|
Field Name
|
Type
|
General Field
|
Description
|
Example
|
Products
|
||||||
|
additionalInfo
|
|
-
|
The filter rule information
|
|
|
||||||
|
app
|
|
-
|
The Layer 7 network protocol being exploited
|
|
|
||||||
|
authId
|
|
-
|
The authorization ID
|
|
|
||||||
|
azId
|
|
-
|
The Availability Zone ID of the virtual machine that made the request
|
|
|
||||||
|
channel
|
|
-
|
The Windows Event channel
|
|
|
||||||
|
cloudIdentityAccountId
|
|
-
|
The Cloud Identity account ID used for authorization
|
|
|
||||||
|
cloudIdentityId
|
|
-
|
The Cloud Identity ID used for authorization
|
|
|
||||||
|
cloudIdentityName
|
|
-
|
The Cloud Identity name used for authorization
|
|
|
||||||
|
cloudProvider
|
|
-
|
The service provider of the cloud asset
|
|
|
||||||
|
cloudServiceApiName
|
|
-
|
The cloud service API
|
|
|
||||||
|
cloudServiceName
|
|
-
|
The cloud service
|
|
|
||||||
|
codeIntegrityOptionEnabled
|
|
-
|
Whether the system enforced signed kernel loading according to driver signature enforcement
|
|
|
||||||
|
codeIntegrityOptionTestsign
|
|
-
|
Whether the system bypassed driver signature enforcement checks and permitted loading
of test-signed drivers
|
|
|
||||||
|
correlationData
|
|
-
|
The data for correlation
|
-
|
|
||||||
|
deviceType
|
|
-
|
The disk drive type
|
|
|
||||||
|
dpt
|
|
|
The destination port
|
-
|
|
||||||
|
dst
|
|
|
The destination IP
|
|
|
||||||
|
endpointGuid
|
|
|
The host GUID of the endpoint on which the event was detected
|
|
|
||||||
|
endpointHostName
|
|
|
The hostname of the endpoint on which the event was detected
|
|
|
||||||
|
endpointIp
|
|
|
The IP address of the endpoint on which the event was detected
|
|
|
||||||
|
endpointMacAddress
|
|
-
|
The host MAC address
|
|
|
||||||
|
eventDataActionName
|
|
-
|
The action performed
|
|
|
||||||
|
eventDataAuthenticationPackageName
|
|
-
|
The authentication package name of the Windows Event data
|
|
|
||||||
|
eventDataConsumer
|
|
-
|
The recipient of the reported event
|
|
|
||||||
|
eventDataIpAddress
|
|
-
|
The IP address of Windows Event 4624 (successful sign-in attempt)
|
|
|
||||||
|
eventDataJobOwner
|
|
-
|
The name of the account that initiated the event
|
|
|
||||||
|
eventDataLogonProcessName
|
|
-
|
The name of the Windows Event sign-in process name
|
|
|
||||||
|
eventDataLogonType
|
|
-
|
The sign-in type of Windows Event 4624 (successful sign-in attempt)
|
|
|
||||||
|
eventDataOperation
|
|
-
|
The Windows Event 11
|
|
|
||||||
|
eventDataPath
|
|
-
|
The path of the Windows event data
|
|
|
||||||
|
eventDataProcessPath
|
|
-
|
The process path that initiated the event
|
|
|
||||||
|
eventDataProviderName
|
|
-
|
The name of the Windows Event data provider
|
|
|
||||||
|
eventDataProviderPath
|
|
-
|
The file path of the Windows Event data provider
|
|
|
||||||
|
eventDataScriptBlockText
|
|
-
|
The Windows Event 4104 (the execution of a remote command using PowerShell)
|
|
|
||||||
|
eventDataServiceFileName
|
|
-
|
The full file path of the service executable file
|
|
|
||||||
|
eventDataServiceName
|
|
-
|
The service name
|
|
|
||||||
|
eventDataStatus
|
|
-
|
The Windows Event data status
|
|
|
||||||
|
eventDataSubStatus
|
|
-
|
The Windows Event data sub-status
|
|
|
||||||
|
eventDataTargetUserName
|
|
-
|
The user name of the Windows Event data target
|
|
|
||||||
|
eventDataTaskName
|
|
-
|
The task name logged by the Windows Event
|
|
|
||||||
|
eventDataUserContext
|
|
-
|
The user context of the Windows Event data
|
|
|
||||||
|
eventHashId
|
|
-
|
The event hash ID
|
|
|
||||||
|
eventId
|
|
-
|
The event type
|
-
|
|
||||||
|
eventMessage
|
|
-
|
The event message
|
|
|
||||||
|
eventSubId
|
|
-
|
The access type
|
|
|
||||||
|
eventTime
|
|
-
|
The time the agent detected the event
|
|
|
||||||
|
filterRiskLevel
|
|
-
|
The top-level risk level of the event
|
|
|
||||||
|
groupId
|
|
-
|
The group ID for the management scope filter
|
|
|
||||||
|
hookId
|
|
-
|
The hook ID
|
|
|
||||||
|
hostName
|
|
|
The domain name
|
|
|
||||||
|
httpReferer
|
|
|
The HTTP header referer
|
|
|
||||||
|
importTable
|
|
-
|
The imported table information
|
-
|
|
||||||
|
importTableFileName
|
|
-
|
The library file name which has imported functions
|
|
|
||||||
|
importTableFunctionName
|
|
-
|
The imported function file name
|
|
|
||||||
|
instanceAccountId
|
|
-
|
The cloud account ID of the virtual machine that made the request
|
|
|
||||||
|
instanceId
|
|
-
|
The virtual machine instance ID on the cloud platform
|
|
|
||||||
|
instanceName
|
|
-
|
The virtual machine that made the request
|
|
|
||||||
|
integrityLevel
|
|
-
|
The integrity level of a process
|
-
|
|
||||||
|
logReceivedTime
|
|
-
|
The time when the XDR log was received
|
|
|
||||||
|
logonUser
|
|
|
The sign-in user name
|
|
|
||||||
|
messageType
|
|
-
|
The message type
|
|
|
||||||
|
metaSrcExtra
|
|
-
|
The meta for identifying the source of events
|
|
|
||||||
|
networkInterfaceId
|
|
-
|
The network interface of the virtual machine that made the request
|
|
|
||||||
|
objectApiName
|
|
-
|
The name of the executed API
|
|
|
||||||
|
objectApiRvInNum
|
|
-
|
The API telemetry return value
|
|
|
||||||
|
objectAppName
|
|
-
|
The app involved in the anti-malware scan interface (AMSI) event
|
|
|
||||||
|
objectAuthId
|
|
-
|
The object authorization ID
|
|
|
||||||
|
objectBmData
|
|
-
|
The BM event data
|
|
|
||||||
|
objectCmd
|
|
|
The command line entry of the target process
|
|
|
||||||
|
objectContentName
|
|
-
|
The anti-malware scan interface (AMSI) object content name
|
|
|
||||||
|
objectCurrentFileSize
|
|
-
|
The previous size of the modified object file
|
|
|
||||||
|
objectCurrentPosixPermission
|
|
-
|
The new POSIX permission file used in file events and CHMOD events
|
|
|
||||||
|
objectFileAttributesHashId
|
|
-
|
The hash ID of the file attribute meta information
|
|
|
||||||
|
objectFileCreation
|
|
-
|
The time the object file was created
|
|
|
||||||
|
objectFileCurrentOwnerName
|
|
-
|
The current owner name of the object file
|
|
|
||||||
|
objectFileCurrentOwnerSid
|
|
-
|
The current security identifier owner of the object file
|
|
|
||||||
|
objectFileDaclString
|
|
-
|
The discretionary access control list of the object file
|
|
|
||||||
|
objectFileExtendedAttribute
|
|
-
|
The extended attributes of the file
|
|
|
||||||
|
objectFileGroupName
|
|
-
|
The object file user group name
|
|
|
||||||
|
objectFileGroupSid
|
|
-
|
The security identifier of the object file group
|
|
|
||||||
|
objectFileHash
|
|
-
|
The cryptographic hash of the target process image or file, with the specific hash
algorithm to be determined
|
|
|
||||||
|
objectFileHashId
|
|
-
|
The object file hash ID
|
|
|
||||||
|
objectFileHashMd5
|
|
|
The MD5 hash of the target process image or target file
|
|
|
||||||
|
objectFileHashSha1
|
|
|
The SHA-1 hash of target process image or target file
|
|
|
||||||
|
objectFileHashSha256
|
|
|
The SHA-256 hash of target process image or target file
|
|
|
||||||
|
objectFileIsRemoteAccess
|
|
-
|
Whether there is remote access to the object file
|
-
|
|
||||||
|
objectFileModifiedTime
|
|
-
|
The time the object file was modified
|
|
|
||||||
|
objectFileOriginalName
|
|
|
The original file name of the object image
|
|
|
||||||
|
objectFileOwnerName
|
|
-
|
The object file owner name
|
|
|
||||||
|
objectFileOwnerSid
|
|
-
|
The security identifier of the object file owner
|
|
|
||||||
|
objectFilePath
|
|
|
The file path of the target process image or target file
|
|
|
||||||
|
objectFileRemoteAccess
|
|
-
|
Whether there is remote access to the object file
|
-
|
|
||||||
|
objectFileSaclString
|
|
-
|
The system access control list of the object file
|
|
|
||||||
|
objectFileSize
|
|
-
|
The file size of the object file
|
|
|
||||||
|
objectFirstSeen
|
|
-
|
The first time the object was seen
|
|
|
||||||
|
objectHostName
|
|
|
The server name where the event was detected
|
|
|
||||||
|
objectIntegrityLevel
|
|
-
|
The integrity level of the target process
|
-
|
|
||||||
|
objectIp
|
|
|
The IP address of the internet event
|
|
|
||||||
|
objectIps
|
|
|
The IP address list of the internet event
|
|
|
||||||
|
objectLastSeen
|
|
-
|
The last time the object was seen
|
|
|
||||||
|
objectLaunchTime
|
|
-
|
The object launch time of the Windows Event
|
|
|
||||||
|
objectLoginOutFailureMessage
|
|
-
|
The sign-in/sign-out error message
|
|
|
||||||
|
objectLoginOutFirstSeen
|
|
-
|
The first time the object sign-in/sign-out was seen
|
|
|
||||||
|
objectLoginOutHashId
|
|
-
|
The FNV of the object sign-in/sign-out meta
|
|
|
||||||
|
objectLoginOutLastSeen
|
|
-
|
The last time the object sign-in/sign-out was seen
|
|
|
||||||
|
objectLoginOutMetaType
|
|
-
|
The sign-in/sign-out meta
|
|
|
||||||
|
objectLoginOutSessionId
|
|
-
|
The sign-in/sign-out session ID
|
|
|
||||||
|
objectLoginOutSourceAddress
|
|
-
|
The sign-in/sign-out source IP
|
|
|
||||||
|
objectLoginOutStatus
|
|
-
|
The sign-in/sign-out status
|
|
|
||||||
|
objectName
|
|
-
|
The object name
|
|
|
||||||
|
objectPid
|
|
-
|
The PID of target process
|
-
|
|
||||||
|
objectPipeName
|
|
-
|
The named pipe of the event
|
|
|
||||||
|
objectPort
|
|
|
The port used by the internet event
|
-
|
|
||||||
|
objectPosixPermission
|
|
-
|
The current POSIX permission for the file
|
|
|
||||||
|
objectPosixPermissionHashId
|
|
-
|
The POSIX permission hash ID
|
|
|
||||||
|
objectProcessHashId
|
|
-
|
The FNV of the target process
|
|
|
||||||
|
objectRawDataSize
|
|
-
|
The raw data size of the Windows Event object
|
|
|
||||||
|
objectRawDataStr
|
|
-
|
The data contents of the AMSI event
|
|
|
||||||
|
objectRegistryData
|
|
|
The registry value data
|
|
|
||||||
|
objectRegistryKeyHandle
|
|
|
The registry key
|
|
|
||||||
|
objectRegistryValue
|
|
|
The registry value name
|
|
|
||||||
|
objectRunAsLocalAccount
|
|
-
|
Whether the "runas" command uses a local account
|
|
|
||||||
|
objectServiceType
|
|
-
|
The target file type
|
|
|
||||||
|
objectSessionId
|
|
-
|
The object session ID
|
|
|
||||||
|
objectSigner
|
|
-
|
The certificate signer of the object process or file
|
|
|
||||||
|
objectSignerFlagsAdhoc
|
|
-
|
The list of object process or file signature adhoc flags
|
-
|
|
||||||
|
objectSignerFlagsLibValid
|
|
-
|
The list of object process or file signature library validation flags
|
-
|
|
||||||
|
objectSignerFlagsRuntime
|
|
-
|
The list of object process or file signature runtime flags
|
-
|
|
||||||
|
objectSignerValid
|
|
-
|
The validity of the certificate signer
|
|
|
||||||
|
objectSubTrueType
|
|
-
|
The file object true sub-type
|
|
|
||||||
|
objectThreadId
|
|
-
|
The object process thread ID
|
|
|
||||||
|
objectTrueType
|
|
-
|
The file object true major type
|
|
|
||||||
|
objectUri
|
|
-
|
The target file path
|
|
|
||||||
|
objectUser
|
|
|
The owner name of the target process or the sign-in user name
|
|
|
||||||
|
objectUserGroup
|
|
-
|
The user group name
|
|
|
||||||
|
objectUserGroupSids
|
|
-
|
The user group SIDs of the object
|
|
|
||||||
|
osDescription
|
|
-
|
The OS version
|
|
|
||||||
|
osName
|
|
-
|
The host OS name
|
|
|
||||||
|
osType
|
|
-
|
The host OS type
|
|
|
||||||
|
osVer
|
|
-
|
The host OS version
|
|
|
||||||
|
parentAuthId
|
|
-
|
The parent authorization ID
|
|
|
||||||
|
parentCmd
|
|
|
The command line entry of the parent process
|
|
|
||||||
|
parentFileCreation
|
|
-
|
The time the parent file was created
|
|
|
||||||
|
parentFileCurrentOwnerName
|
|
-
|
The current owner name of the parent file
|
|
|
||||||
|
parentFileCurrentOwnerSid
|
|
-
|
The current security identifier owner of the parent file
|
|
|
||||||
|
parentFileDaclString
|
|
-
|
The discretionary access control list of the parent file
|
|
|
||||||
|
parentFileGroupName
|
|
-
|
The name of the parent file user group
|
|
|
||||||
|
parentFileGroupSid
|
|
-
|
The security identifier of the parent process file group
|
|
|
||||||
|
parentFileHashId
|
|
-
|
The parent file hash ID
|
|
|
||||||
|
parentFileHashMd5
|
|
|
The MD5 hash of parent process
|
|
|
||||||
|
parentFileHashSha1
|
|
|
The SHA-1 hash of the parent process
|
|
|
||||||
|
parentFileHashSha256
|
|
|
The SHA-256 hash of parent process
|
|
|
||||||
|
parentFileModifiedTime
|
|
-
|
The time the parent file was modified
|
|
|
||||||
|
parentFileOriginalName
|
|
|
The original file name of the parent image
|
|
|
||||||
|
parentFileOwnerName
|
|
-
|
The owner name of the parent file
|
|
|
||||||
|
parentFileOwnerSid
|
|
-
|
The security identifier of the parent file owner
|
|
|
||||||
|
parentFilePath
|
|
|
The file path of the parent process
|
|
|
||||||
|
parentFileRemoteAccess
|
|
-
|
Whether there is remote access to the parent file
|
-
|
|
||||||
|
parentFileSaclString
|
|
-
|
The system access control list of the parent file
|
|
|
||||||
|
parentFileSize
|
|
-
|
The file size of the parent file
|
|
|
||||||
|
parentHashId
|
|
-
|
The parent hash ID
|
|
|
||||||
|
parentIntegrityLevel
|
|
-
|
The integrity level of a parent
|
-
|
|
||||||
|
parentLaunchTime
|
|
-
|
The time when the parent process was launched
|
|
|
||||||
|
parentName
|
|
-
|
The image name of the parent process
|
|
|
||||||
|
parentPid
|
|
-
|
The PID of the parent process
|
|
|
||||||
|
parentSigner
|
|
-
|
The signer of the parent file
|
|
|
||||||
|
parentSignerFlagsAdhoc
|
|
-
|
The list of parent process signature adhoc flags
|
-
|
|
||||||
|
parentSignerFlagsLibValid
|
|
-
|
The list of parent process signature library validation flags
|
-
|
|
||||||
|
parentSignerFlagsRuntime
|
|
-
|
The list of parent process signature runtime flags
|
-
|
|
||||||
|
parentSignerValid
|
|
-
|
The validity of the parent signer
|
-
|
|
||||||
|
parentSubTrueType
|
|
-
|
The true file sub-type of the parent file
|
-
|
|
||||||
|
parentTrueType
|
|
-
|
The true file type of the parent file
|
-
|
|
||||||
|
parentUser
|
|
-
|
The type of user that executed the parent process
|
|
|
||||||
|
parentUserDomain
|
|
-
|
The user domain of the parent process
|
|
|
||||||
|
parentUserGroupSids
|
|
-
|
The SIDs of the parent user group
|
|
|
||||||
|
pname
|
|
-
|
The internal product ID (deprecated, use productCode)
|
|
|
||||||
|
policyIds
|
|
-
|
The Data Detection and Response data policy IDs
|
|
|
||||||
|
policyTreePath
|
|
-
|
The policy tree path
|
|
|
||||||
|
processCmd
|
|
|
The command line entry of the subject process
|
|
|
||||||
|
processFileCreation
|
|
-
|
The time the process file was created
|
|
|
||||||
|
processFileCurrentOwnerName
|
|
-
|
The current owner name of the process file
|
|
|
||||||
|
processFileCurrentOwnerSid
|
|
-
|
The owner of the process file current security identifier
|
|
|
||||||
|
processFileDaclString
|
|
-
|
The discretionary access control list of the process file
|
|
|
||||||
|
processFileGroupName
|
|
-
|
The name of the process file user group
|
|
|
||||||
|
processFileGroupSid
|
|
-
|
The security identifier of the process file group
|
|
|
||||||
|
processFileHashId
|
|
-
|
The file hash of the process
|
|
|
||||||
|
processFileHashMd5
|
|
|
The MD5 hash of the subject process image
|
|
|
||||||
|
processFileHashSha1
|
|
|
The SHA-1 hash of the subject process image
|
|
|
||||||
|
processFileHashSha256
|
|
|
The SHA-256 hash of the subject process image
|
|
|
||||||
|
processFileModifiedTime
|
|
-
|
The time the process file was modified
|
|
|
||||||
|
processFileOriginalName
|
|
|
The original file name of the process image
|
|
|
||||||
|
processFileOwnerName
|
|
-
|
The process file owner name
|
|
|
||||||
|
processFileOwnerSid
|
|
-
|
The security identifier of the process file owner
|
|
|
||||||
|
processFilePath
|
|
|
The file path of the subject process
|
|
|
||||||
|
processFileRemoteAccess
|
|
-
|
Whether there is remote access to the process file
|
-
|
|
||||||
|
processFileSaclString
|
|
-
|
The system access control list of the process file
|
|
|
||||||
|
processFileSize
|
|
-
|
The file size of the process file
|
|
|
||||||
|
processHashId
|
|
-
|
The FNV of the subject process
|
|
|
||||||
|
processLaunchTime
|
|
-
|
The time the subject process was launched
|
|
|
||||||
|
processName
|
|
|
The image name of the process that triggered the event
|
|
|
||||||
|
processPid
|
|
-
|
The PID of the subject process
|
|
|
||||||
|
processSigner
|
|
-
|
The process file signer
|
|
|
||||||
|
processSignerFlagsAdhoc
|
|
-
|
The list of process signature adhoc flags
|
-
|
|
||||||
|
processSignerFlagsLibValid
|
|
-
|
The list of process signature library validation flags
|
-
|
|
||||||
|
processSignerFlagsRuntime
|
|
-
|
The list of process signature runtime flags
|
-
|
|
||||||
|
processSignerValid
|
|
-
|
The validity of the process signer
|
|
|
||||||
|
processSubTrueType
|
|
-
|
The true file sub-type of the process
|
-
|
|
||||||
|
processTrueType
|
|
-
|
The true file type of the process
|
-
|
|
||||||
|
processUser
|
|
|
The owner name of subject process image
|
|
|
||||||
|
processUserDomain
|
|
-
|
The process user domain
|
|
|
||||||
|
processUserGroupSids
|
|
-
|
The user group SIDs of the process
|
|
|
||||||
|
productCode
|
|
-
|
The internal product code
|
|
|
||||||
|
providerGUID
|
|
-
|
The GUID of the Windows Event provider
|
|
|
||||||
|
providerName
|
|
-
|
The name of the Windows Event provider
|
|
|
||||||
|
proxy
|
|
-
|
The proxy address
|
|
|
||||||
|
publicSpt
|
|
|
The public port of the endpoint making the request
|
|
|
||||||
|
publicSrc
|
|
|
The public IP of the endpoint making the request
|
|
|
||||||
|
pver
|
|
-
|
The product version
|
|
|
||||||
|
rawDataSize
|
|
-
|
The size of the Windows Event log
|
|
|
||||||
|
rawDataStr
|
|
-
|
The Windows Event raw contents
|
|
|
||||||
|
regionId
|
|
-
|
The cloud asset region
|
|
|
||||||
|
request
|
|
|
The request URL
|
|
|
||||||
|
requestMethod
|
|
-
|
The network protocol request method
|
|
|
||||||
|
ruleId
|
|
-
|
The rule ID
|
|
|
||||||
|
smbSharedName
|
|
-
|
The shared folder name for the server that contains the files
|
|
|
||||||
|
spt
|
|
|
The source port |
|
|
||||||
|
src
|
|
|
The source IP
|
|
|
||||||
|
srcFileCreation
|
|
-
|
The time the source file was created
|
|
|
||||||
|
srcFileCurrentOwnerName
|
|
-
|
The current owner name of the source file
|
|
|
||||||
|
srcFileCurrentOwnerSid
|
|
-
|
The current security identifier owner of the source file
|
|
|
||||||
|
srcFileDaclString
|
|
-
|
The discretionary access control list of the source file
|
|
|
||||||
|
srcFileGroupName
|
|
-
|
The source file user group name
|
|
|
||||||
|
srcFileGroupSid
|
|
-
|
The security identifier of the source file group
|
|
|
||||||
|
srcFileHash
|
|
-
|
The cryptographic hash of the source process image or file with the specific hash
algorithm to be determined
|
|
|
||||||
|
srcFileHashMd5
|
|
|
The MD5 hash of the source file
|
|
|
||||||
|
srcFileHashSha1
|
|
|
The SHA-1 hash of the source file
|
|
|
||||||
|
srcFileHashSha256
|
|
|
The SHA-256 hash of the source file
|
|
|
||||||
|
srcFileIsRemoteAccess
|
|
-
|
Whether there is remote access to the source file
|
-
|
|
||||||
|
srcFileModifiedTime
|
|
-
|
The time the source file was modified
|
|
|
||||||
|
srcFileOwnerName
|
|
-
|
The source file owner name
|
|
|
||||||
|
srcFileOwnerSid
|
|
-
|
The security identifier of the source file owner
|
|
|
||||||
|
srcFilePath
|
|
|
The source file path
|
|
|
||||||
|
srcFileSaclString
|
|
-
|
The system access control list of the source file
|
|
|
||||||
|
srcFileSize
|
|
-
|
The file size of the source file
|
|
|
||||||
|
srcFirstSeen
|
|
-
|
The first time the source file was seen
|
|
|
||||||
|
srcLastSeen
|
|
-
|
The last time the source file was seen
|
|
|
||||||
|
srcServiceType
|
|
-
|
The source file type
|
|
|
||||||
|
srcSigner
|
|
-
|
The signer of the source file
|
|
|
||||||
|
srcSignerFlagsAdhoc
|
|
-
|
The list of source file signature adhoc flags
|
-
|
|
||||||
|
srcSignerFlagsLibValid
|
|
-
|
The list of source file signature library validation flags
|
-
|
|
||||||
|
srcSignerFlagsRuntime
|
|
-
|
The list of source file signature runtime flags
|
-
|
|
||||||
|
srcSignerValid
|
|
-
|
The validity of the source file signer
|
-
|
|
||||||
|
srcUri
|
|
-
|
The source file path
|
|
|
||||||
|
srcUser
|
|
-
|
The owner name of the source process or the sign-in user name
|
|
|
||||||
|
status
|
|
-
|
The HTTP response status code
|
|
|
||||||
|
subSystem
|
|
-
|
The sub-system information
|
|
|
||||||
|
subnetId
|
|
-
|
The subnet ID of the virtual machine that made the request
|
|
|
||||||
|
tags
|
|
|
The detected technique ID based on the alert filter
|
|
|
||||||
|
timezone
|
|
-
|
The host time zone
|
|
|
||||||
|
userDomain
|
|
-
|
The user domain name
|
|
|
||||||
|
uuid
|
|
-
|
The unique key of the log
|
|
|
||||||
|
vpcId
|
|
-
|
The virtual private cloud that contains the cloud asset
|
|
|
||||||
|
winEventId
|
|
-
|
The Windows Event ID
|
|
|
additionalInfo
|
string |
The filter rule information
|
Default |
|
|
|
app
|
string |
The Layer 7 network protocol being exploited
|
SMB |
Endpoint Sensor
|
|||||||
|
authId
|
int64 |
The authorization ID
|
|
|
|||||||
|
azId
|
string |
The Availability Zone ID of the virtual machine that made the request
|
|
Endpoint Sensor
|
|||||||
|
channel
|
string |
The Windows Event channel
|
|
|
|||||||
|
cloudIdentityAccountId
|
string |
The Cloud Identity account ID used for authorization
|
111111111111 |
Endpoint Sensor
|
|||||||
|
cloudIdentityId
|
string |
The Cloud Identity ID used for authorization
|
arn:aws:sts::111111111111:assumed-role/eksctl-aws-test-nodegroup-ng-21d38-NodeInstanceRole-3wPxVEo4zHlK/i-0355006acbbde82b8 |
Endpoint Sensor
|
|||||||
|
cloudIdentityName
|
string |
The Cloud Identity name used for authorization
|
AWSsampleToken |
Endpoint Sensor
|
|||||||
|
cloudProvider
|
string |
The service provider of the cloud asset
|
|
|
|||||||
|
cloudServiceApiName
|
string |
The cloud service application programming interface (API)
|
|
Endpoint Sensor
|
|||||||
|
cloudServiceName
|
string |
The cloud service
|
|
Endpoint Sensor
|
|||||||
|
codeIntegrityOptionEnabled
|
bool |
Whether the system enforced signed kernel loading according to driver signature enforcement
|
|
Endpoint Sensor
|
|||||||
|
codeIntegrityOptionTestsign
|
bool |
Whether the system bypassed driver signature enforcement checks and permitted loading
of test-signed drivers
|
|
Endpoint Sensor
|
|||||||
|
correlationData
|
object_correlation[] |
The data for correlation
|
|
||||||||
|
deviceType
|
enum_TELEMETRY_DEVICE_TYPE |
The disk drive type
|
|
Endpoint Sensor
|
|||||||
|
dpt
|
int32 |
Port
|
The destination port
|
|
|||||||
|
dst
|
string |
|
The destination internet protocol (IP)
|
|
|
||||||
|
endpointGuid
|
string |
EndpointID
|
The host globally unique identifier (GUID) of the endpoint on which the event was
detected
|
|
|
||||||
|
endpointHostName
|
string |
EndpointName
|
The hostname of the endpoint on which the event was detected
|
|
|
||||||
|
endpointIp
|
string[] |
|
The IP address of the endpoint on which the event was detected
|
|
|
||||||
|
endpointMacAddress
|
string[] |
The host media access control (MAC) address
|
|
|
|||||||
|
eventDataActionName
|
string |
The action performed
|
|
|
|||||||
|
eventDataAuthenticationPackageName
|
string |
The authentication package name of the Windows Event data
|
|
|
|||||||
|
eventDataConsumer
|
string |
The recipient of the reported event
|
|
Endpoint Sensor
|
|||||||
|
eventDataIpAddress
|
string |
The IP address of Windows Event 4624 (successful sign-in attempt)
|
|
|
|||||||
|
eventDataJobOwner
|
string |
The name of the account that initiated the event
|
|
Trend Micro Apex One as a Service
|
|||||||
|
eventDataLogonProcessName
|
string |
The Windows Event sign-in process name
|
|
|
|||||||
|
eventDataLogonType
|
string |
The sign-in type of Windows Event 4624 (successful sign-in attempt)
|
|
|
|||||||
|
eventDataOperation
|
string |
The Windows Event 11
|
|
|
|||||||
|
eventDataPath
|
string |
The path of the Windows Event data
|
|
|
|||||||
|
eventDataProcessPath
|
string |
The process path that initiated the event
|
|
Trend Micro Apex One as a Service
|
|||||||
|
eventDataProviderName
|
string |
The name of the Windows Event data provider
|
|
Endpoint Sensor
|
|||||||
|
eventDataProviderPath
|
string |
The file path of the Windows Event data provider
|
|
Endpoint Sensor
|
|||||||
|
eventDataScriptBlockText
|
string |
The Windows Event 4104 (the execution of a remote command using PowerShell)
|
|
Trend Micro Apex One as a Service
|
|||||||
|
eventDataServiceFileName
|
string |
The full file path of the service executable file
|
|
Endpoint Sensor
|
|||||||
|
eventDataServiceName
|
string |
The service name
|
|
Endpoint Sensor
|
|||||||
|
eventDataStatus
|
string |
The Windows Event data status
|
|
|
|||||||
|
eventDataSubStatus
|
string |
The Windows Event data sub-status
|
|
|
|||||||
|
eventDataTargetUserName
|
string |
The user name of the Windows Event data target
|
|
Trend Micro Apex One as a Service
|
|||||||
|
eventDataTaskName
|
string |
The task name logged by the Windows Event
|
|
|
|||||||
|
eventDataUserContext
|
string |
The user context of the Windows Event data
|
|
|
|||||||
|
eventHashId
|
int64 |
The event hash ID
|
|
|
|||||||
|
eventId
|
enum_TelemetryHeader.TELEMETRY_EVENT_ID |
The event type
|
|
||||||||
|
eventMessage
|
string |
The event message
|
[0x13bb4e2a0] activating connection: mach=true listener=false peer=false name=com.apple.airportd |
|
|||||||
|
eventSubId
|
enum_TelemetryHeader.TELEMETRY_EVENT_SUB_ID |
The access type
|
|
|
|||||||
|
eventTime
|
int64 |
The time the agent detected the event
|
1657781088000 |
|
|||||||
|
filterRiskLevel
|
string |
The top-level risk level of the event
|
|
Security Analytics Engine
|
|||||||
|
hookId
|
int64 |
The hook ID
|
|
Trend Micro Apex One as a Service
|
|||||||
|
hostName
|
string |
|
The domain name
|
|
|
||||||
|
httpReferer
|
string |
URL
|
The hypertext transfer protocol (HTTP) header referer
|
|
|
||||||
|
importTable
|
object_ImportTable[] |
The imported table information
|
Endpoint Sensor
|
||||||||
|
importTableFileName
|
string[] |
The library file name which has imported functions
|
|
Endpoint Sensor
|
|||||||
|
importTableFunctionName
|
string[] |
The imported function file name
|
|
Endpoint Sensor
|
|||||||
|
instanceAccountId
|
string |
The cloud account ID of the virtual machine that made the request
|
111111111111 |
Endpoint Sensor
|
|||||||
|
instanceId
|
string |
The virtual machine instance ID on the cloud platform
|
i-0b22a22eec53b9321 |
|
|||||||
|
instanceName
|
string |
The virtual machine that made the request
|
ec2-123-124-0-12.us-west-2.compute.amazonaws.com |
Endpoint Sensor
|
|||||||
|
integrityLevel
|
int32 |
The integrity level of a process
|
|
||||||||
|
logReceivedTime
|
int64 |
The time when the Extended Detection and Response (XDR) log was received
|
1656324260000 |
Security Analytics Engine
|
|||||||
|
logonUser
|
string[] |
UserAccount
|
The sign-in user name
|
|
|
||||||
|
messageType
|
string |
The message type
|
Default |
|
|||||||
|
metaSrcExtra
|
string |
The meta for identifying the source of events
|
[{'metaSrcUri': ...] |
Data Detection and Response
|
|||||||
|
networkInterfaceId
|
string |
The network interface of the virtual machine that made the request
|
eni-0a1b2c3d4e5f6g7h8 |
Endpoint Sensor
|
|||||||
|
objectApiName
|
string |
The name of the executed API
|
GetIpNetTable |
Endpoint Sensor
|
|||||||
|
objectApiRvInNum
|
uint64 |
The API telemetry return value
|
0 |
Endpoint Sensor
|
|||||||
|
objectAppName
|
string |
The app involved in the antimalware scan interface (AMSI) event
|
|
|
|||||||
|
objectAuthId
|
int64 |
The object authorization ID
|
|
|
|||||||
|
objectBmData
|
string |
The BM event data
|
|
|
|||||||
|
objectCmd
|
string |
CLICommand
|
The command line entry of the target process
|
|
|
||||||
|
objectContentName
|
string |
The AMSI object content name
|
|
|
|||||||
|
objectCurrentFileSize
|
int64 |
The previous size of the modified object file
|
|
|
|||||||
|
objectCurrentPosixPermission
|
string |
The new Portable Operating System Interface (POSIX) permission file used in file events
and change mode (CHMOD) events
|
1050180 |
Trend Cloud One - Endpoint & Workload Security
|
|||||||
|
objectFileAttributesHashId
|
int64 |
The hash ID of the file attribute meta information
|
|
Endpoint Sensor
|
|||||||
|
objectFileCreation
|
int64 |
The time the object file was created
|
|
|
|||||||
|
objectFileCurrentOwnerName
|
string |
The current owner name of the object file
|
|
|
|||||||
|
objectFileCurrentOwnerSid
|
string |
The current security identifier owner of the object file
|
|
|
|||||||
|
objectFileDaclString
|
string |
The discretionary access control list of the object file
|
|
|
|||||||
|
objectFileExtendedAttribute
|
string |
The extended attributes of the file
|
|
|
|||||||
|
objectFileGroupName
|
string |
The object file user group name
|
|
|
|||||||
|
objectFileGroupSid
|
string |
The security identifier of the object file group
|
|
|
|||||||
|
objectFileHash
|
string |
The cryptographic hash of the target process image or file with the specific hash
algorithm to be determined
|
1ca71017d2fa4775253670e1e55e26912bfdc156 |
Data Detection and Response
|
|||||||
|
objectFileHashId
|
int64 |
The object file hash ID
|
|
|
|||||||
|
objectFileHashMd5
|
string |
FileMD5
|
The message digest 5 (MD5) hash of the target process image or target file
|
|
|
||||||
|
objectFileHashSha1
|
string |
FileSHA1
|
The secure hash algorithm 1 (SHA-1) hash of the target process image or target file
|
|
|
||||||
|
objectFileHashSha256
|
string |
FileSHA2
|
The SHA-256 hash of the target process image or target file
|
|
|
||||||
|
objectFileIsRemoteAccess
|
bool |
Whether there is remote access to the object file
|
|
||||||||
|
objectFileModifiedTime
|
int64 |
The time the object file was modified
|
|
|
|||||||
|
objectFileOriginalName
|
string |
FileName
|
The original file name of the object image
|
|
|
||||||
|
objectFileOwnerName
|
string |
The object file owner name
|
|
|
|||||||
|
objectFileOwnerSid
|
string |
The security identifier of the object file owner
|
|
|
|||||||
|
objectFilePath
|
string |
|
The file path of the target process image or target file
|
|
|
||||||
|
objectFileRemoteAccess
|
bool |
Whether there is remote access to the object file
|
|
||||||||
|
objectFileSaclString
|
string |
The system access control list of the object file
|
|
|
|||||||
|
objectFileSize
|
int64 |
The file size of the object file
|
|
|
|||||||
|
objectFirstSeen
|
int64 |
The first time the object was seen
|
|
|
|||||||
|
objectHostName
|
string |
DomainName
|
The server name where the event was detected
|
|
|
||||||
|
objectIntegrityLevel
|
int32 |
The integrity level of the target process
|
|
||||||||
|
objectIp
|
string |
|
The IP address of the internet event
|
|
|
||||||
|
objectIps
|
string[] |
|
The list of IP addresses in the event
|
|
|
||||||
|
objectLastSeen
|
int64 |
The last time the object was seen
|
|
|
|||||||
|
objectLaunchTime
|
int64 |
The object launch time of the Windows Event
|
|
|
|||||||
|
objectLoginOutFailureMessage
|
string |
The sign-in/sign-out error message
|
Login incorrect |
|
|||||||
|
objectLoginOutFirstSeen
|
int64 |
The first time the object sign-in/sign-out was seen
|
1713903612 |
|
|||||||
|
objectLoginOutHashId
|
int64 |
The Fowler–Noll–Vo (FNV) hash of the object sign-in/sign-out meta
|
-8981232070268295000 |
|
|||||||
|
objectLoginOutLastSeen
|
int64 |
The last time the object sign-in/sign-out was seen
|
1713903612 |
|
|||||||
|
objectLoginOutMetaType
|
enum_LOGIN_OUT_META_TYPE |
The sign-in/sign-out meta
|
1 - LOGIN_OUT_META_TYPE_OPENSSH |
|
|||||||
|
objectLoginOutSessionId
|
uint64 |
The sign-in/sign-out session ID
|
260 |
|
|||||||
|
objectLoginOutSourceAddress
|
string |
The sign-in/sign-out source IP
|
10.64.18.49 |
|
|||||||
|
objectLoginOutStatus
|
int32 |
The sign-in/sign-out status
|
-1 |
|
|||||||
|
objectName
|
string |
The object name
|
|
|
|||||||
|
objectPid
|
int32 |
The PID of the target process
|
|
||||||||
|
objectPipeName
|
string |
The named pipe of the event
|
|
Endpoint Sensor
|
|||||||
|
objectPort
|
int32 |
Port
|
The port used by the internet event
|
|
|||||||
|
objectPosixPermission
|
string |
The current POSIX permission for the file
|
1050112 |
Trend Cloud One - Endpoint & Workload Security
|
|||||||
|
objectPosixPermissionHashId
|
int64 |
The POSIX permission hash ID
|
-8931783023607716000 |
Trend Cloud One - Endpoint & Workload Security
|
|||||||
|
objectProcessHashId
|
int64 |
The target process FNV
|
|
|
|||||||
|
objectRawDataSize
|
int64[] |
The raw data size of the Windows Event object
|
|
|
|||||||
|
objectRawDataStr
|
string[] |
The data contents of the AMSI event
|
|
|
|||||||
|
objectRegistryData
|
string |
RegistryValueData
|
The registry value data
|
|
|
||||||
|
objectRegistryKeyHandle
|
string |
RegistryKey
|
The registry key
|
|
|
||||||
|
objectRegistryValue
|
string |
RegistryValue
|
The registry value name
|
|
|
||||||
|
objectRunAsLocalAccount
|
bool |
Whether the runas command uses a local account
|
|
|
|||||||
|
objectServiceType
|
string |
The target file type
|
|
Data Detection and Response
|
|||||||
|
objectSessionId
|
|
The object session ID
|
|
|
|||||||
|
objectSigner
|
string[] |
The certificate signer of the object process or file
|
|
|
|||||||
|
objectSignerFlagsAdhoc
|
bool[] |
The list of object process or file signature ad-hoc flags
|
|
||||||||
|
objectSignerFlagsLibValid
|
bool[] |
The list of object process or file signature library validation flags
|
|
||||||||
|
objectSignerFlagsRuntime
|
bool[] |
The list of object process or file signature runtime flags
|
|
||||||||
|
objectSignerValid
|
bool[] |
The certificate signer validity
|
|
|
|||||||
|
objectSubTrueType
|
int32 |
The file object true sub-type
|
|
|
|||||||
|
objectThreadId
|
int64 |
The object process thread ID
|
|
Trend Micro Apex One as a Service
|
|||||||
|
objectTrueType
|
int32 |
The file object true major type
|
|
|
|||||||
|
objectUri
|
string |
The target file path
|
C://path/of/file.txt |
Data Detection and Response
|
|||||||
|
objectUser
|
string |
UserAccount
|
The owner name of the target process or the sign-in user name
|
|
|
||||||
|
objectUserGroup
|
string |
The user group name
|
|
|
|||||||
|
objectUserGroupSids
|
string[] |
The user group secure identifiers (SIDs) of the object
|
|
Endpoint Sensor
|
|||||||
|
osDescription
|
string |
The operating system (OS) version
|
|
|
|||||||
|
osName
|
string |
The host OS
|
|
|
|||||||
|
osType
|
string |
The host OS type
|
|
|
|||||||
|
osVer
|
string |
The host OS version
|
|
|
|||||||
|
parentAuthId
|
int64 |
The parent authorization ID
|
|
|
|||||||
|
parentCmd
|
string |
CLICommand
|
The command line entry of the parent process
|
|
|
||||||
|
parentFileCreation
|
int64 |
The time the parent file was created
|
|
|
|||||||
|
parentFileCurrentOwnerName
|
string |
The current owner name of the parent file
|
|
|
|||||||
|
parentFileCurrentOwnerSid
|
string |
The current security identifier owner of the parent file
|
|
|
|||||||
|
parentFileDaclString
|
string |
The discretionary access control list of the parent file
|
|
|
|||||||
|
parentFileGroupName
|
string |
The name of the parent file user group
|
|
|
|||||||
|
parentFileGroupSid
|
string |
The security identifier of the parent process file group
|
|
|
|||||||
|
parentFileHashId
|
int64 |
The parent file hash ID
|
|
|
|||||||
|
parentFileHashMd5
|
string |
FileMD5
|
The MD5 hash of the parent process
|
|
|
||||||
|
parentFileHashSha1
|
string |
FileSHA1
|
The SHA-1 hash of the parent process
|
|
|
||||||
|
parentFileHashSha256
|
string |
FileSHA2
|
The SHA-256 hash of the parent process
|
|
|
||||||
|
parentFileModifiedTime
|
int64 |
The time the parent file was modified
|
|
|
|||||||
|
parentFileOriginalName
|
string |
FileName
|
The original file name of the parent image
|
|
|
||||||
|
parentFileOwnerName
|
string |
The owner name of the parent file
|
|
|
|||||||
|
parentFileOwnerSid
|
string |
The security identifier of the parent file owner
|
|
|
|||||||
|
parentFilePath
|
string |
|
The file path of the parent process
|
|
|
||||||
|
parentFileRemoteAccess
|
bool |
Whether there is remote access to the parent file
|
|
||||||||
|
parentFileSaclString
|
string |
The system access control list of the parent file
|
|
|
|||||||
|
parentFileSize
|
int64 |
The file size of the parent file
|
|
|
|||||||
|
parentHashId
|
int64 |
The parent hash ID
|
|
|
|||||||
|
parentIntegrityLevel
|
int32 |
The integrity level of a parent
|
|
||||||||
|
parentLaunchTime
|
int64 |
The time when the parent process was launched
|
|
|
|||||||
|
parentName
|
string |
The image name of the parent process
|
|
|
|||||||
|
parentPid
|
int32 |
The PID of the parent process
|
|
|
|||||||
|
parentSigner
|
string[] |
The signer of the parent file
|
|
|
|||||||
|
parentSignerFlagsAdhoc
|
bool[] |
The list of parent process signature adhoc flags
|
|
||||||||
|
parentSignerFlagsLibValid
|
bool[] |
The list of parent process signature library validation flags
|
|
||||||||
|
parentSignerFlagsRuntime
|
bool[] |
The list of parent process signature runtime flags
|
|
||||||||
|
parentSignerValid
|
bool[] |
The validity of the parent signer
|
|
||||||||
|
parentSubTrueType
|
int32 |
The true file sub-type of the parent file
|
|
||||||||
|
parentTrueType
|
int32 |
The true file type of the parent file
|
|
||||||||
|
parentUser
|
string |
The type of user that executed the parent process
|
|
|
|||||||
|
parentUserDomain
|
string |
The user domain of the parent process
|
|
|
|||||||
|
parentUserGroupSids
|
string[] |
The SIDs of the parent user group
|
|
Endpoint Sensor
|
|||||||
|
pname
|
string |
The internal product ID (deprecated, use productCode) |
|
|
|||||||
|
policyIds
|
string |
The Data Detection and Response data policy IDs
|
555a8b4c-c9a7-410c-b218-45517d5cd645 |
Data Detection and Response
|
|||||||
|
policyTreePath
|
string |
The policy tree path
|
policyname1/policyname2/policyname3 |
Security Analytics Engine
|
|||||||
|
processCmd
|
string |
CLICommand
|
The command line entry of the subject process
|
|
|
||||||
|
processFileCreation
|
int64 |
The time the process file was created
|
|
|
|||||||
|
processFileCurrentOwnerName
|
string |
The current owner name of the process file
|
|
|
|||||||
|
processFileCurrentOwnerSid
|
string |
The owner of the process file current security identifier
|
|
|
|||||||
|
processFileDaclString
|
string |
The discretionary access control list of the process file
|
|
|
|||||||
|
processFileGroupName
|
string |
The name of the process file user group
|
|
|
|||||||
|
processFileGroupSid
|
string |
The security identifier of the process file group
|
|
|
|||||||
|
processFileHashId
|
int64 |
The file hash of the process
|
|
|
|||||||
|
processFileHashMd5
|
string |
FileMD5
|
The MD5 hash of the subject process image
|
|
|
||||||
|
processFileHashSha1
|
string |
FileSHA1
|
The SHA-1 hash of the subject process image
|
|
|
||||||
|
processFileHashSha256
|
string |
FileSHA2
|
The SHA-256 hash of the subject process image
|
|
|
||||||
|
processFileModifiedTime
|
int64 |
The time the process file was modified
|
|
|
|||||||
|
processFileOriginalName
|
string |
FileName
|
The original file name of the process image
|
|
|
||||||
|
processFileOwnerName
|
string |
The process file owner name
|
|
|
|||||||
|
processFileOwnerSid
|
string |
The security identifier of the process file owner
|
|
|
|||||||
|
processFilePath
|
string |
|
The file path of the subject process
|
|
|
||||||
|
processFileRemoteAccess
|
bool |
Whether there is remote access to the process file
|
|
||||||||
|
processFileSaclString
|
string |
The system access control list of the process file
|
|
|
|||||||
|
processFileSize
|
int64 |
The file size of the process file
|
|
|
|||||||
|
processHashId
|
int64 |
The FNV of the subject process
|
|
|
|||||||
|
processLaunchTime
|
int64 |
The time the subject process was launched
|
|
|
|||||||
|
processName
|
string |
ProcessName
|
The image name of the process that triggered the event
|
|
|
||||||
|
processPid
|
int32 |
The process ID (PID) of the subject process
|
|
|
|||||||
|
processSigner
|
string[] |
The process file signer
|
|
|
|||||||
|
processSignerFlagsAdhoc
|
bool[] |
The list of process signature ad-hoc flags
|
|
||||||||
|
processSignerFlagsLibValid
|
bool[] |
The list of process signature library validation flags
|
|
||||||||
|
processSignerFlagsRuntime
|
bool[] |
The list of process signature runtime flags
|
|
||||||||
|
processSignerValid
|
bool[] |
The validity of the process signer
|
|
|
|||||||
|
processSubTrueType
|
int32 |
The true file sub-type of the process
|
|
||||||||
|
processTrueType
|
int32 |
The true file type of the process
|
|
||||||||
|
processUser
|
string |
UserAccount
|
The owner name of subject process image
|
|
|
||||||
|
processUserDomain
|
string |
The process user domain
|
|
|
|||||||
|
processUserGroupSids
|
string[] |
The user group SIDs of the process
|
|
Endpoint Sensor
|
|||||||
|
productCode
|
string |
The internal product code
|
|
Security Analytics Engine
|
|||||||
|
providerGUID
|
string |
The GUID of the Windows Event provider
|
|
|
|||||||
|
providerName
|
string |
The name of the Windows Event provider
|
|
|
|||||||
|
proxy
|
string |
The proxy address
|
|
|
|||||||
|
publicSpt
|
int32 |
Port
|
The public port of the endpoint making the request
|
57163 |
Endpoint Sensor
|
||||||
|
publicSrc
|
string |
|
The public IP of the endpoint making the request
|
54.231.169.40 |
Endpoint Sensor
|
||||||
|
pver
|
string |
The product version
|
|
|
|||||||
|
rawDataSize
|
int64 |
The size of the Windows Event log
|
|
|
|||||||
|
rawDataStr
|
string |
The Windows Event raw contents
|
|
|
|||||||
|
regionId
|
string |
The cloud asset region
|
|
|
|||||||
|
request
|
string |
URL
|
The request URL
|
|
|
||||||
|
ruleId
|
int32 |
The rule ID
|
1005566 |
|
|||||||
|
smbSharedName
|
string |
The shared folder name for the server that contains the files
|
sharedfolder |
Endpoint Sensor
|
|||||||
|
spt
|
int32 |
Port
|
The source port
|
|
|
||||||
|
src
|
string |
|
The source IP
|
|
|
||||||
|
srcFileCreation
|
int64 |
The time the source file was created
|
|
|
|||||||
|
srcFileCurrentOwnerName
|
string |
The current owner name of the source file
|
|
|
|||||||
|
srcFileCurrentOwnerSid
|
string |
The current security identifier owner of the source file
|
|
|
|||||||
|
srcFileDaclString
|
string |
The discretionary access control list of the source file
|
|
|
|||||||
|
srcFileGroupName
|
string |
The source file user group name
|
|
|
|||||||
|
srcFileGroupSid
|
string |
The security identifier of the source file group
|
|
|
|||||||
|
srcFileHash
|
string |
The cryptographic hash of the source process image or file with the specific hash
algorithm to be determined
|
1ca71017d2fa4775253670e1e55e26912bfdc156 |
Data Detection and Response
|
|||||||
|
srcFileHashMd5
|
string |
FileMD5
|
The MD5 hash of the source file
|
|
|
||||||
|
srcFileHashSha1
|
string |
FileSHA1
|
The SHA-1 hash of the source file
|
|
|
||||||
|
srcFileHashSha256
|
string |
FileSHA2
|
The SHA-256 hash of the source file
|
|
|
||||||
|
srcFileIsRemoteAccess
|
bool |
Whether there is remote access to the source file
|
|
||||||||
|
srcFileModifiedTime
|
int64 |
The time the source file was modified
|
|
|
|||||||
|
srcFileOwnerName
|
string |
The source file owner name
|
|
|
|||||||
|
srcFileOwnerSid
|
string |
The security identifier of the source file owner
|
|
|
|||||||
|
srcFilePath
|
string |
|
The source file path
|
|
|
||||||
|
srcFileSaclString
|
string |
The system access control list of the source file
|
|
|
|||||||
|
srcFileSize
|
int64 |
The file size of the source file
|
|
|
|||||||
|
srcFirstSeen
|
int64 |
The first time the source file was seen
|
|
|
|||||||
|
srcLastSeen
|
int64 |
The last time the source file was seen
|
|
|
|||||||
|
srcServiceType
|
string |
The source file type
|
|
Data Detection and Response
|
|||||||
|
srcSigner
|
string[] |
The signer of the source file
|
|
|
|||||||
|
srcSignerFlagsAdhoc
|
bool[] |
The list of source file signature adhoc flags
|
|
||||||||
|
srcSignerFlagsLibValid
|
bool[] |
The list of source file signature library validation flags
|
|
||||||||
|
srcSignerFlagsRuntime
|
bool[] |
The list of source file signature runtime flags
|
|
||||||||
|
srcSignerValid
|
bool[] |
The validity of the source file signer
|
|
||||||||
|
srcUri
|
string |
The source file path
|
C://path/of/file.txt |
Data Detection and Response
|
|||||||
|
srcUser
|
string |
The owner name of the source process or the sign-in user name
|
|
Data Detection and Response
|
|||||||
|
subSystem
|
string |
The sub-system information
|
com.apple.xpc |
|
|||||||
|
subnetId
|
string |
The subnet ID of the virtual machine that made the request
|
subnet-0a1b2c3d4e5f6g7h8 |
Endpoint Sensor
|
|||||||
|
tags
|
string[] |
Technique
|
The detected technique ID based on the alert filter
|
|
Security Analytics Engine
|
||||||
|
timezone
|
string |
The host time zone
|
|
|
|||||||
|
userDomain
|
string[] |
The user domain name
|
|
|
|||||||
|
uuid
|
string |
The unique key of the log
|
|
Security Analytics Engine
|
|||||||
|
vpcId
|
string |
The virtual private cloud that contains the cloud asset
|
vpc-01234567890abcdef |
|
|||||||
|
winEventId
|
int32 |
The Windows Event ID
|
|
|
Views: