Important: This data source query method is no longer available after February 2, 2026. For more information on the currently available data sources for use in XDR Data Explorer queries, go to https://trendmicro.github.io/tm-v1-schema/pages/index.
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | | - | The action | | |
| action | | - | The traffic processing action | | |
| app | | - | The network protocol | | |
| application | | - | The name of the requested application | | |
| archFiles | | - | The file information extracted from detected files | | |
| authType | | - | The authentication method | | |
| azId | | - | The Availability Zone ID | | |
| bytes | | - | The number of transmitted data bytes | | |
| clientGroup | | - | The client IP network group | | |
| clientHost | | - | The client IP hostname | | |
| clientIp | | | The endpoint IP | | |
| clientMAC | | - | The client MAC address | | |
| clientPort | | | The client port | | |
| clientProtocol | | - | The client protocol | | |
| clientTls | | - | The TLS version on the client side of the connection | | |
| cloudAccountId | | - | The owner AWS account ID of the source network interface (account-id) | | |
| cloudAppCat | | - | The category of the event in Cloud Reputation Service | | |
| companyName | | - | The company name | | |
| contentEncoding | | - | The content encoding of the request or the response | | |
| dUser1 | | | The latest sign-in user of the destination | | |
| detectionType | | - | The traffic detection type | | |
| deviceGUID | | - | The GUID of a non-endpoint object such as a network appliance | | |
| dhost | | | The destination hostname | | |
| direction | | - | The object transfer direction | | |
| dnsQueryType | | - | The DNS record type requested | | |
| dpt | | | The service destination port of the private application server (dstport) | | |
| dst | | | The destination IP (dstaddr) | | |
| dstLocation | | - | The destination country | | |
| duration | | - | The time it took the scanner to complete the scan (in milliseconds) | | |
| duser | | | The email recipient | | |
| dvc | | - | The IP address of the Deep Discovery Inspector or Virtual Network Sensor appliance | | |
| dvchost | | - | The network device hostname | | |
| e2eLatency | | - | The end-to-end traffic latency (in milliseconds) | | |
| endpointGuid | | | The device GUID | | |
| endpointHostName | | | The hostname of the device on which the event was detected | | |
| eventId | | - | The event ID | | |
| eventName | | - | The name of the log event | | |
| eventSubName | | - | The Zero Trust Secure Access - Internet Access cloud app action or the Palo Alto Networks firewall log sub-type | | |
| eventTime | | - | The time the agent or product detected the event | | |
| failedHTTPSInspection | | - | Whether the traffic failed HTTPS inspection | | |
| fileHash | | | The SHA-1 hash of the file that violated the policy | | |
| fileHashSha256 | | | The SHA-256 hash of the file that violated the policy | | |
| fileName | | | The name of the file that violated the policy | | |
| fileSize | | - | The size of the file that violated the policy | | |
| fileType | | - | The type of the file that violated the policy | | |
| filterRiskLevel | | - | The top-level risk level of the event | | |
| flowDirection | | - | The network interface traffic direction | | |
| flowId | | - | The network analysis flow ID | | |
| flowType | | - | The type of traffic (type) | | |
| ftpTrans | | - | The transaction information of the FTP protocol | | |
| groupId | | - | The group ID for the management scope filter | | |
| hostName | | | The hostname | | |
| httpLocation | | | The HTTP Location header | | |
| httpReferer | | | The HTTP Referer header | | |
| httpXForwardedFor | | - | The HTTP X-Forwarded-For header | | |
| httpXForwardedForGroup | | - | The X-Forwarded-For IP network group | | |
| httpXForwardedForHost | | - | The X-Forwarded-For IP hostname | | |
| httpXForwardedForIp | | | The X-Forwarded-For IP used by the network appliance | | |
| instanceId | | - | The instance ID | | |
| ipProto | | - | The IP protocol number (protocol) | | |
| isPrivateApp | | - | Whether the requested application is private | | |
| isRetroScan | | - | Whether the event matches the Security Analytics Engine filter | | |
| ja3Hash | | - | The JA3 hash | | |
| ja3sHash | | - | The JA3S hash | | |
| logReceivedTime | | - | The time when the XDR log was received | | |
| logStatus | | - | The VPC Flow Log status | | |
| mailMsgSubject | | | The email subject | | |
| malName | | - | The name of the detected malware | - | |
| mimeType | | - | The MIME type or content type of the response body | | |
| msgId | | | The service provider message ID | | |
| networkInterfaceId | | - | The network interface ID (interface-id) | | |
| objectId | | - | The UUID of the Zero Trust Secure Access private access application | | |
| objectIps | | | The IP address resolved by the DNS protocol | | |
| originEventSourceType | | - | The source type of the original event that matches the Security Analytics Engine filter | | |
| originUUID | | - | The UUID of the original event that matches the Security Analytics Engine filter | | |
| osName | | - | The host OS name | | |
| overSsl | | - | Whether the connection uses SSL/TLS | | |
| packets | | - | The number of transmitted data packets | | |
| pktDstAddr | | | The packet-level destination IP | | |
| pktDstCloudServiceName | | - | The name of the cloud service IP range that contains the packet-level destination IP (pkt-dst-aws-service) | | |
| pktSrcAddr | | | The packet-level source IP | | |
| pktSrcCloudServiceName | | - | The name of the cloud service IP range that contains the packet-level source IP (pkt-src-aws-service) | | |
| pname | | - | The product name | | |
| policyTemplate | | - | The Data Loss Prevention template name | | |
| policyTreePath | | - | The policy tree path (endpoint only) | | |
| policyUuid | | - | The policy UUID | | |
| principalName | | | The User Principal Name | | |
| productCode | | - | The internal product code | | |
| profile | | - | The name of the triggered Threat Protection template or Data Loss Prevention profile | - | |
| pver | | - | The product version | | |
| regionCode | | - | The AWS Region of the network interface | | |
| reqAppVersion | | - | The client application version number | | |
| reqDataSize | | - | The data volume transmitted over the transport layer by the client (in bytes) | | |
| reqScannedBytes | | - | The data volume transmitted by the client (in bytes) | | |
| request | | | The destination URL that the user is accessing | | |
| requestBase | | | The URL domain | | |
| requestClientApplication | | - | The HTTP user agent | | |
| requestDate | | - | The HTTP Date header of the request | | |
| requestHeaders | | - | The list of HTTP request headers, with sensitive information removed | | |
| requestMethod | | - | The network protocol request method (for example, the HTTP method) | | |
| requestMimeType | | - | The type of the request content | | |
| requestSize | | - | The request length | | |
| requests | | | The URLs of the request | | |
| resolvedUrlGroup | | - | The network group of the IP address resolved from the FQDN | | |
| resolvedUrlIp | | | The IP address resolved from the FQDN | | |
| resolvedUrlPort | | | The HTTP server port | | |
| respAppVersion | | - | The server application version number | | |
| respArchFiles | | - | The file information extracted from files detected in the response direction | | |
| respCode | | - | The network protocol response code (for example, the HTTP status code) | | |
| respDataSize | | - | The data volume transmitted over the transport layer by the server (in bytes) | | |
| respDate | | - | The HTTP Date header of the response | | |
| respFileHash | | | The SHA-1 hash of the file detected in the response direction | | |
| respFileHashSha256 | | | The SHA-256 hash of the file detected in the response direction | | |
| respFileType | | - | The file type detected in the response direction | | |
| respHeaders | | - | The list of HTTP response headers, with sensitive information removed | | |
| respMethod | | - | The response method | | |
| respScannedBytes | | - | The data volume transmitted by the server (in bytes) | | |
| responseSize | | - | The response length | | |
| ruleName | | - | The name of the triggered cloud access rule | | |
| ruleUuid | | - | The UUID of the Zero Trust Secure Access risk control rule that defines the risk assessment and control action | | |
| sUser1 | | | The latest sign-in user of the source | | |
| sender | | - | The Zero Trust Internet Access gateway location | | |
| serverGroup | | - | The server IP network group | | |
| serverHost | | - | The server IP hostname | | |
| serverIp | | | The server IP | | |
| serverMAC | | - | The server MAC address | | |
| serverPort | | | The server port | | |
| serverProtocol | | - | The HTTP protocol version between the Service Gateway and the server/website | | |
| serverRespTime | | - | The time the server took to respond to the request (in milliseconds) | | |
| serverTls | | - | The TLS version between the Service Gateway and the server/website | | |
| sessionEnd | | - | The session end time (in seconds) | | |
| sessionEndReason | | - | The reason why the session was terminated | | |
| sessionStart | | - | The session start time (in seconds) | | |
| shost | | | The source hostname | | |
| spt | | | The virtual port of the source assigned to the Secure Access Module (srcport) | | |
| src | | | The source IP (srcaddr) | | |
| srcLocation | | - | The source country | | |
| sslCertCommonName | | | The certificate common name | | |
| sslCertFingerprint | | - | The certificate fingerprint | | |
| sslCertIssuer | | - | The issuer of the certificate | | |
| sslCertSANs | | - | The Subject Alternative Names of the certificate | | |
| sslCertSerialNumber | | - | The certificate serial number | | |
| sslCertValidFrom | | - | The certificate validity start time | | |
| sslCertValidUntil | | - | The certificate validity end time | | |
| status | | - | The network analysis flow session status | | |
| subLocationId | | - | The sub-location ID | | |
| subLocationType | | - | The sub-location type | | |
| subnetId | | - | The subnet ID | | |
| suid | | | The user name or IP address (IPv4) | | |
| suser | | | The email sender | | |
| tags | | | The detected technique ID based on the alert filter | | |
| tcpFlags | | - | The bitmask value of the FIN/SYN/RST/SYN-ACK TCP flags | | |
| tlsJA3Fingerprint | | - | The JA3 fingerprint | - | |
| tlsJA3SFingerprint | | - | The raw JA3S fingerprint string | | |
| tlsSelectedCipher | | - | The cipher suite selected for the TLS session | | |
| trafficPath | | - | The egress traffic path number | | |
| trafficType | | - | The Zero Trust Internet Access gateway service mode | | |
| userDepartment | | - | The user department | | |
| userDomain | | | The Active Directory domain or the user domain for the TMAS admin portal | | |
| uuid | | - | The unique key of the log | | |
| vpcId | | - | The VPC ID | | |
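The field list above says what each field holds but not how an analyst would combine them. The script below is an added example, not Trend Micro code or a Vision One query: it runs a few triage rules over constructed network activity records keyed by the field names in the table (eventTime, logReceivedTime, src, overSsl, serverTls, failedHTTPSInspection, sslCertValidFrom, sslCertValidUntil, reqDataSize, respDataSize, httpXForwardedFor). The page leaves the Type and Example columns empty, so the value formats used here (ISO-8601 timestamps, booleans, integer byte counts) and the thresholds are assumptions, and the sample events are made up.

```python
"""Offline triage of network activity events keyed by the field names in the table.

Added example. The records in SAMPLE_EVENTS are constructed, not real telemetry,
and the value formats (ISO-8601 timestamps, booleans, integer byte counts) and
thresholds below are assumptions, not something the field reference specifies.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timezone

# Protocol versions that should no longer appear on the server side of a session.
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
EXFIL_MIN_BYTES = 10_000_000   # assumed threshold: at least 10 MB uploaded
EXFIL_RATIO = 20               # assumed threshold: upload at least 20x the download
INGEST_LAG_SECONDS = 300       # assumed threshold for logReceivedTime minus eventTime


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def originating_client(xff: str | None, src: str) -> str:
    """Return the left-most X-Forwarded-For hop, falling back to src.

    The header is client-controllable, so the result is a lead, not proof.
    """
    if not xff:
        return src
    first = xff.split(",")[0].strip()
    try:
        ipaddress.ip_address(first)
    except ValueError:
        return src          # malformed header: do not trust it
    return first


def triage(event: dict) -> list[str]:
    """Apply the rules to one event and return the names of the rules that fired."""
    hits: list[str] = []
    seen = parse_ts(event["eventTime"])

    if event.get("failedHTTPSInspection"):
        hits.append("https_inspection_failed")

    if event.get("overSsl") and event.get("serverTls") in LEGACY_TLS:
        hits.append("legacy_tls_server")

    until = event.get("sslCertValidUntil")
    since = event.get("sslCertValidFrom")
    if until and parse_ts(until) < seen:
        hits.append("expired_certificate")
    if since and parse_ts(since) > seen:
        hits.append("certificate_not_yet_valid")

    # Client-to-server volume far above server-to-client volume is an upload, not browsing.
    req = event.get("reqDataSize") or 0
    resp = event.get("respDataSize") or 0
    if req >= EXFIL_MIN_BYTES and req > EXFIL_RATIO * max(resp, 1):
        hits.append("upload_heavy_session")

    # eventTime is when the sensor saw it; logReceivedTime is when XDR got it.
    received = event.get("logReceivedTime")
    if received and (parse_ts(received) - seen).total_seconds() > INGEST_LAG_SECONDS:
        hits.append("ingest_lag")   # a timeline caveat for the analyst, not an attack indicator

    if originating_client(event.get("httpXForwardedFor"), event["src"]) != event["src"]:
        hits.append("xff_origin_differs")

    return hits


def run(events: list[dict]) -> dict[str, list[str]]:
    """Triage every event; return {uuid: [rule names]} for events with at least one hit."""
    results: dict[str, list[str]] = {}
    for ev in events:
        hits = triage(ev)
        if hits:
            results[ev["uuid"]] = hits
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # large upload to a server with an expired certificate and legacy TLS, via a proxy
        "uuid": "evt-1", "eventTime": "2025-03-01T10:00:00Z", "logReceivedTime": "2025-03-01T10:00:05Z",
        "src": "10.0.0.5", "dst": "203.0.113.10", "dpt": 443, "app": "HTTPS",
        "overSsl": True, "serverTls": "TLSv1.0", "failedHTTPSInspection": False,
        "sslCertValidFrom": "2024-01-01T00:00:00Z", "sslCertValidUntil": "2025-01-01T00:00:00Z",
        "reqDataSize": 50_000_000, "respDataSize": 2_000,
        "httpXForwardedFor": "198.51.100.7, 10.0.0.5",
    },
    {   # ordinary browsing, nothing to flag
        "uuid": "evt-2", "eventTime": "2025-03-01T10:01:00Z", "logReceivedTime": "2025-03-01T10:01:02Z",
        "src": "10.0.0.6", "dst": "203.0.113.20", "dpt": 443, "app": "HTTPS",
        "overSsl": True, "serverTls": "TLSv1.3", "failedHTTPSInspection": False,
        "sslCertValidFrom": "2025-01-01T00:00:00Z", "sslCertValidUntil": "2026-01-01T00:00:00Z",
        "reqDataSize": 4_000, "respDataSize": 120_000,
    },
    {   # HTTPS inspection failed, and the log reached XDR twenty minutes late
        "uuid": "evt-3", "eventTime": "2025-03-01T10:02:00Z", "logReceivedTime": "2025-03-01T10:22:00Z",
        "src": "10.0.0.7", "dst": "203.0.113.30", "dpt": 8443, "app": "HTTPS",
        "overSsl": True, "serverTls": "TLSv1.2", "failedHTTPSInspection": True,
        "reqDataSize": 900, "respDataSize": 1_200,
    },
]

if __name__ == "__main__":
    for uuid, hits in run(SAMPLE_EVENTS).items():
        print(uuid, ", ".join(hits))
```

Two design points carry over to real data. The X-Forwarded-For value is written by whatever sat in front of the gateway, so a differing origin is a pivot point for further queries, not an attribution. And the gap between eventTime and logReceivedTime matters when you order events from several sensors into a timeline: sort on eventTime, but treat a large lag as a reason to check whether earlier events from the same source are still in flight.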
