Important: This data source query method is no longer available after February 2, 2026. For more
information on the currently available data sources for use in XDR Data Explorer queries,
go to https://trendmicro.github.io/tm-v1-schema/pages/index.
| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act |  | - | The action |  |  |
| actResult |  | - | The result of an action |  |  |
| action |  | - | The traffic processing action |  |  |
| actionName |  | - | The user or service action |  |  |
| additionalEventData |  | - | The additional event information that was not part of the request or response |  |  |
| alertCategories |  | - | The list of alert categories |  |  |
| alertTitle |  | - | The alert title |  |  |
| apiVersion |  | - | The API version associated with the AwsApiCall eventType value |  |  |
| app |  | - | The network protocol |  |  |
| appPkgName |  | - | The app package name (if the subject is an app) |  |  |
| application |  | - | The name of the requested application |  |  |
| applicationId |  | - | The application ID |  |  |
| attachmentFileHashSha256s |  |  | The SHA-256 hash of the email attachment |  |  |
| attachmentFileHashes |  |  | The SHA-1 hash of the email attachment |  |  |
| attachmentFileName |  |  | The file name of an attachment |  |  |
| attachmentMd5 |  |  | The MD5 hash of the email attachment |  |  |
| attachmentUrls |  | - | The URLs and URL sources extracted from the email attachment | - |  |
| awsRegion |  | - | The AWS region the request was made to |  |  |
| azId |  | - | The Availability Zone ID |  |  |
| bytes |  | - | The number of transmitted data bytes |  |  |
| category |  | - | The event category |  |  |
| cloudAccountId |  | - | The owner AWS account ID of the source network interface (VPC Flow Log field "account-id") |  |  |
| cloudTrailEventId |  | - | The GUID generated by AWS CloudTrail to identify events |  |  |
| clusterId |  | - | The cluster ID of the container |  |  |
| clusterName |  | - | The cluster name of the container |  |  |
| cnt |  | - | The total number of logs |  |  |
| containerId |  | - | The Kubernetes container ID |  |  |
| containerImage |  | - | The Kubernetes container image |  |  |
| containerImageDigest |  | - | The Kubernetes container image digest |  |  |
| containerName |  | - | The Kubernetes container name |  |  |
| cves |  | - | The CVEs associated with this filter |  |  |
| dOSName |  | - | The destination OS |  |  |
| dUser1 |  |  | The latest sign-in user of the destination |  |  |
| dhost |  |  | The destination hostname |  |  |
| direction |  | - | The direction |  |  |
| dmac |  | - | The destination MAC address |  |  |
| dnsQueryType |  | - | The record type requested by the DNS protocol |  |  |
| dpt |  |  | The destination port |  |  |
| dst |  |  | The destination IP |  |  |
| dstEndpointGuid |  | - | The destination host GUID on which the event was detected |  |  |
| dstEndpointHostName |  |  | The hostname of the destination device on which the event was detected |  |  |
| dstIpType |  | - | The destination IP type |  |  |
| dstLocation |  | - | The destination country |  |  |
| dstZone |  | - | The destination zone of the session |  |  |
| duser |  |  | The email recipient |  |  |
| dvc |  | - | The device IP | - |  |
| dvchost |  | - | The network device hostname |  |  |
| ecsTaskArn |  | - | The list of ECS task ARNs |  |  |
| ecsTaskId |  | - | The ECS task ID |  |  |
| endpointGuid |  | - | The host endpoint GUID on which the event was detected |  |  |
| endpointHostName |  |  | The host name of the device on which the event was detected |  |  |
| endpointIp |  |  | The IP address of the endpoint on which the event was detected |  |  |
| errorCode |  | - | The AWS service error code |  |  |
| errorMessage |  | - | The error description |  |  |
| eventCase |  | - | The AWS service that the request was made to |  |  |
| eventCategory |  | - | The event category used in LookupEvents calls |  |  |
| eventDataLogonType |  | - | The logon type recorded in Windows Event ID 4624 (successful sign-in) |  |  |
| eventId |  | - | The event ID |  |  |
| eventName |  | - | The log type |  |  |
| eventSource |  | - | The AWS service the request was made to |  |  |
| eventSubName |  | - | The event type sub-name |  |  |
| eventTime |  | - | The time the agent or product detected the event |  |  |
| eventType |  | - | The type of event that generated the event record |  |  |
| eventVersion |  | - | The log event format version |  |  |
| fileHash |  |  | The SHA-1 hash of the file |  |  |
| fileHashMd5 |  |  | The MD5 hash of the file |  |  |
| fileHashSha256 |  |  | The SHA-256 hash of the file |  |  |
| fileName |  |  | The file name |  |  |
| fileOriginIP |  | - | The IP address from which the file was downloaded |  |  |
| fileOriginUrl |  | - | The URL from which the file was downloaded |  |  |
| filePath |  |  | The file path |  |  |
| fileSize |  | - | The file size |  |  |
| fileType |  | - | The file type |  |  |
| filterRiskLevel |  | - | The top-level filter risk of the event |  |  |
| flowDirection |  | - | The network interface traffic direction |  |  |
| flowId |  | - | The connection ID |  |  |
| flowType |  | - | The type of traffic (VPC Flow Log field "type") |  |  |
| fullPath |  |  | The full file path |  |  |
| groupId |  | - | The group ID for the management scope filter |  |  |
| hostName |  |  | The hostname |  |  |
| httpReferer |  |  | The HTTP referer |  |  |
| httpRespContentType |  | - | The HTTP response data content type |  |  |
| httpXForwardedFor |  | - | The HTTP X-Forwarded-For header |  |  |
| idpName |  | - | The identity provider |  |  |
| initiatedByUserIpAddress |  |  | The client IP of the user |  |  |
| initiatedByUserPrincipalName |  |  | The User Principal Name of the user |  |  |
| instanceId |  | - | The instance ID |  |  |
| ipProto |  | - | The IP protocol number (VPC Flow Log field "protocol") |  |  |
| isLocalAdmin |  | - | Whether the user is a local administrator on the device |  |  |
| k8sNamespace |  | - | The Kubernetes namespace of the container |  |  |
| k8sPodId |  | - | The Kubernetes pod ID of the container |  |  |
| k8sPodName |  | - | The Kubernetes pod name of the container |  |  |
| logReceivedTime |  | - | The time when the XDR log was received |  |  |
| logStatus |  | - | The VPC Flow Log status |  |  |
| logonUser |  |  | The sign-in user name |  |  |
| mailBccAddresses |  |  | The BCC address in the email header |  |  |
| mailCcAddresses |  |  | The CC address in the email header |  |  |
| mailDirection |  | - | The email traffic direction |  |  |
| mailFromAddresses |  |  | The Mail From address in the email header |  |  |
| mailMsgId |  |  | The internet message ID of the email |  |  |
| mailMsgSubject |  |  | The email subject |  |  |
| mailToAddresses |  |  | The Mail To address in the email header |  |  |
| mailUrlsRealLink |  |  | The URL extracted from the email content (the actual link target) |  |  |
| mailUrlsVisibleLink |  |  | The URL extracted from the email content (the link text shown to the recipient) |  |  |
| mailbox |  | - | The target or primary email address |  |  |
| malFamily |  | - | The threat family |  |  |
| malName |  | - | The name of the detected malware |  |  |
| managementEvent |  | - | The management event |  |  |
| monitoringLevel |  | - | The cloud activity monitoring level |  |  |
| networkInterfaceId |  | - | The network interface ID (VPC Flow Log field "interface-id") |  |  |
| objectAppLabel |  | - | The app name |  |  |
| objectAppPackageName |  | - | The app package name |  |  |
| objectCmd |  |  | The command line entry of the target process |  |  |
| objectFileHashMd5 |  |  | The MD5 hash of the target file |  |  |
| objectFileHashSha1 |  |  | The SHA-1 hash of the target process image or target file |  |  |
| objectFileHashSha256 |  |  | The SHA-256 hash of the target process image or target file |  |  |
| objectFileName |  |  | The object file name |  |  |
| objectFilePath |  |  | The file path of the target process image or target file |  |  |
| objectIps |  |  | The IP address resolved by the DNS protocol |  |  |
| objectPid |  | - | The object process PID |  |  |
| objectRegistryData |  |  | The registry data contents |  |  |
| objectRegistryKeyHandle |  |  | The registry key path |  |  |
| objectRegistryOriginalData |  | - | The original registry value data before modification |  |  |
| objectRegistryOriginalKeyHandle |  | - | The original registry key before modification |  |  |
| objectRegistryOriginalValue |  | - | The original registry value name before modification |  |  |
| objectRegistryValue |  |  | The registry value name |  |  |
| objectRegistryValueType |  | - | The Windows registry value type ID |  |  |
| objectSessionIp |  |  | The remote device IP address |  |  |
| objectSigner |  | - | The list of object process signers |  |  |
| objectSignerValid |  | - | Whether each signer of the object process is valid |  |  |
| objectType |  | - | The object type |  |  |
| objectUser |  |  | The user name of the target process launched by the current (subject) process |  |  |
| objectUserDomain |  | - | The owner domain of the target process launched by the current (subject) process |  |  |
| objectVersionInfoOriginalFileName |  |  | The original file name from the version information of the object image |  |  |
| oldFileHash |  |  | The old file hash |  |  |
| pComp |  | - | The component that made the detection |  |  |
| packets |  | - | The number of transmitted data packets |  |  |
| parentCmd |  |  | The command line entry of the parent process |  |  |
| parentFileName |  | - | The parent process name |  |  |
| parentPid |  | - | The PID of the parent process |  |  |
| pktDstAddr |  |  | The packet-level destination IP |  |  |
| pktDstCloudServiceName |  | - | The name of the subset IP address range for the cloud service destination IP (VPC Flow Log field "pkt-dst-aws-service") |  |  |
| pktSrcAddr |  |  | The packet-level source IP |  |  |
| pktSrcCloudServiceName |  | - | The name of the subset IP address range for the cloud service source IP (VPC Flow Log field "pkt-src-aws-service") |  |  |
| pname |  | - | The product name |  |  |
| policyName |  | - | The name of the triggered policy |  |  |
| policyTreePath |  | - | The policy tree path |  |  |
| policyUuid |  | - | The policy UUID |  |  |
| previousObjectFileName |  |  | The previous object file name |  |  |
| previousObjectFilePath |  |  | The previous file path of the target process image or target file |  |  |
| principalName |  | - | The user principal name used to sign in to the proxy |  |  |
| processCmd |  |  | The subject process command line |  |  |
| processFileHashMd5 |  |  | The MD5 hash of the subject process image |  |  |
| processFileHashSha1 |  |  | The SHA-1 hash of the subject process image |  |  |
| processFileHashSha256 |  |  | The SHA-256 hash of the subject process image file |  |  |
| processFileName |  | - | The file name of the subject process |  |  |
| processFilePath |  |  | The file path of the subject process |  |  |
| processFileRemoteAccess |  | - | Whether there was remote access to the process file |  |  |
| processName |  |  | The image name of the process that triggered the event |  |  |
| processPid |  | - | The PID of the subject process |  |  |
| processRemoteSessionDeviceName |  | - | The remote device name of the process |  |  |
| processRemoteSessionIp |  |  | The remote device IP address of the process |  |  |
| processSigner |  | - | The list of process signers in an endpoint or container |  |  |
| processUser |  |  | The user name of the process or the file creator |  |  |
| processUserDomain |  | - | The owner domain of the subject process image |  |  |
| processVersionInfoOriginalFileName |  |  | The original file name from the version information of the process image |  |  |
| productCode |  | - | The internal product code |  |  |
| profile |  | - | The name of the triggered Threat Protection template or Data Loss Prevention profile |  |  |
| proto |  | - | The transport network protocol |  |  |
| pver |  | - | The product version |  |  |
| quarantineFilePath |  |  | The file path of the quarantined object |  |  |
| quarantineFileSha256 |  |  | The SHA-256 hash of the quarantined object |  |  |
| rating |  | - | The credibility level |  |  |
| readOnly |  | - | Whether the operation is read-only |  |  |
| recipientAccountId |  | - | The account ID that received the event |  |  |
| regionCode |  | - | The AWS Region of the network interface |  |  |
| reqDataSize |  | - | The data volume transmitted over the transport layer by the client (in bytes) |  |  |
| requestClientApplication |  | - | The HTTP user agent |  |  |
| requestID |  | - | The request ID; the service being called generates this value |  |  |
| requestMethod |  | - | The network protocol request method |  |  |
| requestParameters |  | - | The parameters sent with the request |  |  |
| requests |  |  | The URLs of the request |  |  |
| resources |  | - | The resources accessed in the event |  |  |
| respDataSize |  | - | The data volume transmitted over the transport layer by the server (in bytes) |  |  |
| responseElements |  | - | The response elements for create, update, and delete actions |  |  |
| ruleId |  | - | The rule ID |  |  |
| ruleName |  | - | The name of the rule that triggered the event |  |  |
| sOSName |  | - | The source OS |  |  |
| sUser1 |  |  | The latest sign-in user of the source |  |  |
| samUser |  | - | The user name of the SAM account |  |  |
| service |  | - | The Microsoft 365 service where the activity occurred |  |  |
| serviceEventDetails |  | - | The service event details |  |  |
| sessionEnd |  | - | The session end time (in seconds) |  |  |
| sessionEndReason |  | - | The reason why a session was terminated |  |  |
| sessionStart |  | - | The session start time (in seconds) |  |  |
| severity |  | - | The severity of the event |  |  |
| sharedEventID |  | - | The AWS CloudTrail GUID shared by records of the same AWS action sent to different AWS accounts |  |  |
| shost |  |  | The source hostname |  |  |
| smac |  | - | The source MAC address |  |  |
| sourceIPAddress |  |  | The IP address the request was made from (for service console actions, the underlying customer resource; for AWS services, the DNS name) |  |  |
| spt |  |  | The source port |  |  |
| src |  |  | The source IP |  |  |
| srcEndpointGuid |  | - | The source endpoint GUID on which the event was detected |  |  |
| srcEndpointHostName |  |  | The hostname of the source device on which the event was detected |  |  |
| srcFilePath |  |  | The original path of a file that was moved or copied to another path |  |  |
| srcIpType |  | - | The source IP type |  |  |
| srcLocation |  | - | The source country |  |  |
| srcZone |  | - | The source zone of the session |  |  |
| sslCertIssuerCommonName |  | - | The issuer common name |  |  |
| subLocationId |  | - | The sub-location ID |  |  |
| subLocationType |  | - | The sub-location type |  |  |
| subnetId |  | - | The subnet ID |  |  |
| suid |  |  | The username or mailbox |  |  |
| suser |  |  | The email sender |  |  |
| tacticId |  |  | The list of MITRE tactic IDs |  |  |
| tags |  |  | The detected technique ID based on the alert filter |  |  |
| tcpFlags |  | - | The bitmask value of the TCP flags (FIN=1, SYN=2, RST=4, SYN-ACK=18) |  |  |
| techniqueId |  |  | The technique ID detected by the product agent based on a detection rule |  |  |
| tlsDetails |  | - | The TLS details |  |  |
| trafficPath |  | - | The egress traffic path number |  |  |
| urlCat |  | - | The requested URL category |  |  |
| userAgent |  |  | The user agent or the agent through which the request was made |  |  |
| userDomain |  |  | The user domain |  |  |
| userIdentity |  | - | The information about the user who made the request |  |  |
| uuid |  | - | The unique key of the log entry |  |  |
| vendor |  | - | The device vendor |  |  |
| vendorDeviceId |  | - | The device ID |  |  |
| vendorLogId |  | - | The vendor event log ID |  |  |
| vendorParsed |  | - | The normalized event log (JSON format) | {"cefHeader": {"cefVersion": "0", "deviceVendor": "Palo Alto Networks", "deviceProduct": "PAN-OS", "deviceEventClassId": "Machine Learning found virus(599805)"}, "cefExtension": {"rt": ".."}} |  |
| vendorRaw |  | - | The original event log string | See the CEF sample below the table |  |
| vpcEndpointId |  | - | The VPC endpoint through which requests were made from a VPC to another AWS service |  |  |
| vpcId |  | - | The VPC ID |  |  |
| vsysName |  | - | The virtual system of the session |  |  |
| winEventId |  | - | The Windows Event ID |  |  |

Example vendorRaw value (the CEF record referenced in the vendorRaw row; it is kept outside the table because CEF uses the pipe character as its header delimiter):

CEF:0|Palo Alto Networks|PAN-OS|10.2.9-h1|end|TRAFFIC|1|rt=Aug 12 2024 15:31:19 GMT deviceExternalId=021201072197 src=10.10.10.10 dst=10.10.10.11 sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress=0.0.0.0 cs1Label=Rule cs1=TLC-to-nat-trust suser= duser= app=ping cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=TLC cs5Label=Destination Zone cs5=nat-trust deviceInboundInterface=ethernet1/6 deviceOutboundInterface=ethernet1/8 cs6Label=LogProfile cs6=PA440_to_Panorama cn1Label=SessionID cn1=19120 cnt=1 spt=0 dpt=0 sourceTranslatedPort=0 destinationTranslatedPort=0 flexString1Label=Flags flexString1=0x100019 proto=icmp act=allow flexNumber1Label=Total bytes flexNumber1=98 in=98 out=0 cn2Label=Packets cn2=1
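The vendorRaw and vendorParsed rows show the same PAN-OS record before and after normalization. The following parser is an added example, not Trend Micro's own normalization code: it splits the page's CEF sample into the cefHeader/cefExtension shape shown for vendorParsed, pairs ArcSight custom fields with their *Label keys, and projects the result onto this page's field names. The mapping in _DIRECT and _BY_LABEL is an assumption made for the example; the real product mapping is not documented on this page.

```python
import json
import re

# Constructed sample: the vendorRaw value shown on this page (a PAN-OS TRAFFIC
# record in CEF), with the trailing table delimiter removed.
RAW_CEF = (
    "CEF:0|Palo Alto Networks|PAN-OS|10.2.9-h1|end|TRAFFIC|1|"
    "rt=Aug 12 2024 15:31:19 GMT deviceExternalId=021201072197 src=10.10.10.10 "
    "dst=10.10.10.11 sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress=0.0.0.0 "
    "cs1Label=Rule cs1=TLC-to-nat-trust suser= duser= app=ping cs3Label=Virtual System "
    "cs3=vsys1 cs4Label=Source Zone cs4=TLC cs5Label=Destination Zone cs5=nat-trust "
    "deviceInboundInterface=ethernet1/6 deviceOutboundInterface=ethernet1/8 "
    "cs6Label=LogProfile cs6=PA440_to_Panorama cn1Label=SessionID cn1=19120 cnt=1 spt=0 "
    "dpt=0 sourceTranslatedPort=0 destinationTranslatedPort=0 flexString1Label=Flags "
    "flexString1=0x100019 proto=icmp act=allow flexNumber1Label=Total bytes "
    "flexNumber1=98 in=98 out=0 cn2Label=Packets cn2=1"
)

# The seven pipe-delimited CEF header fields, named as the vendorParsed example names them.
HEADER_KEYS = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
               "deviceEventClassId", "name", "severity")

_HEADER_SEP = re.compile(r"(?<!\\)\|")            # a '|' that is not escaped as '\|'
_EXT_SEP = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")  # whitespace that starts the next key=value


def _unescape_header(text):
    return text.replace(r"\|", "|").replace("\\\\", "\\")


def _unescape_extension(text):
    return (text.replace(r"\=", "=").replace(r"\n", "\n")
            .replace(r"\r", "\r").replace("\\\\", "\\"))


def parse_cef(line):
    """Split one CEF record into the cefHeader/cefExtension shape of vendorParsed.

    Extension values may contain spaces ("rt=Aug 12 2024 ..."), so the extension
    is split only on whitespace that is followed by another key=. Empty values
    ("suser=") are kept as empty strings rather than dropped.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _HEADER_SEP.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    header = dict(zip(HEADER_KEYS, (_unescape_header(p) for p in parts[:7])))
    header["cefVersion"] = header["cefVersion"][len("CEF:"):]
    extension = {}
    for token in _EXT_SEP.split(parts[7].strip()):
        key, _, value = token.partition("=")
        extension[key] = _unescape_extension(value)
    return {"cefHeader": header, "cefExtension": extension}


def resolve_custom_labels(extension):
    """Pair ArcSight custom fields with their *Label keys:
    cs4Label=Source Zone, cs4=TLC  ->  {"Source Zone": "TLC"}."""
    resolved = {}
    for key, label in extension.items():
        if key.endswith("Label") and key[:-len("Label")] in extension:
            resolved[label] = extension[key[:-len("Label")]]
    return resolved


# Assumed mapping onto this page's field names (not the vendor's published rules).
# Direct keys share their CEF extension name; labelled ones come from *Label pairs.
_DIRECT = ("act", "app", "src", "dst", "spt", "dpt", "proto", "cnt", "suser", "duser")
_BY_LABEL = {"Rule": "ruleName", "Virtual System": "vsysName", "Source Zone": "srcZone",
             "Destination Zone": "dstZone", "Total bytes": "bytes", "Packets": "packets"}
_INT_FIELDS = {"spt", "dpt", "cnt", "bytes", "packets"}


def normalize(parsed):
    """Project a parsed CEF record onto the page's field names, typing the counters."""
    header, ext = parsed["cefHeader"], parsed["cefExtension"]
    out = {"vendor": header["deviceVendor"], "pname": header["deviceProduct"],
           "pver": header["deviceVersion"], "severity": header["severity"]}
    out.update({k: ext[k] for k in _DIRECT if k in ext})
    labelled = resolve_custom_labels(ext)
    out.update({f: labelled[lbl] for lbl, f in _BY_LABEL.items() if lbl in labelled})
    for field in _INT_FIELDS.intersection(out):
        out[field] = int(out[field])
    return out


if __name__ == "__main__":
    record = parse_cef(RAW_CEF)
    print(json.dumps(record, indent=2))            # the vendorParsed shape
    print(json.dumps(normalize(record), indent=2))  # the page's field names
```

The split regexes matter more than they look: splitting the extension on every space would break "Aug 12 2024 15:31:19 GMT" and "Total bytes" into separate keys, and splitting the header on every pipe would mis-parse any vendor that escapes a literal pipe as \|. The maxsplit=7 on the header also keeps a pipe inside a free-text extension value from shifting the whole record.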
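Many of the AWS-flavoured fields above (cloudAccountId, networkInterfaceId, ipProto, flowType, pktSrcCloudServiceName, tcpFlags, trafficPath, logStatus and so on) carry the names of VPC Flow Log fields in parentheses. The following added example, which is not part of this page or of Trend Micro's product, parses constructed flow-log lines in a custom log format into those field names, treats the AWS "-" placeholder and NODATA intervals correctly, decodes the tcpFlags bitmask, and runs one small detection over the result. The field mapping and the sample records are assumptions made for the example.

```python
# Constructed VPC Flow Log lines in a custom log format; the field order is the one
# an AWS log-format string would declare. The traffic and identifiers are invented.
FLOW_LOG_FORMAT = (
    "account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes "
    "start end action log-status vpc-id subnet-id instance-id tcp-flags type "
    "pkt-srcaddr pkt-dstaddr region az-id pkt-src-aws-service pkt-dst-aws-service "
    "flow-direction traffic-path"
)

SAMPLE_FLOW_LOGS = [
    # HTTPS from an instance to S3; SYN, ACK and FIN were all seen in the interval (1+2+16=19)
    "123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 52.94.5.7 44321 443 6 12 2340 "
    "1723476000 1723476059 ACCEPT OK vpc-0abc123 subnet-0def456 i-0123456789abcdef0 "
    "19 IPv4 10.0.1.25 52.94.5.7 us-east-1 use1-az1 - S3 egress 8",
    # inbound SSH attempt rejected by a security group; only SYN (2) was seen
    "123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.25 53211 22 6 1 44 "
    "1723476010 1723476010 REJECT OK vpc-0abc123 subnet-0def456 i-0123456789abcdef0 "
    "2 IPv4 198.51.100.9 10.0.1.25 us-east-1 use1-az1 - - ingress -",
    # interval with no traffic: AWS prints '-' for every per-flow field
    "123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1723476100 1723476159 - NODATA "
    "- - - - - - - - - - - - -",
]

# Assumed mapping of the AWS flow-log field names onto this page's field names.
FIELD_MAP = {
    "account-id": "cloudAccountId", "interface-id": "networkInterfaceId",
    "srcaddr": "src", "dstaddr": "dst", "srcport": "spt", "dstport": "dpt",
    "protocol": "ipProto", "packets": "packets", "bytes": "bytes",
    "start": "sessionStart", "end": "sessionEnd", "action": "action",
    "log-status": "logStatus", "vpc-id": "vpcId", "subnet-id": "subnetId",
    "instance-id": "instanceId", "tcp-flags": "tcpFlags", "type": "flowType",
    "pkt-srcaddr": "pktSrcAddr", "pkt-dstaddr": "pktDstAddr", "region": "regionCode",
    "az-id": "azId", "pkt-src-aws-service": "pktSrcCloudServiceName",
    "pkt-dst-aws-service": "pktDstCloudServiceName",
    "flow-direction": "flowDirection", "traffic-path": "trafficPath",
}
INT_FIELDS = {"spt", "dpt", "ipProto", "packets", "bytes", "sessionStart",
              "sessionEnd", "tcpFlags", "trafficPath"}
# tcp-flags is OR-ed over the aggregation interval; SYN-ACK (18) is simply SYN|ACK.
TCP_FLAG_BITS = ((1, "FIN"), (2, "SYN"), (4, "RST"), (8, "PSH"), (16, "ACK"), (32, "URG"))


def decode_tcp_flags(mask):
    """Expand the tcpFlags bitmask into flag names, lowest bit first."""
    return [name for bit, name in TCP_FLAG_BITS if mask & bit]


def parse_flow_log(line, log_format=FLOW_LOG_FORMAT):
    """Map one flow-log line onto the page's field names; '-' becomes None."""
    names = log_format.split()
    values = line.split()
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}")
    record = {}
    for name, value in zip(names, values):
        field = FIELD_MAP[name]
        if value == "-":
            record[field] = None
        elif field in INT_FIELDS:
            record[field] = int(value)
        else:
            record[field] = value
    if record.get("tcpFlags") is not None:
        record["tcpFlagNames"] = decode_tcp_flags(record["tcpFlags"])
    return record


def syn_only_rejects(records):
    """Inbound REJECTs where only SYN was observed: the shape of a port scan or a
    blocked connection attempt. NODATA/SKIPDATA intervals carry no flow fields,
    so they are excluded through logStatus before any other field is read."""
    return [r for r in records
            if r["logStatus"] == "OK" and r["action"] == "REJECT"
            and r["flowDirection"] == "ingress" and r["tcpFlags"] == 2]


if __name__ == "__main__":
    parsed = [parse_flow_log(line) for line in SAMPLE_FLOW_LOGS]
    for rec in parsed:
        print(rec["logStatus"], rec["action"], rec["src"], rec["dpt"], rec.get("tcpFlagNames"))
    print("SYN-only rejects:", [(r["src"], r["dpt"]) for r in syn_only_rejects(parsed)])
```

Two details are easy to get wrong when querying these fields: a "-" is not an empty string or zero, so comparisons such as dpt == 0 must not match it, and a NODATA record still has cloudAccountId, networkInterfaceId, sessionStart and sessionEnd populated even though every traffic field is absent.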
