Important: This data source query method is no longer available after February 2, 2026. For more information on the currently available data sources for use in XDR Data Explorer queries, go to https://trendmicro.github.io/tm-v1-schema/pages/index.
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| accessPermission | | - | The access permission type | | |
| act | | - | The actions taken to mitigate the event | | |
| actResult | | - | The result of an action | | |
| aggregateFunction | | - | The metric aggregator | | |
| aggregateUnit | | - | The metric unit | | |
| aggregatedCount | | - | The number of aggregated events | | |
| appDexSha256 | | | The app dex encoded using SHA-256 | | |
| appGroup | | - | The app category of the event | | |
| appIsSystem | | - | Whether the app is a system app | | |
| appLabel | | - | The app name | | |
| appPkgName | | - | The app package name | | |
| appPublicKeySha1 | | | The app public key (SHA-1) | | |
| appSize | | - | The app size (in bytes) | | |
| appVerCode | | - | The app version code | | |
| application | | - | The name of the requested application | | |
| aptCampaigns | | - | The related APT campaigns | | |
| aptRelated | | - | Whether the event is related to an APT | | |
| attachment | | - | The information about the email attachment | | |
| attachmentFileHash | | | The SHA-1 of the email attachment | | |
| attachmentFileHashMd5 | | | The MD5 of the attached file (attachmentFileName) | | |
| attachmentFileHashSha1 | | | The SHA-1 of the attached file (attachmentFileName) | | |
| attachmentFileHashSha256 | | | The SHA-256 of the attached file (attachmentFileName) | | |
| attachmentFileHashes | | - | The SHA-1 of the email attachment | | |
| attachmentFileHashs | | - | The SHA-1 hash value of the attachment file | | |
| attachmentFileName | | | The file name of an attachment | | |
| attachmentFileSize | | - | The file size of the email attachment | | |
| attachmentFileSizes | | - | The file size of email attachments | | |
| attachmentFileTlshes | | - | The TLSH of the email attachment | | |
| attachmentFileTlshs | | - | The TLSH hash value of the attachment file | | |
| attachmentFileType | | - | The file type of the email attachment | | |
| authType | | - | The authorization type | | |
| azId | | - | The virtual machine Availability Zone ID | | |
| behaviorCat | | - | The matched policy category | | |
| blocking | | - | The blocking type | | |
| bmGroup | | - | The one-to-many data structure | | |
| botCmd | | | The bot command | | |
| botUrl | | | The bot URL | | |
| category | | - | The event category | | |
| cccaDestination | | | The destination domain, IP, URL, or recipient | | |
| cccaDestinationFormat | | - | The C&C server access format | | |
| cccaDetection | | - | Whether this log is identified as a C&C callback address detection | | |
| cccaDetectionSource | | - | The list which defines this CCCA detection rule | | |
| cccaRiskLevel | | - | The severity level of the threat actors associated with the C&C servers | | |
| censusMaturityValue | | - | The CENSUS maturity value | | |
| censusPrevalenceValue | | - | The CENSUS prevalence value | | |
| channel | | - | The channel through which the demanded Windows Event is delivered | | |
| clientFlag | | - | Whether the client is a source or destination | | |
| clientIp | | - | The IP addresses of the source | | |
| clientStatus | | - | The client status when the event occurred | | |
| cloudAccountId | | - | The AWS cloud account ID, Google Cloud product ID, or Azure subscription ID | | |
| cloudAppCat | | - | The category of the event in Cloud Reputation Service | | |
| cloudAppName | | - | The cloud app name | | |
| cloudMachineImageId | | - | The cloud machine image ID | | |
| cloudMachineImageName | | - | The cloud machine image name | | |
| cloudProvider | | - | The service provider of the cloud asset | | |
| cloudResourceDigest | | - | The cloud resource digest | | |
| cloudResourceId | | - | The cloud resource ID | | |
| cloudResourceTags | | - | The cloud resource tags | | |
| cloudResourceType | | - | The cloud resource type | | |
| cloudResourceVersion | | - | The cloud resource version | | |
| cloudStorageName | | - | The cloud storage name | | |
| clusterId | | - | The cluster ID of the container | | |
| clusterName | | - | The cluster name of the container | | |
| cnt | | - | The total number of logs | | |
| compressedFileHash | | | The SHA-1 of the decompressed archive | | |
| compressedFileHashSha256 | | | The SHA-256 of the compressed suspicious file | | |
| compressedFileName | | | The file name of the compressed file | | |
| compressedFileSize | | - | The file size of the decompressed archive file | | |
| compressedFileType | | - | The file type of the decompressed archive file | | |
| computerDomain | | - | The computer domain | | |
| containerId | | - | The Kubernetes container ID | | |
| containerImage | | - | The Kubernetes container image | | |
| containerImageDigest | | - | The Kubernetes container image digest | | |
| containerName | | - | The Kubernetes container name | | |
| correlatedIntelligence | | - | The Correlated Intelligence detection | {"risk_type": "Anomaly","matched_rules": [{"threat_type": "Possibly Unwanted Email","matched_filters": [{"id":"FIL013", "name": "Marketing Email Traits"},{"id":"FIL098", "name": "Infrequent Sender Email Domain"}],"name": "Possibly Unwanted Marketing Email","id": "AN004"}]} | |
| correlationCat | | - | The correlation category | | |
| customAssetTags | | - | The list of custom asset tags | | |
| customTags | | - | The event tags | | |
| cve | | - | The CVE identifier | | |
| cves | | - | The CVEs associated with this filter | | |
| dOSClass | | - | The destination device OS class | | |
| dOSName | | - | The destination host OS | | |
| dOSVendor | | - | The destination device OS vendor | | |
| dUser1 | | | The latest sign-in user of the destination | | |
| dacDeviceType | | - | The device type | | |
| data0 | | - | The value of the Deep Discovery Inspector correlation log | | |
| data0Name | | - | The name of the Deep Discovery Inspector correlation log | | |
| data1 | | - | The Deep Discovery Inspector correlation log metadata | | |
| data1Name | | - | The name of the Deep Discovery Inspector correlation log | | |
| data2 | | - | The value of the Deep Discovery Inspector correlation log | | |
| data2Name | | - | The name of the Deep Discovery Inspector correlation log | | |
| data3 | | - | The value of the Deep Discovery Inspector correlation log | | |
| data4 | | - | The value of the Deep Discovery Inspector correlation log | | |
| dceArtifactActions | | - | The actions performed on Damage Cleanup Engine artifacts | | |
| dceHash1 | | - | Whether the Trend Micro Threat Mitigation Server requires the log | | |
| dceHash2 | | - | Whether the Trend Micro Threat Mitigation Server requires the log | | |
| denyListFileHash | | | The SHA-1 of the Virtual Analyzer Suspicious Object | | |
| denyListFileHashSha256 | | - | The SHA-256 of User-Defined Suspicious Object | | |
| denyListHost | | | The domain of the Virtual Analyzer Suspicious Object | | |
| denyListIp | | | The IP of the Virtual Analyzer Suspicious Object | | |
| denyListRequest | | - | The block list event request | | |
| denyListType | | - | The block list type | | |
| destinationPath | | - | The intended destination of the file containing the digital asset or channel | | |
| detectedActions | | - | The actions performed on detected artifacts | | |
| detectedBackupArtifacts | | - | The information about detected artifacts | | |
| detectedBackupArtifactsStatus | | - | The backup status of detected artifacts | | |
| detectedBackupFolder | | - | The folder path for detected backup folders | | |
| detectedPattern | | - | The detected pattern | | |
| detectionAggregationId | | - | The correlation key for detection logs and artifacts | | |
| detectionAggregationIds | | - | The list of detection aggregation IDs | | |
| detectionDetail | | - | The details about each event type | | |
| detectionEngineVersion | | - | The detection engine version | | |
| detectionFileList | | - | The information about the related files | | |
| detectionMeta | | - | The descriptions of the detected techniques | | |
| detectionName | | - | The general name for the detection | | |
| detectionNames | | - | The rules that triggered the event | | |
| detectionType | | - | The detection type | | |
| deviceDirection | | - | The device direction | | |
| deviceGUID | | - | The GUID of the agent which reported the detection | | |
| deviceMacAddress | | - | The device MAC address | | |
| deviceModel | | - | The device model number | | |
| devicePayloadId | | - | The device payload ID | | |
| deviceSerial | | - | The device serial ID | | |
| dhost | | | The destination hostname | | |
| direction | | - | The direction | | |
| diskPartitionId | | - | The cloud volume partition ID | | |
| dmac | | - | The MAC address of the destination IP (dest_ip) | | |
| domainName | | | The detected domain name | | |
| dpt | | | The destination port | | |
| dst | | | The destination IP | | |
| dstEquipmentId | | - | The destination IMEI | | |
| dstFamily | | - | The destination device family | | |
| dstGroup | | - | The group name defined by the administrator of the destination | | |
| dstLocation | | - | The destination country | | |
| dstSubscriberDirNum | | - | The destination MSISDN | | |
| dstSubscriberId | | - | The destination IMSI | | |
| dstType | | - | The destination device type | | |
| dstZone | | - | The network zone defined by the destination administrator | | |
| duration | | - | The detection interval (in milliseconds) | | |
| duser | | | The email recipient | | |
| dvc | | - | The Deep Discovery Inspector appliance IP | | |
| dvchost | | - | The computer which installed the Trend Micro product | | |
| endTime | | - | The time when the last event was received (in Unix milliseconds) | | |
| endpointGUID | | | The GUID of the agent which reported the detection | | |
| endpointHostName | | | The endpoint hostname or node where the event was detected | | |
| endpointIp | | | The IP address of the endpoint on which the event was detected | | |
| endpointMacAddress | | - | The endpoint MAC address | | |
| endpointModel | | - | The mobile device model | | |
| engType | | - | The engine type | | |
| engVer | | - | The engine version | | |
| engineOperation | | - | The operation of the engine event | | |
| eventClass | | - | The event category | | |
| eventId | | - | The event ID from the logs of each product | | |
| eventName | | - | The event type | | |
| eventSubClass | | - | The event sub-class | | |
| eventSubId | | - | The access type | | |
| eventSubName | | - | The event type sub-name | | |
| extraInfo | | - | The network application name | | |
| fileCreation | | - | The file creation date | | |
| fileDesc | | - | The file description | | |
| fileExt | | - | The file extension of the suspicious file | | |
| fileHash | | | The SHA-1 of the file that triggered the rule or policy | | |
| fileHashMd5 | | | The MD5 of the file | | |
| fileHashSha256 | | | The SHA-256 of the file (fileName) | | |
| fileName | | | The file name | | |
| fileOperation | | - | The operation of the file | | |
| filePath | | | The file path without the file name | | |
| filePathName | | | The file path with the file name | | |
| fileSize | | - | The file size of the suspicious file | | |
| fileSystemUuid | | - | The file system UUID | | |
| fileType | | - | The file type of the suspicious file | | |
| fileVer | | - | The file version | | |
| filterName | | - | The filter name | | |
| filterRiskLevel | | - | The top level filter risk of the event | | |
| filterType | | - | The filter type | | |
| firmalware | | - | The Deep Discovery Inspector firmware version | | |
| firstAct | | - | The first scan action | | |
| firstActResult | | - | The first scan action result | | |
| firstSeen | | - | The first time the XDR log appeared | | |
| flowId | | - | The connection ID | | |
| forensicFileHash | | - | The hash value of the forensic data file | | |
| forensicFilePath | | - | The file path of the forensic file | | |
| ftpUser | | - | The FTP sign-in user name | | |
| fullPath | | | The combination of the file path and the file name | | |
| groupId | | - | The group ID for the management scope filter | | |
| groups | | - | The OSSEC rule group names | | |
| hasdtasres | | - | Whether the log contains a report from Virtual Analyzer | | |
| highlightMailMsgSubject | | - | The email subject | | |
| highlightedFileHashes | | | The SHA-1 hashes of the highlighted file | | |
| highlightedFileName | | - | The file names of suspicious attachments | | |
| hostName | | | The computer name of the client host (the hostname from the suspicious URL detected by Deep Discovery Inspector) | | |
| hostSeverity | | - | The severity of the threat (specific to the interestedIp) | | |
| hotFix | | - | The applied Deep Discovery Inspector hotfix version | | |
| httpReferer | | | The HTTP referer | | |
| icmpCode | | - | The ICMP protocol code field | | |
| icmpType | | - | The ICMP protocol type | | |
| instanceId | | - | The ID of the instance that indicates the meta-cloud or data center VM | | |
| instanceName | | - | The name of the instance that indicates the meta-cloud or data center VM | | |
| integrityLevel | | - | The integrity level of a process | | |
| interestedGroup | | - | The network group associated with the user-defined source IP or destination IP | | |
| interestedHost | | | The endpoint hostname | | |
| interestedIp | | | The IP of the interestedHost | | |
| interestedMacAddress | | - | The log owner MAC address | | |
| ircChannelName | | - | The IRC channel name | | |
| ircUserName | | - | The IRC user name | | |
| isEntity | | - | The current entity (or after change/modification) | | |
| isHidden | | - | Whether the detection log generated a grey rule match | | |
| isPrivateApp | | - | Whether the requested application is private | | |
| isProxy | | - | Whether something is a proxy | | |
| isRetroScan | | - | Whether the event matches the Security Analytics Engine filter | | |
| ja3Hash | | - | The fingerprint of an SSL/TLS client application as detected via a network sensor or device | | |
| ja3sHash | | - | The fingerprint of an SSL/TLS server application as detected via a network sensor or device | | |
| k8sNamespace | | - | The Kubernetes namespace of the container | | |
| k8sPodId | | - | The Kubernetes pod ID of the container | | |
| k8sPodName | | - | The Kubernetes pod name of the container | | |
| lastSeen | | - | The last time the XDR log appeared | | |
| lineageId | | - | The lineage ID | | |
| logKey | | - | The unique key of the event | | |
| logReceivedTime | | - | The time when the XDR log was received | | |
| logonUsers | | - | The telemetry events that match the Security Analytics Engine filter, and logonUsers stores the logonUsers value of the original events | | |
| mDevice | | - | The source IP | | |
| mDeviceGUID | | - | The GUID of the agent host | | |
| mailDeliveryTime | | - | The mail delivery time | | |
| mailFolder | | - | The email folder name | | |
| mailMsgId | | - | The internet message ID of the email | | |
| mailMsgSubject | | | The email subject | | |
| mailReceivedTime | | - | The mail received timestamp | - | |
| mailSmtpFromAddresses | | - | The envelope address of the sender | | |
| mailSmtpHelo | | - | The domain name of the email server by using the SMTP HELO command | | |
| mailSmtpOriginalRecipients | | - | The envelope addresses of the original recipients | | |
| mailSmtpRecipients | | - | The envelope addresses of the current recipients | | |
| mailSmtpTls | | - | The SMTP TLS version | | |
| mailUniqueId | | - | The unique ID of the email | | |
| mailbox | | - | The mailbox that is protected by Trend Micro | | |
| majorVirusType | | - | The virus type | | |
| malDst | | - | The malware infection destination | | |
| malFamily | | - | The threat family | | |
| malName | | - | The name of the detected malware | | |
| malSrc | | | The malware infection source | | |
| malSubType | | - | The virus sub-type | | |
| malType | | - | The risk type for Network Content Correlation Engine rules | | |
| malTypeGroup | | - | The risk type group for Network Content Correlation Engine rules | | |
| matchedContent | | - | The one-to-many data structure | | |
| matchedPolicies | | - | The matched policies of detection records | | |
| mimeType | | - | The MIME type or content type of the response body | | |
| minorVirusType | | - | The minor virus type | | |
| mitigationTaskId | | - | The unique ID to identify the mitigation request | | |
| mitreMapping | | - | The MITRE tags | | |
| mitreVersion | | - | The MITRE version | | |
| moduleScanType | | - | The module scan type | | |
| mpname | | - | The management product name | | |
| mpver | | - | The product version | | |
| msgAct | | - | The message action | | |
| msgId | | | The internet message ID | | |
| msgTOCUuid | | - | The email unique ID | | |
| msgUuid | | - | The unique email ID | | |
| msgUuidChain | | - | The message UUID chain | | |
| netBiosDomainName | | | The NetBIOS domain name | | |
| objectActions | | - | The object process actions | | |
| objectApiName | | - | The API name | | |
| objectArtifactIds | | - | The artifact IDs generated by objectAction | | |
| objectAttributes | | - | The object attributes | | |
| objectCmd | | | The object process command line | | |
| objectEntityName | | - | The object entity name | | |
| objectFileAccess | | - | The object file access details | | |
| objectFileCreation | | - | The UTC time that the object was created | | |
| objectFileHashMd5 | | | The MD5 of the object | | |
| objectFileHashSha1 | | | The SHA-1 of the objectFilePath object | | |
| objectFileHashSha256 | | | The SHA-256 of the object (objectFilePath) | | |
| objectFileModified | | - | The UTC time that the object was modified | | |
| objectFileName | | | The object file name | | |
| objectFilePath | | | The file path of the target process image or target file | | |
| objectFileSize | | - | The object file size | | |
| objectFirstRecorded | | - | The first time that the object appeared | - | |
| objectId | | - | The UUID of the object | | |
| objectIp | | | The IP address of the domain | | |
| objectName | | - | The base name of the object file or process | | |
| objectPayloadFileHashSha1 | | | The SHA-1 of the object payload file | - | |
| objectPipeName | | - | The object pipe name | | |
| objectRegistryData | | | The registry data contents | | |
| objectRegistryKeyHandle | | | The registry key path | | |
| objectRegistryRoot | | - | The name of the object registry root key | | |
| objectRegistryValue | | | The registry value name | | |
| objectSigner | | - | The list of object process signers | | |
| objectSignerFlagsAdhoc | | - | The list of object process signature adhoc flags | - | |
| objectSignerFlagsLibValid | | - | The list of object process signature library validation flags | - | |
| objectSignerFlagsRuntime | | - | The list of object process signature runtime flags | - | |
| objectSignerValid | | - | Whether each signer of the object process is valid | - | |
| objectSubType | | - | The sub-types of the policy event | | |
| objectTargetProcess | | - | The file path of the target process that the API performs | | |
| objectType | | - | The object type | | |
| objectUser | | | The owner name of the target process or the sign-in user name | | |
| objectUserDomain | | - | The owner domain of the target process | | |
| oldFileHash | | | The SHA-1 of the target process image or target file (wasEntity from an IM event) | | |
| online | | - | Whether the endpoint is online | | |
| orgId | | - | The organization ID | | |
| originEventSourceType | | - | The event source type of the original events which matches the Security Analytics Engine filter | | |
| originUUID | | - | The UUID of the original events which matches the Security Analytics Engine filter | | |
| originalFileHashes | | | The hashes of the original file | | |
| originalFilePaths | | | The paths of the original file | | |
| osName | | - | The host OS name | | |
| osVer | | - | The OS version | | |
| out | | - | The IP datagram length (in bytes) | | |
| overSsl | | - | Whether the event was triggered by an SSL decryption stream | | |
| pAttackPhase | | - | The category of the primary Attack Phase | | |
| pComp | | - | The component that made the detection | | |
| pTags | | - | The event tagging system | | |
| parentCmd | | | The command line of the subject parent process | | |
| parentFileHashMd5 | | | The MD5 of the subject parent process | | |
| parentFileHashSha1 | | | The SHA-1 of the subject parent process | | |
| parentFileHashSha256 | | | The SHA-256 of the subject parent process | | |
| parentFilePath | | | The full file path of the parent process | | |
| parentHashId | | - | The FNV of the parent process | | |
| parentIntegrityLevel | | - | The integrity level of a parent | | |
| parentName | | - | The image name of the parent process | | |
| parentPayloadSigner | | - | The signer name list of the parent process payload | | |
| parentPayloadSignerFlagsAdhoc | | - | The list of parent process payload signature adhoc flags | - | |
| parentPayloadSignerFlagsLibValid | | - | The list of parent process payload signature library validation flags | - | |
| parentPayloadSignerFlagsRuntime | | - | The list of parent process payload signature runtime flags | - | |
| parentPayloadSignerValid | | - | Whether each signer of the parent process payload is valid | - | |
| parentPid | | - | The PID of the parent process | - | |
| parentSigner | | - | The signers of the parent process | | |
| parentSignerFlagsAdhoc | | - | The list of parent process signature adhoc flags | - | |
| parentSignerFlagsLibValid | | - | The list of parent process signature library validation flags | - | |
| parentSignerFlagsRuntime | | - | The list of parent process signature runtime flags | - | |
| parentSignerValid | | - | Whether each signer of the parent process is valid | - | |
| parentUser | | - | The account name of the parent process | | |
| parentUserDomain | | - | The domain name of the parent process | | |
| patType | | - | The pattern type | | |
| patVer | | - | The version of the behavior pattern | | |
| pcapUUID | | - | The PCAP file UUID | | |
| peerEndpointGUID | | - | The endpoint GUID of the agent peer host | | |
| peerGroup | | - | The peer IP group | | |
| peerHost | | | The hostname of peerIp | | |
| peerIp | | | The IP of peerHost | | |
| platformAssetTags | | - | The list of platform custom asset tags | | |
| pname | | - | The internal product ID | | |
| policyId | | - | The policy ID of which the event was detected | | |
| policyName | | - | The name of the triggered policy | | |
| policyTemplate | | - | The one-to-many data structure | | |
| policyTreePath | | - | The policy tree path | | |
| policyUuid | | - | The UUID of the cloud access or risk control policy, or the hard-coded string that indicates the rule of the global blocked/approved URL list | | |
| potentialRisk | | - | Whether something is a potential risk | | |
| principalName | | - | The user principal name used to sign in to the proxy | | |
| processActions | | - | The process actions | | |
| processArtifactIds | | - | The artifact IDs generated by processAction | | |
| processCmd | | | The subject process command line | | |
| processFileCreation | | - | The Unix time of object creation | | |
| processFileHashMd5 | | | The MD5 of the subject process | | |
| processFileHashSha1 | | | The SHA-1 of the subject process | | |
| processFileHashSha256 | | | The SHA-256 of the subject process | | |
| processFilePath | | | The file path of the subject process | | |
| processHashId | | - | The FNV of the subject process | | |
| processImageFileNames | | - | The process image file names of detected backup artifacts | | |
| processImagePath | | - | The process triggered by the file event | | |
| processLaunchTime | | - | The time the subject process was launched | | |
| processName | | | The image name of the process that triggered the event | | |
| processPayloadSigner | | - | The signer name list of the process payload | | |
| processPayloadSignerFlagsAdhoc | | - | The list of process payload signature adhoc flags | - | |
| processPayloadSignerFlagsLibValid | | - | The list of process payload signature library validation flags | - | |
| processPayloadSignerFlagsRuntime | | - | The list of process payload signature runtime flags | - | |
| processPayloadSignerValid | | - | Whether each signer of the process payload is valid | - | |
| processPid | | - | The PID of the subject process | - | |
| processPkgName | | - | The process package name | | |
| processSigner | | - | The signer name list of the subject process | | |
| processSignerFlagsAdhoc | | - | The list of process signature adhoc flags | - | |
| processSignerFlagsLibValid | | - | The list of process signature library validation flags | - | |
| processSignerFlagsRuntime | | - | The list of process signature runtime flags | - | |
| processUser | | | The user name of the process or the file creator | | |
| processUserDomain | | - | The owner domain of the subject process image | | |
| processUserGroupId | | - | The process user group ID or file creator | | |
| processUserGroupName | | - | The process user group name or file creator | | |
| processUserId | | - | The process user ID or file creator | | |
| productCode | | - | The internal product code | | |
| profile | | - | The name of the triggered Threat Protection template or Data Loss Prevention profile | | |
| proto | | - | The exploited layer network protocol | | |
| protoFlag | | - | The data flags | | |
| pver | | - | The product version | | |
| quarantineFileId | | - | The unique identifier of the quarantined object | | |
| quarantineFileName | | - | The file path of the quarantined object | | |
| quarantineFilePath | | | The file path of the quarantined object | | |
| quarantineFileSha256 | | | The SHA-256 of the quarantined object | | |
| quarantineType | | - | The descriptive name for the quarantine area | | |
| rating | | - | The credibility level | | |
| rawDstIp | | | The destination IP without replacement | | |
| rawDstPort | | | The destination port without replacement | | |
| rawSrcIp | | | The source IP without replacement | | |
| rawSrcPort | | | The source port without replacement | | |
| regionCode | | - | The cloud provider region code | | |
| regionId | | - | The cloud asset region | | |
| remarks | | - | The additional information | | |
| reportGUID | | - | The GUID for Workbench to request report page data | | |
| request | | | The notable URLs | | |
| requestBase | | | The domain of the request URL | | |
| requestClientApplication | | - | The protocol user agent information | | |
| requestMethod | | - | The network protocol request method | | |
| respCode | | - | The network protocol response code | | |
| rewrittenUrl | | - | The rewritten URL | | |
| riskConfidenceLevel | | - | The risk confidence level | | |
| riskLevel | | - | The risk level | | |
| rozRating | | - | The overall Virtual Analyzer rating | | |
| rtDate | | - | The date of the log generation | | |
| rtWeekDay | | - | The weekday of the log generation | | |
| ruleId | | - | The rule ID | | |
| ruleId64 | | - | The IPS rule ID | | |
| ruleIdStr | | - | The rule ID | | |
| ruleName | | - | The name of the rule that triggered the event | | |
| ruleSetId | | - | The rule set ID | | |
| ruleSetName | | - | The rule set name | | |
| ruleType | | - | The access rule type | | |
| ruleUuid | | - | The signature UUID from Digital Vaccine | | |
| ruleVer | | - | The rule version | | |
| sAttackPhase | | - | The category of the second Attack Phase | | |
| sOSClass | | - | The source device OS class | | |
| sOSName | | - | The source OS | | |
| sOSVendor | | - | The source device OS vendor | | |
| sUser1 | | | The latest sign-in user of the source | | |
| scanTs | | - | The mail scan time | - | |
| scanType | | - | The scan type | | |
| schemaVersion | | - | The schema version | | |
| secondAct | | - | The second scan action | | |
| secondActResult | | - | The result of the second scan action | | |
| sender | | - | The roaming users or the gateway where the web traffic passed | | |
| senderGUID | | - | The sender GUID | | |
| senderIp | | - | The sender IP | | |
| sessionEnd | | - | The session end time (in seconds) | | |
| sessionStart | | - | The session start time (in seconds) | | |
| severity | | - | The severity of the event | | |
| shost | | | The source hostname | | |
| signInCountries | | - | The countries from which a user signed in | | |
| signer | | - | The signer of the file | | |
| smac | | - | The source MAC address | | |
| smbSharedName | | - | The shared folder name for the server that contains the files to be opened | | |
| sourceType | | - | The source type | | |
| sproc | | - | The OSSEC program name | | |
| spt | | | The source port | | |
| src | | | The source IP | | |
| srcEquipmentId | | - | The source IMEI | | |
| srcFamily | | - | The source device family | | |
| srcFileHashMd5 | | | The MD5 of the source file | - | |
| srcFileHashSha1 | | | The SHA-1 of the source file | - | |
| srcFileHashSha256 | | | The SHA-256 of the source file | - | |
| srcFilePath | | | The source file path | | |
| srcGroup | | - | The group name defined by the source administrator | | |
| srcLocation | | - | The source country | | |
| srcSubscriberDirNum | | - | The source MSISDN | | |
| srcSubscriberId | | - | The source IMSI | | |
| srcType | | - | The source device type | | |
| srcZone | | - | The network zone defined by the source administrator | | |
| sslCertCommonName | | | The subject common name | | |
| sslCertIssuerCommonName | | - | The issuer common name | | |
| sslCertIssuerOrgName | | - | The issuer organization name | | |
| sslCertOrgName | | - | The subject organization name | | |
| startTime | | - | The time when the first event was received (in Unix milliseconds) | | |
| subRuleId | | - | The sub-rule ID | | |
| subRuleName | | - | The sub-rule name | | |
| suid | | | The user name or mailbox | | |
| suser | | | The email sender | | |
| suspiciousObject | | - | The matched suspicious object | | |
| suspiciousObjectType | | - | The matched suspicious object type | | |
| tacticId | | | The list of MITRE tactic IDs | | |
| tags | | | The detected technique ID based on the alert filter | | |
| target | | - | The target object for the behavior | | |
| targetShare | | | The subject state or province name (for HTTPS) or the shared folder (for SMB) | | |
| targetType | | - | The target object type | | |
| techniqueId | | | The technique ID detected by the product agent based on a detection rule | - | |
| threatName | | - | The threat name | | |
| threatNames | | - | The associated threats | | |
| threatType | | - | The log threat type | | |
| trigger | | - | The action trigger | | |
| triggerInfo | | - | The trigger information | | |
| triggerReason | | - | The cause of the triggered action | | |
| urlCat | | - | The requested URL category | | |
| userDepartment | | - | The user department | | |
| userDomain | | | The user domain | | |
| userDomains | | - | The telemetry events that match the Security Analytics Engine filter, and userDomains stores the userDomains value of the original events | | |
| uuid | | - | The unique key of the log | | |
| uuids | | - | The UUIDs of detection records | | |
| vendor | | - | The device vendor | | |
| vpcId | | - | The virtual private cloud that contains the cloud asset | | |
| wasEntity | | - | The entity before change/modification | | |
| winEventId | | - | The Windows Event ID | | |
