| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| accessPermission | | - | The access permission type | | |
| act | | - | The actions taken to mitigate the event | | |
| actResult | | - | The result of an action | | |
| aggregatedCount | | - | The number of aggregated events | | |
| appDexSha256 | | | The SHA-256 of the app DEX file | | |
| appGroup | | - | The app category of the event | | |
| appIsSystem | | - | Whether the app is a system app | | |
| appLabel | | - | The app name | | |
| appPkgName | | - | The app package name | | |
| appPublicKeySha1 | | | The SHA-1 of the app public key | | |
| appSize | | - | The app size (in bytes) | | |
| appVerCode | | - | The app version code | | |
| application | | - | The name of the requested application | | |
| aptCampaigns | | - | The related APT campaigns | | |
| aptRelated | | - | Whether the event is related to an APT | | |
| attachment | | - | The information about the email attachment | | |
| attachmentFileHash | | | The SHA-1 of the email attachment | | |
| attachmentFileHashMd5 | | | The MD5 of the attached file (attachmentFileName) | | |
| attachmentFileHashSha1 | | | The SHA-1 of the attached file (attachmentFileName) | | |
| attachmentFileHashSha256 | | | The SHA-256 of the attached file (attachmentFileName) | | |
| attachmentFileHashes | | - | The SHA-1 hashes of the email attachments | | |
| attachmentFileHashs | | - | The SHA-1 hash value of the attachment file | | |
| attachmentFileName | | | The file name of an attachment | | |
| attachmentFileSize | | - | The file size of the email attachment | | |
| attachmentFileSizes | | - | The file sizes of the email attachments | | |
| attachmentFileTlshes | | - | The TLSH hashes of the email attachments | | |
| attachmentFileTlshs | | - | The TLSH hash value of the attachment file | | |
| attachmentFileType | | - | The file type of the email attachment | | |
| authType | | - | The authorization type | | |
| azId | | - | The virtual machine Availability Zone ID | | |
| behaviorCat | | - | The matched policy category | | |
| blocking | | - | The blocking type | | |
| bmGroup | | - | The one-to-many data structure | | |
| botCmd | | | The bot command | | |
| botUrl | | | The bot URL | | |
| category | | - | The event category | | |
| cccaDestination | | | The destination domain, IP, URL, or recipient | | |
| cccaDestinationFormat | | - | The C&C server access format | | |
| cccaDetection | | - | Whether this log is identified as a C&C callback address detection | | |
| cccaDetectionSource | | - | The list that defines this C&C callback detection rule | | |
| cccaRiskLevel | | - | The severity level of the threat actors associated with the C&C servers | - | |
| censusMaturityValue | | - | The CENSUS maturity value | | |
| censusPrevalenceValue | | - | The CENSUS prevalence value | | |
| channel | | - | The Windows event log channel through which the requested Windows Event is delivered | | |
| clientFlag | | - | Whether the client is a source or destination | | |
| clientIp | | - | The IP addresses of the source | | |
| clientStatus | | - | The client status when the event occurred | | |
| cloudAccountId | | - | The cloud account ID | | |
| cloudAppCat | | - | The category of the event in Cloud Reputation Service | | |
| cloudAppName | | - | The cloud app name | | |
| cloudMachineImageId | | - | The cloud machine image ID | | |
| cloudMachineImageName | | - | The cloud machine image name | | |
| cloudProvider | | - | The service provider of the cloud asset | | |
| cloudResourceDigest | | - | The cloud resource digest | | |
| cloudResourceId | | - | The cloud resource ID | | |
| cloudResourceTags | | - | The cloud resource tags | | |
| cloudResourceType | | - | The cloud resource type | | |
| cloudResourceVersion | | - | The cloud resource version | | |
| cloudStorageName | | - | The cloud storage name | | |
| clusterId | | - | The cluster ID of the container | | |
| clusterName | | - | The cluster name of the container | | |
| cnt | | - | The total number of logs | | |
| compressedFileHash | | | The SHA-1 of the decompressed archive | | |
| compressedFileHashSha256 | | | The SHA-256 of the compressed suspicious file | | |
| compressedFileName | | | The file name of the compressed file | | |
| compressedFileSize | | - | The file size of the decompressed archive file | | |
| compressedFileType | | - | The file type of the decompressed archive file | | |
| computerDomain | | - | The computer domain | | |
| containerId | | - | The Kubernetes container ID | | |
| containerImage | | - | The Kubernetes container image | | |
| containerImageDigest | | - | The Kubernetes container image digest | | |
| containerName | | - | The Kubernetes container name | | |
| correlationCat | | - | The correlation category | | |
| customTags | | - | The event tags | | |
| cve | | - | The CVE identifier | | |
| cves | | - | The CVEs associated with this filter | | |
| dOSClass | | - | The destination device OS class | | |
| dOSName | | - | The destination host OS | | |
| dOSVendor | | - | The destination device OS vendor | | |
| dUser1 | | | The latest sign-in user of the destination | | |
| dacDeviceType | | - | The device type | | |
| data0 | | - | The value of the Deep Discovery Inspector correlation log | | |
| data0Name | | - | The name of the Deep Discovery Inspector correlation log | | |
| data1 | | - | The Deep Discovery Inspector correlation log metadata | | |
| data1Name | | - | The name of the Deep Discovery Inspector correlation log | | |
| data2 | | - | The value of the Deep Discovery Inspector correlation log | | |
| data2Name | | - | The name of the Deep Discovery Inspector correlation log | | |
| data3 | | - | The value of the Deep Discovery Inspector correlation log | | |
| data4 | | - | The value of the Deep Discovery Inspector correlation log | | |
| dceArtifactActions | | - | The actions performed on Damage Cleanup Engine artifacts | | |
| dceHash1 | | - | Whether the Trend Micro Threat Mitigation Server requires the log (the Trend Micro Threat Mitigation Server is EOL) | | |
| dceHash2 | | - | Whether the Trend Micro Threat Mitigation Server requires the log (the Trend Micro Threat Mitigation Server is EOL) | | |
| denyListFileHash | | | The SHA-1 of the Virtual Analyzer Suspicious Object | | |
| denyListFileHashSha256 | | - | The SHA-256 of the User-Defined Suspicious Object | | |
| denyListHost | | | The domain of the Virtual Analyzer Suspicious Object | | |
| denyListIp | | | The IP of the Virtual Analyzer Suspicious Object | | |
| denyListRequest | | - | The block list event request | | |
| denyListType | | - | The block list type | | |
| destinationPath | | - | The intended destination of the file containing the digital asset or channel | | |
| detectedActions | | - | The actions performed on detected artifacts | | |
| detectedBackupArtifacts | | - | The information about detected artifacts | | |
| detectedBackupFolder | | - | The folder path for detected backup folders | | |
| detectedPattern | | - | The detected pattern | | |
| detectionAggregationId | | - | The correlation key for detection logs and artifacts | | |
| detectionDetail | | - | The details about each event type | | |
| detectionEngineVersion | | - | The detection engine version | | |
| detectionName | | - | The general name for the detection | | |
| detectionType | | - | The detection type | | |
| deviceDirection | | - | The device direction (If the source IP is in the internal network monitored by Deep Discovery Inspector, the event is tagged as outbound. All other cases are inbound. Internal-to-internal traffic is also tagged as outbound.) | | |
| deviceGUID | | - | The GUID of the agent that reported the detection | | |
| deviceMacAddress | | - | The device MAC address | | |
| deviceModel | | - | The device model number | | |
| devicePayloadId | | - | The device payload ID | | |
| deviceSerial | | - | The device serial ID | | |
| dhost | | | The destination hostname | | |
| direction | | - | The direction | | |
| diskPartitionId | | - | The cloud volume partition ID | | |
| dmac | | - | The MAC address of the destination IP (dest_ip) | | |
| domainName | | | The detected domain name | | |
| dpt | | | The destination port | | |
| dst | | | The destination IP | | |
| dstEquipmentId | | - | The destination IMEI | | |
| dstFamily | | - | The destination device family | | |
| dstGroup | | - | The group name defined by the administrator of the destination | | |
| dstLocation | | - | The destination country | | |
| dstSubscriberDirNum | | - | The destination MSISDN | | |
| dstSubscriberId | | - | The destination IMSI | | |
| dstType | | - | The destination device type | | |
| dstZone | | - | The network zone defined by the destination administrator | | |
| duser | | | The email recipient | | |
| dvc | | - | The Deep Discovery Inspector appliance IP address | | |
| dvchost | | - | The computer on which the Trend Micro product is installed | | |
| endpointGUID | | | The GUID of the agent that reported the detection | | |
| endpointHostName | | | The endpoint hostname or node where the event was detected | | |
| endpointIp | | | The IP address of the endpoint on which the event was detected | | |
| endpointMacAddress | | - | The endpoint MAC address | | |
| endpointModel | | - | The mobile device model | | |
| engType | | - | The engine type | | |
| engVer | | - | The engine version | | |
| engineOperation | | - | The operation of the engine event | | |
| eventClass | | - | The event category | | |
| eventId | | - | The event ID from the logs of each product | | |
| eventName | | - | The event type | | |
| eventSubClass | | - | The sub-event class category | | |
| eventSubId | | - | The access type | | |
| eventSubName | | - | The event type sub-name | | |
| extraInfo | | - | The network application name | | |
| fileCreation | | - | The file creation date | | |
| fileDesc | | - | The file description | | |
| fileExt | | - | The file extension of the suspicious file | | |
| fileHash | | | The SHA-1 of the file that triggered the rule or policy | | |
| fileHashMd5 | | | The MD5 of the file | | |
| fileHashSha256 | | | The SHA-256 of the file (fileName) | | |
| fileName | | | The file name | | |
| fileOperation | | - | The operation performed on the file | | |
| filePath | | | The file path without the file name | | |
| filePathName | | | The file path with the file name | | |
| fileSize | | - | The file size of the suspicious file | | |
| fileType | | - | The file type of the suspicious file | | |
| fileVer | | - | The file version | | |
| filterName | | - | The filter name | | |
| filterRiskLevel | | - | The top-level filter risk of the event | | |
| filterType | | - | The filter type | | |
| firmalware | | - | The Deep Discovery Inspector firmware version | | |
| firstAct | | - | The first scan action | | |
| firstActResult | | - | The first scan action result | | |
| firstSeen | | - | The first time the XDR log appeared | | |
| flowId | | - | The connection ID | | |
| forensicFileHash | | - | The hash value of the forensic data file | | |
| forensicFilePath | | - | The file path of the forensic file (When a Data Loss Prevention policy is triggered, the file is encrypted and copied to the OfficeScan server for post-mortem analysis.) | | |
| ftpUser | | - | The FTP sign-in user name | | |
| fullPath | | | The combination of the file path and the file name | | |
| groups | | - | The OSSEC rule group names | | |
| hasdtasres | | - | Whether the log contains a report from Virtual Analyzer | | |
| highlightMailMsgSubject | | - | The email subject | | |
| highlightedFileHashes | | | The SHA-1 hashes of the highlighted files | | |
| highlightedFileName | | - | The file names of suspicious attachments | | |
| hostName | | | The computer name of the client host (the hostname from the suspicious URL detected by Deep Discovery Inspector) | | |
| hostSeverity | | - | The severity of the threat (specific to the interestedIp) | | |
| hotFix | | - | The applied Deep Discovery Inspector hotfix version | | |
| httpReferer | | | The HTTP Referer header | | |
| httpRespContentType | | - | The HTTP response content type | | |
| httpXForwardedFor | | - | The HTTP X-Forwarded-For header | | |
| icmpCode | | - | The ICMP code field | | |
| icmpType | | - | The ICMP type field | | |
| instanceId | | - | The instance ID of the cloud or data center VM | | |
| instanceName | | - | The instance name of the cloud or data center VM | | |
| integrityLevel | | - | The integrity level of a process | | |
| interestedGroup | | - | The network group associated with the user-defined source IP or destination IP | | |
| interestedHost | | | The endpoint hostname (for example, if an intranet host accesses a suspicious internet host, the intranet host is the "peerHost" and the internet host is the "interestedHost") | | |
| interestedIp | | | The IP of the interestedHost | | |
| interestedMacAddress | | - | The log owner MAC address | | |
| ircChannelName | | - | The IRC channel name | | |
| ircUserName | | - | The IRC user name | | |
| isEntity | | - | The current entity (after the change or modification) | | |
| isHidden | | - | Whether the detection log generated a grey rule match | | |
| isPrivateApp | | - | Whether the requested application is private | | |
| isProxy | | - | Whether something is a proxy | | |
| isRetroScan | | - | Whether the event matches the Security Analytics Engine filter | | |
| ja3Hash | | - | The JA3 fingerprint of the SSL/TLS client application, as detected by a network sensor or device | | |
| ja3sHash | | - | The JA3S fingerprint of the SSL/TLS server application, as detected by a network sensor or device | | |
| k8sNamespace | | - | The Kubernetes namespace of the container | | |
| k8sPodId | | - | The Kubernetes pod ID of the container | | |
| k8sPodName | | - | The Kubernetes pod name of the container | | |
| lastSeen | | - | The last time the XDR log appeared | | |
| logKey | | - | The unique key of the event | | |
| logReceivedTime | | - | The time when the XDR log was received | | |
| logonUsers | | - | For telemetry events that matched the Security Analytics Engine filter, the logonUsers value of the original events | | |
| mDevice | | - | The source IP | | |
| mDeviceGUID | | - | The GUID of the agent host | | |
| mailDeliveryTime | | - | The mail delivery time | | |
| mailFolder | | - | The email folder name | | |
| mailMsgId | | - | The internet message ID of the email | | |
| mailMsgSubject | | | The email subject | | |
| mailReceivedTime | | - | The mail received timestamp | - | |
| mailSmtpFromAddresses | | - | The envelope address of the sender | | |
| mailSmtpHelo | | - | The domain name that the sending mail server presented in the SMTP HELO command | | |
| mailSmtpOriginalRecipients | | - | The envelope addresses of the original recipients | | |
| mailSmtpRecipients | | - | The envelope addresses of the current recipients | | |
| mailSmtpTls | | - | The SMTP TLS version | | |
| mailUniqueId | | - | The unique ID of the email | | |
| mailbox | | - | The mailbox that is protected by Trend Micro | | |
| majorVirusType | | - | The virus type | | |
| malDst | | - | The malware infection destination | | |
| malFamily | | - | The threat family | | |
| malName | | - | The name of the detected malware | | |
| malSrc | | | The malware infection source | | |
| malSubType | | - | The subsidiary virus type | | |
| malType | | - | The risk type for Network Content Correlation Engine rules | | |
| malTypeGroup | | - | The risk type group for Network Content Correlation Engine rules | | |
| matchedContent | | - | The one-to-many data structure | | |
| mimeType | | - | The MIME type or content type of the response body | | |
| minorVirusType | | - | The minor virus type | | |
| mitigationTaskId | | - | The unique ID that identifies the mitigation request | | |
| mitreMapping | | - | The MITRE tags | | |
| mitreVersion | | - | The MITRE version | | |
| moduleScanType | | - | The module scan type | | |
| mpname | | - | The management product name | | |
| mpver | | - | The product version | | |
| msgAct | | - | The message action | | |
| msgId | | | The internet message ID | | |
| msgTOCUuid | | - | The email unique ID | | |
| msgUuid | | - | The unique email ID | | |
| msgUuidChain | | - | The message UUID chain | | |
| netBiosDomainName | | | The NetBIOS domain name | | |
| objectActions | | - | The object process actions | | |
| objectApiName | | - | The API name | | |
| objectArtifactIds | | - | The artifact IDs generated by objectAction | | |
| objectAttributes | | - | The object attributes | | |
| objectCmd | | | The object process command line | | |
| objectEntityName | | - | The object entity name | | |
| objectFileAccess | | - | The object file access details | | |
| objectFileCreation | | - | The UTC time that the object was created | | |
| objectFileHashMd5 | | | The MD5 of the object | | |
| objectFileHashSha1 | | | The SHA-1 of the object (objectFilePath) | | |
| objectFileHashSha256 | | | The SHA-256 of the object (objectFilePath) | | |
| objectFileModified | | - | The UTC time that the object was modified | - | |
| objectFileName | | | The object file name | | |
| objectFilePath | | | The file path of the target process image or target file | | |
| objectFirstRecorded | | - | The first time that the object appeared | - | |
| objectId | | - | The UUID of the object | | |
| objectIp | | | The IP address of the domain | | |
| objectName | | - | The base name of the object file or process | | |
| objectPayloadFileHashSha1 | | | The SHA-1 of the object payload file | - | |
| objectPipeName | | - | The object pipe name | | |
| objectRegistryData | | | The registry data contents | | |
| objectRegistryKeyHandle | | | The registry key path | | |
| objectRegistryRoot | | - | The name of the object registry root key | | |
| objectRegistryValue | | | The registry value name | | |
| objectSigner | | - | The list of object process signers | | |
| objectSignerFlagsAdhoc | | - | The list of object process signature ad hoc flags | - | |
| objectSignerFlagsLibValid | | - | The list of object process signature library validation flags | - | |
| objectSignerFlagsRuntime | | - | The list of object process signature runtime flags | - | |
| objectSignerValid | | - | Whether each signer of the object process is valid | - | |
| objectSubType | | - | The sub-types of the policy event (displayed when a policy event has sub-types) | | |
| objectTargetProcess | | - | The file path of the target process on which the API acts | | |
| objectType | | - | The object type | | |
| objectUser | | | The owner name of the target process or the sign-in user name | | |
| objectUserDomain | | - | The owner domain of the target process | | |
| oldFileHash | | | The SHA-1 of the target process image or target file (wasEntity from an IM event) | | |
| online | | - | Whether the endpoint is online | | |
| orgId | | - | The organization ID | | |
| originEventSourceType | | - | The event source type of the original events that matched the Security Analytics Engine filter | | |
| originUUID | | - | The UUID of the original events that matched the Security Analytics Engine filter | | |
| originalFileHashes | | | The hashes of the original file | | |
| originalFilePaths | | | The paths of the original file | | |
| osName | | - | The host OS | | |
| osVer | | - | The OS version | | |
| out | | - | The IP datagram length (in bytes) | | |
| overSsl | | - | Whether the event was triggered by an SSL decryption stream (displayed only when SSL Inspection is supported) | | |
| pAttackPhase | | - | The category of the primary Attack Phase | | |
| pComp | | - | The component that made the detection | | |
| pTags | | - | The event tagging system | | |
| parentCmd | | | The command line of the subject parent process | | |
| parentFileHashMd5 | | | The MD5 of the subject parent process | | |
| parentFileHashSha1 | | | The SHA-1 of the subject parent process | | |
| parentFileHashSha256 | | | The SHA-256 of the subject parent process | | |
| parentFilePath | | | The full file path of the parent process | | |
| parentHashId | | - | The FNV hash of the parent process | | |
| parentIntegrityLevel | | - | The integrity level of the parent process | | |
| parentName | | - | The image name of the parent process | | |
| parentPayloadSigner | | - | The signer name list of the parent process payload | | |
| parentPayloadSignerFlagsAdhoc | | - | The list of parent process payload signature ad hoc flags | - | |
| parentPayloadSignerFlagsLibValid | | - | The list of parent process payload signature library validation flags | - | |
| parentPayloadSignerFlagsRuntime | | - | The list of parent process payload signature runtime flags | - | |
| parentPayloadSignerValid | | - | Whether each signer of the parent process payload is valid | - | |
| parentPid | | - | The PID of the parent process | - | |
| parentSigner | | - | The signers of the parent process | | |
| parentSignerFlagsAdhoc | | - | The list of parent process signature ad hoc flags | - | |
| parentSignerFlagsLibValid | | - | The list of parent process signature library validation flags | - | |
| parentSignerFlagsRuntime | | - | The list of parent process signature runtime flags | - | |
| parentSignerValid | | - | Whether each signer of the parent process is valid | - | |
| parentUser | | - | The account name of the parent process | | |
| parentUserDomain | | - | The domain name of the parent process | | |
| patType | | - | The pattern type | | |
| patVer | | - | The version of the behavior pattern | | |
| pcapUUID | | - | The PCAP file UUID | | |
| peerEndpointGUID | | - | The endpoint GUID of the agent peer host | | |
| peerGroup | | - | The peer IP group | | |
| peerHost | | | The hostname of peerIp | | |
| peerIp | | | The IP of peerHost | | |
| pname | | - | The internal product ID | | |
| policyId | | - | The ID of the policy under which the event was detected | | |
| policyName | | - | The name of the triggered policy | | |
| policyTemplate | | - | The one-to-many data structure | | |
| policyTreePath | | - | The policy tree path | | |
| policyUuid | | - | The UUID of the cloud access or risk control policy, or the hard-coded string that indicates the rule of the global blocked/approved URL list | | |
| potentialRisk | | - | Whether there is potential risk | | |
| principalName | | - | The user principal name used to sign in to the proxy | | |
| processActions | | - | The process actions | | |
| processArtifactIds | | - | The artifact IDs generated by processAction | | |
| processCmd | | | The subject process command line | | |
| processFileCreation | | - | The Unix time of object creation | | |
| processFileHashMd5 | | | The MD5 of the subject process | | |
| processFileHashSha1 | | | The SHA-1 of the subject process | | |
| processFileHashSha256 | | | The SHA-256 of the subject process | | |
| processFilePath | | | The file path of the subject process | | |
| processHashId | | - | The FNV hash of the subject process | | |
| processImageFileNames | | - | The process image file names of detected backup artifacts | | |
| processImagePath | | - | The image path of the process triggered by the file event | | |
| processLaunchTime | | - | The time the subject process was launched | | |
| processName | | | The image name of the process that triggered the event | | |
| processPayloadSigner | | - | The signer name list of the process payload | | |
| processPayloadSignerFlagsAdhoc | | - | The list of process payload signature ad hoc flags | - | |
| processPayloadSignerFlagsLibValid | | - | The list of process payload signature library validation flags | - | |
| processPayloadSignerFlagsRuntime | | - | The list of process payload signature runtime flags | - | |
| processPayloadSignerValid | | - | Whether each signer of the process payload is valid | - | |
| processPid | | - | The PID of the subject process | - | |
| processPkgName | | - | The process package name | | |
| processSigner | | - | The signer name list of the subject process | | |
| processSignerFlagsAdhoc | | - | The list of process signature ad hoc flags | - | |
| processSignerFlagsLibValid | | - | The list of process signature library validation flags | - | |
| processSignerFlagsRuntime | | - | The list of process signature runtime flags | - | |
| processUser | | | The user name of the process or the file creator | | |
| processUserDomain | | - | The owner domain of the subject process image | | |
| productCode | | - | The internal product code | | |
| profile | | - | The name of the triggered Threat Protection template or Data Loss Prevention profile | | |
| proto | | - | The network protocol of the exploited layer | | |
| protoFlag | | - | The data flags | | |
| pver | | - | The product version | | |
| quarantineFileName | | - | The file path of the quarantined object | | |
| quarantineFilePath | | - | The OfficeScan server file path for the quarantined file (A quarantined file is encrypted and copied to the OfficeScan server for post-mortem analysis.) | - | |
| quarantineType | | - | The descriptive name for the quarantine area | | |
| rating | | - | The credibility level | | |
| rawDstIp | | | The destination IP without replacement | | |
| rawDstPort | | | The destination port without replacement | | |
| rawSrcIp | | | The source IP without replacement | | |
| rawSrcPort | | | The source port without replacement | | |
| regionCode | | - | The AWS Region code | | |
| regionId | | - | The cloud asset region | | |
| remarks | | - | The additional information | | |
| reportGUID | | - | The GUID for Workbench to request report page data | | |
| request | | | The notable URLs | | |
| requestBase | | | The domain of the request URL | | |
| requestClientApplication | | - | The user agent information of the protocol client | | |
| requestMethod | | - | The network protocol request method | | |
| respCode | | - | The network protocol response code | | |
| rewrittenUrl | | - | The rewritten URL | | |
| riskConfidenceLevel | | - | The risk confidence level | | |
| riskLevel | | - | The risk level | | |
| rozRating | | - | The overall Virtual Analyzer rating | | |
| rtDate | | - | The date of the log generation | | |
| rtWeekDay | | - | The weekday of the log generation | | |
| ruleId | | - | The rule ID | | |
| ruleId64 | | - | The IPS rule ID | | |
| ruleIdStr | | - | The rule ID | | |
| ruleName | | - | The name of the rule that triggered the event | | |
| ruleSetId | | - | The rule set ID | | |
| ruleSetName | | - | The rule set name | | |
| ruleType | | - | The access rule type | | |
| ruleUuid | | - | The signature UUID from Digital Vaccine | | |
| ruleVer | | - | The rule version | | |
| sAttackPhase | | - | The category of the secondary Attack Phase | | |
| sOSClass | | - | The source device OS class | | |
| sOSName | | - | The source OS | | |
| sOSVendor | | - | The source device OS vendor | | |
| sUser1 | | | The latest sign-in user of the source | | |
| scanTs | | - | The mail scan time | - | |
| scanType | | - | The scan type | | |
| schemaVersion | | - | The schema version | | |
| secondAct | | - | The second scan action | | |
| secondActResult | | - | The result of the second scan action | | |
| sender | | - | The roaming user or the gateway through which the web traffic passed | | |
| senderGUID | | - | The sender GUID | | |
| senderIp | | - | The sender IP | | |
| sessionEnd | | - | The session end time (in seconds) | | |
| sessionStart | | - | The session start time (in seconds) | | |
| severity | | - | The severity of the event | | |
| shost | | | The source hostname | | |
| signer | | - | The signer of the file | | |
| smac | | - | The source MAC address | | |
| smbSharedName | | - | The shared folder name on the server that contains the files to be opened | | |
| sourceType | | - | The source type | | |
| sproc | | - | The OSSEC program name | | |
| spt | | | The source port | | |
| src | | | The source IP | | |
| srcEquipmentId | | - | The source IMEI | | |
| srcFamily | | - | The source device family | | |
| srcFileHashMd5 | | | The MD5 of the source file | - | |
| srcFileHashSha1 | | | The SHA-1 of the source file | - | |
| srcFileHashSha256 | | | The SHA-256 of the source file | - | |
| srcFilePath | | | The source file path | | |
| srcGroup | | - | The group name defined by the source administrator | | |
| srcLocation | | - | The source country | | |
| srcSubscriberDirNum | | - | The source MSISDN | | |
| srcSubscriberId | | - | The source IMSI | | |
| srcType | | - | The source device type | | |
| srcZone | | - | The network zone defined by the source administrator | | |
| sslCertCommonName | | | The subject common name | | |
| sslCertIssuerCommonName | | - | The issuer common name | | |
| sslCertIssuerOrgName | | - | The issuer organization name | | |
| sslCertOrgName | | - | The subject organization name | | |
| subRuleId | | - | The sub-rule ID | | |
| subRuleName | | - | The sub-rule name | | |
| suid | | | The user name or mailbox | | |
| suser | | | The email sender | | |
| suspiciousObject | | - | The matched suspicious object | | |
| suspiciousObjectType | | - | The matched suspicious object type | | |
| tacticId | | | The list of MITRE tactic IDs | | |
| tags | | | The detected technique ID based on the alert filter | | |
| target | | - | The target object for the behavior | | |
| targetShare | | | The subject state or province (for HTTPS), the shared folder (for SMB) | | |
| targetType | | - | The target object type | | |
| techniqueId | | | The technique ID detected by the product agent based on a detection rule | - | |
| threatName | | - | The threat name | | |
| threatNames | | - | The associated threats | | |
| threatType | | - | The log threat type | | |
| trigger | | - | The action trigger | | |
| urlCat | | - | The requested URL category | | |
| userDepartment | | - | The user department | | |
| userDomain | | | The user domain | | |
| userDomains | | - | For telemetry events that matched the Security Analytics Engine filter, the userDomains value of the original events | | |
| uuid | | - | The unique key of the log | | |
| vendor | | - | The device vendor | | |
| vpcId | | - | The virtual private cloud that contains the cloud asset | | |
| vsysName | | - | The Palo Alto Networks virtual system of the session | | |
| wasEntity | | - | The entity before the change or modification | | |
| winEventId | | - | The Windows Event ID | | |
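The table states two things in prose that are easier to get right in code: the deviceDirection rule (an event is outbound only when the source IP falls inside an internal network that Deep Discovery Inspector monitors, internal-to-internal included; everything else is inbound) and which hash field holds which digest (a bare fileHash, attachmentFileHash or compressedFileHash is a SHA-1; the Md5/Sha1/Sha256 suffixes name the algorithm, and parentHashId/processHashId are FNV values rather than file digests). The following is an added example written for this page, not Trend Micro code and not part of any Vision One API: it normalizes one search record that uses the field names above, tags its direction, validates every hash field against the expected digest length before it is used as an indicator, and rebuilds the parent, process and object lineage. The sample record, the internal network ranges, and the helper names (`device_direction`, `collect_hashes`, `process_lineage`, `normalize`) are all constructed for the example.

```python
import ipaddress
import re

# Hex length of each digest family that the field table carries.
DIGEST_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Per the table, hash fields that carry no algorithm suffix hold a SHA-1.
BARE_SHA1_FIELDS = {"fileHash", "attachmentFileHash", "compressedFileHash",
                    "denyListFileHash", "oldFileHash"}

# Assumed for the example: the internal ranges a Deep Discovery Inspector
# appliance is configured to monitor (constructed, not from the page).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]


def hash_algorithm(field):
    """Return which digest a field name from the table carries, or None
    for fields such as parentHashId (FNV) or forensicFileHash (unspecified)."""
    if field in BARE_SHA1_FIELDS:
        return "sha1"
    if "Hash" in field:
        for suffix, algo in (("Md5", "md5"), ("Sha1", "sha1"), ("Sha256", "sha256")):
            if field.endswith(suffix):
                return algo
    return None


def collect_hashes(record):
    """Split a record's hash fields into well-formed values (lower-cased hex of
    the right length for the algorithm) and rejected ones."""
    accepted, rejected = {}, {}
    for field, value in record.items():
        algo = hash_algorithm(field)
        if algo is None or value is None:
            continue
        text = str(value).strip().lower()
        if len(text) == DIGEST_LENGTHS[algo] and HEX_RE.match(text):
            accepted[field] = (algo, text)
        else:
            rejected[field] = value
    return accepted, rejected


def device_direction(src, dst, internal_networks=INTERNAL_NETWORKS):
    """deviceDirection rule from the table: 'outbound' when the source IP is
    inside a monitored internal network (internal-to-internal included),
    'inbound' in every other case. The destination is only validated; it
    does not change the tag."""
    src_ip = ipaddress.ip_address(src)
    ipaddress.ip_address(dst)
    return "outbound" if any(src_ip in net for net in internal_networks) else "inbound"


def process_lineage(record, accepted):
    """parent -> subject process -> object chain, each paired with its accepted
    SHA-256 (None when that hash was missing or malformed)."""
    chain = []
    for prefix, name_field in (("parent", "parentName"),
                               ("process", "processName"),
                               ("object", "objectName")):
        name = record.get(name_field)
        if name:
            entry = accepted.get(prefix + "FileHashSha256")
            chain.append((name, entry[1] if entry else None))
    return chain


def normalize(record, internal_networks=INTERNAL_NETWORKS):
    accepted, rejected = collect_hashes(record)
    return {
        "deviceDirection": device_direction(record["src"], record["dst"], internal_networks),
        "lineage": process_lineage(record, accepted),
        "hashes": accepted,
        "rejected": rejected,
    }


# Constructed sample record using the table's field names; not a real detection.
SAMPLE_RECORD = {
    "src": "10.20.30.40", "dst": "203.0.113.7", "dpt": 443,
    "parentName": "explorer.exe",
    "parentFileHashSha256": "a" * 64,
    "processName": "powershell.exe",
    "processFileHashSha256": "b" * 64,
    "processFileHashSha1": "c" * 40,
    "objectName": "payload.dll",
    "objectFileHashSha256": "d" * 63,   # one hex digit short: rejected
    "fileHash": "E" * 40,               # bare fileHash is SHA-1; case is normalized
    "parentHashId": "1234567890",       # FNV value, not a digest field: ignored
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize(SAMPLE_RECORD), indent=2))
```

Rejecting malformed hashes before pivoting matters because a truncated or mis-cased digest silently matches nothing in a block list or a search; surfacing it under `rejected` keeps the bad value visible instead of dropping it. The direction helper deliberately ignores the destination beyond validating it, which is exactly why internal-to-internal traffic comes out as outbound under the DDI rule.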