Important
This data source query method is no longer available after May 4, 2026. For more information on the currently available data sources for use in XDR Data Explorer queries, go to https://trendmicro.github.io/tm-v1-schema/pages/index.
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| additionalEventData | dynamic | - | The additional data about the event that was not part of the request | `{"SignatureVersion":"SigV4","CipherSuite":"ECDHE-RSA-AES128-GCM-SHA256"}` | Cloud One - AWS CloudTrail |
| apiVersion | string | - | The API version associated with the AwsApiCall eventType value | `2012-08-10` | Cloud One - AWS CloudTrail |
| awsRegion | string | - | The AWS region that the request was made to | `us-east-1`<br>`us-east-2`<br>`us-west-1` | Cloud One - AWS CloudTrail |
| errorCode | string | - | The AWS service error code | `ThrottlingException`<br>`InvalidParameterValueException`<br>`NoSuchLifecycleConfiguration` | Cloud One - AWS CloudTrail |
| errorMessage | string | - | The error description | `The specified bucket does not have a website configuration`<br>`An unknown error occurred`<br>`The lifecycle configuration does not exist` | Cloud One - AWS CloudTrail |
| eventCase | string | - | The AWS service that the request was made to | `workspaces.amazonaws.com`<br>`sts.amazonaws.com`<br>`kms.amazonaws.com` | All products |
| eventCategory | string | - | The event category used in LookupEvents calls | `Management`<br>`Data`<br>`Insight` | Cloud One - AWS CloudTrail |
| eventID | string | - | The GUID generated by AWS CloudTrail to identify events | `11111111-1111-1111-1111-111111111111` | Cloud One - AWS CloudTrail |
| eventName | string | - | The name of the log event | `PutObject`<br>`GetObject`<br>`DescribeTable` | Cloud One - AWS CloudTrail |
| eventSource | string | - | The AWS service the request was made to | `s3.amazonaws.com`<br>`dynamodb.amazonaws.com`<br>`xray.amazonaws.com` | Cloud One - AWS CloudTrail |
| eventSubId | string | - | The access type | `PutObject`<br>`GetObject`<br>`DescribeTable` | All products |
| eventTime | string | - | The time the agent or product detected the event | `2022-07-06T22:28:06Z` | Cloud One - AWS CloudTrail |
| eventType | string | - | The type of event that generated the event record | `AwsApiCall`<br>`AwsServiceEvent`<br>`AwsConsoleAction` | Cloud One - AWS CloudTrail |
| eventVersion | string | - | The log event format version | `1.08` | Cloud One - AWS CloudTrail |
| filterRiskLevel | string | - | The top-level risk level of the event | `info`<br>`low`<br>`medium` | All products |
| groupId | string | - | The group ID for the management scope filter | `11111111-1111-1111-1111-111111111111` | All products |
| logReceivedTime | long | - | The time when the XDR log was received | `1656324260000` | All products |
| policyTreePath | string | - | The policy tree path (endpoint only) | `policyname1/policyname2/policyname3` | All products |
| productCode | string | - | The internal product code | `sct` | All products |
| readOnly | bool | - | Whether the operation is read-only | `true`<br>`false` | Cloud One - AWS CloudTrail |
| recipientAccountId | string | - | The account ID that received the event | `123456789012` | Cloud One - AWS CloudTrail |
| requestID | string | - | The request value | `11111111-1111-1111-1111-111111111111` | Cloud One - AWS CloudTrail |
| requestParameters | dynamic | - | The parameters, if any, that were sent with the request | `{"durationSeconds": 3600, "roleSessionName":"BackplaneAssumeRoleSession"}` | Cloud One - AWS CloudTrail |
| resources | dynamic | - | The list of resources accessed in the event | `[{"type":"AWS::S3::Object","ARN":"arn:aws:s3:::your-bucket/file.txt"}]` | Cloud One - AWS CloudTrail |
| responseElements | dynamic | - | The response elements for actions that made changes (create, update, or delete actions) | `{"user":{"createDate":"Mar 24, 2014 9:11:59 PM","userName":"Bob","arn":"arn:aws:iam::123456789012:user/Bob","path":"/","userId":"EXAMPLEUSERID"}}` | Cloud One - AWS CloudTrail |
| serviceEventDetails | dynamic | - | The service event (including what triggered the event and the result) | `{"lifecycleEventPolicy":{"policyVersion":1,"policyId":"11111111-1111-1111-1111-111111111111"}}` | Cloud One - AWS CloudTrail |
| sharedEventID | string | - | The GUID generated by AWS CloudTrail to uniquely identify CloudTrail events (from the same AWS action that is sent to different AWS accounts) | `11111111-1111-1111-1111-111111111111` | Cloud One - AWS CloudTrail |
| sourceIPAddress | string | IPv4<br>IPv6 | The IP address the request was made from (For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server. For services in AWS, only the DNS name is displayed.) | `10.10.10.10`<br>`apigateway.amazonaws.com`<br>`config.amazonaws.com` | Cloud One - AWS CloudTrail |
| tags | dynamic | - | The detected technique ID based on the alert filter | `MITREV9.T1090`<br>`MITRE.T1059`<br>`MITREV9.T1059.001` | All products |
| userAgent | string | CLICommand | The user agent or the agent through which the request was made | `signin.amazonaws.com`<br>`console.amazonaws.com`<br>`aws-cli/1.3.23 Python/2.7.6 Linux/2.6.18-164.el5` | Cloud One - AWS CloudTrail |
| userIdentity | dynamic | - | The information about the user that made a request | `{"type":"AWSService","invokedBy":"apigateway.amazonaws.com"}`<br>`{"type":"AWSService","invokedBy":"lambda.amazonaws.com"}` | Cloud One - AWS CloudTrail |
| uuid | string | - | The unique key of the log | `11111111-1111-1111-1111-111111111111` | All products |
| vpcEndpointId | string | - | The VPC endpoint in which requests were made from a VPC to another AWS service (such as Amazon S3) | `vpce-00000000000000000` | Cloud One - AWS CloudTrail |