Data Mapping: Endpoint Activity Data

Columns: Field Name, General Field, Description, Sample, Products

endpointGuid
General field: EndpointID
Description: Host GUID of the endpoint on which the event was detected
Sample:
  • 885fd860-cc63-5c61-9eca-37911c864cc9
  • fbcf0426-c46b-4fe7-b3a8-e6896de49ea3
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

endpointHostName
General field: EndpointName
Description: Host name of the endpoint on which the event was detected
Sample:
  • PHILIPSIBE09
  • WHAM6WK8XG2
  • MacBook-Pro-del-Meno
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

endpointIp
General field: IPv4, IPv6
Description: IP address of the endpoint on which the event was detected
Sample:
  • 127.0.0.1
  • ::1
  • fe80::1
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

eventId
General field: -
Description: Event type
Sample: -
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

eventSubId
General field: -
Description: Access type of an event
Sample:
  • TELEMETRY_PROCESS_CREATE
  • TELEMETRY_FILE_CREATE
  • TELEMETRY_CONNECTION_CONNECT_OUTBOUND
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

eventTime
General field: -
Description: Time recorded when the agent detected the event
Sample:
  • 1657781088000
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

hostName
General field: DomainName
Description: The domain name
Sample:
  • localhost
  • wpad
  • settings-win.data.microsoft.com
Products:
  • XDR Endpoint Sensor
  • Trend Micro Cloud One - Endpoint & Workload Security
  • Apex One as a Service

integrityLevel
General field: -
Description: Integrity level of a process
Sample: -
Products:
  • XDR Endpoint Sensor
  • Apex One as a Service

logonUser
General field: UserAccount
Description: The logon user name
Sample:
  • root
  • SISTEMA
  • oracle
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

objectAppName
General field: -
Description: Name of the app involved in the AMSI event
Sample:
  • Exchange Server 2016
  • PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.19041.1
  • PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.14393.0
Products:
  • XDR Endpoint Sensor
  • Trend Micro Cloud One - Endpoint & Workload Security
  • Apex One as a Service

objectCmd
General field: CLICommand
Description: Command line entry of the target process
Sample:
  • wc -l
  • runc init
  • docker-init --version
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

objectFileHashMd5
General field: FileMD5
Description: The MD5 hash of the target process image or target file
Sample:
  • 7ac47235c7bb452a03d3afd872f44c9e
  • c9873d83a969645a97f21adc1b164cc5
  • 3b32b378c8b288de6f15e1607a8c2145
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

objectFileHashSha1
General field: FileSHA1
Description: The SHA1 hash of the target process image or target file
Sample:
  • ded3833f145989fd86c1f4811b61497298ebc7fd
  • c4fa06404142f1994431f9eef3df2cbe0f1998f1
  • 3c01d486ed5aa1ecc2d8f33dc24b0ed59b3e609e
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

objectFileHashSha256
General field: FileSHA2
Description: The SHA256 hash of the target process image or target file
Sample:
  • 39109eef00821658893b45634fe2f4664f880da9242712df907f1327d4ceefb8
  • 49fa3e206abf6a1f4546417dbe09f3f06b38847866a4a66de75bd90f39cb6c1c
  • 0969321ad5a0923f0f03896ad2c10e49290515c44b721d773942a37f62a24893
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

objectFilePath
General field: FileFullPath, FileName
Description: File path location of the target process image or target file
Sample:
  • /usr/bin/bash
  • /bin/bash
  • /opt/nimsoft/probes/system/processes/processes
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

objectHostName
General field: DomainName
Description: Server name where the Internet event was detected
Sample:
  • 10.1.222.175
  • alertusupstate.ghs.org
  • alertusmidlands.palmettohealth.org
Products:
  • Apex One as a Service
  • XDR Endpoint Sensor

objectIntegrityLevel
General field: -
Description: Integrity level of the target process
Sample: -
Products:
  • XDR Endpoint Sensor
  • Apex One as a Service

objectIp
General field: IPv4, IPv6
Description: IP address of the Internet event
Sample:
  • 10.1.222.175
  • 10.6.32.77
  • 167.171.82.37
Products:
  • Apex One as a Service
  • XDR Endpoint Sensor

objectIps
General field: IPv4, IPv6
Description: IP address list of the Internet event
Sample:
  • ::1
  • 127.0.0.1
  • ::ffff:127.0.0.1
Products:
  • XDR Endpoint Sensor
  • Trend Micro Cloud One - Endpoint & Workload Security
  • Apex One as a Service

objectPid
General field: -
Description: The PID of the target process
Sample: -
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

objectPort
General field: Port
Description: The port number used by the Internet event
Sample: -
Products:
  • Apex One as a Service
  • XDR Endpoint Sensor

objectProcessHashId
General field: -
Description: FNV hash of the target process
Sample:
  • 1415699552492662761
  • -100650285065767982
  • -1139416698673814436
Products:
  • Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Micro Cloud One - Endpoint & Workload Security

objectRawDataStr
General field: -
Description: The data contents of the AMSI event
Sample:
  • $global:?
  • 0
  • $servicename = "WinRM" $arrService = Get-Service $servicename if ($arrService.Status -ne "Running") { Restart-Service $servicename }
Products:
  • XDR Endpoint Sensor
  • Trend Micro Cloud One - Endpoint & Workload Security
  • Apex One as a Service

objectRegistryData
General field: RegistryValueData
Description: The registry value data
Sample:
  • {00020424-0000-0000-C000-000000000046}
  • 1
  • 0
Products:
  • XDR Endpoint Sensor
  • Trend Micro Cloud One - Endpoint & Workload Security
  • Apex One as a Service

objectRegistryKeyHandle
General field: RegistryKey
Description: The registry key
Sample:
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  • HKLM\system\currentcontrolset\services\w32time\config
  • HKLM\system\currentcontrolset\services\tcpip\parameters
Products:
  • XDR Endpoint Sensor
  • Trend Micro Cloud One - Endpoint & Workload Security
  • Apex One as a Service

objectRegistryValue
General field: RegistryValue
Description: Registry value name
Sample:
  • lastknowngoodtime
  • threadingmodel
  • epoch
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

objectSigner
General field: -
Description: Certificate signer of the object process or file
Sample:
  • Microsoft Windows
  • Software Signing;Apple Code Signing Certification Authority;Apple Root CA;
  • Microsoft Corporation
Products:
  • XDR Endpoint Sensor
  • Apex One as a Service
  • Trend Micro Cloud One - Endpoint & Workload Security

objectSignerValid
General field: -
Description: Validity of the certificate signer
Sample:
  • 1
  • 0
Products:
  • XDR Endpoint Sensor
  • Apex One as a Service
  • Trend Micro Cloud One - Endpoint & Workload Security

objectSubTrueType
General field: -
Description: File object's true sub-type
Sample:
  • 0
  • 5000
  • 18000
  • 28001
Products:
  • XDR Endpoint Sensor
  • Apex One as a Service
  • Trend Micro Cloud One - Endpoint & Workload Security

objectTrueType
General field: -
Description: File object's true major type
Sample:
  • 7
  • 5
  • 18
  • 4051
Products:
  • Apex One as a Service
  • XDR Endpoint Sensor
  • Trend Micro Cloud One - Endpoint & Workload Security

objectUser
General field: UserAccount
Description: The owner name of the target process / the logon user name
Sample:
  • root
  • SYSTEM
  • oracle
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

parentCmd
General field: CLICommand
Description: Command line entry of the parent process
Sample:
  • C:\WINDOWS\system32\services.exe
  • C:\Windows\system32\services.exe
  • /sbin/launchd
Products:
  • XDR Endpoint Sensor
  • Trend Micro Cloud One - Endpoint & Workload Security
  • Apex One as a Service

parentFileHashMd5
General field: FileMD5
Description: The MD5 hash of the parent process
Sample:
  • d8e577bf078c45954f4531885478d5a9
  • cd10cb894be2128fca0bf0e2b0c27c16
  • cfd65bed18a1fae631091c3a4c4dd533
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

parentFileHashSha1
General field: FileSHA1
Description: The SHA1 hash of the parent process
Sample:
  • d7a213f3cfee2a8a191769eb33847953be51de54
  • 1f912d4bec338ef10b7c9f19976286f8acc4eb97
  • 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

parentFileHashSha256
General field: FileSHA2
Description: The SHA256 hash of the parent process
Sample:
  • dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674
  • f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881
  • 00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

parentFilePath
General field: FileFullPath, FileName
Description: The file path location of the parent process
Sample:
  • c:\windows\system32\services.exe
  • /usr/bin/bash
  • c:\windows\system32\svchost.exe
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

parentPid
General field: -
Description: The PID of the parent process
Sample:
  • 1
  • 976
  • 920
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

pname
General field: -
Description: Internal product ID (deprecated; use productCode instead; see Table 1 for the value mapping)
Sample:
  • 2200
  • 751
  • 533
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

processCmd
General field: CLICommand
Description: The command line entry of the subject process
Sample:
  • C:\Windows\system32\lsass.exe
  • C:\WINDOWS\system32\lsass.exe
  • nimbus(processes)
Products:
  • XDR Endpoint Sensor
  • Trend Micro Cloud One - Endpoint & Workload Security
  • Apex One as a Service

processFileHashMd5
General field: FileMD5
Description: The MD5 hash of the subject process image
Sample:
  • cd10cb894be2128fca0bf0e2b0c27c16
  • 7ac47235c7bb452a03d3afd872f44c9e
  • cfd65bed18a1fae631091c3a4c4dd533
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

processFileHashSha1
General field: FileSHA1
Description: The SHA1 hash of the subject process image
Sample:
  • 1f912d4bec338ef10b7c9f19976286f8acc4eb97
  • ded3833f145989fd86c1f4811b61497298ebc7fd
  • 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

processFileHashSha256
General field: FileSHA2
Description: The SHA256 hash of the subject process image
Sample:
  • f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881
  • 39109eef00821658893b45634fe2f4664f880da9242712df907f1327d4ceefb8
  • 00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

processFilePath
General field: ProcessFullPath, ProcessName, FileFullPath, FileName
Description: The file path location of the subject process image
Sample:
  • /usr/bin/bash
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\lsass.exe
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

processHashId
General field: -
Description: The FNV hash of the subject process
Sample:
  • 7114696589795796819
  • 1307755369266815004
  • -5015325378148567246
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

processName
General field: ProcessName
Description: The image name of the process that triggered the event
Sample:
  • /usr/bin/bash
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\lsass.exe
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

processPid
General field: -
Description: The PID of the subject process
Sample:
  • 4
  • 1
  • 784
  • 792
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

processUser
General field: UserAccount
Description: The owner name of the subject process image
Sample:
  • root
  • SYSTEM
  • SISTEMA
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

rawDataStr
General field: -
Description: Windows event raw contents
Sample:
  • { "EventData" : { "LogonType" : "", "TargetDomainName" : "", "TargetLogonId" : "", "TargetUserName" : "", "TargetUserSid" : "" } }
  • { "EventData" : { "LogonType" : "10", "TargetDomainName" : "AFASADV", "TargetLogonId" : "14941011731", "TargetUserName" : "administrator", "TargetUserSid" : "S-1-5-21-1507008304-2416677881-2121376573-500" } }
  • { "EventData" : { "LogonType" : "10", "TargetDomainName" : "AIS", "TargetLogonId" : "216921070", "TargetUserName" : "MWoodr01", "TargetUserSid" : "S-1-5-21-1873864278-1756520048-3043165120-15057" } }
Products:
  • XDR Endpoint Sensor
  • Apex One as a Service

request
General field: URL
Description: Request URL
Sample:
  • http://10.1.222.175/Conserver/CommunicationNode
  • http:///cgi-bin/admin/param.cgi?action=list&group=Alarm.Status
  • http://search.namequery.com/
Products:
  • Apex One as a Service
  • XDR Endpoint Sensor

dpt
General field: Port
Description: The destination port number of the network connection
Sample: -
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

dst
General field: IPv4, IPv6
Description: The destination IP address of the network connection
Sample:
  • ::
  • 0.0.0.0
  • 127.0.0.1
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

spt
General field: Port
Description: The source port number of the network connection
Sample:
  • 53
  • 5353
  • 443
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

src
General field: IPv4, IPv6
Description: The source address of the network connection
Sample:
  • ::
  • 172.20.0.10
  • 192.168.0.10
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

srcFileHashMd5
General field: FileMD5
Description: The MD5 hash of the source file
Sample:
  • e5d5e9c1f65b8ec7aa5b7f1b1acdd731
  • a6779bf446db07e4c4ba3516b273c496
  • 4bb7334fdadc6eccb8e6ab402aae013b
Products:
  • Apex One as a Service
  • XDR Endpoint Sensor

srcFileHashSha1
General field: FileSHA1
Description: The SHA1 hash of the source file
Sample:
  • 5d34902fecc1760138212ada36be1e742bda5e52
  • dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
  • 2292f8109cd756e790c068a52d50f1b0858f503b
Products:
  • Apex One as a Service
  • XDR Endpoint Sensor

srcFileHashSha256
General field: FileSHA2
Description: The SHA256 hash of the source file
Sample:
  • 4eaa002225f4ea2dedcd19b7f1337d7c58ea7dd6d4571c12468dde95e6bcfdaf
  • e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
  • 16b20a3ad485b4fbbe3028c7e743b226db21ea93cacc8b3d7d7d4a731bf02333
Products:
  • Apex One as a Service
  • XDR Endpoint Sensor

srcFilePath
General field: FileFullPath, FileName
Description: The file path location of the source file
Sample:
  • \\cnva-apps\megaclockprod\traveler\travelerprint.accdb
  • c:\program files\common files\microsoft shared\clicktorun\officesvcmgrschedule.xml
  • q:\a7_dbs\a4_pkg\a4_packaging.accde
Products:
  • XDR Endpoint Sensor
  • Apex One as a Service
  • Trend Micro Cloud One - Endpoint & Workload Security

tags
General field: Technique
Description: Attack technique ID detected by XDR based on the alert filter
Sample:
  • MITREV9.T1057
  • MITREV9.T1059.003
  • XSAE.F2924
Products:
  • Security Analytics Engine

uuid
General field: -
Description: Unique key of the log
Sample:
  • 00000003-be87-4aad-add2-d395e4efad3e
  • 00000014-0493-459d-9f90-93565402f41e
  • 0000006b-b5ea-4f5e-8d56-ddec452ef3bd
Products:
  • Security Analytics Engine

winEventId
General field: -
Description: Event ID of the Windows event
Sample:
  • 11
  • 4624
  • 4670
Products:
  • XDR Endpoint Sensor
  • Apex One as a Service

productCode
General field: -
Description: Product which sent the log
Sample:
  • sds
  • xes
  • sao
Products:
  • Security Analytics Engine

filterRiskLevel
General field: -
Description: Top-level risk level of the event
Sample:
  • info
  • low
  • medium
Products:
  • Security Analytics Engine

eventDataIpAddress
General field: -
Description: The IP address for Windows event 4624 ("An account was successfully logged on")
Sample:
  • -
  • 10.37.38.237
  • 10.5.10.5
Products:
  • XDR Endpoint Sensor
  • Apex One as a Service

eventDataLogonType
General field: -
Description: The logon type for Windows event 4624 ("An account was successfully logged on")
Sample:
  • 3
  • 5
  • 2
Products:
  • XDR Endpoint Sensor
  • Apex One as a Service

eventDataScriptBlockText
General field: -
Description: The script block text of Windows event 4104 (Creating Scriptblock text)
Sample:
  • $global:?
  • 0
  • { Set-StrictMode -Version 1; $_.PSMessageDetails }
Products:
  • Apex One as a Service

eventDataOperation
General field: -
Description: The operation recorded in Windows event 11
Sample:
  • Start IWbemServices::ExecQuery - root\ccm : select * from SMS_Authority
  • Start IWbemServices::ExecQuery - root\cimv2 : select * from win32_process
  • Start IWbemServices::ExecQuery - root\ccm : SELECT * FROM SMS_Authority
Products:
  • XDR Endpoint Sensor
  • Apex One as a Service

objectBmData
General field: -
Description: The data of the BM event
Sample:
  • {"provider":"ORCA","schema_version":1,"data":[{"str":"Access /proc/<pid>/*"}]}
  • {"provider":"ORCA","schema_version":1,"data":[{"str":"source '/etc/profile.d/lang.sh'"}]}
  • {"provider":"ORCA","schema_version":1,"data":[{"str":"source '/etc/profile.d/bash_completion.sh'"}]}
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor

osDescription
General field: -
Description: The OS version
Sample:
  • Windows 10 (64 bit)
  • Windows 10 Pro (64 bit) build 19044
  • Amazon Linux 2 (64 bit) (5.4.188-104.359.amzn2.x86_64)
Products:
  • Trend Micro Cloud One - Endpoint & Workload Security
  • XDR Endpoint Sensor
  • Apex One as a Service

receivedTime
General field: -
Description: Time when the XDR log was received
Sample:
  • 1657781088000
Products:
  • Security Analytics Engine

Table 1. pname Value Mapping (Product: pname value)

  • Trend Micro Apex One (Windows Security Agent): 533
  • Trend Micro Apex One (Mac Security Agent): 620
  • Trend Micro Apex One (Deep Security Linux Agent): 2200
  • Deep Security: 2200
  • Deep Security Virtual Appliance: 2201
  • Deep Security Relay: 2202
  • Deep Security Manager: 2203
  • Deep Security MANIFEST: 2211
  • Deep Security Relay Manifest: 2212
  • Deep Security Rules Updates: 2213
  • Deep Security Smart Check 1: 2214