Field Name
|
Type
|
General Field
|
Description
|
Example
|
Products
|
actResult
|
|
-
|
The action result
|
|
|
actionName
|
|
-
|
The user or service action
|
|
|
applicationId
|
|
-
|
The application ID
|
|
|
attachmentFileHashSha256s
|
|
|
The SHA-256 hash of the email attachment
|
|
|
attachmentFileHashes
|
|
|
The SHA-1 hash of the email attachment
|
|
|
attachmentFileName
|
|
|
The file name of the email attachment
|
|
|
attachmentFileTlshes
|
|
-
|
The TLSH hash detected by Trend Micro Anti-Spam Engine
|
-
|
|
attachmentMd5
|
|
|
The MD5 hash of the email attachment
|
|
|
attachmentSha1
|
|
|
The SHA-1 hash of the email attachment
|
|
|
attachmentSha256
|
|
|
The SHA-256 hash of the email attachment
|
|
|
attachmentSize
|
|
-
|
The attachment file size
|
-
|
|
attachmentSource
|
|
-
|
The attachment source
|
|
|
attachmentTlsh
|
|
-
|
The TLSH hash detected by Trend Micro Anti-Spam Engine
|
|
|
attachmentUrls
|
|
-
|
The URLs and URL sources extracted from the email attachment
|
-
|
|
clientIp
|
|
|
The client IP
|
|
|
cloudStorageId
|
|
-
|
The file or folder location ID
|
|
|
cloudStorageName
|
|
-
|
The file or folder URL
|
|
|
correlationId
|
|
-
|
The correlation ID
|
|
|
eventId
|
|
-
|
The event ID
|
|
|
eventName
|
|
-
|
The event type
|
|
|
eventSubName
|
|
-
|
The event type sub-name
|
|
|
eventTime
|
|
-
|
The time the agent detected the event
|
|
|
extraInfo
|
|
-
|
The additional information about the sharing action
|
|
|
fileExt
|
|
-
|
The file extension (If the object is a folder, there is no value for this field.)
|
|
|
fileName
|
|
|
The file or folder name
|
|
|
filterRiskLevel
|
|
-
|
The top-level risk level of the event
|
|
|
groupId
|
|
-
|
The group ID for the management scope filter
|
|
|
isExternalAccess
|
|
-
|
Whether the cmdlet was run by an external user (true=external user, false=internal
user in your organization)
|
|
|
isSensitiveInfo
|
|
-
|
Whether the event contains sensitive information
|
|
|
logReceivedTime
|
|
-
|
The time when the XDR log was received
|
|
|
mExternalUid
|
|
-
|
The unique ID of the email
|
|
|
mailAttachmentHash
|
|
|
The hash value of the email attachment
|
|
|
mailBccAddresses
|
|
|
The BCC address in the email header
|
|
|
mailCacheId
|
|
-
|
The internal email cache ID to identify emails in the same group mails
|
|
|
mailCcAddresses
|
|
|
The CC address in the email header
|
|
|
mailDirection
|
|
-
|
The email traffic direction
|
|
|
mailEurekaRuleIds
|
|
-
|
The list of rule IDs scanned by Eureka and detected by Trend Micro Anti-Spam Engine
|
|
|
mailFeatureId
|
|
-
|
The email protocol detected by Trend Micro Anti-Spam Engine
|
-
|
|
mailFolder
|
|
-
|
The email folder name
|
|
|
mailFromAddresses
|
|
|
The From address in the email header
|
|
|
mailHeaderHash
|
|
-
|
The email header hash detected by Trend Micro Anti-Spam Engine
|
|
|
mailHelo
|
|
-
|
The HELO command detected by Trend Micro Anti-Spam Engine
|
|
|
mailMetaText
|
|
-
|
The postman meta text detected by Trend Micro Anti-Spam Engine
|
|
|
mailMetaTraceId
|
|
-
|
The trace ID generated by Trend Micro Feedback Engine
|
|
|
mailMsgId
|
|
|
The email ID
|
|
|
mailMsgSubject
|
|
|
The email subject
|
|
|
mailReplyToAddresses
|
|
-
|
The Reply To address detected by Trend Micro Anti-Spam Engine
|
|
|
mailRuleId
|
|
-
|
The rule ID of the matched rule detected by Trend Micro Anti-Spam Engine
|
|
|
mailScore
|
|
-
|
The score assigned to the email by Trend Micro Anti-Spam Engine
|
-
|
|
mailSenderIp
|
|
-
|
The sender IP address
|
|
|
mailSmtpFromAddresses
|
|
-
|
The sender email address
|
|
|
mailSmtpOriginalRecipients
|
|
-
|
The original email recipients in the SMTP envelope
|
|
|
mailSmtpRecipients
|
|
-
|
The mail recipients in the SMTP envelope after scanning
|
|
|
mailSmtpTls
|
|
-
|
The SMTP TLS version number
|
|
|
mailSourceDomain
|
|
-
|
The email domain of the sender
|
|
|
mailTagHash
|
|
-
|
The email tag hash detected by Trend Micro Anti-Spam Engine
|
|
|
mailTagHashRawSignature
|
|
-
|
The raw signature hash of the email
|
|
|
mailTextHash
|
|
-
|
The email text hash detected by Trend Micro Anti-Spam Engine
|
|
|
mailThreatType
|
|
-
|
The type of email detected by Trend Micro Anti-Spam Engine
|
|
|
mailToAddresses
|
|
|
The Mail To address in the email header
|
|
|
mailUrlHash
|
|
-
|
The email URL hash detected by Trend Micro Anti-Spam Engine
|
|
|
mailUrlsOriginalLink
|
|
-
|
The original URL extracted from the email content
|
|
|
mailUrlsRealLink
|
|
|
The URL extracted from the email content
|
|
|
mailUrlsVisibleLink
|
|
|
The URL extracted from the email content
|
|
|
mailUserAgent
|
|
-
|
The user agent
|
|
|
mailWantedHeaderName
|
|
-
|
The WantedHeader key name detected by Trend Micro Anti-Spam Engine
|
|
|
mailWantedHeaderValue
|
|
-
|
The WantedHeader key value detected by Trend Micro Anti-Spam Engine
|
|
|
mailWholeHeader
|
|
-
|
The name and email address of the sender in the From header detected by Trend Micro
Anti-Spam Engine
|
|
|
mailXMailer
|
|
-
|
The X-Mailer header of the email
|
|
|
mailbox
|
|
-
|
The primary email address
|
|
|
msgUuid
|
|
-
|
The internal email UUID to identify each email message
|
|
|
msgUuidChain
|
|
-
|
The internal UUID chain for each email in Trend Micro Feedback Engine
|
|
|
orgId
|
|
-
|
The organization ID
|
|
|
orgName
|
|
-
|
The tenant name
|
|
|
originatingServer
|
|
-
|
The server where the operation originated
|
|
|
parameters
|
|
-
|
The names and values of all parameters used in the cmdlet identified in the Operations
property
|
|
|
pname
|
|
-
|
The internal product code (deprecated)
|
|
|
policyTreePath
|
|
-
|
The policy tree path (endpoint only)
|
|
|
principalName
|
|
|
The User Principal Name
|
|
|
productCode
|
|
-
|
The product code of the product that sent the log
|
|
|
recordType
|
|
-
|
The operation type
|
|
|
scanTs
|
|
-
|
The time the email was scanned
|
|
|
scanType
|
|
-
|
The manual or real-time scan type
|
|
|
service
|
|
-
|
The Microsoft 365 service where the activity occurred
|
|
|
tags
|
|
-
|
The detected technique ID based on the alert filter
|
|
|
target
|
|
-
|
The object accessed by a user or application
|
|
|
targetType
|
|
-
|
The type of object that was accessed or modified
|
|
|
userAgent
|
|
-
|
The user agent
|
|
|
userSessionId
|
|
-
|
The user session ID
|
|
|
userType
|
|
-
|
The user type
|
|
|
uuid
|
|
-
|
The unique key of the log entry
|
|
|
Views: