Data Mapping: Endpoint Activity Data
|
Field |
General Field |
Example |
Notes |
|---|---|---|---|
|
hostName |
DomainName |
self.events.data.microsoft.com |
DNS event |
|
endpointGuid |
EndpointID |
e3c49595-09b9-47a3-a43f-6c21aa52e54f |
- |
|
endpointHostName |
EndpointName |
hr-johndoe1 |
- |
|
endpointIp |
|
|
Trend Micro Apex One records all IP addresses including 127.0.01 and virtual machine addresses. |
|
request |
URL |
https://www.example.com |
- |
|
objectIp |
|
|
Internet event |
|
dst |
|
|
Connection event |
|
src |
|
|
Connection event |
|
objectPort |
Port |
8080 |
Internet event |
|
spt |
Port |
5353 |
Port of connection source |
|
dpt |
Port |
5353 |
Port of connection destination |
|
objectFileHashSha1 |
FileSHA1 |
98A9A1C8F69373B211E5F1E303BA8762F44BC898 |
- |
|
parentFileHashSha1 |
FileSHA1 |
98A9A1C8F69373B211E5F1E303BA8762F44BC898 |
- |
|
processFileHashSha1 |
FileSHA1 |
98A9A1C8F69373B211E5F1E303BA8762F44BC898 |
- |
|
srcFileHashSha1 |
FileSHA1 |
98A9A1C8F69373B211E5F1E303BA8762F44BC898 |
- |
|
objectFileHashSha256 |
FileSHA2 |
16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a |
|
|
parentFileHashSha256 |
FileSHA2 |
16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a |
|
|
processFileHashSha256 |
FileSHA2 |
16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a |
|
|
srcFileHashSha256 |
FileSHA2 |
16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a |
|
|
objectFilePath |
FileFullPath |
C:\Program Files (x86)\temp\Application\test.exe |
- |
|
parentFilePath |
FileFullPath |
C:\Program Files (x86)\temp\Application\test.exe |
- |
|
srcFilePath |
FileFullPath |
C:\Program Files (x86)\temp\Application\test.exe |
- |
|
processFilePath |
ProcessFullPath |
C:\Program Files (x86)\temp\Application\test.exe |
- |
|
objectCmd |
CLICommand |
\??\c:\windows\system32\conhost.exe 0xffffffff -forcev1 |
- |
|
parentCmd |
CLICommand |
"c:\program files (x86)\tanium\tanium client\taniumclient.exe" -c |
- |
|
processCmd |
CLICommand |
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox |
- |
|
objectRegistryKeyHandle |
RegistryKey |
hklm\software\wow6432node\microsoft\windows\currentversion\run |
- |
|
objectRegistryValue |
RegistryValue |
its_ie_settings |
- |
|
objectRegistryData |
RegistryValueData |
wscript "C:\Program Files (x86)\JNJ\ITS_IE_PREF\IE_Preferences.vbs" |
- |
|
logonUser |
UserAccount |
[lenovo_tmp_uktqYZKK, jdodd4] |
- |
|
objectUser |
UserAccount |
john_doe |
Process event: The account that executed the process |
|
eventTime |
- |
1573752859458 |
Event occurrence time |
|
eventId |
- |
- |
|
|
eventSubId |
- |
- |
|
|
objectSigner |
- |
[trend micro, inc., trend micro, inc.] |
- |
|
objectSignerValid |
- |
[true, true] |
- |
|
pname |
- |
533 |
ID value for the reporting product For a complete list, see the table below. |
|
tags |
- |
- |
|
|
productCode |
- |
- |
|
Product |
pname Value |
|---|---|
|
Trend Micro Apex One (Windows Security Agent) |
533 |
|
Trend Micro Apex One (Mac Security Agent) |
620 |
|
Trend Micro Apex One (Deep Security Linux Agent) |
2200 |
|
Deep Security |
2200 |
|
Deep Security Virtual Appliance |
2201 |
|
Deep Security Relay |
2202 |
|
Deep Security Manager |
2203 |
|
Deep Security MANIFEST |
2211 |
|
Deep Security Relay Manifest |
2212 |
|
Deep Security Rules Updates |
2213 |
|
Deep Security Smart Check 1 |
2214 |
