| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| accessPermission | - | - | The access permission type |  |  |
| act | - | - | The actions taken to mitigate the event |  |  |
| actResult | - | - | The result of an action |  |  |
| aggregatedCount | - | - | The number of aggregated events |  |  |
| app | - | - | The network protocol being exploited |  |  |
| appDexSha256 | - |  | The SHA-256 of the app DEX file |  |  |
| appGroup | - | - | The app category of the event |  |  |
| appIsSystem | - | - | Whether the app is a system app |  |  |
| appLabel | - | - | The app name |  |  |
| appPkgName | - | - | The app package name |  |  |
| appPublicKeySha1 | - |  | The SHA-1 of the app public key |  |  |
| appSize | - | - | The app size (in bytes) |  |  |
| appVerCode | - | - | The app version code |  |  |
| application | - | - | The name of the requested application |  |  |
| aptCampaigns | - | - | The related APT campaigns |  |  |
| aptRelated | - | - | Whether the event is related to an APT |  |  |
| attachment | - | - | The information about the email attachment |  |  |
| attachmentFileHash | - |  | The SHA-1 of the email attachment |  |  |
| attachmentFileHashMd5 | - |  | The MD5 of the attached file (attachmentFileName) |  |  |
| attachmentFileHashSha1 | - |  | The SHA-1 of the attached file (attachmentFileName) |  |  |
| attachmentFileHashSha256 | - |  | The SHA-256 of the attached file (attachmentFileName) |  |  |
| attachmentFileHashes | - | - | The SHA-1 of the email attachment |  |  |
| attachmentFileHashs | - | - | The SHA-1 hash value of the attachment file |  |  |
| attachmentFileName | - |  | The file name of an attachment |  |  |
| attachmentFileSize | - | - | The file size of the email attachment |  |  |
| attachmentFileSizes | - | - | The file size of email attachments |  |  |
| attachmentFileTlshes | - | - | The TLSH of the email attachment |  |  |
| attachmentFileTlshs | - | - | The TLSH hash value of the attachment file |  |  |
| attachmentFileType | - | - | The file type of the email attachment |  |  |
| authType | - | - | The authorization type |  |  |
| behaviorCat | - | - | The matched policy category |  |  |
| blocking | - | - | The blocking type |  |  |
| bmGroup | - | - | The one-to-many data structure |  |  |
| botCmd | - |  | The bot command |  |  |
| botUrl | - |  | The bot URL |  |  |
| cccaDestination | - |  | The destination domain, IP, URL, or recipient |  |  |
| cccaDestinationFormat | - | - | The C&C server access format |  |  |
| cccaDetection | - | - | Whether the log is identified as a C&C callback address detection |  |  |
| cccaDetectionSource | - | - | The list which defines the CCCA detection rule |  |  |
| cccaRiskLevel | - | - | The severity level of the threat actors associated with the C&C servers | - |  |
| channel | - | - | The channel through which the requested Windows Event was delivered |  |  |
| clientFlag | - | - | Whether the client is a source or destination |  |  |
| clientIp | - | - | The source IP addresses |  |  |
| clientStatus | - | - | The client status when the event occurred |  |  |
| cloudAccountId | - | - | The cloud account ID |  |  |
| cloudAppName | - | - | The cloud app name |  |  |
| cloudProvider | - | - | The service provider of the cloud asset |  |  |
| cloudStorageName | - | - | The cloud storage name |  |  |
| clusterId | - | - | The cluster ID of the container |  |  |
| clusterName | - | - | The cluster name of the container |  |  |
| cnt | - | - | The total log count |  |  |
| compressedFileHash | - |  | The SHA-1 of the decompressed archive |  |  |
| compressedFileHashSha256 | - |  | The SHA-256 of the compressed suspicious file |  |  |
| compressedFileName | - |  | The file name of the compressed file |  |  |
| compressedFileSize | - | - | The file size of the decompressed archive file |  |  |
| compressedFileType | - | - | The file type of the decompressed archive file |  |  |
| computerDomain | - | - | The computer domain |  |  |
| containerId | - | - | The Kubernetes container ID |  |  |
| containerImage | - | - | The Kubernetes container image |  |  |
| containerImageDigest | - | - | The Kubernetes container image digest |  |  |
| containerName | - | - | The Kubernetes container name |  |  |
| correlationCat | - | - | The correlation category |  |  |
| customTags | - | - | The event tags |  |  |
| cve | - | - | The CVE identifier |  |  |
| cves | - | - | The CVEs associated with this filter |  |  |
| dOSName | - | - | The destination host OS |  |  |
| dUser1 | - | - | The latest sign-in user of the destination |  |  |
| dacDeviceType | - | - | The device type |  |  |
| data0 | - | - | The Deep Discovery Inspector correlation log value |  |  |
| data0Name | - | - | The Deep Discovery Inspector correlation log name |  |  |
| data1 | - | - | The Deep Discovery Inspector correlation log metadata |  |  |
| data1Name | - | - | The Deep Discovery Inspector correlation log name |  |  |
| data2 | - | - | The Deep Discovery Inspector correlation log value |  |  |
| data2Name | - | - | The Deep Discovery Inspector correlation log name |  |  |
| data3 | - | - | The Deep Discovery Inspector correlation log value |  |  |
| data4 | - | - | The Deep Discovery Inspector correlation log value |  |  |
| dceHash1 | - | - | Whether Trend Micro Threat Mitigation Server requires the log (Trend Micro Threat Mitigation Server is EOL.) |  |  |
| dceHash2 | - | - | Whether Trend Micro Threat Mitigation Server requires the log (Trend Micro Threat Mitigation Server is EOL.) |  |  |
| denyListFileHash | - |  | The SHA-1 of the Virtual Analyzer Suspicious Object |  |  |
| denyListFileHashSha256 | - | - | The SHA-256 of the User-Defined Suspicious Object |  |  |
| denyListHost | - |  | The domain of the Virtual Analyzer Suspicious Object |  |  |
| denyListIp | - |  | The IP of the Virtual Analyzer Suspicious Object |  |  |
| denyListRequest | - | - | The block list event request |  |  |
| denyListType | - | - | The block list type |  |  |
| destinationPath | - | - | The intended destination of the file containing the digital asset or channel |  |  |
| detectionDetail | - | - | The details about each event type |  |  |
| detectionName | - | - | The general name for the detection |  |  |
| detectionType | - | - | The detection type |  |  |
| deviceDirection | - | - | The device direction (If the source IP is in the internal network monitored by Deep Discovery Inspector, it is tagged as outbound. All other cases are inbound. Internal-to-internal is also tagged as outbound.) |  |  |
| deviceGUID | - | - | The GUID of the agent which reported the detection |  |  |
| deviceMacAddress | - | - | The device MAC address |  |  |
| deviceModel | - | - | The device model number |  |  |
| devicePayloadId | - | - | The device payload ID |  |  |
| deviceSerial | - | - | The device serial ID |  |  |
| dhost | - |  | The destination hostname |  |  |
| direction | - | - | The direction |  |  |
| dmac | - | - | The MAC address of the destination IP (dest_ip) |  |  |
| domainName | - |  | The detected domain name |  |  |
| dpt | - |  | The destination port |  |  |
| dst | - |  | The destination IP |  |  |
| dstGroup | - | - | The group name defined by the administrator of the destination |  |  |
| dstZone | - | - | The network zone defined by the destination administrator |  |  |
| duser | - |  | The email recipient |  |  |
| dvc | - | - | The Deep Discovery Inspector appliance IP |  |  |
| dvchost | - | - | The computer on which the Trend Micro product is installed |  |  |
| endpointGUID | - |  | The GUID of the agent which reported the detection |  |  |
| endpointHostName | - |  | The endpoint hostname or node where the event was detected |  |  |
| endpointIp | - |  | The endpoint host IP (for ptp/stp: the client IP) |  |  |
| endpointMacAddress | - | - | The endpoint MAC address |  |  |
| endpointModel | - | - | The mobile device model |  |  |
| engType | - | - | The engine type |  |  |
| engVer | - | - | The engine version |  |  |
| engineOperation | - | - | The operation of the engine event |  |  |
| eventClass | - | - | The event category |  |  |
| eventId | - | - | The event ID from the logs of each product |  |  |
| eventName | - | - | The event type |  |  |
| eventSubClass | - | - | The category of the sub-event class |  |  |
| eventSubId | - | - | The access type |  |  |
| eventSubName | - | - | The event type sub-name |  |  |
| eventTime | - | - | The time the agent detected the event |  |  |
| extraInfo | - | - | The network application name |  |  |
| fileCreation | - | - | The file creation date |  |  |
| fileDesc | - | - | The file description |  |  |
| fileExt | - | - | The file extension of the suspicious file |  |  |
| fileHash | - |  | The SHA-1 of the file that triggered the rule or policy |  |  |
| fileHashSha256 | - |  | The SHA-256 of the file (fileName) |  |  |
| fileName | - |  | The file name |  |  |
| fileOperation | - | - | The operation of the file |  |  |
| filePath | - |  | The file path without the file name |  |  |
| filePathName | - |  | The file path with the file name |  |  |
| fileSize | - | - | The file size of the suspicious file |  |  |
| fileType | - | - | The file type of the suspicious file |  |  |
| fileVer | - | - | The file version |  |  |
| filterName | - | - | The filter name |  |  |
| filterRiskLevel | - | - | The top-level filter risk of the event |  |  |
| filterType | - | - | The filter type |  |  |
| firmalware | - | - | The Deep Discovery Inspector firmware version |  |  |
| firstAct | - | - | The first scan action |  |  |
| firstActResult | - | - | The first scan action result |  |  |
| firstSeen | - | - | The first time the XDR log appeared |  |  |
| flowId | - | - | The connection ID |  |  |
| forensicFileHash | - | - | The hash value of the forensic data file |  |  |
| forensicFilePath | - | - | The file path of the forensic file (When a Data Loss Prevention policy is triggered, the file is encrypted and copied to the OfficeScan server for post-mortem analysis.) |  |  |
| ftpUser | - | - | The FTP sign-in user name |  |  |
| fullPath | - |  | The combination of the file path and the file name |  |  |
| groups | - | - | The OSSEC rule group names |  |  |
| hasdtasres | - | - | Whether the log contains a report from Virtual Analyzer |  |  |
| highlightMailMsgSubject | - | - | The email subject |  |  |
| highlightedFileHashes | - |  | The SHA-1 hashes of the highlighted files |  |  |
| highlightedFileName | - | - | The file names of suspicious attachments |  |  |
| hostName | - |  | The computer name of the client host (the hostname from the suspicious URL detected by Deep Discovery Inspector) |  |  |
| hostSeverity | - | - | The severity of the threat (specific to the interestedIp) |  |  |
| hotFix | - | - | The applied Deep Discovery Inspector hotfix version |  |  |
| httpReferer | - |  | The HTTP referer |  |  |
| instanceId | - | - | The ID of the instance that indicates the meta-cloud or data center VM |  |  |
| interestedGroup | - | - | The network group associated with the user-defined source IP or destination IP |  |  |
| interestedHost | - |  | The endpoint hostname (If an intranet host accesses a suspicious internet host, the intranet host is the peerHost and the internet host is the interestedHost.) |  |  |
| interestedIp | - |  | The IP of the interestedHost |  |  |
| interestedMacAddress | - | - | The log owner MAC address |  |  |
| ircChannelName | - | - | The IRC channel name |  |  |
| ircUserName | - | - | The IRC user name |  |  |
| isEntity | - | - | The current entity (or after change/modification) |  |  |
| isHidden | - | - | Whether the detection log generated a grey rule match |  |  |
| isRetroScan | - | - | Whether the event matches the Security Analytics Engine filter |  |  |
| ja3Hash | - | - | The fingerprint of an SSL/TLS client application as detected via a network sensor or device |  |  |
| ja3sHash | - | - | The fingerprint of an SSL/TLS server application as detected via a network sensor or device |  |  |
| k8sNamespace | - | - | The Kubernetes namespace of the container |  |  |
| k8sPodId | - | - | The Kubernetes pod ID of the container |  |  |
| k8sPodName | - | - | The Kubernetes pod name of the container |  |  |
| lastSeen | - | - | The last time the XDR log appeared |  |  |
| logKey | - | - | The unique key of the event |  |  |
| logonUsers | - | - | The telemetry events that match the Security Analytics Engine filter (logonUsers stores the logonUsers value of the original events) |  |  |
| mDevice | - | - | The source IP |  |  |
| mDeviceGUID | - | - | The GUID of the agent host |  |  |
| mailDeliveryTime | - | - | The email delivery time |  |  |
| mailFolder | - | - | The email folder name |  |  |
| mailMsgId | - | - | The internet message ID of the email |  |  |
| mailMsgSubject | - |  | The message subject |  |  |
| mailReceivedTime | - | - | The mail received timestamp | - |  |
| mailSmtpFromAddresses | - | - | The envelope address of the sender |  |  |
| mailSmtpHelo | - | - | The domain name the sending mail server presented in the SMTP HELO command |  |  |
| mailSmtpOriginalRecipients | - | - | The envelope addresses of the original recipients |  |  |
| mailSmtpRecipients | - | - | The envelope addresses of the current recipients |  |  |
| mailSmtpTls | - | - | The SMTP TLS version |  |  |
| mailUniqueId | - | - | The unique ID of the email |  |  |
| mailbox | - | - | The mailbox that is protected by Trend Micro |  |  |
| majorVirusType | - | - | The virus type |  |  |
| malDst | - | - | The malware infection destination |  |  |
| malFamily | - | - | The threat family |  |  |
| malName | - | - | The name of the detected malware |  |  |
| malSrc | - |  | The malware infection source |  |  |
| malSubType | - | - | The subsidiary virus type |  |  |
| malType | - | - | The risk type for Network Content Correlation Engine rules |  |  |
| malTypeGroup | - | - | The risk type group for Network Content Correlation Engine rules (This field comes from Network Content Correlation Pattern rule type definitions.) |  |  |
| matchedContent | - | - | The one-to-many data structure |  |  |
| mimeType | - | - | The MIME type or content type of the response body |  |  |
| minorVirusType | - | - | The minor virus type |  |  |
| mitigationTaskId | - | - | The unique ID to identify the mitigation request |  |  |
| mitreMapping | - | - | The MITRE tags |  |  |
| mitreVersion | - | - | The MITRE version |  |  |
| mpname | - | - | The management product name |  |  |
| mpver | - | - | The management product version |  |  |
| msgAct | - | - | The message action |  |  |
| msgId | - |  | The internet message ID |  |  |
| msgUuid | - | - | The unique email ID |  |  |
| msgUuidChain | - | - | The message UUID chain |  |  |
| objectApiName | - | - | The API name |  |  |
| objectCmd | - |  | The object process command line |  |  |
| objectEntityName | - | - | The object entity name |  |  |
| objectFileCreation | - | - | The UTC time that the object was created |  |  |
| objectFileHashMd5 | - |  | The MD5 of the object |  |  |
| objectFileHashSha1 | - |  | The SHA-1 of the object (objectFilePath) |  |  |
| objectFileHashSha256 | - |  | The SHA-256 of the object (objectFilePath) |  |  |
| objectFileModified | - | - | The UTC time that the object was modified | - |  |
| objectFileName | - |  | The object file name |  |  |
| objectFilePath | - |  | The file path of the target process image or target file |  |  |
| objectFirstRecorded | - | - | The first time that the object appeared | - |  |
| objectId | - | - | The UUID of the object |  |  |
| objectIp | - |  | The IP address of the domain |  |  |
| objectName | - | - | The base name of the object file or process |  |  |
| objectPayloadFileHashSha1 | - |  | The SHA-1 of the object payload file | - |  |
| objectRegistryData | - |  | The registry data contents |  |  |
| objectRegistryKeyHandle | - |  | The registry key path |  |  |
| objectRegistryRoot | - | - | The name of the object registry root key |  |  |
| objectRegistryValue | - |  | The registry value name |  |  |
| objectSigner | - | - | The list of object process signers |  |  |
| objectSignerValid | - | - | Whether each signer of the object process is valid | - |  |
| objectSubType | - | - | The sub-types of the policy event (displayed when a policy event has sub-types) |  |  |
| objectTargetProcess | - | - | The file path of the target process of the API call |  |  |
| objectType | - | - | The object type |  |  |
| objectUser | - |  | The owner name of the target process or the sign-in user name |  |  |
| objectUserDomain | - | - | The owner domain of the target process |  |  |
| oldFileHash | - |  | The SHA-1 of the target process image or target file (wasEntity from an IM event) |  |  |
| online | - | - | Whether the endpoint is online |  |  |
| orgId | - | - | The organization ID |  |  |
| originEventSourceType | - | - | The event source type of the original events that match the Security Analytics Engine filter |  |  |
| originUUID | - | - | The UUID of the original events that match the Security Analytics Engine filter |  |  |
| osName | - | - | The host OS |  |  |
| osVer | - | - | The OS version |  |  |
| out | - | - | The IP datagram length (in bytes) |  |  |
| overSsl | - | - | Whether the event was triggered by an SSL decryption stream (displayed only when SSL inspection is supported) |  |  |
| pAttackPhase | - | - | The category of the primary Attack Phase |  |  |
| pComp | - | - | The component that made the detection |  |  |
| pTags | - | - | The event tagging system |  |  |
| parentCmd | - |  | The command line of the subject parent process |  |  |
| parentFileHashMd5 | - |  | The MD5 of the subject parent process |  |  |
| parentFileHashSha1 | - |  | The SHA-1 of the subject parent process |  |  |
| parentFileHashSha256 | - |  | The SHA-256 of the subject parent process |  |  |
| parentFilePath | - |  | The full file path of the parent process |  |  |
| parentHashId | - | - | The FNV hash of the parent process |  |  |
| parentName | - | - | The image name of the parent process |  |  |
| parentPid | - | - | The PID of the parent process | - |  |
| parentSigner | - | - | The signers of the parent process |  |  |
| parentSignerValid | - | - | Whether each signer of the parent process is valid | - |  |
| parentUser | - | - | The account name of the parent process |  |  |
| parentUserDomain | - | - | The domain name of the parent process |  |  |
| patType | - | - | The pattern type |  |  |
| patVer | - | - | The version of the behavior pattern |  |  |
| pcapUUID | - | - | The PCAP file UUID |  |  |
| peerEndpointGUID | - | - | The endpoint GUID of the agent peer host |  |  |
| peerGroup | - | - | The peer IP group |  |  |
| peerHost | - |  | The hostname of peerIp |  |  |
| peerIp | - |  | The IP of peerHost |  |  |
| pname | - | - | The internal product ID |  |  |
| policyId | - | - | The ID of the policy that detected the event |  |  |
| policyName | - | - | The name of the triggered policy |  |  |
| policyTemplate | - | - | The one-to-many data structure |  |  |
| policyTreePath | - | - | The policy tree path |  |  |
| policyUuid | - | - | The UUID of the cloud access or risk control policy, or the hard-coded string that indicates the rule of the global blocked/approved URL list |  |  |
| potentialRisk | - | - | Whether there is a potential risk |  |  |
| principalName | - | - | The User Principal Name used to sign in to the proxy |  |  |
| processCmd | - |  | The subject process command line |  |  |
| processFileCreation | - | - | The Unix time of object creation |  |  |
| processFileHashMd5 | - |  | The MD5 of the subject process |  |  |
| processFileHashSha1 | - |  | The SHA-1 of the subject process |  |  |
| processFileHashSha256 | - |  | The SHA-256 of the subject process |  |  |
| processFilePath | - |  | The file path of the subject process |  |  |
| processHashId | - | - | The FNV hash of the subject process |  |  |
| processImagePath | - | - | The process triggered by the file event |  |  |
| processLaunchTime | - | - | The time the subject process was launched |  |  |
| processName | - |  | The image name of the process that triggered the event |  |  |
| processPid | - | - | The PID of the subject process | - |  |
| processSigner | - | - | The signer name list of the subject process |  |  |
| processUser | - |  | The user name of the process or the file creator |  |  |
| processUserDomain | - | - | The owner domain of the subject process image |  |  |
| productCode | - | - | The internal product code |  |  |
| profile | - | - | The name of the triggered Threat Protection template or Data Loss Prevention profile |  |  |
| proto | - | - | The exploited network protocol layer |  |  |
| protoFlag | - | - | The data flags |  |  |
| pver | - | - | The product version |  |  |
| quarantineFileName | - | - | The file path of the quarantined object |  |  |
| quarantineFilePath | - | - | The OfficeScan server file path for the quarantined file (A quarantined file is encrypted and copied to the OfficeScan server for post-mortem analysis.) | - |  |
| quarantineType | - | - | The descriptive name for the quarantine area |  |  |
| rating | - | - | The credibility level |  |  |
| rawDstIp | - |  | The destination IP without replacement |  |  |
| rawDstPort | - |  | The destination port without replacement |  |  |
| rawSrcIp | - |  | The source IP without replacement |  |  |
| rawSrcPort | - |  | The source port without replacement |  |  |
| regionId | - | - | The cloud asset region |  |  |
| remarks | - | - | The additional information |  |  |
| reportGUID | - | - | The GUID for Workbench to request report page data |  |  |
| request | - |  | The notable URLs |  |  |
| requestBase | - |  | The domain of the request URL |  |  |
| requestClientApplication | - | - | The protocol user agent information |  |  |
| riskConfidenceLevel | - | - | The risk confidence level |  |  |
| riskLevel | - | - | The risk level |  |  |
| rozRating | - | - | The Virtual Analyzer overall rating |  |  |
| rtDate | - | - | The date of the log generation |  |  |
| rtWeekDay | - | - | The weekday of the log generation |  |  |
| ruleId | - | - | The rule ID |  |  |
| ruleId64 | - | - | The IPS rule ID |  |  |
| ruleIdStr | - | - | The rule ID |  |  |
| ruleName | - | - | The name of the rule that triggered the event |  |  |
| ruleSetId | - | - | The rule set ID |  |  |
| ruleSetName | - | - | The rule set name |  |  |
| ruleType | - | - | The access rule type |  |  |
| ruleUuid | - | - | The signature UUID from the Digital Vaccine |  |  |
| ruleVer | - | - | The rule version |  |  |
| sAttackPhase | - | - | The category of the secondary Attack Phase |  |  |
| sOSName | - | - | The source OS |  |  |
| sUser1 | - | - | The latest sign-in user of the source |  |  |
| scanTs | - | - | The mail scan time | - |  |
| scanType | - | - | The scan type |  |  |
| schemaVersion | - | - | The schema version |  |  |
| secondAct | - | - | The second scan action |  |  |
| secondActResult | - | - | The result of the second scan action |  |  |
| sender | - | - | The roaming user or the gateway through which the web traffic passed |  |  |
| senderGUID | - | - | The sender GUID |  |  |
| senderIp | - | - | The sender IP |  |  |
| sessionEnd | - | - | The session end time (in seconds) |  |  |
| sessionStart | - | - | The session start time (in seconds) |  |  |
| severity | - | - | The severity of the event |  |  |
| shost | - |  | The source hostname |  |  |
| signer | - | - | The signer of the file |  |  |
| smac | - | - | The source MAC address |  |  |
| smbSharedName | - | - | The shared folder name for the server that contains the files to be opened |  |  |
| sourceType | - | - | The source type |  |  |
| sproc | - | - | The OSSEC program name |  |  |
| spt | - |  | The source port |  |  |
| src | - |  | The source IP |  |  |
| srcFileHashMd5 | - |  | The MD5 of the source file | - |  |
| srcFileHashSha1 | - |  | The SHA-1 of the source file | - |  |
| srcFileHashSha256 | - |  | The SHA-256 of the source file | - |  |
| srcFilePath | - |  | The source file path |  |  |
| srcGroup | - | - | The group name defined by the source administrator |  |  |
| srcZone | - | - | The network zone defined by the source administrator |  |  |
| sslCertCommonName | - | - | The subject common name |  |  |
| sslCertIssuerCommonName | - | - | The issuer common name |  |  |
| sslCertIssuerOrgName | - | - | The issuer organization name |  |  |
| sslCertOrgName | - | - | The subject organization name |  |  |
| subRuleId | - | - | The sub-rule ID |  |  |
| subRuleName | - | - | The sub-rule name |  |  |
| suid | - |  | The user name or mailbox |  |  |
| suser | - |  | The email sender |  |  |
| suspiciousObject | - | - | The matched suspicious object |  |  |
| suspiciousObjectType | - | - | The matched suspicious object type |  |  |
| tacticId | - |  | The list of MITRE tactic IDs |  |  |
| tags | - |  | The detected technique ID based on the alert filter |  |  |
| targetShare | - |  | The subject state or province (for HTTPS) or the shared folder (for SMB) |  |  |
| targetType | - | - | The target object type |  |  |
| techniqueId | - |  | The MITRE technique ID detected by the product agent based on a detection rule | - |  |
| threatName | - | - | The threat name |  |  |
| threatNames | - | - | The associated threats |  |  |
| threatType | - | - | The log threat type |  |  |
| urlCat | - | - | The requested URL category |  |  |
| userDepartment | - | - | The user department |  |  |
| userDomain | - |  | The user domain |  |  |
| userDomains | - | - | The telemetry events that match the Security Analytics Engine filter (userDomains stores the value of the original events) |  |  |
| uuid | - | - | The unique key of the log |  |  |
| vendor | - | - | The device vendor |  |  |
| vpcId | - | - | The virtual private cloud that contains the cloud asset |  |  |
| wasEntity | - | - | The entity before change/modification |  |  |
| winEventId | - | - | The Windows Event ID |  |  |

| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | - | - | The actions taken to mitigate the event |  |  |
| actResult | - | - | The result of an action |  |  |
| behaviorCat | - | - | The matched policy category |  |  |
| cves | - | - | The CVEs associated with this filter |  |  |
| detectionType | - | - | The detection type |  |  |
| dmac | - | - | The MAC address of the destination IP (dest_ip) |  |  |
| dpt | - |  | The destination port |  |  |
| dst | - |  | The destination IP |  |  |
| duser | - |  | The email recipient |  |  |
| endpointGUID | - |  | The GUID of the agent which reported the detection |  |  |
| endpointHostName | - |  | The endpoint hostname or node where the event was detected |  |  |
| endpointIp | - |  | The endpoint host IP (for ptp/stp: the client IP) |  |  |
| eventId | - | - | The event ID from the logs of each product |  |  |
| eventName | - | - | The event type |  |  |
| eventSubId | - | - | The access type |  |  |
| eventSubName | - | - | The event type sub-name |  |  |
| fileHash | - |  | The SHA-1 of the file that triggered the rule or policy |  |  |
| fileName | - |  | The file name |  |  |
| fileOperation | - | - | The operation of the file |  |  |
| filePath | - |  | The file path without the file name |  |  |
| filePathName | - |  | The file path with the file name |  |  |
| firstAct | - | - | The first scan action |  |  |
| firstActResult | - | - | The first scan action result |  |  |
| fullPath | - |  | The combination of the file path and the file name |  |  |
| groups | - | - | The OSSEC rule group names |  |  |
| hostName | - |  | The computer name of the client host (the hostname from the suspicious URL detected by Deep Discovery Inspector) |  |  |
| instanceId | - | - | The ID of the instance that indicates the meta-cloud or data center VM |  |  |
| interestedIp | - |  | The IP of the interestedHost |  |  |
| isEntity | - | - | The current entity (or after change/modification) |  |  |
| logKey | - | - | The unique key of the event |  |  |
| mDeviceGUID | - | - | The GUID of the agent host |  |  |
| majorVirusType | - | - | The virus type |  |  |
| malFamily | - | - | The threat family |  |  |
| malName | - | - | The name of the detected malware |  |  |
| malType | - | - | The risk type for Network Content Correlation Engine rules |  |  |
| mitreVersion | - | - | The MITRE version |  |  |
| mpname | - | - | The management product name |  |  |
| mpver | - | - | The management product version |  |  |
| objectCmd | - |  | The object process command line |  |  |
| objectFileHashMd5 | - |  | The MD5 of the object |  |  |
| objectFileHashSha1 | - |  | The SHA-1 of the object (objectFilePath) |  |  |
| objectFileHashSha256 | - |  | The SHA-256 of the object (objectFilePath) |  |  |
| objectFilePath | - |  | The file path of the target process image or target file |  |  |
| objectIp | - |  | The IP address of the domain |  |  |
| objectRegistryData | - |  | The registry data contents |  |  |
| objectRegistryKeyHandle | - |  | The registry key path |  |  |
| objectRegistryRoot | - | - | The name of the object registry root key |  |  |
| objectRegistryValue | - |  | The registry value name |  |  |
| objectType | - | - | The object type |  |  |
| objectUser | - |  | The owner name of the target process or the sign-in user name |  |  |
| objectUserDomain | - | - | The owner domain of the target process |  |  |
| parentPid | - | - | The PID of the parent process | - |  |
| parentUser | - | - | The account name of the parent process |  |  |
| parentUserDomain | - | - | The domain name of the parent process |  |  |
| pname | - | - | The internal product ID |  |  |
| policyId | - | - | The ID of the policy that detected the event |  |  |
| processCmd | - |  | The subject process command line |  |  |
| processFileCreation | - | - | The Unix time of object creation |  |  |
| processFileHashMd5 | - |  | The MD5 of the subject process |  |  |
| processFileHashSha1 | - |  | The SHA-1 of the subject process |  |  |
| processFileHashSha256 | - |  | The SHA-256 of the subject process |  |  |
| processFilePath | - |  | The file path of the subject process |  |  |
| processImagePath | - | - | The process triggered by the file event |  |  |
| processLaunchTime | - | - | The time the subject process was launched |  |  |
| processName | - |  | The image name of the process that triggered the event |  |  |
| processPid | - | - | The PID of the subject process | - |  |
| processUser | - |  | The user name of the process or the file creator |  |  |
| processUserDomain | - | - | The owner domain of the subject process image |  |  |
| proto | - | - | The exploited network protocol layer |  |  |
| protoFlag | - | - | The data flags |  |  |
| regionId | - | - | The cloud asset region |  |  |
| remarks | - | - | The additional information |  |  |
| request | - |  | The notable URLs |  |  |
| riskLevel | - | - | The risk level |  |  |
| rtDate | - | - | The date of the log generation |  |  |
| rtWeekDay | - | - | The weekday of the log generation |  |  |
| ruleName | - | - | The name of the rule that triggered the event |  |  |
| ruleType | - | - | The access rule type |  |  |
| ruleVer | - | - | The rule version |  |  |
| scanType | - | - | The scan type |  |  |
| secondAct | - | - | The second scan action |  |  |
| secondActResult | - | - | The result of the second scan action |  |  |
| senderGUID | - | - | The sender GUID |  |  |
| severity | - | - | The severity of the event |  |  |
| shost | - |  | The source hostname |  |  |
| smac | - | - | The source MAC address |  |  |
| sproc | - | - | The OSSEC program name |  |  |
| spt | - |  | The source port |  |  |
| src | - |  | The source IP |  |  |
| subRuleId | - | - | The sub-rule ID |  |  |
| subRuleName | - | - | The sub-rule name |  |  |
| suid | - |  | The user name or mailbox |  |  |
| targetType | - | - | The target object type |  |  |
| vpcId | - | - | The virtual private cloud that contains the cloud asset |  |  |
| wasEntity | - | - | The entity before change/modification |  |  |
| winEventId | - | - | The Windows Event ID |  |  |
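The tables above document which digest each hash field carries (fileHash is a SHA-1, fileHashSha256 a SHA-256, the *Md5 fields MD5) and that the raw* network fields hold the address before replacement. The following is an added example, not code from the reference or from Trend Micro, showing how a SOC pipeline can consume records that use these field names: it validates that every hash field actually holds a digest of the documented algorithm (a SHA-256 landing in a SHA-1 field is a mapping bug worth catching before it reaches a blocklist), prefers the raw* address over its replaced counterpart, and picks the strongest available hash for the triggering file. The grouping of fields into HASH_FIELDS and NETWORK_FIELDS, the Normalized structure, and the sample records are assumptions made for this example; the sample digests are the well-known empty-input values and the addresses are documentation ranges.

```python
import re
from dataclasses import dataclass, field

# Hash fields from the reference and the digest algorithm each is documented
# to hold. Field names are the page's; the grouping is this example's.
HASH_FIELDS = {
    "fileHash": "sha1", "fileHashSha256": "sha256",
    "attachmentFileHash": "sha1", "attachmentFileHashes": "sha1",
    "attachmentFileHashMd5": "md5", "attachmentFileHashSha1": "sha1",
    "attachmentFileHashSha256": "sha256",
    "compressedFileHash": "sha1", "compressedFileHashSha256": "sha256",
    "denyListFileHash": "sha1", "denyListFileHashSha256": "sha256",
    "objectFileHashMd5": "md5", "objectFileHashSha1": "sha1",
    "objectFileHashSha256": "sha256",
    "parentFileHashMd5": "md5", "parentFileHashSha1": "sha1",
    "parentFileHashSha256": "sha256",
    "processFileHashMd5": "md5", "processFileHashSha1": "sha1",
    "processFileHashSha256": "sha256",
    "srcFileHashMd5": "md5", "srcFileHashSha1": "sha1",
    "srcFileHashSha256": "sha256",
}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# Network indicator fields. The raw* fields carry the address before any
# replacement, so they shadow dst/src when both are populated.
NETWORK_FIELDS = [
    ("rawSrcIp", "ip"), ("src", "ip"), ("rawDstIp", "ip"), ("dst", "ip"),
    ("interestedIp", "ip"), ("peerIp", "ip"), ("objectIp", "ip"),
    ("domainName", "domain"), ("requestBase", "domain"),
    ("request", "url"), ("botUrl", "url"), ("cccaDestination", "ccca"),
]
RAW_OVERRIDES = {"src": "rawSrcIp", "dst": "rawDstIp"}


@dataclass
class Normalized:
    hashes: dict = field(default_factory=dict)      # algo -> {digest}
    indicators: set = field(default_factory=set)    # {(kind, value)}
    problems: list = field(default_factory=list)    # schema mismatches


def classify_digest(value):
    """Algorithm implied by a hex digest's length, or None if not a digest."""
    v = str(value).strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return next((a for a, n in HEX_LEN.items() if len(v) == n), None)


def normalize(record):
    """Flatten one record into validated hashes and network indicators."""
    out = Normalized()
    for fld, expected in HASH_FIELDS.items():
        val = record.get(fld)
        if not val:
            continue
        for digest in (val if isinstance(val, list) else [val]):
            got = classify_digest(digest)
            if got != expected:
                out.problems.append(f"{fld}: expected {expected}, got {got or 'non-hex'}")
                continue
            out.hashes.setdefault(expected, set()).add(str(digest).lower())
    for fld, kind in NETWORK_FIELDS:
        val = record.get(fld)
        if not val:
            continue
        if fld in RAW_OVERRIDES and record.get(RAW_OVERRIDES[fld]):
            continue  # replaced address is shadowed by its raw value
        for item in (val if isinstance(val, list) else [val]):
            out.indicators.add((kind, str(item)))
    return out


def best_file_hash(record):
    """Strongest valid digest for the file that triggered the event (fileName)."""
    for algo, fld in (("sha256", "fileHashSha256"), ("sha1", "fileHash")):
        val = record.get(fld)
        if val and classify_digest(val) == algo:
            return algo, str(val).lower()
    return None


# Constructed sample records; digests are the well-known empty-input values.
SAMPLE_RECORDS = [
    {
        "eventName": "MALWARE_DETECTION", "fileName": "invoice.exe",
        "fileHash": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "fileHashSha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "src": "10.10.1.20", "dst": "10.0.0.5", "rawDstIp": "203.0.113.10",
        "request": "http://example.invalid/payload", "requestBase": "example.invalid",
    },
    {   # a SHA-256 value stored in a field documented as SHA-1
        "eventName": "FILE_WRITE",
        "objectFileHashSha1": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "processFileHashMd5": "d41d8cd98f00b204e9800998ecf8427e",
    },
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        n = normalize(rec)
        print(rec["eventName"], sorted(n.indicators), n.problems)
```

Length-based classification catches fields that were populated with the wrong digest but cannot tell a SHA-1 from any other 160-bit hex value, so treat a mismatch as a signal to check the upstream mapping rather than as proof of which algorithm was used.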