Data Mapping: Endpoint Activity Data
|
Field Name |
General Field |
Description |
Sample |
Products |
|---|---|---|---|---|
|
endpointGuid |
EndpointID |
Host GUID of the endpoint on which the event was detected |
|
|
|
endpointHostName |
EndpointName |
Host Name of the endpoint on which the event was detected |
|
|
|
endpointIp |
|
IP address of the endpoint on which the event was detected |
|
|
|
eventId |
- |
Event type |
- |
|
|
eventSubId |
- |
Access type of an event |
|
|
|
eventTime |
- |
Time recorded when agent detected the event |
|
|
|
hostName |
DomainName |
The domain name |
|
|
|
integrityLevel |
- |
Integrity level of a process |
- |
|
|
logonUser |
UserAccount |
The logon user name |
|
|
|
objectAppName |
- |
Name of the app involved in the AMSI event |
|
|
|
objectCmd |
CLICommand |
Command line entry of target process |
|
|
|
objectFileHashMd5 |
FileMD5 |
The md5 hash of target process image or target file |
|
|
|
objectFileHashSha1 |
FileSHA1 |
The SHA1 hash of target process image or target file |
|
|
|
objectFileHashSha256 |
FileSHA2 |
The SHA256 hash of target process image or target file |
|
|
|
objectFilePath |
|
File path location of target process image or target file |
|
|
|
objectHostName |
DomainName |
Server name where Internet event was detected |
|
|
|
objectIntegrityLevel |
- |
Integrity level of target process |
- |
|
|
objectIp |
|
IP address of internet event |
|
|
|
objectIps |
|
IP address list of internet event |
|
|
|
objectPid |
- |
The PID of target process |
- |
|
|
objectPort |
Port |
The port number used by internet event |
- |
|
|
objectProcessHashId |
- |
FNV of target process |
|
|
|
objectRawDataStr |
- |
The data contents of the AMSI event |
|
|
|
objectRegistryData |
RegistryValueData |
The registry value data |
|
|
|
objectRegistryKeyHandle |
RegistryKey |
The registry key |
|
|
|
objectRegistryValue |
RegistryValue |
Registry value name |
|
|
|
objectSigner |
- |
Certificate signer of object process or file |
|
|
|
objectSignerValid |
- |
Validity of certificate signer |
|
|
|
objectSubTrueType |
- |
File object's true sub-type |
|
|
|
objectTrueType |
- |
File object's true major type |
|
|
|
objectUser |
UserAccount |
The owner name of target process / The logon user name |
|
|
|
parentCmd |
CLICommand |
Command line entry of parent process |
|
|
|
parentFileHashMd5 |
FileMD5 |
The md5 hash of parent process |
|
|
|
parentFileHashSha1 |
FileSHA1 |
The SHA1 hash of parent process |
|
|
|
parentFileHashSha256 |
FileSHA2 |
The SHA256 hash of parent process |
|
|
|
parentFilePath |
|
The file path location of parent process |
|
|
|
parentPid |
- |
The PID of parent process |
|
|
|
pname |
- |
Internal product ID (Deprecated, use productCode) |
|
|
|
processCmd |
CLICommand |
The command line entry of the subject process |
|
|
|
processFileHashMd5 |
FileMD5 |
The md5 hash of subject process image |
|
|
|
processFileHashSha1 |
FileSHA1 |
The SHA1 hash of subject process image |
|
|
|
processFileHashSha256 |
FileSHA2 |
The SHA256 hash of subject process image |
|
|
|
processFilePath |
|
The file path location of subject process image |
|
|
|
processHashId |
- |
The FNV of subject process |
|
|
|
processName |
ProcessName |
The image name of the process which triggered the event |
|
|
|
processPid |
- |
The PID of the subject process |
|
|
|
processUser |
UserAccount |
The owner name of subject process image |
|
|
|
rawDataStr |
- |
Windows event raw contents |
|
|
|
request |
URL |
Request URL |
|
|
|
dpt |
Port |
The destination port number of network connection |
- |
|
|
dst |
|
The destination IP address of network connection |
|
|
|
spt |
Port |
The source port number of network connection |
|
|
|
src |
|
The source address of network connection |
|
|
|
srcFileHashMd5 |
FileMD5 |
The md5 hash of source file |
|
|
|
srcFileHashSha1 |
FileSHA1 |
The SHA1 hash of source file |
|
|
|
srcFileHashSha256 |
FileSHA2 |
The SHA256 hash of source file |
|
|
|
srcFilePath |
|
The file path location of source file |
|
|
|
tags |
Technique |
Attack technique ID detected by XDR based on alert filter |
|
|
|
uuid |
- |
Unique key of the log |
|
|
|
winEventId |
- |
Event ID of Windows event |
|
|
|
productCode |
- |
Product which sent the log |
|
|
|
filterRiskLevel |
- |
Top-level risk level of the event |
|
|
|
eventDataIpAddress |
- |
The IP address for Windows event 4624 which is "An account was successfully logged on" |
|
|
|
eventDataLogonType |
- |
The logon type for Windows event 4624 which is "An account was successfully logged on" |
|
|
|
eventDataScriptBlockText |
- |
Windows event 4104, Creating Scriptblock text |
|
|
|
eventDataOperation |
- |
Windows event 11 |
|
|
|
objectBmData |
- |
The data of BM event |
|
|
|
osDescription |
- |
The OS version |
|
|
|
receivedTime |
- |
Time when XDR log was received |
|
|
|
Product |
pname Value |
|---|---|
|
Trend Micro Apex One (Windows Security Agent) |
533 |
|
Trend Micro Apex One (Mac Security Agent) |
620 |
|
Trend Micro Apex One (Deep Security Linux Agent) |
2200 |
|
Deep Security |
2200 |
|
Deep Security Virtual Appliance |
2201 |
|
Deep Security Relay |
2202 |
|
Deep Security Manager |
2203 |
|
Deep Security MANIFEST |
2211 |
|
Deep Security Relay Manifest |
2212 |
|
Deep Security Rules Updates |
2213 |
|
Deep Security Smart Check 1 |
2214 |
