubId | int | - | The access type | | Mobile Security |
| eventTime | real | - | The time the agent detected the event | 1657781088000 | Mobile Security |
| extraInfo | dynamic | - | The extra information about the app | | Mobile Security |
| firstSeen | string | - | The time when the event started (in milliseconds) | 1656355418449 | Mobile Security |
| lastSeen | string | - | The time when the event ended (in milliseconds) | 1656355418449 | Mobile Security |
| logonUser | dynamic | UserAccount | The logon user name | | Mobile Security |
| mailbox | string | - | The mailbox that is protected by Trend Micro | sample_email@trendmicro.com | |
| majorVirusType | string | - | The virus type | | |
| marsAccount | string | - | The account for Trend Micro Mobile Apps Reputation Service | XDRv1 | Mobile Security |
| minorVirusType | string | - | The minor virus type | | Mobile Security |
| objectAppBehavior | string | - | The activity that occurred on the app | | Mobile Security |
| objectAppBehaviorAttr | string | - | The attributes of the app activity | android.intent.action.BOOT_COMPLETED | Mobile Security |
| objectAppDexSha256 | string | FileSHA2 | The SHA-256 hash of the app Dex value | C23A87B77B06442FD9AF9A80DD87191EDEADFAB766C862EBC592FE18063D0449 | Mobile Security |
| objectAppInstalledTime | string | - | The time of app installation (in milliseconds) | 1607935850 | Mobile Security |
| objectAppIsSystemApp | bool | - | Whether the app is a system app | True | Mobile Security |
| objectAppLabel | string | - | The app name | Collection Nes Games | Mobile Security |
| objectAppPackageName | string | - | The app package name | com.ConsolesXX.CollectionNesGames | Mobile Security |
| objectAppPublicKeySha1 | string | FileSHA1 | The SHA-1 hash of the app public key | 05FC638156219800DADAC48D8E621E0BCBD3C321 | Mobile Security |
| objectAppSha256 | string | FileSHA2 | The SHA-256 hash of the app | 692BC8E6BC51807A24BEACC13ED2B68E1F954E152863430E3179FA812937B8B0 | Mobile Security |
| objectAppSize | string | - | The app size (in bytes) | 16906043 | Mobile Security |
| objectAppVerCode | string | - | The app version code | 0 | Mobile Security |
| objectAppVerName | string | - | The app version | 1.0 | Mobile Security |
| objectCertAttr | string | - | The SHA-1 hash of the certificate public key | 05FC638156219800DADAC48D8E621E0BCBD3C321 | Mobile Security |
| objectFileCreation | string | - | The time the target file was created (in milliseconds) | | Mobile Security |
| objectFileHashSha256 | string | FileSHA2 | The SHA-256 hash of the target process image or target file | | Mobile Security |
| objectFileModifiedTime | string | - | The modification time of the target file (in milliseconds) | | Mobile Security |
| objectFilePath | string | | The file path of the target process image or target file | | Mobile Security |
| objectFileSize | string | - | The target file size | | Mobile Security |
| objectFirstSeen | string | - | The time when the object first appeared (in milliseconds) | | Mobile Security |
| objectHashId | string | - | The event object hash ID | | Mobile Security |
| objectLastSeen | string | - | The time when the object was last seen (in milliseconds) | | Mobile Security |
| objectSystemEventAttr | string | - | The system event attributes | LOCK_SCREEN | Mobile Security |
| osName | string | - | The host OS name | | |
| osName | string | - | The host operating system name | | Mobile Security |
| osVer | string | - | The OS version | 11 | |
| osVer | string | - | The OS version | | Mobile Security |
| pname | string | - | The internal product ID | | |
| pname | string | - | The internal product ID (deprecated, use productCode) | | Mobile Security |
| pver | string | - | The product version | | |
| pver | string | - | The product version | | Mobile Security |
| request | string | URL | The notable URLs | | |
| request | string | URL | The request URL | | Mobile Security |
| score | int | - | The Web Reputation Services URL rating | | |
| srcFileCreation | string | - | The time when the source file was created (in milliseconds) | | Mobile Security |
| srcFileHashId | string | - | The source file hash ID | | Mobile Security |
| srcFileHashSha256 | string | FileSHA2 | The SHA-256 hash of the source file | | Mobile Security |
| srcFileModifiedTime | string | - | The time when the source file was modified (in milliseconds) | | Mobile Security |
| srcFilePath | string | | The source file path | | Mobile Security |
| srcFileSize | string | - | The source file size | | Mobile Security |
| srcFirstSeen | string | - | The time when the source file first appeared (in milliseconds) | | Mobile Security |
| srcLastSeen | string | - | The time when the source file was last seen (in milliseconds) | | Mobile Security |
| systemEventAttr | string | - | The attributes of the system event (if the subject is a system event) | usbdebugging | Mobile Security |
| urlCat | dynamic | - | The requested URL category | | |
| userType | string | - | The user type | | Mobile Security |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | dynamic | - | The actions taken to mitigate the event | | |
| cnt | string | - | The total number of logs | | |
| direction | string | - | The direction | | |
| dmac | string | - | The MAC address of the destination IP (dest_ip) | | |
| dpt | int | Port | The destination port | | |
| dst | dynamic | | The destination IP | 10.10.10.10 | |
| endpointIp | dynamic | | The IP address of the endpoint on which the event was detected | 10.10.10.10 | |
| endpointMacAddress | string | - | The MAC address of the endpoint | | |
| eventName | string | - | The event type | | |
| filterName | string | - | The filter name | | |
| filterType | string | - | The filter type | | |
| hostName | string | | The computer name of the client host (the hostname from the suspicious URL detected by Deep Discovery Inspector) | | |
| interestedIp | dynamic | | The IP of the interestedHost | 10.10.10.10 | |
| interestedMacAddress | string | - | The MAC address identified as the log owner's | | |
| majorVirusType | string | - | The virus type | | |
| policyName | string | - | The name of the triggered policy | | |
| proto | string | - | The exploited layer network protocol | | |
| remarks | string | - | The additional information | | |
| ruleId64 | long | - | The IPS rule ID | | |
| smac | string | - | The source MAC address | | |
| spt | int | Port | The source port | | |
| src | dynamic | | The source IP | 10.10.10.10 | |
| vLANId | int | - | The virtual LAN ID | - | |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| actResult | dynamic | - | The result of an action | | |
| aggregatedCount | string | - | The number of aggregated events | | |
| endpointGUID | string | EndpointID | The GUID of the agent which reported the detection | | |
| endpointHostName | string | EndpointName | The endpoint hostname or node where the event was detected | | |
| endpointMacAddress | string | - | The MAC address of the endpoint | | |
| eventId | string | - | The event ID from the logs of each product | | |
| eventName | string | - | The event type | | |
| eventSubId | int | - | The access type | | |
| fileName | dynamic | FileName | The file name | | |
| filePath | string | FileFullPath | The file path without the file name | | |
| filePathName | string | FileFullPath | The file path with the file name | | |
| firstSeen | string | - | The first time the XDR log appeared | 1657195233000 | |
| fullPath | string | FileFullPath | The combination of the file path and the file name | | |
| lastSeen | string | - | The last time the XDR log appeared | 1657195233000 | |
| majorVirusType | string | - | The virus type | | |
| malName | string | - | The name of the detected malware | | |
| parentFileHashSha256 | string | FileSHA2 | The SHA-256 of the subject parent process | | |
| quarantineFileName | string | - | The file path of the quarantined object | C:\Program Files\TXOne\StellarProtect\private\quarantine\00000000-0000-0000-0000-000000000000 | TXOne StellarOne |
| techniqueId | dynamic | Technique | The technique ID detected by the product agent based on a detection rule | - | |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| additionalEventData | dynamic | - | The additional data about the event that was not part of the request | {"SignatureVersion":"SigV4","CipherSuite":"ECDHE-RSA-AES128-GCM-SHA256"} | Trend Cloud One - AWS CloudTrail Integration |
| apiVersion | string | - | The API version associated with the AwsApiCall eventType value | 2012-08-10 | Trend Cloud One - AWS CloudTrail Integration |
| awsRegion | string | - | The AWS region that the request was made to | | Trend Cloud One - AWS CloudTrail Integration |
| errorCode | string | - | The AWS service error code | | Trend Cloud One - AWS CloudTrail Integration |
| errorMessage | string | - | The description of the error | | Trend Cloud One - AWS CloudTrail Integration |
| eventCategory | string | - | The event category used in LookupEvents calls | | Trend Cloud One - AWS CloudTrail Integration |
| eventID | string | - | The GUID generated by AWS CloudTrail to identify events | 11111111-1111-1111-1111-111111111111 | Trend Cloud One - AWS CloudTrail Integration |
| eventName | string | - | The name of the log event | | Trend Cloud One - AWS CloudTrail Integration |
| eventSource | string | - | The AWS service the request was made to | | Trend Cloud One - AWS CloudTrail Integration |
| eventTime | string | - | The time the agent or product detected the event | 2022-07-06T22:28:06+00:00 | Trend Cloud One - AWS CloudTrail Integration |
| eventType | string | - | The type of event that generated the event record | | Trend Cloud One - AWS CloudTrail Integration |
| eventVersion | string | - | The version of the log event format | 1.08 | Trend Cloud One - AWS CloudTrail Integration |
| readOnly | bool | - | Whether the operation is read-only | | Trend Cloud One - AWS CloudTrail Integration |
| recipientAccountId | string | - | The account ID that received the event | 123456789012 | Trend Cloud One - AWS CloudTrail Integration |
| requestID | string | - | The value that identifies the request (the service being called generates this value) | 11111111-1111-1111-1111-111111111111 | Trend Cloud One - AWS CloudTrail Integration |
| requestParameters | dynamic | - | The parameters, if any, that were sent with the request (parameters are documented in the API reference docs for the appropriate AWS service) | {"durationSeconds": 3600, "roleSessionName":"BackplaneAssumeRoleSession"} | Trend Cloud One - AWS CloudTrail Integration |
| resources | dynamic | - | The list of resources accessed in the event | [{"type":"AWS::S3::Object","ARN":"arn:aws:s3:::your-bucket/file.txt"}] | Trend Cloud One - AWS CloudTrail Integration |
| responseElements | dynamic | - | The response elements for actions that made changes (create, update, or delete actions) | {"user":{"createDate":"Mar 24, 2014 9:11:59 PM","userName":"Bob","arn":"arn:aws:iam::123456789012:user/Bob","path":"/","userId":"EXAMPLEUSERID"}} | Trend Cloud One - AWS CloudTrail Integration |
| serviceEventDetails | dynamic | - | The service event (including what triggered the event and the result) | {"lifecycleEventPolicy":{"policyVersion":1,"policyId":"11111111-1111-1111-1111-111111111111"}} | Trend Cloud One - AWS CloudTrail Integration |
| sharedEventID | string | - | The GUID generated by AWS CloudTrail to uniquely identify CloudTrail events (from the same AWS action that is sent to different AWS accounts) | 11111111-1111-1111-1111-111111111111 | Trend Cloud One - AWS CloudTrail Integration |
| sourceIPAddress | string | | The IP address the request was made from (for actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server; for services in AWS, only the DNS name is displayed) | | Trend Cloud One - AWS CloudTrail Integration |
| userAgent | string | CLICommand | The user agent or the agent through which the request was made | | Trend Cloud One - AWS CloudTrail Integration |
| userIdentity | dynamic | - | Information about the user that made the request | | Trend Cloud One - AWS CloudTrail Integration |
| vpcEndpointId | string | - | The VPC endpoint in which requests were made from a VPC to another AWS service (such as Amazon S3) | vpce-00000000000000000 | Trend Cloud One - AWS CloudTrail Integration |
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| flowId | string | - | The connection ID | | Trend Micro Deep Discovery Director Network Analytic SaaS |