| Field Name | Type | General Field | Description | Example | Products |
| --- | --- | --- | --- | --- | --- |
| appIsSystem | | - | Whether the app is a system app | | |
| appLabel | | - | The app name (if the subject is an app) | | |
| appOrSystemEventHashId | | - | The event object hash ID | | |
| appPkgName | | - | The app package name (if the subject is an app) | | |
| appPublicKeySha1 | | | The SHA-1 hash of the app public key (if the subject is an app) | | |
| appSize | | - | The app size (in bytes) if the subject is an app | | |
| appVerCode | | - | The app version code (if the subject is an app) | | |
| endpointGuid | | | The host GUID of the endpoint on which the event was detected | | |
| endpointHostName | | | The hostname of the endpoint on which the event was detected | | |
| endpointIp | | | The IP address of the endpoint on which the event was detected | | |
| endpointModel | | - | The endpoint device model | | |
| eventHashId | | - | The event hash ID | | |
| eventId | | - | The event type | - | |
| eventSubId | | - | The access type | | |
| eventTime | | - | The time the agent detected the event | | |
| extraInfo | | - | The extra information about the app | | |
| filterRiskLevel | | - | The top-level risk level of the event | | |
| firstSeen | | - | The time when the event started (in milliseconds) | | |
| groupId | | - | The group ID for the management scope filter | | |
| lastSeen | | - | The time when the event ended (in milliseconds) | | |
| logReceivedTime | | - | The time when the XDR log was received | | |
| logonUser | | | The sign-in user name | | |
| marsAccount | | - | The account for Trend Micro Mobile Apps Reputation Service | | |
| objectAppBehavior | | - | The activity that occurred on the app | | |
| objectAppBehaviorAttr | | - | The attributes of the app activity | | |
| objectAppDexSha256 | | | The SHA-256 hash of the app Dex value | | |
| objectAppInstalledTime | | - | The time of app installation (in milliseconds) | | |
| objectAppIsSystemApp | | - | Whether the app is a system app | | |
| objectAppLabel | | - | The app name | | |
| objectAppPackageName | | - | The app package name | | |
| objectAppPublicKeySha1 | | | The SHA-1 hash of the app public key | | |
| objectAppSha256 | | | The SHA-256 hash of the app | | |
| objectAppSize | | - | The app size (in bytes) | | |
| objectAppVerCode | | - | The app version code | | |
| objectAppVerName | | - | The app version | | |
| objectCertAttr | | - | The SHA-1 hash of the certificate public key | | |
| objectFileCreation | | - | The time the target file was created (in milliseconds) | | |
| objectFileHashSha256 | | | The SHA-256 hash of the target process image or target file | | |
| objectFileModifiedTime | | - | The modification time of the target file (in milliseconds) | | |
| objectFilePath | | | The file path of the target process image or target file | | |
| objectFileSize | | - | The target file size | | |
| objectFirstSeen | | - | The time when the object first appeared (in milliseconds) | | |
| objectHashId | | - | The event object hash ID | | |
| objectLastSeen | | - | The time when the object was last seen (in milliseconds) | | |
| objectSystemEventAttr | | - | The system event attributes | | |
| osName | | - | The host OS name | | |
| osVer | | - | The OS version | | |
| pname | | - | The internal product ID (Deprecated, use productCode) | | |
| policyTreePath | | - | The policy tree path (endpoint only) | | |
| productCode | | - | The internal product code | | |
| pver | | - | The product version | | |
| request | | | The request URL | | |
| srcFileCreation | | - | The time when the source file was created (in milliseconds) | | |
| srcFileHashId | | - | The source file hash ID | | |
| srcFileHashSha256 | | | The SHA-256 hash of the source file | | |
| srcFileModifiedTime | | - | The time when the source file was modified (in milliseconds) | | |
| srcFilePath | | | The source file path | | |
| srcFileSize | | - | The source file size | | |
| srcFirstSeen | | - | The time when the source file first appeared (in milliseconds) | | |
| srcLastSeen | | - | The time when the source file was last seen (in milliseconds) | | |
| systemEventAttr | | - | The attributes of the system event (if the subject is a system event) | | |
| tags | | | The detected technique ID based on the alert filter | | |
| userType | | - | The user type | | |
| uuid | | - | The unique key of the log | | |