Important: This data source query method is no longer available after February 2, 2026. For more information on the currently available data sources for use in XDR Data Explorer queries, go to https://trendmicro.github.io/tm-v1-schema/pages/index.
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| additionalInfo | | - | The filter rule information | | |
| app | | - | The Layer 7 network protocol being exploited | | |
| authId | | - | The authorization ID | | |
| azId | | - | The Availability Zone ID of the virtual machine that made the request | | |
| channel | | - | The Windows Event channel | | |
| cloudIdentityAccountId | | - | The Cloud Identity account ID used for authorization | | |
| cloudIdentityId | | - | The Cloud Identity ID used for authorization | | |
| cloudIdentityName | | - | The Cloud Identity name used for authorization | | |
| cloudProvider | | - | The service provider of the cloud asset | | |
| cloudServiceApiName | | - | The cloud service API | | |
| cloudServiceName | | - | The cloud service | | |
| codeIntegrityOptionEnabled | | - | Whether the system enforced signed kernel loading according to driver signature enforcement | | |
| codeIntegrityOptionTestsign | | - | Whether the system bypassed driver signature enforcement checks and permitted loading of test-signed drivers | | |
| correlationData | | - | The data for correlation | - | |
| customAssetTags | | - | The list of custom asset tags | | |
| deviceType | | - | The disk drive type | | |
| dpt | | | The destination port | - | |
| dst | | | The destination IP | | |
| endpointGuid | | | The host GUID of the endpoint on which the event was detected | | |
| endpointHostName | | | The hostname of the endpoint on which the event was detected | | |
| endpointIp | | | The IP address of the endpoint on which the event was detected | | |
| endpointMacAddress | | - | The host MAC address | | |
| eventDataAccessList | | - | The list of requested access rights | | |
| eventDataAccessMask | | - | The hexadecimal value of the requested or used permissions during an access attempt | | |
| eventDataActionName | | - | The action performed | | |
| eventDataAuthenticationPackageName | | - | The authentication package name of the Windows Event data | | |
| eventDataConsumer | | - | The recipient of the reported event | | |
| eventDataElevatedToken | | - | Whether the session is elevated and has administrator privileges | | |
| eventDataFullyQualifiedAssemblyName | | - | The fully qualified .NET assembly name | | |
| eventDataImpersonationLevel | | - | The sign-in session impersonation level | | |
| eventDataIpAddress | | - | The IP address of Windows Event 4624 (successful sign-in attempt) | | |
| eventDataJobOwner | | - | The name of the account that initiated the event | | |
| eventDataLogonProcessName | | - | The Windows Event sign-in process name | | |
| eventDataLogonType | | - | The sign-in type of Windows Event 4624 (successful sign-in attempt) | | |
| eventDataModuleILPath | | - | The CIL image path of the module or the dynamic module name | | |
| eventDataObjectName | | - | The identifying information about the object for which access was requested | | |
| eventDataObjectType | | - | The object type | | |
| eventDataOperation | | - | Windows Event 11 | | |
| eventDataPath | | - | The path of the Windows Event data | | |
| eventDataProcessPath | | - | The path of the process that initiated the event | | |
| eventDataProviderName | | - | The name of the Windows Event data provider | | |
| eventDataProviderPath | | - | The file path of the Windows Event data provider | | |
| eventDataScriptBlockText | | - | Windows Event 4104 (the execution of a remote command using PowerShell) | | |
| eventDataServiceFileName | | - | The full file path of the service executable file | | |
| eventDataServiceName | | - | The service name | | |
| eventDataStatus | | - | The Windows Event data status | | |
| eventDataSubStatus | | - | The Windows Event data sub-status | | |
| eventDataSubjectUserName | | - | The account name | | |
| eventDataTargetDomainName | | - | The target sign-in account domain or computer name | | |
| eventDataTargetName | | - | The service, application, or network resource name | | |
| eventDataTargetUserName | | - | The user name of the Windows Event data target | | |
| eventDataTaskName | | - | The task name logged by the Windows Event | | |
| eventDataTicketEncryptionType | | - | The cryptographic suite used for the Kerberos TGS | | |
| eventDataTicketOptions | | - | The authentication request Kerberos ticket behavior and permissions flags | | |
| eventDataUserContext | | - | The user context of the Windows Event data | | |
| eventDataWorkstationName | | - | The name of the computer used in the sign-in attempt | | |
| eventHashId | | - | The event hash ID | | |
| eventId | | - | The event type | - | |
| eventMessage | | - | The event message | | |
| eventSubId | | - | The access type | | |
| eventTime | | - | The time the agent detected the event | | |
| filterRiskLevel | | - | The top-level risk level of the event | | |
| groupId | | - | The group ID for the management scope filter | | |
| hookId | | - | The hook ID | | |
| hostName | | | The domain name | | |
| httpReferer | | | The HTTP referer header | | |
| importTable | | - | The imported table information | - | |
| importTableFileName | | - | The name of the library file that has imported functions | | |
| importTableFunctionName | | - | The imported function file name | | |
| instanceAccountId | | - | The cloud account ID of the virtual machine that made the request | | |
| instanceId | | - | The virtual machine instance ID on the cloud platform | | |
| instanceName | | - | The name of the virtual machine that made the request | | |
| integrityLevel | | - | The integrity level of a process | - | |
| logReceivedTime | | - | The time when the XDR log was received | | |
| logonUser | | | The sign-in user name | | |
| messageType | | - | The message type | | |
| metaSrcExtra | | - | The metadata for identifying the source of events | | |
| networkInterfaceId | | - | The network interface of the virtual machine that made the request | | |
| objectApiName | | - | The name of the executed API | | |
| objectApiRvInNum | | - | The API telemetry return value | | |
| objectAppName | | - | The app involved in the AMSI event | | |
| objectAuthId | | - | The object authorization ID | | |
| objectBmData | | - | The data of the BM event | | |
| objectCmd | | | The command line entry of the target process | | |
| objectContentName | | - | The AMSI object content name | | |
| objectCurrentFileSize | | - | The previous size of the modified object file | | |
| objectCurrentPosixPermission | | - | The new POSIX permission of the file, used in file events and CHMOD events | | |
| objectFileAttributesHashId | | - | The hash ID of the file attribute meta information | | |
| objectFileCreation | | - | The time the object file was created | | |
| objectFileCurrentOwnerName | | - | The current owner name of the object file | | |
| objectFileCurrentOwnerSid | | - | The security identifier of the current owner of the object file | | |
| objectFileDaclString | | - | The discretionary access control list of the object file | | |
| objectFileExtendedAttribute | | - | The extended attributes of the file | | |
| objectFileGroupName | | - | The object file user group name | | |
| objectFileGroupSid | | - | The security identifier of the object file group | | |
| objectFileHash | | - | The cryptographic hash of the target process image or file | | |
| objectFileHashId | | - | The object file hash ID | | |
| objectFileHashMD5 | | | The MD5 hash of the target process image or target file | | |
| objectFileHashSHA-1 | | | The SHA-1 hash of the target process image or target file | | |
| objectFileHashSha256 | | | The SHA-256 hash of the target process image or target file | | |
| objectFileIsRemoteAccess | | - | Whether there was remote access to the object file | - | |
| objectFileModifiedTime | | - | The time the object file was modified | | |
| objectFileOriginalName | | | The original file name of the object image | | |
| objectFileOwnerName | | - | The object file owner name | | |
| objectFileOwnerSid | | - | The security identifier of the object file owner | | |
| objectFilePath | | | The file path of the target process image or target file | | |
| objectFileRemoteAccess | | - | Whether there was remote access to the object file | - | |
| objectFileSaclString | | - | The system access control list of the object file | | |
| objectFileSize | | - | The file size of the object file | | |
| objectFirstSeen | | - | The first time the object was seen | | |
| objectHostName | | | The server name where the event was detected | | |
| objectIntegrityLevel | | - | The integrity level of the target process | - | |
| objectIp | | | The IP address of the event | | |
| objectIps | | | The list of IP addresses in the event | | |
| objectLastSeen | | - | The last time the object was seen | | |
| objectLaunchTime | | - | The object launch time of the Windows Event | | |
| objectLoginOutFailureMessage | | - | The sign-in/sign-out error message | | |
| objectLoginOutFirstSeen | | - | The first time the object sign-in/sign-out was seen | | |
| objectLoginOutHashId | | - | The FNV hash of the object sign-in/sign-out metadata | | |
| objectLoginOutLastSeen | | - | The last time the object sign-in/sign-out was seen | | |
| objectLoginOutMetaType | | - | The sign-in/sign-out metadata | | |
| objectLoginOutSessionId | | - | The sign-in/sign-out session ID | | |
| objectLoginOutSourceAddress | | - | The sign-in/sign-out source IP | | |
| objectLoginOutStatus | | - | The sign-in/sign-out status | | |
| objectName | | - | The object name | | |
| objectPid | | - | The PID of the target process | - | |
| objectPipeName | | - | The named pipe of the event | | |
| objectPort | | | The port used by the event | - | |
| objectPosixPermission | | - | The current POSIX permission for the file | | |
| objectPosixPermissionHashId | | - | The POSIX permission hash ID | | |
| objectProcessHashId | | - | The FNV hash of the target process | | |
| objectRawDataSize | | - | The raw data size of the Windows Event object | | |
| objectRawDataStr | | - | The data contents of the AMSI event | | |
| objectRegistryData | | | The registry value data | | |
| objectRegistryKeyHandle | | | The registry key | | |
| objectRegistryValue | | | The registry value name | | |
| objectRunAsLocalAccount | | - | Whether the "runas" command uses a local account | | |
| objectServiceType | | - | The target file type | | |
| objectSessionId | | - | The object session ID | | |
| objectSigner | | - | The certificate signer of the object process or file | | |
| objectSignerFlagsAdhoc | | - | The list of object process or file signature adhoc flags | - | |
| objectSignerFlagsLibValid | | - | The list of object process or file signature library validation flags | - | |
| objectSignerFlagsRuntime | | - | The list of object process or file signature runtime flags | - | |
| objectSignerValid | | - | The certificate signer validity | | |
| objectSubTrueType | | - | The file object true sub-type | | |
| objectThreadId | | - | The object process thread ID | | |
| objectTrueType | | - | The file object true major type | | |
| objectUri | | - | The target file path | | |
| objectUser | | | The owner name of the target process or the sign-in user name | | |
| objectUserGroup | | - | The user group name | | |
| objectUserGroupSids | | - | The user group SIDs of the object | | |
| osDescription | | - | The OS version | | |
| osName | | - | The host OS | | |
| osType | | - | The host OS type | | |
| osVer | | - | The version of the host OS | | |
| parentAuthId | | - | The parent authorization ID | | |
| parentCmd | | | The command line entry of the parent process | | |
| parentFileCreation | | - | The time the parent file was created | | |
| parentFileCurrentOwnerName | | - | The current owner name of the parent file | | |
| parentFileCurrentOwnerSid | | - | The security identifier of the current owner of the parent file | | |
| parentFileDaclString | | - | The discretionary access control list of the parent file | | |
| parentFileGroupName | | - | The name of the parent file user group | | |
| parentFileGroupSid | | - | The security identifier of the parent process file group | | |
| parentFileHashId | | - | The parent file hash ID | | |
| parentFileHashMD5 | | | The MD5 hash of the parent process | | |
| parentFileHashSHA-1 | | | The SHA-1 hash of the parent process | | |
| parentFileHashSHA-256 | | | The SHA-256 hash of the parent process | | |
| parentFileModifiedTime | | - | The time the parent file was modified | | |
| parentFileOriginalName | | | The original file name of the parent image | | |
| parentFileOwnerName | | - | The owner name of the parent file | | |
| parentFileOwnerSid | | - | The security identifier of the parent file owner | | |
| parentFilePath | | | The file path of the parent process | | |
| parentFileRemoteAccess | | - | Whether there was remote access to the parent file | - | |
| parentFileSaclString | | - | The system access control list of the parent file | | |
| parentFileSize | | - | The file size of the parent file | | |
| parentHashId | | - | The parent hash ID | | |
| parentIntegrityLevel | | - | The integrity level of the parent process | - | |
| parentLaunchTime | | - | The time when the parent process was launched | | |
| parentName | | - | The image name of the parent process | | |
| parentPid | | - | The PID of the parent process | | |
| parentSigner | | - | The signer of the parent file | | |
| parentSignerFlagsAdhoc | | - | The list of parent process signature adhoc flags | - | |
| parentSignerFlagsLibValid | | - | The list of parent process signature library validation flags | - | |
| parentSignerFlagsRuntime | | - | The list of parent process signature runtime flags | - | |
| parentSignerValid | | - | The validity of the parent signer | - | |
| parentSubTrueType | | - | The true file sub-type of the parent file | - | |
| parentTrueType | | - | The true file type of the parent file | - | |
| parentUser | | - | The type of user that executed the parent process | | |
| parentUserDomain | | - | The user domain of the parent process | | |
| parentUserGroupSids | | - | The SIDs of the parent user group | | |
| platformAssetTags | | - | The list of platform custom asset tags | | |
| pname | | - | The internal product ID (deprecated; use productCode) | | |
| policyIds | | - | The Data Detection and Response data policy IDs | | |
| policyTreePath | | - | The policy tree path | | |
| processCmd | | | The command line entry of the subject process | | |
| processFileCreation | | - | The time the process file was created | | |
| processFileCurrentOwnerName | | - | The current owner name of the process file | | |
| processFileCurrentOwnerSid | | - | The security identifier of the current owner of the process file | | |
| processFileDaclString | | - | The discretionary access control list of the process file | | |
| processFileGroupName | | - | The name of the process file user group | | |
| processFileGroupSid | | - | The security identifier of the process file group | | |
| processFileHashId | | - | The file hash of the process | | |
| processFileHashMD5 | | | The MD5 hash of the subject process image | | |
| processFileHashSHA-1 | | | The SHA-1 hash of the subject process image | | |
| processFileHashSHA-256 | | | The SHA-256 hash of the subject process image | | |
| processFileModifiedTime | | - | The time the process file was modified | | |
| processFileOriginalName | | | The original file name of the process image | | |
| processFileOwnerName | | - | The process file owner name | | |
| processFileOwnerSid | | - | The security identifier of the process file owner | | |
| processFilePath | | | The file path of the subject process | | |
| processFileRemoteAccess | | - | Whether there was remote access to the process file | - | |
| processFileSaclString | | - | The system access control list of the process file | | |
| processFileSize | | - | The file size of the process file | | |
| processHashId | | - | The FNV hash of the subject process | | |
| processLaunchTime | | - | The time the subject process was launched | | |
| processName | | | The image name of the process that triggered the event | | |
| processPid | | - | The PID of the subject process | | |
| processSigner | | - | The process file signer | | |
| processSignerFlagsAdhoc | | - | The list of process signature adhoc flags | - | |
| processSignerFlagsLibValid | | - | The list of process signature library validation flags | - | |
| processSignerFlagsRuntime | | - | The list of process signature runtime flags | - | |
| processSignerValid | | - | The validity of the process signer | | |
| processStackTrace | | - | The process stack trace of the telemetry event | | |
| processSubTrueType | | - | The true file sub-type of the process | - | |
| processTrueType | | - | The true file type of the process | - | |
| processUser | | | The owner name of the subject process image | | |
| processUserDomain | | - | The process user domain | | |
| processUserGroupSids | | - | The user group SIDs of the process | | |
| productCode | | - | The internal product code | | |
| providerGUID | | - | The GUID of the Windows Event provider | | |
| providerName | | - | The name of the Windows Event provider | | |
| proxy | | - | The proxy IP | | |
| publicSpt | | | The public port of the endpoint making the request | | |
| publicSrc | | | The public IP of the endpoint making the request | | |
| pver | | - | The product version | | |
| rawDataSize | | - | The size of the Windows Event log | | |
| rawDataStr | | - | The Windows Event raw contents | | |
| regionId | | - | The cloud asset region | | |
| request | | | The request URL | | |
| requestMethod | | - | The network protocol request method | | |
| ruleId | | - | The rule ID | | |
| ruleIdStr | | - | The rule ID | | |
| smbSharedName | | - | The shared folder name for the server that contains the files | | |
| spt | | | The source port | | |
| src | | | The source IP | | |
| srcFileCreation | | - | The time the source file was created | | |
| srcFileCurrentOwnerName | | - | The current owner name of the source file | | |
| srcFileCurrentOwnerSid | | - | The security identifier of the current owner of the source file | | |
| srcFileDaclString | | - | The discretionary access control list of the source file | | |
| srcFileGroupName | | - | The source file user group name | | |
| srcFileGroupSid | | - | The security identifier of the source file group | | |
| srcFileHash | | - | The cryptographic hash of the source process image or file | | |
| srcFileHashMD5 | | | The MD5 hash of the source file | | |
| srcFileHashSHA-1 | | | The SHA-1 hash of the source file | | |
| srcFileHashSHA-256 | | | The SHA-256 hash of the source file | | |
| srcFileIsRemoteAccess | | - | Whether there was remote access to the source file | - | |
| srcFileModifiedTime | | - | The time the source file was modified | | |
| srcFileOwnerName | | - | The source file owner name | | |
| srcFileOwnerSid | | - | The security identifier of the source file owner | | |
| srcFilePath | | | The source file path | | |
| srcFileSaclString | | - | The system access control list of the source file | | |
| srcFileSize | | - | The file size of the source file | | |
| srcFirstSeen | | - | The first time the source file was seen | | |
| srcLastSeen | | - | The last time the source file was seen | | |
| srcServiceType | | - | The source file type | | |
| srcSigner | | - | The signer of the source file | | |
| srcSignerFlagsAdhoc | | - | The list of source file signature adhoc flags | - | |
| srcSignerFlagsLibValid | | - | The list of source file signature library validation flags | - | |
| srcSignerFlagsRuntime | | - | The list of source file signature runtime flags | - | |
| srcSignerValid | | - | The validity of the source file signer | - | |
| srcUri | | - | The source file path | | |
| srcUser | | - | The owner name of the source process or the sign-in user name | | |
| status | | - | The HTTP response status code | | |
| subSystem | | - | The sub-system information | | |
| subnetId | | - | The subnet ID of the virtual machine that made the request | | |
| tags | | | The detected technique ID based on the alert filter | | |
| timezone | | - | The host time zone | | |
| userDomain | | - | The user domain name | | |
| uuid | | - | The unique key of the log | | |
| vpcId | | - | The virtual private cloud that contains the cloud asset | | |
| winEventId | | - | The Windows Event ID | | |