Views:
Field Name
Type
General Field
Description
Example
Products
additionalInfo
  • string
-
The filter rule info
  • Default
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
app
  • string
-
The Layer 7 network protocol being exploited
  • SMB
  • XDR Endpoint Sensor
authId
  • int64
-
The authorization ID
  • 999
  • 996
  • 997
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
azId
  • string
-
The Availability Zone ID of the virtual machine that made the request
  • us-east-1b
  • us-west-2a
  • XDR Endpoint Sensor
channel
  • string
-
The Windows Event channel
  • Security
  • Microsoft-Windows-WMI-Activity/Trace
  • Microsoft-Windows-TaskScheduler/Operational
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
cloudIdentityAccountId
  • string
-
The Cloud Identity account ID used for authorization
  • 111111111111
  • XDR Endpoint Sensor
cloudIdentityId
  • string
-
The Cloud Identity ID used for authorization
  • arn:aws:sts::111111111111:assumed-role/eksctl-aws-test-nodegroup-ng-21d38-NodeInstanceRole-3wPxVEo4zHlK/i-01234567890abcdef
  • XDR Endpoint Sensor
cloudIdentityName
  • string
-
The Cloud Identity name used for authorization
  • AWSsampleToken
  • XDR Endpoint Sensor
cloudProvider
  • string
-
The service provider of the cloud asset
  • aws
  • azure
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
cloudServiceApiName
  • string
-
The cloud service API
  • AssumeRole
  • GetCallerIdentity
  • ListBuckets
  • XDR Endpoint Sensor
cloudServiceName
  • string
-
The cloud service
  • s3.us-east-1.amazonaws.com
  • dynamodb.us-west-2.amazonaws.com
  • XDR Endpoint Sensor
codeIntegrityOptionEnabled
  • bool
-
Whether the system enforced signed kernel loading according to driver signature enforcement
  • 1
  • 0
  • XDR Endpoint Sensor
codeIntegrityOptionTestsign
  • bool
-
Whether the system bypassed driver signature enforcement checks and permitted loading of test-signed drivers
  • 1
  • 0
  • XDR Endpoint Sensor
correlationData
  • object_correlation[]
-
The data for correlation
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
deviceType
  • enum_TELEMETRY_DEVICE_TYPE
-
The disk drive type
  • TELEMETRY_DEVICE_TYPE_UNKNOWN
  • TELEMETRY_DEVICE_TYPE_REMOVABLE
  • XDR Endpoint Sensor
dpt
  • int32
  • Port
The destination port
-
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Data Detection and Response
dst
  • string
  • IPv4
  • IPv6
The destination IP
  • ::
  • 10.10.10.10
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Data Detection and Response
endpointGuid
  • string
  • EndpointID
The host GUID of the endpoint on which the event was detected
  • 11111111-1111-1111-1111-111111111111
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
endpointHostName
  • string
  • EndpointName
The hostname of the endpoint on which the event was detected
  • PHILIPSIBE09
  • WHAM6WK8XG2
  • MacBook-Pro-del-Meno
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
endpointIp
  • string[]
  • IPv4
  • IPv6
The IP address of the endpoint on which the event was detected
  • 10.10.10.10
  • ::1
  • fe80::1
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
endpointMacAddress
  • string[]
-
The host MAC address
  • 0-0-0-0-0-0-0-e0
  • 00:00:00:ff:ff:ff
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataActionName
  • string
-
The action performed
  • Language Components Installer
  • Group Policy Background Processing
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
eventDataAuthenticationPackageName
  • string
-
The authentication package name of the Windows Event data
  • NTLM
  • Negotiate
  • MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataConsumer
  • string
-
The recipient of the reported event
  • HealthDriverEventConsumer="Health Event Consumer"
  • MemoryEventConsumer="Memory Event Consumer"
  • SysEventConsumer="System Event Consumer"
  • XDR Endpoint Sensor
eventDataIpAddress
  • string
-
The IP address of Windows Event 4624 (successful sign-in attempt)
  • -
  • 10.10.10.10
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataJobOwner
  • string
-
The name of the account that initiated the event
  • BEI\holdej
  • NT AUTHORITY\SYSTEM
  • Trend Micro Apex One as a Service
eventDataLogonProcessName
  • string
-
The Windows Event sign-in process name
  • NtLmSsp
  • Advapi
  • Advapi
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataLogonType
  • string
-
The sign-in type of Windows Event 4624 (successful sign-in attempt)
  • 3
  • 5
  • 2
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataOperation
  • string
-
The Windows Event 11
  • Start IWbemServices::ExecQuery - root\ccm : select * from SMS_Authority
  • Start IWbemServices::ExecQuery - root\cimv2 : select * from win32_process
  • Start IWbemServices::ExecQuery - root\ccm : SELECT * FROM SMS_Authority
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataPath
  • string
-
The path of the Windows Event data
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\officesvcmgr.exe
  • taskhostw.exe
  • gpupdate.exe
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataProcessPath
  • string
-
The process path that initiated the event
  • C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
  • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  • C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
  • Trend Micro Apex One as a Service
eventDataProviderName
  • string
-
The name of the Windows Event data provider
  • SmsClientMethodProvider
  • MS_NT_EVENTLOG_PROVIDER
  • RegProv
  • XDR Endpoint Sensor
eventDataProviderPath
  • string
-
The file path of the Windows Event data provider
  • %systemroot%\system32\wbem\ntevt.dll
  • %systemroot%\system32\wbem\stdprov.dll
  • C:\WINDOWS\CCM\smsclient.dll
  • XDR Endpoint Sensor
eventDataScriptBlockText
  • string
-
The Windows Event 4104 (the execution of a remote command using PowerShell)
  • $global:?
  • 0
  • { Set-StrictMode -Version 1; $_.PSMessageDetails }
  • Trend Micro Apex One as a Service
eventDataServiceFileName
  • string
-
The full file path of the service executable file
  • %SystemRoot%\PSEXESVC.exe
  • C:\Windows\System32\svchost.exe -k WinSysRestoreGroup
  • XDR Endpoint Sensor
eventDataServiceName
  • string
-
The service name
  • PSEXESVC
  • WinResSvc
  • XDR Endpoint Sensor
eventDataStatus
  • string
-
The Windows Event data status
  • 0xc000006d
  • -1073741715
  • 0xc000006e
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataSubStatus
  • string
-
The Windows Event data sub-status
  • 0xc0000064
  • 0xc000006a
  • -1073741724
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataTargetUserName
  • string
-
The user name of the Windows Event data target
  • Offer Remote Assistance Helpers
  • Administrators
  • Administradores
  • Trend Micro Apex One as a Service
eventDataTaskName
  • string
-
The task name logged by the Windows Event
  • \Microsoft\Windows\LanguageComponentsInstaller\Installation
  • \Microsoft\Office\Office Serviceability Manager
  • \MicrosoftEdgeUpdateTaskMachineUA
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataUserContext
  • string
-
The user context of the Windows Event data
  • MP\MPBSA179345$
  • MP\MPBSASPU179370$
  • MP\MPBSA4025625$
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventHashId
  • int64
-
The event hash ID
  • -8406473586387535914
  • 138486453338666581
  • -7909265752378976284
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventId
  • enum_TelemetryHeader.TELEMETRY_EVENT_ID
-
The event type
-
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventMessage
  • string
-
The event message
  • [0x13bb4e2a0] activating connection: mach=true listener=false peer=false name=com.apple.airportd
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventSubId
  • enum_TelemetryHeader.TELEMETRY_EVENT_SUB_ID
-
The access type
  • 2 - TELEMETRY_PROCESS_CREATE
  • 101 - TELEMETRY_FILE_CREATE
  • 204 - TELEMETRY_CONNECTION_CONNECT_OUTBOUND
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
eventTime
  • int64
-
The time the agent detected the event
  • 1657781088000
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
filterRiskLevel
  • string
-
The top-level risk level of the event
  • info
  • low
  • medium
  • Security Analytics Engine
groupId
  • string
-
The group ID for the management scope filter
  • 11111111-1111-1111-1111-111111111111
  • Security Analytics Engine
hookId
  • int64
-
The hook ID
  • -1
  • 5
  • 4
  • Trend Micro Apex One as a Service
hostName
  • string
  • DomainName
  • HostDomain
The domain name
  • localhost
  • wpad
  • settings-win.data.microsoft.com
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
httpReferer
  • string
  • URL
The HTTP header referer
  • http://10.10.10.10/
  • http://fake/home/
  • http://fake.com/page/Test.jsp
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
importTable
  • object_ImportTable[]
-
The imported table information
-
  • XDR Endpoint Sensor
importTableFileName
  • string[]
-
The library file name which has imported functions
  • KERNEL32.dll
  • ADVAPI32.dll
  • XDR Endpoint Sensor
importTableFunctionName
  • string[]
-
The imported function file name
  • SwitchToThread/GetSystemInfo
  • OpenProcessToken
  • XDR Endpoint Sensor
instanceAccountId
  • string
-
The cloud account ID of the virtual machine that made the request
  • 111111111111
  • XDR Endpoint Sensor
instanceId
  • string
-
The virtual machine instance ID on the cloud platform
  • i-01234567890abcdef
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
instanceName
  • string
-
The virtual machine that made the request
  • ec2-123-124-0-12.us-west-2.compute.amazonaws.com
  • XDR Endpoint Sensor
integrityLevel
  • int32
-
The integrity level of a process
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
logReceivedTime
  • int64
-
The time when the XDR log was received
  • 1656324260000
  • Security Analytics Engine
logonUser
  • string[]
  • UserAccount
The sign-in user name
  • root
  • SISTEMA
  • oracle
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
messageType
  • string
-
The message type
  • Default
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
metaSrcExtra
  • string
-
The meta for identifying the source of events
  • [{'metaSrcUri': ...]
  • Data Detection and Response
networkInterfaceId
  • string
-
The network interface of the virtual machine that made the request
  • eni-01234567890abcdef
  • XDR Endpoint Sensor
objectApiName
  • string
-
The name of the executed API
  • GetIpNetTable
  • XDR Endpoint Sensor
objectApiRvInNum
  • uint64
-
The API telemetry return value
  • 0
  • XDR Endpoint Sensor
objectAppName
  • string
-
The name of the app involved in the AMSI event
  • Exchange Server 2016
  • PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.19041.1
  • PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.14393.0
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectAuthId
  • int64
-
The object authorization ID
  • 999
  • 996
  • 997
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectBmData
  • string
-
The BM event data
  • {"provider":"ORCA","schema_version":1,"data":[{"str":"Access /proc/<pid>/*"}]}
  • {"provider":"ORCA","schema_version":1,"data":[{"str":"source '/etc/profile.d/lang.sh'"}]}
  • {"provider":"ORCA","schema_version":1,"data":[{"str":"source '/etc/profile.d/bash_completion.sh'"}]}
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
objectCmd
  • string
  • CLICommand
The command line entry of the target process
  • wc -l
  • runc init
  • docker-init --version
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectContentName
  • string
-
The AMSI object content name
  • C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.2\PowerShellGet.psd1
  • c:\synclog\BLAST_SCAN.vbs
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectCurrentFileSize
  • int64
-
The previous size of the modified object file
  • 0
  • 59456
  • 60
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectCurrentPosixPermission
  • string
-
The new POSIX permission file used in file events and CHMOD events
  • 1050180
  • Trend Cloud One - Endpoint & Workload Security
objectFileAttributesHashId
  • int64
-
The hash ID of the file attribute meta information
  • 1626660901647460000
  • -3744588546027070000
  • 8709345175736065000
  • XDR Endpoint Sensor
objectFileCreation
  • int64
-
The time the object file was created
  • 1652131848000
  • 1577865600000
  • 1648279273000
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectFileCurrentOwnerName
  • string
-
The current owner name of the object file
  • NT AUTHORITY\SYSTEM
  • BUILTIN\Administrators
  • BUILTIN\Administradores
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileCurrentOwnerSid
  • string
-
The current security identifier owner of the object file
  • S-1-5-18
  • S-1-5-32-544
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileDaclString
  • string
-
The discretionary access control list of the object file
  • D:(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2)
  • D:(A;OICI;GA;;;SY)(A;OICI;0xa0120000;;;WD)(A;OICI;GA;;;BA)
  • D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileExtendedAttribute
  • string
-
The extended attributes of the file
  • com.apple.quarantine
  • com.apple.metadata:kMDItemWhereFroms
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileGroupName
  • string
-
The object file user group name
  • wheel
  • staff
  • admin
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectFileGroupSid
  • string
-
The security identifier of the object file group
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • S-1-5-21-397955417-626881126-188441444-513
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileHash
  • string
-
The cryptographic hash of the target process image or file, with the specific hash algorithm to be determined
  • 1ca71017d2fa4775253670e1e55e26912bfdc156
  • Data Detection and Response
objectFileHashId
  • int64
-
The object file hash ID
  • 2141057820373638746
  • -6516669617381620295
  • -4912169863817247597
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileHashMd5
  • string
  • FileMD5
The MD5 hash of the target process image or target file
  • 7ac47235c7bb452a03d3afd872f44c9e
  • c9873d83a969645a97f21adc1b164cc5
  • 3b32b378c8b288de6f15e1607a8c2145
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileHashSha1
  • string
  • FileSHA1
The SHA-1 hash of the target process image or target file
  • ded3833f145989fd86c1f4811b61497298ebc7fd
  • c4fa06404142f1994431f9eef3df2cbe0f1998f1
  • 3c01d486ed5aa1ecc2d8f33dc24b0ed59b3e609e
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileHashSha256
  • string
  • FileSHA2
The SHA-256 hash of the target process image or target file
  • 39109eef00821658893b45634fe2f4664f880da9242712df907f1327d4ceefb8
  • 49fa3e206abf6a1f4546417dbe09f3f06b38847866a4a66de75bd90f39cb6c1c
  • 0969321ad5a0923f0f03896ad2c10e49290515c44b721d773942a37f62a24893
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileIsRemoteAccess
  • bool
-
Whether there is remote access to the object file
-
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectFileModifiedTime
  • int64
-
The time the object file was modified
  • 1652131848000
  • 1577865600000
  • 1648279273000
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectFileOriginalName
  • string
  • FileName
The original file name of the object image
  • Taskmgr.exe
  • WINLOGON.EXE
  • svchost.exe
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectFileOwnerName
  • string
-
The object file owner name
  • root
  • NT SERVICE\TrustedInstaller
  • BUILTIN\Administrators
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectFileOwnerSid
  • string
-
The security identifier of the object file owner
  • S-1-5-32-544
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFilePath
  • string
  • FileFullPath
  • FileName
The file path of the target process image or target file
  • /usr/bin/bash
  • /bin/bash
  • /opt/folder1/probes/system/processes/processes
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileRemoteAccess
  • bool
-
The remote access for the object file
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileSaclString
  • string
-
The system access control list of the object file
  • S:NO_ACCESS_CONTROL
  • S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
  • S:(AU;SAFA;0x1f0116;;;WD)
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
objectFileSize
  • int64
-
The file size of the object file
  • 0
  • 59456
  • 60
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Data Detection and Response
objectFirstSeen
  • int64
-
The first time the object was seen
  • 1656458063638
  • 1656260547165
  • 0
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectHostName
  • string
  • DomainName
The server name where the event was detected
  • 10.10.10.10
  • sample.test.org
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
objectIntegrityLevel
  • int32
-
The integrity level of the target process
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectIp
  • string
  • IPv4
  • IPv6
The IP address of the event
  • 10.10.10.10
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
objectIps
  • string[]
  • IPv4
  • IPv6
The IP address list of the event
  • ::1
  • 10.10.10.10
  • ::ffff:10.10.10.10
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectLastSeen
  • int64
-
The last time the object was seen
  • 1656458354730
  • 1656260580722
  • 0
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectLaunchTime
  • int64
-
The object launch time of the Windows Event
  • 1616412892557
  • 1620778597056
  • 1616414113105
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutFailureMessage
  • string
-
The sign-in/sign-out error message
  • Login incorrect
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutFirstSeen
  • int64
-
The first time the object sign-in/sign-out was seen
  • 1713903612
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutHashId
  • int64
-
The FNV of the object sign-in/sign-out meta
  • -8981232070268295000
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutLastSeen
  • int64
-
The last time the object sign-in/sign-out was seen
  • 1713903612
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutMetaType
  • enum_LOGIN_OUT_META_TYPE
-
The sign-in/sign-out meta
  • 1 - LOGIN_OUT_META_TYPE_OPENSSH
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutSessionId
  • uint64
-
The sign-in/sign-out session ID
  • 260
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutSourceAddress
  • string
-
The sign-in/sign-out source IP
  • 10.10.10.10
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutStatus
  • int32
-
The sign-in/sign-out status
  • -1
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectName
  • string
-
The object name
  • /usr/bin/bash
  • /bin/bash
  • /opt/folder1/probes/system/processes/processes
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectPid
  • int32
-
The PID of the target process
-
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectPipeName
  • string
-
The named pipe of the event
  • \\.\pipe\name1
  • \\serverHostName\pipe\name1
  • \\serverIp\pipe\name1
  • XDR Endpoint Sensor
objectPort
  • int32
  • Port
The port used by the event
-
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
objectPosixPermission
  • string
-
The current POSIX permission for the file
  • 1050112
  • Trend Cloud One - Endpoint & Workload Security
objectPosixPermissionHashId
  • int64
-
The POSIX permission hash ID
  • -8931783023607716000
  • Trend Cloud One - Endpoint & Workload Security
objectProcessHashId
  • int64
-
The FNV of the target process
  • 1415699552492662761
  • -100650285065767982
  • -1139416698673814436
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectRawDataSize
  • int64[]
-
The raw data size of the Windows Event object
  • 9
  • 1
  • 564
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectRawDataStr
  • string[]
-
The data contents of the AMSI event
  • $global:?
  • 0
  • $servicename = "WinRM" $arrService = Get-Service $servicename if ($arrService.Status -ne "Running") { Restart-Service $servicename }
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectRegistryData
  • string
  • RegistryValueData
The registry value data
  • {11111111-1111-1111-1111-111111111111}
  • 1
  • 0
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectRegistryKeyHandle
  • string
  • RegistryKey
The registry key
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  • HKLM\system\currentcontrolset\services\w32time\config
  • HKLM\system\currentcontrolset\services\tcpip\parameters
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectRegistryValue
  • string
  • RegistryValue
The registry value name
  • lastknowngoodtime
  • threadingmodel
  • epoch
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectRunAsLocalAccount
  • bool
-
Whether the "runas" command uses a local account
  • 0
  • 1
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectServiceType
  • string
-
The target file type
  • local
  • smb
  • web
  • Data Detection and Response
objectSessionId
  • int32
  • int64
-
The object session ID
  • 0
  • 1
  • 2
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectSigner
  • string[]
-
The certificate signer of the object process or file
  • Microsoft Windows
  • Software Signing;Apple Code Signing Certification Authority;Apple Root CA;
  • Microsoft Corporation
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectSignerFlagsAdhoc
  • bool[]
-
The list of object process or file signature adhoc flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectSignerFlagsLibValid
  • bool[]
-
The list of object process or file signature library validation flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectSignerFlagsRuntime
  • bool[]
-
The list of object process or file signature runtime flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
objectSignerValid
  • bool[]
-
The certificate signer validity
  • 1
  • 0
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectSubTrueType
  • int32
-
The file object true sub-type
  • 0
  • 5000
  • 18000
  • 28001
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectThreadId
  • int64
-
The object process thread ID
  • 10196
  • 10104
  • 10004
  • Trend Micro Apex One as a Service
objectTrueType
  • int32
-
The file object true major type
  • 7
  • 5
  • 18
  • 4051
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectUri
  • string
-
The target file path
  • C://path/of/file.txt
  • Data Detection and Response
objectUser
  • string
  • UserAccount
The owner name of the target process or the sign-in user name
  • root
  • SYSTEM
  • oracle
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Data Detection and Response
objectUserGroup
  • string
-
The user group name
  • staff
  • _spotlight
  • wheel
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectUserGroupSids
  • string[]
-
The user group SIDs of the object
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • S-1-5-21-3770350686-3666354711-3866293128-513
  • XDR Endpoint Sensor
osDescription
  • string
-
The OS version
  • Windows 10 (64 bit)
  • Windows 10 Pro (64 bit) build 19044
  • Amazon Linux 2 (64 bit) (5.4.188-104.359.amzn2.x86_64)
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
osName
  • string
-
The host OS name
  • Windows
  • Linux
  • macOS
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
osType
  • string
-
The host OS type
  • 0x00000030
  • 4
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
osVer
  • string
-
The host OS version
  • Amazon Linux 2
  • 10.0.19044
  • 10.0.19042
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentAuthId
  • int64
-
The parent authorization ID
  • 999
  • 996
  • 997
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentCmd
  • string
  • CLICommand
The command line entry of the parent process
  • C:\WINDOWS\system32\services.exe
  • C:\Windows\system32\services.exe
  • /sbin/launchd
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
parentFileCreation
  • int64
-
The time the parent file was created
  • 1652131848000
  • 1577865600000
  • 1635172968000
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentFileCurrentOwnerName
  • string
-
The current owner name of the parent file
  • NT AUTHORITY\SYSTEM
  • BUILTIN\Administradores
  • BUILTIN\Administrators
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileCurrentOwnerSid
  • string
-
The current security identifier owner of the parent file
  • S-1-5-32-544
  • S-1-5-18
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileDaclString
  • string
-
The discretionary access control list of the parent file
  • D:(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2)
  • D:(A;OICI;GA;;;SY)(A;OICI;0xa0120000;;;WD)(A;OICI;GA;;;BA)
  • D:(A;ID;0x1200a9;;;AC)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;S-1-15-2-2)
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileGroupName
  • string
-
The name of the parent file user group
  • wheel
  • admin
  • staff
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentFileGroupSid
  • string
-
The security identifier of the parent process file group
  • S-1-5-18
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-32-544
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileHashId
  • int64
-
The parent file hash ID
  • -4092577940452904134
  • 2141057820373638746
  • -821808160829839906
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileHashMd5
  • string
  • FileMD5
The MD5 hash of the parent process
  • d8e577bf078c45954f4531885478d5a9
  • cd10cb894be2128fca0bf0e2b0c27c16
  • cfd65bed18a1fae631091c3a4c4dd533
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileHashSha1
  • string
  • FileSHA1
The SHA-1 hash of the parent process
  • d7a213f3cfee2a8a191769eb33847953be51de54
  • 1f912d4bec338ef10b7c9f19976286f8acc4eb97
  • 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileHashSha256
  • string
  • FileSHA2
The SHA-256 hash of the parent process
  • dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674
  • f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881
  • 00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileModifiedTime
  • int64
-
The time the parent file was modified
  • 1652131848000
  • 1577865600000
  • 1635172968000
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentFileOriginalName
  • string
  • FileName
The original file name of the parent image
  • Taskmgr.exe
  • WINLOGON.EXE
  • svchost.exe
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentFileOwnerName
  • string
-
The owner name of the parent file
  • root
  • cit
  • BUILTIN\Administrators
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentFileOwnerSid
  • string
-
The security identifier of the parent file owner
  • S-1-5-32-544
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFilePath
  • string
  • FileFullPath
  • FileName
The file path of the parent process
  • c:\windows\system32\services.exe
  • /usr/bin/bash
  • c:\windows\system32\svchost.exe
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileRemoteAccess
  • bool
-
Whether there is remote access to the parent file
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileSaclString
  • string
-
The system access control list of the parent file
  • S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
  • S:NO_ACCESS_CONTROL
  • S:(AU;IDSAFA;DCLCRPSDWDWO;;;AU)
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
parentFileSize
  • int64
-
The file size of the parent file
  • 714856
  • 59952
  • 5114880
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentHashId
  • int64
-
The parent hash ID
  • -865367326691173681
  • -2903238741593506113
  • -4358168316031740439
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentIntegrityLevel
  • int32
-
The integrity level of a parent
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentLaunchTime
  • int64
-
The time when the parent process was launched
  • 1653614773895
  • 1656118625928
  • 0
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentName
  • string
-
The image name of the parent process
  • c:\windows\system32\services.exe
  • /usr/bin/bash
  • c:\windows\system32\svchost.exe
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentPid
  • int32
-
The PID of the parent process
  • 1
  • 976
  • 920
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentSigner
  • string[]
-
The signer of the parent file
  • Microsoft Windows Publisher
  • Microsoft Windows
  • Software Signing;Apple Code Signing Certification Authority;Apple Root CA;
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentSignerFlagsAdhoc
  • bool[]
-
The list of parent process signature adhoc flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentSignerFlagsLibValid
  • bool[]
-
The list of parent process signature library validation flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentSignerFlagsRuntime
  • bool[]
-
The list of parent process signature runtime flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentSignerValid
  • bool[]
-
The validity of the parent signer
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentSubTrueType
  • int32
-
The true file sub-type of the parent file
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentTrueType
  • int32
-
The true file type of the parent file
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentUser
  • string
-
The type of user that executed the parent process
  • root
  • SYSTEM
  • SISTEMA
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
parentUserDomain
  • string
-
The user domain of the parent process
  • NT AUTHORITY
  • AUTORIDADE NT
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentUserGroupSids
  • string[]
-
The SIDs of the parent user group
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • S-1-5-21-3770350686-3666354711-3866293128-513
  • XDR Endpoint Sensor
pname
  • string
-
The internal product ID (deprecated, use productCode)
  • 2200
  • 751
  • 533
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
policyIds
  • string
-
The Data Detection and Response data policy IDs
  • 11111111-1111-1111-1111-111111111111
  • Data Detection and Response
policyTreePath
  • string
-
The policy tree path
  • policyname1/policyname2/policyname3
  • Security Analytics Engine
processCmd
  • string
  • CLICommand
The command line entry of the subject process
  • C:\Windows\system32\lsass.exe
  • C:\WINDOWS\system32\lsass.exe
  • nimbus(processes)
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
processFileCreation
  • int64
-
The time the process file was created
  • 1652131848000
  • 1577865600000
  • 1635172906000
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processFileCurrentOwnerName
  • string
-
The current owner name of the process file
  • NT AUTHORITY\SYSTEM
  • BUILTIN\Administrators
  • BUILTIN\Administradores
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileCurrentOwnerSid
  • string
-
The owner of the process file current security identifier
  • S-1-5-18
  • S-1-5-32-544
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileDaclString
  • string
-
The discretionary access control list of the process file
  • D:(A;ID;0x1200a9;;;AC)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;S-1-15-2-2)
  • D:(A;ID;FA;;;SY)
  • D:(A;ID;FA;;;BA)(A;ID;FA;;;SY)
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileGroupName
  • string
-
The name of the process file user group
  • wheel
  • admin
  • staff
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processFileGroupSid
  • string
-
The security identifier of the process file group
  • S-1-5-18
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-32-544
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileHashId
  • int64
-
The file hash of the process
  • 2141057820373638746
  • -821808160829839906
  • 5222963427542927736
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileHashMd5
  • string
  • FileMD5
The MD5 hash of the subject process image
  • cd10cb894be2128fca0bf0e2b0c27c16
  • 7ac47235c7bb452a03d3afd872f44c9e
  • cfd65bed18a1fae631091c3a4c4dd533
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileHashSha1
  • string
  • FileSHA1
The SHA-1 hash of the subject process image
  • 1f912d4bec338ef10b7c9f19976286f8acc4eb97
  • ded3833f145989fd86c1f4811b61497298ebc7fd
  • 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileHashSha256
  • string
  • FileSHA2
The SHA-256 hash of the subject process image
  • f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881
  • 39109eef00821658893b45634fe2f4664f880da9242712df907f1327d4ceefb8
  • 00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileModifiedTime
  • int64
-
The time the process file was modified
  • 1652131848000
  • 1633413236462
  • 1414554708877
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processFileOriginalName
  • string
  • FileName
The original file name of the process image
  • Taskmgr.exe
  • WINLOGON.EXE
  • svchost.exe
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processFileOwnerName
  • string
-
The process file owner name
  • root
  • cit
  • BUILTIN\Administrators
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processFileOwnerSid
  • string
-
The security identifier of the process file owner
  • S-1-5-32-544
  • S-1-5-18
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processFilePath
  • string
  • ProcessFullPath
  • ProcessName
  • FileFullPath
  • FileName
The file path of the subject process
  • /usr/bin/bash
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\lsass.exe
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileRemoteAccess
  • bool
-
Whether there is remote access to the process file
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileSaclString
  • string
-
The system access control list of the process file
  • S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
  • S:(AU;IDSAFA;DCLCRPSDWDWO;;;AU)
  • S:NO_ACCESS_CONTROL
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
processFileSize
  • int64
-
The file size of the process file
  • 59952
  • 59456
  • 47024
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processHashId
  • int64
-
The FNV of the subject process
  • 7114696589795796819
  • 1307755369266815004
  • -5015325378148567246
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processLaunchTime
  • int64
-
The time the subject process was launched
  • 1653614775212
  • 1656118626642
  • 1652098160298
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processName
  • string
  • ProcessName
The image name of the process that triggered the event
  • /usr/bin/bash
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\lsass.exe
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processPid
  • int32
-
The PID of the subject process
  • 4
  • 1
  • 784
  • 792
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processSigner
  • string[]
-
The process file signer
  • Microsoft Windows
  • Microsoft Windows Publisher
  • Microsoft Corporation
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processSignerFlagsAdhoc
  • bool[]
-
The list of process signature adhoc flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processSignerFlagsLibValid
  • bool[]
-
The list of process signature library validation flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processSignerFlagsRuntime
  • bool[]
-
The list of process signature runtime flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processSignerValid
  • bool[]
-
The validity of the process signer
  • 1
  • 0
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processSubTrueType
  • int32
-
The true file sub-type of the process
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processTrueType
  • int32
-
The true file type of the process
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processUser
  • string
  • UserAccount
The owner name of subject process image
  • root
  • SYSTEM
  • SISTEMA
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processUserDomain
  • string
-
The process user domain
  • NT AUTHORITY
  • AUTORIDADE NT
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processUserGroupSids
  • string[]
-
The user group SIDs of the process
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • S-1-5-21-3770350686-3666354711-3866293128-513
  • XDR Endpoint Sensor
productCode
  • string
-
The internal product code
  • sds
  • xes
  • sao
  • Security Analytics Engine
providerGUID
  • string
-
The GUID of the Windows Event provider
  • {11111111-1111-1111-1111-111111111111}
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
providerName
  • string
-
The name of the Windows Event provider
  • Microsoft-Windows-Security-Auditing
  • Microsoft-Windows-WMI-Activity
  • Microsoft-Windows-TaskScheduler
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
proxy
  • string
-
The proxy address
  • proxy.sample:8080
  • 10.10.10.10:8080
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
publicSpt
  • int32
  • Port
The public port of the endpoint making the request
  • 57163
  • XDR Endpoint Sensor
publicSrc
  • string
  • IPv4
  • IPv6
The public IP of the endpoint making the request
  • 10.10.10.10
  • XDR Endpoint Sensor
pver
  • string
-
The product version
  • 1.2.0.2752
  • 1.0.345
  • 1.2.0.2657
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
rawDataSize
  • int64
-
The size of the Windows Event log
  • 1128
  • 1129
  • 1127
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
rawDataStr
  • string
-
The Windows Event raw contents
  • { "EventData" : { "LogonType" : "", "TargetDomainName" : "", "TargetLogonId" : "", "TargetUserName" : "", "TargetUserSid" : "" } }
  • { "EventData" : { "LogonType" : "10", "TargetDomainName" : "AFASADV", "TargetLogonId" : "14941011731", "TargetUserName" : "administrator", "TargetUserSid" : "S-1-5-21-1507008304-2416677881-2121376573-500" } }
  • { "EventData" : { "LogonType" : "10", "TargetDomainName" : "AIS", "TargetLogonId" : "216921070", "TargetUserName" : "MWoodr01", "TargetUserSid" : "S-1-5-21-1873864278-1756520048-3043165120-15057" } }
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
regionId
  • string
-
The cloud asset region
  • US East (N. Virginia)
  • Europe (Frankfurt)
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
request
  • string
  • URL
The request URL
  • http://10.10.10.10/fake/site
  • http:///fake/param.cgi?action=list&group=Alarm.Status
  • http://fake.com/
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
requestMethod
  • string
-
The network protocol request method
  • GET
  • POST
  • PUT
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
ruleId
  • int32
-
The rule ID
  • 1005566
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
smbSharedName
  • string
-
The shared folder name for the server that contains the files
  • sharedfolder
  • XDR Endpoint Sensor
spt
  • int32
  • Port
The source port
  • 53
  • 5353
  • 443
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Data Detection and Response
src
  • string
  • IPv4
  • IPv6
The source IP
  • ::
  • 10.10.10.10
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Data Detection and Response
srcFileCreation
  • int64
-
The time the source file was created
  • 1577865600000
  • 1626201752000
  • 1626201750000
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
srcFileCurrentOwnerName
  • string
-
The current owner name of the source file
  • NT AUTHORITY\SYSTEM
  • BUILTIN\Administrators
  • AUTORIDADE NT\SISTEMA
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
srcFileCurrentOwnerSid
  • string
-
The current security identifier owner of the source file
  • S-1-5-18
  • S-1-5-32-544
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
srcFileDaclString
  • string
-
The discretionary access control list of the source file
  • D:(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2)
  • D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
  • D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
srcFileGroupName
  • string
-
The source file user group name
  • wheel
  • staff
  • NT SERVICE\TrustedInstaller
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
srcFileGroupSid
  • string
-
The security identifier of the source file group
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • S-1-5-21-3770350686-3666354711-3866293128-513
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
srcFileHash
  • string
-
The cryptographic hash of the source process image or file
  • 1ca71017d2fa4775253670e1e55e26912bfdc156
  • Data Detection and Response
srcFileHashMd5
  • string
  • FileMD5
The MD5 hash of the source file
  • e5d5e9c1f65b8ec7aa5b7f1b1acdd731
  • a6779bf446db07e4c4ba3516b273c496
  • 4bb7334fdadc6eccb8e6ab402aae013b
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
srcFileHashSha1
  • string
  • FileSHA1
The SHA-1 hash of the source file
  • 5d34902fecc1760138212ada36be1e742bda5e52
  • dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
  • 2292f8109cd756e790c068a52d50f1b0858f503b
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
srcFileHashSha256
  • string
  • FileSHA2
The SHA-256 hash of the source file
  • 4eaa002225f4ea2dedcd19b7f1337d7c58ea7dd6d4571c12468dde95e6bcfdaf
  • e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
  • 16b20a3ad485b4fbbe3028c7e743b226db21ea93cacc8b3d7d7d4a731bf02333
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
srcFileIsRemoteAccess
  • bool
-
Whether there is remote access to the source file
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
srcFileModifiedTime
  • int64
-
The time the source file was modified
  • 1626201752000
  • 1626201750000
  • 1577865600000
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
srcFileOwnerName
  • string
-
The source file owner name
  • root
  • NT SERVICE\TrustedInstaller
  • NT AUTHORITY\SYSTEM
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
srcFileOwnerSid
  • string
-
The security identifier of the source file owner
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • S-1-5-32-544
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
srcFilePath
  • string
  • FileFullPath
  • FileName
The source file path
  • \\cnva-apps\megaclockprod\traveler\travelerprint.accdb
  • c:\program files\common files\microsoft shared\clicktorun\officesvcmgrschedule.xml
  • q:\a7_dbs\a4_pkg\a4_packaging.accde
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
srcFileSaclString
  • string
-
The system access control list of the source file
  • S:NO_ACCESS_CONTROL
  • S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
  • S:(AU;IDSAFA;DCLCRPSDWDWO;;;AU)
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
srcFileSize
  • int64
-
The file size of the source file
  • 0
  • 131072
  • 196608
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Data Detection and Response
srcFirstSeen
  • int64
-
The first time the source file was seen
  • 0
  • 1656355418449
  • 1656714760440
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
srcLastSeen
  • int64
-
The last time the source file was seen
  • 0
  • 1656355418449
  • 1656715147313
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
srcServiceType
  • string
-
The source file type
  • local
  • smb
  • web
  • Data Detection and Response
srcSigner
  • string[]
-
The signer of the source file
  • Microsoft Windows
  • Microsoft Corporation
  • Google LLC
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
srcSignerFlagsAdhoc
  • bool[]
-
The list of source file signature adhoc flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
srcSignerFlagsLibValid
  • bool[]
-
The list of source file signature library validation flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
srcSignerFlagsRuntime
  • bool[]
-
The list of source file signature runtime flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
srcSignerValid
  • bool[]
-
The validity of the source file signer
-
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
srcUri
  • string
-
The source file path
  • C://path/of/file.txt
  • Data Detection and Response
srcUser
  • string
-
The owner name of the source process or the sign-in user name
  • root
  • SYSTEM
  • oracle
  • Data Detection and Response
status
  • string
-
The HTTP response status code
  • 200
  • 500
  • 403
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
subSystem
  • string
-
The sub-system information
  • com.apple.xpc
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
subnetId
  • string
-
The subnet ID of the virtual machine that made the request
  • subnet-01234567890abcdef
  • XDR Endpoint Sensor
tags
  • string[]
  • Technique
The detected Technique ID based on the alert filter
  • MITREV9.T1057
  • MITREV9.T1059.003
  • XSAE.F2924
  • Security Analytics Engine
timezone
  • string
-
The host time zone
  • UTC+00:00
  • UTC-05:00
  • UTC-03:00
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
userDomain
  • string[]
-
The user domain name
  • CORP
  • AUTORIDADE NT
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
uuid
  • string
-
The unique key of the log
  • 11111111-1111-1111-1111-111111111111
  • Security Analytics Engine
vpcId
  • string
-
The virtual private cloud that contains the cloud asset
  • vpc-01234567890abcdef
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
winEventId
  • int32
-
The Windows Event ID
  • 11
  • 4624
  • 4670
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service