Views:
Field Name
Type
General Field
Description
Example
Products
accessPermission
  • string
-
The access permission type
  • Modify
  • Read and execute
  • List device content only
  • Block
  • Trend Micro Apex One as a Service
act
  • string[]
-
The actions taken to mitigate the event
  • log
  • isolate
  • terminate
  • not blocked
  • Block
  • Reset
  • Pass
  • User Decision
  • Trend Cloud One - Container Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Cloud App Security
  • TippingPoint Security Management System
  • XDR Endpoint Sensor
  • Trend Micro Web Security
  • Trend Micro Email Security
  • Trend Micro Deep Security
  • Trend Cloud One - Network Security
  • Trend Vision One Zero Trust Secure Access Internet Access
  • TXOne EdgeOne (on-premises)
  • Trend Vision One Zero Trust Secure Access Private Access
  • Email Sensor
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Vision One Mobile Security
  • Trend Micro Mobile Network Security
actResult
  • string[]
-
The result of an action
  • Dropped
  • Successful
  • Accepted
  • Trend Micro Apex One as a Service
  • Trend Micro Cloud App Security
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • TXOne Stellar (on-premises)
  • Trend Cloud One - Cloud Sentry
  • Trend Vision One Mobile Security
aggregateFunction
  • enum_sae.DdrDetectionLog.MetricAggregator
-
The metric aggregator
  • 0 - sum
  • 1 - avg
  • Data Detection and Response
aggregateUnit
  • string
-
The metric unit
  • file
  • Data Detection and Response
aggregatedCount
  • int64
-
The number of aggregated events
  • 1
  • 2
  • 3
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • TippingPoint Security Management System
  • Trend Micro Web Security
  • Trend Cloud One - Network Security
  • Trend Vision One Zero Trust Secure Access Internet Access
  • TXOne Stellar (on-premises)
  • Data Detection and Response
appDexSha256
  • string
  • FileSHA2
The app dex encoded using SHA-256
  • 08736EDDD3682AC26D9FD42DA2A20B0BADB5C85A5456A0AE85B52D60C564F290
  • Trend Vision One Mobile Security
appGroup
  • string
-
The app category of the event
  • DNS Response
  • HTTP
  • CIFS
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
appIsSystem
  • bool
-
Whether the app is a system app
  • false
  • Trend Vision One Mobile Security
appLabel
  • string
-
The app name
  • Mobile Security Virus Test Application
  • Trend Vision One Mobile Security
appPkgName
  • string
-
The app package name
  • com.example.app_pkg_name_file
  • Trend Vision One Mobile Security
appPublicKeySha1
  • string
  • FileSHA1
The app public key (SHA-1)
  • 72080A6B4EB11105B28E31C4753BC91414500AD4
  • Trend Vision One Mobile Security
appSize
  • string
-
The app size (in bytes)
  • 28461
  • Trend Vision One Mobile Security
appVerCode
  • uint32
-
The app version code
  • 1
  • Trend Vision One Mobile Security
application
  • string
-
The name of the requested application
  • HyperText Transfer Protocol
  • DoubleClick
  • The Secure HyperText Transfer Protocol
  • Trend Micro Web Security
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Vision One Zero Trust Secure Access Private Access
  • Trend Micro Apex One as a Service
  • Palo Alto Networks Next-Generation Firewalls
aptCampaigns
  • string[]
-
The related APT campaigns
  • POSSIBLE LSTUDIO
  • WEB LURKER
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
aptRelated
  • string
-
Whether the event is related to an APT
  • 0
  • 1
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
attachment
  • object_Attachment[]
-
The information about the email attachment
  • {"attachmentFileTlsh": "", "attachmentFileName": "testfile.txt","attachmentFileHash": "","attachmentFileSize": "-1"}
  • Trend Micro Cloud App Security
  • Email Sensor
attachmentFileHash
  • string
  • FileSHA1
The SHA-1 of the email attachment
  • C9877617DB6715792F9D5C959C1E8D4E56D0C281
  • 0340A8EE3AD2990E3EDCDB2E471EAA45B4286722
  • 0E56D9540B07ED15EF745348D35C72A6A00A0BD9
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Email Sensor
attachmentFileHashMd5
  • string
  • FileMD5
The MD5 of the attached file (attachmentFileName)
  • RSjbNuJB0hx39ZpzwLdipg==
  • +TmuTNLw3FMQlaTbPwjD8g==
  • +XWktHxXXdY0O4A82FQMzQ==
  • Trend Micro Cloud App Security
attachmentFileHashSha1
  • string
  • FileSHA1
The SHA-1 of the attached file (attachmentFileName)
  • d63b1739a2fe56eb412dff1c69b76d4b9aad8ebd
  • 3b923d078ea3bd39489ed6d334c423e4478a8ee3
  • 3a2e6a64e1b7f4c6cbebcb9e949dc66b667cdfbe
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
attachmentFileHashSha256
  • string
  • FileSHA2
The SHA-256 of the attached file (attachmentFileName)
  • D81D4C14DDEB8CA390FFADA69265AAD46CDEDD72CDD332CB8AA17D924626B397
  • 01DE1FC697D2D0850F0468474A3E1E0BF4D78B23F0633908CF82E504E0DCBFF9
  • 02D16D9970AB635A7B05C3A268E23F5B41C419DD022F1054E9FD912BE130BDB0
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Email Security
attachmentFileHashes
  • string[]
-
The SHA-1 of the email attachment
  • 056a2975edffe7188c03c324ae4335f9380b57e3
  • 05fd3ac8f9d8407e6637e0f91cd2ff5ab076658a
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Email Sensor
attachmentFileHashs
  • string[]
-
The SHA-1 hash value of the attachment file
  • 056a2975edffe7188c03c324ae4335f9380b57e3
  • 05fd3ac8f9d8407e6637e0f91cd2ff5ab076658a
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Email Sensor
attachmentFileName
  • string[]
  • FileName
The file name of an attachment
  • Mail Body
  • image001.png
  • image002.png
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Email Sensor
attachmentFileSize
  • int64
-
The file size of the email attachment
  • 190843
  • 104454
  • 112197
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Email Sensor
attachmentFileSizes
  • int64[]
-
The file size of email attachments
  • 190843
  • 104454
  • 112197
  • Email Sensor
attachmentFileTlshes
  • string[]
-
The TLSH of the email attachment
  • 0FE18E0807B75799EF3ADD7A98D62411FEB31DAB419C913C058068A3A6B33BD114EA39
  • 97D18E86E87A85D1D4137E6DA6FD00580E4CF06F65DB2B2937815E4F3A3013042A2189
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Email Sensor
attachmentFileTlshs
  • string[]
-
The TLSH hash value of the attachment file
  • 0FE18E0807B75799EF3ADD7A98D62411FEB31DAB419C913C058068A3A6B33BD114EA39
  • 97D18E86E87A85D1D4137E6DA6FD00580E4CF06F65DB2B2937815E4F3A3013042A2189
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Email Sensor
attachmentFileType
  • string
-
The file type of the email attachment
  • PDF
  • TEXT
  • PKZIP
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
authType
  • string
-
The authorization type
  • Cookie JWT
  • No Auth
  • Trend Vision One Zero Trust Secure Access Internet Access
azId
  • string
-
The virtual machine Availability Zone ID
  • us-east-1b
  • us-west-2a
  • Trend Cloud One - Cloud Sentry
behaviorCat
  • string
-
The matched policy category
  • Policy Enforcement
  • Grey-Detection
  • Threat-Detection
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
blocking
  • string
-
The blocking type
  • Web reputation
  • Web Server
  • Trend Micro Apex One as a Service
bmGroup
  • string
-
The one-to-many data structure
  • logGenLocalDatetime:2022-07-08T09:21:11+00:00, act:Assessment, behaviorType:Registry, riskConfidenceLevel:1, ruleId:7, ruleName:New Service, behaviorCategory:Policy Enforcement, processFilePath:C:\Windows\SysWOW64\srts\wmipr.exe, aegisOperation:Set Key, objectFilePath:HKLM\SYSTEM\CurrentControlSet\Services\DpsiBSvc\Start, policyId:007, objectFileHashSha1:null, objectCmd:null, processFileHashSha1:null, processCmd:null, objectRegistryData:null, objectRegistryKeyHandle:null, objectRegistryValue:null
  • Trend Micro Apex One as a Service
botCmd
  • string
  • CLICommand
The bot command
  • 1068
  • indows
  • chrome.exe
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
botUrl
  • string
  • URL
The bot URL
  • 7?01
  • 0000
  • indows
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
category
  • string
-
The event category
  • Exploits
  • Reconnaissance
  • Vulnerabilities
  • Security Policy
  • TippingPoint Security Management System
  • Trend Micro Mobile Network Security
cccaDestination
  • string
  • URL
The destination domain, IP, URL, or recipient
  • 10.10.10.10:443
  • www.example.dns04.com
  • example.ru
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
cccaDestinationFormat
  • string
-
The C&C server access format
  • IP_DOMAIN
  • URL
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
cccaDetection
  • string
-
Whether this log is identified as a C&C callback address detection
  • Yes
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
cccaDetectionSource
  • string
-
The list which defines this CCCA detection rule
  • CCCA_GLOBAL_LIST (0)
  • GLOBAL_INTELLIGENCE
  • USER_DEFINED
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
cccaRiskLevel
  • int32
-
The severity level of the threat actors associated with the C&C servers
  • 0
  • 1
  • 2
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
censusMaturityValue
  • int32
-
The CENSUS maturity value
  • 0
  • 1
  • 2
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
censusPrevalenceValue
  • int32
-
The CENSUS prevalence value
  • 0
  • 1
  • 2
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
channel
  • string
-
The channel through which the demanded Windows Event is delivered
  • Local file or network drive
  • Local file
  • Trend Micro Apex One as a Service
clientFlag
  • string
-
Whether the client is a source or destination
  • dst
  • src
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
clientIp
  • string[]
-
The IP addresses of the source
  • 10.10.10.10
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Vision One Zero Trust Secure Access Private Access
clientStatus
  • string
-
The client status when the event occurred
  • Rebuilding database
  • Online
  • Offline
  • Trend Micro Apex One as a Service
cloudAccountId
  • string
-
The cloud account ID
  • 123456789012
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Cloud Sentry
cloudAppCat
  • string
-
The category of the event in Cloud Reputation Service
  • All
  • Online Service
  • Application Suite
  • Business Intelligence and Analytics
  • Cloud Computing Platform
  • Trend Vision One Zero Trust Secure Access Internet Access
cloudAppName
  • string
-
The cloud app name
  • teams
  • sharepoint
  • exchange
  • gmail
  • Trend Micro Cloud App Security
cloudMachineImageId
  • string
-
The cloud machine image ID
  • ami-092d1c9fb626c2ba7
  • Trend Cloud One - Cloud Sentry
cloudMachineImageName
  • string
-
The cloud machine image name
  • Windows_Server-2022-English-Full-SQL_2022_Standard-2024.05.15
  • Trend Cloud One - Cloud Sentry
cloudProvider
  • string
-
The service provider of the cloud asset
  • aws
  • azure
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Cloud Sentry
cloudResourceDigest
  • string
-
The cloud resource digest
  • sha256:e8759728bdf756c2546bf88d772634d4b746ba2be6da74cb68d2a75fb135e29e
  • Z29gD6/9+UmEejeSqt4zcqux+1nNIRdGhoffijjkaBc=
  • Trend Cloud One - Cloud Sentry
cloudResourceId
  • string
-
The cloud resource ID
  • vol-00000000000000000
  • 670666259092.dkr.ecr.us-west-1.amazonaws.com/us-west-1-sentry-scan-samples-ecr
  • arn:aws:lambda:us-east-1:000000000000:function:StackSet-SentrySetdb47aff3-cc084aaa-5-sideScanVuln-6Dyn7ZcwCSPw
  • Trend Cloud One - Cloud Sentry
cloudResourceTags
  • string
-
The cloud resource tags
  • -
  • -
  • Trend Cloud One - Cloud Sentry
cloudResourceType
  • string
-
The cloud resource type
  • ebs-volume
  • ecr-repository-image
  • lambda-function
  • lambda-layer
  • Trend Cloud One - Cloud Sentry
cloudResourceVersion
  • string
-
The cloud resource version
  • 113
  • Trend Cloud One - Cloud Sentry
cloudStorageName
  • string
-
The cloud storage name
  • my-bucket
  • Trend Cloud One – File Storage Security
clusterId
  • string
-
The cluster ID of the container
  • ben_eks_test-20k90A3jGa4d3YMYfrdGIgs7g9u
  • Trend Cloud One - Container Security
clusterName
  • string
-
The cluster name of the container
  • ben_eks_test
  • Trend Cloud One - Container Security
cnt
  • int64
-
The total number of logs
  • 1
  • 2
  • 3
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • TXOne EdgeOne (on-premises)
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Micro Mobile Network Security
compressedFileHash
  • string
  • FileSHA1
The SHA-1 of the decompressed archive
  • 6E2ECB34B7798E179CC704111FB9733FBAAD5ACA
  • FA71B59F35F0EE44D27F74917EF5A0DA2797E80B
  • 14D2302172EB81465CE12E01361AE24CDE170F7B
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Cloud Sentry
compressedFileHashSha256
  • string
  • FileSHA2
The SHA-256 of the compressed suspicious file
  • 60C7C5924DD09F7C6B150120FB92DCEE00AE82DB75C7402FA4D9152CF487A94F
  • 482FFC4F87B78C3C7073983CF65B593D9F13F0A3D6DC54B4A3F616F79838F3CE
  • 68C0126D9B4B0FC32DE181D0D67DA8FE82E23745F6023317D5E053B6F6ED26CF
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Cloud Sentry
compressedFileName
  • string
  • FileName
The file name of the compressed file
  • /proc/32058/fd/150
  • NONAMEFL
  • /proc/10006/fd/30
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Cloud One - Cloud Sentry
  • Trend Cloud One - Container Security
compressedFileSize
  • int64
-
The file size of the decompressed archive file
  • 0
  • 265314
  • 175864
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Cloud Sentry
compressedFileType
  • string
-
The file type of the decompressed archive file
  • EXE
  • JAVA
  • PDF
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Cloud Sentry
computerDomain
  • string
-
The computer domain
  • COMCEL_DOMINIO
  • HDWA
  • RANDON
  • Trend Micro Apex One as a Service
containerId
  • string
-
The Kubernetes container ID
  • 4102001853b8
  • Trend Cloud One - Container Security
containerImage
  • string
-
The Kubernetes container image
  • dockerhub.io/ubuntu:latest
  • Trend Cloud One - Container Security
containerImageDigest
  • string
-
The Kubernetes container image digest
  • sha256:626ffe58f6e7566e00254b638eb7e0f3b11d4da9675088f4781a50ae288f3322
  • Trend Cloud One - Container Security
containerName
  • string
-
The Kubernetes container name
  • k8s_ubuntu_ubuntu-ds-fp2jk_default_00000000-0000-0000-0000-000000000000_2
  • Trend Cloud One - Container Security
correlationCat
  • string
-
The correlation category
  • Suspicious Traffic
  • Authentication
  • Reconnaissance
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
customTags
  • string[]
-
The event tags
  • network
  • mitre_discovery
  • Trend Cloud One - Container Security
  • Trend Vision One File Security
cve
  • string
-
The CVE identifier
  • MS17-010
  • CVE-2021-45046
  • CVE-2021-44228
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
cves
  • string[]
-
The CVEs associated with this filter
  • CVE-2014-3567
  • CVE-2016-6304
  • CVE-2011-1385
  • TippingPoint Security Management System
  • Trend Cloud One - Endpoint & Workload Security
dOSClass
  • string
-
The destination device OS class
  • Linux
  • Trend Micro Mobile Network Security
dOSName
  • string
-
The destination host OS
  • Windows
  • Windows 10
  • Android
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Micro Mobile Network Security
dOSVendor
  • string
-
The destination device OS vendor
  • Others
  • Trend Micro Mobile Network Security
dUser1
  • string
  • UserAccount
The latest sign-in user of the destination
  • user\example
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Palo Alto Networks Next-Generation Firewalls
dacDeviceType
  • string
-
The device type
  • USB storage device
  • Mobile devices
  • Floppy disks
  • Network driver
  • Trend Micro Apex One as a Service
data0
  • string
-
The value of the Deep Discovery Inspector correlation log
  • 1
  • USR_SUSPICIOUS_IP.UMXX
  • USR_SUSPICIOUS_URL.UMXX
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
data0Name
  • string
-
The name of the Deep Discovery Inspector correlation log
  • Malware Name
  • Attacked this IP
  • IP Address under Attack
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
data1
  • string
-
The Deep Discovery Inspector correlation log metadata
  • 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
data1Name
  • string
-
The name of the Deep Discovery Inspector correlation log
  • Port Used
  • Malicious File Transferred To This IP Address
  • Malware Server IP Address
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
data2
  • string
-
The value of the Deep Discovery Inspector correlation log
  • 1
  • 10003
  • 2
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
data2Name
  • string
-
The name of the Deep Discovery Inspector correlation log
  • Number of Malware Files Downloaded
  • Protocol
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
data3
  • string
-
The value of the Deep Discovery Inspector correlation log
  • 1
  • 10.10.10.10
  • 23903
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
data4
  • string
-
The value of the Deep Discovery Inspector correlation log
  • 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
dceArtifactActions
  • string[]
-
The actions performed on Damage Cleanup Engine artifacts
  • folder_backup
  • objproc_dump
  • subproc_dump
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
dceHash1
  • string
-
Whether the Trend Micro Threat Mitigation Server requires the log (the Trend Micro Threat Mitigation Server is EOL)
  • 0
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
dceHash2
  • string
-
Whether the Trend Micro Threat Mitigation Server requires the log (the Trend Micro Threat Mitigation Server is EOL)
  • 0
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
denyListFileHash
  • string
  • FileSHA1
The SHA-1 of the Virtual Analyzer Suspicious Object
  • 746C4D6048A409F33446463B28CA21CB2C5DD941
  • DAA66CE3C1F08144885BB0E99837030C5231DE60
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
denyListFileHashSha256
  • string
-
The SHA-256 of the User-Defined Suspicious Object
  • 757E5C8823CAA7406030A7E26AED2A2C95D16F69C5A14C884C8CAA72A0C001C3
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
denyListHost
  • string
  • DomainName
The domain of the Virtual Analyzer Suspicious Object
  • www.example.dns01.com
  • example.com
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
denyListIp
  • string[]
  • IPv4
  • IPv6
The IP of the Virtual Analyzer Suspicious Object
  • 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
denyListRequest
  • string
-
The block list event request
  • *
  • test.url.com
  • https://example.com:443/gfx/flags/ua.png
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
denyListType
  • string
-
The block list type
  • Deny List URL
  • Deny List File SHA1
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
destinationPath
  • string
-
The intended destination of the file containing the digital asset or channel
  • Cloud Storage (OneDrive)
  • Printer
  • example.sharepoint.com/personal/page_path/onedrive.aspx
  • Trend Micro Apex One as a Service
detectedActions
  • string[]
-
The actions performed on detected artifacts
  • folder_backup
  • objproc_dump
  • subproc_dump
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
detectedBackupArtifacts
  • object_DceArtifact[]
-
The information about detected artifacts
  • {"objectArtifactId": "025d9f2a-ac9c-4cdf-b9e4-cf20c6e40281_0.dmp", "action": "object_process_dump", "status": 0, "processCreationTime": "1627574338077", "processImageFileName": "C:\Program Files\aaa\bbb\objprocess.exe"}
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
detectedBackupFolder
  • string
-
The folder path for detected backup folders
  • C:\\Program Files (x86)\\Trend Micro\\artifact\\DCE
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
detectedPattern
  • string
-
The detected pattern
  • dct.virus
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
detectionAggregationId
  • string
-
The correlation key for detection logs and artifacts
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
  • XDR Endpoint Sensor
detectionDetail
  • string
-
The details about each event type
  • {}
  • {"detail":"4.7.1 \u003csample_email@trendmicro.com\u003e: Recipient address rejected: Ratelimit-2"}
  • {"detail":"4.7.1 \u003csample_email@trendmicro.com.br\u003e: Recipient address rejected: Ratelimit-2"}
  • Trend Micro Email Security
detectionEngineVersion
  • string
-
The detection engine version
  • 7.6.0
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
detectionName
  • string
-
The general name for the detection
  • Troj.Win32.TRX.XXPE50F13017
  • Troj.Win32.TRX.XXPE50FFF059
  • Trend Micro Apex One as a Service
  • Trend Vision One Mobile Security
detectionType
  • string
-
The detection type
  • 1
  • File
  • Process
  • net
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Web Security
  • Trend Micro Apex One as a Service
  • Trend Micro Cloud App Security
  • Trend Micro Deep Security
  • Trend Micro Email Security
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Vision One Mobile Security
  • Trend Vision One Zero Trust Secure Access Private Access
  • Trend Cloud One - Container Security
deviceDirection
  • string
-
The device direction (If the source IP is in the internal network monitored by Deep Discovery Inspector, it is tagged as outbound. All other cases are inbound. Internal-to-internal is also tagged as outbound.)
  • outbound
  • inbound
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Deep Security
deviceGUID
  • string
-
The GUID of the agent which reported the detection
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • TippingPoint Security Management System
  • XDR Endpoint Sensor
  • Trend Cloud One - Network Security
  • Trend Vision One Zero Trust Secure Access Internet Access
deviceMacAddress
  • string
-
The device MAC address
  • 00:00:00:00:00:00
  • ff:ff:ff:ff:ff:ff
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
deviceModel
  • string
-
The device model number
  • c96a
  • Trend Micro Apex One as a Service
devicePayloadId
  • string
-
The device payload ID
  • 0:14343219::F:S
  • 0:94174860::F:
  • 0:9665982::F:
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
deviceSerial
  • string
-
The device serial ID
  • 000000063a2e8f
  • Trend Micro Apex One as a Service
dhost
  • string
  • DomainName
The destination hostname
  • 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Micro Mobile Network Security
direction
  • string
-
The direction
  • Incoming
  • Outgoing
  • Unknown
  • Trend Micro Apex One as a Service
  • TXOne EdgeOne (on-premises)
  • Palo Alto Networks Next-Generation Firewalls
diskPartitionId
  • string
-
The cloud volume partition ID
  • 0
  • 1
  • 2
  • Trend Cloud One - Cloud Sentry
dmac
  • string
-
The MAC address of the destination IP (dest_ip)
  • 00:00:00:00:00:00
  • ff:ff:ff:ff:ff:ff
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • TXOne EdgeOne (on-premises)
  • Palo Alto Networks Next-Generation Firewalls
domainName
  • string
  • DomainName
The detected domain name
  • http://10.10.10.10
  • example.domain.com
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Cloud App Security
dpt
  • int32
  • Port
The destination port
  • 0
  • 445
  • 80
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • TippingPoint Security Management System
  • Trend Micro Deep Security
  • Trend Cloud One - Network Security
  • XDR Endpoint Sensor
  • TXOne EdgeOne (on-premises)
  • Trend Vision One Zero Trust Secure Access Private Access
  • Trend Cloud One - Container Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Micro Mobile Network Security
dst
  • string[]
  • IPv4
  • IPv6
The destination IP
  • 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • TippingPoint Security Management System
  • Trend Micro Deep Security
  • Trend Cloud One - Network Security
  • XDR Endpoint Sensor
  • Trend Vision One Zero Trust Secure Access Internet Access
  • TXOne EdgeOne (on-premises)
  • Trend Vision One Zero Trust Secure Access Private Access
  • Trend Cloud One - Container Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Micro Mobile Network Security
dstEquipmentId
  • string
-
The destination IMEI
  • 350548054087659
  • Trend Micro Mobile Network Security
dstFamily
  • string
-
The destination device family
  • Computer
  • Trend Micro Mobile Network Security
dstGroup
  • string
-
The group name defined by the administrator of the destination
  • Default
  • Data Center Services DL_Deployed Block
  • Rede Wifi Visitantes-Pacientes
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Mobile Network Security
dstLocation
  • string
-
The destination country
  • Japan
  • Palo Alto Networks Next-Generation Firewalls
dstSubscriberDirNum
  • string
-
The destination MSISDN
  • 8618687654321
  • Trend Micro Mobile Network Security
dstSubscriberId
  • string
-
The destination IMSI
  • 466686007810478
  • Trend Micro Mobile Network Security
dstType
  • string
-
The destination device type
  • Desktop/Laptop
  • Trend Micro Mobile Network Security
dstZone
  • string
-
The network zone defined by the destination administrator
  • 1
  • 0
  • 2
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Palo Alto Networks Next-Generation Firewalls
duration
  • int64
-
The detection interval (in milliseconds)
  • 300000
  • Data Detection and Response
duser
  • string[]
  • EmailRecipient
The email recipient
  • (no user)
  • SYSTEM
  • SYSTEM
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Email Sensor
  • Palo Alto Networks Next-Generation Firewalls
dvc
  • string[]
-
The IP address of the Deep Discovery Inspector appliance
  • 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
dvchost
  • string
-
The computer which installed the Trend Micro product
  • CU-PRO1-9039-2
  • LTPF32PMNN
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Palo Alto Networks Next-Generation Firewalls
endpointGUID
  • string
  • EndpointID
The GUID of the agent which reported the detection
  • ae4d64aa-f8b8-bb36-b265-f59272ed342f
  • 8fb979f6-1376-bed3-227f-f2886e66194e
  • ca2b3a7e-8415-c571-cc19-e45f69470026
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • XDR Endpoint Sensor
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Vision One Mobile Security
  • Trend Vision One Zero Trust Secure Access Private Access
  • TXOne Stellar (on-premises)
  • Trend Cloud One - Container Security
  • Data Detection and Response
endpointHostName
  • string
  • EndpointName
The endpoint hostname or node where the event was detected
  • 10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0]
  • ip-10-10-10-10.us-west-1.compute.internal
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Vision One Mobile Security
  • Trend Vision One Zero Trust Secure Access Private Access
  • TXOne Stellar (on-premises)
  • Trend Cloud One - Container Security
  • Trend Cloud One - Cloud Sentry
  • Data Detection and Response
endpointIp
  • string[]
  • IPv4
  • IPv6
The IP address of the endpoint on which the event was detected
  • 10.10.10.10
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
  • TippingPoint Security Management System
  • Trend Cloud One - Network Security
  • TXOne EdgeOne (on-premises)
  • Trend Cloud One - Cloud Sentry
  • Data Detection and Response
endpointMacAddress
  • string
-
The endpoint MAC address
  • 00:00:00:00:00:00
  • ff:ff:ff:ff:ff:ff
  • Trend Micro Apex One as a Service
  • TXOne EdgeOne (on-premises)
  • TXOne Stellar (on-premises)
endpointModel
  • string
-
The mobile device model
  • M2101K9G
  • Trend Vision One Mobile Security
engType
  • string
-
The engine type
  • Virus Scan Engine (Windows XP/Server 2003, x64)
  • Virus Scan NT Kernel Engine
  • Spyware/Grayware Scan Engine v.6 (64-bit)
  • Trend Micro Apex One as a Service
  • Trend Vision One File Security
engVer
  • string
-
The engine version
  • 1.0.0.1123_1.0.0.1101
  • 9.0.1004
  • 22.540.1001
  • XDR Endpoint Sensor
  • Trend Micro Cloud App Security
  • Trend Micro Apex One as a Service
  • Trend Vision One File Security
engineOperation
  • string
-
The operation of the engine event
  • Set Key
  • Invoke API
  • Create
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
eventClass
  • string
-
The event category
  • Suspicious Traffic
  • Authentication
  • Reconnaissance
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Palo Alto Networks Next-Generation Firewalls
eventId
  • int64
  • string
-
The event ID from the logs of each product
  • 100100
  • 100101
  • 100116
  • 100117
  • 100119
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • Trend Micro Cloud App Security
  • XDR Endpoint Sensor
  • Trend Micro Email Security
  • TXOne Stellar (on-premises)
  • Trend Cloud One - Container Security
  • Email Sensor
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Cloud One - Cloud Sentry
  • Trend Vision One Mobile Security
  • Trend Micro Mobile Network Security
  • Data Detection and Response
eventName
  • string
-
The event type
  • LOG_INSPECTION_EVENT
  • SECURITY_RISK_DETECTION
  • WEB_THREAT_DETECTION
  • LOG_INSPECTION_EVENT
  • MALWARE_DETECTION
  • PROCESS_ACTIVITY
  • WEB_POLICY_VIOLATION
  • DEEP_PACKET_INSPECTION_EVENT
  • INTEGRITY_MONITORING_EVENT
  • DISRUPTIVE_APPLICATION_DETECTION
  • PRODUCT_SUMMARY
  • PRODUCT_UPDATE
  • BEHAVIORAL_VIOLATION
  • FIREWALL_POLICY_VIOLATION
  • SUSPICIOUS_BEHAVIOUR_DETECTION
  • DENYLIST_CHANGE
  • MACHINE_LEARNING_DETECTION
  • DLP_VIOLATION
  • MALWARE_OUTBREAK_DETECTION
  • SENSITIVE_DATA_DETECTION
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • TippingPoint Security Management System
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • XDR Endpoint Sensor
  • Trend Cloud One - Network Security
  • Trend Vision One Zero Trust Secure Access Internet Access
  • TXOne EdgeOne (on-premises)
  • Trend Vision One Zero Trust Secure Access Private Access
  • TXOne Stellar (on-premises)
  • Email Sensor
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Cloud One - Cloud Sentry
  • Trend Vision One Mobile Security
  • Trend Micro Mobile Network Security
  • Data Detection and Response
eventSubClass
  • string
-
The sub-event class category
  • DNS
  • Port Mis-use
  • Port Scanning
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
eventSubId
  • int64
-
The access type
  • 4
  • 101
  • 102
  • Trend Cloud One - Endpoint & Workload Security
  • TXOne Stellar (on-premises)
eventSubName
  • string
-
The event type sub-name
  • IPS Detection
  • Personal Firewall
  • Attack Discovery
  • Trend Micro Apex One as a Service
  • Trend Micro Cloud App Security
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Email Security
  • XDR Endpoint Sensor
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Palo Alto Networks Next-Generation Firewalls
extraInfo
  • string[]
-
The network application name
  • N/A
  • Web Client Common
  • DCERPC Services
  • Trend Micro Apex One as a Service
fileCreation
  • string
-
The file creation date
  • 1595918517000
  • Trend Micro Apex One as a Service
fileDesc
  • string
-
The file description
  • Atualiza PJRO
  • Carpeta de archivos
  • 7z Setup SFX (x86)
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Container Security
fileExt
  • string
-
The file extension of the suspicious file
  • .lnk
  • .exe
  • .EXE
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
fileHash
  • string
  • FileSHA1
The SHA-1 of the file that triggered the rule or policy
  • DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F
  • 3AD1F4E7CAA11E5199EE80B8983677ADDD065450
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Cloud Sentry
fileHashMd5
  • string
  • FileMD5
The MD5 of the file
  • d5120786925038601a77c2e1eB9a3a0a
  • Palo Alto Networks Next-Generation Firewalls
fileHashSha256
  • string
  • FileSHA2
The SHA-256 of the file (fileName)
  • 6A6EB2D717CEA041B4444193B45EDFB6CA1287518203B7230B3C4B8FFB031EAB
  • BFF703FF836196644586014DA13A097C2EE9A08E4D596DFB7C8E0F685FE01294
  • 12327F460AC9CBBC34D39EB3CF89C7FECCA37F08773A04566840F73F6ECC4104
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Cloud One - Cloud Sentry
  • Trend Cloud One - Container Security
fileName
  • string[]
  • FileName
The file name
  • spoolss
  • hosts
  • svcrestarttask
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • Trend Vision One Zero Trust Secure Access Internet Access
  • TXOne Stellar (on-premises)
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Cloud One - Cloud Sentry
fileOperation
  • string
-
The operation of the file
  • Created
  • Updated
  • Deleted
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
filePath
  • string
  • FileFullPath
The file path without the file name
  • security
  • /var/log/audit/audit.log
  • application
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • TXOne Stellar (on-premises)
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Cloud Sentry
filePathName
  • string
  • FileFullPath
The file path with the file name
  • vss
  • spoolss
  • /etc/hosts
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Deep Security
  • TXOne Stellar (on-premises)
fileSize
  • int64
-
The file size of the suspicious file
  • 0
  • 1255856
  • 1237880
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Micro Apex One as a Service
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Cloud Sentry
fileSystemUuid
  • string
-
The file system UUID
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
  • Trend Cloud One - Cloud Sentry
fileType
  • string
-
The file type of the suspicious file
  • EXE
  • LNK
  • MIME
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Cloud One - Cloud Sentry
  • Trend Cloud One - Container Security
fileVer
  • string
-
The file version
  • 10.0.19041.1
  • 10.0.19041.1766
  • 10.0.18362.1
  • Trend Micro Apex One as a Service
filterName
  • string
-
The filter name
  • ConnectionFilter
  • Virtual Analyzer
  • Data Loss Prevention
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Trend Micro Apex One as a Service
  • TXOne EdgeOne (on-premises)
filterRiskLevel
  • string
-
The top level filter risk of the event
  • info
  • low
  • medium
  • Security Analytics Engine
filterType
  • string
-
The filter type
  • Spam filter
  • Size filter
  • Trend Micro Apex One as a Service
  • TXOne EdgeOne (on-premises)
firmalware
  • string[]
-
The Deep Discovery Inspector firmware version
  • 2017-12-01 15:05:07-05:00 3.83.1170 5.0.1555
  • 2020-11-13 18:04:29-05:00 5.0.1555 5.5.1200
  • 2020-11-13 18:43:30-05:00 5.5.1200 5.7.1178
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
firstAct
  • string
-
The first scan action
  • Pass
  • Quarantine
  • Clean
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
firstActResult
  • string
-
The first scan action result
  • File passed
  • Unable to quarantine file
  • File quarantined
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
firstSeen
  • int64
-
The first time the XDR log appeared
  • 1657195233000
  • Trend Micro Cloud App Security
  • TXOne Stellar (on-premises)
  • Data Detection and Response
flowId
  • string
-
The connection ID
  • 6717474604962545666
  • 6915244861077872618
  • 6915244908215815814
  • XDR add-on: Deep Discovery Inspector
  • Palo Alto Networks Next-Generation Firewalls
forensicFileHash
  • string
-
The hash value of the forensic data file
  • 177844c5927d0f20da06d79d986c7e7f8c7a3b6a
  • da39a3ee5e6b4b0d3255bfef95601890afd80709
  • 8dab234ab6cd96301f9452994f015a449d629edd
  • Trend Micro Apex One as a Service
forensicFilePath
  • string
-
The file path of the forensic file (When a Data Loss Prevention policy is triggered, the file is encrypted and copied to the OfficeScan server for post-mortem analysis.)
  • C:\Program Files (x86)\Trend Micro\OfficeScan Client\dlplite\forensic\frnsc_200411DC0594_xml_00000000000_20220314_132326281
  • C:\Program Files (x86)\Trend Micro\OfficeScan Client\dlplite\forensic\frnsc_CIL-OPRCOGEN_docx_00000000000_20211025_225445873
  • C:\Program Files (x86)\Trend Micro\OfficeScan Client\dlplite\forensic\frnsc_SHA-ESHOU_h265_00000000000_20220601_082417865
  • Trend Micro Apex One as a Service
ftpUser
  • string
-
The FTP sign-in user name
  • USER\TREND
  • User
  • ftpuser_service
  • Trend Micro Apex One as a Service
fullPath
  • string
  • FileFullPath
The combination of the file path and the file name
  • \etc\hosts
  • c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask
  • \var\log\auth.log
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Deep Security
  • TXOne Stellar (on-premises)
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Cloud Sentry
  • Trend Cloud One - Container Security
groupId
  • string
-
The group ID for the management scope filter
  • 00000000-0000-0000-0000-000000000000
  • Security Analytics Engine
groups
  • string
-
The OSSEC rule group names
  • auditd,audit,
  • dirservice_log,authentication_failure,
  • windows,authentication_failures,
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
hasdtasres
  • string
-
Whether the log contains a report from Virtual Analyzer
  • No
  • Yes
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
highlightMailMsgSubject
  • string
-
The email subject
  • Delivery Status
  • Undelivered Mail Returned to Sender
  • Successful Mail Delivery Report
  • Trend Micro Email Security
highlightedFileHashes
  • string[]
  • FileSHA1
The SHA-1 hashes of the highlighted file
  • C9877617DB6715792F9D5C959C1E8D4E56D0C281
  • 0340A8EE3AD2990E3EDCDB2E471EAA45B4286722
  • 0E56D9540B07ED15EF745348D35C72A6A00A0BD9
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Email Sensor
highlightedFileName
  • string[]
-
The file names of suspicious attachments
  • detect_me.zip
  • covid.zip
  • Trend Micro Cloud App Security
  • Email Sensor
hostName
  • string
  • DomainName
  • HostDomain
The computer name of the client host (the hostname from the suspicious URL detected by Deep Discovery Inspector)
  • Let's Encrypt
  • 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • TXOne EdgeOne (on-premises)
  • Palo Alto Networks Next-Generation Firewalls
hostSeverity
  • int32
-
The severity of the threat (specific to the interestedIp)
  • 1
  • 2
  • 4
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
hotFix
  • string[]
-
The applied Deep Discovery Inspector hotfix version
  • 2021-07-22 15:08:01+08:00 Hotfix 1042 hfb1042 Apply
  • 2021-12-22 09:03:42-06:00 Hotfix 1211 hfb1211 Apply
  • 2022-03-30 13:16:28-07:00 Hotfix 1218 hfb1218 Apply
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
httpReferer
  • string
  • URL
The HTTP referer
  • http://172.16.58.233/
  • http://example/page1/
  • https://www.google.com/
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
httpRespContentType
  • string
-
The HTTP response data content type
  • Application/json
  • Palo Alto Networks Next-Generation Firewalls
httpXForwardedFor
  • string
-
The HTTP X-Forwarded-For header
  • 10.10.10.10
  • Palo Alto Networks Next-Generation Firewalls
icmpCode
  • int32
-
The ICMP protocol code field
  • 0
  • Trend Micro Mobile Network Security
icmpType
  • int32
-
The ICMP protocol type
  • 0
  • 3
  • Trend Micro Mobile Network Security
instanceId
  • string
-
The ID of the instance that indicates the meta-cloud or data center VM
  • 52294e7b-f732-c6e9-b2c3-7a6b6f50d101
  • 00030912-c5e7-4348-9012-7c684751c531
  • 0008ae58-db0c-34ee-3e5c-5dfc9b10a739
  • i-0b22a22eec53b9321
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Cloud One - Cloud Sentry
  • Trend Micro Mobile Network Security
instanceName
  • string
-
The name of the instance that indicates the meta-cloud or data center VM
  • instapecot-1
  • Trend Micro Mobile Network Security
integrityLevel
  • int32
-
The integrity level of a process
  • 16384
  • XDR Endpoint Sensor
interestedGroup
  • string
-
The network group associated with the user-defined source IP or destination IP
  • Default
  • Rede DATACENTER Lumen/FORTIGATE - AD ESTACIO CORP
  • Data Center Services DL_Deployed Block
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
interestedHost
  • string
  • DomainName
The endpoint hostname
  • 10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0]
  • es-dtc-w-dc02.example.corp
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
interestedIp
  • string[]
  • IPv4
  • IPv6
The IP of the interestedHost
  • 10.10.10.10
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
  • TippingPoint Security Management System
  • Trend Cloud One - Network Security
  • TXOne EdgeOne (on-premises)
interestedMacAddress
  • string
-
The log owner MAC address
  • 00:00:00:00:00:00
  • ff:ff:ff:ff:ff:ff
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • TXOne EdgeOne (on-premises)
ircChannelName
  • string
-
The IRC channel name
  • ManageEngine
  • unknown
  • Global Product Delivery Group
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
ircUserName
  • string
-
The IRC user name
  • R3
  • ManageEngineCA
  • DigiCert TLS RSA SHA256 2020 CA1
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
isEntity
  • string
-
The current entity (or after change/modification)
  • {"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"running","name":"state","value":"4"}]}
  • {"key":"<example>":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"stopped","name":"state","value":"1"}]}
  • {"key":"<example>","type":"File","attributes":[]}
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
isHidden
  • string
-
Whether the detection log generated a grey rule match
  • Yes
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
isPrivateApp
  • bool
-
Whether the requested application is private
  • true
  • false
  • Trend Vision One Zero Trust Secure Access Internet Access
isProxy
  • bool
-
Whether something is a proxy
  • false
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
isRetroScan
  • bool
-
Whether the event matches the Security Analytics Engine filter
  • true
  • Security Analytics Engine
ja3Hash
  • string
-
The fingerprint of an SSL/TLS client application as detected via a network sensor or device
  • 72a589da586844d7f0818ce684948eea
  • cd08e31494f9531f560d64c695473da9
  • 6dca00d8741247e245e4f2a632f1e62b
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
ja3sHash
  • string
-
The fingerprint of an SSL/TLS server application as detected via a network sensor or device
  • e54965894d6b45ecb4323c7ea3d6c115
  • ec74a5c51106f0419184d0dd08fb05bc
  • ba1b42efc7dc57bb43bf81de59791c1b
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
k8sNamespace
  • string
-
The Kubernetes namespace of the container
  • default
  • Trend Cloud One - Container Security
k8sPodId
  • string
-
The Kubernetes pod ID of the container
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
  • Trend Cloud One - Container Security
k8sPodName
  • string
-
The Kubernetes pod name of the container
  • ubuntu-ds-fp2jk
  • Trend Cloud One - Container Security
lastSeen
  • int64
-
The last time the XDR log appeared
  • 1657195233000
  • Trend Micro Cloud App Security
  • TXOne Stellar (on-premises)
  • Data Detection and Response
lineageId
  • string
-
The lineage ID
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
  • Data Detection and Response
logKey
  • string
-
The unique key of the event
  • 123e4567-e89b-12d3-a456-426614174000
  • 987f6543-21ba-43cd-9e8f-123456789abc
  • 456789ab-cdef-1234-5678-9abcdef01234
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • TippingPoint Security Management System
  • XDR Endpoint Sensor
  • Trend Micro Web Security
  • Trend Cloud One - Network Security
  • Trend Vision One Zero Trust Secure Access Internet Access
logReceivedTime
  • int64
-
The time when the XDR log was received
  • 1656324260000
  • Security Analytics Engine
logonUsers
  • string[]
-
The telemetry events that match the Security Analytics Engine filter
  • BHBShortJ
  • Security Analytics Engine
  • Data Detection and Response
mDevice
  • string[]
-
The source IP
  • 10.10.10.10
  • fe80::1234:5678:9abc:def0
  • Trend Micro Apex One as a Service
mDeviceGUID
  • string
-
The GUID of the agent host
  • C5B09EDD-C725-907F-29D9-B8C30D18C48F
  • C05B75AB-B518-BDD0-D2B5-E9CB631C539F
  • 9C28ACD3-D0EC-22A4-B08D-5B0BEFF501FC
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
mailDeliveryTime
  • string
-
The mail delivery time
  • 1900-1-1 00:00:00
  • Trend Micro Apex One as a Service
mailFolder
  • string
-
The email folder name
  • CATEGORY_PROMOTIONS, UNREAD, INBOX
  • UNREAD, CATEGORY_PERSONAL, INBOX
  • UNREAD, CATEGORY_UPDATES, INBOX
  • Trend Micro Cloud App Security
mailMsgId
  • string
-
The internet message ID of the email
  • <sample_email@trendmicro.com>
  • Trend Micro Cloud App Security
mailMsgSubject
  • string
  • EmailSubject
The email subject
  • FW. mail subject
  • ManageEngine
  • Trend Micro Cloud App Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Email Security
  • Trend Micro Apex One as a Service
  • Email Sensor
  • Palo Alto Networks Next-Generation Firewalls
mailReceivedTime
  • string
-
The mail received timestamp
-
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
mailSmtpFromAddresses
  • string[]
-
The envelope address of the sender
  • sample_email@trendmicro.com
  • Trend Micro Email Security
mailSmtpHelo
  • string
-
The domain name of the email server by using the SMTP HELO command
  • example.com
  • Trend Micro Email Security
mailSmtpOriginalRecipients
  • string[]
-
The envelope addresses of the original recipients
  • sample_email@trendmicro.com
  • Trend Micro Email Security
mailSmtpRecipients
  • string[]
-
The envelope addresses of the current recipients
  • sample_email@trendmicro.com
  • Trend Micro Email Security
mailSmtpTls
  • string
-
The SMTP TLS version
  • noTLS
  • TLS 1.2
  • TLS 1.3
  • Trend Micro Email Security
mailUniqueId
  • string
-
The unique ID of the email
  • example_unique_id_1
  • example_unique_id_2
  • example_unique_id_3
  • Trend Micro Cloud App Security
mailbox
  • string
-
The mailbox that is protected by Trend Micro
  • sample_email@trendmicro.com
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Trend Vision One Mobile Security
  • Email Sensor
majorVirusType
  • string
-
The virus type
  • Virus
  • Suspicious Activity
  • Trojan
  • TROJ
  • Trend Micro Deep Security
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Vision One Mobile Security
  • TXOne EdgeOne (on-premises)
  • TXOne Stellar (on-premises)
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Cloud Sentry
malDst
  • string
-
The malware infection destination
  • 3334_02W3P7
  • 2666_02N413
  • 3334_02NHEL
  • Trend Micro Apex One as a Service
malFamily
  • string
-
The threat family
  • EQUATED
  • STARTER
  • 0
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Vision One File Security
malName
  • string
-
The name of the detected malware
  • SecurityLevelDrop
  • Regla Logs All
  • USR_SUSPICIOUS_DOMAIN.UMXX
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Deep Security
  • Trend Micro Web Security
  • TXOne Stellar (on-premises)
  • Email Sensor
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Cloud Sentry
  • Trend Cloud One - Container Security
malSrc
  • string
  • FileFullPath
The malware infection source
  • \\10.172.1.33\kortiz
  • \\10.240.0.148\wbind
  • \\10.240.1.69\MT26933059
  • Trend Micro Apex One as a Service
  • Trend Micro Mobile Network Security
malSubType
  • string
-
The subsidiary virus type
  • Unknown
  • Trend Micro Apex One as a Service
  • Trend Vision One File Security
malType
  • string
-
The risk type for Network Content Correlation Engine rules
  • OTHERS
  • MALWARE
  • Others
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • Trend Vision One File Security
  • Trend Cloud One - Container Security
malTypeGroup
  • string
-
The risk type group for Network Content Correlation Engine rules
  • Others
  • Malware
  • Spyware
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Vision One File Security
matchedContent
  • string[]
-
The one-to-many data structure
  • -
  • -
  • Trend Micro Apex One as a Service
mimeType
  • string
-
The MIME type or content type of the response body
  • application/octet-stream
  • application/json; charset=utf-8
  • application/json
  • Trend Vision One Zero Trust Secure Access Internet Access
minorVirusType
  • string
-
The minor virus type
  • RANSOMWARE
  • BANKER
  • CREDENTIAL
  • Trend Vision One Mobile Security
mitigationTaskId
  • string
-
The unique ID to identify the mitigation request
  • 09dcd06f-2f9c-4bab-8114-f823620fecb6
  • 0ed72c3c-05af-4c16-b2c4-789eaeccb944
  • 0f29cfc3-954a-4fd9-954e-bf14f7253d20
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
mitreMapping
  • string[]
-
The MITRE tags
  • T1090 (TA0011)
  • T1071 (TA0011)
  • T1071.001 (TA0011)
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
mitreVersion
  • string
-
The MITRE version
  • v9
  • v6
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
moduleScanType
  • string
-
The module scan type
  • traditional
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
mpname
  • string
-
The management product name
  • Cloud One - Workload Security
  • Apex Central
  • Deep Security Software
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • TippingPoint Security Management System
  • XDR Endpoint Sensor
  • Trend Cloud One - Network Security
mpver
  • string
-
The product version
  • Microsoft-Windows-Security-Auditing
  • Level -- Medium security
  • TASK1
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
msgAct
  • string
-
The message action
  • Quarantine
  • Deliver
  • Trend Micro Apex One as a Service
msgId
  • string
  • EmailMessageID
The internet message ID
  • 66.6.00.0006
  • example.test.com
  • dameware1svr
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Email Sensor
msgTOCUuid
  • string
-
The email unique ID
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
msgUuid
  • string
-
The unique email ID
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Email Sensor
msgUuidChain
  • string
-
The message UUID chain
  • 00027ac3-f8f2-cc8f-d078-3a57f12f3d55;00027ac3-f8f2-cc8f-d078-3a57f12f3d55
  • 0005ab64-3992-644c-3592-503c3610cec9;0005ab64-3992-644c-3592-503c3610cec9
  • 00062621-fec4-9e4d-7609-25b2b3189214;00062621-fec4-9e4d-7609-25b2b3189214
  • Trend Micro Email Security
netBiosDomainName
  • string
  • DomainName
The NetBIOS domain name
  • TREND
  • Microsoft Active Directory
objectActions
  • string[]
-
The object process actions
  • ProcessDump
  • FileCollection
  • XDR Endpoint Sensor
objectApiName
  • string
-
The API name
  • GetIpNetTable
  • XDR Endpoint Sensor
objectArtifactIds
  • string[]
-
The artifact IDs generated by objectAction
  • 00000000-0000-0000-0000-000000000000_0.dmp
  • 11111111-1111-1111-1111-111111111111_2.bak
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectAttributes
  • string
-
The object attributes
  • attribute
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectCmd
  • string[]
  • CLICommand
The object process command line
  • C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
  • "C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass "& 'C:\WINDOWS\CCM\SystemTemp\afd6f0e5-e491-4764-a20a-9f1d9edf3cce.ps1'"
  • C:\WINDOWS\system32\lsass.exe
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
objectEntityName
  • string
-
The object entity name
  • any_process
  • exe_file
  • powershell
  • Trend Micro Apex One as a Service
objectFileAccess
  • string
-
The object file access details
  • 1717658631000
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectFileCreation
  • string
-
The UTC time that the object was created
  • 2014-11-22T01:45:51-06:00
  • 2009-07-13T23:31:13-05:00
  • 2014-11-21T02:43:28-05:00
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectFileHashMd5
  • string
  • FileMD5
The MD5 of the object
  • 801E8003C257C8F540B20F1E0DECD3A6
  • CDA48FC75952AD12D99E526D0B6BF70A
  • D5120786925038601A77C2E1EB9A3A0A
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectFileHashSha1
  • string
  • FileSHA1
The SHA-1 of the objectFilePath object
  • 51B8646308EE0B68AD1F7F1291B85395434DE49A
  • 36C5D12033B2EAF251BAE61C00690FFB17FDDC87
  • 2586528000199793730B05D3F169BCF139E4D7A1
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectFileHashSha256
  • string
  • FileSHA2
The SHA-256 of the object (objectFilePath)
  • A75C85F3B089993E9C042FB82ECB7757E8F460ED8065FC7991CAA38A6DE0F50C
  • 908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53
  • 1A2ABAAD8A166B66CA35AB51C7432C5A7E46996472C8174281842896408D7F96
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectFileModified
  • string
-
The UTC time that the object was modified
  • 2024-10-10T10:10:10.0000000Z
  • 2024-11-11T11:11:11.0000000Z
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectFileName
  • string
  • FileName
The object file name
  • powershell.exe
  • wmiprvse.exe
  • dismhost.exe
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Container Security
objectFilePath
  • string
  • FileFullPath
The file path of the target process image or target file
  • c:\windows\system32\windowspowershell\v1.0\powershell.exe
  • zwwritevirtualmemory
  • c:\windows\system32\wbem\wmiprvse.exe
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Cloud One - Container Security
objectFirstRecorded
  • string
-
The first time that the object appeared
-
  • Trend Micro Apex One as a Service
objectId
  • string
-
The UUID of the object
  • 3
  • 2
  • Trend Micro Apex One as a Service
  • Trend Vision One Zero Trust Secure Access Private Access
objectIp
  • string[]
  • IPv4
  • IPv6
The IP address of the domain
  • 10.10.10.10
  • Trend Cloud One - Endpoint & Workload Security
objectName
  • string
-
The base name of the object file or process
  • net.exe
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectPayloadFileHashSha1
  • string
  • FileSHA1
The SHA-1 of the object payload file
-
objectPipeName
  • string
-
The object pipe name
  • \\.\pipe\F451F406BD
  • XDR Endpoint Sensor
objectRegistryData
  • string
  • RegistryValueData
The registry data contents
  • C:\Program Files\AlertMedia\AlertMedia Desktop Notifications\AlertMedia.exe
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectRegistryKeyHandle
  • string
  • RegistryKey
The registry key path
  • HKCR\CID\{00000000-0000-0000-0000-000000000001}
  • HKLM\SOFTWARE\WOW6432Node\Eos
  • HKCU\SOFTWARE\Cerner\InstantAccess
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectRegistryRoot
  • string
-
The name of the object registry root key
  • HKCR
  • HKLM
  • HKCU
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectRegistryValue
  • string
  • RegistryValue
The registry value name
  • 1
  • key
  • reg
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectSigner
  • string[]
-
The list of object process signers
  • Microsoft Windows
  • Microsoft Windows Publisher
  • SecureWorks Inc
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
objectSignerFlagsAdhoc
  • bool[]
-
The list of object process signature adhoc flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One
objectSignerFlagsLibValid
  • bool[]
-
The list of object process signature library validation flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One
objectSignerFlagsRuntime
  • bool[]
-
The list of object process signature runtime flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One
objectSignerValid
  • bool[]
-
Whether each signer of the object process is valid
-
  • XDR Endpoint Sensor
objectSubType
  • string
-
The sub-types of the policy event (displayed when a policy event has sub-types)
  • Spam Others
  • malware
  • ContentFiltering
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
objectTargetProcess
  • string
-
The file path of the target process that the API performs
  • C:\\Windows\\System32\\lsass.exe
objectType
  • string
-
The object type
  • file
  • process
  • qil
  • Trend Micro Cloud App Security
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Email Security
  • XDR Endpoint Sensor
  • Trend Vision One File Security
objectUser
  • string
  • UserAccount
The owner name of the target process or the sign-in user name
  • Système
  • SYSTEM
  • SISTEMA
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectUserDomain
  • string
-
The owner domain of the target process
  • NT AUTHORITY
  • UNEB
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
oldFileHash
  • string
  • FileSHA1
The SHA-1 of the target process image or target file (wasEntity from an IM event)
  • DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F
  • 57247B810B0EE61DD86CE24AC14097B9B5405EEC
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
online
  • string
-
Whether the endpoint is online
  • Yes
  • No
  • Trend Micro Apex One as a Service
orgId
  • string
-
The organization ID
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
  • Trend Micro Cloud App Security
  • Email Sensor
originEventSourceType
  • string
-
The event source type of the original events which matches the Security Analytics Engine filter
  • EVENT_SOURCE_TELEMETRY
  • Security Analytics Engine
originUUID
  • string[]
-
The UUID of the original events which matches the Security Analytics Engine filter
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
  • Security Analytics Engine
originalFileHashes
  • string[]
  • FileSHA1
The hashes of the original file
  • ba4700bfd55741c657a99fbe416787835fb384da
  • 639dfe4a69c1e6aace1e4eece3b3bb25af6a1392
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
originalFilePaths
  • string[]
  • FileFullPath
  • FileName
The paths of the original file
  • C:\\Users\\user_name\\Downloads\\run.exe
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
osName
  • string
-
The host OS name
  • windows 10.0.22000
  • windows 10.0.19044
  • windows 10.0.19043
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Vision One Mobile Security
  • Trend Vision One Zero Trust Secure Access Private Access
  • Data Detection and Response
osVer
  • string
-
The OS version
  • 11
  • Trend Vision One Mobile Security
  • Trend Vision One Zero Trust Secure Access Private Access
  • Data Detection and Response
out
  • int64
-
The IP datagram length (in bytes)
  • 0
  • 439
  • 1314
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
overSsl
  • string
-
Whether the event was triggered by an SSL decryption stream (displayed only when SSL Inspection is supported)
  • Not over SSL/TLS
  • 0
  • Over SSL/TLS
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • TippingPoint Security Management System
  • Trend Cloud One - Network Security
pAttackPhase
  • string
-
The category of the primary Attack Phase
  • Lateral Movement
  • Point of Entry
  • Asset and Data Discovery
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
pComp
  • string
-
The component that made the detection
  • CAV
  • NCIE
  • TMUFE
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
pTags
  • string
-
The event tagging system
  • attack-T1059.001, mitre attack detection
  • suppress_alert
  • SMB
  • Trend Micro Deep Security
parentCmd
  • string
  • CLICommand
The command line of the subject parent process
  • "C:\Tiburon\CommandCAD\Test\Startup.exe"
  • C:\WINDOWS\Explorer.EXE
  • C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Appinfo
  • XDR Endpoint Sensor
  • Trend Cloud One - Container Security
parentFileHashMd5
  • string
  • FileMD5
The MD5 of the subject parent process
  • 7B9E6D992AA86F0D2ECDF8F65A6BB792
  • 2B47C89252BB932B292122E54C3DAF25
  • CD10CB894BE2128FCA0BF0E2B0C27C16
  • XDR Endpoint Sensor
parentFileHashSha1
  • string
  • FileSHA1
The SHA-1 of the subject parent process
  • 9CF40F19A625F7033689D04F4C8E1CC6A8FA4F5B
  • 799AB02945EDB9A37A42A3F742DE73165F4A9665
  • 1F912D4BEC338EF10B7C9F19976286F8ACC4EB97
  • XDR Endpoint Sensor
parentFileHashSha256
  • string
  • FileSHA2
The SHA-256 of the subject parent process
  • 14A1223722D486ABBC88682AB49AF8E56DC65AC4E153027985BFFFF7C815C0EC
  • 2EF51284CA9211ADEC3E8E095F386FEC742E0532075894AE99024C65949F935E
  • F3FEB95E7BCFB0766A694D93FCA29EDA7E2CA977C2395B4BE75242814EB6D881
  • XDR Endpoint Sensor
  • TXOne Stellar (on-premises)
parentFilePath
  • string
  • FileFullPath
The full file path of the parent process
  • c:\windows\explorer.exe
  • c:\tiburon\commandcad\test\startup.exe
  • c:\windows\system32\svchost.exe
  • XDR Endpoint Sensor
parentHashId
  • int64
-
The FNV of the parent process
  • -1364311042632324339
  • 1879227689087156956
  • 4246064157470561345
  • XDR Endpoint Sensor
parentIntegrityLevel
  • int32
-
The integrity level of a parent
  • 16384
  • XDR Endpoint Sensor
parentName
  • string
-
The image name of the parent process
  • explorer.exe
  • startup.exe
  • svchost.exe
  • XDR Endpoint Sensor
  • Trend Cloud One - Container Security
parentPayloadSigner
  • string[]
-
The signer name list of the parent process payload
  • Microsoft Windows
  • Microsoft Windows Publisher
  • XDR Endpoint Sensor
parentPayloadSignerFlagsAdhoc
  • bool[]
-
The list of parent process payload signature adhoc flags
-
  • XDR Endpoint Sensor
parentPayloadSignerFlagsLibValid
  • bool[]
-
The list of parent process payload signature library validation flags
-
  • XDR Endpoint Sensor
parentPayloadSignerFlagsRuntime
  • bool[]
-
The list of parent process payload signature runtime flags
-
  • XDR Endpoint Sensor
parentPayloadSignerValid
  • bool[]
-
Whether each signer of the parent process payload is valid
-
  • XDR Endpoint Sensor
parentPid
  • int32
-
The PID of the parent process
-
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Deep Security
  • Trend Cloud One - Container Security
parentSigner
  • string[]
-
The signers of the parent process
  • Microsoft Windows
  • Microsoft Windows Publisher
  • Azul Systems, Inc.
  • XDR Endpoint Sensor
parentSignerFlagsAdhoc
  • bool[]
-
The list of parent process signature adhoc flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One
parentSignerFlagsLibValid
  • bool[]
-
The list of parent process signature library validation flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One
parentSignerFlagsRuntime
  • bool[]
-
The list of parent process signature runtime flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One
parentSignerValid
  • bool[]
-
Whether each signer of the parent process is valid
-
  • XDR Endpoint Sensor
parentUser
  • string
-
The account name of the parent process
  • Administrator
  • Trend Cloud One - Endpoint & Workload Security
parentUserDomain
  • string
-
The domain name of the parent process
  • builtindomain
  • Trend Cloud One - Endpoint & Workload Security
patType
  • string
-
The pattern type
  • NCIE CNC Pattern
  • NCIE RR Pattern
  • NCIE User Define Block List
  • Trend Micro Apex One as a Service
patVer
  • string
-
The version of the behavior pattern
  • 35.1053.00
  • 630
  • 35.1071.00
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Micro Cloud App Security
pcapUUID
  • string
-
The PCAP file UUID
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
peerEndpointGUID
  • string
-
The endpoint GUID of the agent peer host
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Cloud One - Network Security
  • TippingPoint Security Management System
peerGroup
  • string
-
The peer IP group
  • Default
  • Rede DATACENTER Lumen/PALOALTO VPNSSL - VPN CLIENT
  • UHS
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
peerHost
  • string
  • DomainName
The hostname of peerIp
  • dns.google
  • 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
peerIp
  • string[]
  • IPv4
  • IPv6
The IP of peerHost
  • 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
pname
  • string
-
The internal product ID
  • Trend Micro Deep Security
  • Deep Discovery Inspector
  • Apex One
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • TippingPoint Security Management System
  • XDR Endpoint Sensor
  • Trend Micro Web Security
  • Trend Cloud One - Network Security
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Vision One Mobile Security
  • Trend Cloud One - Container Security
  • Email Sensor
  • Palo Alto Networks Next-Generation Firewalls
policyId
  • string
-
The policy ID of which the event was detected
  • 00000001-0001-0001-0001-000000007610
  • 007
  • 003
  • TM000001
  • TippingPoint Security Management System
  • Trend Micro Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Cloud One - Network Security
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • Trend Cloud One - Container Security
policyName
  • string
-
The name of the triggered policy
  • Steelcase
  • Cabot
  • Tigre - Medium Policy
  • apiPostedPolicy
  • Trend Micro Apex One as a Service
  • Trend Micro Cloud App Security
  • Trend Micro Web Security
  • Trend Micro Email Security
  • Trend Vision One Zero Trust Secure Access Internet Access
  • TXOne EdgeOne (on-premises)
  • Trend Cloud One - Container Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Micro Mobile Network Security
policyTemplate
  • string[]
-
The one-to-many data structure
  • policyName:Monitoreo All Files, template:Managed - All files
  • policyName:HSS DLP, template:All File Extension
  • India: Mobile Numbers
  • Trend Micro Apex One as a Service
  • Trend Micro Cloud App Security
  • Trend Vision One Zero Trust Secure Access Internet Access
policyTreePath
  • string
-
The policy tree path
  • policyname1/policyname2/policyname3
  • Security Analytics Engine
policyUuid
  • string
-
The UUID of the cloud access or risk control policy, or the hard-coded string that indicates the rule of the global blocked/approved URL list
  • 7937cb0b-e598-4c8f-a50f-65c32905ba3a
  • C!7c4433e3-5b2c-449f-b66e-ccaac006b6f1
  • 8d265639-7202-4455-b640-48683aa2b57d
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Vision One Zero Trust Secure Access Private Access
  • Palo Alto Networks Next-Generation Firewalls
potentialRisk
  • string
-
Whether there is potential risk
  • 1
  • 0
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
principalName
  • string
-
The user principal name used to sign in to the proxy
  • sample_email@trendmicro.com
  • Trend Micro Web Security
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Micro Cloud App Security
  • Trend Vision One Zero Trust Secure Access Private Access
processActions
  • string[]
-
The process actions
  • ProcessDump
  • FileCollection
  • XDR Endpoint Sensor
processArtifactIds
  • string[]
-
The artifact IDs generated by processAction
  • 00000000-0000-0000-0000-000000000000_1.dmp
  • 11111111-1111-1111-1111-111111111111_2.bak
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
processCmd
  • string
  • CLICommand
The subject process command line
  • "C:\Program Files (x86)\AADM\AADM.exe"
  • /usr/lib/inet/sendmail -bl -q15m
  • ComDir
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Container Security
processFileCreation
  • string
-
The Unix time of object creation
  • 1645828113585
  • 1655412594237
  • 1647162053219
  • Trend Cloud One - Endpoint & Workload Security
processFileHashMd5
  • string
  • FileMD5
The MD5 of the subject process
  • D07ADD0CE6E000D3CD20193B891E8ED3
  • 1a9ba93ebe4cb60030831f8ce9e7d5f9
  • EEE6691B48D2FB604DDF0CBC90D75B0E
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
processFileHashSha1
  • string
  • FileSHA1
The SHA-1 of the subject process
  • C0885381EBAC94AB20E78936434FA208F6B65352
  • ac373ed32b491da22924e2e11e36574e5d582a35
  • DF93F7DF887E86C3B56539B5046B286001C6F150
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileHashSha256
  • string
  • FileSHA2
The SHA-256 of the subject process
  • 4314A869B8DAE1BD3FFF810B1366E90FB7C961D4A3424260692377FDD87361D2
  • 7824c45fc033696603fe97d8f193a1872dfb2b5db75f0cda21df27017b3cb623
  • 1A6D5986EFEAE89308D9EE11B4A7907012603392E0E66D0E529DB09DF1B4CB64
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
processFilePath
  • string
  • ProcessFullPath
  • FileFullPath
  • FileName
The file path of the subject process
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\windowspowershell\v1.0\powershell.exe
  • c:\windows\syswow64\srts\wmipr.exe
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
processHashId
  • int64
-
The FNV of the subject process
  • -2965450813604216022
  • 7111735426732308768
  • -7600358934761747729
  • XDR Endpoint Sensor
processImageFileNames
  • string[]
-
The process image file names of detected backup artifacts
  • C:\Program Files\aaa\bbb\objprocess.exe
  • C:\Program Files\ccc\ddd\sample.exe
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
processImagePath
  • string
-
The process triggered by the file event
  • c:\windows\system32\svchost.exe
  • /usr/bin/python2.7
  • /usr/bin/sed
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Deep Security
  • Trend Cloud One - Container Security
processLaunchTime
  • string
-
The time the subject process was launched
  • 1656400286556
  • 1656566610259
  • 1656587180493
  • Trend Cloud One - Endpoint & Workload Security
processName
  • string
  • ProcessName
The image name of the process that triggered the event
  • c:\windows\system32\svchost.exe
  • /usr/bin/python2.7
  • /usr/bin/sed
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Micro Deep Security
  • Trend Cloud One - Container Security
  • Trend Micro Apex One as a Service
processPayloadSigner
  • string[]
-
The signer name list of the process payload
  • Microsoft Windows
  • Microsoft Windows Publisher
  • XDR Endpoint Sensor
processPayloadSignerFlagsAdhoc
  • bool[]
-
The list of process payload signature adhoc flags
-
  • XDR Endpoint Sensor
processPayloadSignerFlagsLibValid
  • bool[]
-
The list of process payload signature library validation flags
-
  • XDR Endpoint Sensor
processPayloadSignerFlagsRuntime
  • bool[]
-
The list of process payload signature runtime flags
-
  • XDR Endpoint Sensor
processPayloadSignerValid
  • bool[]
-
Whether each signer of the process payload is valid
-
  • XDR Endpoint Sensor
processPid
  • int32
-
The PID of the subject process
-
  • Trend Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Trend Cloud One - Container Security
processPkgName
  • string
-
The process package name
  • MSTeams
  • Microsoft.SkypeApp
  • XDR Endpoint Sensor
processSigner
  • string[]
-
The signer name list of the subject process
  • Microsoft Windows
  • Microsoft Windows Publisher
  • XDR Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
processSignerFlagsAdhoc
  • bool[]
-
The list of process signature adhoc flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One
processSignerFlagsLibValid
  • bool[]
-
The list of process signature library validation flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One
processSignerFlagsRuntime
  • bool[]
-
The list of process signature runtime flags
-
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One
processUser
  • string
  • UserAccount
The user name of the process or the file creator
  • SYSTEM
  • SVC_JENKINS_CODE_DEV
  • NETWORK SERVICE
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
processUserDomain
  • string
-
The owner domain of the subject process image
  • NT AUTHORITY
  • DOMAINBA
  • PAEDMZ
  • Trend Cloud One - Endpoint & Workload Security
productCode
  • string
-
The internal product code
  • sds
  • pdi
  • xns
  • sao
  • Security Analytics Engine
  • Palo Alto Networks Next-Generation Firewalls
profile
  • string
-
The name of the triggered Threat Protection template or Data Loss Prevention profile
  • Primary Protection Rule
  • Multibak Scaner Threat
  • default
  • Trend Micro Web Security
  • Trend Vision One Zero Trust Secure Access Internet Access
proto
  • string
-
The exploited layer network protocol
  • 6
  • TCP
  • 17
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • TXOne EdgeOne (on-premises)
  • Trend Cloud One - Container Security
  • Trend Micro Mobile Network Security
protoFlag
  • string
-
The data flags
  • ACK PSH DF=1
  • ACK DF=1
  • DF=1
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
pver
  • string
-
The product version
  • 20.0.0.4726
  • 20.0.0.4416
  • 6.2.1125
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
  • TippingPoint Security Management System
  • Trend Cloud One - Network Security
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Vision One Mobile Security
  • Trend Cloud One - Container Security
  • Trend Vision One File Security
  • Trend Cloud One – File Storage Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Cloud One - Cloud Sentry
quarantineFileName
  • string
-
The file path of the quarantined object
  • C:\Program Files\TXOne\StellarProtect\private\quarantine\00000000-0000-0000-0000-000000000000
  • TXOne Stellar (on-premises)
quarantineFilePath
  • string
-
The OfficeScan server file path for the quarantined file
-
quarantineType
  • string
-
The descriptive name for the quarantine area
  • 0
  • 1
  • 538
  • Trend Micro Apex One as a Service
rating
  • string
-
The credibility level
  • Safe
  • Unknown
  • Dangerous
  • Trend Micro Apex One as a Service
rawDstIp
  • string
  • IPv4
  • IPv6
The destination IP without replacement
  • 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
rawDstPort
  • int32
  • Port
The destination port without replacement
  • 33186
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
rawSrcIp
  • string
  • IPv4
  • IPv6
The source IP without replacement
  • 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
rawSrcPort
  • int32
  • Port
The source port without replacement
  • 80
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
regionCode
  • string
-
The AWS Region code
  • us-east-1
  • Trend Cloud One – File Storage Security
  • Trend Cloud One - Cloud Sentry
regionId
  • string
-
The cloud asset region
  • US East (N. Virginia)
  • Europe (Frankfurt)
  • Trend Cloud One - Endpoint & Workload Security
remarks
  • string
-
The additional information
  • warning: fork: Resource temporarily unavailable
  • pam_unix(cron:session): session opened for user root by (uid=0)
  • WinEvtLog: Application: AUDIT_FAILURE(18470): MSSQL$SA: (no user): no domain: EXAMPLE.com: Login failed for user 'example_user'. Reason: The account is disabled. [CLIENT: 10.10.10.10]
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Deep Security
  • Trend Micro Cloud App Security
  • Trend Micro Apex One as a Service
  • Trend Micro Email Security
  • Trend Cloud One - Network Security
  • TXOne EdgeOne (on-premises)
  • Email Sensor
  • Trend Vision One File Security
  • Trend Cloud One - Cloud Sentry
reportGUID
  • string
-
The GUID for Workbench to request report page data
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
  • Trend Micro Cloud App Security
  • Trend Vision One File Security
request
  • string
  • URL
The notable URLs
  • http://example.page.com/canonical.html
  • http://10.10.10.10
  • https://drive.google.com/
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • TippingPoint Security Management System
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Micro Cloud App Security
  • Trend Cloud One - Network Security
  • Trend Micro Email Security
  • Trend Micro Deep Security
  • Trend Vision One Mobile Security
  • Trend Vision One Zero Trust Secure Access Private Access
  • Palo Alto Networks Next-Generation Firewalls
requestBase
  • string
  • DomainName
  • HostDomain
The domain of the request URL
  • weather.service.msn.com
  • test.domain.com
  • Trend Micro Web Security
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Vision One Zero Trust Secure Access Private Access
requestClientApplication
  • string
-
The protocol user agent information
  • Microsoft-Delivery-Optimization/10.0
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
  • example Software GmbH
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
requestMethod
  • string
-
The network protocol request method
  • POST
  • Palo Alto Networks Next-Generation Firewalls
respCode
  • string
-
The network protocol response code
  • 302
  • 200
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
rewrittenUrl
  • string
-
The rewritten URL
  • https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fexample.io%2
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
riskConfidenceLevel
  • string
-
The risk confidence level
  • 0
  • 1
  • 2
  • Trend Micro Apex One as a Service
  • Trend Micro Cloud App Security
riskLevel
  • string
-
The risk level
  • 1
  • high
  • No Risk
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Cloud App Security
  • XDR Endpoint Sensor
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
rozRating
  • string
-
The overall Virtual Analyzer rating
  • 0
  • -1
  • 1
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
rtDate
  • string
-
The date of the log generation
  • 1655337600000
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
rtWeekDay
  • string
-
The weekday of the log generation
  • Monday
  • Tuesday
  • Friday
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
ruleId
  • int32
-
The rule ID
  • 1002795
  • 1003802
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Micro Mobile Network Security
ruleId64
  • int64
-
The IPS rule ID
  • 1134268
  • 4026531849
  • 4026531852
  • TXOne EdgeOne (on-premises)
  • Trend Micro Mobile Network Security
ruleIdStr
  • string
-
The rule ID
  • TM-00000043
  • Trend Cloud One - Container Security
ruleName
  • string
-
The name of the rule that triggered the event
  • Directory Server - Microsoft Windows Active Directory
  • Microsoft Windows Events
  • Microsoft Windows Security Events - 3
  • (T1234) New executable created (chmod)
  • Sensitive Files Upload to Personal Cloud
  • Multiple Sensitive Files Compression
  • Transfer Sensitive Files to Removable Storage
  • Move Multiple Sensitive Files to Central Location
  • Multiple Sensitive Files Modification
  • Multiple Sensitive Files Deletion
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • Trend Micro Cloud App Security
  • TippingPoint Security Management System
  • XDR Endpoint Sensor
  • Trend Micro Email Security
  • Trend Cloud One - Network Security
  • Trend Vision One Zero Trust Secure Access Private Access
  • Trend Cloud One - Container Security
  • Email Sensor
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Micro Mobile Network Security
  • Data Detection and Response
ruleSetId
  • string
-
The rule set ID
  • AllRules-1zSSZPsDqfqkcOt5vNsD6f383HN
  • Trend Cloud One - Container Security
ruleSetName
  • string
-
The rule set name
  • AllRules
  • Trend Cloud One - Container Security
  • Trend Cloud One - Network Security
  • TippingPoint Security Management System
ruleType
  • string
-
The access rule type
  • udso
  • point of entry
  • unknown
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Cloud App Security
  • Trend Vision One Zero Trust Secure Access Private Access
ruleUuid
  • string
-
The signature UUID from Digital Vaccine
  • 00000001-0001-0001-0001-000000007610
  • 00000001-0001-0001-0001-000000007120
  • 00000001-0001-0001-0001-000000017056
  • TippingPoint Security Management System
  • Trend Cloud One - Network Security
  • Trend Micro Cloud App Security
  • Trend Vision One Zero Trust Secure Access Private Access
ruleVer
  • string
-
The rule version
  • 202207060001
  • 202207190001
  • Trend Micro Cloud App Security
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Email Security
  • Email Sensor
sAttackPhase
  • string
-
The category of the second Attack Phase
  • Lateral Movement
  • Command and Control Communication
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
sOSClass
  • string
-
The source device OS class
  • Linux
  • Trend Micro Mobile Network Security
sOSName
  • string
-
The source OS
  • Windows
  • Windows 10
  • Windows XP
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Micro Mobile Network Security
sOSVendor
  • string
-
The source device OS vendor
  • Others
  • Trend Micro Mobile Network Security
sUser1
  • string
  • UserAccount
The latest sign-in user of the source
  • example\admin
  • example.us.com\account
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Palo Alto Networks Next-Generation Firewalls
scanTs
  • string
-
The mail scan time
-
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
scanType
  • string
-
The scan type
  • realtime_mailmeta-exchange
  • exchange_mailbox_realtime_detection_logs
  • gateway_realtime_blocking_traffic
  • malware_schedule_image
  • malware_schedule_file
  • malware_realtime_image
  • malware_realtime_file
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • Email Sensor
  • Trend Vision One File Security
  • Trend Cloud One - Cloud Sentry
  • Trend Cloud One - Container Security
schemaVersion
  • string
-
The schema version
  • 1.0
  • Trend Micro Cloud App Security
secondAct
  • string
-
The second scan action
  • Unknown
  • N/A
  • Deny Access
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
secondActResult
  • string
-
The result of the second scan action
  • Unknown
  • N/A
  • Access denied
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
sender
  • string
-
The roaming users or the gateway where the web traffic passed
  • test user
  • VE C&W - 10.10.10.10
  • Trend Micro Web Security
  • Trend Vision One Zero Trust Secure Access Internet Access
senderGUID
  • string
-
The sender GUID
  • 346648FC-9862-D2F0-F94C-FAB1A838ABD7
  • 36E5239E-EEBA-0100-C10E-C057E0455E1D
  • 9606BBD5-38A7-9024-83C8-9C88A2AF90CC
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
senderIp
  • string[]
-
The sender IP
  • 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Email Security
sessionEnd
  • int64
-
The session end time (in seconds)
  • 1575462989
  • Trend Vision One Zero Trust Secure Access Private Access
sessionStart
  • int64
-
The session start time (in seconds)
  • 1575462989
  • Trend Vision One Zero Trust Secure Access Private Access
severity
  • int32
-
The severity of the event
  • 2
  • 4
  • 6
  • 8
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
  • TippingPoint Security Management System
  • Trend Cloud One - Network Security
  • Trend Cloud One - Container Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Micro Mobile Network Security
shost
  • string
  • DomainName
The source hostname
  • dns.google
  • sw_us-east-1a_10-124-17-69
  • sw_us-east-1c_10-124-21-139
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Deep Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Micro Mobile Network Security
signInCountries
  • string[]
-
The countries from which a user signed in
  • PH
  • AU
  • Trend Micro Cloud App Security
  • Microsoft Entra ID
signer
  • string
-
The signer of the file
  • Shenzhen Smartspace Software technology Co.,Limited;Symantec Class 3 SHA256 Code Signing CA;1429491600;1492649999
  • Trend Micro Apex One as a Service
smac
  • string
-
The source MAC address
  • 00:11:22:33:44:55
  • 66:77:88:99:AA:BB
  • CC:DD:EE:FF:00:11
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • TXOne EdgeOne (on-premises)
  • Palo Alto Networks Next-Generation Firewalls
smbSharedName
  • string
-
The shared folder name for the server that contains the files to be opened
  • C:\sharedfolder
  • XDR Endpoint Sensor
sourceType
  • string
-
The source type
  • user defined
  • sandbox
  • syscall
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Container Security
  • XDR Endpoint Sensor
sproc
  • string
-
The OSSEC program name
  • postfix/sendmail
  • CRON
  • sshd
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
spt
  • int32
  • Port
The source port
  • 53
  • 0
  • 7680
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • TippingPoint Security Management System
  • Trend Micro Deep Security
  • Trend Cloud One - Network Security
  • XDR Endpoint Sensor
  • TXOne EdgeOne (on-premises)
  • Trend Vision One Zero Trust Secure Access Private Access
  • Trend Cloud One - Container Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Micro Mobile Network Security
src
  • string[]
  • IPv4
  • IPv6
The source IP
  • 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • TippingPoint Security Management System
  • Trend Micro Deep Security
  • Trend Cloud One - Network Security
  • XDR Endpoint Sensor
  • Trend Vision One Zero Trust Secure Access Internet Access
  • TXOne EdgeOne (on-premises)
  • Trend Vision One Zero Trust Secure Access Private Access
  • Trend Cloud One - Container Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Micro Mobile Network Security
srcEquipmentId
  • string
-
The source IMEI
  • 350548054087659
  • Trend Micro Mobile Network Security
srcFamily
  • string
-
The source device family
  • Computer
  • Trend Micro Mobile Network Security
srcFileHashMd5
  • string
  • FileMD5
The MD5 of the source file
-
srcFileHashSha1
  • string
  • FileSHA1
The SHA-1 of the source file
-
srcFileHashSha256
  • string
  • FileSHA2
The SHA-256 of the source file
-
srcFilePath
  • string
  • FileFullPath
The source file path
  • C:\\temp\\a.exe
srcGroup
  • string
-
The group named defined by the source administrator
  • Default
  • Rede DATACENTER example/example - AD example CORP
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Mobile Network Security
srcLocation
  • string
-
The source country
  • Japan
  • Palo Alto Networks Next-Generation Firewalls
srcSubscriberDirNum
  • string
-
The source MSISDN
  • 8618687654321
  • Trend Micro Mobile Network Security
srcSubscriberId
  • string
-
The source IMSI
  • 466686007810478
  • Trend Micro Mobile Network Security
srcType
  • string
-
The source device type
  • Desktop/Laptop
  • Trend Micro Mobile Network Security
srcZone
  • string
-
The network zone defined by the source administrator
  • 1
  • 0
  • 2
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Palo Alto Networks Next-Generation Firewalls
sslCertCommonName
  • string
  • DomainName
  • HostDomain
The subject common name
  • settings-win.data.microsoft.com
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
sslCertIssuerCommonName
  • string
-
The issuer common name
  • Microsoft Azure TLS Issuing CA 05
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
sslCertIssuerOrgName
  • string
-
The issuer organization name
  • Microsoft Corporation
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
sslCertOrgName
  • string
-
The subject organization name
  • Microsoft
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
subRuleId
  • string
-
The sub-rule ID
  • 85262
  • 914520
  • 18152
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • Trend Cloud One - Network Security
subRuleName
  • string
-
The sub-rule name
  • Pre-authentication failed.
  • ATTACK T1070.002,T1070.004: Indicator Removal on Host : Clear Linux or Mac System Logs,File Deletion
  • ATTACK T1110: Multiple Windows Logon Failures
  • invisible_url_domain
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Email Sensor
suid
  • string
  • UserAccount
The user name or mailbox
  • root
  • US EXAMPLE\TEST
  • sample_email@trendmicro.com
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Cloud App Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Web Security
  • Trend Micro Deep Security
  • Trend Cloud One - Network Security
  • Trend Vision One Zero Trust Secure Access Internet Access
suser
  • string[]
  • EmailSender
The email sender
  • sample_email@trendmicro.com
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
  • Email Sensor
  • Palo Alto Networks Next-Generation Firewalls
suspiciousObject
  • string
-
The matched suspicious object
  • 36ba9de3da9e6f8abfffdda7787ab0ecc16724bb
  • XDR Endpoint Sensor
suspiciousObjectType
  • string
-
The matched suspicious object type
  • sha1
  • XDR Endpoint Sensor
tacticId
  • string[]
  • Tactic
The list of MITRE tactic IDs
  • TA0011
  • TA0008
  • TA0001
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • XDR Endpoint Sensor
  • Trend Micro Apex One as a Service
tags
  • string[]
  • Technique
  • Tactic
The detected technique ID based on the alert filter
  • MITREV9.T1090
  • MITRE.T1071
  • MITREV9.T1059.001
  • Security Analytics Engine
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
target
  • string
-
The target object for the behavior
  • c:\windows\system32\windowspowershell\v1.0\powershell.exe
  • zwwritevirtualmemory
  • /proc/211296/exe
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
targetShare
  • string
  • FileFullPath
The subject state or province (for HTTPS), the shared folder (for SMB)
  • 3MHIS
  • NETLOGON
  • CA
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
targetType
  • string
-
The target object type
  • File System
  • Uncategorized
  • Exploit
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
techniqueId
  • string[]
  • Technique
The Technique ID detected by the product agent based on a detection rule
-
  • TXOne Stellar (on-premises)
threatName
  • string
-
The threat name
  • Malicious_CnC_access_on_UDP_blocked
  • Malicious_CnC_access_on_TCP_blocked
  • Other protected file
  • Trend Micro Cloud App Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
threatNames
  • string[]
-
The associated threats
  • HM_GERAL.MIP00000001
  • HM_JADTRE.MIP00000001
  • VAN_BOT.UMXX
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
threatType
  • string
-
The log threat type
  • 2
  • 99
  • 5
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Apex One as a Service
trigger
  • string
-
The action trigger
  • ATSE
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
urlCat
  • string[]
-
The requested URL category
  • Untested
  • 158
  • Web Advertisement
  • Trend Micro Deep Discovery Inspector
  • Virtual Network Sensor
  • Trend Micro Web Security
  • Trend Micro Apex One as a Service
  • Trend Vision One Zero Trust Secure Access Internet Access
  • Trend Micro Cloud App Security
  • Trend Vision One Mobile Security
  • Palo Alto Networks Next-Generation Firewalls
  • Trend Cloud One - Endpoint & Workload Security
userDepartment
  • string
-
The user department
  • Operations
  • BANCA CONSTRUCCION
  • CONTACT CENTER
  • Trend Micro Web Security
  • Trend Vision One Zero Trust Secure Access Internet Access
userDomain
  • string
  • EndpointName
  • DomainName
  • AccountDomain
The user domain
  • example.com.pa
  • DOMAIN
  • Trend Micro Apex One as a Service
  • Trend Micro Web Security
  • Trend Vision One Zero Trust Secure Access Internet Access
userDomains
  • string[]
-
The telemetry events that match the Security Analytics Engine filter
  • CORP
  • Security Analytics Engine
uuid
  • string
-
The unique key of the log
  • 000008d7-35fd-4d7b-bada-7f38dca2abf7
  • 0000116b-ac61-48d2-89e1-3d1ce2d13cdd
  • 000017f4-ac10-43b4-8aef-97158e0f8533
  • Security Analytics Engine
uuids
  • string[]
-
The UUIDs of detection records
  • -
  • Data Detection and Response
vendor
  • string
-
The device vendor
  • adata
  • Trend Micro Apex One as a Service
vpcId
  • string
-
The virtual private cloud that contains the cloud asset
  • vpc-01234567890abcdef
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Cloud One - Cloud Sentry
vsysName
  • string
-
The Palo Alto Networks virtual system of the session
  • vsys1
  • Palo Alto Networks Next-Generation Firewalls
wasEntity
  • string
-
The entity before change/modification
  • {"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"stopped","name":"state","value":"1"}]}
  • {"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"running","name":"state","value":"4"}]}
  • {"key":"<example>","type":"File","attributes":[]}
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
winEventId
  • int32
-
The Windows Event ID
  • 11
  • 4624
  • 4670
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security