tm-v1-schema

Container Security

Layer: Cloud

This documentation provides detailed information about all fields available for Container Security.

Field Name	Type	Searchable	General Field	Description	Example	Products
act	dynamic	true	-	The actions taken to mitigate the event	log isolate terminate not blocked Block No action Reset Pass User Decision	Container Security Deep Discovery Inspector Network Sensor Apex One as a Service Endpoint & Workload Security Cloud App Security TippingPoint Security Management System Endpoint Sensor Web Security Email Security Deep Security Cloud One Network Security Zero Trust Secure Access - Internet Access TXOne EdgeOne Zero Trust Secure Access - Private Access Email Sensor Mobile Security Mobile Network Security Agentless Vulnerability & Threat Detection
actionName	string	true	-	The action being taken	get list create	Container Security
clusterId	string	true	-	The cluster ID of the container	TestCluster-2HJdImvH6eO1fgTnCBK3xYA7Sph	Container Security
clusterId	string	true	-	The cluster ID of the container	ben_eks_test-20k90A3jGa4d3YMYfrdGIgs7g9u	Container Security
clusterName	string	true	-	The cluster name of the container	TestCluster	Container Security
clusterName	string	true	-	The cluster name of the container	ben_eks_test	Container Security
compressedFileName	string	true	FileName	The file name of the compressed file	/proc/32058/fd/150 NONAMEFL /proc/10006/fd/30 VirusActionSample/RPF2_OtherMalwareSample-other.exe	Deep Discovery Inspector Network Sensor Apex One as a Service File Security File Security Storage Endpoint & Workload Security Agentless Vulnerability & Threat Detection Container Security
containerId	string	true	-	The Kubernetes container ID	7d1e00176d78	Container Security
containerId	string	true	-	The Kubernetes container ID	4102001853b8	Container Security
containerImage	string	true	-	The Kubernetes container image	debian:latest	Container Security
containerImage	string	true	-	The Kubernetes container image	dockerhub.io/ubuntu:latest	Container Security
containerImageDigest	string	false	-	The Kubernetes container image digest	sha256:bfe6615d017d1eebe19f349669de58cda36c668ef916e618be78071513c690e5	Container Security
containerImageDigest	string	true	-	The Kubernetes container image digest	sha256:626ffe58f6e7566e00254b638eb7e0f3b11d4da9675088f4781a50ae288f3322	Container Security
containerName	string	true	-	The Kubernetes container name	k8s_democon_longrunl_default_11111111-1111-1111-1111-111111111111_0	Container Security
containerName	string	true	-	The Kubernetes container name	k8s_ubuntu_ubuntu-ds-fp2jk_default_00000000-0000-0000-0000-000000000000_2	Container Security
customAssetTags	dynamic	true	-	The list of custom asset tags	{"os":["linux", "windows"], "org":["bu1"]}	Container Security
customAssetTags	dynamic	true	-	The list of custom asset tags	{"os":["linux", "windows"], "org":["bu1"]}	Endpoint Sensor Endpoint & Workload Security Apex One as a Service Container Security
customTags	dynamic	true	-	The event tags	network mitre_discovery	Container Security File Security
detectionType	string	true	-	The detection type	1 File Process net	Deep Discovery Inspector Network Sensor Endpoint & Workload Security Web Security Apex One as a Service Cloud App Security Deep Security Email Security Zero Trust Secure Access - Internet Access Mobile Security Zero Trust Secure Access - Private Access Container Security
dpt	int	true	Port	The destination port number	-	Container Security
dpt	int	true	Port	The destination port	445 80	Deep Discovery Inspector Network Sensor Apex One as a Service Endpoint & Workload Security TippingPoint Security Management System Deep Security Cloud One Network Security Endpoint Sensor TXOne EdgeOne Zero Trust Secure Access - Private Access Container Security Mobile Network Security Deep Discovery Analyzer
dst	string	true	IPv4 IPv6	The destination IP address	:: 10.10.10.10	Container Security
dst	dynamic	true	IPv4 IPv6	The destination IP	10.10.10.10	Deep Discovery Inspector Network Sensor Apex One as a Service Endpoint & Workload Security TippingPoint Security Management System Deep Security Cloud One Network Security Endpoint Sensor Zero Trust Secure Access - Internet Access TXOne EdgeOne Zero Trust Secure Access - Private Access Container Security Mobile Network Security Deep Discovery Analyzer
endpointGUID	string	true	EndpointID	The GUID of the agent which reported the detection	ae4d64aa-f8b8-bb36-b265-f59272ed342f 8fb979f6-1376-bed3-227f-f2886e66194e ca2b3a7e-8415-c571-cc19-e45f69470026	Endpoint & Workload Security Apex One as a Service Deep Security Endpoint Sensor Zero Trust Secure Access - Internet Access Mobile Security Zero Trust Secure Access - Private Access TXOne StellarOne Container Security Data Detection and Response
endpointHostName	string	false	-	The host name of the container or node	PHILIPSIBE09 WHAM6WK8XG2 MacBook-Pro-del-Meno	Container Security
endpointHostName	string	true	EndpointName	The endpoint hostname or node where the event was detected	10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0] ip-10-10-10-10.us-west-1.compute.internal	Endpoint & Workload Security Deep Security Apex One as a Service Endpoint Sensor Zero Trust Secure Access - Internet Access Mobile Security Zero Trust Secure Access - Private Access TXOne StellarOne Container Security Agentless Vulnerability & Threat Detection Data Detection and Response
eventId	int	true	-	Event type	-	Container Security
eventId	string	true	-	The event ID from the logs of each product	100100 100101 100116 100117 100119	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security Cloud App Security Endpoint Sensor Email Security TXOne StellarOne Container Security Email Sensor File Security File Security Storage Agentless Vulnerability & Threat Detection Mobile Security Mobile Network Security Data Detection and Response Deep Discovery Analyzer
eventSubId	int	true	-	The access type	2 - TELEMETRY_PROCESS_CREATE 101 - TELEMETRY_FILE_CREATE 204 - TELEMETRY_CONNECTION_CONNECT_OUTBOUND	Container Security
eventTime	real	true	-	The time the agent detected the event	1657781088000	Container Security
fileDesc	string	true	-	The file description	Atualiza PJRO Carpeta de archivos 7z Setup SFX (x86)	Apex One as a Service Container Security
fileHashSha256	string	true	FileSHA2	The SHA-256 of the file (fileName)	6A6EB2D717CEA041B4444193B45EDFB6CA1287518203B7230B3C4B8FFB031EAB BFF703FF836196644586014DA13A097C2EE9A08E4D596DFB7C8E0F685FE01294 12327F460AC9CBBC34D39EB3CF89C7FECCA37F08773A04566840F73F6ECC4104	Deep Discovery Inspector Network Sensor Apex One as a Service Zero Trust Secure Access - Internet Access Endpoint & Workload Security File Security File Security Storage Agentless Vulnerability & Threat Detection Container Security Deep Discovery Analyzer
fileOperation	string	true	-	The operation of the file	Created Updated Deleted	Endpoint & Workload Security Deep Security Container Security
fileType	string	true	-	The file type of the suspicious file	EXE LNK MIME	Deep Discovery Inspector Network Sensor Zero Trust Secure Access - Internet Access File Security File Security Storage Agentless Vulnerability & Threat Detection Container Security Deep Discovery Analyzer
fullPath	string	true	FileFullPath	The combination of the file path and the file name	\etc\hosts c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask \var\log\auth.log	Endpoint & Workload Security Apex One as a Service Deep Discovery Inspector Network Sensor Deep Security TXOne StellarOne File Security File Security Storage Agentless Vulnerability & Threat Detection Container Security
isEntity	string	true	-	The current entity (or after change/modification)	{"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"running","name":"state","value":"4"}]} {"key":"<example>":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"stopped","name":"state","value":"1"}]} {"key":"<example>","type":"File","attributes":[]}	Endpoint & Workload Security Deep Security Container Security
k8sNamespace	string	true	-	The Kubernetes namespace of the container	default	Container Security
k8sNamespace	string	true	-	The Kubernetes namespace of the container	default	Container Security
k8sPodId	string	true	-	The Kubernetes pod ID of the container	11111111-1111-1111-1111-111111111111	Container Security
k8sPodId	string	true	-	The Kubernetes pod ID of the container	00000000-0000-0000-0000-000000000000 11111111-1111-1111-1111-111111111111 22222222-2222-2222-2222-222222222222	Container Security
k8sPodName	string	true	-	The Kubernetes pod name of the container	longrunl	Container Security
k8sPodName	string	true	-	The Kubernetes pod name of the container	ubuntu-ds-fp2jk	Container Security
malName	string	true	-	The name of the detected malware	SecurityLevelDrop Regla Logs All USR_SUSPICIOUS_DOMAIN.UMXX	Apex One as a Service Endpoint & Workload Security Deep Discovery Inspector Network Sensor Deep Security Web Security TXOne StellarOne Email Sensor File Security File Security Storage Agentless Vulnerability & Threat Detection Container Security Deep Discovery Analyzer
malType	string	true	-	The risk type for Network Content Correlation Engine rules	OTHERS MALWARE Others	Deep Discovery Inspector Network Sensor Endpoint & Workload Security Apex One as a Service Deep Security File Security Container Security
objectFileCreation	string	true	-	The UTC time that the object was created	2014-11-22T01:45:51-06:00 2009-07-13T23:31:13-05:00 2014-11-21T02:43:28-05:00	Apex One as a Service Endpoint & Workload Security Container Security
objectFileHashSha1	string	true	FileSHA1	The SHA-1 of the objectFilePath object	51B8646308EE0B68AD1F7F1291B85395434DE49A 36C5D12033B2EAF251BAE61C00690FFB17FDDC87 2586528000199793730B05D3F169BCF139E4D7A1	Apex One as a Service Endpoint Sensor Endpoint & Workload Security Container Security
objectFileHashSha256	string	true	FileSHA2	The SHA-256 of the object (objectFilePath)	A75C85F3B089993E9C042FB82ECB7757E8F460ED8065FC7991CAA38A6DE0F50C 908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53 1A2ABAAD8A166B66CA35AB51C7432C5A7E46996472C8174281842896408D7F96	Apex One as a Service Endpoint Sensor Endpoint & Workload Security Container Security
objectFileModifiedTime	string	true	-	The time the object file was modified	1652131848000 1577865600000 1648279273000	Container Security
objectFileName	string	true	FileName	The object file name	powershell.exe wmiprvse.exe dismhost.exe	Apex One as a Service Container Security Endpoint & Workload Security
objectFilePath	string	true	FileFullPath FileName	The file path of the target process image or target file	/usr/bin/bash /bin/bash /opt/folder1/probes/system/processes/processes	Container Security
objectFilePath	string	true	FileFullPath	The file path of the target process image or target file	c:\windows\system32\windowspowershell\v1.0\powershell.exe zwwritevirtualmemory c:\windows\system32\wbem\wmiprvse.exe	Apex One as a Service Endpoint & Workload Security Endpoint Sensor Container Security
objectFileSize	long	true	-	The object file size	0 59456 60	Endpoint & Workload Security Container Security
objectUser	string	true	UserAccount	The owner name of the target process or the login user name	root SYSTEM oracle	Container Security
osName	string	false	-	The host operating system name	Linux	Container Security
parentCmd	string	true	CLICommand	The command line entry of the parent process	C:\WINDOWS\system32\services.exe C:\Windows\system32\services.exe /sbin/launchd	Container Security
parentCmd	string	true	CLICommand	The command line of the subject parent process	"C:\Tiburon\CommandCAD\Test\Startup.exe" C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Appinfo	Endpoint Sensor Container Security
parentFilePath	string	true	FileFullPath FileName	The file path of the parent process	c:\windows\system32\services.exe /usr/bin/bash c:\windows\system32\svchost.exe	Container Security
parentLaunchTime	real	false	-	The time when the parent process was launched	1653614773895 1656118625928 0	Container Security
parentName	string	false	-	The image name of the parent process	/usr/bin/bash c:\windows\system32\svchost.exe c:\windows\system32\lsass.exe	Container Security
parentName	string	true	-	The image name of the parent process	explorer.exe startup.exe svchost.exe	Endpoint Sensor Container Security
parentPid	int	true	-	The PID of the parent process	4 1 784 792	Container Security
parentPid	int	true	-	The PID of the parent process	-	Endpoint & Workload Security Endpoint Sensor Deep Security Container Security
platformAssetTags	dynamic	true	-	The list of platform custom asset tags	{"Asset group":["finance"], "some.ip": ["10.1.0.1"]}	Container Security
platformAssetTags	dynamic	true	-	The list of platform custom asset tags	{"Asset group":["finance"], "some.ip": ["10.1.0.1"]}	Endpoint Sensor Endpoint & Workload Security Apex One as a Service Container Security
pname	string	true	-	The internal product ID	Trend Micro Deep Security Deep Discovery Inspector Apex One	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security Cloud App Security Email Security TippingPoint Security Management System Endpoint Sensor Web Security Cloud One Network Security Zero Trust Secure Access - Internet Access Mobile Security Container Security Email Sensor Deep Discovery Analyzer
policyId	string	false	-	The policy ID	TestPolicy-2HJe25H4GY4upSuNNAG1pci2BIm	Container Security
policyId	string	true	-	The policy ID of which the event was detected	00000001-0001-0001-0001-000000007610 007 003 TM000001	TippingPoint Security Management System Apex One as a Service Endpoint Sensor Cloud One Network Security Endpoint & Workload Security Deep Security Container Security
policyName	string	false	-	The name of the triggered policy	TestPolicy	Container Security
policyName	string	true	-	The name of the triggered policy	Steelcase Cabot Tigre - Medium Policy apiPostedPolicy	Apex One as a Service Cloud App Security Web Security Email Security Zero Trust Secure Access - Internet Access TXOne EdgeOne Container Security Mobile Network Security
principalName	string	true	-	The user principal name used to sign in to the proxy	sample_email@trendmicro.com	Web Security Zero Trust Secure Access - Internet Access Cloud App Security Zero Trust Secure Access - Private Access Container Security
processCmd	string	true	CLICommand	Command line entry of subject process	C:\WINDOWS\system32\services.exe C:\Windows\system32\services.exe /sbin/launchd	Container Security
processCmd	string	true	CLICommand	The subject process command line	"C:\Program Files (x86)\AADM\AADM.exe" /usr/lib/inet/sendmail -bl -q15m ComDir	Endpoint & Workload Security Endpoint Sensor Deep Security Apex One as a Service Container Security
processFilePath	string	true	ProcessFullPath	The file path of the subject process	c:\windows\system32\services.exe /usr/bin/bash c:\windows\system32\svchost.exe	Container Security
processImagePath	string	true	-	The process triggered by the file event	c:\windows\system32\svchost.exe /usr/bin/python2.7 /usr/bin/sed	Endpoint & Workload Security Endpoint Sensor Deep Security Container Security
processLaunchTime	real	false	-	The time the subject process was launched	1653614773895 1656118625928 0	Container Security
processName	string	true	ProcessName	The image name of the process that triggered the event	/usr/bin/bash c:\windows\system32\svchost.exe c:\windows\system32\lsass.exe	Container Security
processName	string	true	ProcessName	The image name of the process that triggered the event	c:\windows\system32\svchost.exe /usr/bin/python2.7 /usr/bin/sed	Endpoint & Workload Security Endpoint Sensor Deep Security Container Security Apex One as a Service
processPid	int	true	-	The PID of the subject process	4 1 784 792	Container Security
processPid	int	true	-	The PID of the subject process	-	Endpoint & Workload Security Endpoint Sensor Container Security Apex One as a Service
processUser	string	true	UserAccount	The user name of the process or the file creator	SYSTEM SVC_JENKINS_CODE_DEV NETWORK SERVICE	Endpoint & Workload Security Apex One as a Service Container Security
proto	string	false	-	The protocol type	TELEMETRY_CONNECTION_TCP TELEMETRY_CONNECTION_UDP	Container Security
proto	string	true	-	The exploited layer network protocol	6 TCP 17	Endpoint & Workload Security Deep Security TXOne EdgeOne Container Security Mobile Network Security Apex One as a Service
pver	string	true	-	The product version	1.2.0.2752 1.0.345 1.2.0.2657	Container Security
pver	string	true	-	The product version	20.0.0.4726 20.0.0.4416 6.2.1125	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Deep Security Apex One as a Service TippingPoint Security Management System Cloud One Network Security Zero Trust Secure Access - Internet Access Mobile Security Container Security File Security File Security Storage Agentless Vulnerability & Threat Detection Deep Discovery Analyzer
rawDataStr	string	false	-	The JSON string that contains additional information	{"TLS version": "0x0303", "Cipher Suite": "0xc030"} {"Scanned ports": "23, 80, 443"} {"HTTP Content-Type": "application/hal+json", "HTTP Content-Body": "{\\"_links\\": {\\"type\\": {\\"href\\": \\"http://10.10.10.10/rest/type/node/INVALID_VALUE\\"}}, \\"type\\": {\\"target_id\\": \\"article\\"}, \\"title\\": {\\"value\\": \\"My Article\\"}, \\"body\\": {\\"value\\": \\"\\"}}"}	Deep Discovery Inspector Network Sensor Container Security Network Sensor
requestDecision	string	true	-	Whether the request was allowed or denied by the authorization system	allow/deny	Container Security
resourceCategory	string	true	-	The category of the object	roles	Container Security
resourceName	string	true	-	The specific name of the object	pod-reader	Container Security
resourceNamespace	string	true	-	The namespace where the referenced resource exists	default kube-system	Container Security
respCode	string	true	-	The network protocol response code	302 200	Cloud App Security Email Security Container Security
ruleIdStr	string	false	-	The rule ID	TM-00000036	Container Security
ruleIdStr	string	true	-	The rule ID	TM-00000043	Container Security Apex One as a Service
ruleName	string	true	-	The name of the rule that triggered the event	Directory Server - Microsoft Windows Active Directory Microsoft Windows Events Microsoft Windows Security Events - 3 (T1234) New executable created (chmod) Sensitive Files Upload to Personal Cloud Multiple Sensitive Files Compression Transfer Sensitive Files to Removable Storage Move Multiple Sensitive Files to Central Location Multiple Sensitive Files Modification Multiple Sensitive Files Deletion GEN_CCFR_OVERLAY_TEST.A	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security Cloud App Security TippingPoint Security Management System Endpoint Sensor Email Security Cloud One Network Security Zero Trust Secure Access - Private Access Container Security Email Sensor Mobile Network Security Data Detection and Response
ruleSetId	string	true	-	The rule set ID	AllRules-1zSSZPsDqfqkcOt5vNsD6f383HN	Container Security
ruleSetName	string	true	-	The rule set name	AllRules	Container Security Cloud One Network Security TippingPoint Security Management System Endpoint & Workload Security
ruleType	string	true	-	The access rule type	udso point of entry unknown	Endpoint & Workload Security Apex One as a Service Cloud App Security Zero Trust Secure Access - Private Access Container Security
scanType	string	true	-	The scan type	realtime_mailmeta-exchange exchange_mailbox_realtime_detection_logs gateway_realtime_blocking_traffic malware_schedule_image malware_schedule_file malware_realtime_image malware_realtime_file	Cloud App Security Email Security Endpoint & Workload Security Apex One as a Service Deep Security Email Sensor File Security Agentless Vulnerability & Threat Detection Container Security
severity	int	true	-	The severity of the event	2 4 6 8	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Deep Security Apex One as a Service TippingPoint Security Management System Cloud One Network Security Container Security Mobile Network Security Deep Discovery Analyzer
sourceType	string	true	-	The source type	user defined sandbox syscall	Apex One as a Service Container Security Endpoint Sensor
spt	int	true	Port	The source port number	53 5353 443	Container Security
spt	int	true	Port	The source port	53 7680	Deep Discovery Inspector Network Sensor Apex One as a Service Endpoint & Workload Security TippingPoint Security Management System Deep Security Cloud One Network Security Endpoint Sensor TXOne EdgeOne Zero Trust Secure Access - Private Access Container Security Mobile Network Security Deep Discovery Analyzer
src	string	true	IPv4 IPv6	The source address	:: 10.10.10.10	Container Security
src	dynamic	true	IPv4 IPv6	The source IP	10.10.10.10	Deep Discovery Inspector Network Sensor Apex One as a Service Endpoint & Workload Security TippingPoint Security Management System Deep Security Cloud One Network Security Endpoint Sensor Zero Trust Secure Access - Internet Access TXOne EdgeOne Zero Trust Secure Access - Private Access Container Security Mobile Network Security Deep Discovery Analyzer
srcFileHashSha1	string	true	FileSHA1	The SHA-1 of the source file	-	Container Security
srcFileHashSha256	string	true	FileSHA2	The SHA-256 of the source file	-	Container Security
srcFileModifiedTime	string	true	-	The time the source file was modified	1652131848000 1577865600000 1648279273000	Container Security
srcFilePath	string	true	FileFullPath FileName	The source file path	\\cnva-apps\megaclockprod\traveler\travelerprint.accdb c:\program files\common files\microsoft shared\clicktorun\officesvcmgrschedule.xml q:\a7_dbs\a4_pkg\a4_packaging.accde	Container Security
srcFileSize	string	true	-	The file size of the source file	1255856 1237880	Container Security
tags	dynamic	true	Technique Tactic	The detected ID based on the alert filter	MITREV9.T1057 MITREV9.T1059.003 XSAE.F2924	ALL Container Security
userDefinedFields	dynamic	true	-	The user-defined field for custom detection rules	{"message": "There is a shell process running in the container with ID \"1234567890abcdef\"."}	Container Security
wasEntity	string	true	-	The entity before change/modification	{"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"stopped","name":"state","value":"1"}]} {"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"running","name":"state","value":"4"}]} {"key":"<example>","type":"File","attributes":[]}	Endpoint & Workload Security Deep Security Container Security

Field Statistics

Total Fields: 111
Layer: Cloud
Product: Container Security

Generated by XDR Common Schema Public Doc Generator V2

This site is open source. Improve this page.