Important
This data source query method is no longer available after May 4, 2026. For more information on the currently available data sources for use in XDR Data Explorer queries, go to https://trendmicro.github.io/tm-v1-schema/pages/index.
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| clusterId | string | - | The cluster ID of the container | `TestCluster-2HJdImvH6eO1fgTnCBK3xYA7Sph` | Cloud One - Container Security |
| clusterName | string | - | The cluster name of the container | `TestCluster` | Cloud One - Container Security |
| containerId | string | - | The Kubernetes container ID | `7d1e00176d78` | Cloud One - Container Security |
| containerImage | string | - | The Kubernetes container image | `debian:latest` | Cloud One - Container Security |
| containerName | string | - | The Kubernetes container name | `k8s_democon_longrunl_default_11111111-1111-1111-1111-111111111111_0` | Cloud One - Container Security |
| customAssetTags | dynamic | - | The list of custom asset tags | `{"os":["linux", "windows"], "org":["bu1"]}` | Cloud One - Container Security |
| dpt | int | Port | The destination port | - | Cloud One - Container Security |
| dst | string | IPv4, IPv6 | The destination IP | `::`, `10.10.10.10` | Cloud One - Container Security |
| eventId | int | - | The event type | - | Cloud One - Container Security |
| eventSubId | int | - | The access type | `2 - TELEMETRY_PROCESS_CREATE`, `101 - TELEMETRY_FILE_CREATE`, `204 - TELEMETRY_CONNECTION_CONNECT_OUTBOUND` | Cloud One - Container Security |
| eventTime | real | - | The time the agent detected the event | `1657781088000` | Cloud One - Container Security |
| filterRiskLevel | string | - | The top-level risk level of the event | `info`, `low`, `medium` | All products |
| groupId | string | - | The group ID for the management scope filter | `11111111-1111-1111-1111-111111111111` | All products |
| k8sNamespace | string | - | The Kubernetes namespace of the container | `default` | Cloud One - Container Security |
| k8sPodId | string | - | The Kubernetes pod ID of the container | `11111111-1111-1111-1111-111111111111` | Cloud One - Container Security |
| k8sPodName | string | - | The Kubernetes pod name of the container | `longrunl` | Cloud One - Container Security |
| logReceivedTime | long | - | The time when the XDR log was received | `1656324260000` | All products |
| objectFilePath | string | FileFullPath, FileName | The file path of the target process image or target file | `/usr/bin/bash`, `/bin/bash`, `/opt/folder1/probes/system/processes/processes` | Cloud One - Container Security |
| objectUser | string | UserAccount | The owner name of the target process or the sign-in user name | `root`, `SYSTEM`, `oracle` | Cloud One - Container Security |
| parentCmd | string | CLICommand | The command line entry of the parent process | `C:\WINDOWS\system32\services.exe`, `C:\Windows\system32\services.exe`, `/sbin/launchd` | Cloud One - Container Security |
| parentFilePath | string | FileFullPath, FileName | The file path of the parent process | `c:\windows\system32\services.exe`, `/usr/bin/bash`, `c:\windows\system32\svchost.exe` | Cloud One - Container Security |
| parentPid | int | - | The PID of the parent process | `4`, `1`, `784`, `792` | Cloud One - Container Security |
| platformAssetTags | dynamic | - | The list of platform custom asset tags | `{"Asset group":["finance"], "some.ip": ["10.1.0.1"]}` | Cloud One - Container Security |
| processCmd | string | CLICommand | The command line entry of the subject process | `C:\WINDOWS\system32\services.exe`, `C:\Windows\system32\services.exe`, `/sbin/launchd` | Cloud One - Container Security |
| processFilePath | string | ProcessFullPath | The file path of the subject process | `c:\windows\system32\services.exe`, `/usr/bin/bash`, `c:\windows\system32\svchost.exe` | Cloud One - Container Security |
| processName | string | ProcessName | The image name of the process that triggered the event | `/usr/bin/bash`, `c:\windows\system32\svchost.exe`, `c:\windows\system32\lsass.exe` | Cloud One - Container Security |
| processPid | int | - | The PID of the subject process | `4`, `1`, `784`, `792` | Cloud One - Container Security |
| productCode | string | - | The internal product code | `scs` | All products |
| pver | string | - | The product version | `1.2.0.2752`, `1.0.345`, `1.2.0.2657` | Cloud One - Container Security |
| spt | int | Port | The source port | `53`, `5353`, `443` | Cloud One - Container Security |
| src | string | IPv4, IPv6 | The source IP | `::`, `10.10.10.10` | Cloud One - Container Security |
| srcFilePath | string | FileFullPath, FileName | The source file path | `\\cnva-apps\megaclockprod\traveler\travelerprint.accdb`, `c:\program files\common files\microsoft shared\clicktorun\officesvcmgrschedule.xml`, `q:\a7_dbs\a4_pkg\a4_packaging.accde` | Cloud One - Container Security |
| tags | dynamic | Technique, Tactic | The detected ID based on the alert filter | `MITREV9.T1057`, `MITREV9.T1059.003`, `XSAE.F2924` | All products, Cloud One - Container Security |
| uuid | string | - | The unique key of the log | `11111111-1111-1111-1111-111111111111` | All products |