Secure Access Activity Data

| Field Name | General Field | Description | Example | Products |
| --- | --- | --- | --- | --- |
| eventSourceType | - | - | | |
| version | - | - | | |
| eventTime | - | Time the event was generated on the agent side | | |
| customerId | - | - | | |
| tags | | Technique ID detected by the Security Analytics Engine based on the alert filter | | |
| uuid | - | Unique key of the log | | |
| receivedTime | - | Time the log was received by XDR | | |
| productCode | - | - | | |
| packageTraceId | - | - | | |
| filterRiskLevel | - | Top-level filter risk level of the event | | |
| groupId | - | - | | |
| tenantGuid | - | - | | |
| bitwiseFilterRiskLevel | - | Filter risk level as a bitwise value | | |
| endpointHostName | | - | | |
| osName | - | - | | |
| dst | | - | | |
| endpointGuid | | - | | |
| principalName | | - | | |
| request | | Requested URL, usually from a Web Reputation Services scan | | |
| act | - | - | | |
| src | | Source IP address | | |
| serverTls | - | - | | |
| serverProtocol | - | - | | |
| userAgent | - | - | | |
| rt | - | - | | |
| eventName | - | - | | |
| application | - | - | | |
| ruleName | - | - | | |
| clientIp | | - | | |
| requestBase | | Domain of the URL | | |
| score | - | Web Reputation Services score | | |
| userDomain | | Active Directory domain; the domain of the user name used to sign in to the Trend Micro Anti-Spam administrator portal | | |
| suid | | User name or IP address (IPv4) | | |
| duration | - | Time the scanner takes to complete the scan, in milliseconds | | |
| eventSubName | - | - | | |
| fileHash | | SHA-1 of the file that violates the policy | | |
| fileHashSha256 | | SHA-256 of the file that violates the policy | | |
| fileName | | Name of the file that violates the policy | | |
| fileSize | - | Size of the file that violates the policy | | |
| malName | - | Name of the detected malware | - | |
| fileType | - | Type of the file that violates the policy | | |
| mimeType | - | MIME type (content type) of the response body | | |
| sender | - | Roaming user or Trend Micro Web Security gateway that the web traffic passed through | | |
| profile | - | Name of the triggered Threat Protection template or Data Loss Prevention profile | - | |
| detectionType | - | Scan type | | |
| userDepartment | - | User department | | |
| requestMethod | - | Request method of the network protocol | | |
| pname | - | Product name | | |
| pver | - | Product version | | |
| deviceGUID | - | GUID of an object that is a device but not an endpoint | | |
| requestMimeType | - | Request content type | | |
| tlsJA3Fingerprint | - | JA3 fingerprint | - | |
| failedHTTPSInspection | - | Whether the HTTPS traffic could not be inspected | | |
| responseSize | - | Response length | | |
| clientProtocol | - | Client protocol | | |
| clientTls | - | - | | |
| contentEncoding | - | Response or request content encoding | | |
| authType | - | Authorization type | | |
| requestSize | - | Request length | | |
| serverRespTime | - | Time the server takes to respond to the request, in milliseconds | | |
| trafficType | - | - | | |
| urlCat | - | URL category | | |
| ruleType | - | - | | |
| ruleUuid | - | UUID of the Zero Trust Secure Access risk control rule, used for risk assessment and control | | |
| objectId | - | UUID of the Zero Trust Secure Access Private Access object | | |
| spt | | Virtual port assigned to the Zero Trust Secure Access agent | | |
| policyUuid | - | UUID of the Private Access or risk control rule in Zero Trust Secure Access | | |
| dpt | | Service port of the private application server | | |
| companyName | - | Company name | | |
| start | - | Start time, in milliseconds | | |
| sessionStart | - | Session start time, in seconds | | |
| sessionEnd | - | Session end time, in seconds | | |
| policyTemplate | - | Data Loss Prevention template names | | |
| serverIp | | Server IP address | | |
| clientPort | | Client port number | | |
| serverPort | | Server port number | | |
| clientMAC | - | Client MAC address | | |
| serverMAC | - | Server MAC address | | |
| flowId | - | NA flow ID | | |
| status | - | Connection status of the NA flow | | |
| app | - | Application-layer protocol | | |
| httpReferer | | HTTP Referer header | | |
| httpXForwardedFor | - | HTTP X-Forwarded-For header | | |
| requestClientApplication | - | HTTP user agent | | |
| requestDate | - | HTTP Date header | | |
| requestHeaders | - | All HTTP request headers, with sensitive information removed | | |
| overSsl | - | Whether the connection is over SSL | | |
| respCode | - | Response code of the network protocol | | |
| respDate | - | HTTP response Date header | | |
| httpLocation | | HTTP Location header | | |
| respHeaders | - | All HTTP response headers, with sensitive information removed | | |
| respFileHash | | SHA-1 of the file detected in the response direction | | |
| respFileHashSha256 | | SHA-256 of the file detected in the response direction | | |
| respFileType | - | File type of the file detected in the response direction | | |
| respArchFiles | - | Information about the files extracted from the archive detected in the response direction | | |
| httpXForwardedForIp | | X-Forwarded-For IP address used by the sensor | | |
| httpXForwardedForPort | - | HTTP server port patched in by the sensor when it selects an X-Forwarded-For IP to use | | |
| resolvedUrlIp | | IP address that the URL's FQDN resolves to | | |
| resolvedUrlPort | | Port of the HTTP server | | |
| respMethod | - | Response method | | |
| msgId | | Message ID provided by the service provider | | |
| mailMsgSubject | | Email subject | | |
| suser | | Email sender | | |
| duser | | Email recipient | | |
| requests | | URLs | | |
| direction | - | Object transfer direction | | |
| archFiles | - | - | | |
| hostName | | Host name | | |
| tlsSelectedCipher | - | Cipher suite selected for the TLS connection | | |
| sslCertCommonName | - | Common name of the certificate | | |
| sslCertIssuer | - | Issuer of the certificate | | |
| sslCertValidFrom | - | Time from which the certificate is valid | | |
| sslCertValidUntil | - | Time after which the certificate is no longer valid | | |
| sslCertSerialNumber | - | Serial number of the certificate | | |
| sslCertSANs | - | Subject alternative names of the certificate | | |
| sslCertFingerprint | - | Fingerprint of the certificate | | |
| ja3Hash | - | JA3 hash | | |
| ja3sHash | - | JA3S hash | | |
| tlsJA3SFingerprint | - | Raw JA3S fingerprint string | | |
| ftpTrans | - | Transaction information of the FTP protocol | | |
| customFilterTags | | Filter IDs matched by XDR based on custom filters | | |
| customFilterRiskLevel | - | Top-level risk level of the event according to custom filters | | |
| e2eLatency | - | End-to-end (E2E) latency of the traffic, in milliseconds | | |
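The table mixes units (start in milliseconds, sessionStart/sessionEnd in seconds), hash algorithms (fileHash is SHA-1, fileHashSha256 is SHA-256), and overloaded fields (suid is a user name or an IPv4 address), so records are easy to join or filter incorrectly. The following is an added example, not Trend Micro code, of a small normalizer that checks those fields on constructed sample records before they are used in a detection query. It assumes eventTime and receivedTime arrive as ISO 8601 strings, that epoch values are UTC, and that the hash fields are hex digests; the sample records, the derived keys (suidKind, sessionSeconds, ingestLagSeconds, filterRiskBits, startUtc) and the function names are hypothetical.

```python
"""Added example: validate and normalize Secure Access Activity Data records.

Not Trend Micro code. Field names follow the table; value formats (ISO 8601
eventTime/receivedTime, UTC epoch values, hex digests) are assumptions.
"""
from datetime import datetime, timezone
import ipaddress
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Field -> expected digest pattern, per the table (SHA-1 vs SHA-256).
HASH_FIELDS = {
    "fileHash": SHA1_RE,
    "respFileHash": SHA1_RE,
    "fileHashSha256": SHA256_RE,
    "respFileHashSha256": SHA256_RE,
}

# Fields the table documents as IP addresses.
IP_FIELDS = ("src", "clientIp", "serverIp", "resolvedUrlIp", "httpXForwardedForIp")


def _parse_iso(value):
    """Parse an ISO 8601 timestamp; map a 'Z' suffix to +00:00 for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(record):
    """Return (normalized copy, list of problems) for one activity record."""
    out = dict(record)
    problems = []

    # Hashes: lowercase so joins across data sources match, then check length/alphabet.
    for field, pattern in HASH_FIELDS.items():
        value = record.get(field)
        if value is None:
            continue
        value = value.strip().lower()
        if not pattern.match(value):
            algo = "SHA-1" if pattern is SHA1_RE else "SHA-256"
            problems.append(f"{field}: expected {algo} hex digest")
        out[field] = value

    for field in IP_FIELDS:
        value = record.get(field)
        if value is not None:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{field}: not an IP address")

    # suid is either a user name or an IPv4 address; record which one (assumed key).
    suid = record.get("suid")
    if suid is not None:
        try:
            ipaddress.IPv4Address(suid)
            out["suidKind"] = "ipv4"
        except ValueError:
            out["suidKind"] = "user"

    # Units per the table: start is milliseconds, sessionStart/sessionEnd are seconds.
    if "start" in record:
        out["startUtc"] = datetime.fromtimestamp(record["start"] / 1000, tz=timezone.utc)
    if "sessionStart" in record and "sessionEnd" in record:
        length = record["sessionEnd"] - record["sessionStart"]
        if length < 0:
            problems.append("sessionEnd precedes sessionStart")
        out["sessionSeconds"] = length

    # Ingestion lag = receivedTime (XDR) - eventTime (agent); negative means clock skew.
    if "eventTime" in record and "receivedTime" in record:
        lag = (_parse_iso(record["receivedTime"]) - _parse_iso(record["eventTime"])).total_seconds()
        out["ingestLagSeconds"] = lag
        if lag < 0:
            problems.append("receivedTime precedes eventTime (clock skew?)")

    # bitwiseFilterRiskLevel packs levels into one integer; expose the set bit positions.
    bits = record.get("bitwiseFilterRiskLevel")
    if bits is not None:
        out["filterRiskBits"] = [i for i in range(bits.bit_length()) if bits >> i & 1]

    return out, problems


def validate_all(records):
    """Map uuid -> problems for every record that has at least one problem."""
    return {r["uuid"]: p for r, p in (normalize(x) for x in records) if p}


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {
        "uuid": "evt-1",
        "eventTime": "2024-05-01T10:00:00Z",
        "receivedTime": "2024-05-01T10:00:07Z",
        "act": "Block",
        "src": "10.0.0.12",
        "suid": "alice",
        "request": "https://example.test/payload.zip",
        "fileHash": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",
        "fileHashSha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "start": 1714557600000,
        "sessionStart": 1714557600,
        "sessionEnd": 1714557612,
        "bitwiseFilterRiskLevel": 5,
    },
    {
        "uuid": "evt-2",
        "eventTime": "2024-05-01T10:05:00Z",
        "receivedTime": "2024-05-01T10:04:30Z",
        "suid": "192.168.1.50",
        "clientIp": "not-an-ip",
        "fileHash": "abc123",
        "sessionStart": 1714557900,
        "sessionEnd": 1714557890,
    },
]

if __name__ == "__main__":
    for uuid, problems in validate_all(SAMPLE_RECORDS).items():
        print(uuid, "->", "; ".join(problems))
```

Run it directly to see the problem list for the malformed second record; in a pipeline, call `normalize` on each record and drop or quarantine any that returns problems before the record feeds a hash- or IP-keyed lookup.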