| Field Name | General Field | Description | Example | Products |
|---|---|---|---|---|
| eventSourceType | - | - | | |
| version | - | - | | |
| eventTime | - | The event generation time, from the agent side | | |
| customerId | - | - | | |
| tags | | The technique ID detected by the Security Analytics Engine based on the alert filter | | |
| uuid | - | The unique key of the log | | |
| receivedTime | - | The time the log was received by XDR | | |
| productCode | - | - | | |
| packageTraceId | - | - | | |
| filterRiskLevel | - | The top-level filter risk level of the event | | |
| groupId | - | - | | |
| tenantGuid | - | - | | |
| bitwiseFilterRiskLevel | - | Filter risk level, bitwise-encoded | | |
| endpointHostName | | - | | |
| osName | - | - | | |
| dst | | - | | |
| endpointGuid | | - | | |
| principalName | | - | | |
| request | | The requested URL, usually found in Web Reputation Services scans | | |
| act | - | - | | |
| src | | Source IP address | | |
| serverTls | - | - | | |
| serverProtocol | - | - | | |
| userAgent | - | - | | |
| rt | - | - | | |
| eventName | - | - | | |
| application | - | - | | |
| ruleName | - | - | | |
| clientIp | | - | | |
| requestBase | | The domain of the URL | | |
| score | - | Web Reputation Services score | | |
| userDomain | | Active Directory domain; the domain of the user name signing in to the Trend Micro Anti-Spam administrator portal | | |
| suid | | User name or IP address (IPv4) | | |
| duration | - | Time taken by the scanner to complete the scan, in milliseconds | | |
| eventSubName | - | - | | |
| fileHash | | SHA-1 hash of the file violating the policy | | |
| fileHashSha256 | | SHA-256 hash of the file violating the policy | | |
| fileName | | Name of the file violating the policy | | |
| fileSize | - | Size of the file violating the policy | | |
| malName | - | Name of the detected malware | - | |
| fileType | - | Type of the file violating the policy | | |
| mimeType | - | MIME type (content type) of the response body | | |
| sender | - | Roaming user or Trend Micro Web Security gateway through which the web traffic passed | | |
| profile | - | Name of the triggered Threat Protection template or Data Loss Prevention profile | - | |
| detectionType | - | Scan type | | |
| userDepartment | - | User department | | |
| requestMethod | - | Request method of the network protocol | | |
| pname | - | Product name | | |
| pver | - | Product version | | |
| deviceGUID | - | GUID of an object that is a device but not an endpoint | | |
| requestMimeType | - | Request Content-Type | | |
| tlsJA3Fingerprint | - | JA3 fingerprint (raw string) | - | |
| failedHTTPSInspection | - | Whether the HTTPS traffic failed to be inspected | | |
| responseSize | - | Response length | | |
| clientProtocol | - | Client protocol | | |
| clientTls | - | - | | |
| contentEncoding | - | Response or request Content-Encoding | | |
| authType | - | Authorization type | | |
| requestSize | - | Request length | | |
| serverRespTime | - | Time taken by the server to respond to the request, in milliseconds | | |
| trafficType | - | - | | |
| urlCat | - | URL category | | |
| ruleType | - | - | | |
| ruleUuid | - | UUID of the Zero Trust Secure Access risk control rule, used for risk assessment and control | | |
| objectId | - | UUID of Zero Trust Secure Access Private Access | | |
| spt | | Virtual port assigned to the Zero Trust Secure Access agent | | |
| policyUuid | - | UUID of the private access or risk control rule in Zero Trust Secure Access | | |
| dpt | | Service port of the private application server | | |
| companyName | - | Company name | | |
| start | - | Start time, in milliseconds | | |
| sessionStart | - | Session start time, in seconds | | |
| sessionEnd | - | Session end time, in seconds | | |
| policyTemplate | - | Data Loss Prevention template names | | |
| serverIp | | Server IP address | | |
| clientPort | | Client port number | | |
| serverPort | | Server port number | | |
| clientMAC | - | Client MAC address | | |
| serverMAC | - | Server MAC address | | |
| flowId | - | NA flow ID | | |
| status | - | Connection status of the NA flow | | |
| app | - | Application-layer protocol | | |
| httpReferer | | HTTP Referer header | | |
| httpXForwardedFor | - | HTTP X-Forwarded-For header | | |
| requestClientApplication | - | HTTP User-Agent | | |
| requestDate | - | HTTP Date header of the request | | |
| requestHeaders | - | All HTTP request headers, with sensitive information removed | | |
| overSsl | - | Whether the connection is over SSL/TLS | | |
| respCode | - | Response code of the network protocol | | |
| respDate | - | HTTP Date header of the response | | |
| httpLocation | | HTTP Location header | | |
| respHeaders | - | All HTTP response headers, with sensitive information removed | | |
| respFileHash | | SHA-1 hash of the file detected in the response direction | | |
| respFileHashSha256 | | SHA-256 hash of the file detected in the response direction | | |
| respFileType | - | File type of the file detected in the response direction | | |
| respArchFiles | - | Information on files extracted from the file detected in the response direction | | |
| httpXForwardedForIp | | The X-Forwarded-For IP used by the sensor | | |
| httpXForwardedForPort | - | The HTTP server port substituted when the sensor selects an X-Forwarded-For IP to use | | |
| resolvedUrlIp | | IP address resolved for the URL's FQDN | | |
| resolvedUrlPort | | Port of the HTTP server | | |
| respMethod | - | Response method | | |
| msgId | | Message ID provided by the service provider | | |
| mailMsgSubject | | Email subject | | |
| suser | | Email sender | | |
| duser | | Email recipient | | |
| requests | | URLs | | |
| direction | - | Object transfer direction | | |
| archFiles | - | - | | |
| hostName | | Host name | | |
| tlsSelectedCipher | - | Cipher suite selected for the TLS session | | |
| sslCertCommonName | - | Common name of the certificate | | |
| sslCertIssuer | - | Issuer of the certificate | | |
| sslCertValidFrom | - | Time the certificate becomes valid | | |
| sslCertValidUntil | - | Time the certificate expires | | |
| sslCertSerialNumber | - | Serial number of the certificate | | |
| sslCertSANs | - | Subject alternative names of the certificate | | |
| sslCertFingerprint | - | Fingerprint of the certificate | | |
| ja3Hash | - | JA3 hash | | |
| ja3sHash | - | JA3S hash | | |
| tlsJA3SFingerprint | - | JA3S fingerprint (raw string) | | |
| ftpTrans | - | FTP transaction information | | |
| customFilterTags | | Filter ID matched by XDR based on custom filters | | |
| customFilterRiskLevel | - | Top-level risk level of the event according to custom filters | | |
| e2eLatency | - | End-to-end (E2E) traffic latency, in milliseconds | | |
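The table mixes time units (`start` in milliseconds, `sessionStart`/`sessionEnd` in seconds) and carries both raw TLS fingerprints and their hashes. The following is an added example, not Trend Micro code and not part of the original page: it builds a constructed record using the field names above, normalizes the time fields to UTC datetimes, and checks that `ja3Hash`/`ja3sHash` agree with their raw `tlsJA3Fingerprint`/`tlsJA3SFingerprint` strings and that `fileHash`/`fileHashSha256` are well-formed. The JA3 hash relationship (MD5 of the raw comma-separated string) comes from the JA3 specification, not from this table; the sample values, `SAMPLE_RECORD`, and the function names are assumptions made for the example.

```python
"""Consistency checks for a record using the field names from the table above.

Added example, not Trend Micro code. SAMPLE_RECORD is constructed.
Facts relied on: units from the table (start in ms, sessionStart/sessionEnd in s)
and the JA3/JA3S definition (hash = MD5 hex digest of the raw fingerprint string).
"""
import hashlib
import re
from datetime import datetime, timezone

HEX40 = re.compile(r"^[0-9a-f]{40}$")  # SHA-1 hex digest
HEX64 = re.compile(r"^[0-9a-f]{64}$")  # SHA-256 hex digest

# Constructed raw fingerprints in the JA3 format
# (TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats).
RAW_JA3 = "771,4865-4866-4867,0-23-65281-10-11,29-23-24,0"
RAW_JA3S = "771,4865,43-51"
SAMPLE_BYTES = b"constructed sample file content"


def ja3_hash(raw: str) -> str:
    """JA3/JA3S hash: MD5 hex digest of the raw comma-separated string."""
    return hashlib.md5(raw.encode("ascii")).hexdigest()


# Constructed record; the hash fields are derived from the raw values above so
# the record is internally consistent.
SAMPLE_RECORD = {
    "start": 1700000000123,      # milliseconds (per the table)
    "sessionStart": 1700000000,  # seconds (per the table)
    "sessionEnd": 1700000012,    # seconds (per the table)
    "serverRespTime": 85,        # milliseconds
    "e2eLatency": 130,           # milliseconds
    "tlsJA3Fingerprint": RAW_JA3,
    "ja3Hash": ja3_hash(RAW_JA3),
    "tlsJA3SFingerprint": RAW_JA3S,
    "ja3sHash": ja3_hash(RAW_JA3S),
    "fileHash": hashlib.sha1(SAMPLE_BYTES).hexdigest(),
    "fileHashSha256": hashlib.sha256(SAMPLE_BYTES).hexdigest(),
}


def normalize_times(rec: dict) -> dict:
    """Convert the time fields to aware UTC datetimes using the table's units.

    `start` is in milliseconds while the session fields are in seconds; treating
    them alike skews events by a factor of 1000, so the conversion lives here.
    """
    out = {
        "start": datetime.fromtimestamp(rec["start"] / 1000, tz=timezone.utc),
        "sessionStart": datetime.fromtimestamp(rec["sessionStart"], tz=timezone.utc),
        "sessionEnd": datetime.fromtimestamp(rec["sessionEnd"], tz=timezone.utc),
    }
    out["sessionSeconds"] = (out["sessionEnd"] - out["sessionStart"]).total_seconds()
    return out


def check_record(rec: dict) -> list:
    """Return a list of consistency problems; an empty list means the record is consistent."""
    problems = []
    if ja3_hash(rec["tlsJA3Fingerprint"]) != rec["ja3Hash"].lower():
        problems.append("ja3Hash does not match MD5(tlsJA3Fingerprint)")
    if ja3_hash(rec["tlsJA3SFingerprint"]) != rec["ja3sHash"].lower():
        problems.append("ja3sHash does not match MD5(tlsJA3SFingerprint)")
    if not HEX40.match(rec["fileHash"].lower()):
        problems.append("fileHash is not a SHA-1 hex digest")
    if not HEX64.match(rec["fileHashSha256"].lower()):
        problems.append("fileHashSha256 is not a SHA-256 hex digest")
    if rec["sessionEnd"] < rec["sessionStart"]:
        problems.append("sessionEnd precedes sessionStart")
    return problems


if __name__ == "__main__":
    print(normalize_times(SAMPLE_RECORD))
    print(check_record(SAMPLE_RECORD) or "record is consistent")
```

Hash comparisons are done on lowercased values because upstream sources differ in digest casing; a mismatch between `ja3Hash` and the recomputed MD5 of `tlsJA3Fingerprint` usually means the raw string was truncated or re-encoded somewhere in the pipeline, and is worth checking before building detections on either field.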