Data Mapping: Endpoint Activity Data

| Field | General Field | Example | Notes |
|---|---|---|---|
| hostName | DomainName | `self.events.data.microsoft.com` | DNS event |
| endpointGuid | EndpointID | `e3c49595-09b9-47a3-a43f-6c21aa52e54f` | - |
| endpointHostName | EndpointName | `hr-johndoe1` | - |
| endpointIp | IPv4, IPv6 | `192.0.2.0`, `2001:0db8:85a3:0000:0000:8a2e:0370:7334` | Trend Micro Apex One records all IP addresses, including 127.0.0.1 and virtual machine addresses. |
| request | URL | `https://www.example.com` | - |
| objectIp | IPv4, IPv6 | `192.0.2.0`, `2001:0db8:85a3:0000:0000:8a2e:0370:7334` | Internet event |
| dst | IPv4, IPv6 | `192.0.2.0`, `2001:0db8:85a3:0000:0000:8a2e:0370:7334` | Connection event |
| src | IPv4, IPv6 | `192.0.2.0`, `2001:0db8:85a3:0000:0000:8a2e:0370:7334` | Connection event |
| objectPort | Port | `8080` | Internet event |
| spt | Port | `5353` | Port of connection source |
| dpt | Port | `5353` | Port of connection destination |
| objectFileHashSha1 | FileSHA1 | `98A9A1C8F69373B211E5F1E303BA8762F44BC898` | - |
| parentFileHashSha1 | FileSHA1 | `98A9A1C8F69373B211E5F1E303BA8762F44BC898` | - |
| processFileHashSha1 | FileSHA1 | `98A9A1C8F69373B211E5F1E303BA8762F44BC898` | - |
| srcFileHashSha1 | FileSHA1 | `98A9A1C8F69373B211E5F1E303BA8762F44BC898` | - |
| objectFileHashSha256 | FileSHA2 | `16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a` | - |
| parentFileHashSha256 | FileSHA2 | `16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a` | - |
| processFileHashSha256 | FileSHA2 | `16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a` | - |
| srcFileHashSha256 | FileSHA2 | `16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a` | - |
| objectFilePath | FileFullPath | `C:\Program Files (x86)\temp\Application\test.exe` | - |
| parentFilePath | FileFullPath | `C:\Program Files (x86)\temp\Application\test.exe` | - |
| srcFilePath | FileFullPath | `C:\Program Files (x86)\temp\Application\test.exe` | - |
| processFilePath | ProcessFullPath | `C:\Program Files (x86)\temp\Application\test.exe` | - |
| objectCmd | CLICommand | `\??\c:\windows\system32\conhost.exe 0xffffffff -forcev1` | - |
| parentCmd | CLICommand | `"c:\program files (x86)\tanium\tanium client\taniumclient.exe" -c` | - |
| processCmd | CLICommand | `"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox` | - |
| objectRegistryKeyHandle | RegistryKey | `hklm\software\wow6432node\microsoft\windows\currentversion\run` | - |
| objectRegistryValue | RegistryValue | `its_ie_settings` | - |
| objectRegistryData | RegistryValueData | `wscript "C:\Program Files (x86)\JNJ\ITS_IE_PREF\IE_Preferences.vbs"` | - |
| logonUser | UserAccount | `[lenovo_tmp_uktqYZKK, jdodd4]` | - |
| objectUser | UserAccount | `john_doe` | Process event: the account that executed the process |
| eventTime | - | `1573752859458` | Event occurrence time |
| eventId | - | See "eventId and eventSubId Mapping" | - |
| eventSubId | - | See "eventId and eventSubId Mapping" | - |
| objectSigner | - | `[trend micro, inc., trend micro, inc.]` | - |
| objectSignerValid | - | `[true, true]` | - |
| pname | - | `533` | ID value for the reporting product. For a complete list, see Table 1 below. |
| tags | - | - | - |
| productCode | - | - | - |

Table 1. pname Value Mapping

| Product | pname Value |
|---|---|
| Trend Micro Apex One (Windows Security Agent) | 533 |
| Trend Micro Apex One (Mac Security Agent) | 620 |
| Trend Micro Apex One (Deep Security Linux Agent) | 2200 |
| Deep Security | 2200 |
| Deep Security Virtual Appliance | 2201 |
| Deep Security Relay | 2202 |
| Deep Security Manager | 2203 |
| Deep Security MANIFEST | 2211 |
| Deep Security Relay Manifest | 2212 |
| Deep Security Rules Updates | 2213 |
| Deep Security Smart Check 1 | 2214 |
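The mapping above is what a detection engineer applies when ingesting endpoint activity records into a SIEM. The following Python normalizer is an added example written for this page, not Trend Micro code or API: the general field names and the pname values come from the two tables, while the input record, the function names (`normalize_event`, `clean_ips`, `clean_hash`, `event_time_utc`, `signer_trusted`) and the derived keys `EventTimeUTC` and `Product` are this example's own assumptions. It resolves IP fields to IPv4/IPv6 by address family, drops loopback addresses as the endpointIp note warns they are recorded, validates digest length and hex charset for FileSHA1/FileSHA2, range-checks ports, converts eventTime from epoch milliseconds to UTC, and pairs objectSigner with objectSignerValid.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Source field -> general field, from the mapping table. IP fields become IPv4 or
# IPv6 at runtime; eventTime/eventId/eventSubId/pname/tags/productCode have no
# general field on the page and are handled separately.
FIELD_MAP = {
    "hostName": "DomainName", "endpointGuid": "EndpointID",
    "endpointHostName": "EndpointName", "request": "URL",
    "objectPort": "Port", "spt": "Port", "dpt": "Port",
    "objectFileHashSha1": "FileSHA1", "parentFileHashSha1": "FileSHA1",
    "processFileHashSha1": "FileSHA1", "srcFileHashSha1": "FileSHA1",
    "objectFileHashSha256": "FileSHA2", "parentFileHashSha256": "FileSHA2",
    "processFileHashSha256": "FileSHA2", "srcFileHashSha256": "FileSHA2",
    "objectFilePath": "FileFullPath", "parentFilePath": "FileFullPath",
    "srcFilePath": "FileFullPath", "processFilePath": "ProcessFullPath",
    "objectCmd": "CLICommand", "parentCmd": "CLICommand", "processCmd": "CLICommand",
    "objectRegistryKeyHandle": "RegistryKey", "objectRegistryValue": "RegistryValue",
    "objectRegistryData": "RegistryValueData",
    "logonUser": "UserAccount", "objectUser": "UserAccount",
}
IP_FIELDS = ("endpointIp", "objectIp", "dst", "src")

# pname -> product name(s) from Table 1; the page lists 2200 for two products.
PNAME_MAP = {
    533: ("Trend Micro Apex One (Windows Security Agent)",),
    620: ("Trend Micro Apex One (Mac Security Agent)",),
    2200: ("Trend Micro Apex One (Deep Security Linux Agent)", "Deep Security"),
    2201: ("Deep Security Virtual Appliance",), 2202: ("Deep Security Relay",),
    2203: ("Deep Security Manager",), 2211: ("Deep Security MANIFEST",),
    2212: ("Deep Security Relay Manifest",), 2213: ("Deep Security Rules Updates",),
    2214: ("Deep Security Smart Check 1",),
}
HASH_LEN = {"FileSHA1": 40, "FileSHA2": 64}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple)) else [value]


def clean_ips(value):
    """Parse one or more addresses and tag each as IPv4/IPv6. Loopback, unspecified
    and link-local addresses are dropped (the page notes Apex One records
    127.0.0.1). Virtual machine adapter addresses, also recorded per the page,
    cannot be told apart generically and are left to site policy."""
    out = []
    for raw in _as_list(value):
        addr = ipaddress.ip_address(str(raw).strip())  # ValueError on junk input
        if addr.is_loopback or addr.is_unspecified or addr.is_link_local:
            continue
        out.append(("IPv4" if addr.version == 4 else "IPv6", str(addr)))
    return out


def clean_hash(general, value):
    """Length and charset check; lower-case so SHA1/SHA256 joins are case-stable
    (the page shows SHA1 upper-case and SHA256 lower-case)."""
    value = str(value).strip().lower()
    if len(value) != HASH_LEN[general] or not HEX_RE.match(value):
        raise ValueError(f"{general}: malformed digest {value!r}")
    return value


def clean_port(value):
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"Port out of range: {port}")
    return port


def event_time_utc(ms):
    """eventTime is epoch milliseconds (1573752859458 in the page's example)."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=int(ms))


def normalize_event(event):
    """Return {source_field: [(general_field, cleaned_value), ...]}."""
    norm = {}
    for field, value in event.items():
        if field in IP_FIELDS:
            norm[field] = clean_ips(value)
        elif field in FIELD_MAP:
            general = FIELD_MAP[field]
            if general in HASH_LEN:
                norm[field] = [(general, clean_hash(general, value))]
            elif general == "Port":
                norm[field] = [(general, clean_port(value))]
            else:
                norm[field] = [(general, v) for v in _as_list(value)]
        elif field == "eventTime":
            norm[field] = [("EventTimeUTC", event_time_utc(value))]
        elif field == "pname":  # derived "Product" key is this example's own
            norm[field] = [("Product", n) for n in PNAME_MAP.get(int(value), ("unknown",))]
        else:  # eventId, eventSubId, tags, productCode, signer fields: passed through
            norm[field] = [(field, value)]
    return norm


def signer_trusted(event):
    """Pair objectSigner with objectSignerValid (both lists on the page) and
    report whether any signer entry is marked valid."""
    pairs = zip(_as_list(event.get("objectSigner", [])), _as_list(event.get("objectSignerValid", [])))
    return any(bool(valid) for _, valid in pairs)


# Constructed sample record built from the page's example values (not a captured event).
SAMPLE_EVENT = {
    "endpointGuid": "e3c49595-09b9-47a3-a43f-6c21aa52e54f",
    "endpointHostName": "hr-johndoe1",
    "endpointIp": ["192.0.2.0", "127.0.0.1", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"],
    "objectFileHashSha1": "98A9A1C8F69373B211E5F1E303BA8762F44BC898",
    "objectFileHashSha256": "16e4e8b57e82159a16f5d7d898da9e2a4fbe90c17cd95c02074e75226337c90a",
    "processCmd": '"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" --type=utility --lang=en-US --no-sandbox',
    "objectUser": "john_doe", "dpt": "5353", "eventTime": 1573752859458, "pname": 533,
    "objectSigner": ["trend micro, inc.", "trend micro, inc."], "objectSignerValid": [True, True],
}

if __name__ == "__main__":
    for field, mapped in normalize_event(SAMPLE_EVENT).items():
        print(field, "->", mapped)
    print("signer trusted:", signer_trusted(SAMPLE_EVENT))
```

Fields the page leaves without a general name (eventId, eventSubId, tags, productCode) are passed through unchanged so nothing is silently dropped; malformed digests, ports and addresses raise instead of being stored, which is the behaviour you want at an ingest boundary where a bad value would otherwise poison joins downstream.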