Data Mapping: Mobile Activity Data

Table 1. Common Fields

| Field Name | General Field | Description | Sample |
| --- | --- | --- | --- |
| endpointGuid | EndpointID | Host GUID of the endpoint on which the event was detected | e9a2b77b02f0d434; 5dac9580-71ec-4386-8e49-2bb1179ee0ef |
| endpointHostName | EndpointName | Host name of the endpoint on which the event was detected | auto tester's Android AOSP on taimen; autotester_AndroidForWork_10/24/2022_9:15 AM; John_Doe’s iPad |
| endpointIp | IPv4, IPv6 | IP address of the endpoint on which the event was detected | ["10.54.2.94","10.1.10.1","fe80::accb:42ff:fe81:92b2","fe80::e7e:4353:cfbf:1e41","fd00:1:fd00:1:fd00:1:fd00:1"]; ["192.168.1.82","10.1.10.1","fe80::7c66:f5ff:fe4d:be62","fe80::d0c8:adff:fe12:620d","2001:999:6d0:9a0d:b8fa:2387:2ef7:235e","fe80::b577:e80d:1a0f:9707","fd00:1:fd00:1:fd00:1:fd00:1"] |
| endpointModel | - | Model of the endpoint on which the event was detected | Pixel 3; SM-G990B; SM-A515F |
| osName | - | Operating system of the endpoint on which the event was detected | Android |
| osVer | - | Operating system version of the endpoint on which the event was detected | 11; 12 |
| eventId | - | Event type | 7; 15; 16 |
| eventSubId | - | Access type of an event | 101; 601; 1301 |
| firstSeen | - | Time recorded when the agent detected the event | 1668048109000 |
| logonUser | UserAccount | The logon user name | autotester@mxdrstgtest.onmicrosoft.com; Test1@mxdrtest.onmicrosoft.com |
| userType | UserType | MDM solution that the customer is using | AzureAD; Intune; AirWatch |
| pname | - | Product name | Mobile Security as a Service |
| pver | - | Product version | 1056019; 1056028 |

Table 2. Mobile App Event (eventId=15)

| Field Name | General Field | Description | Sample |
| --- | --- | --- | --- |
| objectAppPackageName | - | Name of the app package that the agent detected | com.google.android.videos; com.google.android.googlequicksearchbox |
| objectAppInstalledTime | - | Installation time of the app that the agent detected | 1665628884000; 1668046012000; 1668046002000 |
| objectAppLabel | - | Label of the app that the agent detected | Ultra Cleaner; Firefox; Google TV |
| objectAppSize | - | Size of the app that the agent detected | 2055660; 564361; 22651909 |
| objectAppIsSystemApp | - | Whether the app that the agent detected is a system app | true; false |
| objectAppVerCode | - | Version code of the app that the agent detected | 530409133; 301216757; 224417044 |
| objectAppSha256 | - | SHA-256 of the app that the agent detected | DD9FD35350502ABC534220EDC33EA6B6BE4AE67D2E0B7EDC1905711FE1A884DB; 1BE5C296A1FFD55DB14E1827ECCD25E1E0E1D4CE07B0FB1C4D26697F97227C4A |
| objectAppPublicKeySha1 | - | SHA-1 public key of the app that the agent detected | B2DA9EF7EC0F4474117FB0CBA4DCA3B795C0EAB7; 274EE057AFB694FD6FD81C38D3288FE8FDA2DCDF |

Table 3. Mobile Internet Event (eventId=7)

| Field Name | General Field | Description | Sample |
| --- | --- | --- | --- |
| request | URL | URL that was requested | clients4.google.com:443; www.googleapis.com:443; http://wrs49.winshipway.com/ |
| appLabel | - | Label of the app on which the event was detected | Chrome; Edge; Firefox |
| appPkgName | - | Name of the app package on which the event was detected | com.android.chrome; com.microsoft.emmx; org.mozilla.firefox |
| appPublicKeySha1 | - | SHA-1 public key of the app on which the event was detected | B2DA9EF7EC0F4474117FB0CBA4DCA3B795C0EAB7; 3D4FFF78408B159058428BFF8D07589A4C18AA8B; 0A16A0E8DC1503DC8D5B5E92C4A5ABD9AA651531 |
| appSize | - | Size of the app on which the event was detected | 9797934; 118099447; 84491650 |
| appIsSystem | - | Whether the app on which the event was detected is a system app | true; false |
| objectHostName | - | Hostname of the requested URL | accounts.google.com; www.googleapis.com; clients4.google.com |
| appVerCode | - | Version code of the app on which the event was detected | 530409133; 2015918523; 141804315 |

Table 4. Mobile System Event (eventId=16)

| Field Name | General Field | Description | Sample |
| --- | --- | --- | --- |
| objectSystemEventAttr | - | System event that the endpoint triggered | LOCK_SCREEN; DEVELOPMENT_MODE; ROOT |

Table 5. Mobile File Event (eventId=2)

| Field Name | General Field | Description | Sample |
| --- | --- | --- | --- |
| objectFilePath | FileFullPath, FileName | File path of the target process image or file | /storage/emulated/0/Download/test.apk; /storage/emulated/0/keepSpy2.apk |
| objectFileSize | - | Size of the target process image or file | 19988477; 2948135; 40961370 |
| objectFileCreation | - | Creation time of the target process image or file | 1668043462000; 1641007549000; 1669865149000 |
| objectFileModifiedTime | - | Modification time of the target process image or file | 1668043462000; 1669865149000; 1641007549000 |
| objectFileHashSha256 | FileSHA2 | SHA-256 hash value of the target process image or file | 6852E7581313CC2CFA75D7513BDCDC37A40141AD20576F3923F68D77499BFA05; 6B4C38C5F3FECBE61E0D170D6835B89B4E6BFD4277C42A8A50910B7273499406 |