tm-v1-schema

Data Detection and Response

Layer: Endpoint

This documentation provides detailed information about all fields available for Data Detection and Response.

Field Name Type Searchable General Field Description Example Products
aggregatedCount string true - The number of aggregated events
  • 1
  • 2
  • 3
  • Deep Discovery Inspector
  • Network Sensor
  • Apex One as a Service
  • TippingPoint Security Management System
  • Web Security
  • Cloud One Network Security
  • Zero Trust Secure Access - Internet Access
  • TXOne StellarOne
  • Data Detection and Response
  • Endpoint & Workload Security
aggregateFunction int true - The metric aggregator
  • 0 - sum
  • 1 - avg
 Data Detection and Response
aggregateUnit string true - The metric unit file Data Detection and Response
detectionFileList dynamic true - The information about the related files {"fileName": "sample.txt", "edgeId": "00000000-0000-0000-0000-000000000000"} Data Detection and Response
dpt int true Port The destination port number -
  • Endpoint & Workload Security
  • Endpoint Sensor
  • Apex One as a Service
  • Data Detection and Response
dst string true
  • IPv4
  • IPv6
 The destination IP address
  • ::
  • 10.10.10.10
  • Endpoint & Workload Security
  • Endpoint Sensor
  • Apex One as a Service
  • Data Detection and Response
duration string true - The detection interval (in milliseconds) 300000 Data Detection and Response
endpointGUID string true EndpointID The GUID of the agent which reported the detection
  • ae4d64aa-f8b8-bb36-b265-f59272ed342f
  • 8fb979f6-1376-bed3-227f-f2886e66194e
  • ca2b3a7e-8415-c571-cc19-e45f69470026
  • Endpoint & Workload Security
  • Apex One as a Service
  • Deep Security
  • Endpoint Sensor
  • Zero Trust Secure Access - Internet Access
  • Mobile Security
  • Zero Trust Secure Access - Private Access
  • TXOne StellarOne
  • Container Security
  • Data Detection and Response
endpointHostName string true EndpointName The endpoint hostname or node where the event was detected
  • 10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0]
  • ip-10-10-10-10.us-west-1.compute.internal
  • Endpoint & Workload Security
  • Deep Security
  • Apex One as a Service
  • Endpoint Sensor
  • Zero Trust Secure Access - Internet Access
  • Mobile Security
  • Zero Trust Secure Access - Private Access
  • TXOne StellarOne
  • Container Security
  • Agentless Vulnerability & Threat Detection
  • Data Detection and Response
endpointIp dynamic true
  • IPv4
  • IPv6
 The IP address of the endpoint on which the event was detected 10.10.10.10
  • Endpoint & Workload Security
  • Deep Security
  • Apex One as a Service
  • TippingPoint Security Management System
  • Cloud One Network Security
  • TXOne EdgeOne
  • Agentless Vulnerability & Threat Detection
  • Data Detection and Response
eventId string true - The event ID from the logs of each product
  • 100100
  • 100101
  • 100116
  • 100117
  • 100119
  • Endpoint & Workload Security
  • Deep Discovery Inspector
  • Network Sensor
  • Apex One as a Service
  • Deep Security
  • Cloud App Security
  • Endpoint Sensor
  • Email Security
  • TXOne StellarOne
  • Container Security
  • Email Sensor
  • File Security
  • File Security Storage
  • Agentless Vulnerability & Threat Detection
  • Mobile Security
  • Mobile Network Security
  • Data Detection and Response
  • Deep Discovery Analyzer
eventName string true - The event type
  • LOG_INSPECTION_EVENT
  • SECURITY_RISK_DETECTION
  • WEB_THREAT_DETECTION
  • LOG_INSPECTION_EVENT
  • MALWARE_DETECTION
  • PROCESS_ACTIVITY
  • WEB_POLICY_VIOLATION
  • DEEP_PACKET_INSPECTION_EVENT
  • INTEGRITY_MONITORING_EVENT
  • DISRUPTIVE_APPLICATION_DETECTION
  • PRODUCT_SUMMARY
  • PRODUCT_UPDATE
  • BEHAVIORAL_VIOLATION
  • FIREWALL_POLICY_VIOLATION
  • SUSPICIOUS_BEHAVIOUR_DETECTION
  • DENYLIST_CHANGE
  • MACHINE_LEARNING_DETECTION
  • DLP_VIOLATION
  • MALWARE_OUTBREAK_DETECTION
  • SENSITIVE_DATA_DETECTION
  • Endpoint & Workload Security
  • Deep Discovery Inspector
  • Network Sensor
  • Apex One as a Service
  • Deep Security
  • TippingPoint Security Management System
  • Cloud App Security
  • Email Security
  • Endpoint Sensor
  • Cloud One Network Security
  • Zero Trust Secure Access - Internet Access
  • TXOne EdgeOne
  • Zero Trust Secure Access - Private Access
  • TXOne StellarOne
  • Email Sensor
  • File Security
  • File Security Storage
  • Agentless Vulnerability & Threat Detection
  • Mobile Security
  • Mobile Network Security
  • Data Detection and Response
  • Deep Discovery Analyzer
fileHash string true FileSHA1 The SHA-1 of the file that triggered the rule or policy
  • DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F
  • 3AD1F4E7CAA11E5199EE80B8983677ADDD065450
  • Endpoint & Workload Security
  • Deep Discovery Inspector
  • Network Sensor
  • Deep Security
  • Apex One as a Service
  • Zero Trust Secure Access - Internet Access
  • File Security
  • File Security Storage
  • Agentless Vulnerability & Threat Detection
  • Data Detection and Response
  • Deep Discovery Analyzer
firstSeen string true - The first time the XDR log appeared 1657195233000
  • Cloud App Security
  • TXOne StellarOne
  • Data Detection and Response
lastSeen string true - The last time the XDR log appeared 1657195233000
  • Cloud App Security
  • TXOne StellarOne
  • Data Detection and Response
lineageId string true - The lineage ID
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
 Data Detection and Response
logonUsers dynamic true - The telemetry events that match the Security Analytics Engine filter, and logonUsers stores the logonUsers value of the original events BHBShortJ
  • ALL
  • Data Detection and Response
matchedPolicies dynamic true - The matched policies of detection records ['00000000-0000-0000-0000-000000000000'] Data Detection and Response
metaSrcExtra string true - The meta for identifying the source of events [{'metaSrcUri': ...] Data Detection and Response
objectFileHash string true - The cryptographic hash of the target process image or file, with the specific hash algorithm to be determined 1ca71017d2fa4775253670e1e55e26912bfdc156 Data Detection and Response
objectFileSize string true - The file size of the object file
  • 59456
  • 60
  • Endpoint Sensor
  • Apex One as a Service
  • Endpoint & Workload Security
  • Data Detection and Response
objectServiceType string true - Type of target file
  • local
  • smb
  • web
 Data Detection and Response
objectUri string true - Path of target file C://path/of/file.txt Data Detection and Response
objectUser string true UserAccount The owner name of the target process or the login user name
  • root
  • SYSTEM
  • oracle
  • Endpoint & Workload Security
  • Endpoint Sensor
  • Apex One as a Service
  • Data Detection and Response
osName string true - The host OS name
  • Linux
  • windows 10.0.22000
  • windows 10.0.19044
  • windows 10.0.19043
  • Zero Trust Secure Access - Internet Access
  • Mobile Security
  • Zero Trust Secure Access - Private Access
  • Data Detection and Response
  • Agentless Vulnerability & Threat Detection
osVer string true - The OS version 11
  • Mobile Security
  • Zero Trust Secure Access - Private Access
  • Data Detection and Response
policyIds string true - The Ids of DDR’s data policy 11111111-1111-1111-1111-111111111111 Data Detection and Response
ruleIdStr string true - The rule ID 0000000-0000-0000-0000-000000000000 Data Detection and Response
ruleName string true - The name of the rule that triggered the event
  • Directory Server - Microsoft Windows Active Directory
  • Microsoft Windows Events
  • Microsoft Windows Security Events - 3
  • (T1234) New executable created (chmod)
  • Sensitive Files Upload to Personal Cloud
  • Multiple Sensitive Files Compression
  • Transfer Sensitive Files to Removable Storage
  • Move Multiple Sensitive Files to Central Location
  • Multiple Sensitive Files Modification
  • Multiple Sensitive Files Deletion
  • GEN_CCFR_OVERLAY_TEST.A
  • Endpoint & Workload Security
  • Deep Discovery Inspector
  • Network Sensor
  • Apex One as a Service
  • Deep Security
  • Cloud App Security
  • TippingPoint Security Management System
  • Endpoint Sensor
  • Email Security
  • Cloud One Network Security
  • Zero Trust Secure Access - Private Access
  • Container Security
  • Email Sensor
  • Mobile Network Security
  • Data Detection and Response
spt int true Port The source port number
  • 53
  • 5353
  • 443
  • Endpoint & Workload Security
  • Endpoint Sensor
  • Apex One as a Service
  • Data Detection and Response
src string true
  • IPv4
  • IPv6
 The source address
  • ::
  • 10.10.10.10
  • Endpoint & Workload Security
  • Endpoint Sensor
  • Apex One as a Service
  • Data Detection and Response
srcFileHash string true - The cryptographic hash of the source process image or file, with the specific hash algorithm to be determined. 1ca71017d2fa4775253670e1e55e26912bfdc156 Data Detection and Response
srcFileSize string true - The file size of the source file
  • 0
  • 131072
  • 196608
  • Endpoint Sensor
  • Apex One as a Service
  • Endpoint & Workload Security
  • Data Detection and Response
srcServiceType string true - Type of source file
  • local
  • smb
  • web
 Data Detection and Response
srcUri string true - Path of source file C://path/of/file.txt Data Detection and Response
srcUser string true - The owner name of the source process or the login user name
  • root
  • SYSTEM
  • oracle
 Data Detection and Response
uuids dynamic true - The UUIDs of detection records ['00000000-0000-0000-0000-000000000000'] Data Detection and Response

Field Statistics

Generated by XDR Common Schema Public Doc Generator V2

This site is open source. Improve this page.