Important: This data source query method is no longer available after February 2, 2026. For more
information on the currently available data sources for use in XDR Data Explorer queries,
go to https://trendmicro.github.io/tm-v1-schema/pages/index.
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| actResult | | - | The action result | | |
| actionName | | - | The user or service action | | |
| applicationId | | - | The application ID | | |
| attachmentFileHashSha256s | | | The SHA-256 hash of the email attachment | | |
| attachmentFileHashes | | | The SHA-1 hash of the email attachment | | |
| attachmentFileName | | | The file name of the email attachment | | |
| attachmentFileTlshes | | - | The TLSH hash detected by Trend Micro Anti-Spam Engine | - | |
| attachmentMd5 | | | The MD5 hash of the email attachment | | |
| attachmentSha1 | | | The SHA-1 hash of the email attachment | | |
| attachmentSha256 | | | The SHA-256 hash of the email attachment | | |
| attachmentSize | | - | The attachment file size | - | |
| attachmentSource | | - | The attachment source | | |
| attachmentTlsh | | - | The TLSH hash detected by Trend Micro Anti-Spam Engine | | |
| attachmentUrls | | - | The URLs and URL sources extracted from the email attachment | - | |
| clientIp | | | The client IP | | |
| cloudStorageId | | - | The file or folder location ID | | |
| cloudStorageName | | - | The file or folder URL | | |
| correlationId | | - | The correlation ID | | |
| eventId | | - | The event ID | | |
| eventName | | - | The event type | | |
| eventSubName | | - | The event type sub-name | | |
| eventTime | | - | The time the agent detected the event | | |
| extraInfo | | - | The additional information about the sharing action | | |
| fileExt | | - | The file extension (If the object is a folder, there is no value for this field.) | | |
| fileName | | | The file or folder name | | |
| filterRiskLevel | | - | The top-level risk level of the event | | |
| groupId | | - | The group ID for the management scope filter | | |
| isExternalAccess | | - | Whether the cmdlet was run by an external user (True=external user, False=internal user in your organization) | | |
| isSensitiveInfo | | - | Whether the event contains sensitive information | | |
| logReceivedTime | | - | The time when the XDR log was received | | |
| mExternalUid | | - | The unique ID of the email | | |
| mailAttachmentHash | | | The hash value of the email attachment | | |
| mailBccAddresses | | | The BCC address in the email header | | |
| mailCacheId | | - | The internal email cache ID to identify emails in the same group mails | | |
| mailCcAddresses | | | The CC address in the email header | | |
| mailDirection | | - | The email traffic direction | | |
| mailEurekaRuleIds | | - | The list of rule IDs scanned by Eureka and detected by Trend Micro Anti-Spam Engine | | |
| mailFeatureId | | - | The email protocol detected by Trend Micro Anti-Spam Engine | - | |
| mailFolder | | - | The email folder name | | |
| mailFromAddresses | | | The From address in the email header | | |
| mailHeaderHash | | - | The email header hash detected by Trend Micro Anti-Spam Engine | | |
| mailHelo | | - | The HELO command detected by Trend Micro Anti-Spam Engine | | |
| mailMetaText | | - | The postman meta text detected by Trend Micro Anti-Spam Engine | | |
| mailMetaTraceId | | - | The trace ID generated by Trend Micro Feedback Engine | | |
| mailMsgId | | | The email ID | | |
| mailMsgSubject | | | The email subject | | |
| mailReplyToAddresses | | - | The Reply To address detected by Trend Micro Anti-Spam Engine | | |
| mailRuleId | | - | The rule ID of the matched rule detected by Trend Micro Anti-Spam Engine | | |
| mailScore | | - | The score assigned to the email by Trend Micro Anti-Spam Engine | - | |
| mailSenderIp | | - | The email sender IP address | | |
| mailSmtpFromAddresses | | - | The sender email address | | |
| mailSmtpOriginalRecipients | | - | The original email recipients in the SMTP envelope | | |
| mailSmtpRecipients | | - | The email recipients in the SMTP envelope after scanning | | |
| mailSmtpTls | | - | The SMTP TLS version number | | |
| mailSourceDomain | | - | The email domain of the sender | | |
| mailTagHash | | - | The email tag hash detected by Trend Micro Anti-Spam Engine | | |
| mailTagHashRawSignature | | - | The raw signature hash of the email | | |
| mailTextHash | | - | The email text hash detected by Trend Micro Anti-Spam Engine | | |
| mailThreatType | | - | The type of email detected by Trend Micro Anti-Spam Engine | | |
| mailToAddresses | | | The Mail To address in the email header | | |
| mailUrlHash | | - | The email URL hash detected by Trend Micro Anti-Spam Engine | | |
| mailUrlsOriginalLink | | - | The original URL extracted from the email content | | |
| mailUrlsRealLink | | | The URL extracted from the email content | | |
| mailUrlsVisibleLink | | | The URL extracted from the email content | | |
| mailUserAgent | | - | The user agent | | |
| mailWantedHeaderName | | - | The WantedHeader key name detected by Trend Micro Anti-Spam Engine | | |
| mailWantedHeaderValue | | - | The WantedHeader key value detected by Trend Micro Anti-Spam Engine | | |
| mailWholeHeader | | - | The name and email address of the sender in the From header detected by Trend Micro Anti-Spam Engine | | |
| mailXMailer | | - | The X-Mailer header of the email | | |
| mailbox | | - | The primary email address | | |
| msgUuid | | - | The internal email UUID to identify each email message | | |
| msgUuidChain | | - | The internal UUID chain for each email in Trend Micro Feedback Engine | | |
| orgId | | - | The organization ID | | |
| orgName | | - | The tenant name | | |
| originatingServer | | - | The server where the operation originated | | |
| parameters | | - | The names and values of all parameters used in the cmdlet identified in the Operations property | | |
| pname | | - | The internal product code (deprecated) | | |
| policyTreePath | | - | The policy tree path (endpoint only) | | |
| principalName | | | The User Principal Name | | |
| productCode | | - | The product code of the product that sent the log | | |
| recordType | | - | The operation type | | |
| scanTs | | - | The time the email was scanned | | |
| scanType | | - | The manual or real-time scan type | | |
| service | | - | The Microsoft 365 service where the activity occurred | | |
| tags | | - | The detected technique ID based on the alert filter | | |
| target | | - | The object accessed by a user or application | | |
| targetType | | - | The type of object that was accessed or modified | | |
| userAgent | | - | The user agent | | |
| userSessionId | | - | The user session ID | | |
| userType | | - | The user type | | |
| uuid | | - | The unique key of the log entry | | |
