Important: This data source query method is no longer available after February 2, 2026. For more
information on the currently available data sources for use in XDR Data Explorer queries,
go to https://trendmicro.github.io/tm-v1-schema/pages/index.
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| appIsSystem | | - | Whether the app is a system app | | |
| appLabel | | - | The app name (if the subject is an app) | | |
| appOrSystemEventHashId | | - | The event object hash ID | | |
| appPkgName | | - | The app package name (if the subject is an app) | | |
| appPublicKeySha1 | | | The SHA-1 hash of the app public key (if the subject is an app) | | |
| appSize | | - | The app size (in bytes) if the subject is an app | | |
| appVerCode | | - | The app version code (if the subject is an app) | | |
| endpointGuid | | | The host GUID of the endpoint on which the event was detected | | |
| endpointHostName | | | The hostname of the endpoint on which the event was detected | | |
| endpointIp | | | The IP address of the endpoint on which the event was detected | | |
| endpointModel | | - | The endpoint device model | | |
| eventHashId | | - | The event hash ID | | |
| eventId | | - | The event type | - | |
| eventSubId | | - | The access type | | |
| eventTime | | - | The time the agent detected the event | | |
| extraInfo | | - | The extra information about the app | | |
| filterRiskLevel | | - | The top-level risk level of the event | | |
| firstSeen | | - | The time when the event started (in milliseconds) | | |
| groupId | | - | The group ID for the management scope filter | | |
| lastSeen | | - | The time when the event ended (in milliseconds) | | |
| logReceivedTime | | - | The time when the XDR log was received | | |
| logonUser | | | The sign-in user name | | |
| marsAccount | | - | The account for Trend Micro Mobile Apps Reputation Service | | |
| objectAppBehavior | | - | The activity that occurred on the app | | |
| objectAppBehaviorAttr | | - | The attributes of the app activity | | |
| objectAppDexSha256 | | | The SHA-256 hash of the app Dex value | | |
| objectAppInstalledTime | | - | The time of app installation (in milliseconds) | | |
| objectAppIsSystemApp | | - | Whether the app is a system app | | |
| objectAppLabel | | - | The app name | | |
| objectAppPackageName | | - | The app package name | | |
| objectAppPublicKeySha1 | | | The SHA-1 hash of the app public key | | |
| objectAppSha256 | | | The SHA-256 hash of the app | | |
| objectAppSize | | - | The app size (in bytes) | | |
| objectAppVerCode | | - | The app version code | | |
| objectAppVerName | | - | The app version | | |
| objectCertAttr | | - | The SHA-1 hash of the certificate public key | | |
| objectFileCreation | | - | The time the target file was created (in milliseconds) | | |
| objectFileHashSha256 | | | The SHA-256 hash of the target process image or target file | | |
| objectFileModifiedTime | | - | The modification time of the target file (in milliseconds) | | |
| objectFilePath | | | The file path of the target process image or target file | | |
| objectFileSize | | - | The target file size | | |
| objectFirstSeen | | - | The time when the object first appeared (in milliseconds) | | |
| objectHashId | | - | The event object hash ID | | |
| objectLastSeen | | - | The time when the object was last seen (in milliseconds) | | |
| objectSystemEventAttr | | - | The system event attributes | | |
| osName | | - | The host OS name | | |
| osVer | | - | The OS version | | |
| pname | | - | The internal product ID (Deprecated, use productCode) | | |
| policyTreePath | | - | The policy tree path (endpoint only) | | |
| productCode | | - | The internal product code | | |
| pver | | - | The product version | | |
| request | | | The request URL | | |
| srcFileCreation | | - | The time when the source file was created (in milliseconds) | | |
| srcFileHashId | | - | The source file hash ID | | |
| srcFileHashSha256 | | | The SHA-256 hash of the source file | | |
| srcFileModifiedTime | | - | The time when the source file was modified (in milliseconds) | | |
| srcFilePath | | | The source file path | | |
| srcFileSize | | - | The source file size | | |
| srcFirstSeen | | - | The time when the source file first appeared (in milliseconds) | | |
| srcLastSeen | | - | The time when the source file was last seen (in milliseconds) | | |
| systemEventAttr | | - | The attributes of the system event (if the subject is a system event) | | |
| tags | | | The detected technique ID based on the alert filter | | |
| userType | | - | The user type | | |
| uuid | | - | The unique key of the log | | |
