Important: This data source query method is no longer available after February 2, 2026. For more
information on the currently available data sources for use in XDR Data Explorer queries,
go to https://trendmicro.github.io/tm-v1-schema/pages/index.

| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| actionName | | - | The user or service action | | |
| application | | - | The displayed application name | | |
| applicationId | | - | The Microsoft Entra ID application ID | | |
| authenticationProtocol | | - | The authentication protocol or grant type | | |
| autonomousSystemNumber | | - | The network Autonomous System Number | | |
| clientApp | | - | The app that the client accessed | | |
| clientBrowser | | - | The client browser | | |
| clientCredentialType | | - | The user client or service principal credential type | | |
| clientDisplayName | | | The client display name | | |
| clientId | | - | The unique client device ID | | |
| clientOS | | - | The client OS | | |
| conditionalAccessStatus | | - | The conditional access policy status | | |
| correlationId | | - | The correlation ID | | |
| crossTenantAccessType | | - | The cross-tenant access type | | |
| eventAdditionalDetails | | - | The raw data string that contains additional information | | |
| eventCategory | | - | The resource category targeted by the event | | |
| eventId | | - | The identity provider event ID | | |
| eventName | | - | The identity provider event name | | |
| eventTime | | - | The time the identity provider detected the event | | |
| filterRiskLevel | | - | The top-level risk level of the event | | |
| groupId | | - | The group ID for the management scope filter | | |
| idpId | | - | The internal product code of the identity provider | | |
| idpIssuerName | | - | The identity provider that issued the token | | |
| idpName | | - | The identity provider | | |
| incomingTokentype | | - | The authentication token types | | |
| initiatedByAppDisplayName | | - | The application display name | | |
| initiatedByAppId | | - | The resource category targeted by the event | | |
| initiatedByServicePrincipalId | | - | The unique ID of the service principal | | |
| initiatedByServicePrincipalName | | - | The unique ID of the service principal | | |
| initiatedByUserDisplayName | | | The user display name | | |
| initiatedByUserHomeTenantId | | - | The tenant ID of the user | | |
| initiatedByUserHomeTenantName | | - | The tenant ID of the user | | |
| initiatedByUserId | | | The unique ID of the user who initiated the event | | |
| initiatedByUserIpAddress | | | The client IP of the user | | |
| initiatedByUserPrincipalName | | | The User Principal Name of the user | | |
| ipAddress | | | The client IP | | |
| locationCity | | - | The city where the event happened | | |
| locationCountry | | - | The country where the event happened | | |
| locationLatitude | | - | The latitude of the event location | | |
| locationLongitude | | - | The longitude of the event location | | |
| locationState | | - | The state where the event happened | | |
| logBatchId | | - | The batch data retrieval process ID | | |
| logReceivedTime | | - | The time when the XDR log was received | | |
| loggedByService | | - | The service that initiated the event | | |
| operationType | | - | The operation performed in the event | | |
| orgId | | - | The organization ID | | |
| pname | | - | The internal product ID | | |
| policyTreePath | | - | The policy tree path (endpoint only) | | |
| principalName | | | The User Principal Name | | |
| productCode | | - | The internal product code of the identity provider (aad=Microsoft Entra ID, opa=Microsoft Active Directory) | | |
| requestMethod | | - | The sign-in authentication method | | |
| result | | - | The event result | | |
| resultReason | | - | The cause of event failure or timeout | | |
| riskEventTypes | | - | The associated sign-in risk event types | | |
| servicePrincipalId | | - | The service principal ID | | |
| servicePrincipalName | | - | The service principal name | | |
| signInEventTypes | | - | The sign-in event type | | |
| signInIdentifierType | | - | The sign-in ID type | | |
| status | | - | The sign-in status result | | |
| statusDetail | | - | The additional information about sign-in status | | |
| statusReason | | - | The sign-in status | | |
| tags | | | The attack technique ID detected by Trend Vision One based on the alert filter | | |
| targetResourceDisplayName | | - | The target resource display name | | |
| targetResourceId | | - | The target resource ID | | |
| targetResources | | - | The targeted resource of the event | | |
| tenantId | | - | The Microsoft Entra ID Tenant ID of the organization | | |
| userAgent | | - | The user agent | | |
| userDisplayName | | | The user display name | | |
| userId | | | The user ID | | |
| userSessionId | | - | The session ID | | |
| userType | | - | The tenant user type | | |
| uuid | | - | The unique key of the log entry | | |
