tm-v1-schema

Apex One as a Service

Layer: Endpoint

This documentation provides detailed information about all fields available for Apex One as a Service.

Field Name	Type	Searchable	General Field	Description	Example	Products
accessPermission	string	true	-	The access permission type	Modify Read and execute List device content only Block	Apex One as a Service Endpoint & Workload Security
act	dynamic	true	-	The actions taken to mitigate the event	log isolate terminate not blocked Block No action Reset Pass User Decision	Container Security Deep Discovery Inspector Network Sensor Apex One as a Service Endpoint & Workload Security Cloud App Security TippingPoint Security Management System Endpoint Sensor Web Security Email Security Deep Security Cloud One Network Security Zero Trust Secure Access - Internet Access TXOne EdgeOne Zero Trust Secure Access - Private Access Email Sensor Mobile Security Mobile Network Security Agentless Vulnerability & Threat Detection
actResult	dynamic	true	-	The result of an action	Dropped Successful Accepted	Apex One as a Service Cloud App Security Endpoint & Workload Security Deep Security TXOne StellarOne Mobile Security
additionalInfo	string	true	-	The filter rule info	Default	Endpoint Sensor Apex One as a Service
aggregatedCount	string	true	-	The number of aggregated events	1 2 3	Deep Discovery Inspector Network Sensor Apex One as a Service TippingPoint Security Management System Web Security Cloud One Network Security Zero Trust Secure Access - Internet Access TXOne StellarOne Data Detection and Response Endpoint & Workload Security
application	string	true	-	The name of the requested application	HyperText Transfer Protocol DoubleClick The Secure HyperText Transfer Protocol	Web Security Zero Trust Secure Access - Internet Access Zero Trust Secure Access - Private Access Apex One as a Service
authId	string	true	-	The authorization ID	999 996 997	Endpoint Sensor Apex One as a Service
behaviorCat	string	true	-	The matched policy category	Policy Enforcement Grey-Detection Threat-Detection	Apex One as a Service Endpoint Sensor Endpoint & Workload Security Deep Security
blocking	string	true	-	The blocking type	Web reputation Web Server	Apex One as a Service
bmGroup	string	true	-	The one-to-many data structure	logGenLocalDatetime:2022-07-08T09:21:11+00:00, act:Assessment, behaviorType:Registry, riskConfidenceLevel:1, ruleId:7, ruleName:New Service, behaviorCategory:Policy Enforcement, processFilePath:C:\Windows\SysWOW64\srts\wmipr.exe, aegisOperation:Set Key, objectFilePath:HKLM\SYSTEM\CurrentControlSet\Services\DpsiBSvc\Start, policyId:007, objectFileHashSha1:null, objectCmd:null, processFileHashSha1:null, processCmd:null, objectRegistryData:null, objectRegistryKeyHandle:null, objectRegistryValue:null	Apex One as a Service
cat	int	false	-	The weighted priority of the incident	100 200	Endpoint & Workload Security Deep Security Apex One as a Service
cccaDetection	string	true	-	Is this log identified as a C&C callback address detection	Yes	Apex One as a Service Deep Discovery Inspector Network Sensor
cccaDetectionSource	string	true	-	Which list defines this CCCA detection rule	CCCA_GLOBAL_LIST (0) GLOBAL_INTELLIGENCE USER_DEFINED	Apex One as a Service Deep Discovery Inspector Network Sensor
cccaRiskLevel	int	true	-	The severity level of the threat actors associated with the C&C servers	1 2	Apex One as a Service Deep Discovery Inspector Network Sensor
censusMaturityValue	int	true	-	The CENSUS maturity value	1 2	Endpoint & Workload Security Apex One as a Service
censusPrevalenceValue	int	true	-	The CENSUS prevalence value	1 2	Endpoint & Workload Security Apex One as a Service
channel	string	true	-	The channel through which the demanded WinEvent is delivered	Local file or network drive Local file	Apex One as a Service
channel	string	true	-	The Windows event channel	Security Microsoft-Windows-WMI-Activity/Trace Microsoft-Windows-TaskScheduler/Operational	Endpoint Sensor Apex One as a Service
clientStatus	string	true	-	The client status when the event occurred	Rebuilding database Online Offline	Apex One as a Service
compressedFileHash	string	true	FileSHA1	The SHA-1 of the decompressed archive	6E2ECB34B7798E179CC704111FB9733FBAAD5ACA FA71B59F35F0EE44D27F74917EF5A0DA2797E80B 14D2302172EB81465CE12E01361AE24CDE170F7B	Deep Discovery Inspector Network Sensor File Security File Security Storage Endpoint & Workload Security Apex One as a Service Agentless Vulnerability & Threat Detection
compressedFileHashSha256	string	true	FileSHA2	The SHA-256 of the compressed suspicious file	60C7C5924DD09F7C6B150120FB92DCEE00AE82DB75C7402FA4D9152CF487A94F 482FFC4F87B78C3C7073983CF65B593D9F13F0A3D6DC54B4A3F616F79838F3CE 68C0126D9B4B0FC32DE181D0D67DA8FE82E23745F6023317D5E053B6F6ED26CF	Deep Discovery Inspector Network Sensor File Security File Security Storage Endpoint & Workload Security Apex One as a Service Agentless Vulnerability & Threat Detection
compressedFileName	string	true	FileName	The file name of the compressed file	/proc/32058/fd/150 NONAMEFL /proc/10006/fd/30 VirusActionSample/RPF2_OtherMalwareSample-other.exe	Deep Discovery Inspector Network Sensor Apex One as a Service File Security File Security Storage Endpoint & Workload Security Agentless Vulnerability & Threat Detection Container Security
computerDomain	string	true	-	The computer domain	COMCEL_DOMINIO HDWA RANDON	Apex One as a Service
confidence	int	false	-	The confidence rating returned from TrendX Hybrid Model (predictive machine learning). Values from 1-99.	94	Apex One as a Service File Security
correlationData	dynamic	true	-	The data for correlation	-	Endpoint Sensor Apex One as a Service
customAssetTags	dynamic	true	-	The list of custom asset tags	{"os":["linux", "windows"], "org":["bu1"]}	Endpoint Sensor Endpoint & Workload Security Apex One as a Service Container Security
customAssetTags	dynamic	true	-	The list of custom asset tags	{"os":["linux", "windows"], "org":["bu1"]}	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
dacDeviceType	string	true	-	The device type	USB storage device Mobile devices Floppy disks Network driver	Apex One as a Service Endpoint & Workload Security
dceArtifactActions	dynamic	true	-	The actions performed on Damage Cleanup Engine artifacts	folder_backup objproc_dump subproc_dump	Endpoint & Workload Security Apex One as a Service
destinationPath	string	true	-	The intended destination of the file containing the digital asset or channel	Cloud Storage (OneDrive) Printer example.sharepoint.com/personal/page_path/onedrive.aspx	Apex One as a Service
detailTrace	int	false	-	Whether the detection comes with a detailed trace footprint	-	Apex One as a Service
detectedActions	dynamic	true	-	The actions performed on detected artifacts	folder_backup objproc_dump subproc_dump	Endpoint & Workload Security Apex One as a Service
detectedBackupArtifacts	dynamic	true	-	The information about detected artifacts	{"objectArtifactId": "025d9f2a-ac9c-4cdf-b9e4-cf20c6e40281_0.dmp", "action": "object_process_dump", "status": 0, "processCreationTime": "1627574338077", "processImageFileName": "C:\Program Files\aaa\bbb\objprocess.exe"}	Endpoint & Workload Security Apex One as a Service
detectedBackupArtifactsStatus	dynamic	true	-	The backup status of detected artifacts	['0', '-67']	Endpoint & Workload Security Apex One as a Service
detectedBackupFolder	string	true	-	The folder path for detected backup folders	C:\\Program Files (x86)\\Trend Micro\\artifact\\DCE	Endpoint & Workload Security Apex One as a Service Endpoint Sensor
detectedPattern	string	true	-	The detected pattern	dct.virus	Endpoint & Workload Security Apex One as a Service
detectionAggregationIds	dynamic	true	-	The list of detection aggregation IDs	['11111111-1111-1111-1111-111111111111']	Apex One as a Service Endpoint & Workload Security
detectionAggressivenessLevel	int	false	-	The detection aggressiveness level	1 2 3 4	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
detectionEngineVersion	string	true	-	The detection engine version	7.6.0	Endpoint & Workload Security Apex One as a Service
detectionMeta	dynamic	true	-	The descriptions of the detected techniques	['T1204 some description about this technique', 'T1573.001_AES another description about this technique']	Apex One as a Service Apex One Endpoint & Workload Security Deep Security
detectionName	string	true	-	The general name for the detection	Troj.Win32.TRX.XXPE50F13017 Troj.Win32.TRX.XXPE50FFF059	Apex One as a Service Mobile Security
detectionNames	dynamic	true	-	The rules that triggered the event	['HS_EMOTET.SMAA', 'HM_AVEDOWN.SMZTIG-A', 'HE_DOCQRPHISH.SM']	Apex One as a Service Apex One Endpoint & Workload Security Deep Security
detectionType	string	true	-	The detection type	1 File Process net	Deep Discovery Inspector Network Sensor Endpoint & Workload Security Web Security Apex One as a Service Cloud App Security Deep Security Email Security Zero Trust Secure Access - Internet Access Mobile Security Zero Trust Secure Access - Private Access Container Security
deviceGUID	string	true	-	The GUID of the agent which reported the detection	00000000-0000-0000-0000-000000000000 11111111-1111-1111-1111-111111111111 22222222-2222-2222-2222-222222222222	Deep Discovery Inspector Network Sensor Apex One as a Service TippingPoint Security Management System Endpoint Sensor Cloud One Network Security Zero Trust Secure Access - Internet Access Deep Discovery Analyzer
deviceModel	string	true	-	The device model number	c96a	Apex One as a Service Endpoint & Workload Security
deviceSerial	string	true	-	The device serial ID	000000063a2e8f	Apex One as a Service Endpoint & Workload Security
direction	string	true	-	The direction	Incoming Outgoing Unknown	Apex One as a Service TXOne EdgeOne
dmac	string	true	-	The MAC address of the destination IP (dest_ip)	00:00:00:00:00:00 ff:ff:ff:ff:ff:ff	Deep Discovery Inspector Network Sensor Apex One as a Service Endpoint & Workload Security Deep Security TXOne EdgeOne Deep Discovery Analyzer
domainName	string	true	DomainName	The detected domain name	http://10.10.10.10 example.domain.com	Deep Discovery Inspector Network Sensor Apex One as a Service Cloud App Security
dpt	int	true	Port	The destination port	445 80	Deep Discovery Inspector Network Sensor Apex One as a Service Endpoint & Workload Security TippingPoint Security Management System Deep Security Cloud One Network Security Endpoint Sensor TXOne EdgeOne Zero Trust Secure Access - Private Access Container Security Mobile Network Security Deep Discovery Analyzer
dpt	int	true	Port	The destination port number	-	Endpoint & Workload Security Endpoint Sensor Apex One as a Service Data Detection and Response
dst	dynamic	true	IPv4 IPv6	The destination IP	10.10.10.10	Deep Discovery Inspector Network Sensor Apex One as a Service Endpoint & Workload Security TippingPoint Security Management System Deep Security Cloud One Network Security Endpoint Sensor Zero Trust Secure Access - Internet Access TXOne EdgeOne Zero Trust Secure Access - Private Access Container Security Mobile Network Security Deep Discovery Analyzer
dst	string	true	IPv4 IPv6	The destination IP address	:: 10.10.10.10	Endpoint & Workload Security Endpoint Sensor Apex One as a Service Data Detection and Response
duser	dynamic	true	EmailRecipient	The email recipient	(no user) SYSTEM SYSTEM	Endpoint & Workload Security Deep Security Cloud App Security Email Security Deep Discovery Inspector Network Sensor Apex One as a Service Email Sensor Deep Discovery Analyzer
dvchost	string	true	-	The computer which installed the Trend Micro product	CU-PRO1-9039-2 LTPF32PMNN	Apex One as a Service Deep Discovery Inspector Network Sensor Deep Discovery Analyzer
endpointGUID	string	true	EndpointID	The GUID of the agent which reported the detection	ae4d64aa-f8b8-bb36-b265-f59272ed342f 8fb979f6-1376-bed3-227f-f2886e66194e ca2b3a7e-8415-c571-cc19-e45f69470026	Endpoint & Workload Security Apex One as a Service Deep Security Endpoint Sensor Zero Trust Secure Access - Internet Access Mobile Security Zero Trust Secure Access - Private Access TXOne StellarOne Container Security Data Detection and Response
endpointGuid	string	true	EndpointID	Host GUID of the endpoint on which the event was detected	11111111-1111-1111-1111-111111111111	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
endpointHostName	string	true	EndpointName	The endpoint hostname or node where the event was detected	10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0] ip-10-10-10-10.us-west-1.compute.internal	Endpoint & Workload Security Deep Security Apex One as a Service Endpoint Sensor Zero Trust Secure Access - Internet Access Mobile Security Zero Trust Secure Access - Private Access TXOne StellarOne Container Security Agentless Vulnerability & Threat Detection Data Detection and Response
endpointHostName	string	true	EndpointName	The host name of the endpoint on which the event was detected	PHILIPSIBE09 WHAM6WK8XG2 MacBook-Pro-del-Meno	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
endpointIp	dynamic	true	IPv4 IPv6	The IP address of the endpoint on which the event was detected	10.10.10.10	Endpoint & Workload Security Deep Security Apex One as a Service TippingPoint Security Management System Cloud One Network Security TXOne EdgeOne Agentless Vulnerability & Threat Detection Data Detection and Response
endpointIp	dynamic	true	IPv4 IPv6	IP address of the endpoint on which the event was detected	10.10.10.10 ::1 fe80::1	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
endpointMacAddress	string	true	-	The MAC address of endpoint	00:00:00:00:00:00 ff:ff:ff:ff:ff:ff	Apex One as a Service TXOne EdgeOne TXOne StellarOne
endpointMacAddress	dynamic	true	-	The host MAC address	0-0-0-0-0-0-0-e0 00:00:00:ff:ff:ff	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
engineOperation	string	true	-	The operation of the engine event	Set Key Invoke API Create	Apex One as a Service Endpoint Sensor
engType	string	true	-	The engine type	Virus Scan Engine (Windows XP/Server 2003, x64) Virus Scan NT Kernel Engine Spyware/Grayware Scan Engine v.6 (64-bit)	Apex One as a Service File Security Deep Discovery Analyzer
engVer	string	true	-	The engine version	1.0.0.1123_1.0.0.1101 9.0.1004 22.540.1001	Endpoint Sensor Cloud App Security Apex One as a Service File Security
eventDataAccessList	string	true	-	The list of requested access rights	%%4416 %%4417 %%4418	Endpoint Sensor Apex One as a Service
eventDataAccessMask	string	true	-	The hexadecimal value of the requested or used permissions during an access attempt	16 2147483648 1048576	Endpoint Sensor Apex One as a Service
eventDataActionName	string	true	-	The action performed	Language Components Installer Group Policy Background Processing C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	Apex One as a Service Endpoint Sensor
eventDataAuthenticationPackageName	string	true	-	The authentication package name of the Windows event data	NTLM Negotiate MICROSOFT_AUTHENTICATION_PACKAGE_V1_0	Endpoint Sensor Apex One as a Service
eventDataElevatedToken	string	true	-	Whether the session is elevated and has administrator privileges	%%1842 %%1843	Endpoint Sensor Apex One as a Service
eventDataFullyQualifiedAssemblyName	string	true	-	The fully qualified .NET assembly name	System.Runtime, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 System.Diagnostics.Process, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a	Endpoint Sensor Apex One as a Service
eventDataImpersonationLevel	string	true	-	The sign-in session impersonation level	%%1830 %%1832 %%1833	Endpoint Sensor Apex One as a Service
eventDataIpAddress	string	true	-	The IP address for Windows event 4624 which is "An account was successfully logged on"	- 10.10.10.10	Endpoint Sensor Apex One as a Service
eventDataJobOwner	string	true	-	The name of the account that initiated the event	BEI\holdej NT AUTHORITY\SYSTEM	Apex One as a Service
eventDataLogonProcessName	string	true	-	The name of the Windows event sign in process name	NtLmSsp Advapi Advapi	Endpoint Sensor Apex One as a Service
eventDataLogonType	string	true	-	The logon type for Windows event 4624 which is "An account was successfully logged on"	3 5 2	Endpoint Sensor Apex One as a Service
eventDataModuleILPath	string	true	-	The CIL image path of the module or the dynamic module name	C:\Program Files\Cymulate\Agent\System.Threading.dll C:\windows\system32\tzsync.exe C:\Program.exe	Endpoint Sensor Apex One as a Service
eventDataObjectName	string	true	-	The identifying information about the object for which access was requested	\Device\HarddiskVolume2\Windows\System32\lsass.exe C:\Windows\System32\osk.exe	Endpoint Sensor Apex One as a Service
eventDataObjectType	string	true	-	The object type	Process File	Endpoint Sensor Apex One as a Service
eventDataOperation	string	true	-	Windows event 11	Start IWbemServices::ExecQuery - root\ccm : select * from SMS_Authority Start IWbemServices::ExecQuery - root\cimv2 : select * from win32_process Start IWbemServices::ExecQuery - root\ccm : SELECT * FROM SMS_Authority	Endpoint Sensor Apex One as a Service
eventDataPath	string	true	-	The path of the Windows event data	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\officesvcmgr.exe taskhostw.exe gpupdate.exe	Endpoint Sensor Apex One as a Service
eventDataProcessPath	string	true	-	The process path that initiated the event	C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Apex One as a Service
eventDataScriptBlockText	string	true	-	Windows event 4104, Creating Scriptblock text	$global:? 0 { Set-StrictMode -Version 1; $_.PSMessageDetails }	Apex One as a Service
eventDataStatus	string	true	-	The Windows event data status	0xc000006d -1073741715 0xc000006e	Endpoint Sensor Apex One as a Service
eventDataSubjectUserName	string	true	-	The account name	dadmin Alex london$	Endpoint Sensor Apex One as a Service
eventDataSubStatus	string	true	-	The Windows event data sub status	0xc0000064 0xc000006a -1073741724	Endpoint Sensor Apex One as a Service
eventDataTargetDomainName	string	true	-	The target sign-in account domain or computer name	NT AUTHORITY Builtin SHOCKWAVE	Endpoint Sensor Apex One as a Service
eventDataTargetName	string	true	-	The service, application, or network resource name	Microsoft_RssPlatform_* WindowsLive:target=virtualapp/didlogical MicrosoftOffice*	Endpoint Sensor Apex One as a Service
eventDataTargetUserName	string	true	-	The user name of the Windows event data target	Offer Remote Assistance Helpers Administrators Administradores	Apex One as a Service
eventDataTaskName	string	true	-	The task name logged by the Windows event	\Microsoft\Windows\LanguageComponentsInstaller\Installation \Microsoft\Office\Office Serviceability Manager \MicrosoftEdgeUpdateTaskMachineUA	Endpoint Sensor Apex One as a Service
eventDataTicketEncryptionType	string	true	-	The cryptographic suite used for the Kerberos TGS	0x12 0x17 0x18	Endpoint Sensor Apex One as a Service
eventDataTicketOptions	string	true	-	The authentication request Kerberos ticket behavior and permissions flags	0x40810000 0x40810010	Endpoint Sensor Apex One as a Service
eventDataUserContext	string	true	-	The user context of the Windows event data	MP\MPBSA179345$ MP\MPBSASPU179370$ MP\MPBSA4025625$	Endpoint Sensor Apex One as a Service
eventDataWorkstationName	string	true	-	The name of the computer used in the sign-in attempt	WIN-GG82ULGC9GO DESKTOP-123ABC CLIENT01	Endpoint Sensor Apex One as a Service
eventHashId	string	true	-	The event hash ID	-8406473586387535914 138486453338666581 -7909265752378976284	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
eventId	string	true	-	The event ID from the logs of each product	100100 100101 100116 100117 100119	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security Cloud App Security Endpoint Sensor Email Security TXOne StellarOne Container Security Email Sensor File Security File Security Storage Agentless Vulnerability & Threat Detection Mobile Security Mobile Network Security Data Detection and Response Deep Discovery Analyzer
eventId	int	true	-	Event type	-	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
eventMessage	string	true	-	The event message	[0x13bb4e2a0] activating connection: mach=true listener=false peer=false name=com.apple.airportd	Endpoint Sensor Apex One as a Service
eventName	string	true	-	The event type	LOG_INSPECTION_EVENT SECURITY_RISK_DETECTION WEB_THREAT_DETECTION LOG_INSPECTION_EVENT MALWARE_DETECTION PROCESS_ACTIVITY WEB_POLICY_VIOLATION DEEP_PACKET_INSPECTION_EVENT INTEGRITY_MONITORING_EVENT DISRUPTIVE_APPLICATION_DETECTION PRODUCT_SUMMARY PRODUCT_UPDATE BEHAVIORAL_VIOLATION FIREWALL_POLICY_VIOLATION SUSPICIOUS_BEHAVIOUR_DETECTION DENYLIST_CHANGE MACHINE_LEARNING_DETECTION DLP_VIOLATION MALWARE_OUTBREAK_DETECTION SENSITIVE_DATA_DETECTION	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security TippingPoint Security Management System Cloud App Security Email Security Endpoint Sensor Cloud One Network Security Zero Trust Secure Access - Internet Access TXOne EdgeOne Zero Trust Secure Access - Private Access TXOne StellarOne Email Sensor File Security File Security Storage Agentless Vulnerability & Threat Detection Mobile Security Mobile Network Security Data Detection and Response Deep Discovery Analyzer
eventSubId	int	true	-	The access type	2 - TELEMETRY_PROCESS_CREATE 101 - TELEMETRY_FILE_CREATE 204 - TELEMETRY_CONNECTION_CONNECT_OUTBOUND	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
eventSubName	string	true	-	The event type sub-name	IPS Detection Personal Firewall Attack Discovery	Apex One as a Service Cloud App Security Endpoint & Workload Security Email Security Endpoint Sensor Zero Trust Secure Access - Internet Access Agentless Vulnerability & Threat Detection
eventTime	real	true	-	The time the agent detected the event	1657781088000	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
extraInfo	dynamic	true	-	The network application name	N/A Web Client Common DCERPC Services	Apex One as a Service
fileCreation	string	true	-	The file creation date	1595918517000	Apex One as a Service
fileDesc	string	true	-	The file description	Atualiza PJRO Carpeta de archivos 7z Setup SFX (x86)	Apex One as a Service Container Security
fileHash	string	true	FileSHA1	The SHA-1 of the file that triggered the rule or policy	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F 3AD1F4E7CAA11E5199EE80B8983677ADDD065450	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Deep Security Apex One as a Service Zero Trust Secure Access - Internet Access File Security File Security Storage Agentless Vulnerability & Threat Detection Data Detection and Response Deep Discovery Analyzer
fileHashSha256	string	true	FileSHA2	The SHA-256 of the file (fileName)	6A6EB2D717CEA041B4444193B45EDFB6CA1287518203B7230B3C4B8FFB031EAB BFF703FF836196644586014DA13A097C2EE9A08E4D596DFB7C8E0F685FE01294 12327F460AC9CBBC34D39EB3CF89C7FECCA37F08773A04566840F73F6ECC4104	Deep Discovery Inspector Network Sensor Apex One as a Service Zero Trust Secure Access - Internet Access Endpoint & Workload Security File Security File Security Storage Agentless Vulnerability & Threat Detection Container Security Deep Discovery Analyzer
fileName	dynamic	true	FileName	The file name	spoolss hosts svcrestarttask	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security Zero Trust Secure Access - Internet Access TXOne StellarOne File Security File Security Storage Agentless Vulnerability & Threat Detection Deep Discovery Analyzer
filePath	string	true	FileFullPath	The file path without the file name	security /var/log/audit/audit.log application	Endpoint & Workload Security Deep Security Apex One as a Service Deep Discovery Inspector Network Sensor TXOne StellarOne File Security File Security Storage
fileSize	string	true	-	The file size of the suspicious file	0 1255856 1237880	Deep Discovery Inspector Network Sensor Zero Trust Secure Access - Internet Access Apex One as a Service File Security File Security Storage Agentless Vulnerability & Threat Detection Deep Discovery Analyzer
fileVer	string	true	-	The file version	10.0.19041.1 10.0.19041.1766 10.0.18362.1	Apex One as a Service
filterName	string	true	-	The filter name	ConnectionFilter Virtual Analyzer Data Loss Prevention	Cloud App Security Email Security Apex One as a Service TXOne EdgeOne
filterType	string	true	-	The filter type	Spam filter Size filter	Apex One as a Service TXOne EdgeOne
firstAct	string	true	-	The first scan action	Pass Quarantine Clean	Endpoint & Workload Security Apex One as a Service Deep Security
firstActResult	string	true	-	The first scan action result	File passed Unable to quarantine file File quarantined	Endpoint & Workload Security Apex One as a Service Deep Security
firstSeen	real	false	-	The first time the event was seen	1656355418449	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
forensicFileHash	string	true	-	The hash value of the forensic data file	177844c5927d0f20da06d79d986c7e7f8c7a3b6a da39a3ee5e6b4b0d3255bfef95601890afd80709 8dab234ab6cd96301f9452994f015a449d629edd	Apex One as a Service
forensicFilePath	string	true	-	The file path of the forensic file (When a Data Loss Prevention policy is triggered, the file is encrypted and copied to the OfficeScan server for post-mortem analysis)	C:\Program Files (x86)\Trend Micro\OfficeScan Client\dlplite\forensic\frnsc_200411DC0594_xml_00000000000_20220314_132326281 C:\Program Files (x86)\Trend Micro\OfficeScan Client\dlplite\forensic\frnsc_CIL-OPRCOGEN_docx_00000000000_20211025_225445873 C:\Program Files (x86)\Trend Micro\OfficeScan Client\dlplite\forensic\frnsc_SHA-ESHOU_h265_00000000000_20220601_082417865	Apex One as a Service
ftpUser	string	true	-	The FTP login user name	USER\TREND User ftpuser_service	Apex One as a Service
fullPath	string	true	FileFullPath	The combination of the file path and the file name	\etc\hosts c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask \var\log\auth.log	Endpoint & Workload Security Apex One as a Service Deep Discovery Inspector Network Sensor Deep Security TXOne StellarOne File Security File Security Storage Agentless Vulnerability & Threat Detection Container Security
hookId	string	true	-	The hook ID	-1 5 4	Apex One as a Service
hostName	string	true	DomainName HostDomain	The domain name	localhost wpad settings-win.data.microsoft.com	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
httpReferer	string	true	URL	The HTTP referer	http://172.16.58.233/ http://example/page1/ https://www.google.com/	Deep Discovery Inspector Network Sensor Endpoint & Workload Security Apex One as a Service
httpReferer	string	true	URL	The HTTP header referer	http://10.10.10.10/ http://fake/home/ http://fake.com/page/Test.jsp	Apex One as a Service Endpoint Sensor
instanceId	string	true	-	The ID of the instance that indicates the meta-cloud or data center VM	52294e7b-f732-c6e9-b2c3-7a6b6f50d101 00030912-c5e7-4348-9012-7c684751c531 0008ae58-db0c-34ee-3e5c-5dfc9b10a739 i-0b22a22eec53b9321 /subscriptions/bae4f362-e3a0-482f-ba7a-f883d8b410ce/resourceGroups/avtd-csf-sg-lzniibr0/providers/Microsoft.Compute/virtualMachines/avtd-csf-scanner-lzniibr0 ocid1.instance.oc1.us-ashburn-1.an2g6ljrgs553pqcjuokzvvwpmwxh564f6f5sx3jpi2sowt6as44uejmsrzq	Apex One as a Service Endpoint Sensor Endpoint & Workload Security Agentless Vulnerability & Threat Detection Mobile Network Security
integrityLevel	int	true	-	The integrity level of a process	-	Endpoint Sensor Apex One as a Service
interestedHost	string	true	DomainName	The endpoint hostname (For example, if an intranet host accesses a suspicious internet host, the intranet host is the "peerHost" and the internet host is the "interestedHost")	10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0] es-dtc-w-dc02.example.corp	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Deep Security Apex One as a Service
interestedIp	dynamic	true	IPv4 IPv6	The IP of the interestedHost	10.10.10.10	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Deep Security Apex One as a Service TippingPoint Security Management System Cloud One Network Security TXOne EdgeOne
interestedMacAddress	string	true	-	The MAC address identified as the log owner's	00:00:00:00:00:00 ff:ff:ff:ff:ff:ff	Apex One as a Service Deep Discovery Inspector Network Sensor TXOne EdgeOne
isHidden	string	true	-	Whether the detection log generated a grey rule match	Yes	Deep Discovery Inspector Network Sensor Apex One as a Service
isProxy	bool	true	-	Whether something is a proxy	False	Endpoint & Workload Security Apex One as a Service
lastSeen	real	false	-	The last time the event was seen	1656355418449	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
logKey	string	true	-	The unique key of the event	123e4567-e89b-12d3-a456-426614174000 987f6543-21ba-43cd-9e8f-123456789abc 456789ab-cdef-1234-5678-9abcdef01234	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security Cloud App Security Email Security TippingPoint Security Management System Endpoint Sensor Web Security Cloud One Network Security Zero Trust Secure Access - Internet Access
logonUser	dynamic	true	UserAccount	The logon user name	root SISTEMA oracle	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
mailDeliveryTime	string	true	-	The mail delivery time	1900-1-1 00:00:00	Apex One as a Service
mailMsgSubject	string	true	EmailSubject	The email subject	FW. mail subject ManageEngine	Cloud App Security Deep Discovery Inspector Network Sensor Email Security Apex One as a Service Email Sensor Deep Discovery Analyzer
malDst	string	true	-	The malware infection destination	3334_02W3P7 2666_02N413 3334_02NHEL	Apex One as a Service
malFamily	string	true	-	The threat family	EQUATED STARTER 0	Deep Discovery Inspector Network Sensor Apex One as a Service Endpoint & Workload Security File Security
malName	string	true	-	The name of the detected malware	SecurityLevelDrop Regla Logs All USR_SUSPICIOUS_DOMAIN.UMXX	Apex One as a Service Endpoint & Workload Security Deep Discovery Inspector Network Sensor Deep Security Web Security TXOne StellarOne Email Sensor File Security File Security Storage Agentless Vulnerability & Threat Detection Container Security Deep Discovery Analyzer
malSrc	string	true	FileFullPath	The malware infection source	\\10.172.1.33\kortiz \\10.240.0.148\wbind \\10.240.1.69\MT26933059	Apex One as a Service Mobile Network Security
malSubType	string	true	-	The subsidiary virus type	Unknown	Apex One as a Service File Security
malType	string	true	-	The risk type for Network Content Correlation Engine rules	OTHERS MALWARE Others	Deep Discovery Inspector Network Sensor Endpoint & Workload Security Apex One as a Service Deep Security File Security Container Security
matchedContent	dynamic	true	-	The one-to-many data structure	['matchedContentEx:client_id=00000000-0000-0000-0000-000000000000&redirect_uri=https://example.page.com, matchedInfo:0,6|0,6'] ['matchedContentEx:example string, matchedInfo:0,6']	Apex One as a Service
mDevice	dynamic	true	-	IP of the source	10.10.10.10 fe80::1234:5678:9abc:def0	Apex One as a Service
mDeviceGUID	string	true	-	The GUID of the agent host	C5B09EDD-C725-907F-29D9-B8C30D18C48F C05B75AB-B518-BDD0-D2B5-E9CB631C539F 9C28ACD3-D0EC-22A4-B08D-5B0BEFF501FC	Endpoint & Workload Security Apex One as a Service Deep Security
messageType	string	true	-	The message type	Default	Endpoint Sensor Apex One as a Service
moduleName	string	false	-	The module where a hook procedure was set up	c:\program files (x86)\desktopcentral_agent\bin\dcusbsummary.exe c:\program files\common files\microsoft shared\clicktorun\officesvcmgr.exe c:\program files (x86)\sharp\sharp pen software\prsnspttool.exe	Apex One as a Service
moduleScanType	string	true	-	The module scan type	traditional	Endpoint & Workload Security Apex One as a Service
mpname	string	true	-	The management product name	Cloud One - Workload Security Apex Central Deep Security Software	Endpoint & Workload Security Apex One as a Service Deep Security TippingPoint Security Management System Endpoint Sensor Cloud One Network Security
mpver	string	true	-	The product version	Microsoft-Windows-Security-Auditing Level -- Medium security TASK1	Endpoint & Workload Security Deep Security Apex One as a Service Endpoint Sensor
msgAct	string	true	-	The message action	Quarantine Deliver	Apex One as a Service
msgId	string	true	EmailMessageID	The internet message ID	66.6.00.0006 example.test.com dameware1svr	Cloud App Security Email Security Deep Discovery Inspector Network Sensor Apex One as a Service Email Sensor Deep Discovery Analyzer
objectAppName	string	true	-	Name of the app involved in the AMSI event	Exchange Server 2016 PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.19041.1 PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.14393.0	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
objectArtifactIds	dynamic	true	-	The artifact IDs generated by objectAction	00000000-0000-0000-0000-000000000000_0.dmp 11111111-1111-1111-1111-111111111111_2.bak	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
objectAttributes	string	true	-	The object attributes	attribute	Endpoint & Workload Security Apex One as a Service
objectAuthId	string	true	-	The object authorization ID	999 996 997	Endpoint Sensor Apex One as a Service
objectCmd	dynamic	true	CLICommand	The object process command line	C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding "C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass "& 'C:\WINDOWS\CCM\SystemTemp\afd6f0e5-e491-4764-a20a-9f1d9edf3cce.ps1'" C:\WINDOWS\system32\lsass.exe	Apex One as a Service Endpoint & Workload Security Endpoint Sensor
objectCmd	string	true	CLICommand	Command line entry of target process	wc -l runc init docker-init --version	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
objectContentName	string	true	-	The AMSI object content name	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.2\PowerShellGet.psd1 c:\synclog\BLAST_SCAN.vbs	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
objectCurrentFileSize	long	true	-	Previous size of modified object file	59456 60	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
objectEntityName	string	true	-	The object entity name	any_process exe_file powershell	Apex One as a Service
objectFileAccess	string	true	-	The object file access details	1717658631000	Endpoint & Workload Security Apex One as a Service
objectFileCreation	string	true	-	The UTC time that the object was created	2014-11-22T01:45:51-06:00 2009-07-13T23:31:13-05:00 2014-11-21T02:43:28-05:00	Apex One as a Service Endpoint & Workload Security Container Security
objectFileCreation	string	true	-	The time the object file was created	1652131848000 1577865600000 1648279273000	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
objectFileCurrentOwnerName	string	true	-	The current owner name of the object file	NT AUTHORITY\SYSTEM BUILTIN\Administrators BUILTIN\Administradores	Endpoint Sensor Apex One as a Service
objectFileCurrentOwnerSid	string	true	-	The current security identifier owner of the object file	S-1-5-18 S-1-5-32-544 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464	Endpoint Sensor Apex One as a Service
objectFileDaclString	string	true	-	The discretionary access control list of the object file	D:(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2) D:(A;OICI;GA;;;SY)(A;OICI;0xa0120000;;;WD)(A;OICI;GA;;;BA) D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)	Endpoint Sensor Apex One as a Service
objectFileExtendedAttribute	string	true	-	The extended attributes of the file	com.apple.quarantine com.apple.metadata:kMDItemWhereFroms	Endpoint Sensor Apex One as a Service
objectFileGroupName	string	true	-	The object file user group name	wheel staff admin	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
objectFileGroupSid	string	true	-	The security identifier of the object file group	S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-18 S-1-5-21-397955417-626881126-188441444-513	Endpoint Sensor Apex One as a Service
objectFileHashId	string	true	-	The object file hash ID	2141057820373638746 -6516669617381620295 -4912169863817247597	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
objectFileHashMd5	string	true	FileMD5	The MD5 of the object	801E8003C257C8F540B20F1E0DECD3A6 CDA48FC75952AD12D99E526D0B6BF70A D5120786925038601A77C2E1EB9A3A0A	Apex One as a Service Endpoint Sensor Endpoint & Workload Security
objectFileHashMd5	string	true	FileMD5	The md5 hash of target process image or target file	7ac47235c7bb452a03d3afd872f44c9e c9873d83a969645a97f21adc1b164cc5 3b32b378c8b288de6f15e1607a8c2145	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
objectFileHashSha1	string	true	FileSHA1	The SHA-1 of the objectFilePath object	51B8646308EE0B68AD1F7F1291B85395434DE49A 36C5D12033B2EAF251BAE61C00690FFB17FDDC87 2586528000199793730B05D3F169BCF139E4D7A1	Apex One as a Service Endpoint Sensor Endpoint & Workload Security Container Security
objectFileHashSha1	string	true	FileSHA1	The SHA1 hash of target process image or target file	ded3833f145989fd86c1f4811b61497298ebc7fd c4fa06404142f1994431f9eef3df2cbe0f1998f1 3c01d486ed5aa1ecc2d8f33dc24b0ed59b3e609e	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
objectFileHashSha256	string	true	FileSHA2	The SHA-256 of the object (objectFilePath)	A75C85F3B089993E9C042FB82ECB7757E8F460ED8065FC7991CAA38A6DE0F50C 908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53 1A2ABAAD8A166B66CA35AB51C7432C5A7E46996472C8174281842896408D7F96	Apex One as a Service Endpoint Sensor Endpoint & Workload Security Container Security
objectFileHashSha256	string	true	FileSHA2	The SHA256 hash of target process image or target file	39109eef00821658893b45634fe2f4664f880da9242712df907f1327d4ceefb8 49fa3e206abf6a1f4546417dbe09f3f06b38847866a4a66de75bd90f39cb6c1c 0969321ad5a0923f0f03896ad2c10e49290515c44b721d773942a37f62a24893	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
objectFileIsRemoteAccess	bool	true	-	The remote access to the object file	-	Apex One as a Service Endpoint Sensor Endpoint & Workload Security
objectFileModified	string	true	-	The UTC time that the object was modified	2024-10-10T10:10:10.0000000Z 2024-11-11T11:11:11.0000000Z	Apex One as a Service Endpoint & Workload Security
objectFileModifiedTime	string	true	-	The time the object file was modified	1652131848000 1577865600000 1648279273000	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
objectFileName	string	true	FileName	The object file name	powershell.exe wmiprvse.exe dismhost.exe	Apex One as a Service Container Security Endpoint & Workload Security
objectFileOriginalName	string	true	FileName	The original file name of the object image	Taskmgr.exe WINLOGON.EXE svchost.exe	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
objectFileOwnerName	string	true	-	The object file owner name	root NT SERVICE\TrustedInstaller BUILTIN\Administrators	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
objectFileOwnerSid	string	true	-	The security identifier of the object file owner	S-1-5-32-544 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-18	Endpoint Sensor Apex One as a Service
objectFilePath	string	true	FileFullPath	The file path of the target process image or target file	c:\windows\system32\windowspowershell\v1.0\powershell.exe zwwritevirtualmemory c:\windows\system32\wbem\wmiprvse.exe	Apex One as a Service Endpoint & Workload Security Endpoint Sensor Container Security
objectFilePath	string	true	FileFullPath FileName	The file path of the target process image or target file	/usr/bin/bash /bin/bash /opt/folder1/probes/system/processes/processes	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
objectFileRemoteAccess	bool	true	-	The remote access for the object file	-	Endpoint Sensor Apex One as a Service
objectFileSaclString	string	true	-	The system access control list of the object file	S:NO_ACCESS_CONTROL S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD) S:(AU;SAFA;0x1f0116;;;WD)	Apex One as a Service Endpoint Sensor
objectFileSize	string	true	-	The file size of the object file	59456 60	Endpoint Sensor Apex One as a Service Endpoint & Workload Security Data Detection and Response
objectFirstRecorded	string	true	-	The first time that the object appeared	-	Apex One as a Service
objectFirstSeen	string	true	-	The first time the object was seen	1656458063638 1656260547165 0	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
objectHashId	long	false	-	The object hash ID	8576474808125313522 -599270888483415002 2177864258235728980	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
objectHostName	string	true	DomainName	Server name where Internet event was detected	10.10.10.10 sample.test.org	Apex One as a Service Endpoint Sensor
objectId	string	true	-	The UUID of the object	3 2	Apex One as a Service Zero Trust Secure Access - Private Access
objectIntegrityLevel	int	true	-	Integrity level of target process	-	Endpoint Sensor Apex One as a Service
objectIp	string	true	IPv4 IPv6	IP address of internet event	10.10.10.10	Apex One as a Service Endpoint Sensor
objectIps	dynamic	true	IPv4 IPv6	IP address list of internet event	::1 10.10.10.10 ::ffff:10.10.10.10	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
objectLastSeen	string	true	-	The last time the object was seen	1656458354730 1656260580722 0	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
objectLaunchTime	string	true	-	The object launch time of the Windows event	1616412892557 1620778597056 1616414113105	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
objectLoginOutFailureMessage	string	true	-	The sign-in/sign-out error message	Login incorrect	Endpoint Sensor Apex One as a Service
objectLoginOutFirstSeen	long	true	-	The first time the object sign-in/sign-out was seen	1713903612	Endpoint Sensor Apex One as a Service
objectLoginOutHashId	long	true	-	The FNV of the object sign-in/sign-out meta	-8981232070268295229	Endpoint Sensor Apex One as a Service
objectLoginOutLastSeen	long	true	-	The last time the object sign-in/sign-out was seen	1713903612	Endpoint Sensor Apex One as a Service
objectLoginOutMetaType	int	true	-	The sign-in/sign-out meta	1 - LOGIN_OUT_META_TYPE_OPENSSH	Endpoint Sensor Apex One as a Service
objectLoginOutSessionId	long	true	-	The sign-in/sign-out session ID	260	Endpoint Sensor Apex One as a Service
objectLoginOutSourceAddress	string	true	-	The sign-in/sign-out source IP	10.10.10.10	Endpoint Sensor Apex One as a Service
objectLoginOutStatus	int	true	-	The sign-in/sign-out status	-1	Endpoint Sensor Apex One as a Service
objectName	string	true	-	The base name of the object file or process	net.exe	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
objectName	string	true	-	The object name	/usr/bin/bash /bin/bash /opt/folder1/probes/system/processes/processes	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
objectPid	int	false	-	The object process PID	17000 22000	Apex One as a Service Endpoint & Workload Security Endpoint Sensor
objectPid	int	true	-	The PID of target process	-	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
objectPort	int	true	Port	The port number used by internet event	-	Apex One as a Service Endpoint Sensor
objectProcessHashId	long	true	-	FNV of target process	1415699552492662761 -100650285065767982 -1139416698673814436	Apex One as a Service Endpoint Sensor Endpoint & Workload Security
objectRawDataSize	dynamic	true	-	The raw data size of the Windows event object	9 1 564	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
objectRawDataStr	dynamic	true	-	The data contents of the AMSI event	$global:? 0 $servicename = "WinRM" $arrService = Get-Service $servicename if ($arrService.Status -ne "Running") { Restart-Service $servicename }	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
objectRegistryData	string	true	RegistryValueData	The registry data contents	C:\Program Files\AlertMedia\AlertMedia Desktop Notifications\AlertMedia.exe	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
objectRegistryData	string	true	RegistryValueData	The registry value data	{11111111-1111-1111-1111-111111111111} 1 0	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
objectRegistryKeyHandle	string	true	RegistryKey	The registry key path	HKCR\CID\{00000000-0000-0000-0000-000000000001} HKLM\SOFTWARE\WOW6432Node\Eos HKCU\SOFTWARE\Cerner\InstantAccess	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
objectRegistryKeyHandle	string	true	RegistryKey	The registry key	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters HKLM\system\currentcontrolset\services\w32time\config HKLM\system\currentcontrolset\services\tcpip\parameters	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
objectRegistryRoot	int	false	-	The Windows Registry Root ID	3 1 2	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
objectRegistryValue	string	true	RegistryValue	The registry value name	1 key reg	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
objectRegistryValue	string	true	RegistryValue	Registry value name	lastknowngoodtime threadingmodel epoch	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
objectRegType	int	false	-	The Windows Registry Type ID	1 11 4	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
objectRunAsLocalAccount	bool	true	-	The "runas" command uses a local account	1	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
objectSessionId	string	true	-	The object session ID	0 1 2	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
objectSigner	dynamic	true	-	The list of object process signers	Microsoft Windows Microsoft Windows Publisher SecureWorks Inc	Apex One as a Service Endpoint Sensor
objectSigner	dynamic	true	-	Certificate signer of object process or file	Microsoft Windows Software Signing;Apple Code Signing Certification Authority;Apple Root CA; Microsoft Corporation	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
objectSignerFlagsAdhoc	dynamic	true	-	The list of object process signature adhoc flags	-	Endpoint Sensor Apex One as a Service Apex One
objectSignerFlagsAdhoc	dynamic	true	-	The list of object process or file signature adhoc flags	-	Endpoint Sensor Apex One as a Service
objectSignerFlagsLibValid	dynamic	true	-	The list of object process signature library validation flags	-	Endpoint Sensor Apex One as a Service Apex One
objectSignerFlagsLibValid	dynamic	true	-	The list of object process or file signature library validation flags	-	Endpoint Sensor Apex One as a Service
objectSignerFlagsRuntime	dynamic	true	-	The list of object process signature runtime flags	-	Endpoint Sensor Apex One as a Service Apex One
objectSignerFlagsRuntime	dynamic	true	-	The list of object process or file signature runtime flags	-	Endpoint Sensor Apex One as a Service
objectSignerValid	dynamic	true	-	Validity of certificate signer	1	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
objectSubTrueType	int	true	-	File object's true sub-type	5000 18000 28001	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
objectThreadId	string	true	-	The object process thread ID	10196 10104 10004	Apex One as a Service
objectTrueType	int	true	-	File object's true major type	7 5 18 4051	Apex One as a Service Endpoint Sensor Endpoint & Workload Security
objectType	string	true	-	The object type	file process qil	Cloud App Security Endpoint & Workload Security Apex One as a Service Email Security Endpoint Sensor File Security
objectUser	string	true	UserAccount	The owner name of the target process or the login user name	Système SYSTEM SISTEMA	Apex One as a Service Endpoint & Workload Security
objectUser	string	true	UserAccount	The owner name of the target process or the login user name	root SYSTEM oracle	Endpoint & Workload Security Endpoint Sensor Apex One as a Service Data Detection and Response
objectUserDomain	string	true	-	The owner domain of the target process	NT AUTHORITY UNEB	Endpoint & Workload Security Apex One as a Service
objectUserDomain	string	false	-	The object user domain	NT AUTHORITY AUTORIDADE NT	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
objectUserGroup	string	true	-	The user group name	staff _spotlight wheel	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
online	string	true	-	The flag to identify whether the endpoint is online	Yes No	Apex One as a Service
operationLevel	int	false	-	The level that is used to indicate the handler layer at SOC	1 3	Apex One as a Service
originalFileHashes	dynamic	true	FileSHA1	The hashes of the original file	ba4700bfd55741c657a99fbe416787835fb384da 639dfe4a69c1e6aace1e4eece3b3bb25af6a1392	Endpoint & Workload Security Apex One as a Service
originalFilePaths	dynamic	true	FileFullPath FileName	The paths of the original file	C:\\Users\\user_name\\Downloads\\run.exe	Endpoint & Workload Security Apex One as a Service
osDescription	string	true	-	The OS version	Windows 10 (64 bit) Windows 10 Pro (64 bit) build 19044 Amazon Linux 2 (64 bit) (5.4.188-104.359.amzn2.x86_64)	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
osName	string	true	-	The host operating system name	Windows Linux macOS	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
osType	string	true	-	The host operating system type	0x00000030 4	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
osVer	string	true	-	The version of the host operating system	Amazon Linux 2 10.0.19044 10.0.19042	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
parentAuthId	string	true	-	The parent authorization ID	999 996 997	Endpoint Sensor Apex One as a Service
parentCmd	string	true	CLICommand	The command line entry of the parent process	C:\WINDOWS\system32\services.exe C:\Windows\system32\services.exe /sbin/launchd	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
parentFileCreation	string	true	-	The time the parent file was created	1652131848000 1577865600000 1635172968000	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
parentFileCurrentOwnerName	string	true	-	The current owner name of the parent file	NT AUTHORITY\SYSTEM BUILTIN\Administradores BUILTIN\Administrators	Endpoint Sensor Apex One as a Service
parentFileCurrentOwnerSid	string	true	-	The current security identifier owner of the parent file	S-1-5-32-544 S-1-5-18 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464	Endpoint Sensor Apex One as a Service
parentFileDaclString	string	true	-	The discretionary access control list of the parent file	D:(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2) D:(A;OICI;GA;;;SY)(A;OICI;0xa0120000;;;WD)(A;OICI;GA;;;BA) D:(A;ID;0x1200a9;;;AC)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;S-1-15-2-2)	Endpoint Sensor Apex One as a Service
parentFileGroupName	string	true	-	The name of the parent file user group	wheel admin staff	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
parentFileGroupSid	string	true	-	The security identifier of the parent process file group	S-1-5-18 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-32-544	Endpoint Sensor Apex One as a Service
parentFileHashId	long	true	-	The parent file hash ID	-4092577940452904134 2141057820373638746 -821808160829839906	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
parentFileHashMd5	string	true	FileMD5	The md5 hash of parent process	d8e577bf078c45954f4531885478d5a9 cd10cb894be2128fca0bf0e2b0c27c16 cfd65bed18a1fae631091c3a4c4dd533	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
parentFileHashSha1	string	true	FileSHA1	The SHA1 hash of parent process	d7a213f3cfee2a8a191769eb33847953be51de54 1f912d4bec338ef10b7c9f19976286f8acc4eb97 9ad737cbd8bbdddc96726156dbd3bc03936bf02f	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
parentFileHashSha256	string	true	FileSHA2	The SHA256 hash of parent process	dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674 f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881 00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
parentFileModifiedTime	string	true	-	The time the parent file was modified	1652131848000 1577865600000 1635172968000	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
parentFileOriginalName	string	true	FileName	The original file name of the parent image	Taskmgr.exe WINLOGON.EXE svchost.exe	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
parentFileOwnerName	string	true	-	The owner name of the parent file	root cit BUILTIN\Administrators	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
parentFileOwnerSid	string	true	-	The security identifier of the parent file owner	S-1-5-32-544 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-18	Endpoint Sensor Apex One as a Service
parentFilePath	string	true	FileFullPath FileName	The file path of the parent process	c:\windows\system32\services.exe /usr/bin/bash c:\windows\system32\svchost.exe	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
parentFileRemoteAccess	bool	true	-	The remote access to the parent file	-	Endpoint Sensor Apex One as a Service
parentFileSaclString	string	true	-	The system access control list of the parent file	S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD) S:NO_ACCESS_CONTROL S:(AU;IDSAFA;DCLCRPSDWDWO;;;AU)	Apex One as a Service Endpoint Sensor
parentFileSize	string	true	-	The file size of the parent file	714856 59952 5114880	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
parentHashId	long	true	-	The parent hash ID	-865367326691173681 -2903238741593506113 -4358168316031740439	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
parentIntegrityLevel	int	true	-	The integrity level of a parent	-	Endpoint Sensor Apex One as a Service
parentLaunchTime	real	true	-	The time when the parent process was launched	1653614773895 1656118625928 0	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
parentName	string	true	-	The image name of the parent process	c:\windows\system32\services.exe /usr/bin/bash c:\windows\system32\svchost.exe	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
parentPid	int	true	-	The PID of the parent process	1 976 920	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
parentSessionId	int	false	-	The parent session ID	-	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
parentSigner	dynamic	true	-	The signer of the parent file	Microsoft Windows Publisher Microsoft Windows Software Signing;Apple Code Signing Certification Authority;Apple Root CA;	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
parentSignerFlagsAdhoc	dynamic	true	-	The list of parent process signature adhoc flags	-	Endpoint Sensor Apex One as a Service Apex One
parentSignerFlagsAdhoc	dynamic	true	-	The list of parent process signature adhoc flags	-	Endpoint Sensor Apex One as a Service
parentSignerFlagsLibValid	dynamic	true	-	The list of parent process signature library validation flags	-	Endpoint Sensor Apex One as a Service Apex One
parentSignerFlagsLibValid	dynamic	true	-	The list of parent process signature library validation flags	-	Endpoint Sensor Apex One as a Service
parentSignerFlagsRuntime	dynamic	true	-	The list of parent process signature runtime flags	-	Endpoint Sensor Apex One as a Service Apex One
parentSignerFlagsRuntime	dynamic	true	-	The list of parent process signature runtime flags	-	Endpoint Sensor Apex One as a Service
parentSignerValid	dynamic	true	-	The validity of the parent signer	-	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
parentSubTrueType	int	true	-	The true file subtype of the parent file	-	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
parentTrueType	int	true	-	The true file type of the parent file	-	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
parentUser	string	true	-	The type of user that executed the parent process	root SYSTEM SISTEMA	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
parentUserDomain	string	true	-	The user domain of the parent process	NT AUTHORITY AUTORIDADE NT	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
patType	string	true	-	The pattern type	NCIE CNC Pattern NCIE RR Pattern NCIE User Define Block List	Apex One as a Service
patVer	string	true	-	The version of the behavior pattern	35.1053.00 630 35.1071.00	Apex One as a Service Endpoint Sensor Cloud App Security
pComp	string	true	-	The component that made the detection	CAV NCIE TMUFE	Deep Discovery Inspector Network Sensor Apex One as a Service
peerIp	dynamic	true	IPv4 IPv6	The IP of peerHost	10.10.10.10	Deep Discovery Inspector Network Sensor Apex One as a Service
plang	int	false	-	The product language	1	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
platformAssetTags	dynamic	true	-	The list of platform custom asset tags	{"Asset group":["finance"], "some.ip": ["10.1.0.1"]}	Endpoint Sensor Endpoint & Workload Security Apex One as a Service Container Security
platformAssetTags	dynamic	true	-	The list of platform custom asset tags	{"Asset group":["finance"], "some.ip": ["10.1.0.1"]}	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
pname	string	true	-	The internal product ID	Trend Micro Deep Security Deep Discovery Inspector Apex One	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security Cloud App Security Email Security TippingPoint Security Management System Endpoint Sensor Web Security Cloud One Network Security Zero Trust Secure Access - Internet Access Mobile Security Container Security Email Sensor Deep Discovery Analyzer
pname	string	true	-	Internal product ID (Deprecated, use productCode)	2200 751 533	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
policyId	string	true	-	The policy ID of which the event was detected	00000001-0001-0001-0001-000000007610 007 003 TM000001	TippingPoint Security Management System Apex One as a Service Endpoint Sensor Cloud One Network Security Endpoint & Workload Security Deep Security Container Security
policyName	string	true	-	The name of the triggered policy	Steelcase Cabot Tigre - Medium Policy apiPostedPolicy	Apex One as a Service Cloud App Security Web Security Email Security Zero Trust Secure Access - Internet Access TXOne EdgeOne Container Security Mobile Network Security
policyTemplate	dynamic	true	-	The one-to-many data structure	policyName:Monitoreo All Files, template:Managed - All files policyName:HSS DLP, template:All File Extension India: Mobile Numbers	Apex One as a Service Cloud App Security Zero Trust Secure Access - Internet Access
pplat	int	false	-	The product platform	5889 9217	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
processArtifactIds	dynamic	true	-	The artifact IDs generated by processAction	00000000-0000-0000-0000-000000000000_1.dmp 11111111-1111-1111-1111-111111111111_2.bak	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
processCmd	string	true	CLICommand	The subject process command line	"C:\Program Files (x86)\AADM\AADM.exe" /usr/lib/inet/sendmail -bl -q15m ComDir	Endpoint & Workload Security Endpoint Sensor Deep Security Apex One as a Service Container Security
processCmd	string	true	CLICommand	The command line entry of the subject process	C:\Windows\system32\lsass.exe C:\WINDOWS\system32\lsass.exe nimbus(processes)	Endpoint Sensor Endpoint & Workload Security Apex One as a Service
processFileCreation	string	true	-	The time the process file was created	1652131848000 1577865600000 1635172906000	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
processFileCurrentOwnerName	string	true	-	The current owner name of the process file	NT AUTHORITY\SYSTEM BUILTIN\Administrators BUILTIN\Administradores	Endpoint Sensor Apex One as a Service
processFileCurrentOwnerSid	string	true	-	The owner of the process file current security identifier	S-1-5-18 S-1-5-32-544 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464	Endpoint Sensor Apex One as a Service
processFileDaclString	string	true	-	The discretionary access control list of the process file	D:(A;ID;0x1200a9;;;AC)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;S-1-15-2-2) D:(A;ID;FA;;;SY) D:(A;ID;FA;;;BA)(A;ID;FA;;;SY)	Endpoint Sensor Apex One as a Service
processFileGroupName	string	true	-	The name of the process file user group	wheel admin staff	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
processFileGroupSid	string	true	-	The security identifier of the process file group	S-1-5-18 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-32-544	Endpoint Sensor Apex One as a Service
processFileHashId	long	true	-	The file hash of the process	2141057820373638746 -821808160829839906 5222963427542927736	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
processFileHashMd5	string	true	FileMD5	The MD5 hash of the subject process image	cd10cb894be2128fca0bf0e2b0c27c16 7ac47235c7bb452a03d3afd872f44c9e cfd65bed18a1fae631091c3a4c4dd533	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
processFileHashSha1	string	true	FileSHA1	The SHA-1 of the subject process	C0885381EBAC94AB20E78936434FA208F6B65352 ac373ed32b491da22924e2e11e36574e5d582a35 DF93F7DF887E86C3B56539B5046B286001C6F150	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
processFileHashSha1	string	true	FileSHA1	The SHA1 hash of subject process image	1f912d4bec338ef10b7c9f19976286f8acc4eb97 ded3833f145989fd86c1f4811b61497298ebc7fd 9ad737cbd8bbdddc96726156dbd3bc03936bf02f	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
processFileHashSha256	string	true	FileSHA2	The SHA256 hash of subject process image	f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881 39109eef00821658893b45634fe2f4664f880da9242712df907f1327d4ceefb8 00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
processFileModifiedTime	string	true	-	The time the process file was modified	1652131848000 1633413236462 1414554708877	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
processFileOriginalName	string	true	FileName	The original file name of the process image	Taskmgr.exe WINLOGON.EXE svchost.exe	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
processFileOwnerName	string	true	-	The process file owner name	root cit BUILTIN\Administrators	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
processFileOwnerSid	string	true	-	The security identifier of the process file owner	S-1-5-32-544 S-1-5-18 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464	Endpoint Sensor Apex One as a Service
processFilePath	string	true	ProcessFullPath FileFullPath FileName	The file path of the subject process	c:\windows\system32\svchost.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe c:\windows\syswow64\srts\wmipr.exe	Apex One as a Service Endpoint & Workload Security Endpoint Sensor
processFilePath	string	true	ProcessFullPath ProcessName FileFullPath FileName	The file path of the subject process	/usr/bin/bash c:\windows\system32\svchost.exe c:\windows\system32\lsass.exe	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
processFileRemoteAccess	bool	true	-	The remote access to the process file	-	Endpoint Sensor Apex One as a Service
processFileSaclString	string	true	-	The system access control list of the process file	S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD) S:(AU;IDSAFA;DCLCRPSDWDWO;;;AU) S:NO_ACCESS_CONTROL	Apex One as a Service Endpoint Sensor
processFileSize	string	true	-	The file size of the process file	59952 59456 47024	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
processHashId	long	true	-	The FNV of subject process	7114696589795796819 1307755369266815004 -5015325378148567246	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
processImageFileNames	dynamic	true	-	The process image file names of detected backup artifacts	C:\Program Files\aaa\bbb\objprocess.exe C:\Program Files\ccc\ddd\sample.exe	Endpoint & Workload Security Apex One as a Service
processLaunchTime	real	true	-	The time the subject process was launched	1653614775212 1656118626642 1652098160298	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
processName	string	true	ProcessName	The image name of the process that triggered the event	c:\windows\system32\svchost.exe /usr/bin/python2.7 /usr/bin/sed	Endpoint & Workload Security Endpoint Sensor Deep Security Container Security Apex One as a Service
processName	string	true	ProcessName	The image name of the process that triggered the event	/usr/bin/bash c:\windows\system32\svchost.exe c:\windows\system32\lsass.exe	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
processPid	int	true	-	The PID of the subject process	-	Endpoint & Workload Security Endpoint Sensor Container Security Apex One as a Service
processPid	int	true	-	The PID of the subject process	4 1 784 792	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
processSigner	dynamic	true	-	The process file signer	Microsoft Windows Microsoft Windows Publisher Microsoft Corporation	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
processSignerFlagsAdhoc	dynamic	true	-	The list of process signature adhoc flags	-	Endpoint Sensor Apex One as a Service Apex One
processSignerFlagsAdhoc	dynamic	true	-	The list of process signature adhoc flags	-	Endpoint Sensor Apex One as a Service
processSignerFlagsLibValid	dynamic	true	-	The list of process signature library validation flags	-	Endpoint Sensor Apex One as a Service Apex One
processSignerFlagsLibValid	dynamic	true	-	The list of process signature library validation flags	-	Endpoint Sensor Apex One as a Service
processSignerFlagsRuntime	dynamic	true	-	The list of process signature runtime flags	-	Endpoint Sensor Apex One as a Service Apex One
processSignerFlagsRuntime	dynamic	true	-	The list of process signature runtime flags	-	Endpoint Sensor Apex One as a Service
processSignerValid	dynamic	true	-	The validity of the process signer	1	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
processSubTrueType	int	true	-	The true file subtype of the process	-	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
processTrueType	int	true	-	The true file type of the process	-	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
processUser	string	true	UserAccount	The user name of the process or the file creator	SYSTEM SVC_JENKINS_CODE_DEV NETWORK SERVICE	Endpoint & Workload Security Apex One as a Service Container Security
processUser	string	true	UserAccount	The owner name of subject process image	root SYSTEM SISTEMA	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
processUserDomain	string	true	-	The owner domain of the subject process image	NT AUTHORITY DOMAINBA PAEDMZ	Endpoint & Workload Security Apex One as a Service
processUserDomain	string	true	-	The process user domain	NT AUTHORITY AUTORIDADE NT	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
proto	string	true	-	The exploited layer network protocol	6 TCP 17	Endpoint & Workload Security Deep Security TXOne EdgeOne Container Security Mobile Network Security Apex One as a Service
proto	int	false	-	The protocol type	TELEMETRY_CONNECTION_TCP TELEMETRY_CONNECTION_UDP	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
providerGUID	string	true	-	The GUID of the Windows event provider	{11111111-1111-1111-1111-111111111111}	Endpoint Sensor Apex One as a Service
providerName	string	true	-	The name of the Windows event provider	Microsoft-Windows-Security-Auditing Microsoft-Windows-WMI-Activity Microsoft-Windows-TaskScheduler	Endpoint Sensor Apex One as a Service
proxy	string	true	-	The proxy address	proxy.sample:8080 10.10.10.10:8080	Endpoint Sensor Apex One as a Service
pver	string	true	-	The product version	20.0.0.4726 20.0.0.4416 6.2.1125	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Deep Security Apex One as a Service TippingPoint Security Management System Cloud One Network Security Zero Trust Secure Access - Internet Access Mobile Security Container Security File Security File Security Storage Agentless Vulnerability & Threat Detection Deep Discovery Analyzer
pver	string	true	-	The product version	1.2.0.2752 1.0.345 1.2.0.2657	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
quarantineFileId	string	true	-	The unique identifier of the quarantined object	ASLUMVS0.4FC	Apex One as a Service Apex One Endpoint & Workload Security Deep Security
quarantineFilePath	string	true	FileFullPath	The file path of the quarantined object	C:\ProgramData\Trend Micro\AMSP\quarantine\ASLUMVS0.4FC	Apex One as a Service Apex One Endpoint & Workload Security Deep Security
quarantineFileSha256	string	true	FileSHA2	The SHA-256 of the quarantined object	84B2FA19B05EA88D6E785B4ADB528120485AA3F72F3E5E114DE6D3696B0D151F	Apex One as a Service Apex One Endpoint & Workload Security Deep Security
quarantineType	string	true	-	The descriptive name for the quarantine area	0 1 538	Apex One as a Service
rating	string	true	-	The credibility level	Safe Unknown Dangerous	Apex One as a Service Deep Discovery Inspector Network Sensor
rawDataSize	string	true	-	The size of the Windows event log	1128 1129 1127	Endpoint Sensor Apex One as a Service
rawDataStr	string	true	-	Windows event raw contents	{ "EventData" : { "LogonType" : "", "TargetDomainName" : "", "TargetLogonId" : "", "TargetUserName" : "", "TargetUserSid" : "" } } { "EventData" : { "LogonType" : "10", "TargetDomainName" : "AFASADV", "TargetLogonId" : "14941011731", "TargetUserName" : "administrator", "TargetUserSid" : "S-1-5-21-1507008304-2416677881-2121376573-500" } } { "EventData" : { "LogonType" : "10", "TargetDomainName" : "AIS", "TargetLogonId" : "216921070", "TargetUserName" : "MWoodr01", "TargetUserSid" : "S-1-5-21-1873864278-1756520048-3043165120-15057" } }	Endpoint Sensor Apex One as a Service
remarks	string	true	-	The additional information	warning: fork: Resource temporarily unavailable pam_unix(cron:session): session opened for user root by (uid=0) WinEvtLog: Application: AUDIT_FAILURE(18470): MSSQL$SA: (no user): no domain: EXAMPLE.com: Login failed for user 'example_user'. Reason: The account is disabled. [CLIENT: 10.10.10.10]	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Deep Security Cloud App Security Apex One as a Service Email Security Cloud One Network Security TXOne EdgeOne Email Sensor File Security Agentless Vulnerability & Threat Detection Zero Trust Secure Access - Internet Access
request	string	true	URL	The notable URLs	http://example.page.com/canonical.html http://10.10.10.10 https://drive.google.com/	Deep Discovery Inspector Network Sensor Apex One as a Service TippingPoint Security Management System Endpoint & Workload Security Zero Trust Secure Access - Internet Access Cloud App Security Cloud One Network Security Email Security Deep Security Mobile Security Zero Trust Secure Access - Private Access Deep Discovery Analyzer
request	string	true	URL	Request URL	http://10.10.10.10/fake/site http:///fake/param.cgi?action=list&group=Alarm.Status http://fake.com/	Apex One as a Service Endpoint Sensor
requestClientApplication	string	true	-	The protocol user agent information	Microsoft-Delivery-Optimization/10.0 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) example Software GmbH	Deep Discovery Inspector Network Sensor Endpoint & Workload Security Apex One as a Service Deep Discovery Analyzer
requestMethod	string	true	-	The network protocol request method	GET POST PUT	Apex One as a Service Endpoint Sensor Endpoint & Workload Security
riskConfidenceLevel	string	true	-	The risk confidence level	0 1 2	Apex One as a Service Cloud App Security
riskLevel	string	true	-	The risk level	1 high No Risk	Endpoint & Workload Security Apex One as a Service Cloud App Security Endpoint Sensor Deep Discovery Inspector Network Sensor
rt	string	false	-	The Unix time of the log generation	1656324260000	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security Cloud App Security Email Security TippingPoint Security Management System Endpoint Sensor Web Security Cloud One Network Security Zero Trust Secure Access - Internet Access Zero Trust Secure Access - Private Access Email Sensor Deep Discovery Analyzer
rt	string	false	-	The event time	1657781088000	Endpoint Sensor Apex One as a Service
rtDate	string	true	-	The date of the log generation	1655337600000	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security
rtHour	int	false	-	The hour of the log generation	9 8	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security
rtWeekDay	string	true	-	The weekday of the log generation	Monday Tuesday Friday	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security
ruleId	int	true	-	The rule ID	1002795 1003802	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Deep Security Apex One as a Service Mobile Network Security
ruleId	int	true	-	The rule ID	1005566	Endpoint Sensor Apex One as a Service
ruleIdStr	string	true	-	The rule ID	TM-00000043	Container Security Apex One as a Service
ruleName	string	true	-	The name of the rule that triggered the event	Directory Server - Microsoft Windows Active Directory Microsoft Windows Events Microsoft Windows Security Events - 3 (T1234) New executable created (chmod) Sensitive Files Upload to Personal Cloud Multiple Sensitive Files Compression Transfer Sensitive Files to Removable Storage Move Multiple Sensitive Files to Central Location Multiple Sensitive Files Modification Multiple Sensitive Files Deletion GEN_CCFR_OVERLAY_TEST.A	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security Cloud App Security TippingPoint Security Management System Endpoint Sensor Email Security Cloud One Network Security Zero Trust Secure Access - Private Access Container Security Email Sensor Mobile Network Security Data Detection and Response
ruleType	string	true	-	The access rule type	udso point of entry unknown	Endpoint & Workload Security Apex One as a Service Cloud App Security Zero Trust Secure Access - Private Access Container Security
scanType	string	true	-	The scan type	realtime_mailmeta-exchange exchange_mailbox_realtime_detection_logs gateway_realtime_blocking_traffic malware_schedule_image malware_schedule_file malware_realtime_image malware_realtime_file	Cloud App Security Email Security Endpoint & Workload Security Apex One as a Service Deep Security Email Sensor File Security Agentless Vulnerability & Threat Detection Container Security
score	int	false	-	The Web Reputation Services URL rating	71 81	Deep Discovery Inspector Network Sensor Apex One as a Service Cloud App Security Mobile Security Endpoint & Workload Security
secondAct	string	true	-	The second scan action	Unknown N/A Deny Access	Endpoint & Workload Security Apex One as a Service Deep Security
secondActResult	string	true	-	The result of the second scan action	Unknown N/A Access denied	Endpoint & Workload Security Apex One as a Service Deep Security
senderGUID	string	true	-	The sender GUID	346648FC-9862-D2F0-F94C-FAB1A838ABD7 36E5239E-EEBA-0100-C10E-C057E0455E1D 9606BBD5-38A7-9024-83C8-9C88A2AF90CC	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Apex One as a Service Deep Security
senderIp	dynamic	true	-	The sender IP	10.10.10.10	Deep Discovery Inspector Network Sensor Apex One as a Service Email Security
sessionId	int	false	-	The session ID	1 2	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
severity	int	true	-	The severity of the event	2 4 6 8	Endpoint & Workload Security Deep Discovery Inspector Network Sensor Deep Security Apex One as a Service TippingPoint Security Management System Cloud One Network Security Container Security Mobile Network Security Deep Discovery Analyzer
signer	string	true	-	The signer of the file	Shenzhen Smartspace Software technology Co.,Limited;Symantec Class 3 SHA256 Code Signing CA;1429491600;1492649999	Apex One as a Service
smac	string	true	-	The source MAC address	00:11:22:33:44:55 66:77:88:99:AA:BB CC:DD:EE:FF:00:11	Deep Discovery Inspector Network Sensor Apex One as a Service Endpoint & Workload Security Deep Security TXOne EdgeOne Deep Discovery Analyzer
sourceType	string	true	-	The source type	user defined sandbox syscall	Apex One as a Service Container Security Endpoint Sensor
spt	int	true	Port	The source port	53 7680	Deep Discovery Inspector Network Sensor Apex One as a Service Endpoint & Workload Security TippingPoint Security Management System Deep Security Cloud One Network Security Endpoint Sensor TXOne EdgeOne Zero Trust Secure Access - Private Access Container Security Mobile Network Security Deep Discovery Analyzer
spt	int	true	Port	The source port number	53 5353 443	Endpoint & Workload Security Endpoint Sensor Apex One as a Service Data Detection and Response
src	dynamic	true	IPv4 IPv6	The source IP	10.10.10.10	Deep Discovery Inspector Network Sensor Apex One as a Service Endpoint & Workload Security TippingPoint Security Management System Deep Security Cloud One Network Security Endpoint Sensor Zero Trust Secure Access - Internet Access TXOne EdgeOne Zero Trust Secure Access - Private Access Container Security Mobile Network Security Deep Discovery Analyzer
src	string	true	IPv4 IPv6	The source address	:: 10.10.10.10	Endpoint & Workload Security Endpoint Sensor Apex One as a Service Data Detection and Response
srcFileCreation	string	true	-	The time the source file was created	1577865600000 1626201752000 1626201750000	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
srcFileCurrentOwnerName	string	true	-	The current owner name of the source file	NT AUTHORITY\SYSTEM BUILTIN\Administrators AUTORIDADE NT\SISTEMA	Apex One as a Service Endpoint Sensor
srcFileCurrentOwnerSid	string	true	-	The current security identifier owner of the source file	S-1-5-18 S-1-5-32-544 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464	Apex One as a Service Endpoint Sensor
srcFileDaclString	string	true	-	The discretionary access control list of the source file	D:(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2) D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2) D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)	Endpoint Sensor Apex One as a Service
srcFileGroupName	string	true	-	The source file user group name	wheel staff NT SERVICE\TrustedInstaller	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
srcFileGroupSid	string	true	-	The security identifier of the source file group	S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-18 S-1-5-21-3770350686-3666354711-3866293128-513	Apex One as a Service Endpoint Sensor
srcFileHashId	long	false	-	The source file hash ID	1102079405020678318 -6926286289273504319 8528955148329941480	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
srcFileHashMd5	string	true	FileMD5	The md5 hash of source file	e5d5e9c1f65b8ec7aa5b7f1b1acdd731 a6779bf446db07e4c4ba3516b273c496 4bb7334fdadc6eccb8e6ab402aae013b	Apex One as a Service Endpoint Sensor
srcFileHashSha1	string	true	FileSHA1	The SHA1 hash of source file	5d34902fecc1760138212ada36be1e742bda5e52 dbb14dcda6502ab1d23a7c77d405dafbcbeb439e 2292f8109cd756e790c068a52d50f1b0858f503b	Apex One as a Service Endpoint Sensor
srcFileHashSha256	string	true	FileSHA2	The SHA256 hash of source file	4eaa002225f4ea2dedcd19b7f1337d7c58ea7dd6d4571c12468dde95e6bcfdaf e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 16b20a3ad485b4fbbe3028c7e743b226db21ea93cacc8b3d7d7d4a731bf02333	Apex One as a Service Endpoint Sensor
srcFileIsRemoteAccess	bool	true	-	The remote access of the source file	-	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
srcFileModifiedTime	string	true	-	The time the source file was modified	1626201752000 1626201750000 1577865600000	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
srcFileOwnerName	string	true	-	The source file owner name	root NT SERVICE\TrustedInstaller NT AUTHORITY\SYSTEM	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
srcFileOwnerSid	string	true	-	The security identifier of the source file owner	S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-18 S-1-5-32-544	Apex One as a Service Endpoint Sensor
srcFilePath	string	true	FileFullPath FileName	The source file path	\\cnva-apps\megaclockprod\traveler\travelerprint.accdb c:\program files\common files\microsoft shared\clicktorun\officesvcmgrschedule.xml q:\a7_dbs\a4_pkg\a4_packaging.accde	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
srcFileSaclString	string	true	-	The system access control list of the source file	S:NO_ACCESS_CONTROL S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD) S:(AU;IDSAFA;DCLCRPSDWDWO;;;AU)	Apex One as a Service Endpoint Sensor
srcFileSize	string	true	-	The file size of the source file	0 131072 196608	Endpoint Sensor Apex One as a Service Endpoint & Workload Security Data Detection and Response
srcFirstSeen	string	true	-	The first time the source file was seen	0 1656355418449 1656714760440	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
srcHashId	long	false	-	The source hash ID	4070054759888344851 2177864258235728980 3476454206648023552	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
srcLastSeen	string	true	-	The last time the source file was seen	0 1656355418449 1656715147313	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
srcSigner	dynamic	true	-	The signer of the source file	Microsoft Windows Microsoft Corporation Google LLC	Apex One as a Service Endpoint Sensor
srcSignerFlagsAdhoc	dynamic	true	-	The list of source file signature adhoc flags	-	Endpoint Sensor Apex One as a Service
srcSignerFlagsLibValid	dynamic	true	-	The list of source file signature library validation flags	-	Endpoint Sensor Apex One as a Service
srcSignerFlagsRuntime	dynamic	true	-	The list of source file signature runtime flags	-	Endpoint Sensor Apex One as a Service
srcSignerValid	dynamic	true	-	The validity of the source file signer	-	Apex One as a Service Endpoint Sensor
srcSubTrueType	int	false	-	The true file subtype of the source file	-	Apex One as a Service Endpoint Sensor Endpoint & Workload Security
srcTrueType	int	false	-	The true file type of the source file	-	Apex One as a Service Endpoint Sensor Endpoint & Workload Security
status	string	true	-	The HTTP response status code	200 500 403	Apex One as a Service Endpoint Sensor Endpoint & Workload Security
subSystem	string	true	-	The sub system information	com.apple.xpc	Endpoint Sensor Apex One as a Service
suid	string	true	UserAccount	User name or mailbox	root US EXAMPLE\TEST sample_email@trendmicro.com	Endpoint & Workload Security Cloud App Security Apex One as a Service Deep Discovery Inspector Network Sensor Web Security Deep Security Cloud One Network Security Zero Trust Secure Access - Internet Access
suser	dynamic	true	EmailSender	The email sender	sample_email@trendmicro.com	Cloud App Security Email Security Deep Discovery Inspector Network Sensor Apex One as a Service Email Sensor Deep Discovery Analyzer
tacticId	dynamic	true	Tactic	The list of MITRE tactic IDs	TA0011 TA0008 TA0001	Deep Discovery Inspector Network Sensor Endpoint Sensor Apex One as a Service
tags	dynamic	true	Technique Tactic	The detected technique ID based on the alert filter	MITREV9.T1090 MITRE.T1071 MITREV9.T1059.001	ALL Endpoint & Workload Security Apex One as a Service Deep Discovery Inspector Network Sensor Endpoint Sensor
threatName	string	true	-	The threat name	Malicious_CnC_access_on_UDP_blocked Malicious_CnC_access_on_TCP_blocked Other protected file	Cloud App Security Apex One as a Service Deep Discovery Inspector Network Sensor
threatType	string	true	-	The log threat type	2 99 5	Deep Discovery Inspector Network Sensor Apex One as a Service Agentless Vulnerability & Threat Detection
timezone	string	true	-	The host time zone	UTC+00:00 UTC-05:00 UTC-03:00	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
trigger	string	true	-	The action trigger	ATSE On-demand scan	Endpoint & Workload Security Apex One as a Service
triggerInfo	dynamic	true	-	The trigger information	[{'triggerModule': 'ODS', 'triggerReason': 'System Schedule Scan'}]	Apex One as a Service Endpoint & Workload Security
triggerReason	string	true	-	The cause of the triggered action	FILEMETA.T1027.009.TRICKBOT.SMITRE1B2, T1027.009 ST002 Scheduled Scan (custom) Scheduled Scan (system) Remote Scan: the user triggered the Apex One agent from the Trend Vision One console Manual Scan: the user triggered the local agent	Endpoint Sensor Apex One as a Service Endpoint & Workload Security
urlCat	dynamic	true	-	The requested URL category	Untested 158 Web Advertisement	Deep Discovery Inspector Network Sensor Web Security Apex One as a Service Zero Trust Secure Access - Internet Access Cloud App Security Mobile Security Endpoint & Workload Security
userDomain	string	true	EndpointName DomainName AccountDomain	The user domain	example.com.pa DOMAIN	Apex One as a Service Web Security Zero Trust Secure Access - Internet Access
userDomain	dynamic	true	-	The user domain name	CORP AUTORIDADE NT	Endpoint & Workload Security Endpoint Sensor Apex One as a Service
vendor	string	true	-	The device vendor	adata	Apex One as a Service Endpoint & Workload Security
winEventId	int	true	-	Event ID of Windows event	11 4624 4670	Endpoint Sensor Apex One as a Service

Field Statistics

• Total Fields: 437
• Layer: Endpoint
• Product: Apex One as a Service

---

Generated by XDR Common Schema Public Doc Generator V2

This site is open source. Improve this page.