Data Mapping: Detection Data

| Field | General Field | Example | Notes | Products |
|---|---|---|---|---|
| endpointGUID | EndpointID | e3c49595-09b9-47a3-a43f-6c21aa52e54f | Host GUID of the endpoint on which the event was generated | Apex One, Deep Security, Cloud One - Workload Security |
| endpointHostName | EndpointName | hr-johndoe1 | Hostname of the endpoint on which the event was generated | Apex One, Deep Security, Cloud One - Workload Security |
| userDomain | EndpointName | hr-johndoe1 | Hostname of the endpoint on which a Data Protection event was generated | Apex One |
| hostName | DomainName | self.events.data.microsoft.com • 192.0.2.0 • hr-johndoe1 | Hostname of the endpoint on which the event was generated | Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| interestedHost | DomainName | self.events.data.microsoft.com • 192.0.2.0 • hr-johndoe1 | Highlighted indicator for incident response members | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| objectDomain | DomainName | - | The DNS domain logged by Attack Discovery | Apex One |
| shost | DomainName | self.events.data.microsoft.com • 192.0.2.0 • hr-johndoe1 | Source host (hostname, IP address, or domain) | Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| dhost | DomainName | self.events.data.microsoft.com • 192.0.2.0 | Destination host (hostname, IP address, or domain) | Deep Discovery Inspector |
| denyListHost | DomainName | self.events.data.microsoft.com | - | Apex One, Deep Discovery Inspector, Deep Discovery Email Inspector |
| request | URL | https://www.example.com | Request URL (normally detected by Web Reputation Services) | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Deep Discovery Email Inspector, Cloud App Security |
| botUrl | URL | https://www.example.com | Bot URL | Deep Discovery Inspector |
| cccaDestination | URL | https://www.example.com | Command and Control Contact Alert Service destination | Deep Discovery Inspector |
| src | IPv4 • IPv6 | 192.0.2.0 • 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | Source IP address | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Deep Discovery Email Inspector |
| dst | IPv4 • IPv6 | 192.0.2.0 • 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | Destination IP address | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Deep Discovery Email Inspector |
| interestedIp | IPv4 • IPv6 | 192.0.2.0 • 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | Highlighted indicator for incident response members | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| endpointIp | IPv4 • IPv6 | 192.0.2.0 • 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | Endpoint IP address | Apex One, Deep Security, Cloud One - Workload Security |
| peerIp | IPv4 • IPv6 | 192.0.2.0 • 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | The peer IP address is the IP address of the other end of the tunnel. From the client endpoint, the peer IP address would be the IP address of the router. | Apex One, Deep Discovery Inspector |
| denyListIp | IPv4 • IPv6 | 192.0.2.0 • 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | - | Deep Discovery Inspector, Deep Discovery Email Inspector |
| dpt | Port | 8080 | Destination port | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| spt | Port | 8080 | Source port | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| fileName | FileName | example.exe • hosts | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Email Inspector |
| objectFileName | FileName | example.exe | - | Apex One |
| compressedFileName | FileName | compressed-installer.exe • NONAMEFL | Name of the compressed archive that contained the infected file | Apex One, Deep Discovery Inspector |
| attachmentFileName | FileName | NONAMEFL • example.zip | Email attachment file name | Deep Discovery Inspector, Cloud App Security |
| filePath | FileFullPath | APAC BOS\\OM-BOS\\OM-BOS\\OM_MMEA Project\\ | Full file path without file name | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| filePathName | FileFullPath | C$\\jenkins\\workspace\\DrWindows\\DoctorCleanerForWindows\\ui\\release\\win-ia32-unpacked\\libEGL.dll | Full file path | Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| objectFilePath | FileFullPath | C:\Program Files (x86)\temp\Application\test.exe | - | Apex One |
| quarantineFilePath | FileFullPath | - | After quarantining a file, the Apex One server copies and encrypts the file on the server for post-mortem analysis. | Apex One |
| forensicFilePath | FileFullPath | C:\\Program Files\\Trend Micro\\OfficeScan Client\\dlplite\\forensic\\frnsc_DESKTOP-UEJAQJ8_UnknownFileType_170eb512b06_20200318_094935253 | After triggering a Data Loss Prevention policy, the Apex One server copies and encrypts the file on the server for post-mortem analysis. | Apex One |
| fileHash | FileSHA1 | 98A9A1C8F69373B211E5F1E303BA8762F44BC898 | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Deep Discovery Email Inspector |
| attachmentFileHash | FileSHA1 | 98A9A1C8F69373B211E5F1E303BA8762F44BC898 | Email attachment file hash | Deep Discovery Inspector |
| attachmentFileHashSha1 | FileSHA1 | 98A9A1C8F69373B211E5F1E303BA8762F44BC898 | Email attachment file hash | Cloud App Security |
| compressedFileHash | FileSHA1 | 98A9A1C8F69373B211E5F1E303BA8762F44BC898 | Compressed file hash | Deep Discovery Inspector |
| denyListFileHash | FileSHA1 | 98A9A1C8F69373B211E5F1E303BA8762F44BC898 | File hash stored in the deny / blocked list | Apex One, Deep Discovery Inspector, Deep Discovery Email Inspector |
| objectFileHashSha1 | FileSHA1 | 98A9A1C8F69373B211E5F1E303BA8762F44BC898 | File hash detected by Attack Discovery | Apex One |
| oldFileHash | FileSHA1 | 98A9A1C8F69373B211E5F1E303BA8762F44BC898 | EntityTransport of the monitored entity before the change that triggered the event | Deep Security, Cloud One - Workload Security |
| fileHashSha256 | FileSHA2 | 16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a | In Apex One, file hash detected by an Attack Discovery AMSI event | Apex One, Deep Discovery Inspector |
| attachmentFileHashSha256 | FileSHA2 | 16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a | Email attachment file hash | Deep Discovery Inspector |
| compressedFileHashSha256 | FileSHA2 | 16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a | Compressed file hash | Deep Discovery Inspector |
| objectFileHashSha256 | FileSHA2 | 16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a | In Apex One, file hash detected by Attack Discovery | Apex One |
| attachmentFileHashMd5 | FileMD5 | 46CFB4E38C6299983048DE39012FD08F | Email attachment file hash | Cloud App Security |
| objectFileHashMd5 | FileMD5 | 46CFB4E38C6299983048DE39012FD08F | File hash detected by Attack Discovery | Apex One |
| processCmd | CLICommand | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox | Only applicable when SLF_DetectionType = Process. The command line used to launch this process. | Apex One |
| objectCmd | CLICommand | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox | The command line that a process detected by Attack Discovery uses to execute other processes. | Apex One |
| objectRegistryKeyHandle | RegistryKey | hklm\software\wow6432node\microsoft\windows\currentversion\run | - | Apex One |
| objectRegistryData | RegistryValueData | wscript "C:\Program Files (x86)\JNJ\ITS_IE_PREF\IE_Preferences.vbs" | - | Apex One |
| objectRegistryValue | RegistryValue | its_ie_settings | - | Apex One |
| suid | UserAccount | john_doe | Apex One: logon user • Deep Security: name of the user on which the Integrity rule triggered during a scan (if available) • Cloud One - Workload Security: name of the user on which the Integrity rule triggered during a scan (if available) • Deep Discovery Inspector: latest logon user (not necessarily the compromised user) • Cloud App Security: mailbox that triggered the security event | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Cloud App Security |
| processFilePath | ProcessFullPath | C:\Program Files (x86)\temp\Application\test.exe | - | Apex One |
| suser | EmailSender | john_doe@example.com | Apex One detections (Malware: affected target; Security policy: message sender; Data Protection: message sender; File hash: message sender) • Deep Discovery Inspector: message sender • Cloud App Security: message sender | Apex One, Deep Discovery Inspector, Deep Discovery Email Inspector, Cloud App Security |
| duser | EmailRecipient | john_doe@example.com | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Deep Discovery Email Inspector, Cloud App Security |
| mailMsgSubject | EmailSubject | Subject: From the desk of the Nigerian Prince | - | Apex One, Deep Discovery Inspector, Deep Discovery Email Inspector, Cloud App Security |
| msgId | EmailMessageID | <rRzmIhBrXbgjvr4uhIwCcbtE6BnmgNTtAU51qWmqY@example.online> | - | Cloud App Security |
| techniqueId | Technique | T1210 | Detected by Security Agent or product policy | Apex One, Deep Discovery Inspector |
| tags | Technique | MITRE.T1210 | Detected by Security Analytics Engine filters | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| tacticId | Tactic | TA0008 | Detected by Security Agent or product policy | Apex One, Deep Discovery Inspector |
| tags | Tactic | MITRE.TA1136 | Detected by Security Analytics Engine filters | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| ruleName | - | Deep Security detected a malicious URL • WebScript Injection - HTTP (Request) | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Cloud App Security |
| ruleId | - | 718 | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| malName | - | Grey-Detection • Threat Detection | Malware name | Apex One, Deep Discovery Inspector |
| eventName | - | SECURITY_RISK_DETECTION • WEB_THREAT_DETECTION • LOG_INSPECTION_EVENT • MALWARE_DETECTION • PROCESS_ACTIVITY • WEB_POLICY_VIOLATION • DEEP_PACKET_INSPECTION_EVENT • INTEGRITY_MONITORING_EVENT • DISRUPTIVE_APPLICATION_DETECTION • PRODUCT_SUMMARY • PRODUCT_UPDATE • BEHAVIORAL_VIOLATION • FIREWALL_POLICY_VIOLATION • SUSPICIOUS_BEHAVIOUR_DETECTION • DENYLIST_CHANGE • MACHINE_LEARNING_DETECTION • DLP_VIOLATION • MALWARE_OUTBREAK_DETECTION | Predefined event enumerator | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Deep Discovery Email Inspector, Cloud App Security |
| act | - | Not blocked • Log • Block | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Deep Discovery Email Inspector, Cloud App Security |
| actResult | - | Quarantined successfully • File passed | - | Apex One, Cloud App Security |
| app | - | HTTP • KEBEROS • TCP | - | Apex One, Deep Discovery Inspector |
| appGroup | - | HTTP • AUTH • CIFS | - | Deep Discovery Inspector |
| aptCampaign | - | test | - | Deep Discovery Inspector |
| aptGroup | - | loq | - | Deep Discovery Inspector |
| aptRelated | - | 0 or 1 (true / false) | - | Deep Discovery Inspector |
| attachmentFileSize | - | - | - | Deep Discovery Inspector |
| attachmentFileType | - | PKZIP • COM • TXT | - | Deep Discovery Inspector |
| eventClass | - | Authentication • Exploit • Suspicious Traffic | - | Deep Discovery Inspector |
| eventSubClass | - | Login Failed • Generic • DNS | - | Deep Discovery Inspector |
| clientFlag | - | src • dst | - | Deep Discovery Inspector |
| dOSName | - | Linux • Windows XP • Mac OS | - | Deep Discovery Inspector |
| blocking | - | Web reputation | - | Apex One |
| callbackAttemptCnt | - | - | - | Deep Discovery Inspector |
| cat | - | - | - | Deep Security, Cloud One - Workload Security |
| cccaDestination | - | update-product.net • xjgftnm.info | - | Deep Discovery Inspector |
| cccaDestinationFormat | - | IP_DOMAIN • URL | - | Deep Discovery Inspector |
| cccaDetection | - | Yes | - | Apex One, Deep Discovery Inspector |
| cccaDetectionSource | - | RELEVANCE_RULE • GLOBAL_INTELLIGENCE • VIRTUAL_ANALYZER • USER_DEFINED | - | Apex One, Deep Discovery Inspector |
| cccaRiskLevel | - | - | - | Apex One, Deep Discovery Inspector |
| cncHostCnt | - | - | - | Deep Discovery Inspector |
| cnt | - | - | - | Deep Discovery Inspector |
| component | - | TM_AU_PRODUCT_TDA_WIDGET_20 3.50.1192 • TM_AU_ENGINE_TMIA24DDI_LINUX64 2.0.1019 | - | Deep Discovery Inspector |
| compressedFileSize | - | - | - | Deep Discovery Inspector |
| compressedFileType | - | EXE • COM • JAVA | - | Deep Discovery Inspector |
| compromisedClientCnt | - | - | - | Deep Discovery Inspector |
| correlationCat | - | Authentication • Exploit • Suspicious Traffic | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Deep Discovery Email Inspector |
| cve | - | CVE-2017-0016 • CVE-2005-2120 | - | Deep Discovery Inspector |
| dUser1 | - | micro\\corpdmadmin • tw.trendnet.org\\hillary_dris | - | Deep Discovery Inspector |
| dUser2 | - | micro\\d2 | - | Deep Discovery Inspector |
| dUser3 | - | micro\\d3 | - | Deep Discovery Inspector |
| data0 | - | diemen.nl.eu.undernet.org | - | Deep Discovery Inspector |
| data0Name | - | Hostname | - | Deep Discovery Inspector |
| data1 | - | 10.1.116.23 | - | Deep Discovery Inspector |
| data1Name | - | Malicious File Came From This IP | - | Deep Discovery Inspector |
| data2 | - | 10.1.116.23 | - | Deep Discovery Inspector |
| data2Name | - | Port Attacked | - | Deep Discovery Inspector |
| data3 | - | 2020-03-18 15:29:00 | - | Deep Discovery Inspector |
| data3Name | - | Number of Attacks | - | Deep Discovery Inspector |
| dceHash1 | - | 0 | - | Deep Discovery Inspector |
| dceHash2 | - | 0 | - | Deep Discovery Inspector |
| denyListRequest | - | http://wrs21.winshipway.com:80/ • http://wrs21.winshipway.com:80/favicon.ico | - | Apex One, Deep Discovery Inspector |
| denyListType | - | Deny List URL • Deny List Domain | - | Apex One, Deep Discovery Inspector, Deep Discovery Email Inspector |
| detectionName | - | Troj.Win32.TRX.XXPE50F13009 • Ransom.Win32.TRX.XXPE1 | - | Apex One, Deep Discovery Inspector |
| detectionType | - | File • Reputation Service | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Cloud App Security |
| deviceDirection | - | outbound • inbound | - | Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| deviceGUID | - | 544508E49687-42FC9C98-CD30-7392-F8CE | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Deep Discovery Email Inspector, Cloud App Security |
| deviceMacAddress | - | 00:50:56:84:ca:cc | - | Deep Discovery Inspector, Deep Discovery Email Inspector |
| devicePayloadId | - | 2:23::F: • 2:25::F:S | - | Deep Discovery Inspector |
| deviceProcessName | - | C:\\Users\\Administrator\\AppData\\Local\\Programs\\Python\\Python38-32\\python.exe | - | Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| deviceRiskConfidenceLevel | - | - | - | Deep Discovery Inspector |
| direction | - | Outgoing • Unknown • Incoming | - | Apex One |
| dmac | - | 00:08:e3:ff:fd:90 | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| dstGroup | - | My Company • My Company/TW A wireless | - | Deep Discovery Inspector |
| dstZone | - | 1 • 0 | - | Deep Discovery Inspector |
| endpointGUID | - | 72436165-b5a5-471a-9389-0bdc3647bc33 | - | Apex One |
| endpointMacAddress | - | 00-15-5D-CA-01-02 | - | Apex One |
| engineOperation | - | Create • 403 | - | Apex One |
| engType | - | 0x00001000 • Virus Scan Engine (Windows XP/Server 2003, x64) | - | Apex One, Deep Discovery Inspector |
| engVer | - | 12.000.1008 | - | Apex One, Deep Discovery Inspector, Cloud App Security |
| eventId | - | - | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| fileExt | - | .dll • .nupkg • .exe | - | Deep Discovery Inspector |
| fileOperation | - | Updated | - | Deep Security, Cloud One - Workload Security |
| fileType | - | .EXE • .PKZIP | - | Apex One, Deep Discovery Inspector, Deep Discovery Email Inspector |
| filterName | - | File Blocking • Data Loss Prevention | - | Apex One, Cloud App Security |
| firmalware | - | 2020-03-02 22:46:38+08:00 5.61.1038 5.61.1049 • 2020-01-22 10:18:40+08:00 5.1.1191 5.61.1032 | Firmware version | Deep Discovery Inspector |
| firstAct | - | Clean • Pass/Log | First action taken on the threat | Apex One |
| firstActResult | - | Unable to clean file • File cleaned | Result of the first action | Apex One |
| groups | - | windows,adduser,account_changed | Groups of the LogInspectionRuleTransport triggered sub-rule | Apex One, Deep Security, Cloud One - Workload Security |
| hasdtasres | - | Yes • No | - | Deep Discovery Inspector |
| heurFlag | - | - | - | Deep Discovery Inspector |
| hostId | - | - | - | Deep Security, Cloud One - Workload Security |
| hostSeverity | - | - | Host severity is based on the aggregation and correlation of the severity of the events that affect a host. If several events affect a host and have no detected connection, the host severity is based on the highest event severity of those events. However, if the events have a detected correlation, the host severity level increases accordingly. | Deep Discovery Inspector |
| httpReferer | - | https://www.google.com/ • http://video.eyny.com/channel/UC3GVqldo-z | - | Deep Discovery Inspector |
| interestedGroup | - | My Company • My Company/TW A wireless | - | Deep Discovery Inspector |
| interestedMacAddress | - | 3c:2c:30:15:aa:02 | - | Apex One, Deep Discovery Inspector |
| ircUserName | - | localhost • TS Series NAS | - | Deep Discovery Inspector |
| mDeviceGUID | - | 000D3A43-BB34-5D80-03A3-0595D0E00061 | - | Apex One, Deep Security, Cloud One - Workload Security |
| mailDeliveryTime | - | 1900-1-1 00:00:00 • 2020-3-2 11:30:00 | - | Apex One |
| mailSentTime | - | 1586428240000 • 1586486292000 | - | Cloud App Security |
| mailFolder | - | admin@bucksware2.onmicrosoft.com | - | Apex One, Cloud App Security |
| malFamily | - | SHIZ • \"POSSIBLE MALICIOUS CHROME EXTENSION\" | - | Deep Discovery Inspector |
| malName | - | Eicar_test_file • PACP_UPX.STD | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Deep Discovery Email Inspector |
| malSrc | - | InfectionSrc | - | Apex One |
| malSubType | - | Unknown | - | Apex One |
| malType | - | OTHERS • MALWARE | - | Apex One, Deep Discovery Inspector |
| malTypeGroup | - | OTHERS • MALWARE | - | Deep Discovery Inspector |
| mitigationTaskId | - | 6cd92f8a-f1ea-4e5a-aeae-7d8e4469831d | - | Deep Discovery Inspector |
| mpname | - | Deep Security Manager • Control Manager | - | Apex One, Deep Security, Cloud One - Workload Security |
| mpver | - | 2019.4590 • Deep Security/12.5.798 | - | Apex One, Deep Security, Cloud One - Workload Security |
| msg | - | Microsoft-Windows-Security-Auditing • Deleted | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| msgId | - | hk.mensuno.asia • incoming.telemetry.mozilla.org | - | Apex One, Deep Discovery Inspector, Cloud App Security |
| objectFileCreation | - | 1579496374000 • 1579525174000 | - | Apex One |
| objectFileModified | - | 1579496374000 • 1579525174000 | - | Apex One |
| objectFirstRecorded | - | 1585661319000 • 1584697016000 | - | Apex One |
| objectId | - | 1 • 2 | - | Apex One |
| objectEntityName | - | autorun_keys_1 • installer_1 | - | Apex One |
| objectPid | - | 1940 • 4740 | - | Apex One |
| objectSigner | - | Microsoft Windows • Microsoft Corporation | - | Apex One |
| objectType | - | registry • file | - | Apex One, Cloud App Security |
| objectUser | - | SYSTEM • joe_doe | - | Apex One |
| pAttackPhase | - | Lateral Movement • Asset and Data Discovery | - | Deep Discovery Inspector |
| pComp | - | NCIE • CAV | Detection engine/component | Apex One, Deep Discovery Inspector |
| patType | - | NCIE RR Pattern • NCIE CNC Pattern | - | Apex One, Deep Discovery Inspector |
| patVer | - | 35.1021.00 • 5.879.00 | - | Apex One, Deep Discovery Inspector, Cloud App Security |
| peerGroup | - | My Company • MyCompany/13F | - | Deep Discovery Inspector |
| peerHost | - | 10.1.1.1 • my.example.company.org | - | Deep Discovery Inspector |
| pname | - | Deep Discovery Inspector • Trend Micro Deep Security • Cloud App Security • Apex One | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Cloud App Security |
| policyId | - | 100 • 1983Q_CQ | - | Apex One |
| policyName | - | Stratégie utilisateur interne | - | Apex One, Cloud App Security |
| potentialRisk | - | 1 • 0 | - | Deep Discovery Inspector |
| protoFlag | - | ACK PSH DF=1 | Flags recorded from a network packet; a space-separated list of strings. | Deep Security, Cloud One - Workload Security |
| pver | - | 5.61.1049 | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| rating | - | Dangerous • Unknown | - | Apex One, Deep Discovery Inspector |
| remarks | - | [\"IP address: 10.1.1.1\"] | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Cloud App Security |
| requestClientApplication | - | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) • python-requests/2.21.0 | - | Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| riskConfidenceLevel | - | 0 • 3 | SLF_RISK_LEVEL_UNKNOWN 0 • SLF_RISK_LEVEL_LOW 100 • SLF_RISK_LEVEL_MEDIUM 500 • SLF_RISK_LEVEL_HIGH 1000 | Apex One |
| riskLevel | - | 1 • RISK_DANGEROUS | - | Apex One, Deep Discovery Inspector, Cloud App Security |
| operationLevel | - | - | - | Apex One |
| rozRating | - | -1 • 3 | - | Deep Discovery Inspector |
| rt | - | 1584697695000 | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Cloud App Security |
| rtDate | - | 1584921600000 | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Cloud App Security |
| rtHour | - | - | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Cloud App Security |
| rtWeekDay | - | Monday | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector, Cloud App Security |
| ruleId | - | - | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| ruleType | - | point of entry • lateral movement | - | Apex One |
| sAttackPhase | - | Command and Control Communication • Lateral Movement | Secondary attack phase | Deep Discovery Inspector |
| sOSName | - | Windows XP • Mac OS | - | Deep Discovery Inspector |
| sUser1 | - | company\\john_doe | - | Deep Discovery Inspector |
| sUser2 | - | company\\john_doe | - | Deep Discovery Inspector |
| sUser3 | - | company\\john_doe | - | Deep Discovery Inspector |
| scanType | - | REALTIME • Manual Scan | - | Apex One, Deep Security, Cloud One - Workload Security, Cloud App Security |
| score | - | - | - | Apex One, Deep Discovery Inspector, Cloud App Security |
| secondAct | - | Quarantine • Pass/Log | - | Apex One |
| secondActResult | - | Quarantined successfully • File passed | - | Apex One |
| senderGUID | - | 544508E49687-42FC9C98-CD30-7392-F8CE | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| severity | - | 1 • 3 | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| smac | - | 00:08:e3:ff:fd:90 | - | Apex One, Deep Security, Cloud One - Workload Security, Deep Discovery Inspector |
| srcGroup | - | My Company • MyCompany/13F | - | Deep Discovery Inspector |
| srcZone | - | 1 • 0 | 0: Not in monitored network • 1: In monitored network and trusted • 2: In monitored network and untrusted | Deep Discovery Inspector |
| subRuleId | - | 18110 • 18112 | - | Deep Security, Cloud One - Workload Security |
| subRuleName | - | User account enabled or created • User account disabled or deleted | - | Deep Security, Cloud One - Workload Security |
| targetShare | - | C$ • FIN_Dept | - | Deep Discovery Inspector |
| threatName | - | VAN_MALWARE.UMXX • Unregistered DNS Server | - | Apex One, Deep Discovery Inspector, Cloud App Security |
| threatType | - | 2 • 99 | "Disruptive Applications": "6" • "Exploits": "3" • "Grayware": "4" • "Malicious Behavior": "1" • "Malicious Content": "0" • "Suspicious Behavior": "2" • "Web Reputation": "5" | Apex One, Deep Discovery Inspector |
| urlCat | - | Untested • New Domain | - | Apex One, Deep Discovery Inspector, Cloud App Security |
| vLANId | - | - | - | Deep Discovery Inspector |
| policyTemplate | - | Taiwan: Mobile Phone Number • policyName:Wll, template:Alle: Kreditkartennummer | - | Apex One, Cloud App Security |
| destinationPath | - | Clipboard • https://dlptest.com/https-post/ | - | Apex One |
| matchedContent | - | matchedContentEx:4040-4444-5555-6666, matchedInfo:0,19 | - | Apex One |
| online | - | Yes | - | Apex One |
| instanceId | - | 0091350d-193b-7a00-01ed-3346e6f118ac | - | Apex One |
| extraInfo | - | extra info | - | Apex One |
| fileVer | - | 10.0.18362.1 | - | Apex One |
| channel | - | Local file or network drive • Local file | - | Apex One |
| channelLocation | - | TrendX_TestKit/TrendX_FileTestKit/Sample/detect/TRENDX_detect-E.exe | - | Apex One |
| fileDesc | - | FakeMalware | - | Apex One |
| fileCreation | - | 1579295452000 | - | Apex One |
| confidence | - | - | - | Apex One |
| detailTrace | - | - | - | Apex One |
| overSsl | - | Not over SSL/TLS • Over SSL/TLS | - | Deep Discovery Inspector |
| vaStatus | - | - | - | Deep Discovery Inspector |
| data | - | (New-Object System.Net.WebClient) | - | Apex One |
| sourceType | - | sandbox • user defined | - | Apex One |
| mitreMapping | - | T1210 (TA0008) | - | Deep Discovery Inspector |
| aggregatedCount | - | - | - | Apex One, Deep Discovery Inspector |
| ja3Hash | - | - | - | Deep Discovery Inspector |
| ja3sHash | - | - | - | Deep Discovery Inspector |

Table 1. pname Value Mapping

| Product | pname Value |
|---|---|
| Trend Micro Apex One (Windows Security Agent) | 533 |
| Trend Micro Apex One (Mac Security Agent) | 620 |
| Trend Micro XDR Endpoint Agent | 751 |
| Trend Micro Apex One (Deep Security Linux Agent) | 2200 |
| Deep Security | 2200 |
| Deep Security Virtual Appliance | 2201 |
| Deep Security Relay | 2202 |
| Deep Security Manager | 2203 |
| Deep Security MANIFEST | 2211 |
| Deep Security Relay Manifest | 2212 |
| Deep Security Rules Updates | 2213 |
| Deep Security Smart Check 1 | 2214 |