|
Field Name
|
Type
|
General Field
|
Description
|
Example
|
Products
|
||||||
|
accessPermission
|
|
-
|
The access permission type
|
|
|
||||||
|
act
|
|
-
|
The actions taken to mitigate the event
|
|
|
||||||
|
actResult
|
|
-
|
The result of an action
|
|
|
||||||
|
aggregateFunction
|
|
-
|
The metric aggregator
|
|
|
||||||
|
aggregateUnit
|
|
-
|
The metric unit
|
|
|
||||||
|
aggregatedCount
|
|
-
|
The number of aggregated events
|
|
|
||||||
|
appDexSha256
|
|
|
The app dex encoded using SHA-256
|
|
|
||||||
|
appGroup
|
|
-
|
The app category of the event
|
|
|
||||||
|
appIsSystem
|
|
-
|
Whether the app is a system app
|
|
|
||||||
|
appLabel
|
|
-
|
The app name
|
|
|
||||||
|
appPkgName
|
|
-
|
The app package name
|
|
|
||||||
|
appPublicKeySha1
|
|
|
The app public key (SHA-1)
|
|
|
||||||
|
appSize
|
|
-
|
The app size (in bytes)
|
|
|
||||||
|
appVerCode
|
|
-
|
The app version code
|
|
|
||||||
|
application
|
|
-
|
The name of the requested application
|
|
|
||||||
|
aptCampaigns
|
|
-
|
The related APT campaigns
|
|
|
||||||
|
aptRelated
|
|
-
|
Whether the event is related to an advanced persistent threat (APT)
|
|
|
||||||
|
attachment
|
|
-
|
The information about the email attachment
|
|
|
||||||
|
attachmentFileHash
|
|
|
The SHA-1 of the email attachment
|
|
|
||||||
|
attachmentFileHashMd5
|
|
|
The MD5 of the attached file (attachmentFileName)
|
|
|
||||||
|
attachmentFileHashSha1
|
|
|
The SHA-1 of the attached file (attachmentFileName)
|
|
|
||||||
|
attachmentFileHashSha256
|
|
|
The SHA-256 of the attached file (attachmentFileName)
|
|
|
||||||
|
attachmentFileHashes
|
|
-
|
The SHA-1 of the email attachment
|
|
|
||||||
|
attachmentFileHashs
|
|
-
|
The SHA-1 hash value of the attachment file
|
|
|
||||||
|
attachmentFileName
|
|
|
The file name of an attachment
|
|
|
||||||
|
attachmentFileSize
|
|
-
|
The file size of the email attachment
|
|
|
||||||
|
attachmentFileSizes
|
|
-
|
The file size of email attachments
|
|
|
||||||
|
attachmentFileTlshes
|
|
-
|
The TLSH of the email attachment
|
|
|
||||||
|
attachmentFileTlshs
|
|
-
|
The TLSH hash value of the attachment file
|
|
|
||||||
|
attachmentFileType
|
|
-
|
The file type of the email attachment
|
|
|
||||||
|
authType
|
|
-
|
The authorization type
|
|
|
||||||
|
azId
|
|
-
|
The virtual machine Availability Zone ID
|
|
|
||||||
|
behaviorCat
|
|
-
|
The matched policy category
|
|
|
||||||
|
blocking
|
|
-
|
The blocking type
|
|
|
||||||
|
bmGroup
|
|
-
|
The one-to-many data structure
|
|
|
||||||
|
botCmd
|
|
|
The bot command
|
|
|
||||||
|
botUrl
|
|
|
The bot URL
|
|
|
||||||
|
category
|
|
-
|
The event category
|
|
|
||||||
|
cccaDestination
|
|
|
The destination domain, IP, URL, or recipient
|
|
|
||||||
|
cccaDestinationFormat
|
|
-
|
The C&C server access format
|
|
|
||||||
|
cccaDetection
|
|
-
|
Whether this log is identified as a C&C callback address detection
|
|
|
||||||
|
cccaDetectionSource
|
|
-
|
Whether this log is identified as a C&C callback address detection
|
|
|
||||||
|
cccaRiskLevel
|
|
-
|
The severity level of the threat actors associated with the C&C servers
|
|
|
||||||
|
censusMaturityValue
|
|
-
|
The CENSUS maturity value
|
|
|
||||||
|
censusPrevalenceValue
|
|
-
|
The CENSUS prevalence value
|
|
|
||||||
|
channel
|
|
-
|
The channel through which the demanded Windows Event is delivered
|
|
|
||||||
|
clientFlag
|
|
-
|
Whether the client is a source or destination
|
|
|
||||||
|
clientIp
|
|
-
|
The IP addresses of the source
|
|
|
||||||
|
clientStatus
|
|
-
|
The client status when the event occurred
|
|
|
||||||
|
cloudAccountId
|
|
-
|
The AWS cloud account ID, Google Cloud product ID, or Azure subscription ID
|
|
|
||||||
|
cloudAppCat
|
|
-
|
The category of the event in Cloud Reputation Service
|
|
|
||||||
|
cloudAppName
|
|
-
|
The cloud app name
|
|
|
||||||
|
cloudMachineImageId
|
|
-
|
The cloud machine image ID
|
|
|
||||||
|
cloudMachineImageName
|
|
-
|
The cloud machine image name
|
|
|
||||||
|
cloudProvider
|
|
-
|
The service provider of the cloud asset
|
|
|
||||||
|
cloudResourceDigest
|
|
-
|
The cloud resource digest
|
|
|
||||||
|
cloudResourceId
|
|
-
|
The cloud resource ID
|
|
|
||||||
|
cloudResourceTags
|
|
-
|
The cloud resource tags
|
|
|
||||||
|
cloudResourceType
|
|
-
|
The cloud resource type
|
|
|
||||||
|
cloudResourceVersion
|
|
-
|
The cloud resource version
|
|
|
||||||
|
cloudStorageName
|
|
-
|
The cloud storage name
|
|
|
||||||
|
clusterId
|
|
-
|
The cluster ID of the container
|
|
|
||||||
|
clusterName
|
|
-
|
The cluster name of the container
|
|
|
||||||
|
cnt
|
|
-
|
The total number of logs
|
|
|
||||||
|
compressedFileHash
|
|
|
The SHA-1 of the decompressed archive
|
|
|
||||||
|
compressedFileHashSha256
|
|
|
The SHA-256 of the compressed suspicious file
|
|
|
||||||
|
compressedFileName
|
|
|
The file name of the compressed file
|
|
|
||||||
|
compressedFileSize
|
|
-
|
The file size of the decompressed archive file
|
|
|
||||||
|
compressedFileType
|
|
-
|
The file type of the decompressed archive file
|
|
|
||||||
|
computerDomain
|
|
-
|
The computer domain
|
|
|
||||||
|
containerId
|
|
-
|
The Kubernetes container ID
|
|
|
||||||
|
containerImage
|
|
-
|
The Kubernetes container image
|
|
|
||||||
|
containerImageDigest
|
|
-
|
The Kubernetes container image digest
|
|
|
||||||
|
containerName
|
|
-
|
The Kubernetes container name
|
|
|
||||||
|
correlatedIntelligence
|
|
-
|
The Correlated Intelligence detection
|
|
|
||||||
|
correlationCat
|
|
-
|
The correlation category
|
|
|
||||||
|
customTags
|
|
-
|
The event tags
|
|
|
||||||
|
cve
|
|
-
|
The CVE identifier
|
|
|
||||||
|
cves
|
|
-
|
The CVEs associated with this filter
|
|
|
||||||
|
dOSClass
|
|
-
|
The destination device OS class
|
|
|
||||||
|
dOSName
|
|
-
|
The destination host OS
|
|
|
||||||
|
dOSVendor
|
|
-
|
The destination device OS vendor
|
|
|
||||||
|
dUser1
|
|
|
The latest sign-in user of the destination
|
|
|
||||||
|
dacDeviceType
|
|
-
|
The device type
|
|
|
||||||
|
data0
|
|
-
|
The value of the Deep Discovery Inspector correlation log
|
|
|
||||||
|
data0Name
|
|
-
|
The name of the Deep Discovery Inspector correlation log
|
|
|
||||||
|
data1
|
|
-
|
The Deep Discovery Inspector correlation log metadata
|
|
|
||||||
|
data1Name
|
|
-
|
The name of the Deep Discovery Inspector correlation log
|
|
|
||||||
|
data2
|
|
-
|
The value of the Deep Discovery Inspector correlation log
|
|
|
||||||
|
data2Name
|
|
-
|
The name of the Deep Discovery Inspector correlation log
|
|
|
||||||
|
data3
|
|
-
|
The value of the Deep Discovery Inspector correlation log
|
|
|
||||||
|
data4
|
|
-
|
The value of the Deep Discovery Inspector correlation log
|
|
|
||||||
|
dceArtifactActions
|
|
-
|
The actions performed on Damage Cleanup Engine artifacts
|
|
|
||||||
|
dceHash1
|
|
-
|
Whether the Trend Micro Threat Mitigation Server requires the log (the Trend Micro
Threat Mitigation Server is EOL)
|
|
|
||||||
|
dceHash2
|
|
-
|
Whether the Trend Micro Threat Mitigation Server requires the log (the Trend Micro
Threat Mitigation Server is EOL)
|
|
|
||||||
|
denyListFileHash
|
|
|
The SHA-1 of the Virtual Analyzer Suspicious Object
|
|
|
||||||
|
denyListFileHashSha256
|
|
-
|
The SHA-256 of User-Defined Suspicious Object
|
|
|
||||||
|
denyListHost
|
|
|
The domain of the Virtual Analyzer Suspicious Object
|
|
|
||||||
|
denyListIp
|
|
|
The IP of the Virtual Analyzer Suspicious Object
|
|
|
||||||
|
denyListRequest
|
|
-
|
The block list event request
|
|
|
||||||
|
denyListType
|
|
-
|
The block list type
|
|
|
||||||
|
destinationPath
|
|
-
|
The intended destination of the file containing the digital asset or channel
|
|
|
||||||
|
detectedActions
|
|
-
|
The actions performed on detected artifacts
|
|
|
||||||
|
detectedBackupArtifacts
|
|
-
|
The information about detected artifacts
|
|
|
||||||
|
detectedBackupArtifactsStatus
|
|
-
|
The backup status of detected artifacts
|
|
|
||||||
|
detectedBackupFolder
|
|
-
|
The folder path for detected backup folders
|
|
|
||||||
|
detectedPattern
|
|
-
|
The detected pattern
|
|
|
||||||
|
detectionAggregationId
|
|
-
|
The correlation key for detection logs and artifacts
|
|
|
||||||
|
detectionDetail
|
|
-
|
The details about each event type
|
|
|
||||||
|
detectionEngineVersion
|
|
-
|
The detection engine version
|
|
|
||||||
|
detectionName
|
|
-
|
The general name for the detection
|
|
|
||||||
|
detectionType
|
|
-
|
The detection type
|
|
|
||||||
|
deviceDirection
|
|
-
|
The device direction (If the source IP is in the internal network monitored by Deep
Discovery Inspector, it is tagged as outbound. All other cases are inbound. Internal-to-internal
is also tagged as outbound.)
|
|
|
||||||
|
deviceGUID
|
|
-
|
The GUID of the agent which reported the detection
|
|
|
||||||
|
deviceMacAddress
|
|
-
|
The device MAC address
|
|
|
||||||
|
deviceModel
|
|
-
|
The device model number
|
|
|
||||||
|
devicePayloadId
|
|
-
|
The device payload ID
|
|
|
||||||
|
deviceSerial
|
|
-
|
The device serial ID
|
|
|
||||||
|
dhost
|
|
|
The destination hostname
|
|
|
||||||
|
direction
|
|
-
|
The direction
|
|
|
||||||
|
diskPartitionId
|
|
-
|
The cloud volume partition ID
|
|
|
||||||
|
dmac
|
|
-
|
The MAC address of the destination IP (dest_ip)
|
|
|
||||||
|
domainName
|
|
|
The detected domain name
|
|
|
||||||
|
dpt
|
|
|
The destination port
|
|
|
||||||
|
dst
|
|
|
The destination IP
|
|
|
||||||
|
dstEquipmentId
|
|
-
|
The destination IMEI
|
|
|
||||||
|
dstFamily
|
|
-
|
The destination device family
|
|
|
||||||
|
dstGroup
|
|
-
|
The group name defined by the administrator of the destination
|
|
|
||||||
|
dstLocation
|
|
-
|
The destination country
|
|
|
||||||
|
dstSubscriberDirNum
|
|
-
|
The destination MSISDN
|
|
|
||||||
|
dstSubscriberId
|
|
-
|
The destination IMSI
|
|
|
||||||
|
dstType
|
|
-
|
The destination device type
|
|
|
||||||
|
dstZone
|
|
-
|
The network zone defined by the destination administrator
|
|
|
||||||
|
duration
|
|
-
|
The detection interval (in milliseconds)
|
|
|
||||||
|
duser
|
|
|
The email recipient
|
|
|
||||||
|
dvc
|
|
-
|
The IP address of the Deep Discovery Inspector appliance
|
|
|
||||||
|
dvchost
|
|
-
|
The computer which installed the Trend Micro product
|
|
|
||||||
|
endpointGUID
|
|
|
The GUID of the agent which reported the detection
|
|
|
||||||
|
endpointHostName
|
|
|
The endpoint hostname or node where the event was detected
|
|
|
||||||
|
endpointIp
|
|
|
The IP address of the endpoint on which the event was detected
|
|
|
||||||
|
endpointMacAddress
|
|
-
|
The endpoint MAC address
|
|
|
||||||
|
endpointModel
|
|
-
|
The mobile device model
|
|
|
||||||
|
engType
|
|
-
|
The engine type
|
|
|
||||||
|
engVer
|
|
-
|
The engine version
|
|
|
||||||
|
engineOperation
|
|
-
|
The operation of the engine event
|
|
|
||||||
|
eventClass
|
|
-
|
The event category
|
|
|
||||||
|
eventId
|
|
-
|
The event ID from the logs of each product
|
|
|
||||||
|
eventName
|
|
-
|
The event type
|
|
|
||||||
|
eventSubClass
|
|
-
|
The sub-event class category
|
|
|
||||||
|
eventSubId
|
|
-
|
The access type
|
|
|
||||||
|
eventSubName
|
|
-
|
The event type sub-name
|
|
|
||||||
|
extraInfo
|
|
-
|
The network application name
|
|
|
||||||
|
fileCreation
|
|
-
|
The file creation date
|
|
|
||||||
|
fileDesc
|
|
-
|
The file description
|
|
|
||||||
|
fileExt
|
|
-
|
The file extension of the suspicious file
|
|
|
||||||
|
fileHash
|
|
|
The SHA-1 of the file that triggered the rule or policy
|
|
|
||||||
|
fileHashMd5
|
|
|
The MD5 of the file
|
|
|
||||||
|
fileHashSha256
|
|
|
The SHA-256 of the file (fileName)
|
|
|
||||||
|
fileName
|
|
|
The file name
|
|
|
||||||
|
fileOperation
|
|
-
|
The operation of the file
|
|
|
||||||
|
filePath
|
|
|
The file path without the file name
|
|
|
||||||
|
filePathName
|
|
|
The file path with the file name
|
|
|
||||||
|
fileSize
|
|
-
|
The file size of the suspicious file
|
|
|
||||||
|
fileSystemUuid
|
|
-
|
The file system UUID
|
|
|
||||||
|
fileType
|
|
-
|
The file type of the suspicious file
|
|
|
||||||
|
fileVer
|
|
-
|
The file version
|
|
|
||||||
|
filterName
|
|
-
|
The filter name
|
|
|
||||||
|
filterRiskLevel
|
|
-
|
The top level filter risk of the event
|
|
|
||||||
|
filterType
|
|
-
|
The filter type
|
|
|
||||||
|
firmalware
|
|
-
|
The Deep Discovery Inspector firmware version
|
|
|
||||||
|
firstAct
|
|
-
|
The first scan action
|
|
|
||||||
|
firstActResult
|
|
-
|
The first scan action result
|
|
|
||||||
|
firstSeen
|
|
-
|
The first time the XDR log appeared
|
|
|
||||||
|
flowId
|
|
-
|
The connection ID
|
|
|
||||||
|
forensicFileHash
|
|
-
|
The hash value of the forensic data file
|
|
|
||||||
|
forensicFilePath
|
|
-
|
The file path of the forensic file (When a Data Loss Prevention policy is triggered,
the file is encrypted and copied to the OfficeScan server for post-mortem analysis.)
|
|
|
||||||
|
ftpUser
|
|
-
|
The FTP sign-in user name
|
|
|
||||||
|
fullPath
|
|
|
The combination of the file path and the file name
|
|
|
||||||
|
groupId
|
|
-
|
The group ID for the management scope filter
|
|
|
||||||
|
groups
|
|
-
|
The OSSEC rule group names
|
|
|
||||||
|
hasdtasres
|
|
-
|
Whether the log contains a report from Virtual Analyzer
|
|
|
||||||
|
highlightMailMsgSubject
|
|
-
|
The email subject
|
|
|
||||||
|
highlightedFileHashes
|
|
|
The SHA-1 hashes of the highlighted file
|
|
|
||||||
|
highlightedFileName
|
|
-
|
The file names of suspicious attachments
|
|
|
||||||
|
hostName
|
|
|
The computer name of the client host (the hostname from the suspicious URL detected
by Deep Discovery Inspector)
|
|
|
||||||
|
hostSeverity
|
|
-
|
The severity of the threat (specific to the interestedIp)
|
|
|
||||||
|
hotFix
|
|
-
|
The applied Deep Discovery Inspector hotfix version
|
|
|
||||||
|
httpReferer
|
|
|
The HTTP referer
|
|
|
||||||
|
httpRespContentType
|
|
-
|
The HTTP response data content type
|
|
|
||||||
|
httpXForwardedFor
|
|
-
|
The HTTP X-Forwarded-For header
|
|
|
||||||
|
icmpCode
|
|
-
|
The ICMP protocol code field
|
|
|
||||||
|
icmpType
|
|
-
|
The ICMP protocol type
|
|
|
||||||
|
instanceId
|
|
-
|
The ID of the instance that indicates the meta-cloud or data center VM
|
|
|
||||||
|
instanceName
|
|
-
|
The name of the instance that indicates the meta-cloud or data center VM
|
|
|
||||||
|
integrityLevel
|
|
-
|
The integrity level of a process
|
|
|
||||||
|
interestedGroup
|
|
-
|
The network group associated with the user-defined source IP or destination IP
|
|
|
||||||
|
interestedHost
|
|
|
The endpoint hostname (If an intranet host accesses a suspicious internet host, the
intranet host is the "peerHost" and the internet host is the "interestedHost".)
|
|
|
||||||
|
interestedIp
|
|
|
The IP of the interestedHost
|
|
|
||||||
|
interestedMacAddress
|
|
-
|
The log owner MAC address
|
|
|
||||||
|
ircChannelName
|
|
-
|
The IRC channel name
|
|
|
||||||
|
ircUserName
|
|
-
|
The IRC user name
|
|
|
||||||
|
isEntity
|
|
-
|
The current entity (or after change/modification)
|
|
|
||||||
|
isHidden
|
|
-
|
Whether the detection log generated a grey rule match
|
|
|
||||||
|
isPrivateApp
|
|
-
|
Whether the requested application is private
|
|
|
||||||
|
isProxy
|
|
-
|
Whether something is a proxy
|
|
|
||||||
|
isRetroScan
|
|
-
|
Whether the event matches the Security Analytics Engine filter
|
|
|
||||||
|
ja3Hash
|
|
-
|
The fingerprint of an SSL/TLS client application as detected via a network sensor
or device
|
|
|
||||||
|
ja3sHash
|
|
-
|
The fingerprint of an SSL/TLS server application as detected via a network sensor
or device
|
|
|
||||||
|
k8sNamespace
|
|
-
|
The Kubernetes namespace of the container
|
|
|
||||||
|
k8sPodId
|
|
-
|
The Kubernetes pod ID of the container
|
|
|
||||||
|
k8sPodName
|
|
-
|
The Kubernetes pod name of the container
|
|
|
||||||
|
lastSeen
|
|
-
|
The last time the XDR log appeared
|
|
|
||||||
|
lineageId
|
|
-
|
The lineage ID
|
|
|
||||||
|
logKey
|
|
-
|
The unique key of the event
|
|
|
||||||
|
logReceivedTime
|
|
-
|
The time when the XDR log was received
|
|
|
||||||
|
logonUsers
|
|
-
|
The telemetry events that match the Security Analytics Engine filter, and logonUsers
stores the logonUsers value of the original events
|
|
|
||||||
|
mDevice
|
|
-
|
The source IP
|
|
|
||||||
|
mDeviceGUID
|
|
-
|
The GUID of the agent host
|
|
|
||||||
|
mailDeliveryTime
|
|
-
|
The mail delivery time
|
|
|
||||||
|
mailFolder
|
|
-
|
The email folder name
|
|
|
||||||
|
mailMsgId
|
|
-
|
The internet message ID of the email
|
|
|
||||||
|
mailMsgSubject
|
|
|
The email subject
|
|
|
||||||
|
mailReceivedTime
|
|
-
|
The mail received timestamp
|
-
|
|
||||||
|
mailSmtpFromAddresses
|
|
-
|
The envelope address of the sender
|
|
|
||||||
|
mailSmtpHelo
|
|
-
|
The domain name of the email server by using the SMTP HELO command
|
|
|
||||||
|
mailSmtpOriginalRecipients
|
|
-
|
The envelope addresses of the original recipients
|
|
|
||||||
|
mailSmtpRecipients
|
|
-
|
The envelope addresses of the current recipients
|
|
|
||||||
|
mailSmtpTls
|
|
-
|
The SMTP TLS version
|
|
|
||||||
|
mailUniqueId
|
|
-
|
The unique ID of the email
|
|
|
||||||
|
mailbox
|
|
-
|
The mailbox that is protected by Trend Micro
|
|
|
||||||
|
majorVirusType
|
|
-
|
The virus type
|
|
|
||||||
|
malDst
|
|
-
|
The malware infection destination
|
|
|
||||||
|
malFamily
|
|
-
|
The threat family
|
|
|
||||||
|
malName
|
|
-
|
The name of the detected malware
|
|
|
||||||
|
malSrc
|
|
|
The malware infection source
|
|
|
||||||
|
malSubType
|
|
-
|
The subsidiary virus type
|
|
|
||||||
|
malType
|
|
-
|
The risk type for Network Content Correlation Engine rules
|
|
|
||||||
|
malTypeGroup
|
|
-
|
The risk type group for Network Content Correlation Engine rules
|
|
|
||||||
|
matchedContent
|
|
-
|
The one-to-many data structure
|
|
|
||||||
|
mimeType
|
|
-
|
The MIME type or content type of the response body
|
|
|
||||||
|
minorVirusType
|
|
-
|
The minor virus type
|
|
|
||||||
|
mitigationTaskId
|
|
-
|
The unique ID to identify the mitigation request
|
|
|
||||||
|
mitreMapping
|
|
-
|
The MITRE tags
|
|
|
||||||
|
mitreVersion
|
|
-
|
The MITRE version
|
|
|
||||||
|
moduleScanType
|
|
-
|
The module scan type
|
|
|
||||||
|
mpname
|
|
-
|
The management product name
|
|
|
||||||
|
mpver
|
|
-
|
The product version
|
|
|
||||||
|
msgAct
|
|
-
|
The message action
|
|
|
||||||
|
msgId
|
|
|
The internet message ID
|
|
|
||||||
|
msgTOCUuid
|
|
-
|
The email unique ID
|
|
|
||||||
|
msgUuid
|
|
-
|
The unique email ID
|
|
|
||||||
|
msgUuidChain
|
|
-
|
The message UUID chain
|
|
|
||||||
|
netBiosDomainName
|
|
|
The NetBIOS domain name
|
|
|
||||||
|
objectActions
|
|
-
|
The object process actions
|
|
|
||||||
|
objectApiName
|
|
-
|
The API name
|
|
|
||||||
|
objectArtifactIds
|
|
-
|
The artifact IDs generated by objectAction
|
|
|
||||||
|
objectAttributes
|
|
-
|
The object attributes
|
|
|
||||||
|
objectCmd
|
|
|
The object process command line
|
|
|
||||||
|
objectEntityName
|
|
-
|
The object entity name
|
|
|
||||||
|
objectFileAccess
|
|
-
|
The object file access details
|
|
|
||||||
|
objectFileCreation
|
|
-
|
The UTC time that the object was created
|
|
|
||||||
|
objectFileHashMd5
|
|
|
The MD5 of the object
|
|
|
||||||
|
objectFileHashSha1
|
|
|
The SHA-1 of the objectFilePath object
|
|
|
||||||
|
objectFileHashSha256
|
|
|
The SHA-256 of the object (objectFilePath)
|
|
|
||||||
|
objectFileModified
|
|
-
|
The UTC time that the object was modified
|
|
|
||||||
|
objectFileName
|
|
|
The object file name
|
|
|
||||||
|
objectFilePath
|
|
|
The file path of the target process image or target file
|
|
|
||||||
|
objectFirstRecorded
|
|
-
|
The first time that the object appeared
|
-
|
|
||||||
|
objectId
|
|
-
|
The UUID of the object
|
|
|
||||||
|
objectIp
|
|
|
The IP address of the domain
|
|
|
||||||
|
objectName
|
|
-
|
The base name of the object file or process
|
|
|
||||||
|
objectPayloadFileHashSha1
|
|
|
The SHA-1 of the object payload file
|
-
|
|||||||
|
objectPipeName
|
|
-
|
The object pipe name
|
|
|
||||||
|
objectRegistryData
|
|
|
The registry data contents
|
|
|
||||||
|
objectRegistryKeyHandle
|
|
|
The registry key path
|
|
|
||||||
|
objectRegistryRoot
|
|
-
|
The name of the object registry root key
|
|
|
||||||
|
objectRegistryValue
|
|
|
The registry value name
|
|
|
||||||
|
objectSigner
|
|
-
|
The list of object process signers
|
|
|
||||||
|
objectSignerFlagsAdhoc
|
|
-
|
The list of object process signature adhoc flags
|
-
|
|
||||||
|
objectSignerFlagsLibValid
|
|
-
|
The list of object process signature library validation flags
|
-
|
|
||||||
|
objectSignerFlagsRuntime
|
|
-
|
The list of object process signature runtime flags
|
-
|
|
||||||
|
objectSignerValid
|
|
-
|
Whether each signer of the object process is valid
|
-
|
|
||||||
|
objectSubType
|
|
-
|
The sub-types of the policy event (displayed when a policy event has sub-types)
|
|
|
||||||
|
objectTargetProcess
|
|
-
|
The file path of the target process that the API performs
|
|
|||||||
|
objectType
|
|
-
|
The object type
|
|
|
||||||
|
objectUser
|
|
|
The owner name of the target process or the sign-in user name
|
|
|
||||||
|
objectUserDomain
|
|
-
|
The owner domain of the target process
|
|
|
||||||
|
oldFileHash
|
|
|
The SHA-1 of the target process image or target file (wasEntity from an IM event)
|
|
|
||||||
|
online
|
|
-
|
Whether the endpoint is online
|
|
|
||||||
|
orgId
|
|
-
|
The organization ID
|
|
|
||||||
|
originEventSourceType
|
|
-
|
The event source type of the original events which matches the Security Analytics
Engine filter
|
|
|
||||||
|
originUUID
|
|
-
|
The UUID of the original events which matches the Security Analytics Engine filter
|
|
|
||||||
|
originalFileHashes
|
|
|
The hashes of the original file
|
|
|
||||||
|
originalFilePaths
|
|
|
The paths of the original file
|
|
|
||||||
|
osName
|
|
-
|
The host OS name
|
|
|
||||||
|
osVer
|
|
-
|
The OS version
|
|
|
||||||
|
out
|
|
-
|
The IP datagram length (in bytes)
|
|
|
||||||
|
overSsl
|
|
-
|
Whether the event was triggered by an SSL decryption stream (displayed only when SSL
Inspection is supported)
|
|
|
||||||
|
pAttackPhase
|
|
-
|
The category of the primary Attack Phase
|
|
|
||||||
|
pComp
|
|
-
|
The component that made the detection
|
|
|
||||||
|
pTags
|
|
-
|
The event tagging system
|
|
|
||||||
|
parentCmd
|
|
|
The command line of the subject parent process
|
|
|
||||||
|
parentFileHashMd5
|
|
|
The MD5 of the subject parent process
|
|
|
||||||
|
parentFileHashSha1
|
|
|
The SHA-1 of the subject parent process
|
|
|
||||||
|
parentFileHashSha256
|
|
|
The SHA-256 of the subject parent process
|
|
|
||||||
|
parentFilePath
|
|
|
The full file path of the parent process
|
|
|
||||||
|
parentHashId
|
|
-
|
The FNV of the parent process
|
|
|
||||||
|
parentIntegrityLevel
|
|
-
|
The integrity level of a parent
|
|
|
||||||
|
parentName
|
|
-
|
The image name of the parent process
|
|
|
||||||
|
parentPayloadSigner
|
|
-
|
The signer name list of the parent process payload
|
|
|
||||||
|
parentPayloadSignerFlagsAdhoc
|
|
-
|
The list of parent process payload signature adhoc flags
|
-
|
|
||||||
|
parentPayloadSignerFlagsLibValid
|
|
-
|
The list of parent process payload signature library validation flags
|
-
|
|
||||||
|
parentPayloadSignerFlagsRuntime
|
|
-
|
The list of parent process payload signature runtime flags
|
-
|
|
||||||
|
parentPayloadSignerValid
|
|
-
|
Whether each signer of the parent process payload is valid
|
-
|
|
||||||
|
parentPid
|
|
-
|
The PID of the parent process
|
-
|
|
||||||
|
parentSigner
|
|
-
|
The signers of the parent process
|
|
|
||||||
|
parentSignerFlagsAdhoc
|
|
-
|
The list of parent process signature adhoc flags
|
-
|
|
||||||
|
parentSignerFlagsLibValid
|
|
-
|
The list of parent process signature library validation flags
|
-
|
|
||||||
|
parentSignerFlagsRuntime
|
|
-
|
The list of parent process signature runtime flags
|
-
|
|
||||||
|
parentSignerValid
|
|
-
|
Whether each signer of the parent process is valid
|
-
|
|
||||||
|
parentUser
|
|
-
|
The account name of the parent process
|
|
|
||||||
|
parentUserDomain
|
|
-
|
The domain name of the parent process
|
|
|
||||||
|
patType
|
|
-
|
The pattern type
|
|
|
||||||
|
patVer
|
|
-
|
The version of the behavior pattern
|
|
|
||||||
|
pcapUUID
|
|
-
|
The PCAP file UUID
|
|
|
||||||
|
peerEndpointGUID
|
|
-
|
The endpoint GUID of the agent peer host
|
|
|
||||||
|
peerGroup
|
|
-
|
The peer IP group
|
|
|
||||||
|
peerHost
|
|
|
The hostname of peerIp
|
|
|
||||||
|
peerIp
|
|
|
The IP of peerHost
|
|
|
||||||
|
pname
|
|
-
|
The internal product ID
|
|
|
||||||
|
policyId
|
|
-
|
The policy ID of which the event was detected
|
|
|
||||||
|
policyName
|
|
-
|
The name of the triggered policy
|
|
|
||||||
|
policyTemplate
|
|
-
|
The one-to-many data structure
|
|
|
||||||
|
policyTreePath
|
|
-
|
The policy tree path
|
|
|
||||||
|
policyUuid
|
|
-
|
The UUID of the cloud access or risk control policy, or the hard-coded string that
indicates the rule of the global blocked/approved URL list
|
|
|
||||||
|
potentialRisk
|
|
-
|
Whether something is a potential risk
|
|
|
||||||
|
principalName
|
|
-
|
The user principal name used to sign in to the proxy
|
|
|
||||||
|
processActions
|
|
-
|
The process actions
|
|
|
||||||
|
processArtifactIds
|
|
-
|
The artifact IDs generated by processAction
|
|
|
||||||
|
processCmd
|
|
|
The subject process command line
|
|
|
||||||
|
processFileCreation
|
|
-
|
The Unix time of object creation
|
|
|
||||||
|
processFileHashMd5
|
|
|
The MD5 of the subject process
|
|
|
||||||
|
processFileHashSha1
|
|
|
The SHA-1 of the subject process
|
|
|
||||||
|
processFileHashSha256
|
|
|
The SHA-256 of the subject process
|
|
|
||||||
|
processFilePath
|
|
|
The file path of the subject process
|
|
|
||||||
|
processHashId
|
|
-
|
The FNV of the subject process
|
|
|
||||||
|
processImageFileNames
|
|
-
|
The process image file names of detected backup artifacts
|
|
|
||||||
|
processImagePath
|
|
-
|
The process triggered by the file event
|
|
|
||||||
|
processLaunchTime
|
|
-
|
The time the subject process was launched
|
|
|
||||||
|
processName
|
|
|
The image name of the process that triggered the event
|
|
|
||||||
|
processPayloadSigner
|
|
-
|
The signer name list of the process payload
|
|
|
||||||
|
processPayloadSignerFlagsAdhoc
|
|
-
|
The list of process payload signature adhoc flags
|
-
|
|
||||||
|
processPayloadSignerFlagsLibValid
|
|
-
|
The list of process payload signature library validation flags
|
-
|
|
||||||
|
processPayloadSignerFlagsRuntime
|
|
-
|
The list of process payload signature runtime flags
|
-
|
|
||||||
|
processPayloadSignerValid
|
|
-
|
Whether each signer of the process payload is valid
|
-
|
|
||||||
|
processPid
|
|
-
|
The PID of the subject process
|
-
|
|
||||||
|
processPkgName
|
|
-
|
The process package name
|
|
|
||||||
|
processSigner
|
|
-
|
The signer name list of the subject process
|
|
|
||||||
|
processSignerFlagsAdhoc
|
|
-
|
The list of process signature adhoc flags
|
-
|
|
||||||
|
processSignerFlagsLibValid
|
|
-
|
The list of process signature library validation flags
|
-
|
|
||||||
|
processSignerFlagsRuntime
|
|
-
|
The list of process signature runtime flags
|
-
|
|
||||||
|
processUser
|
|
|
The user name of the process or the file creator
|
|
|
||||||
|
processUserDomain
|
|
-
|
The owner domain of the subject process image
|
|
|
||||||
|
productCode
|
|
-
|
The internal product code
|
|
|
||||||
|
profile
|
|
-
|
The name of the triggered Threat Protection template or Data Loss Prevention profile
|
|
|
||||||
|
proto
|
|
-
|
The exploited layer network protocol
|
|
|
||||||
|
protoFlag
|
|
-
|
The data flags
|
|
|
||||||
|
pver
|
|
-
|
The product version
|
|
|
||||||
|
quarantineFileName
|
|
-
|
The file path of the quarantined object
|
|
|
||||||
|
quarantineFilePath
|
|
-
|
The OfficeScan server file path for the quarantined file (a quarantined file is encrypted
and copied to the OfficeScan server for post-mortem analysis)
|
-
|
|||||||
|
quarantineType
|
|
-
|
The descriptive name for the quarantine area
|
|
|
||||||
|
rating
|
|
-
|
The credibility level
|
|
|
||||||
|
rawDstIp
|
|
|
The destination IP without replacement
|
|
|
||||||
|
rawDstPort
|
|
|
The destination port without replacement
|
|
|
||||||
|
rawSrcIp
|
|
|
The source IP without replacement
|
|
|
||||||
|
rawSrcPort
|
|
|
The source port without replacement
|
|
|
||||||
|
regionCode
|
|
-
|
The cloud provider region code
|
|
|
||||||
|
regionId
|
|
-
|
The cloud asset region
|
|
|
||||||
|
remarks
|
|
-
|
The additional information
|
|
|
||||||
|
reportGUID
|
|
-
|
The GUID for Workbench to request report page data
|
|
|
||||||
|
request
|
|
|
The notable URLs
|
|
|
||||||
|
requestBase
|
|
|
The domain of the request URL
|
|
|
||||||
|
requestClientApplication
|
|
-
|
The protocol user agent information
|
|
|
||||||
|
requestMethod
|
|
-
|
The network protocol request method
|
|
|
||||||
|
respCode
|
|
-
|
The network protocol response code
|
|
|
||||||
|
rewrittenUrl
|
|
-
|
The rewritten URL
|
|
|
||||||
|
riskConfidenceLevel
|
|
-
|
The risk confidence level
|
|
|
||||||
|
riskLevel
|
|
-
|
The risk level
|
|
|
||||||
|
rozRating
|
|
-
|
The overall Virtual Analyzer rating
|
|
|
||||||
|
rtDate
|
|
-
|
The date of the log generation
|
|
|
||||||
|
rtWeekDay
|
|
-
|
The weekday of the log generation
|
|
|
||||||
|
ruleId
|
|
-
|
The rule ID
|
|
|
||||||
|
ruleId64
|
|
-
|
The IPS rule ID
|
|
|
||||||
|
ruleIdStr
|
|
-
|
The rule ID
|
|
|
||||||
|
ruleName
|
|
-
|
The name of the rule that triggered the event
|
|
|
||||||
|
ruleSetId
|
|
-
|
The rule set ID
|
|
|
||||||
|
ruleSetName
|
|
-
|
The rule set name
|
|
|
||||||
|
ruleType
|
|
-
|
The access rule type
|
|
|
||||||
|
ruleUuid
|
|
-
|
The signature UUID from Digital Vaccine
|
|
|
||||||
|
ruleVer
|
|
-
|
The rule version
|
|
|
||||||
|
sAttackPhase
|
|
-
|
The category of the second Attack Phase
|
|
|
||||||
|
sOSClass
|
|
-
|
The source device OS class
|
|
|
||||||
|
sOSName
|
|
-
|
The source OS
|
|
|
||||||
|
sOSVendor
|
|
-
|
The source device OS vendor
|
|
|
||||||
|
sUser1
|
|
|
The latest sign-in user of the source
|
|
|
||||||
|
scanTs
|
|
-
|
The mail scan time
|
-
|
|
||||||
|
scanType
|
|
-
|
The scan type
|
|
|
||||||
|
schemaVersion
|
|
-
|
The schema version
|
|
|
||||||
|
secondAct
|
|
-
|
The second scan action
|
|
|
||||||
|
secondActResult
|
|
-
|
The result of the second scan action
|
|
|
||||||
|
sender
|
|
-
|
The roaming users or the gateway where the web traffic passed
|
|
|
||||||
|
senderGUID
|
|
-
|
The sender GUID
|
|
|
||||||
|
senderIp
|
|
-
|
The sender IP
|
|
|
||||||
|
sessionEnd
|
|
-
|
The session end time (in seconds)
|
|
|
||||||
|
sessionStart
|
|
-
|
The session start time (in seconds)
|
|
|
||||||
|
severity
|
|
-
|
The severity of the event
|
|
|
||||||
|
shost
|
|
|
The source hostname
|
|
|
||||||
|
signInCountries
|
|
-
|
The countries from which a user signed in
|
|
|
||||||
|
signer
|
|
-
|
The signer of the file
|
|
|
||||||
|
smac
|
|
-
|
The source MAC address
|
|
|
||||||
|
smbSharedName
|
|
-
|
The shared folder name for the server that contains the files to be opened
|
|
|
||||||
|
sourceType
|
|
-
|
The source type
|
|
|
||||||
|
sproc
|
|
-
|
The OSSEC program name
|
|
|
||||||
|
spt
|
|
|
The source port
|
|
|
||||||
|
src
|
|
|
The source IP
|
|
|
||||||
|
srcEquipmentId
|
|
-
|
The source IMEI
|
|
|
||||||
|
srcFamily
|
|
-
|
The source device family
|
|
|
||||||
|
srcFileHashMd5
|
|
|
The MD5 of the source file
|
-
|
|||||||
|
srcFileHashSha1
|
|
|
The SHA-1 of the source file
|
-
|
|||||||
|
srcFileHashSha256
|
|
|
The SHA-256 of the source file
|
-
|
|||||||
|
srcFilePath
|
|
|
The source file path
|
|
|||||||
|
srcGroup
|
|
-
|
The group named defined by the source administrator
|
|
|
||||||
|
srcLocation
|
|
-
|
The source country
|
|
|
||||||
|
srcSubscriberDirNum
|
|
-
|
The source MSISDN
|
|
|
||||||
|
srcSubscriberId
|
|
-
|
The source IMSI
|
|
|
||||||
|
srcType
|
|
-
|
The source device type
|
|
|
||||||
|
srcZone
|
|
-
|
The network zone defined by the source administrator
|
|
|
||||||
|
sslCertCommonName
|
|
|
The subject common name
|
|
|
||||||
|
sslCertIssuerCommonName
|
|
-
|
The issuer common name
|
|
|
||||||
|
sslCertIssuerOrgName
|
|
-
|
The issuer organization name
|
|
|
||||||
|
sslCertOrgName
|
|
-
|
The subject organization name
|
|
|
||||||
|
subRuleId
|
|
-
|
The sub-rule ID
|
|
|
||||||
|
subRuleName
|
|
-
|
The sub-rule name
|
|
|
||||||
|
suid
|
|
|
The user name or mailbox
|
|
|
||||||
|
suser
|
|
|
The email sender
|
|
|
||||||
|
suspiciousObject
|
|
-
|
The matched suspicious object
|
|
|
||||||
|
suspiciousObjectType
|
|
-
|
The matched suspicious object type
|
|
|
||||||
|
tacticId
|
|
|
The list of MITRE tactic IDs
|
|
|
||||||
|
tags
|
|
|
The detected technique ID based on the alert filter
|
|
|
||||||
|
target
|
|
-
|
The target object for the behavior
|
|
|
||||||
|
targetShare
|
|
|
The subject state or province for hypertext transfer protocol secure (HTTPS) or the
shared folder for server message block (SMB)
|
|
|
||||||
|
targetType
|
|
-
|
The target object type
|
|
|
||||||
|
techniqueId
|
|
|
The Technique ID detected by the product agent based on a detection rule
|
-
|
|
||||||
|
threatName
|
|
-
|
The threat name
|
|
|
||||||
|
threatNames
|
|
-
|
The associated threats
|
|
|
||||||
|
threatType
|
|
-
|
The log threat type
|
|
|
||||||
|
trigger
|
|
-
|
The action trigger
|
|
|
||||||
|
triggerReason
|
|
-
|
The cause of the triggered action
|
|
|
||||||
|
urlCat
|
|
-
|
The requested URL category
|
|
|
||||||
|
userDepartment
|
|
-
|
The user department
|
|
|
||||||
|
userDomain
|
|
|
The user domain
|
|
|
||||||
|
userDomains
|
|
-
|
The telemetry events that match the Security Analytics Engine filter, and userDomains
stores the userDomains value of the original events
|
|
|
||||||
|
uuid
|
|
-
|
The unique key of the log
|
|
|
||||||
|
uuids
|
|
-
|
The UUIDs of detection records
|
|
|
||||||
|
vendor
|
|
-
|
The device vendor
|
|
|
||||||
|
vpcId
|
|
-
|
The virtual private cloud that contains the cloud asset
|
|
|
||||||
|
vsysName
|
|
-
|
The Palo Alto Networks virtual system of the session
|
|
|
||||||
|
wasEntity
|
|
-
|
The entity before change/modification
|
|
|
||||||
|
winEventId
|
|
-
|
The Windows Event ID
|
|
|
accessPermission
|
string |
-
|
The access permission type
|
|
Trend Micro Apex One as a Service
|
|
act
|
string[] |
-
|
The actions taken to mitigate the event
|
|
|
||||||
|
actResult
|
string[] |
-
|
The result of an action
|
|
|
||||||
|
aggregateFunction
|
enum_sae.DdrDetectionLog.MetricAggregator |
-
|
The metric aggregator
|
|
Data Detection and Response
|
||||||
|
aggregateUnit
|
string |
-
|
The metric unit
|
|
Data Detection and Response
|
||||||
|
aggregatedCount
|
int64 |
-
|
The number of aggregated events
|
|
|
||||||
|
appDexSha256
|
string |
FileSHA2
|
The app dex encoded using SHA-256
|
08736EDDD3682AC26D9FD42DA2A20B0BADB5C85A5456A0AE85B52D60C564F290 |
Trend Vision One Mobile Security
|
||||||
|
appGroup
|
string |
-
|
The app category of the event
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
appIsSystem
|
bool |
-
|
Whether the app is a system app
|
false |
Trend Vision One Mobile Security
|
||||||
|
appLabel
|
string |
-
|
The app name
|
Mobile Security Virus Test Application |
Trend Vision One Mobile Security
|
||||||
|
appPkgName
|
string |
-
|
The app package name
|
com.trustport.mobilesecurity_eicar_test_file |
Trend Vision One Mobile Security
|
||||||
|
appPublicKeySha1
|
string |
|
The app public key (SHA-1)
|
72080A6B4EB11105B28E31C4753BC91414500AD4 |
Trend Vision One Mobile Security
|
||||||
|
appSize
|
string |
-
|
The app size (in bytes)
|
28461 |
Trend Vision One Mobile Security
|
||||||
|
appVerCode
|
uint32 |
-
|
The app version code
|
1 |
Trend Vision One Mobile Security
|
||||||
|
application
|
string |
-
|
The name of the requested application
|
|
|
||||||
|
aptCampaigns
|
string[] |
-
|
The related APT campaigns
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
aptRelated
|
string |
-
|
Whether the event is related to an advanced persistent threat (APT)
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
attachment
|
object_Attachment[] |
-
|
The information about the email attachment
|
{"attachmentFileTlsh": "", "attachmentFileName": "testfile.txt","attachmentFileHash":
"","attachmentFileSize": "-1"} |
|
||||||
|
attachmentFileHash
|
string |
FileSHA1
|
The SHA-1 of the email attachment
|
|
|
||||||
|
attachmentFileHashMd5
|
string |
FileMD5
|
The MD5 of the attached file (attachmentFileName)
|
|
Trend Micro
Cloud App Security
|
||||||
|
attachmentFileHashSha1
|
string |
FileSHA1
|
The SHA-1 of the attached file (attachmentFileName)
|
|
|
||||||
|
attachmentFileHashSha256
|
string |
FileSHA2
|
The SHA-256 of the attached file (attachmentFileName)
|
|
|
||||||
|
attachmentFileHashes
|
string[] |
-
|
The SHA-1 of the email attachment
|
|
|
||||||
|
attachmentFileHashs
|
string[] |
-
|
The SHA-1 hash value of the attachment file
|
|
|
||||||
|
attachmentFileName
|
string[] |
|
The file name of an attachment
|
|
|
||||||
|
attachmentFileSize
|
int64 |
-
|
The file size of the email attachment
|
|
|
||||||
|
attachmentFileSizes
|
int64[] |
-
|
The file size of email attachments
|
|
Email Sensor
|
||||||
|
attachmentFileTlshes
|
string[] |
-
|
The TLSH of the email attachment
|
|
|
||||||
|
attachmentFileTlshs
|
string[] |
-
|
The TLSH hash value of the attachment file
|
|
|
||||||
|
attachmentFileType
|
string |
-
|
The file type of the email attachment
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
authType
|
string |
-
|
The authorization type
|
|
Trend Vision One Zero Trust Secure Access Internet Access
|
||||||
|
azId
|
string |
-
|
The virtual machine Availability Zone ID
|
|
Trend Cloud One - Cloud Sentry
|
||||||
|
behaviorCat
|
string |
-
|
The matched policy category
|
|
|
||||||
|
blocking
|
string |
-
|
The blocking type
|
|
Trend Micro Apex One as a Service
|
||||||
|
bmGroup
|
string |
-
|
The one-to-many data structure
|
|
Trend Micro Apex One as a Service
|
||||||
|
botCmd
|
string |
CLICommand
|
The bot command
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
botUrl
|
string |
URL
|
The bot URL
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
category
|
string |
-
|
The event category
|
|
|
||||||
|
cccaDestination
|
string |
URL
|
The destination domain, IP, URL, or recipient
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
cccaDestinationFormat
|
string |
-
|
The C&C server access format
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
cccaDetection
|
string |
-
|
Whether this log is identified as a C&C callback address detection
|
Yes |
|
||||||
|
cccaDetectionSource
|
string |
-
|
The list which defines this CCCA detection rule
|
|
|
||||||
|
cccaRiskLevel
|
int32 |
-
|
The severity level of the threat actors associated with the C&C servers
|
-
|
|
||||||
|
censusMaturityValue
|
int32 |
-
|
The CENSUS maturity value
|
|
|
||||||
|
censusPrevalenceValue
|
int32 |
-
|
The CENSUS prevalence value
|
|
|
||||||
|
channel
|
string |
-
|
The channel through which the demanded Windows Event is delivered
|
|
Trend Micro Apex One as a Service
|
||||||
|
clientFlag
|
string |
-
|
Whether the client is a source or destination
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
clientIp
|
string[] |
-
|
The IP addresses of the source
|
|
|
||||||
|
clientStatus
|
string |
-
|
The client status when the event occurred
|
|
Trend Micro Apex One as a Service
|
||||||
|
cloudAccountId
|
string |
-
|
The cloud account ID
|
123456789012 |
|
||||||
|
cloudAppCat
|
string |
-
|
The category of the event in Cloud Reputation Service
|
|
TTrend Vision One Zero Trust Secure Access Internet Access
|
||||||
|
cloudAppName
|
string |
-
|
The cloud app name
|
|
Trend Micro
Cloud App Security
|
||||||
|
cloudMachineImageId
|
string |
-
|
The cloud machine image ID
|
ami-092d1c9fb626c2ba7 |
Trend Cloud One - Cloud Sentry
|
||||||
|
cloudMachineImageName
|
string |
-
|
The cloud machine image name
|
Windows_Server-2022-English-Full-SQL_2022_Standard-2024.05.15 |
Trend Cloud One - Cloud Sentry
|
||||||
|
cloudProvider
|
string |
-
|
The service provider of the cloud asset
|
|
|
||||||
|
cloudResourceDigest
|
string |
-
|
The cloud resource digest
|
|
Trend Cloud One - Cloud Sentry
|
||||||
|
cloudResourceId
|
string |
-
|
The cloud resource ID
|
|
Trend Cloud One - Cloud Sentry
|
||||||
|
cloudResourceTags
|
string |
-
|
The cloud resource tags
|
|
Trend Cloud One - Cloud Sentry
|
||||||
|
cloudResourceType
|
string |
-
|
The cloud resource type
|
|
Trend Cloud One - Cloud Sentry
|
||||||
|
cloudResourceVersion
|
string |
-
|
The cloud resource version
|
113 |
Trend Cloud One - Cloud Sentry
|
||||||
|
cloudStorageName
|
string |
-
|
The cloud storage name
|
my-bucket |
Trend Cloud One – File Storage Security
|
||||||
|
clusterId
|
string |
-
|
The cluster ID of the container
|
ben_eks_test-20k90A3jGa4d3YMYfrdGIgs7g9u |
Trend Cloud One - Container Security
|
||||||
|
clusterName
|
string |
-
|
The cluster name of the container
|
ben_eks_test |
Trend Cloud One - Container Security
|
||||||
|
cnt
|
int64 |
-
|
The total number of logs
|
|
|
||||||
|
compressedFileHash
|
string |
FileSHA1
|
The SHA-1 of the decompressed archive
|
|
|
||||||
|
compressedFileHashSha256
|
string |
FileSHA2
|
The SHA-256 of the compressed suspicious file
|
|
|
||||||
|
compressedFileName
|
string |
FileName
|
The file name of the compressed file
|
|
|
||||||
|
compressedFileSize
|
int64 |
-
|
The file size of the decompressed archive file
|
|
|
||||||
|
compressedFileType
|
string |
-
|
The file type of the decompressed archive file
|
|
|
||||||
|
computerDomain
|
string |
-
|
The computer domain
|
|
Trend Micro Apex One as a Service | ||||||
|
containerId
|
string |
-
|
The Kubernetes container ID
|
4102001853b8 |
Trend Cloud One - Container Security
|
||||||
|
containerImage
|
string |
-
|
The Kubernetes container image
|
dockerhub.io/ubuntu:latest |
Trend Cloud One - Container Security
|
||||||
|
containerImageDigest
|
string |
-
|
The Kubernetes container image digest
|
sha256:626ffe58f6e7566e00254b638eb7e0f3b11d4da9675088f4781a50ae288f3322 |
Trend Cloud One - Container Security
|
||||||
|
containerName
|
string |
-
|
The Kubernetes container name
|
k8s_ubuntu_ubuntu-ds-fp2jk_default_fc550ed4-3b54-402a-a56d-46096c285660_2 |
Trend Cloud One - Container Security
|
||||||
|
correlationCat
|
string |
-
|
The correlation category
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
customTags
|
string[] |
-
|
The event tags
|
|
|
||||||
|
cve
|
string |
-
|
The CVE identifier
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
cves
|
string[] |
-
|
The CVEs associated with this filter
|
|
|
||||||
|
dOSClass
|
string |
-
|
The destination device OS class
|
Linux |
Trend Micro Mobile Network Security
|
||||||
|
dOSName
|
string |
-
|
The destination host OS
|
|
|
||||||
|
dOSVendor
|
string |
-
|
The destination device OS vendor
|
Others |
Trend Micro Mobile Network Security
|
||||||
|
dUser1
|
string |
UserAccount
|
The latest sign-in user of the destination
|
|
|
||||||
|
dacDeviceType
|
string |
-
|
The device type
|
|
Trend Micro Apex One as a Service
|
||||||
|
data0
|
string |
-
|
The value of the Deep Discovery Inspector correlation log
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
data0Name
|
string |
-
|
The name of the Deep Discovery Inspector correlation log
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
data1
|
string |
-
|
The Deep Discovery Inspector correlation log metadata
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
data1Name
|
string |
-
|
The name of the Deep Discovery Inspector correlation log
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
data2
|
string |
-
|
The value of the Deep Discovery Inspector correlation log
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
data2Name
|
string |
-
|
The name of the Deep Discovery Inspector correlation log
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
data3
|
string |
-
|
The value of the Deep Discovery Inspector correlation log
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
data4
|
string |
-
|
The value of the Deep Discovery Inspector correlation log
|
2.57.122.209 |
Trend Micro
Deep Discovery Inspector
|
||||||
|
dceArtifactActions
|
string[] |
-
|
The actions performed on Damage Cleanup Engine artifacts
|
|
|
||||||
|
dceHash1
|
string |
-
|
Whether the Trend Micro Threat Mitigation Server requires the log (the Trend Micro
Threat Mitigation Server is EOL)
|
0 |
Trend Micro
Deep Discovery Inspector
|
||||||
|
dceHash2
|
string |
-
|
Whether the Trend Micro Threat Mitigation Server requires the log (the Trend Micro
Threat Mitigation Server is EOL)
|
0 |
Trend Micro
Deep Discovery Inspector
|
||||||
|
denyListFileHash
|
string |
FileSHA1
|
The SHA-1 of the Virtual Analyzer Suspicious Object
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
denyListFileHashSha256
|
string |
-
|
The SHA-256 of the User-Defined Suspicious Object
|
757E5C8823CAA7406030A7E26AED2A2C95D16F69C5A14C884C8CAA72A0C001C3 |
Trend Micro
Deep Discovery Inspector
|
||||||
|
denyListHost
|
string |
DomainName
|
The domain of the Virtual Analyzer Suspicious Object
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
denyListIp
|
string[] |
|
The IP of the Virtual Analyzer Suspicious Object
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
denyListRequest
|
string |
-
|
The block list event request
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
denyListType
|
string |
-
|
The block list type
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
destinationPath
|
string |
-
|
The intended destination of the file containing the digital asset or channel
|
|
Trend Micro Apex One as a Service
|
||||||
|
detectedActions
|
string[] |
-
|
The actions performed on detected artifacts
|
|
|
||||||
|
detectedBackupArtifacts
|
object_DceArtifact[] |
-
|
The information about detected artifacts
|
{"objectArtifactId": "025d9f2a-ac9c-4cdf-b9e4-cf20c6e40281_0.dmp", "action": "object_process_dump",
"status": 0, "processCreationTime": "1627574338077", "processImageFileName": "C:\Program
Files\aaa\bbb\objprocess.exe"} |
|
||||||
|
detectedBackupFolder
|
string |
-
|
The folder path for detected backup folders
|
C:\\Program Files (x86)\\Trend Micro\\artifact\\DCE |
|
||||||
|
detectedPattern
|
string |
-
|
The detected pattern
|
dct.virus |
|
||||||
|
detectionAggregationId
|
string |
-
|
The correlation key for detection logs and artifacts
|
550e8400-e29b-41d4-a716-446655440000 |
Endpoint Sensor
|
||||||
|
detectionDetail
|
string |
-
|
The details about each event type
|
|
Trend Micro Email Security
|
||||||
|
detectionEngineVersion
|
string |
-
|
The detection engine version
|
7.6.0 |
|
||||||
|
detectionName
|
string |
-
|
The general name for the detection
|
|
|
||||||
|
detectionType
|
string |
-
|
The detection type
|
|
|
||||||
|
deviceDirection
|
string |
-
|
The device direction (If the source IP is in the internal network monitored by Deep
Discovery Inspector, it is tagged as outbound. All other cases are inbound. Internal-to-internal
is also tagged as outbound.)
|
|
|
||||||
|
deviceGUID
|
string |
-
|
The GUID of the agent which reported the detection
|
|
|
||||||
|
deviceMacAddress
|
string |
-
|
The device MAC address
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
deviceModel
|
string |
-
|
The device model number
|
c96a |
Trend Micro Apex One as a Service
|
||||||
|
devicePayloadId
|
string |
-
|
The device payload ID
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
deviceSerial
|
string |
-
|
The device serial ID
|
000000063a2e8f |
Trend Micro Apex One as a Service
|
||||||
|
dhost
|
string |
DomainName
|
The destination hostname
|
|
|
||||||
|
direction
|
string |
-
|
The direction
|
|
|
||||||
|
diskPartitionId
|
string |
-
|
The cloud volume partition ID
|
|
Trend Cloud One - Cloud Sentry
|
||||||
|
dmac
|
string |
-
|
The MAC address of the destination IP (dest_ip)
|
|
|
||||||
|
domainName
|
string |
DomainName
|
The detected domain name
|
|
|
||||||
|
dpt
|
int32 |
Port
|
The destination port
|
|
|
||||||
|
dst
|
string[] |
|
The destination IP
|
|
|
||||||
|
dstEquipmentId
|
string |
-
|
The destination IMEI
|
350548054087659 |
Trend Micro Mobile Network Security
|
||||||
|
dstFamily
|
string |
-
|
The destination device family
|
Computer |
Trend Micro Mobile Network Security
|
||||||
|
dstGroup
|
string |
-
|
The group name defined by the administrator of the destination
|
|
|
||||||
|
dstLocation
|
string |
-
|
The destination country
|
Japan |
Palo Alto Networks Next-Generation Firewalls
|
||||||
|
dstSubscriberDirNum
|
string |
-
|
The destination MSISDN
|
8618687654321 |
Trend Micro Mobile Network Security
|
||||||
|
dstSubscriberId
|
string |
-
|
The destination IMSI
|
466686007810478 |
Trend Micro Mobile Network Security
|
||||||
|
dstType
|
string |
-
|
The destination device type
|
Desktop/Laptop |
Trend Micro Mobile Network Security
|
||||||
|
dstZone
|
string |
-
|
The network zone defined by the destination administrator
|
|
|
||||||
|
duration
|
int64 |
-
|
The detection interval (in milliseconds)
|
|
Data Detection and Response
|
||||||
|
duser
|
string[] |
EmailRecipient
|
The email recipient
|
|
|
||||||
|
dvc
|
string[] |
-
|
The IP address of the Deep Discovery Inspector appliance
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
dvchost
|
string |
-
|
The computer which installed the Trend Micro product
|
|
|
||||||
|
endpointGUID
|
string |
EndpointID
|
The GUID of the agent which reported the detection
|
|
|
||||||
|
endpointHostName
|
string |
EndpointName
|
The endpoint hostname or node where the event was detected
|
|
|
||||||
|
endpointIp
|
string[] |
|
The IP address of the endpoint on which the event was detected
|
|
|
||||||
|
endpointMacAddress
|
string |
-
|
The endpoint MAC address
|
|
|
||||||
|
endpointModel
|
string |
-
|
The mobile device model
|
M2101K9G |
Trend Vision One Mobile Security
|
||||||
|
engType
|
string |
-
|
The engine type
|
|
|
||||||
|
engVer
|
string |
-
|
The engine version
|
|
|
||||||
|
engineOperation
|
string |
-
|
The operation of the engine event
|
|
|
||||||
|
eventClass
|
string |
-
|
The event category
|
|
|
||||||
|
eventId
|
|
-
|
The event ID from the logs of each product
|
|
|
||||||
|
eventName
|
string |
-
|
The event type
|
|
|
||||||
|
eventSubClass
|
string |
-
|
The sub-event class category
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
eventSubId
|
int64 |
-
|
The access type
|
|
|
||||||
|
eventSubName
|
string |
-
|
The event type sub-name
|
|
|
||||||
|
extraInfo
|
string[] |
-
|
The network application name
|
|
Trend Micro Apex One as a Service
|
||||||
|
fileCreation
|
string |
-
|
The file creation date
|
|
Trend Micro Apex One as a Service
|
||||||
|
fileDesc
|
string |
-
|
The file description
|
|
|
||||||
|
fileExt
|
string |
-
|
The file extension of the suspicious file
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
fileHash
|
string |
|
The SHA-1 of the file that triggered the rule or policy
|
|
|
||||||
|
fileHashMd5
|
string |
FileMD5
|
The MD5 of the file
|
d5120786925038601a77c2e1eB9a3a0a |
Palo Alto Networks Next-Generation Firewalls
|
||||||
|
fileHashSha256
|
string |
FileSHA2
|
The SHA-256 of the file (fileName)
|
|
|
||||||
|
fileName
|
string[] |
FileName
|
The file name
|
|
|
||||||
|
fileOperation
|
string |
-
|
The operation of the file
|
|
|
||||||
|
filePath
|
string |
|
The file path without the file name
|
|
|
||||||
|
filePathName
|
string |
FileFullPath
|
The file path with the file name
|
|
|
||||||
|
fileSize
|
int64 |
-
|
The file size of the suspicious file
|
|
|
||||||
|
fileSystemUuid
|
string |
-
|
The file system UUID
|
|
Trend Cloud One - Cloud Sentry
|
||||||
|
fileType
|
string |
-
|
The file type of the suspicious file
|
|
|
||||||
|
fileVer
|
string |
-
|
The file version
|
|
Trend Micro Apex One as a Service
|
||||||
|
filterName
|
string |
-
|
The filter name
|
|
|
||||||
|
filterRiskLevel
|
string |
-
|
The top level filter risk of the event
|
|
Security Analytics Engine
|
||||||
|
filterType
|
string |
-
|
The filter type
|
|
|
||||||
|
firmalware
|
string[] |
-
|
The Deep Discovery Inspector firmware version
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
firstAct
|
string |
-
|
The first scan action
|
|
|
||||||
|
firstActResult
|
string |
-
|
The first scan action result
|
|
|
||||||
|
firstSeen
|
int64 |
-
|
The first time the XDR log appeared
|
1657195233000 |
|
||||||
|
flowId
|
string |
-
|
The connection ID
|
|
|
||||||
|
forensicFileHash
|
string |
-
|
The hash value of the forensic data file
|
|
Trend Micro Apex One as a Service
|
||||||
|
forensicFilePath
|
string |
-
|
The file path of the forensic file (When a Data Loss Prevention policy is triggered,
the file is encrypted and copied to the OfficeScan server for post-mortem analysis.)
|
|
Trend Micro Apex One as a Service
|
||||||
|
ftpUser
|
string |
-
|
The FTP sign-in user name
|
|
Trend Micro Apex One as a Service
|
||||||
|
fullPath
|
string |
FileFullPath
|
The combination of the file path and the file name
|
|
|
||||||
|
groups
|
string |
-
|
The OSSEC rule group names
|
|
|
||||||
|
hasdtasres
|
string |
-
|
Whether the log contains a report from Virtual Analyzer
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
highlightMailMsgSubject
|
string |
-
|
The email subject
|
|
Trend Micro Email Security
|
||||||
|
highlightedFileHashes
|
string[] |
FileSHA1
|
The SHA-1 hashes of the highlighted file
|
|
|
||||||
|
highlightedFileName
|
string[] |
-
|
The file names of suspicious attachments
|
|
|
||||||
|
hostName
|
string |
|
The computer name of the client host (the hostname from the suspicious URL detected
by Deep Discovery Inspector)
|
|
|
||||||
|
hostSeverity
|
int32 |
-
|
The severity of the threat (specific to the interestedIp)
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
hotFix
|
string[] |
-
|
The applied Deep Discovery Inspector hotfix version
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
httpReferer
|
string |
URL
|
The HTTP referer
|
|
|
||||||
|
httpRespContentType
|
string |
-
|
The HTTP response data content type
|
Application/json |
Palo Alto Networks Next-Generation Firewalls
|
||||||
|
httpXForwardedFor
|
string |
-
|
The HTTP X-Forwarded-For header
|
192.168.1.103, 192.168.1.104, 192.168.1.106 |
Palo Alto Networks Next-Generation Firewalls
|
||||||
|
icmpCode
|
int32 |
-
|
The ICMP protocol code field
|
0 |
Trend Micro Mobile Network Security
|
||||||
|
icmpType
|
int32 |
-
|
The ICMP protocol type
|
|
Trend Micro Mobile Network Security
|
||||||
|
instanceId
|
string |
-
|
The ID of the instance that indicates the meta-cloud or data center VM
|
|
|
||||||
|
instanceName
|
string |
-
|
The name of the instance that indicates the meta-cloud or data center VM
|
instapecot-1 |
Trend Micro Mobile Network Security
|
||||||
|
integrityLevel
|
int32 |
-
|
The integrity level of a process
|
16384 |
Endpoint Sensor
|
||||||
|
interestedGroup
|
string |
-
|
The network group associated with the user-defined source IP or destination IP
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
interestedHost
|
string |
DomainName
|
The endpoint hostname (If an intranet host accesses a suspicious internet host, the
intranet host is the "peerHost" and the internet host is the "interestedHost".)
|
|
|
||||||
|
interestedIp
|
string[] |
|
The IP of the interestedHost
|
|
|
||||||
|
interestedMacAddress
|
string |
-
|
The log owner MAC address
|
|
|
||||||
|
ircChannelName
|
string |
-
|
The IRC channel name
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
ircUserName
|
string |
-
|
The IRC user name
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
isEntity
|
string |
-
|
The current entity (or after change/modification)
|
|
|
||||||
|
isHidden
|
string |
-
|
Whether the detection log generated a gray rule match
|
Yes |
|
||||||
|
isPrivateApp
|
bool |
-
|
Whether the requested application is private
|
|
Trend Vision One Zero Trust Secure Access Internet Access
|
||||||
|
isProxy
|
bool |
-
|
Whether something is a proxy
|
false |
|
||||||
|
isRetroScan
|
bool |
-
|
Whether the event matches the Security Analytics Engine filter
|
true |
Security Analytics Engine
|
||||||
|
ja3Hash
|
string |
-
|
The fingerprint of an SSL/TLS client application as detected via a network sensor
or device
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
ja3sHash
|
string |
-
|
The fingerprint of an SSL/TLS server application as detected via a network sensor
or device
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
k8sNamespace
|
string |
-
|
The Kubernetes namespace of the container
|
default |
Trend Cloud One - Container Security
|
||||||
|
k8sPodId
|
string |
-
|
The Kubernetes pod ID of the container
|
fc550ed4-3b54-402a-a56d-46096c285660 |
Trend Cloud One - Container Security
|
||||||
|
k8sPodName
|
string |
-
|
The Kubernetes pod name of the container
|
ubuntu-ds-fp2jk |
Trend Cloud One - Container Security
|
||||||
|
lastSeen
|
int64 |
-
|
The last time the XDR log appeared
|
1657195233000 |
|
||||||
|
lineageId
|
string |
-
|
The lineage ID
|
555a8b4c-c9a7-410c-b218-45517d5cd645 |
Data Detection and Response
|
||||||
|
logKey
|
string |
-
|
The unique key of the event
|
|
|
||||||
|
logReceivedTime
|
int64 |
-
|
The time when the XDR log was received
|
1656324260000 |
Security Analytics Engine
|
||||||
|
logonUsers
|
string[] |
-
|
The telemetry events that match the Security Analytics Engine filter, and logonUsers
stores the logonUsers value of the original events
|
BHBShortJ |
|
||||||
|
mDevice
|
string[] |
-
|
The source IP
|
|
Trend Micro Apex One as a Service
|
||||||
|
mDeviceGUID
|
string |
-
|
The GUID of the agent host
|
|
|
||||||
|
mailDeliveryTime
|
string |
-
|
The mail delivery time
|
1900-1-1 00:00:00 |
Trend Micro Apex One as a Service
|
||||||
|
mailFolder
|
string |
-
|
The email folder name
|
|
Trend Micro
Cloud App Security
|
||||||
|
mailMsgId
|
string |
-
|
The internet message ID of the email
|
|
Trend Micro
Cloud App Security
|
||||||
|
mailMsgSubject
|
string |
EmailSubject
|
The email subject
|
|
|
||||||
|
mailReceivedTime
|
string |
-
|
The mail received timestamp
|
-
|
|
||||||
|
mailSmtpFromAddresses
|
string[] |
-
|
The envelope address of the sender
|
|
Trend Micro Email Security
|
||||||
|
mailSmtpHelo
|
string |
-
|
The domain name of the email server by using the SMTP HELO command
|
|
Trend Micro Email Security
|
||||||
|
mailSmtpOriginalRecipients
|
string[] |
-
|
The envelope addresses of the original recipients
|
|
Trend Micro Email Security
|
||||||
|
mailSmtpRecipients
|
string[] |
-
|
The envelope addresses of the current recipients
|
|
Trend Micro Email Security
|
||||||
|
mailSmtpTls
|
string |
-
|
The SMTP TLS version
|
|
Trend Micro Email Security
|
||||||
|
mailUniqueId
|
string |
-
|
The unique ID of the email
|
|
Trend Micro
Cloud App Security
|
||||||
|
mailbox
|
string |
-
|
The mailbox that is protected by Trend Micro
|
|
|
||||||
|
majorVirusType
|
string |
-
|
The virus type
|
|
|
||||||
|
malDst
|
string |
-
|
The malware infection destination
|
|
Trend Micro Apex One as a Service
|
||||||
|
malFamily
|
string |
-
|
The threat family
|
|
|
||||||
|
malName
|
string |
-
|
The name of the detected malware
|
|
|
||||||
|
malSrc
|
string |
FileFullPath
|
The malware infection source
|
|
|
||||||
|
malSubType
|
string |
-
|
The subsidiary virus type
|
Unknown |
|
||||||
|
malType
|
string |
-
|
The risk type for Network Content Correlation Engine rules
|
|
|
||||||
|
malTypeGroup
|
string |
-
|
The risk type group for Network Content Correlation Engine rules
|
|
|
||||||
|
matchedContent
|
string[] |
-
|
The one-to-many data structure
|
|
Trend Micro Apex One as a Service
|
||||||
|
mimeType
|
string |
-
|
The MIME type or content type of the response body
|
|
Trend Vision One Zero Trust Secure Access Internet Access
|
||||||
|
minorVirusType
|
string |
-
|
The minor virus type
|
|
Trend Vision One Mobile Security
|
||||||
|
mitigationTaskId
|
string |
-
|
The unique ID to identify the mitigation request
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
mitreMapping
|
string[] |
-
|
The MITRE tags
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
mitreVersion
|
string |
-
|
The MITRE version
|
|
|
||||||
|
moduleScanType
|
string |
-
|
The module scan type
|
traditional |
|
||||||
|
mpname
|
string |
-
|
The management product name
|
|
|
||||||
|
mpver
|
string |
-
|
The product version
|
|
|
||||||
|
msgAct
|
string |
-
|
The message action
|
|
Trend Micro Apex One as a Service
|
||||||
|
msgId
|
string |
EmailMessageID
|
The internet message ID
|
|
|
||||||
|
msgTOCUuid
|
string |
-
|
The email unique ID
|
b52012c4-6340-11e5-9960-001e4f4ada6e |
|
||||||
|
msgUuid
|
string |
-
|
The unique email ID
|
|
|
||||||
|
msgUuidChain
|
string |
-
|
The message UUID chain
|
|
Trend Micro Email Security
|
||||||
|
netBiosDomainName
|
string |
DomainName
|
The NetBIOS domain name
|
TREND |
Microsoft Active Directory
|
||||||
|
objectActions
|
string[] |
-
|
The object process actions
|
|
Trend Vision One Endpoint Sensor
|
||||||
|
objectApiName
|
string |
-
|
The API name
|
|
Endpoint Sensor
|
||||||
|
objectArtifactIds
|
string[] |
-
|
The artifact IDs generated by objectAction
|
|
|
||||||
|
objectAttributes
|
string |
-
|
The object attributes
|
attribute |
|
||||||
|
objectCmd
|
string[] |
|
The object process command line
|
|
|
||||||
|
objectEntityName
|
string |
-
|
The object entity name
|
|
Trend Micro Apex One as a Service
|
||||||
|
objectFileAccess
|
string |
-
|
The object file access details
|
1717658631000 |
|
||||||
|
objectFileCreation
|
string |
-
|
The UTC time that the object was created
|
|
|
||||||
|
objectFileHashMd5
|
string |
FileMD5
|
The MD5 of the object
|
|
|
||||||
|
objectFileHashSha1
|
string |
FileSHA1
|
The SHA-1 of the objectFilePath object
|
|
|
||||||
|
objectFileHashSha256
|
string |
FileSHA2
|
The SHA-256 of the object (objectFilePath)
|
|
|
||||||
|
objectFileModified
|
string |
-
|
The UTC time that the object was modified
|
-
|
|
||||||
|
objectFileName
|
string |
FileName
|
The object file name
|
|
|
||||||
|
objectFilePath
|
string |
FileFullPath
|
The file path of the target process image or target file
|
|
|
||||||
|
objectFirstRecorded
|
string |
-
|
The first time that the object appeared
|
-
|
Trend Micro Apex One as a Service
|
||||||
|
objectId
|
string |
-
|
The UUID of the object
|
|
|
||||||
|
objectIp
|
string[] |
|
The IP address of the domain
|
|
Trend Cloud One - Endpoint & Workload Security
|
||||||
|
objectName
|
string |
-
|
The base name of the object file or process
|
net.exe |
|
||||||
|
objectPayloadFileHashSha1
|
string |
FileSHA1
|
The SHA-1 of the object payload file
|
-
|
|||||||
|
objectPipeName
|
string |
-
|
The object pipe name
|
\\.\pipe\F451F406BD |
Endpoint Sensor
|
||||||
|
objectRegistryData
|
string |
RegistryValueData
|
The registry data contents
|
|
|
||||||
|
objectRegistryKeyHandle
|
string |
RegistryKey
|
The registry key path
|
|
|
||||||
|
objectRegistryRoot
|
string |
-
|
The name of the object registry root key
|
|
|
||||||
|
objectRegistryValue
|
string |
RegistryValue
|
The registry value name
|
|
|
||||||
|
objectSigner
|
string[] |
-
|
The list of object process signers
|
|
|
||||||
|
objectSignerFlagsAdhoc
|
bool[] |
-
|
The list of object process signature adhoc flags
|
-
|
|
||||||
|
objectSignerFlagsLibValid
|
bool[] |
-
|
The list of object process signature library validation flags
|
-
|
|
||||||
|
objectSignerFlagsRuntime
|
bool[] |
-
|
The list of object process signature runtime flags
|
-
|
|
||||||
|
objectSignerValid
|
bool[] |
-
|
Whether each signer of the object process is valid
|
-
|
Endpoint Sensor
|
||||||
|
objectSubType
|
string |
-
|
The sub-types of the policy event (displayed when a policy event has sub-types)
|
|
|
||||||
|
objectTargetProcess
|
string |
-
|
The file path of the target process that the API performs
|
C:\\Windows\\System32\\lsass.exe |
|||||||
|
objectType
|
string |
-
|
The object type
|
|
|
||||||
|
objectUser
|
string |
UserAccount
|
The owner name of the target process or the sign-in user name
|
|
|
||||||
|
objectUserDomain
|
string |
-
|
The owner domain of the target process
|
|
|
||||||
|
oldFileHash
|
string |
FileSHA1
|
The SHA-1 of the target process image or target file (wasEntity from an IM event)
|
|
|
||||||
|
online
|
string |
-
|
Whether the endpoint is online
|
|
Trend Micro Apex One as a Service
|
||||||
|
orgId
|
string |
-
|
The organization ID
|
|
|
||||||
|
originEventSourceType
|
string |
-
|
The event source type of the original events which matches the Security Analytics
Engine filter
|
EVENT_SOURCE_TELEMETRY |
Security Analytics Engine
|
||||||
|
originUUID
|
string[] |
-
|
The UUID of the original events which matches the Security Analytics Engine filter
|
5b3a70cb-f338-40fe-b17b-ab8f9aeedee7 |
Security Analytics Engine
|
||||||
|
originalFileHashes
|
string[] |
FileSHA1
|
The hashes of the original file
|
|
|
||||||
|
originalFilePaths
|
string[] |
|
The paths of the original file
|
|
|
||||||
|
osName
|
string |
-
|
The host OS name
|
|
|
||||||
|
osVer
|
string |
-
|
The OS version
|
11 |
|
||||||
|
out
|
int64 |
-
|
The IP datagram length (in bytes)
|
|
|
||||||
|
overSsl
|
string |
-
|
Whether the event was triggered by an SSL decryption stream (displayed only when SSL
Inspection is supported)
|
|
|
||||||
|
pAttackPhase
|
string |
-
|
The category of the primary Attack Phase
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
pComp
|
string |
-
|
The component that made the detection
|
|
|
||||||
|
pTags
|
string |
-
|
The event tagging system
|
|
Deep Security
|
||||||
|
parentCmd
|
string |
CLICommand
|
The command line of the subject parent process
|
|
|
||||||
|
parentFileHashMd5
|
string |
FileMD5
|
The MD5 of the subject parent process
|
|
Endpoint Sensor
|
||||||
|
parentFileHashSha1
|
string |
FileSHA1
|
The SHA-1 of the subject parent process
|
|
Endpoint Sensor
|
||||||
|
parentFileHashSha256
|
string |
FileSHA2
|
The SHA-256 of the subject parent process
|
|
|
||||||
|
parentFilePath
|
string |
FileFullPath
|
The full file path of the parent process
|
|
Endpoint Sensor
|
||||||
|
parentHashId
|
int64 |
-
|
The FNV of the parent process
|
|
Endpoint Sensor
|
||||||
|
parentIntegrityLevel
|
int32 |
-
|
The integrity level of a parent
|
16384 |
Endpoint Sensor
|
||||||
|
parentName
|
string |
-
|
The image name of the parent process
|
|
|
||||||
|
parentPayloadSigner
|
string[] |
-
|
The signer name list of the parent process payload
|
|
Endpoint Sensor
|
||||||
|
parentPayloadSignerFlagsAdhoc
|
bool[] |
-
|
The list of parent process payload signature adhoc flags
|
-
|
Endpoint Sensor
|
||||||
|
parentPayloadSignerFlagsLibValid
|
bool[] |
-
|
The list of parent process payload signature library validation flags
|
-
|
Endpoint Sensor
|
||||||
|
parentPayloadSignerFlagsRuntime
|
bool[] |
-
|
The list of parent process payload signature runtime flags
|
-
|
Endpoint Sensor
|
||||||
|
parentPayloadSignerValid
|
bool[] |
-
|
Whether each signer of the parent process payload is valid
|
-
|
Endpoint Sensor
|
||||||
|
parentPid
|
int32 |
-
|
The PID of the parent process
|
-
|
|
||||||
|
parentSigner
|
string[] |
-
|
The signers of the parent process
|
|
Endpoint Sensor
|
||||||
|
parentSignerFlagsAdhoc
|
bool[] |
-
|
The list of parent process signature adhoc flags
|
-
|
|
||||||
|
parentSignerFlagsLibValid
|
bool[] |
-
|
The list of parent process signature library validation flags
|
-
|
|
||||||
|
parentSignerFlagsRuntime
|
bool[] |
-
|
The list of parent process signature runtime flags
|
-
|
|
||||||
|
parentSignerValid
|
bool[] |
-
|
Whether each signer of the parent process is valid
|
-
|
Endpoint Sensor
|
||||||
|
parentUser
|
string |
-
|
The account name of the parent process
|
Administrator |
Trend Cloud One - Endpoint & Workload Security
|
||||||
|
parentUserDomain
|
string |
-
|
The domain name of the parent process
|
builtindomain |
Trend Cloud One - Endpoint & Workload Security
|
||||||
|
patType
|
string |
-
|
The pattern type
|
|
Trend MicroApex One
|
||||||
|
patVer
|
string |
-
|
The version of the behavior pattern
|
|
|
||||||
|
pcapUUID
|
string |
-
|
The PCAP file UUID
|
c9ebd33e-4e69-4dff-bd5c-907081e8492c |
Trend Micro
Deep Discovery Inspector
|
||||||
|
peerEndpointGUID
|
string |
-
|
The endpoint GUID of the agent peer host
|
7a45e787-ab13-41d2-87b5-6e2eb972d6b0 |
|
||||||
|
peerGroup
|
string |
-
|
The peer IP group
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
peerHost
|
string |
DomainName
|
The hostname of peerIp
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
peerIp
|
string[] |
|
The IP of peerHost
|
|
|
||||||
|
pname
|
string |
-
|
The internal product ID
|
|
|
||||||
|
policyId
|
string |
-
|
The policy ID of which the event was detected
|
|
|
||||||
|
policyName
|
string |
-
|
The name of the triggered policy
|
|
|
||||||
|
policyTemplate
|
string[] |
-
|
The one-to-many data structure
|
|
|
||||||
|
policyTreePath
|
string |
-
|
The policy tree path
|
policyname1/policyname2/policyname3 |
Security Analytics Engine
|
||||||
|
policyUuid
|
string |
-
|
The UUID of the cloud access or risk control policy, or the hard-coded string that
indicates the rule of the global blocked/approved URL list
|
|
|
||||||
|
potentialRisk
|
string |
-
|
Whether there is potential risk
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
principalName
|
string |
-
|
The user principal name used to sign in to the proxy
|
|
|
||||||
|
processActions
|
string[] |
-
|
The process actions
|
|
Endpoint Sensor
|
||||||
|
processArtifactIds
|
string[] |
-
|
The artifact IDs generated by processAction
|
|
|
||||||
|
processCmd
|
string |
CLICommand
|
The subject process command line
|
|
|
||||||
|
processFileCreation
|
string |
-
|
The Unix time of object creation
|
|
|
||||||
|
processFileHashMd5
|
string |
FileMD5
|
The MD5 of the subject process
|
|
|
||||||
|
processFileHashSha1
|
string |
|
The SHA-1 of the subject process
|
|
|
||||||
|
processFileHashSha256
|
string |
FileSHA2
|
The SHA-256 of the subject process
|
|
|
||||||
|
processFilePath
|
string |
|
The file path of the subject process
|
|
|
||||||
|
processHashId
|
int64 |
-
|
The FNV of the subject process
|
|
Endpoint Sensor
|
||||||
|
processImageFileNames
|
string[] |
-
|
The process image file names of detected backup artifacts
|
|
|
||||||
|
processImagePath
|
string |
-
|
The process triggered by the file event
|
|
|
||||||
|
processLaunchTime
|
string |
-
|
The time the subject process was launched
|
|
Trend Cloud One - Endpoint & Workload Security
|
||||||
|
processName
|
string |
|
The image name of the process that triggered the event
|
|
|
||||||
|
processPayloadSigner
|
string[] |
-
|
The signer name list of the process payload
|
|
Endpoint Sensor
|
||||||
|
processPayloadSignerFlagsAdhoc
|
bool[] |
-
|
The list of process payload signature adhoc flags
|
-
|
Endpoint Sensor
|
||||||
|
processPayloadSignerFlagsLibValid
|
bool[] |
-
|
The list of process payload signature library validation flags
|
-
|
Endpoint Sensor
|
||||||
|
processPayloadSignerFlagsRuntime
|
bool[] |
-
|
The list of process payload signature runtime flags
|
-
|
Endpoint Sensor
|
||||||
|
processPayloadSignerValid
|
bool[] |
-
|
Whether each signer of the process payload is valid
|
-
|
Endpoint Sensor
|
||||||
|
processPid
|
int32 |
-
|
The PID of the subject process
|
-
|
|
||||||
|
processPkgName
|
string |
-
|
The process package name
|
|
Endpoint Sensor
|
||||||
|
processSigner
|
string[] |
-
|
The signer name list of the subject process
|
|
|
||||||
|
processSignerFlagsAdhoc
|
bool[] |
-
|
The list of process signature adhoc flags
|
-
|
|
||||||
|
processSignerFlagsLibValid
|
bool[] |
-
|
The list of process signature library validation flags
|
-
|
|
||||||
|
processSignerFlagsRuntime
|
bool[] |
-
|
The list of process signature runtime flags
|
-
|
|
||||||
|
processUser
|
string |
UserAccount
|
The user name of the process or the file creator
|
|
|
||||||
|
processUserDomain
|
string |
-
|
The owner domain of the subject process image
|
|
Trend Cloud One - Endpoint & Workload Security
|
||||||
|
productCode
|
string |
-
|
The internal product code
|
|
|
||||||
|
profile
|
string |
-
|
The name of the triggered Threat Protection template or Data Loss Prevention profile
|
|
|
||||||
|
proto
|
string |
-
|
The exploited layer network protocol
|
|
|
||||||
|
protoFlag
|
string |
-
|
The data flags
|
|
|
||||||
|
pver
|
string |
-
|
The product version
|
|
|
||||||
|
quarantineFileName
|
string |
-
|
The file path of the quarantined object
|
C:\Program Files\TXOne\StellarProtect\private\quarantine\4429d703-9845-4dff-af25-aab707fb0f19 |
TXOne Stellar (on-premises)
|
||||||
|
quarantineFilePath
|
string |
-
|
The OfficeScan server file path for the quarantined file (a quarantined file is encrypted
and copied to the OfficeScan server for post-mortem analysis)
|
-
|
|||||||
|
quarantineType
|
string |
-
|
The descriptive name for the quarantine area
|
|
Trend MicroApex One
|
||||||
|
rating
|
string |
-
|
The credibility level
|
|
Trend MicroApex One
|
||||||
|
rawDstIp
|
string |
|
The destination IP without replacement
|
182.223.158.84 |
Trend Micro
Deep Discovery Inspector
|
||||||
|
rawDstPort
|
int32 |
Port
|
The destination port without replacement
|
33186 |
Trend Micro
Deep Discovery Inspector
|
||||||
|
rawSrcIp
|
string |
|
The source IP without replacement
|
108.111.231.95 |
Trend Micro
Deep Discovery Inspector
|
||||||
|
rawSrcPort
|
int32 |
Port
|
The source port without replacement
|
80 |
Trend Micro
Deep Discovery Inspector
|
||||||
|
regionCode
|
string |
-
|
The AWS Region code
|
us-east-1 |
|
||||||
|
regionId
|
string |
-
|
The cloud asset region
|
|
Trend Cloud One - Endpoint & Workload Security
|
||||||
|
remarks
|
string |
-
|
The additional information
|
|
|
||||||
|
reportGUID
|
string |
-
|
The GUID for Workbench to request report page data
|
959eaca0-bd45-41a1-9fa2-6a80d2642215 |
|
||||||
|
request
|
string |
URL
|
The notable URLs
|
|
|
||||||
|
requestBase
|
string |
|
The domain of the request URL
|
|
|
||||||
|
requestClientApplication
|
string |
-
|
The protocol user agent information
|
|
|
||||||
|
requestMethod
|
string |
-
|
The network protocol request method
|
POST |
Palo Alto Networks Next-Generation Firewalls
|
||||||
|
respCode
|
string |
-
|
The network protocol response code
|
|
|
||||||
|
rewrittenUrl
|
string |
-
|
The rewritten URL
|
https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fpageimprove.io%2freact%27&umid=91176188-91a7-474c-b1a0-f5616c525eb5&auth=927c0b1ab45858384aa0e7e4a36abbaf860b921f-1644792ad5ca5887134be3e439c4a8c600000000 |
|
||||||
|
riskConfidenceLevel
|
string |
-
|
The risk confidence level
|
|
|
||||||
|
riskLevel
|
string |
-
|
The risk level
|
|
|
||||||
|
rozRating
|
string |
-
|
The overall Virtual Analyzer rating
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
rtDate
|
string |
-
|
The date of the log generation
|
1655337600000 |
|
||||||
|
rtWeekDay
|
string |
-
|
The weekday of the log generation
|
|
|
||||||
|
ruleId
|
int32 |
-
|
The rule ID
|
|
|
||||||
|
ruleId64
|
int64 |
-
|
The IPS rule ID
|
|
|
||||||
|
ruleIdStr
|
string |
-
|
The rule ID
|
TM-00000043 |
Trend Cloud One - Container Security
|
||||||
|
ruleName
|
string |
-
|
The name of the rule that triggered the event
|
|
|
||||||
|
ruleSetId
|
string |
-
|
The rule set ID
|
AllRules-1zSSZPsDqfqkcOt5vNsD6f383HN |
Trend Cloud One - Container Security
|
||||||
|
ruleSetName
|
string |
-
|
The rule set name
|
AllRules |
|
||||||
|
ruleType
|
string |
-
|
The access rule type
|
|
|
||||||
|
ruleUuid
|
string |
-
|
The signature UUID from Digital Vaccine
|
|
|
||||||
|
ruleVer
|
string |
-
|
The rule version
|
|
|
||||||
|
sAttackPhase
|
string |
-
|
The category of the second Attack Phase
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
sOSClass
|
string |
-
|
The source device OS class
|
Linux |
Trend Micro Mobile Network Security
|
||||||
|
sOSName
|
string |
-
|
The source OS
|
|
|
||||||
|
sOSVendor
|
string |
-
|
The source device OS vendor
|
Others |
Trend Micro Mobile Network Security
|
||||||
|
sUser1
|
string |
UserAccount
|
The latest sign-in user of the source
|
|
|
||||||
|
scanTs
|
string |
-
|
The mail scan time
|
-
|
|
||||||
|
scanType
|
string |
-
|
The scan type
|
|
|
||||||
|
schemaVersion
|
string |
-
|
The schema version
|
1.0 |
Trend Micro
Cloud App Security
|
||||||
|
secondAct
|
string |
-
|
The second scan action
|
|
|
||||||
|
secondActResult
|
string |
-
|
The result of the second scan action
|
|
|
||||||
|
sender
|
string |
-
|
The roaming users or the gateway where the web traffic passed
|
|
|
||||||
|
senderGUID
|
string |
-
|
The sender GUID
|
|
|
||||||
|
senderIp
|
string[] |
-
|
The sender IP
|
|
|
||||||
|
sessionEnd
|
int64 |
-
|
The session end time (in seconds)
|
1575462989 |
Trend Vision One Zero Trust Secure Access Private Access
|
||||||
|
sessionStart
|
int64 |
-
|
The session start time (in seconds)
|
1575462989 |
Trend Vision One Zero Trust Secure Access Private Access
|
||||||
|
severity
|
int32 |
-
|
The severity of the event
|
|
|
||||||
|
shost
|
string |
DomainName
|
The source hostname
|
|
|
||||||
|
signInCountries
|
string[] |
-
|
The countries from which a user signed in
|
|
|
||||||
|
signer
|
string |
-
|
The signer of the file
|
Shenzhen Smartspace Software technology Co.,Limited;Symantec Class 3 SHA256 Code Signing
CA;1429491600;1492649999 |
Trend MicroApex One
|
||||||
|
smac
|
string |
-
|
The source MAC address
|
|
|
||||||
|
smbSharedName
|
string |
-
|
The shared folder name for the server that contains the files to be opened
|
C:\sharedfolder |
Endpoint Sensor
|
||||||
|
sourceType
|
string |
-
|
The source type
|
|
|
||||||
|
sproc
|
string |
-
|
The OSSEC program name
|
|
|
||||||
|
spt
|
int32 |
|
The source port
|
|
|
||||||
|
src
|
string[] |
|
The source IP
|
|
|
||||||
|
srcEquipmentId
|
string |
-
|
The source IMEI
|
350548054087659 |
Trend Micro Mobile Network Security
|
||||||
|
srcFamily
|
string |
-
|
The source device family
|
Computer |
Trend Micro Mobile Network Security
|
||||||
|
srcFileHashMd5
|
string |
FileMD5
|
The MD5 of the source file
|
-
|
|||||||
|
srcFileHashSha1
|
string |
FileSHA1
|
The SHA-1 of the source file
|
-
|
|||||||
|
srcFileHashSha256
|
string |
FileSHA2
|
The secure hash algorithm 256 bit (SHA-256) of the source file
|
-
|
|||||||
|
srcFilePath
|
string |
FileFullPath
|
The source file path
|
C:\\temp\\a.exe |
|||||||
|
srcGroup
|
string |
-
|
The group named defined by the source administrator
|
|
|
||||||
|
srcLocation
|
string |
-
|
The source country
|
Japan |
Palo Alto Networks Next-Generation Firewalls
|
||||||
|
srcSubscriberDirNum
|
string |
-
|
The source mobile station international subscriber directory number (MSISDN)
|
8618687654321 |
Trend Micro Mobile Network Security
|
||||||
|
srcSubscriberId
|
string |
-
|
The source international mobile subscriber identity (IMSI)
|
466686007810478 |
Trend Micro Mobile Network Security
|
||||||
|
srcType
|
string |
-
|
The source device type
|
Desktop/Laptop |
Trend Micro Mobile Network Security
|
||||||
|
srcZone
|
string |
-
|
The network zone defined by the source administrator
|
|
|
||||||
|
sslCertCommonName
|
string |
|
The subject common name
|
settings-win.data.microsoft.com |
Trend Micro
Deep Discovery Inspector
|
||||||
|
sslCertIssuerCommonName
|
string |
-
|
The issuer common name
|
Microsoft Azure TLS Issuing CA 05 |
Trend Micro
Deep Discovery Inspector
|
||||||
|
sslCertIssuerOrgName
|
string |
-
|
The issuer organization name
|
Microsoft Corporation |
Trend Micro
Deep Discovery Inspector
|
||||||
|
sslCertOrgName
|
string |
-
|
The subject organization name
|
Microsoft |
Trend Micro
Deep Discovery Inspector
|
||||||
|
subRuleId
|
string |
-
|
The sub-rule ID
|
|
|
||||||
|
subRuleName
|
string |
-
|
The sub-rule name
|
|
|
||||||
|
suid
|
string |
UserAccount
|
The user name or mailbox
|
|
|
||||||
|
suser
|
string[] |
EmailSender
|
The email sender
|
|
|
||||||
|
suspiciousObject
|
string |
-
|
The matched suspicious object
|
36ba9de3da9e6f8abfffdda7787ab0ecc16724bb |
Endpoint Sensor
|
||||||
|
suspiciousObjectType
|
string |
-
|
The matched suspicious object type
|
sha1 |
Endpoint Sensor
|
||||||
|
tacticId
|
string[] |
Tactic
|
The list of MITRE tactic IDs
|
|
|
||||||
|
tags
|
string[] |
|
The detected technique ID based on the alert filter
|
|
|
||||||
|
target
|
string |
-
|
The target object for the behavior
|
|
|
||||||
|
targetShare
|
string |
FileFullPath
|
The subject state or province for hypertext transfer protocol secure (HTTPS) or the
shared folder for server message block (SMB)
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
targetType
|
string |
-
|
The target object type
|
|
|
||||||
|
techniqueId
|
string[] |
Technique
|
The technique ID detected by the product agent based on a detection rule
|
-
|
TXOne Stellar (on-premises)
|
||||||
|
threatName
|
string |
-
|
The threat name
|
|
|
||||||
|
threatNames
|
string[] |
-
|
The associated threats
|
|
Trend Micro
Deep Discovery Inspector
|
||||||
|
threatType
|
string |
-
|
The log threat type
|
|
|
||||||
|
trigger
|
string |
-
|
The action trigger
|
ATSE |
|
||||||
|
urlCat
|
string[] |
-
|
The requested universal resource locator (URL) category
|
|
|
||||||
|
userDepartment
|
string |
-
|
The user department
|
|
|
||||||
|
userDomain
|
string |
|
The user domain
|
|
|
||||||
|
userDomains
|
string[] |
-
|
The telemetry events that match the Security Analytics Engine filter, and userDomains
stores the userDomains value of the original events
|
CORP |
Security Analytics Engine
|
||||||
|
uuid
|
string |
-
|
The unique key of the log
|
|
Security Analytics Engine
|
||||||
|
uuids
|
string[] |
-
|
The universally unique identifiers (UUIDs) of detection records
|
- |
Data Detection and Response
|
||||||
|
vendor
|
string |
-
|
The device vendor
|
adata |
Trend MicroApex One
|
||||||
|
vpcId
|
string |
-
|
The virtual private cloud that contains the cloud asset
|
vpc-01234567890abcdef |
|
||||||
|
vsysName
|
string |
-
|
The Palo Alto Networks virtual system of the session
|
vsys1 |
Palo Alto Networks Next-Generation Firewalls
|
||||||
|
wasEntity
|
string |
-
|
The entity before change/modification
|
|
|
||||||
|
winEventId
|
int32 |
-
|
The Windows Event ID
|
|
|
Views: