Data Mapping: Detections

Field Name

General Field

Description

Sample

Products

uuid

-

Unique key of the log

  • 000008d7-35fd-4d7b-bada-7f38dca2abf7

  • 0000116b-ac61-48d2-89e1-3d1ce2d13cdd

  • 000017f4-ac10-43b4-8aef-97158e0f8533

  • Security Analytics Engine

filterRiskLevel

-

Event's top level filter risk

  • info

  • low

  • medium

  • Security Analytics Engine

hostName

DomainName

Computer name of the client host (For Deep Discover Inspector, the hostname from the suspicious URL)

  • Let's Encrypt

  • 35.247.144.219

  • 204.65.0.20

  • Deep Discovery Inspector

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Security

  • On-prem ODC(EdgeOne)

interestedHost

DomainName

Endpoint hostname (For example, if an intranet host accesses a suspicious internet host, intranet host will be "peerHost" and internet host will be "interestedHost")

  • 10.124.17.69 (swpos-aws-aza02) [i-0fd28720e80225308]

  • 10.124.21.139 (swpos-aws-azc02) [i-07e2c4a803cd0fa93]

  • es-dtc-w-dc02.estacio.corp

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Deep Security

  • Apex One as a Service

shost

DomainName

Source hostname

  • dns.google

  • sw_us-east-1a_10-124-17-69

  • sw_us-east-1c_10-124-21-139

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Deep Security

dhost

DomainName

Destination hostname

  • 10.46.91.40

  • 200.185.65.108

  • 8.243.49.4

  • Deep Discovery Inspector

denyListHost

DomainName

Domain of the Virtual Analyzer Suspicious Object

  • www.yandex2unitedstated.dns04.com

  • bingsearchlib.com

  • laborerregular.com

  • Deep Discovery Inspector

endpointHostName

EndpointName

Endpoint hostname

  • 10.124.17.69 (swpos-aws-aza02) [i-0fd28720e80225308]

  • 10.124.21.139 (swpos-aws-azc02) [i-07e2c4a803cd0fa93]

  • 10.15.52.160 (swpos-aws-azc02) [i-06d8a16f428e7e85b]

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Security

  • Apex One as a Service

  • XDR Endpoint Sensor

  • Zero Trust Secure Access - Internet Access

  • Mobile Security

userDomain

EndpointName

Domain of the username (For Apex One SaaS, last signed in user; For Trend Micro Web Security, last signed in user to Trend Micro Web Security proxy; For Internet Access Gateway, last signed in user Internet Access Gateway proxy)

  • multibank.com.pa

  • COMCEL_DOMINIO

  • HDWA

  • Apex One as a Service

  • Trend Micro Web Security

  • Zero Trust Secure Access - Internet Access

endpointGUID

EndpointID

GUID of the agent which reported this detection

  • ae4d64aa-f8b8-bb36-b265-f59272ed342f

  • 8fb979f6-1376-bed3-227f-f2886e66194e

  • ca2b3a7e-8415-c571-cc19-e45f69470026

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Apex One as a Service

  • Deep Security

  • XDR Endpoint Sensor

  • Zero Trust Secure Access - Internet Access

  • Mobile Security

request

URL

Notable URL

  • http://detectportal.firefox.com/canonical.html

  • http://35.247.144.219/

  • http://35.247.144.219

  • Deep Discovery Inspector

  • Apex One as a Service

  • TippingPoint Security Management System

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Zero Trust Secure Access - Internet Access

  • Trend Micro Cloud App Security

  • Trend Micro Cloud One - Network Security

  • Trend Micro Email Security

  • Deep Security

  • Mobile Security

botUrl

URL

Bot URL

  • 7?01

  • 0000

  • indows

  • Deep Discovery Inspector

cccaDestination

URL

Destination domain, IP, URL, or recipient

  • 157.240.233.61:443

  • www.yandex2unitedstated.dns04.com

  • amnsreiuojy.ru

  • Deep Discovery Inspector

src

  • IPv4

  • IPv6

Source IP

  • 8.8.8.8

  • 0.0.0.0

  • 10.150.54.5

  • Deep Discovery Inspector

  • Apex One as a Service

  • Trend Micro Cloud One - Endpoint & Workload Security

  • TippingPoint Security Management System

  • Deep Security

  • Trend Micro Cloud One - Network Security

  • XDR Endpoint Sensor

  • Zero Trust Secure Access - Internet Access

  • On-prem ODC(EdgeOne)

dst

  • IPv4

  • IPv6

Destination IP

  • 239.255.255.250

  • 0.0.0.0

  • 10.46.91.40

  • Deep Discovery Inspector

  • Apex One as a Service

  • Trend Micro Cloud One - Endpoint & Workload Security

  • TippingPoint Security Management System

  • Deep Security

  • Trend Micro Cloud One - Network Security

  • XDR Endpoint Sensor

  • Zero Trust Secure Access - Internet Access

  • On-prem ODC(EdgeOne)

interestedIp

  • IPv4

  • IPv6

IP of interestedHost

  • 192.168.204.215

  • 192.168.26.167

  • 192.168.46.168

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Deep Security

  • Apex One as a Service

  • TippingPoint Security Management System

  • Trend Micro Cloud One - Network Security

  • On-prem ODC(EdgeOne)

endpointIp

  • IPv4

  • IPv6

IP of endpointHost (For ptp/stp, client IP)

  • 192.168.204.215

  • 192.168.26.167

  • 192.168.46.168

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Security

  • Apex One as a Service

  • TippingPoint Security Management System

  • Trend Micro Cloud One - Network Security

  • On-prem ODC(EdgeOne)

peerIp

  • IPv4

  • IPv6

IP of peerHost

  • 8.8.8.8

  • 0.0.0.0

  • 208.67.222.222

  • Deep Discovery Inspector

  • Apex One as a Service

denyListIp

  • IPv4

  • IPv6

IP of the Virtual Analyzer Suspicious Object

  • 146.185.253.132

  • 170.114.10.75

  • 104.21.17.237

  • Deep Discovery Inspector

dpt

Port

Destination port

  • 0

  • 445

  • 80

  • Deep Discovery Inspector

  • Apex One as a Service

  • Trend Micro Cloud One - Endpoint & Workload Security

  • TippingPoint Security Management System

  • Deep Security

  • Trend Micro Cloud One - Network Security

  • XDR Endpoint Sensor

  • On-prem ODC(EdgeOne)

spt

Port

Source port

  • 53

  • 0

  • 7680

  • Deep Discovery Inspector

  • Apex One as a Service

  • Trend Micro Cloud One - Endpoint & Workload Security

  • TippingPoint Security Management System

  • Deep Security

  • Trend Micro Cloud One - Network Security

  • XDR Endpoint Sensor

  • On-prem ODC(EdgeOne)

policyUuid

-

Unique key of the cloud access or risk control rule, or the hardcode unique key of the global blocked/approved list

  • C!cb05893d-aec2-4181-9a17-d8b4ec6f6786

Zero Trust Secure Access - Internet Access

ruleUuid

-

ID of the risk assessment and control action defined in risk control rules

  • a0ffc0f0-5cae-43d9-9f91-f8b1b3ab7d2c

Zero Trust Secure Access - Internet Access

fileName

FileName

File name

  • spoolss

  • hosts

  • svcrestarttask

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Apex One as a Service

  • Deep Security

  • Zero Trust Secure Access - Internet Access

objectFileName

FileName

Object file name

  • powershell.exe

  • wmiprvse.exe

  • dismhost.exe

  • Apex One as a Service

compressedFileName

FileName

File name of the compressed file

  • /proc/32058/fd/150

  • NONAMEFL

  • /proc/10006/fd/30

  • Deep Discovery Inspector

  • Apex One as a Service

attachmentFileName

FileName

File name of an attachment

  • Mail Body

  • image001.png

  • image002.png

  • Trend Micro Cloud App Security

  • Trend Micro Email Security

  • Deep Discovery Inspector

filePath

FileFullPath

File path without the file name

  • security

  • /var/log/audit/audit.log

  • application

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Security

  • Apex One as a Service

  • Deep Discovery Inspector

filePathName

FileFullPath

File path with the file name

  • vss

  • spoolss

  • /etc/hosts

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Deep Security

objectFilePath

FileFullPath

File path of the target object

  • c:\windows\system32\windowspowershell\v1.0\powershell.exe

  • zwwritevirtualmemory

  • c:\windows\system32\wbem\wmiprvse.exe

  • Apex One as a Service

  • Trend Micro Cloud One - Endpoint & Workload Security

  • XDR Endpoint Sensor

quarantineFilePath

-

OfficeScan server file path for the quarantined file (When a file is quarantined, it is encrypted and copied to the OfficeScan server for post-mortem analysis)

-

-

forensicFilePath

-

File path of the forensic file (When a Data Loss Prevention policy is triggered, the file is encrypted and copied to the OfficeScan server for post-mortem analysis)

  • C:\Program Files (x86)\Trend Micro\OfficeScan Client\dlplite\forensic\frnsc_200411DC0594_xml_184956f80d8_20220314_132326281

  • C:\Program Files (x86)\Trend Micro\OfficeScan Client\dlplite\forensic\frnsc_CIL-OPRCOGEN_docx_1f5743ba18c_20211025_225445873

  • C:\Program Files (x86)\Trend Micro\OfficeScan Client\dlplite\forensic\frnsc_SHA-ESHOU_h265_1f498d16c96_20220601_082417865

  • Apex One as a Service

fileHash

FileSHA1

SHA-1 of file that triggered the rule or policy

  • DA39A3EE5E6B4B0D3255BFEF95601890AFD80709

  • 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F

  • 3AD1F4E7CAA11E5199EE80B8983677ADDD065450

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Deep Security

  • Apex One as a Service

  • Zero Trust Secure Access - Internet Access

attachmentFileHash

FileSHA1

SHA-1 of the email attachment

  • C9877617DB6715792F9D5C959C1E8D4E56D0C281

  • 0340A8EE3AD2990E3EDCDB2E471EAA45B4286722

  • 0E56D9540B07ED15EF745348D35C72A6A00A0BD9

  • Deep Discovery Inspector

attachmentFileHashSha1

FileSHA1

SHA-1 of the attached file (attachementFileName)

  • d63b1739a2fe56eb412dff1c69b76d4b9aad8ebd

  • 3b923d078ea3bd39489ed6d334c423e4478a8ee3

  • 3a2e6a64e1b7f4c6cbebcb9e949dc66b667cdfbe

  • Trend Micro Cloud App Security

  • Trend Micro Email Security

compressedFileHash

FileSHA1

SHA-1 of the decompressed archive

  • 6E2ECB34B7798E179CC704111FB9733FBAAD5ACA

  • FA71B59F35F0EE44D27F74917EF5A0DA2797E80B

  • 14D2302172EB81465CE12E01361AE24CDE170F7B

  • Deep Discovery Inspector

denyListFileHash

FileSHA1

SHA-1 of the Virtual Analyzer Suspicious Object

  • 746C4D6048A409F33446463B28CA21CB2C5DD941

  • DAA66CE3C1F08144885BB0E99837030C5231DE60

  • Deep Discovery Inspector

objectFileHashSha1

FileSHA1

SHA-1 of the objectFilePath object

  • 51B8646308EE0B68AD1F7F1291B85395434DE49A

  • 36C5D12033B2EAF251BAE61C00690FFB17FDDC87

  • 2586528000199793730B05D3F169BCF139E4D7A1

  • Apex One as a Service

  • XDR Endpoint Sensor

  • Trend Micro Cloud One - Endpoint & Workload Security

oldFileHash

FileSHA1

SHA-1 of the target process image or target file (wasEntity from an IM event)

  • DA39A3EE5E6B4B0D3255BFEF95601890AFD80709

  • 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F

  • 57247B810B0EE61DD86CE24AC14097B9B5405EEC

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Security

fileHashSha256

FileSHA2

SHA-256 of the file (fileName)

  • 6A6EB2D717CEA041B4444193B45EDFB6CA1287518203B7230B3C4B8FFB031EAB

  • BFF703FF836196644586014DA13A097C2EE9A08E4D596DFB7C8E0F685FE01294

  • 12327F460AC9CBBC34D39EB3CF89C7FECCA37F08773A04566840F73F6ECC4104

  • Deep Discovery Inspector

  • Apex One as a Service

  • Zero Trust Secure Access - Internet Access

  • Trend Micro Cloud One - Endpoint & Workload Security

attachmentFileHashSha256

FileSHA2

SHA-256 of the attached file (attachementFileName)

  • D81D4C14DDEB8CA390FFADA69265AAD46CDEDD72CDD332CB8AA17D924626B397

  • 01DE1FC697D2D0850F0468474A3E1E0BF4D78B23F0633908CF82E504E0DCBFF9

  • 02D16D9970AB635A7B05C3A268E23F5B41C419DD022F1054E9FD912BE130BDB0

  • Deep Discovery Inspector

  • Trend Micro Email Security

compressedFileHashSha256

FileSHA2

SHA-256 of compressed suspicious file

  • 60C7C5924DD09F7C6B150120FB92DCEE00AE82DB75C7402FA4D9152CF487A94F

  • 482FFC4F87B78C3C7073983CF65B593D9F13F0A3D6DC54B4A3F616F79838F3CE

  • 68C0126D9B4B0FC32DE181D0D67DA8FE82E23745F6023317D5E053B6F6ED26CF

  • Deep Discovery Inspector

objectFileHashSha256

FileSHA2

SHA-256 of the object (objectFilePath)

  • A75C85F3B089993E9C042FB82ECB7757E8F460ED8065FC7991CAA38A6DE0F50C

  • 908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53

  • 1A2ABAAD8A166B66CA35AB51C7432C5A7E46996472C8174281842896408D7F96

  • Apex One as a Service

  • XDR Endpoint Sensor

  • Trend Micro Cloud One - Endpoint & Workload Security

attachmentFileHashMd5

FileMD5

MD5 of the attached file (attachementFileName)

  • RSjbNuJB0hx39ZpzwLdipg==

  • +TmuTNLw3FMQlaTbPwjD8g==

  • +XWktHxXXdY0O4A82FQMzQ==

  • Trend Micro Cloud App Security

objectFileHashMd5

FileMD5

MD5 of the object

  • 801E8003C257C8F540B20F1E0DECD3A6

  • CDA48FC75952AD12D99E526D0B6BF70A

  • D5120786925038601A77C2E1EB9A3A0A

  • Apex One as a Service

  • XDR Endpoint Sensor

  • Trend Micro Cloud One - Endpoint & Workload Security

processCmd

CLICommand

Subject process command line

  • "C:\Program Files (x86)\AADM\AADM.exe"

  • /usr/lib/inet/sendmail -bl -q15m

  • ComDir

  • Trend Micro Cloud One - Endpoint & Workload Security

  • XDR Endpoint Sensor

  • Deep Security

  • Apex One as a Service

objectCmd

CLICommand

Object process command line

  • C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding

  • "C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass "& 'C:\WINDOWS\CCM\SystemTemp\afd6f0e5-e491-4764-a20a-9f1d9edf3cce.ps1'"

  • C:\WINDOWS\system32\lsass.exe

  • Apex One as a Service

  • Trend Micro Cloud One - Endpoint & Workload Security

  • XDR Endpoint Sensor

objectRegistryData

RegistryValueData

Registry data contents

  • 07EFCDAB010001007CE21B54433A0CD356BCEA7C1C5DEE683999E759484BD7E82BDE5B3F598057F5AFCBB15B2C6EFB679F0744879657

  • C:\Program Files\AlertMedia\AlertMedia Desktop Notifications\AlertMedia.exe

  • XDR Endpoint Sensor

  • Apex One as a Service

  • Trend Micro Cloud One - Endpoint & Workload Security

objectRegistryKeyHandle

RegistryKey

Registry key path

  • HKCR\CID\{42003200-2F00-6400-6800-4E0034003800}

  • HKLM\SOFTWARE\WOW6432Node\Eos

  • HKCU\SOFTWARE\Cerner\InstantAccess

  • XDR Endpoint Sensor

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Apex One as a Service

objectRegistryValue

RegistryValue

Registry value name

  • 1

  • key

  • reg

  • XDR Endpoint Sensor

  • Apex One as a Service

  • Trend Micro Cloud One - Endpoint & Workload Security

mimeType

-

MIME type or content type of the response body

  • text/html; charset=UTF-8

  • Zero Trust Secure Access - Internet Access

objectType

-

Object type

  • file

  • process

  • qil

  • Trend Micro Cloud App Security

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Apex One as a Service

  • Trend Micro Email Security

  • XDR Endpoint Sensor

processFilePath

  • ProcessFullPath

  • FileFullPath

  • FileName

Image path of the subject process

  • c:\windows\system32\svchost.exe

  • c:\windows\system32\windowspowershell\v1.0\powershell.exe

  • c:\windows\syswow64\srts\wmipr.exe

  • Apex One as a Service

  • Trend Micro Cloud One - Endpoint & Workload Security

  • XDR Endpoint Sensor

suid

UserAccount

User name or mailbox

  • root

  • NT AUTHORITY\SYSTEM

  • telnet.user@internal.firs.gov.ng

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Trend Micro Cloud App Security

  • Apex One as a Service

  • Deep Discovery Inspector

  • Trend Micro Web Security

  • Deep Security

  • Trend Micro Cloud One - Network Security

  • Zero Trust Secure Access - Internet Access

suser

EmailSender

Email sender

  • WF-BATCH@ngcp.ph

  • mckinseyrr@evalueserve.com

  • difusionissste@issste.gob.mx

  • Trend Micro Cloud App Security

  • Trend Micro Email Security

  • Deep Discovery Inspector

  • Apex One as a Service

duser

EmailRecipient

Email receipient

  • (no user)

  • SYSTEM

  • SYSTEM

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Security

  • Trend Micro Cloud App Security

  • Trend Micro Email Security

  • Deep Discovery Inspector

  • Apex One as a Service

mailMsgSubject

EmailSubject

Message subject

  • mail.dhr-rgv.com

  • ManageEngine

  • Trend Micro Cloud App Security

  • Deep Discovery Inspector

  • Trend Micro Email Security

  • Apex One as a Service

msgId

EmailMessageID

Internet message ID

  • 11.2.00.0007

  • mail.dhr-rgv.com

  • dameware1svr

  • Trend Micro Cloud App Security

  • Trend Micro Email Security

  • Deep Discovery Inspector

  • Apex One as a Service

techniqueId

Technique

Technique ID detected by the product agent base on a detection rule

-

-

tags

  • Technique

  • Tactic

Technique ID detected by XDR base on an alert filter

  • MITREV9.T1090

  • MITRE.T1071

  • MITREV9.T1059.001

  • Security Analytics Engine

tacticId

Tactic

List of MITRE tactic IDs

  • TA0011

  • TA0008

  • TA0001

  • Deep Discovery Inspector

  • XDR Endpoint Sensor

  • Apex One as a Service

ruleName

-

Name of the rule that triggered the event

  • Directory Server - Microsoft Windows Active Directory

  • Microsoft Windows Events

  • Microsoft Windows Security Events - 3

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Apex One as a Service

  • Deep Security

  • Trend Micro Cloud App Security

  • TippingPoint Security Management System

  • XDR Endpoint Sensor

  • Trend Micro Email Security

  • Trend Micro Cloud One - Network Security

ruleId

-

ID of a rule

  • 1002795

  • 1003802

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Deep Security

  • Apex One as a Service

malName

-

Name of the malware detected

  • SecurityLevelDrop

  • Regla Logs All

  • USR_SUSPICIOUS_DOMAIN.UMXX

  • Apex One as a Service

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Deep Security

  • Trend Micro Web Security

  • Zero Trust Secure Access - Internet Access

malType

-

Type of the malware detected

  • Virus

  • Zero Trust Secure Access - Internet Access

eventName

-

Event type name

  • LOG_INSPECTION_EVENT

  • SECURITY_RISK_DETECTION

  • WEB_THREAT_DETECTION

  • LOG_INSPECTION_EVENT

  • MALWARE_DETECTION

  • PROCESS_ACTIVITY

  • WEB_POLICY_VIOLATION

  • DEEP_PACKET_INSPECTION_EVENT

  • INTEGRITY_MONITORING_EVENT

  • DISRUPTIVE_APPLICATION_DETECTION

  • PRODUCT_SUMMARY

  • PRODUCT_UPDATE

  • BEHAVIORAL_VIOLATION

  • FIREWALL_POLICY_VIOLATION

  • SUSPICIOUS_BEHAVIOUR_DETECTION

  • DENYLIST_CHANGE

  • MACHINE_LEARNING_DETECTION

  • DLP_VIOLATION

  • MALWARE_OUTBREAK_DETECTION

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Apex One as a Service

  • Deep Security

  • TippingPoint Security Management System

  • Trend Micro Cloud App Security

  • Trend Micro Email Security

  • XDR Endpoint Sensor

  • Trend Micro Cloud One - Network Security

  • Zero Trust Secure Access - Internet Access

  • On-prem ODC(EdgeOne)

eventSubName

-

Event type subName

  • IPS Detection

  • Personal Firewall

  • Attack Discovery

  • Apex One as a Service

  • Trend Micro Cloud App Security

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Trend Micro Email Security

  • XDR Endpoint Sensor

  • Zero Trust Secure Access - Internet Access

subRuleId

-

ID of a subordinate rule

  • 85262

  • 914520

  • 18152

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Security

  • Trend Micro Cloud One - Network Security

subRuleName

-

Subrule name

  • Pre-authentication failed.

  • ATTACK T1070.002,T1070.004: Indicator Removal on Host : Clear Linux or Mac System Logs,File Deletion

  • ATTACK T1110: Multiple Windows Logon Failures

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Security

remarks

-

Additional information

  • warning: fork: Resource temporarily unavailable

  • pam_unix(cron:session): session opened for user root by (uid=0)

  • WinEvtLog: Application: AUDIT_FAILURE(18470): MSSQL$SA: (no user): no domain: SVR-CCS-ARMSD-3.elrosado.com: Login failed for user 'rherrera'. Reason: The account is disabled. [CLIENT: 172.29.3.180]

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Deep Security

  • Trend Micro Cloud App Security

  • Apex One as a Service

  • Trend Micro Email Security

  • Trend Micro Cloud One - Network Security

  • On-prem ODC(EdgeOne)

fullPath

FileFullPath

A combination of the file path and file name, introduced by SAE

  • \etc\hosts

  • c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask

  • \var\log\auth.log

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Apex One as a Service

  • Deep Discovery Inspector

  • Deep Security

parentCmd

CLICommand

Command line of a subject's parent process

  • "C:\Tiburon\CommandCAD\Test\Startup.exe"

  • C:\WINDOWS\Explorer.EXE

  • C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Appinfo

  • XDR Endpoint Sensor

parentFilePath

FileFullPath

Full path of a subject's parent process

  • c:\windows\explorer.exe

  • c:\tiburon\commandcad\test\startup.exe

  • c:\windows\system32\svchost.exe

  • XDR Endpoint Sensor

parentFileHashSha1

FileSHA1

SHA-1 of a subject's parent process

  • 9CF40F19A625F7033689D04F4C8E1CC6A8FA4F5B

  • 799AB02945EDB9A37A42A3F742DE73165F4A9665

  • 1F912D4BEC338EF10B7C9F19976286F8ACC4EB97

  • XDR Endpoint Sensor

parentFileHashSha256

FileSHA2

SHA-256 of a subject's parent process

  • 14A1223722D486ABBC88682AB49AF8E56DC65AC4E153027985BFFFF7C815C0EC

  • 2EF51284CA9211ADEC3E8E095F386FEC742E0532075894AE99024C65949F935E

  • F3FEB95E7BCFB0766A694D93FCA29EDA7E2CA977C2395B4BE75242814EB6D881

  • XDR Endpoint Sensor

parentFileHashMd5

FileMD5

MD5 of a subject's parent process

  • 7B9E6D992AA86F0D2ECDF8F65A6BB792

  • 2B47C89252BB932B292122E54C3DAF25

  • CD10CB894BE2128FCA0BF0E2B0C27C16

  • XDR Endpoint Sensor

processFileHashSha1

FileSHA1

SHA-1 of a subject process

  • C0885381EBAC94AB20E78936434FA208F6B65352

  • ac373ed32b491da22924e2e11e36574e5d582a35

  • DF93F7DF887E86C3B56539B5046B286001C6F150

  • Trend Micro Cloud One - Endpoint & Workload Security

  • XDR Endpoint Sensor

  • Apex One as a Service

processFileHashSha256

FileSHA2

SHA-256 of a subject process

  • 4314A869B8DAE1BD3FFF810B1366E90FB7C961D4A3424260692377FDD87361D2

  • 7824c45fc033696603fe97d8f193a1872dfb2b5db75f0cda21df27017b3cb623

  • 1A6D5986EFEAE89308D9EE11B4A7907012603392E0E66D0E529DB09DF1B4CB64

  • Trend Micro Cloud One - Endpoint & Workload Security

  • XDR Endpoint Sensor

processFileHashMd5

FileMD5

MD5 of a subject process

  • D07ADD0CE6E000D3CD20193B891E8ED3

  • 1a9ba93ebe4cb60030831f8ce9e7d5f9

  • EEE6691B48D2FB604DDF0CBC90D75B0E

  • Trend Micro Cloud One - Endpoint & Workload Security

  • XDR Endpoint Sensor

objectPayloadFileHashSha1

FileSHA1

SHA-1 of an object payload file

-

-

objectTargetProcess

-

File path of the target process that API perform to. For example, process of "a.exe" dumps credential from lsass.exe.

  • C:\\Windows\\System32\\lsass.exe

-

srcFilePath

FileFullPath

File path of a source file

  • C:\\temp\\a.exe

-

srcFileHashSha1

FileSHA1

SHA-1 of a source file

-

-

srcFileHashSha256

FileSHA2

SHA-256 of a source file

-

-

srcFileHashMd5

FileMD5

MD5 of a source file

-

-

policyId

-

ID of a policy

  • 00000001-0001-0001-0001-000000007610

  • 007

  • 003

  • TippingPoint Security Management System

  • Apex One as a Service

  • XDR Endpoint Sensor

  • Trend Micro Cloud One - Network Security

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Security

actResult

-

Result of an action

  • Dropped

  • Successful

  • Accepted

  • Apex One as a Service

  • Trend Micro Cloud App Security

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Security

scanType

-

Scan type

  • realtime_mailmeta-exchange

  • exchange_mailbox_realtime_detection_logs

  • gateway_realtime_blocking_traffic

  • Trend Micro Cloud App Security

  • Trend Micro Email Security

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Apex One as a Service

  • Deep Security

productCode

-

Product that sent this log

  • sds

  • pdi

  • sao

  • Security Analytics Engine

malSrc

FileFullPath

Malware infection source

  • \\10.172.1.33\kortiz

  • \\10.240.0.148\wbind

  • \\10.240.1.69\MT26933059

  • Apex One as a Service

malDst

-

Malware infection destination

  • 3334_02W3P7

  • 2666_02N413

  • 3334_02NHEL

  • Apex One as a Service

pname

-

Internal product ID (Deprecated, please use productCode instead)

  • Trend Micro Deep Security

  • Deep Discovery Inspector

  • Apex One

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Apex One as a Service

  • Deep Security

  • Trend Micro Cloud App Security

  • Trend Micro Email Security

  • TippingPoint Security Management System

  • XDR Endpoint Sensor

  • Trend Micro Web Security

  • Trend Micro Cloud One - Network Security

  • Zero Trust Secure Access - Internet Access

  • Mobile Security

pver

-

Product version

  • 1.0

  • Zero Trust Secure Access - Internet Access

act

-

Action taken for the violation

  • not blocked

  • Block

  • Reset

  • Deep Discovery Inspector

  • Apex One as a Service

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Trend Micro Cloud App Security

  • TippingPoint Security Management System

  • XDR Endpoint Sensor

  • Trend Micro Web Security

  • Trend Micro Email Security

  • Deep Security

  • Trend Micro Cloud One - Network Security

  • Zero Trust Secure Access - Internet Access

  • On-prem ODC(EdgeOne)

deviceGUID

-

GUID of the agent which reported this detection

  • 2C3208D7F62B-4C4C89CF-8D08-8F3F-8642

  • 0A8F141278A6-413487AF-70E4-FD28-8141

  • 3d9d04ee-e853-42a5-9c71-646d02d4fd64

  • Deep Discovery Inspector

  • Apex One as a Service

  • TippingPoint Security Management System

  • XDR Endpoint Sensor

  • Trend Micro Cloud One - Network Security

  • Zero Trust Secure Access - Internet Access

isHidden

-

Whether to show this detection log generated for a grey rule match

  • Yes

  • Deep Discovery Inspector

  • Apex One as a Service

severity

-

The severity of the event

  • 4

  • 6

  • 2

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Deep Security

  • Apex One as a Service

  • TippingPoint Security Management System

  • Trend Micro Cloud One - Network Security

objectIp

  • IPv4

  • IPv6

IP address of a domain

  • 10.10.23.240

  • 0.0.0.0

  • 10.11.3.22

  • Trend Micro Cloud One - Endpoint & Workload Security

domainName

DomainName

Detected domain name

  • http://35.247.144.219

  • Zoho Corporation

  • ELET-RJ

  • Deep Discovery Inspector

  • Apex One as a Service

  • Trend Micro Cloud App Security

peerHost

DomainName

Hostname of peerIp

  • dns.google

  • resolver1.level3.net

  • dns.opendns.com

  • Deep Discovery Inspector

httpReferer

URL

HTTP referer

  • http://201.174.161.181/

  • http://info2/home/

  • http://lpcare.corp.pvt/loopcare/CircuitTest.jsp

  • Deep Discovery Inspector

data1

-

Deep Discover Inspector correlation log metadata

  • 2.57.122.209

  • 204.79.197.200

  • 208.111.136.0

  • Deep Discovery Inspector

targetShare

FileFullPath

For HTTPS protocol: Subject State or Province Name; For SMB protocol: Shared folder

  • 3MHIS

  • NETLOGON

  • CA

  • Deep Discovery Inspector

botCmd

CLICommand

Bot command

  • 1068

  • indows

  • chrome.exe

  • Deep Discovery Inspector

objectName

-

Base name of an object file or process

  • net.exe

  • XDR Endpoint Sensor

dUser1

-

The latest logon user of the destination

  • dhr\m42svc

  • corp.uhsinc.biz\altsvc

  • coppel.io\host

  • Deep Discovery Inspector

processUser

UserAccount

User name of the process or file creator

  • SYSTEM

  • SVC_JENKINS_CODE_DEV

  • NETWORK SERVICE

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Apex One as a Service

sUser1

-

The latest logon user of the source

  • corp.uhsinc.biz\altsvc

  • 000c29edef58

  • corpdmz.com\ser-desktopcentral

  • Deep Discovery Inspector

msgUuid

-

Unique email ID

  • 00027ac3-f8f2-cc8f-d078-3a57f12f3d55

  • 0005ab64-3992-644c-3592-503c3610cec9

  • 00062621-fec4-9e4d-7609-25b2b3189214

  • Trend Micro Cloud App Security

  • Trend Micro Email Security

orgId

-

Cloud App Security organization ID

  • 182a3fa0-a3a7-11eb-8590-8d526fa1feaa

  • 29273bd0-133d-11e8-8330-21b547e8c0e0

  • 1cd58b70-2238-11e8-8536-65a275de1ba9

  • Trend Micro Cloud App Security

cve

-

CVE identifier

  • MS17-010

  • CVE-2021-45046

  • CVE-2021-44228

  • Deep Discovery Inspector

cves

-

CVEs associated with this filter

  • CVE-2014-3567

  • CVE-2016-6304

  • CVE-2011-1385

  • TippingPoint Security Management System

  • Trend Micro Cloud One - Endpoint & Workload Security

requestBase

-

Domain of the 'request' URL

  • weather.service.msn.com

  • activity.windows.com

  • login.live.com

  • Trend Micro Web Security

  • Zero Trust Secure Access - Internet Access

urlCat

-

Category of the requested URL

  • Untested

  • 158

  • Web Advertisement

  • Deep Discovery Inspector

  • Trend Micro Web Security

  • Apex One as a Service

  • Zero Trust Secure Access - Internet Access

  • Trend Micro Cloud App Security

  • Mobile Security

userDepartment

-

User department

  • Operations

  • BANCA CONSTRUCCION

  • CONTACT CENTER

  • Trend Micro Web Security

  • Zero Trust Secure Access - Internet Access

sender

-

Roaming users or the gateway where the web traffic passed

  • roaming user

  • VE C&W - 201.224.85.210

  • reclnxproxycloud

  • Trend Micro Web Security

  • Zero Trust Secure Access - Internet Access

policyName

-

Name of the triggered policy

  • Steelcase

  • Cabot

  • Tigre - Medium Policy

  • Apex One as a Service

  • Trend Micro Cloud App Security

  • Trend Micro Web Security

  • Trend Micro Email Security

  • Zero Trust Secure Access - Internet Access

  • On-prem ODC(EdgeOne)

principalName

-

User principal name used to log on to the proxy

  • chin.shun@multibank.com.pa

  • leonelc@edsitrend.com

  • alcides.cuevas@multibank.com.pa

  • Trend Micro Web Security

  • Zero Trust Secure Access - Internet Access

  • Trend Micro Cloud App Security

profile

-

Name of the Threat Protection rule or Data Loss Prevention rule triggered

  • Primary Protection Rule

  • Multibak Scaner Threat

  • default

  • Trend Micro Web Security

  • Zero Trust Secure Access - Internet Access

application

-

Name of the requested application

  • HyperText Transfer Protocol

  • DoubleClick

  • The Secure HyperText Transfer Protocol

  • Trend Micro Web Security

  • Zero Trust Secure Access - Internet Access

app

-

Network protocol being exploited

  • DNS Response

  • TCP

  • HTTP

  • Deep Discovery Inspector

  • Apex One as a Service

  • TippingPoint Security Management System

  • Trend Micro Cloud One - Network Security

  • On-prem ODC(EdgeOne)

majorVirusType

-

Virus type

  • Virus

  • Suspicious Activity

  • Trojan

  • TROJ

  • Deep Security

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Mobile Security

  • On-prem ODC(EdgeOne)

eventSourceType

-

Event source type

  • EVENT_SOURCE_EVENT_LOG

  • EVENT_SOURCE_JAGUAR

  • Security Analytics Engine

version

-

Version

  • 1.0

  • 1.1

  • v1.15.1

  • Security Analytics Engine

eventTime

-

Event generation time on the agent side

  • 1656324260000

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Discovery Inspector

  • Apex One as a Service

  • Deep Security

  • Trend Micro Cloud App Security

  • Trend Micro Email Security

  • TippingPoint Security Management System

  • XDR Endpoint Sensor

  • Trend Micro Web Security

  • Trend Micro Cloud One - Network Security

  • Mobile Security

  • On-prem ODC(EdgeOne)

customerId

-

Customer ID, CLP ID, or Company ID

  • dcf53bea-fa92-44fa-b1c5-da7ce3c1329e

  • fd70962d-386e-4bd1-9f18-6ec68fe9dc52

  • 2721fd5c-085d-426c-9dca-8a01d990ad86

  • Security Analytics Engine

  • Zero Trust Secure Access - Internet Access

receivedTime

-

XDR log received time

  • 1656324260000

  • Security Analytics Engine

packageTraceId

-

Package trace id

  • 0008797f-3836-4cab-90c8-0d6ed56ad139

  • 0054663e-76a7-4ef6-a027-0a8140b09387

  • c0281438-52d3-4223-8ea1-22ae1b13f682

  • Security Analytics Engine

tenantGuid

-

Tenant GUID

  • 00000000-0000-0000-0000-000000000000

  • Zero Trust Secure Access - Internet Access

bitwiseFilterRiskLevel

-

Bitwise filter level (to help search performance)

  • 1

  • 2

  • 8

  • Security Analytics Engine

detectionName

-

A general name for the detection

  • Troj.Win32.TRX.XXPE50F13017

  • Troj.Win32.TRX.XXPE50FFF059

  • Apex One as a Service

  • Mobile Security

score

-

Web Reputation Services URL rating

  • 71

  • 81

  • 0

  • Deep Discovery Inspector

  • Apex One as a Service

  • Trend Micro Cloud App Security

  • Mobile Security

targetType

-

The target object type

  • File System

  • Uncategorized

  • Exploit

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Deep Security

endpointModel

-

Mobile device model

  • M2101K9G

  • Mobile Security

appPkgName

-

App package name

  • com.trustport.mobilesecurity_eicar_test_file

  • Mobile Security

appLabel

-

App name

  • Mobile Security Virus Test Application

  • Mobile Security

appVerCode

-

App version code

  • 1

  • Mobile Security

appDL_DeployedKeySha1

FileSHA1

App public key (SHA-1)

  • 72080A6B4EB11105B28E31C4753BC91414500AD4

  • Mobile Security

appSize

-

App size in bytes

  • 28461

  • Mobile Security

appDexSha256

FileSHA2

App dex encoded using SHA-256

  • 08736EDDD3682AC26D9FD42DA2A20B0BADB5C85A5456A0AE85B52D60C564F290

  • Mobile Security

appIsSystem

-

Whether the app is a system app

  • false

  • Mobile Security

osName

-

OS name

  • Windows 10

  • Zero Trust Secure Access - Internet Access

osVer

-

OS version

  • 11

  • Mobile Security

minorVirusType

-

Minor virus type

  • RANSOMWARE

  • BANKER

  • CREDENTIAL

  • Mobile Security

flowId

-

Connection ID

  • 6717474604962545666

  • 6915244861077872618

  • 6915244908215815814

  • XDR Addon: Deep Discovery Inspector

rawDataStr

-

JSON string containing of additional information

  • {"TLS version": "0x0303", "Cipher Suite": "0xc030"}

  • {"Scanned ports": "23, 80, 443"}

  • {"HTTP Content-Type": "application/hal+json", "HTTP Content-Body": "{\\"_links\\": {\\"type\\": {\\"href\\": \\"http://192.168.86.76/rest/type/node/INVALID_VALUE\\"}}, \\"type\\": {\\"target_id\\": \\"article\\"}, \\"title\\": {\\"value\\": \\"My Article\\"}, \\"body\\": {\\"value\\": \\"\\"}}"}

  • Deep Discovery Inspector

denyListFileHashSha256

-

SHA-256 of User-Defined Suspicious Object

  • 757E5C8823CAA7406030A7E26AED2A2C95D16F69C5A14C884C8CAA72A0C001C3

  • Deep Discovery Inspector

clientIP

-

Internal IP address of source endpoint

  • 190.210.251.166

  • 192.168.0.40

  • 10.64.23.45

  • Zero Trust Secure Access - Internet Access

  • Zero Trust Secure Access - Private Access

detectionType

-

Scan type

  • No rules matched

  • Access control

  • Process

  • Zero Trust Secure Access - Internet Access

  • Deep Discovery Inspector

  • Deep Security

  • Trend Micro Web Security

  • Apex One as a Service

  • Trend Micro Cloud App Security

  • Trend Micro Cloud One - Endpoint & Workload Security

  • Trend Micro Email Security

  • Mobile Security

fileType

-

The type of file which violated the policy

  • Microsoft Word

  • PDF

  • EXE

  • Zero Trust Secure Access - Internet Access

  • Deep Discovery Inspector

fileSize

-

The size of file which violated the policy

  • 19048

  • Zero Trust Secure Access - Internet Access

aggregatedCount

-

Number of raw logs

  • 1

  • Zero Trust Secure Access - Internet Access

rt

-

Local time when the event was generated

  • 1970-01-19T18:10:30+0000

  • Zero Trust Secure Access - Internet Access

rt_utc

-

UTC time when the event was generated

  • 2022-12-06T10:00:00Z

  • Zero Trust Secure Access - Internet Access

Table 1. pname Value Mapping

Product

pname Value

Trend Micro Apex One (Windows Security Agent)

533

Trend Micro Apex One (Mac Security Agent)

620

Trend Micro XDR Endpoint Agent

751

Trend Micro Apex One (Deep Security Linux Agent)

2200

Deep Security

2200

Deep Security Virtual Appliance

2201

Deep Security Relay

2202

Deep Security Manager

2203

Deep Security MANIFEST

2211

Deep Security Relay Manifest

2212

Deep Security Rules Updates

2213

Deep Security Smart Check 1

2214