.
├── README.md
├── doc (documentation by log type)
│ ├── <log_type_name>.yaml
│ └── ...
└── doc_v2 (documentation by layer and product)
├── <layer_name>
│ ├── <product_name>.yaml
│ └── ...
└── ...
└── pages (for rendering in GitHub Pages)
├── <layer_name>
│ ├── <product_name>.md
│ └── ...
└── ...
you can access the rendered pages at: https://trendmicro.github.io/tm-v1-schema/pages/index
| Property | Description | |—————-|————————————————| | Name | The log field name | | ProductCode | The products which send data to this field | | Description_EN | The field description | | Sample | The sample values of the field | | DL_Searchable | Whether logs are searchable by this field | | DL_Type | The field data type | | DL_CommonKey | The corresponding field name in General Search |
| Code | Product | |——|———————————————————–| | ALL | All products | | aad | Microsoft Entra ID | | ams | Trend Vision One Mobile Security | | opa | Microsoft Active Directory | | pao | Trend Micro Apex One | | pdi | Trend Micro Deep Discovery Inspector | | pds | Trend Micro Deep Security | | ptn | TXOne EdgeOne (on-premises) | | ptp | TippingPoint Security Management System | | pts | TXOne Stellar (on-premises) | | qpf | Palo Alto Networks Next-Generation Firewalls | | sao | Trend Micro Apex One as a Service | | sca | Trend Micro Cloud App Security | | scs | Trend Cloud One - Container Security | | sct | Trend Cloud One - AWS CloudTrail | | sds | Trend Cloud One - Endpoint & Workload Security | | sem | Trend Micro Email Security | | sfc | Trend Cloud One – File Storage Security | | sfs | Trend Vision One File Security | | sig | Trend Vision One Zero Trust Secure Access Internet Access | | sna | XDR add-on: Deep Discovery Inspector | | sss | Trend Cloud One - Cloud Sentry | | stp | Trend Cloud One - Network Security | | sws | Trend Micro Web Security | | szn | Trend Vision One Zero Trust Secure Access Private Access | | vpc | XDR for Cloud - AWS VPC Flow Logs | | xca | Collaboration Sensor | | xes | XDR Endpoint Sensor | | xms | Email Sensor | | xns | Virtual Network Sensor |
| eventId | Event Type | |———|—————————-| | 1 | TELEMETRY_PROCESS | | 2 | TELEMETRY_FILE | | 3 | TELEMETRY_CONNECTION | | 4 | TELEMETRY_DNS | | 5 | TELEMETRY_REGISTRY | | 6 | TELEMETRY_ACCOUNT | | 7 | TELEMETRY_INTERNET | | 8 | TELEMETRY_MODIFIED_PROCESS | | 9 | TELEMETRY_WINDOWS_HOOK | | 10 | TELEMETRY_WINDOWS_EVENT | | 11 | TELEMETRY_AMSI | | 12 | TELEMETRY_WMI | | 13 | TELEMETRY_MEMORY | | 14 | TELEMETRY_BM | | 15 | TELEMETRY_APP | | 16 | TELEMETRY_SYSTEM_EVENT | | 17 | TELEMETRY_EVENT_PIPE | | 18 | TELEMETRY_MAC_SYS_LOG | | 19 | TELEMETRY_DDR | | 101 | TELEMETRY_ASSOCIATION |
| eventSubId | Event Sub-Type | |————|————————————————| | 0 | TELEMETRY_NONE | | 1 | TELEMETRY_PROCESS_OPEN | | 2 | TELEMETRY_PROCESS_CREATE | | 3 | TELEMETRY_PROCESS_TERMINATE | | 4 | TELEMETRY_PROCESS_LOAD_IMAGE | | 5 | TELEMETRY_PROCESS_EXECUTE | | 6 | TELEMETRY_PROCESS_CONNECT | | 7 | TELEMETRY_PROCESS_TRACME | | 8 | TELEMETRY_PROCESS_LOAD_KERNEL_IMAGE | | 101 | TELEMETRY_FILE_CREATE | | 102 | TELEMETRY_FILE_OPEN | | 103 | TELEMETRY_FILE_DELETE | | 104 | TELEMETRY_FILE_SET_SECURITY | | 105 | TELEMETRY_FILE_COPY | | 106 | TELEMETRY_FILE_MOVE | | 107 | TELEMETRY_FILE_CLOSE | | 108 | TELEMETRY_FILE_MODIFY_TIMESTAMP | | 109 | TELEMETRY_FILE_MODIFY | | 110 | TELEMETRY_FILE_SET_ATTRIBUTES | | 111 | TELEMETRY_FILE_ENUMERATE | | 112 | TELEMETRY_FILE_SET_EXTENDED_ATTRIBUTE | | 113 | TELEMETRY_FILE_DELETE_EXTENDED_ATTRIBUTE | | 201 | TELEMETRY_CONNECTION_CONNECT | | 202 | TELEMETRY_CONNECTION_LISTEN | | 203 | TELEMETRY_CONNECTION_CONNECT_INBOUND | | 204 | TELEMETRY_CONNECTION_CONNECT_OUTBOUND | | 301 | TELEMETRY_DNS_QUERY | | 401 | TELEMETRY_REGISTRY_CREATE | | 402 | TELEMETRY_REGISTRY_SET | | 403 | TELEMETRY_REGISTRY_DELETE | | 404 | TELEMETRY_REGISTRY_RENAME | | 405 | TELEMETRY_REGISTRY_ENUMERATE | | 406 | TELEMETRY_REGISTRY_ENUMERATEVALUE | | 407 | TELEMETRY_REGISTRY_QUERYVALUE | | 408 | TELEMETRY_REGISTRY_SAVE | | 501 | TELEMETRY_ACCOUNT_ADD | | 502 | TELEMETRY_ACCOUNT_DELETE | | 503 | TELEMETRY_ACCOUNT_IMPERSONATE | | 504 | TELEMETRY_ACCOUNT_MODIFY | | 505 | TELEMETRY_ACCOUNT_LOGIN | | 506 | TELEMETRY_ACCOUNT_LOGOUT | | 601 | TELEMETRY_INTERNET_OPEN | | 602 | TELEMETRY_INTERNET_CONNECT | | 603 | TELEMETRY_INTERNET_DOWNLOAD | | 701 | TELEMETRY_MODIFIED_PROCESS_CREATE_REMOTETHREAD | | 702 | TELEMETRY_MODIFIED_PROCESS_WRITE_MEMORY | | 703 | TELEMETRY_MODIFIED_PROCESS_WRITE_PROCESS | | 704 | TELEMETRY_MODIFIED_PROCESS_READ_PROCESS | | 705 | TELEMETRY_MODIFIED_PROCESS_WRITE_PROCESS_NAME | | 801 | TELEMETRY_WINDOWS_HOOK_SET | | 901 | TELEMETRY_AMSI_EXECUTE | | 1001 | TELEMETRY_MEMORY_MODIFY | | 1002 | TELEMETRY_MEMORY_MODIFY_PERMISSION | | 1003 | TELEMETRY_MEMORY_READ | | 1101 | TELEMETRY_BM_INVOKE | | 1102 | TELEMETRY_BM_INVOKE_API | | 1201 | TELEMETRY_APP_START | | 1202 | TELEMETRY_APP_STOP | | 1203 | TELEMETRY_APP_INSTALL | | 1204 | TELEMETRY_APP_UNINSTALL | | 1205 | TELEMETRY_APP_BEHAVIOR | | 1301 | TELEMETRY_SYSTEM_EVENT_ENABLE | | 1302 | TELEMETRY_SYSTEM_EVENT_DISABLE | | 1303 | TELEMETRY_SYSTEM_CERTIFICATION_INSTALL | | 1304 | TELEMETRY_SYSTEM_DEVICE_ROOTED | | 1401 | TELEMETRY_PIPE_CREATE | | 1402 | TELEMETRY_PIPE_CONNECT | | 1601 | TELEMETRY_MAC_SYS_LOG_COLLECT | | 1701 | TELEMETRY_DDR_FILE_COPY | | 1702 | TELEMETRY_DDR_FILE_MOVE | | 1703 | TELEMETRY_DDR_FILE_RENAME | | 1704 | TELEMETRY_DDR_FILE_MODIFY | | 1705 | TELEMETRY_DDR_FILE_DELETE | | 1706 | TELEMETRY_DDR_FILE_UNZIP | | 1707 | TELEMETRY_DDR_FILE_ZIP | | 1708 | TELEMETRY_DDR_FILE_UPLOAD | | 1709 | TELEMETRY_DDR_FILE_DOWNLOAD | | 1710 | TELEMETRY_DDR_FILE_PRINT | | 10101 | TELEMETRY_ASSOCIATION_PROCESS_IMAGE_FILE | | 10102 | TELEMETRY_ASSOCIATION_AUTO_RUN_KEY_FULL_PATH | | 10103 | TELEMETRY_ASSOCIATION_HOST_PROC_CMD_FULL_PATH | | 10104 | TELEMETRY_ASSOCIATION_SERVICE_DLL | | 10105 | TELEMETRY_ASSOCIATION_ARCHIVE_FILE | | 10106 | TELEMETRY_ASSOCIATION_BROWSER_PROCESS |