| Field name | Data type | Searchable | General field | Description | Examples | Products |
|---|---|---|---|---|---|---|
| aggregatedCount | string | true | - | The number of aggregated events | - | Trend Micro Deep Discovery Inspector; Network Sensor; Trend Micro Apex One as a Service; TippingPoint Security Management System; Trend Micro Web Security; Trend Cloud One - Network Security; Zero Trust Secure Access - Internet Access; TXOne StellarOne; Data Detection and Response; Trend Cloud One - Endpoint & Workload Security |
| aggregateFunction | int | true | - | The metric aggregator | - | Data Detection and Response |
| aggregateUnit | string | true | - | The metric unit | file | Data Detection and Response |
| detectionFileList | dynamic | true | - | The information about the related files | {"fileName": "sample.txt", "edgeId": "00000000-0000-0000-0000-000000000000"} | Data Detection and Response |
| dpt | int | true | Port | The destination port number | - | Trend Cloud One - Endpoint & Workload Security; Endpoint Sensor; Trend Micro Apex One as a Service; Data Detection and Response |
| dst | string | true | - | The destination IP address | - | Trend Cloud One - Endpoint & Workload Security; Endpoint Sensor; Trend Micro Apex One as a Service; Data Detection and Response |
| duration | string | true | - | The detection interval (in milliseconds) | 300000 | Data Detection and Response |
| endpointGUID | string | true | EndpointID | The GUID of the agent that reported the detection | ae4d64aa-f8b8-bb36-b265-f59272ed342f; 8fb979f6-1376-bed3-227f-f2886e66194e; ca2b3a7e-8415-c571-cc19-e45f69470026 | Trend Cloud One - Endpoint & Workload Security; Trend Micro Apex One as a Service; Trend Micro Deep Security; Endpoint Sensor; Zero Trust Secure Access - Internet Access; Trend Vision One Mobile Security; Zero Trust Secure Access - Private Access; TXOne StellarOne; Trend Vision One Container Security; Data Detection and Response |
| endpointHostName | string | true | EndpointName | The endpoint hostname or node where the event was detected | 10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0]; ip-10-10-10-10.us-west-1.compute.internal | Trend Cloud One - Endpoint & Workload Security; Trend Micro Deep Security; Trend Micro Apex One as a Service; Endpoint Sensor; Zero Trust Secure Access - Internet Access; Trend Vision One Mobile Security; Zero Trust Secure Access - Private Access; TXOne StellarOne; Trend Vision One Container Security; Agentless Vulnerability & Threat Detection; Data Detection and Response |
| endpointIp | dynamic | true | - | The IP address of the endpoint on which the event was detected | 10.10.10.10 | Trend Cloud One - Endpoint & Workload Security; Trend Micro Deep Security; Trend Micro Apex One as a Service; TippingPoint Security Management System; Trend Cloud One - Network Security; TXOne EdgeOne; Agentless Vulnerability & Threat Detection; Data Detection and Response |
| eventId | string | true | - | The event ID from the logs of each product | 100100; 100101; 100116; 100117; 100119 | Trend Cloud One - Endpoint & Workload Security; Trend Micro Deep Discovery Inspector; Network Sensor; Trend Micro Apex One as a Service; Trend Micro Deep Security; Trend Micro Cloud App Security; Endpoint Sensor; Trend Micro Email Security; TXOne StellarOne; Trend Vision One Container Security; Email Sensor; File Security; File Security Storage; Agentless Vulnerability & Threat Detection; Trend Vision One Mobile Security; Mobile Network Security; Data Detection and Response |
| eventName | string | true | - | The event type | LOG_INSPECTION_EVENT; SECURITY_RISK_DETECTION; WEB_THREAT_DETECTION; MALWARE_DETECTION; PROCESS_ACTIVITY; WEB_POLICY_VIOLATION; DEEP_PACKET_INSPECTION_EVENT; INTEGRITY_MONITORING_EVENT; DISRUPTIVE_APPLICATION_DETECTION; PRODUCT_SUMMARY; PRODUCT_UPDATE; BEHAVIORAL_VIOLATION; FIREWALL_POLICY_VIOLATION; SUSPICIOUS_BEHAVIOUR_DETECTION; DENYLIST_CHANGE; MACHINE_LEARNING_DETECTION; DLP_VIOLATION; MALWARE_OUTBREAK_DETECTION; SENSITIVE_DATA_DETECTION | Trend Cloud One - Endpoint & Workload Security; Trend Micro Deep Discovery Inspector; Network Sensor; Trend Micro Apex One as a Service; Trend Micro Deep Security; TippingPoint Security Management System; Trend Micro Cloud App Security; Trend Micro Email Security; Endpoint Sensor; Trend Cloud One - Network Security; Zero Trust Secure Access - Internet Access; TXOne EdgeOne; Zero Trust Secure Access - Private Access; TXOne StellarOne; Email Sensor; File Security; File Security Storage; Agentless Vulnerability & Threat Detection; Trend Vision One Mobile Security; Mobile Network Security; Data Detection and Response |
| fileHash | string | true | FileSHA1 | The SHA-1 hash of the file that triggered the rule or policy | DA39A3EE5E6B4B0D3255BFEF95601890AFD80709; 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F; 3AD1F4E7CAA11E5199EE80B8983677ADDD065450 | Trend Cloud One - Endpoint & Workload Security; Trend Micro Deep Discovery Inspector; Network Sensor; Trend Micro Deep Security; Trend Micro Apex One as a Service; Zero Trust Secure Access - Internet Access; File Security; File Security Storage; Agentless Vulnerability & Threat Detection; Data Detection and Response |
| firstSeen | string | true | - | The first time the XDR log appeared | 1657195233000 | Trend Micro Cloud App Security; TXOne StellarOne; Data Detection and Response |
| lastSeen | string | true | - | The last time the XDR log appeared | 1657195233000 | Trend Micro Cloud App Security; TXOne StellarOne; Data Detection and Response |
| lineageId | string | true | - | The lineage ID | 00000000-0000-0000-0000-000000000000; 11111111-1111-1111-1111-111111111111; 22222222-2222-2222-2222-222222222222 | Data Detection and Response |
| logonUsers | dynamic | true | - | The logonUsers value of the original telemetry events that matched the Security Analytics Engine filter | BHBShortJ | ALL; Data Detection and Response |
| matchedPolicies | dynamic | true | - | The matched policies of the detection records | ['00000000-0000-0000-0000-000000000000'] | Data Detection and Response |
| metaSrcExtra | string | true | - | The metadata that identifies the source of the events | [{'metaSrcUri': ...] | Data Detection and Response |
| objectFileHash | string | true | - | The cryptographic hash of the target process image or file, with the specific hash algorithm to be determined | 1ca71017d2fa4775253670e1e55e26912bfdc156 | Data Detection and Response |
| objectFileSize | string | true | - | The file size of the object file | - | Endpoint Sensor; Trend Micro Apex One as a Service; Trend Cloud One - Endpoint & Workload Security; Data Detection and Response |
| objectServiceType | string | true | - | The type of the target file | - | Data Detection and Response |
| objectUri | string | true | - | The path of the target file | C://path/of/file.txt | Data Detection and Response |
| objectUser | string | true | UserAccount | The owner name of the target process or the login user name | - | Trend Cloud One - Endpoint & Workload Security; Endpoint Sensor; Trend Micro Apex One as a Service; Data Detection and Response |
| osName | string | true | - | The host OS name | Linux; windows 10.0.22000; windows 10.0.19044; windows 10.0.19043 | Zero Trust Secure Access - Internet Access; Trend Vision One Mobile Security; Zero Trust Secure Access - Private Access; Data Detection and Response; Agentless Vulnerability & Threat Detection |
| osVer | string | true | - | The OS version | 11 | Trend Vision One Mobile Security; Zero Trust Secure Access - Private Access; Data Detection and Response |
| policyIds | string | true | - | The IDs of the DDR data policies | 11111111-1111-1111-1111-111111111111 | Data Detection and Response |
| ruleIdStr | string | true | - | The rule ID | 0000000-0000-0000-0000-000000000000 | Data Detection and Response |
| ruleName | string | true | - | The name of the rule that triggered the event | Directory Server - Microsoft Windows Active Directory; Microsoft Windows Events; Microsoft Windows Security Events - 3; (T1234) New executable created (chmod); Sensitive Files Upload to Personal Cloud; Multiple Sensitive Files Compression; Transfer Sensitive Files to Removable Storage; Move Multiple Sensitive Files to Central Location; Multiple Sensitive Files Modification; Multiple Sensitive Files Deletion; GEN_CCFR_OVERLAY_TEST.A | Trend Cloud One - Endpoint & Workload Security; Trend Micro Deep Discovery Inspector; Network Sensor; Trend Micro Apex One as a Service; Trend Micro Deep Security; Trend Micro Cloud App Security; TippingPoint Security Management System; Endpoint Sensor; Trend Micro Email Security; Trend Cloud One - Network Security; Zero Trust Secure Access - Private Access; Trend Vision One Container Security; Email Sensor; Mobile Network Security; Data Detection and Response |
| spt | int | true | Port | The source port number | - | Trend Cloud One - Endpoint & Workload Security; Endpoint Sensor; Trend Micro Apex One as a Service; Data Detection and Response |
| src | string | true | - | The source address | - | Trend Cloud One - Endpoint & Workload Security; Endpoint Sensor; Trend Micro Apex One as a Service; Data Detection and Response |
| srcFileHash | string | true | - | The cryptographic hash of the source process image or file, with the specific hash algorithm to be determined | 1ca71017d2fa4775253670e1e55e26912bfdc156 | Data Detection and Response |
| srcFileSize | string | true | - | The file size of the source file | - | Endpoint Sensor; Trend Micro Apex One as a Service; Trend Cloud One - Endpoint & Workload Security; Data Detection and Response |
| srcServiceType | string | true | - | The type of the source file | - | Data Detection and Response |
| srcUri | string | true | - | The path of the source file | C://path/of/file.txt | Data Detection and Response |
| srcUser | string | true | - | The owner name of the source process or the login user name | - | Data Detection and Response |
| uuids | dynamic | true | - | The UUIDs of the detection records | ['00000000-0000-0000-0000-000000000000'] | Data Detection and Response |