tm-v1-schema

Endpoint Sensor

Layer: Endpoint

This documentation provides detailed information about all fields available for Endpoint Sensor.

Field Name Type Searchable General Field Description Example Products
act dynamic true - The actions taken to mitigate the event
  • log
  • isolate
  • terminate
  • not blocked
  • Block
  • No action
  • Reset
  • Pass
  • User Decision
  • Trend Vision One Container Security
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Cloud App Security
  • TippingPoint Security Management System
  • Endpoint Sensor
  • Trend Micro Web Security
  • Trend Micro Email Security
  • Trend Micro Deep Security
  • Trend Cloud One - Network Security
  • Zero Trust Secure Access - Internet Access
  • TXOne EdgeOne
  • Zero Trust Secure Access - Private Access
  • Email Sensor
  • Trend Vision One Mobile Security
  • Mobile Network Security
  • Agentless Vulnerability & Threat Detection
additionalInfo string true - The filter rule info Default
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
app string true - The layer-7 network protocol being exploited protocol SMB Endpoint Sensor
authId string true - The authorization ID
  • 999
  • 996
  • 997
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
azId string true - The Avaliability Zone ID of the virtual machine that made the request
  • us-east-1b
  • us-west-2a
Endpoint Sensor
behaviorCat string true - The matched policy category
  • Policy Enforcement
  • Grey-Detection
  • Threat-Detection
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
channel string true - The Windows event channel
  • Security
  • Microsoft-Windows-WMI-Activity/Trace
  • Microsoft-Windows-TaskScheduler/Operational
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
cloudIdentityAccountId string true - The Cloud Identity account ID used for authorization 111111111111 Endpoint Sensor
cloudIdentityId string true - The Cloud Identity ID used for authorization arn:aws:sts::111111111111:assumed-role/eksctl-aws-test-nodegroup-ng-21d38-NodeInstanceRole-3wPxVEo4zHlK/i-01234567890abcdef Endpoint Sensor
cloudIdentityName string true - The Cloud Identity name used for authorization AWSsampleToken Endpoint Sensor
cloudProvider string true - The service provider of the cloud asset
  • aws
  • azure
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
cloudServiceApiName string true - The cloud service API
  • AssumeRole
  • GetCallerIdentity
  • ListBuckets
Endpoint Sensor
cloudServiceName string true - The cloud service
  • s3.us-east-1.amazonaws.com
  • dynamodb.us-west-2.amazonaws.com
Endpoint Sensor
codeIntegrityOptionEnabled bool true - Whether the system enforced signed kernel loading according to DSE(driver signature enforcement)
  • 1
Endpoint Sensor
codeIntegrityOptionTestsign bool true - Whether the system bypassed DSE(driver signature enforcement) checks and permitted loading of test-signed drivers
  • 1
Endpoint Sensor
correlationData dynamic true - The data for correlation -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
customAssetTags dynamic true - The list of custom asset tags {"os":["linux", "windows"], "org":["bu1"]}
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Vision One Container Security
customAssetTags dynamic true - The list of custom asset tags {"os":["linux", "windows"], "org":["bu1"]}
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
detectedBackupFolder string true - The folder path for detected backup folders C:\\Program Files (x86)\\Trend Micro\\artifact\\DCE
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
detectionAggregationId string true - The correlation key for detection logs and artifacts
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
Endpoint Sensor
detectionAggressivenessLevel int false - The detection aggressiveness level
  • 1
  • 2
  • 3
  • 4
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
deviceGUID string true - The GUID of the agent which reported the detection
  • 00000000-0000-0000-0000-000000000000
  • 11111111-1111-1111-1111-111111111111
  • 22222222-2222-2222-2222-222222222222
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
  • Trend Micro Apex One as a Service
  • TippingPoint Security Management System
  • Endpoint Sensor
  • Trend Cloud One - Network Security
  • Zero Trust Secure Access - Internet Access
deviceType int true - The disk drive type
  • TELEMETRY_DEVICE_TYPE_UNKNOWN
  • TELEMETRY_DEVICE_TYPE_REMOVABLE
Endpoint Sensor
dpt int true Port The destination port
  • 445
  • 80
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • TippingPoint Security Management System
  • Trend Micro Deep Security
  • Trend Cloud One - Network Security
  • Endpoint Sensor
  • TXOne EdgeOne
  • Zero Trust Secure Access - Private Access
  • Trend Vision One Container Security
  • Mobile Network Security
dpt int true Port The destination port number -
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Data Detection and Response
dst dynamic true
  • IPv4
  • IPv6
The destination IP 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • TippingPoint Security Management System
  • Trend Micro Deep Security
  • Trend Cloud One - Network Security
  • Endpoint Sensor
  • Zero Trust Secure Access - Internet Access
  • TXOne EdgeOne
  • Zero Trust Secure Access - Private Access
  • Trend Vision One Container Security
  • Mobile Network Security
dst string true
  • IPv4
  • IPv6
The destination IP address
  • ::
  • 10.10.10.10
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Data Detection and Response
endpointGUID string true EndpointID The GUID of the agent which reported the detection
  • ae4d64aa-f8b8-bb36-b265-f59272ed342f
  • 8fb979f6-1376-bed3-227f-f2886e66194e
  • ca2b3a7e-8415-c571-cc19-e45f69470026
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • Endpoint Sensor
  • Zero Trust Secure Access - Internet Access
  • Trend Vision One Mobile Security
  • Zero Trust Secure Access - Private Access
  • TXOne StellarOne
  • Trend Vision One Container Security
  • Data Detection and Response
endpointGuid string true EndpointID Host GUID of the endpoint on which the event was detected 11111111-1111-1111-1111-111111111111
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
endpointHostName string true EndpointName The endpoint hostname or node where the event was detected
  • 10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0]
  • ip-10-10-10-10.us-west-1.compute.internal
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Zero Trust Secure Access - Internet Access
  • Trend Vision One Mobile Security
  • Zero Trust Secure Access - Private Access
  • TXOne StellarOne
  • Trend Vision One Container Security
  • Agentless Vulnerability & Threat Detection
  • Data Detection and Response
endpointHostName string true EndpointName The host name of the endpoint on which the event was detected
  • PHILIPSIBE09
  • WHAM6WK8XG2
  • MacBook-Pro-del-Meno
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
endpointIp dynamic true
  • IPv4
  • IPv6
IP address of the endpoint on which the event was detected
  • 10.10.10.10
  • ::1
  • fe80::1
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
endpointMacAddress dynamic true - The host MAC address
  • 0-0-0-0-0-0-0-e0
  • 00:00:00:ff:ff:ff
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
engineOperation string true - The operation of the engine event
  • Set Key
  • Invoke API
  • Create
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
engVer string true - The engine version
  • 1.0.0.1123_1.0.0.1101
  • 9.0.1004
  • 22.540.1001
  • Endpoint Sensor
  • Trend Micro Cloud App Security
  • Trend Micro Apex One as a Service
  • File Security
eventDataAccessList string true - The list of requested access rights
  • %%4416
  • %%4417
  • %%4418
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataAccessMask string true - The hexadecimal value of the requested or used permissions during an access attempt
  • 16
  • 2147483648
  • 1048576
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataActionName string true - The action performed
  • Language Components Installer
  • Group Policy Background Processing
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
eventDataAuthenticationPackageName string true - The authentication package name of the Windows event data
  • NTLM
  • Negotiate
  • MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataConsumer string true - The recipient of the reported event
  • HealthDriverEventConsumer="Health Event Consumer"
  • MemoryEventConsumer="Memory Event Consumer"
  • SysEventConsumer="System Event Consumer"
Endpoint Sensor
eventDataElevatedToken string true - Whether the session is elevated and has administrator privileges
  • %%1842
  • %%1843
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataFullyQualifiedAssemblyName string true - The fully qualified .NET assembly name
  • System.Runtime, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
  • System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
  • System.Diagnostics.Process, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataImpersonationLevel string true - The sign-in session impersonation level
  • %%1830
  • %%1832
  • %%1833
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataIpAddress string true - The IP address for Windows event 4624 which is "An account was successfully logged on"
  • -
  • 10.10.10.10
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataLogonProcessName string true - The name of the Windows event sign in process name
  • NtLmSsp
  • Advapi
  • Advapi
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataLogonType string true - The logon type for Windows event 4624 which is "An account was successfully logged on"
  • 3
  • 5
  • 2
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataModuleILPath string true - The CIL image path of the module or the dynamic module name
  • C:\Program Files\Cymulate\Agent\System.Threading.dll
  • C:\windows\system32\tzsync.exe
  • C:\Program.exe
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataObjectName string true - The identifying information about the object for which access was requested
  • \Device\HarddiskVolume2\Windows\System32\lsass.exe
  • C:\Windows\System32\osk.exe
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataObjectType string true - The object type
  • Process
  • File
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataOperation string true - Windows event 11
  • Start IWbemServices::ExecQuery - root\ccm : select * from SMS_Authority
  • Start IWbemServices::ExecQuery - root\cimv2 : select * from win32_process
  • Start IWbemServices::ExecQuery - root\ccm : SELECT * FROM SMS_Authority
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataPath string true - The path of the Windows event data
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\officesvcmgr.exe
  • taskhostw.exe
  • gpupdate.exe
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataProviderName string true - The name of the Windows event data provider
  • SmsClientMethodProvider
  • MS_NT_EVENTLOG_PROVIDER
  • RegProv
Endpoint Sensor
eventDataProviderPath string true - The file path of the Windows event data provider
  • %systemroot%\system32\wbem\ntevt.dll
  • %systemroot%\system32\wbem\stdprov.dll
  • C:\WINDOWS\CCM\smsclient.dll
Endpoint Sensor
eventDataServiceFileName string true - The full file path of the service executable file
  • %SystemRoot%\PSEXESVC.exe
  • C:\Windows\System32\svchost.exe -k WinSysRestoreGroup
Endpoint Sensor
eventDataServiceName string true - The service name
  • PSEXESVC
  • WinResSvc
Endpoint Sensor
eventDataStatus string true - The Windows event data status
  • 0xc000006d
  • -1073741715
  • 0xc000006e
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataSubjectUserName string true - The account name
  • dadmin
  • Alex
  • london$
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataSubStatus string true - The Windows event data sub status
  • 0xc0000064
  • 0xc000006a
  • -1073741724
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataTargetDomainName string true - The target sign-in account domain or computer name
  • NT AUTHORITY
  • Builtin
  • SHOCKWAVE
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataTargetName string true - The service, application, or network resource name
  • Microsoft_RssPlatform_*
  • WindowsLive:target=virtualapp/didlogical
  • MicrosoftOffice*
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataTaskName string true - The task name logged by the Windows event
  • \Microsoft\Windows\LanguageComponentsInstaller\Installation
  • \Microsoft\Office\Office Serviceability Manager
  • \MicrosoftEdgeUpdateTaskMachineUA
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataTicketEncryptionType string true - The cryptographic suite used for the Kerberos TGS
  • 0x12
  • 0x17
  • 0x18
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataTicketOptions string true - The authentication request Kerberos ticket behavior and permissions flags
  • 0x40810000
  • 0x40810010
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataUserContext string true - The user context of the Windows event data
  • MP\MPBSA179345$
  • MP\MPBSASPU179370$
  • MP\MPBSA4025625$
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventDataWorkstationName string true - The name of the computer used in the sign-in attempt
  • WIN-GG82ULGC9GO
  • DESKTOP-123ABC
  • CLIENT01
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventHashId string true - The event hash ID
  • -8406473586387535914
  • 138486453338666581
  • -7909265752378976284
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventId string true - The event ID from the logs of each product
  • 100100
  • 100101
  • 100116
  • 100117
  • 100119
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • Trend Micro Cloud App Security
  • Endpoint Sensor
  • Trend Micro Email Security
  • TXOne StellarOne
  • Trend Vision One Container Security
  • Email Sensor
  • File Security
  • File Security Storage
  • Agentless Vulnerability & Threat Detection
  • Trend Vision One Mobile Security
  • Mobile Network Security
  • Data Detection and Response
eventId int true - Event type -
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventMessage string true - The event message [0x13bb4e2a0] activating connection: mach=true listener=false peer=false name=com.apple.airportd
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventName string true - The event type
  • LOG_INSPECTION_EVENT
  • SECURITY_RISK_DETECTION
  • WEB_THREAT_DETECTION
  • LOG_INSPECTION_EVENT
  • MALWARE_DETECTION
  • PROCESS_ACTIVITY
  • WEB_POLICY_VIOLATION
  • DEEP_PACKET_INSPECTION_EVENT
  • INTEGRITY_MONITORING_EVENT
  • DISRUPTIVE_APPLICATION_DETECTION
  • PRODUCT_SUMMARY
  • PRODUCT_UPDATE
  • BEHAVIORAL_VIOLATION
  • FIREWALL_POLICY_VIOLATION
  • SUSPICIOUS_BEHAVIOUR_DETECTION
  • DENYLIST_CHANGE
  • MACHINE_LEARNING_DETECTION
  • DLP_VIOLATION
  • MALWARE_OUTBREAK_DETECTION
  • SENSITIVE_DATA_DETECTION
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • TippingPoint Security Management System
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • Endpoint Sensor
  • Trend Cloud One - Network Security
  • Zero Trust Secure Access - Internet Access
  • TXOne EdgeOne
  • Zero Trust Secure Access - Private Access
  • TXOne StellarOne
  • Email Sensor
  • File Security
  • File Security Storage
  • Agentless Vulnerability & Threat Detection
  • Trend Vision One Mobile Security
  • Mobile Network Security
  • Data Detection and Response
eventSubId int true - The access type
  • 2 - TELEMETRY_PROCESS_CREATE
  • 101 - TELEMETRY_FILE_CREATE
  • 204 - TELEMETRY_CONNECTION_CONNECT_OUTBOUND
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
eventSubName string true - The event type sub-name
  • IPS Detection
  • Personal Firewall
  • Attack Discovery
  • Trend Micro Apex One as a Service
  • Trend Micro Cloud App Security
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Email Security
  • Endpoint Sensor
  • Zero Trust Secure Access - Internet Access
  • Agentless Vulnerability & Threat Detection
eventTime real true - The time the agent detected the event 1657781088000
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
firstSeen real false - The first time the event was seen 1656355418449
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
hostName string true
  • DomainName
  • HostDomain
The domain name
  • localhost
  • wpad
  • settings-win.data.microsoft.com
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
httpReferer string true URL The HTTP header referer
  • http://10.10.10.10/
  • http://fake/home/
  • http://fake.com/page/Test.jsp
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
importTable dynamic true - The imported table information - Endpoint Sensor
importTableFileName dynamic true - The library file name which has imported functions
  • KERNEL32.dll
  • ADVAPI32.dll
Endpoint Sensor
importTableFunctionName dynamic true - The imported function file name
  • SwitchToThread/GetSystemInfo
  • OpenProcessToken
Endpoint Sensor
instanceAccountId string true - The cloud account ID of the virtual machine that made the request 111111111111 Endpoint Sensor
instanceId string true - The ID of the instance that indicates the meta-cloud or data center VM
  • 52294e7b-f732-c6e9-b2c3-7a6b6f50d101
  • 00030912-c5e7-4348-9012-7c684751c531
  • 0008ae58-db0c-34ee-3e5c-5dfc9b10a739
  • i-0b22a22eec53b9321
  • /subscriptions/bae4f362-e3a0-482f-ba7a-f883d8b410ce/resourceGroups/avtd-csf-sg-lzniibr0/providers/Microsoft.Compute/virtualMachines/avtd-csf-scanner-lzniibr0
  • ocid1.instance.oc1.us-ashburn-1.an2g6ljrgs553pqcjuokzvvwpmwxh564f6f5sx3jpi2sowt6as44uejmsrzq
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Agentless Vulnerability & Threat Detection
  • Mobile Network Security
instanceId string true - The virtual machine instance ID on the cloud platform i-01234567890abcdef
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
instanceName string true - The virtual machine that made the request ec2-123-124-0-12.us-west-2.compute.amazonaws.com Endpoint Sensor
integrityLevel int true - The integrity level of a process 16384 Endpoint Sensor
integrityLevel int true - The integrity level of a process -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
lastSeen real false - The last time the event was seen 1656355418449
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
logKey string true - The unique key of the event
  • 123e4567-e89b-12d3-a456-426614174000
  • 987f6543-21ba-43cd-9e8f-123456789abc
  • 456789ab-cdef-1234-5678-9abcdef01234
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • TippingPoint Security Management System
  • Endpoint Sensor
  • Trend Micro Web Security
  • Trend Cloud One - Network Security
  • Zero Trust Secure Access - Internet Access
logonUser dynamic true UserAccount The logon user name
  • root
  • SISTEMA
  • oracle
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
messageType string true - The message type Default
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
mpname string true - The management product name
  • Cloud One - Workload Security
  • Apex Central
  • Deep Security Software
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • TippingPoint Security Management System
  • Endpoint Sensor
  • Trend Cloud One - Network Security
mpver string true - The product version
  • Microsoft-Windows-Security-Auditing
  • Level -- Medium security
  • TASK1
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
nativeDeviceCharacteristics int false - Additional driver device information
  • 393217
  • 131072
  • 131088
Endpoint Sensor
nativeDeviceType int false - The underlying hardware type of the driver
  • 2
  • 7
  • 20
Endpoint Sensor
nativeStorageDeviceBusType int false - The bus type to which the device is connected
  • 2
  • 17
Endpoint Sensor
networkInterfaceId string true - The network interface of the virtual machine that made the request eni-01234567890abcdef Endpoint Sensor
objectActionResults dynamic true - The object process action results
  • success
  • failure
  • N/A
Endpoint Sensor
objectActionReturnCodes dynamic true - The object process action return codes
  • SUCCESS
  • ErrorProcessNotFound
  • N/A
Endpoint Sensor
objectActions dynamic true - The object process actions
  • ProcessDump
  • FileCollection
Endpoint Sensor
objectApiHookNum int false - The API hook number of the object 1 Endpoint Sensor
objectApiName string true - The API name GetIpNetTable Endpoint Sensor
objectApiName string true - The name of the executed API GetIpNetTable Endpoint Sensor
objectApiRvInNum string true - The API telemetry return value 0 Endpoint Sensor
objectAppName string true - Name of the app involved in the AMSI event
  • Exchange Server 2016
  • PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.19041.1
  • PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.14393.0
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectArtifactIds dynamic true - The artifact IDs generated by objectAction
  • 00000000-0000-0000-0000-000000000000_0.dmp
  • 11111111-1111-1111-1111-111111111111_2.bak
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectAuthId string true - The object authorization ID
  • 999
  • 996
  • 997
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectBmData string true - The data of BM event
  • {"provider":"ORCA","schema_version":1,"data":[{"str":"Access /proc/<pid>/*"}]}
  • {"provider":"ORCA","schema_version":1,"data":[{"str":"source '/etc/profile.d/lang.sh'"}]}
  • {"provider":"ORCA","schema_version":1,"data":[{"str":"source '/etc/profile.d/bash_completion.sh'"}]}
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
objectCmd dynamic true CLICommand The object process command line
  • C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
  • "C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass "& 'C:\WINDOWS\CCM\SystemTemp\afd6f0e5-e491-4764-a20a-9f1d9edf3cce.ps1'"
  • C:\WINDOWS\system32\lsass.exe
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
objectCmd string true CLICommand Command line entry of target process
  • wc -l
  • runc init
  • docker-init --version
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectContentName string true - The AMSI object content name
  • C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.2\PowerShellGet.psd1
  • c:\synclog\BLAST_SCAN.vbs
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectCreateDispositions int false - The disposition of CreateFile - Endpoint Sensor
objectCurrentFileSize long true - Previous size of modified object file
  • 59456
  • 60
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectDesiredAccess int false - The desired access of the event - Endpoint Sensor
objectFileAttributes int false - The new file attributes
  • 2
  • 32
  • 8192
Endpoint Sensor
objectFileAttributesHashId string true - The hash ID of the file attribute meta information
  • 1626660901647460150
  • -3744588546027069975
  • 8709345175736065179
Endpoint Sensor
objectFileCreation string true - The time the object file was created
  • 1652131848000
  • 1577865600000
  • 1648279273000
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectFileCurrentAttributes int false - The original file attributes
  • 34
  • 8224
Endpoint Sensor
objectFileCurrentOwnerName string true - The current owner name of the object file
  • NT AUTHORITY\SYSTEM
  • BUILTIN\Administrators
  • BUILTIN\Administradores
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileCurrentOwnerSid string true - The current security identifier owner of the object file
  • S-1-5-18
  • S-1-5-32-544
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileDaclString string true - The discretionary access control list of the object file
  • D:(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2)
  • D:(A;OICI;GA;;;SY)(A;OICI;0xa0120000;;;WD)(A;OICI;GA;;;BA)
  • D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileExtendedAttribute string true - The extended attributes of the file
  • com.apple.quarantine
  • com.apple.metadata:kMDItemWhereFroms
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileGroupName string true - The object file user group name
  • wheel
  • staff
  • admin
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectFileGroupSid string true - The security identifier of the object file group
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • S-1-5-21-397955417-626881126-188441444-513
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileHashId string true - The object file hash ID
  • 2141057820373638746
  • -6516669617381620295
  • -4912169863817247597
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileHashMd5 string true FileMD5 The MD5 of the object
  • 801E8003C257C8F540B20F1E0DECD3A6
  • CDA48FC75952AD12D99E526D0B6BF70A
  • D5120786925038601A77C2E1EB9A3A0A
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectFileHashMd5 string true FileMD5 The md5 hash of target process image or target file
  • 7ac47235c7bb452a03d3afd872f44c9e
  • c9873d83a969645a97f21adc1b164cc5
  • 3b32b378c8b288de6f15e1607a8c2145
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileHashSha1 string true FileSHA1 The SHA-1 of the objectFilePath object
  • 51B8646308EE0B68AD1F7F1291B85395434DE49A
  • 36C5D12033B2EAF251BAE61C00690FFB17FDDC87
  • 2586528000199793730B05D3F169BCF139E4D7A1
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectFileHashSha1 string true FileSHA1 The SHA1 hash of target process image or target file
  • ded3833f145989fd86c1f4811b61497298ebc7fd
  • c4fa06404142f1994431f9eef3df2cbe0f1998f1
  • 3c01d486ed5aa1ecc2d8f33dc24b0ed59b3e609e
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileHashSha256 string true FileSHA2 The SHA-256 of the object (objectFilePath)
  • A75C85F3B089993E9C042FB82ECB7757E8F460ED8065FC7991CAA38A6DE0F50C
  • 908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53
  • 1A2ABAAD8A166B66CA35AB51C7432C5A7E46996472C8174281842896408D7F96
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectFileHashSha256 string true FileSHA2 The SHA256 hash of target process image or target file
  • 39109eef00821658893b45634fe2f4664f880da9242712df907f1327d4ceefb8
  • 49fa3e206abf6a1f4546417dbe09f3f06b38847866a4a66de75bd90f39cb6c1c
  • 0969321ad5a0923f0f03896ad2c10e49290515c44b721d773942a37f62a24893
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileIsRemoteAccess bool true - The remote access to the object file -
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectFileModifiedTime string true - The time the object file was modified
  • 1652131848000
  • 1577865600000
  • 1648279273000
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectFileOriginalName string true FileName The original file name of the object image
  • Taskmgr.exe
  • WINLOGON.EXE
  • svchost.exe
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectFileOwnerName string true - The object file owner name
  • root
  • NT SERVICE\TrustedInstaller
  • BUILTIN\Administrators
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectFileOwnerSid string true - The security identifier of the object file owner
  • S-1-5-32-544
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFilePath string true FileFullPath The file path of the target process image or target file
  • c:\windows\system32\windowspowershell\v1.0\powershell.exe
  • zwwritevirtualmemory
  • c:\windows\system32\wbem\wmiprvse.exe
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Vision One Container Security
objectFilePath string true
  • FileFullPath
  • FileName
The file path of the target process image or target file
  • /usr/bin/bash
  • /bin/bash
  • /opt/folder1/probes/system/processes/processes
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileRemoteAccess bool true - The remote access for the object file -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectFileSaclString string true - The system access control list of the object file
  • S:NO_ACCESS_CONTROL
  • S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
  • S:(AU;SAFA;0x1f0116;;;WD)
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
objectFileSize string true - The file size of the object file
  • 59456
  • 60
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Data Detection and Response
objectFirstSeen string true - The first time the object was seen
  • 1656458063638
  • 1656260547165
  • 0
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectHashId long false - The object hash ID
  • 8576474808125313522
  • -599270888483415002
  • 2177864258235728980
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectHostName string true DomainName The server name where the Internet event was detected
  • 10.10.10.10
  • sample.test.org
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
objectIntegrityLevel int true - The integrity level of the target process -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectIp string true
  • IPv4
  • IPv6
The IP address of the Internet event 10.10.10.10
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
objectIps dynamic true
  • IPv4
  • IPv6
The IP address list of the Internet event
  • ::1
  • 10.10.10.10
  • ::ffff:10.10.10.10
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectLastSeen string true - The last time the object was seen
  • 1656458354730
  • 1656260580722
  • 0
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectLaunchTime string true - The object launch time of the Windows event
  • 1616412892557
  • 1620778597056
  • 1616414113105
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutFailureMessage string true - The sign-in/sign-out error message Login incorrect
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutFirstSeen long true - The first time the object sign-in/sign-out was seen 1713903612
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutHashId long true - The FNV hash of the object sign-in/sign-out meta -8981232070268295229
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutLastSeen long true - The last time the object sign-in/sign-out was seen 1713903612
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutMetaType int true - The sign-in/sign-out meta 1 - LOGIN_OUT_META_TYPE_OPENSSH
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutSessionId long true - The sign-in/sign-out session ID 260
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutSourceAddress string true - The sign-in/sign-out source IP 10.10.10.10
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectLoginOutStatus int true - The sign-in/sign-out status -1
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectName string true - The base name of the object file or process net.exe
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectName string true - The object name
  • /usr/bin/bash
  • /bin/bash
  • /opt/folder1/probes/system/processes/processes
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectPid int false - The object process PID
  • 17000
  • 22000
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
objectPid int true - The PID of target process -
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectPipeName string true - The object pipe name \\.\pipe\F451F406BD Endpoint Sensor
objectPipeName string true - The named pipe of the event
  • \\.\pipe\name1
  • \\serverHostName\pipe\name1
  • \\serverIp\pipe\name1
Endpoint Sensor
objectPort int true Port The port number used by the Internet event -
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
objectProcessHashId long true - The FNV hash of the target process
  • 1415699552492662761
  • -100650285065767982
  • -1139416698673814436
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectRawDataSize dynamic true - The raw data size of the Windows event object
  • 9
  • 1
  • 564
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectRawDataStr dynamic true - The data contents of the AMSI event
  • $global:?
  • 0
  • $servicename = "WinRM" $arrService = Get-Service $servicename if ($arrService.Status -ne "Running") { Restart-Service $servicename }
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectRegistryData string true RegistryValueData The registry data contents C:\Program Files\AlertMedia\AlertMedia Desktop Notifications\AlertMedia.exe
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectRegistryData string true RegistryValueData The registry value data
  • {11111111-1111-1111-1111-111111111111}
  • 1
  • 0
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectRegistryKeyHandle string true RegistryKey The registry key path
  • HKCR\CID\{00000000-0000-0000-0000-000000000001}
  • HKLM\SOFTWARE\WOW6432Node\Eos
  • HKCU\SOFTWARE\Cerner\InstantAccess
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectRegistryKeyHandle string true RegistryKey The registry key
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  • HKLM\system\currentcontrolset\services\w32time\config
  • HKLM\system\currentcontrolset\services\tcpip\parameters
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectRegistryRoot string true - The name of the object registry root key
  • HKCR
  • HKLM
  • HKCU
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectRegistryRoot int false - The Windows Registry Root ID
  • 3
  • 1
  • 2
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
objectRegistryValue string true RegistryValue The registry value name
  • 1
  • key
  • reg
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectRegistryValue string true RegistryValue The registry value name
  • lastknowngoodtime
  • threadingmodel
  • epoch
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectRegType int false - The registry value type - Endpoint Sensor
objectRegType int false - The Windows Registry Type ID
  • 1
  • 11
  • 4
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectRunAsLocalAccount bool true - The "runas" command uses a local account
  • 1
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectSessionId string true - The object session ID
  • 0
  • 1
  • 2
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectSigner dynamic true - The list of object process signers
  • Microsoft Windows
  • Microsoft Windows Publisher
  • SecureWorks Inc
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
objectSigner dynamic true - The certificate signer of the object process or file
  • Microsoft Windows
  • Software Signing;Apple Code Signing Certification Authority;Apple Root CA;
  • Microsoft Corporation
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectSignerFlagsAdhoc dynamic true - The list of object process signature adhoc flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
objectSignerFlagsAdhoc dynamic true - The list of object process or file signature adhoc flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectSignerFlagsLibValid dynamic true - The list of object process signature library validation flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
objectSignerFlagsLibValid dynamic true - The list of object process or file signature library validation flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectSignerFlagsRuntime dynamic true - The list of object process signature runtime flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
objectSignerFlagsRuntime dynamic true - The list of object process or file signature runtime flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
objectSignerValid dynamic true - Whether each signer of the object process is valid - Endpoint Sensor
objectSignerValid dynamic true - The validity of the certificate signer
  • 1
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectSubTrueType int true - The true sub-type of the file object
  • 5000
  • 18000
  • 28001
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectTrueType int true - The true major type of the file object
  • 7
  • 5
  • 18
  • 4051
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
objectType string true - The object type
  • file
  • process
  • qil
  • Trend Micro Cloud App Security
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Email Security
  • Endpoint Sensor
  • File Security
objectUser string true UserAccount The owner name of the target process or the login user name
  • root
  • SYSTEM
  • oracle
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Data Detection and Response
objectUserDomain string false - The object user domain
  • NT AUTHORITY
  • AUTORIDADE NT
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectUserGroup string true - The user group name
  • staff
  • _spotlight
  • wheel
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
objectUserGroupSids dynamic true - The user group SIDs of the object
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • S-1-5-21-3770350686-3666354711-3866293128-513
Endpoint Sensor
osDescription string true - The OS version
  • Windows 10 (64 bit)
  • Windows 10 Pro (64 bit) build 19044
  • Amazon Linux 2 (64 bit) (5.4.188-104.359.amzn2.x86_64)
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
osName string true - The host operating system name
  • Windows
  • Linux
  • macOS
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
osType string true - The host operating system type
  • 0x00000030
  • 4
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
osVer string true - The version of the host operating system
  • Amazon Linux 2
  • 10.0.19044
  • 10.0.19042
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentAuthId string true - The parent authorization ID
  • 999
  • 996
  • 997
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentCmd string true CLICommand The command line of the subject parent process
  • "C:\Tiburon\CommandCAD\Test\Startup.exe"
  • C:\WINDOWS\Explorer.EXE
  • C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Appinfo
  • Endpoint Sensor
  • Trend Vision One Container Security
parentCmd string true CLICommand The command line entry of the parent process
  • C:\WINDOWS\system32\services.exe
  • C:\Windows\system32\services.exe
  • /sbin/launchd
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
parentFileCreation string true - The time the parent file was created
  • 1652131848000
  • 1577865600000
  • 1635172968000
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentFileCurrentOwnerName string true - The current owner name of the parent file
  • NT AUTHORITY\SYSTEM
  • BUILTIN\Administradores
  • BUILTIN\Administrators
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileCurrentOwnerSid string true - The current security identifier of the parent file owner
  • S-1-5-32-544
  • S-1-5-18
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileDaclString string true - The discretionary access control list of the parent file
  • D:(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2)
  • D:(A;OICI;GA;;;SY)(A;OICI;0xa0120000;;;WD)(A;OICI;GA;;;BA)
  • D:(A;ID;0x1200a9;;;AC)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;S-1-15-2-2)
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileGroupName string true - The name of the parent file user group
  • wheel
  • admin
  • staff
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentFileGroupSid string true - The security identifier of the parent process file group
  • S-1-5-18
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-32-544
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileHashId long true - The parent file hash ID
  • -4092577940452904134
  • 2141057820373638746
  • -821808160829839906
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileHashMd5 string true FileMD5 The MD5 of the subject parent process
  • 7B9E6D992AA86F0D2ECDF8F65A6BB792
  • 2B47C89252BB932B292122E54C3DAF25
  • CD10CB894BE2128FCA0BF0E2B0C27C16
Endpoint Sensor
parentFileHashMd5 string true FileMD5 The MD5 hash of the parent process
  • d8e577bf078c45954f4531885478d5a9
  • cd10cb894be2128fca0bf0e2b0c27c16
  • cfd65bed18a1fae631091c3a4c4dd533
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileHashSha1 string true FileSHA1 The SHA-1 of the subject parent process
  • 9CF40F19A625F7033689D04F4C8E1CC6A8FA4F5B
  • 799AB02945EDB9A37A42A3F742DE73165F4A9665
  • 1F912D4BEC338EF10B7C9F19976286F8ACC4EB97
Endpoint Sensor
parentFileHashSha1 string true FileSHA1 The SHA-1 hash of the parent process
  • d7a213f3cfee2a8a191769eb33847953be51de54
  • 1f912d4bec338ef10b7c9f19976286f8acc4eb97
  • 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileHashSha256 string true FileSHA2 The SHA-256 of the subject parent process
  • 14A1223722D486ABBC88682AB49AF8E56DC65AC4E153027985BFFFF7C815C0EC
  • 2EF51284CA9211ADEC3E8E095F386FEC742E0532075894AE99024C65949F935E
  • F3FEB95E7BCFB0766A694D93FCA29EDA7E2CA977C2395B4BE75242814EB6D881
  • Endpoint Sensor
  • TXOne StellarOne
parentFileHashSha256 string true FileSHA2 The SHA-256 hash of the parent process
  • dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674
  • f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881
  • 00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileModifiedTime string true - The time the parent file was modified
  • 1652131848000
  • 1577865600000
  • 1635172968000
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentFileOriginalName string true FileName The original file name of the parent image
  • Taskmgr.exe
  • WINLOGON.EXE
  • svchost.exe
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentFileOwnerName string true - The owner name of the parent file
  • root
  • cit
  • BUILTIN\Administrators
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentFileOwnerSid string true - The security identifier of the parent file owner
  • S-1-5-32-544
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFilePath string true FileFullPath The full file path of the parent process
  • c:\windows\explorer.exe
  • c:\tiburon\commandcad\test\startup.exe
  • c:\windows\system32\svchost.exe
Endpoint Sensor
parentFilePath string true
  • FileFullPath
  • FileName
The file path of the parent process
  • c:\windows\system32\services.exe
  • /usr/bin/bash
  • c:\windows\system32\svchost.exe
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileRemoteAccess bool true - The remote access to the parent file -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentFileSaclString string true - The system access control list of the parent file
  • S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
  • S:NO_ACCESS_CONTROL
  • S:(AU;IDSAFA;DCLCRPSDWDWO;;;AU)
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
parentFileSize string true - The file size of the parent file
  • 714856
  • 59952
  • 5114880
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentHashId string true - The FNV hash of the parent process
  • -1364311042632324339
  • 1879227689087156956
  • 4246064157470561345
Endpoint Sensor
parentHashId long true - The parent hash ID
  • -865367326691173681
  • -2903238741593506113
  • -4358168316031740439
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentIntegrityLevel int true - The integrity level of the parent process 16384 Endpoint Sensor
parentIntegrityLevel int true - The integrity level of the parent process -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentLaunchTime real true - The time when the parent process was launched
  • 1653614773895
  • 1656118625928
  • 0
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentName string true - The image name of the parent process
  • explorer.exe
  • startup.exe
  • svchost.exe
  • Endpoint Sensor
  • Trend Vision One Container Security
parentName string true - The image name of the parent process
  • c:\windows\system32\services.exe
  • /usr/bin/bash
  • c:\windows\system32\svchost.exe
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentPayloadSigner dynamic true - The signer name list of the parent process payload
  • Microsoft Windows
  • Microsoft Windows Publisher
Endpoint Sensor
parentPayloadSignerFlagsAdhoc dynamic true - The list of parent process payload signature adhoc flags - Endpoint Sensor
parentPayloadSignerFlagsLibValid dynamic true - The list of parent process payload signature library validation flags - Endpoint Sensor
parentPayloadSignerFlagsRuntime dynamic true - The list of parent process payload signature runtime flags - Endpoint Sensor
parentPayloadSignerValid dynamic true - Whether each signer of the parent process payload is valid - Endpoint Sensor
parentPid int true - The PID of the parent process -
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Deep Security
  • Trend Vision One Container Security
parentPid int true - The PID of the parent process
  • 1
  • 976
  • 920
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentSessionId int false - The parent session ID -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentSigner dynamic true - The signers of the parent process
  • Microsoft Windows
  • Microsoft Windows Publisher
  • Azul Systems, Inc.
Endpoint Sensor
parentSigner dynamic true - The signer of the parent file
  • Microsoft Windows Publisher
  • Microsoft Windows
  • Software Signing;Apple Code Signing Certification Authority;Apple Root CA;
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentSignerFlagsAdhoc dynamic true - The list of parent process signature adhoc flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
parentSignerFlagsAdhoc dynamic true - The list of parent process signature adhoc flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentSignerFlagsLibValid dynamic true - The list of parent process signature library validation flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
parentSignerFlagsLibValid dynamic true - The list of parent process signature library validation flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentSignerFlagsRuntime dynamic true - The list of parent process signature runtime flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
parentSignerFlagsRuntime dynamic true - The list of parent process signature runtime flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentSignerValid dynamic true - Whether each signer of the parent process is valid - Endpoint Sensor
parentSignerValid dynamic true - The validity of the parent signer -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentSubTrueType int true - The true file subtype of the parent file -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentTrueType int true - The true file type of the parent file -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentUser string true - The type of user that executed the parent process
  • root
  • SYSTEM
  • SISTEMA
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
parentUserDomain string true - The user domain of the parent process
  • NT AUTHORITY
  • AUTORIDADE NT
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
parentUserGroupSids dynamic true - The SIDs of the parent user group
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • S-1-5-21-3770350686-3666354711-3866293128-513
Endpoint Sensor
patVer string true - The version of the behavior pattern
  • 35.1053.00
  • 630
  • 35.1071.00
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Micro Cloud App Security
plang int false - The product language
  • 1
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
platformAssetTags dynamic true - The list of platform custom asset tags {"Asset group":["finance"], "some.ip": ["10.1.0.1"]}
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Vision One Container Security
platformAssetTags dynamic true - The list of platform custom asset tags {"Asset group":["finance"], "some.ip": ["10.1.0.1"]}
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
pname string true - The internal product ID
  • Trend Micro Deep Security
  • Deep Discovery Inspector
  • Apex One
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • TippingPoint Security Management System
  • Endpoint Sensor
  • Trend Micro Web Security
  • Trend Cloud One - Network Security
  • Zero Trust Secure Access - Internet Access
  • Trend Vision One Mobile Security
  • Trend Vision One Container Security
  • Email Sensor
pname string true - Internal product ID (Deprecated, use productCode)
  • 2200
  • 751
  • 533
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
policyId string true - The ID of the policy under which the event was detected
  • 00000001-0001-0001-0001-000000007610
  • 007
  • 003
  • TM000001
  • TippingPoint Security Management System
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Cloud One - Network Security
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
  • Trend Vision One Container Security
pplat int false - The product platform
  • 5889
  • 9217
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processActionResults dynamic true - The process action results
  • success
  • failure
  • N/A
Endpoint Sensor
processActionReturnCodes dynamic true - The process action return codes
  • SUCCESS
  • ErrorProcessNotFound
  • N/A
Endpoint Sensor
processActions dynamic true - The process actions
  • ProcessDump
  • FileCollection
Endpoint Sensor
processArtifactIds dynamic true - The artifact IDs generated by processAction
  • 00000000-0000-0000-0000-000000000000_1.dmp
  • 11111111-1111-1111-1111-111111111111_2.bak
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
processCmd string true CLICommand The subject process command line
  • "C:\Program Files (x86)\AADM\AADM.exe"
  • /usr/lib/inet/sendmail -bl -q15m
  • ComDir
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Deep Security
  • Trend Micro Apex One as a Service
  • Trend Vision One Container Security
processCmd string true CLICommand The command line entry of the subject process
  • C:\Windows\system32\lsass.exe
  • C:\WINDOWS\system32\lsass.exe
  • nimbus(processes)
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
processFileCreation string true - The time the process file was created
  • 1652131848000
  • 1577865600000
  • 1635172906000
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processFileCurrentOwnerName string true - The current owner name of the process file
  • NT AUTHORITY\SYSTEM
  • BUILTIN\Administrators
  • BUILTIN\Administradores
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileCurrentOwnerSid string true - The current security identifier of the process file owner
  • S-1-5-18
  • S-1-5-32-544
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileDaclString string true - The discretionary access control list of the process file
  • D:(A;ID;0x1200a9;;;AC)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;S-1-15-2-2)
  • D:(A;ID;FA;;;SY)
  • D:(A;ID;FA;;;BA)(A;ID;FA;;;SY)
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileGroupName string true - The name of the process file user group
  • wheel
  • admin
  • staff
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processFileGroupSid string true - The security identifier of the process file group
  • S-1-5-18
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-32-544
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileHashId long true - The file hash of the process
  • 2141057820373638746
  • -821808160829839906
  • 5222963427542927736
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileHashMd5 string true FileMD5 The MD5 of the subject process
  • D07ADD0CE6E000D3CD20193B891E8ED3
  • 1a9ba93ebe4cb60030831f8ce9e7d5f9
  • EEE6691B48D2FB604DDF0CBC90D75B0E
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
processFileHashMd5 string true FileMD5 The MD5 hash of the subject process image
  • cd10cb894be2128fca0bf0e2b0c27c16
  • 7ac47235c7bb452a03d3afd872f44c9e
  • cfd65bed18a1fae631091c3a4c4dd533
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileHashSha1 string true FileSHA1 The SHA-1 of the subject process
  • C0885381EBAC94AB20E78936434FA208F6B65352
  • ac373ed32b491da22924e2e11e36574e5d582a35
  • DF93F7DF887E86C3B56539B5046B286001C6F150
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileHashSha1 string true FileSHA1 The SHA-1 hash of the subject process image
  • 1f912d4bec338ef10b7c9f19976286f8acc4eb97
  • ded3833f145989fd86c1f4811b61497298ebc7fd
  • 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileHashSha256 string true FileSHA2 The SHA-256 of the subject process
  • 4314A869B8DAE1BD3FFF810B1366E90FB7C961D4A3424260692377FDD87361D2
  • 7824c45fc033696603fe97d8f193a1872dfb2b5db75f0cda21df27017b3cb623
  • 1A6D5986EFEAE89308D9EE11B4A7907012603392E0E66D0E529DB09DF1B4CB64
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
processFileHashSha256 string true FileSHA2 The SHA-256 hash of the subject process image
  • f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881
  • 39109eef00821658893b45634fe2f4664f880da9242712df907f1327d4ceefb8
  • 00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileModifiedTime string true - The time the process file was modified
  • 1652131848000
  • 1633413236462
  • 1414554708877
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processFileOriginalName string true FileName The original file name of the process image
  • Taskmgr.exe
  • WINLOGON.EXE
  • svchost.exe
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processFileOwnerName string true - The process file owner name
  • root
  • cit
  • BUILTIN\Administrators
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processFileOwnerSid string true - The security identifier of the process file owner
  • S-1-5-32-544
  • S-1-5-18
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processFilePath string true
  • ProcessFullPath
  • FileFullPath
  • FileName
The file path of the subject process
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\windowspowershell\v1.0\powershell.exe
  • c:\windows\syswow64\srts\wmipr.exe
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
processFilePath string true
  • ProcessFullPath
  • ProcessName
  • FileFullPath
  • FileName
The file path of the subject process
  • /usr/bin/bash
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\lsass.exe
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileRemoteAccess bool true - The remote access to the process file -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processFileSaclString string true - The system access control list of the process file
  • S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
  • S:(AU;IDSAFA;DCLCRPSDWDWO;;;AU)
  • S:NO_ACCESS_CONTROL
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
processFileSize string true - The file size of the process file
  • 59952
  • 59456
  • 47024
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processHashId string true - The FNV hash of the subject process
  • -2965450813604216022
  • 7111735426732308768
  • -7600358934761747729
Endpoint Sensor
processHashId long true - The FNV hash of the subject process
  • 7114696589795796819
  • 1307755369266815004
  • -5015325378148567246
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processImagePath string true - The process triggered by the file event
  • c:\windows\system32\svchost.exe
  • /usr/bin/python2.7
  • /usr/bin/sed
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Deep Security
  • Trend Vision One Container Security
processLaunchTime real true - The time the subject process was launched
  • 1653614775212
  • 1656118626642
  • 1652098160298
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processName string true ProcessName The image name of the process that triggered the event
  • c:\windows\system32\svchost.exe
  • /usr/bin/python2.7
  • /usr/bin/sed
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Deep Security
  • Trend Vision One Container Security
  • Trend Micro Apex One as a Service
processName string true ProcessName The image name of the process that triggered the event
  • /usr/bin/bash
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\lsass.exe
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processPayloadSigner dynamic true - The signer name list of the process payload
  • Microsoft Windows
  • Microsoft Windows Publisher
Endpoint Sensor
processPayloadSignerFlagsAdhoc dynamic true - The list of process payload signature adhoc flags - Endpoint Sensor
processPayloadSignerFlagsLibValid dynamic true - The list of process payload signature library validation flags - Endpoint Sensor
processPayloadSignerFlagsRuntime dynamic true - The list of process payload signature runtime flags - Endpoint Sensor
processPayloadSignerValid dynamic true - Whether each signer of the process payload is valid - Endpoint Sensor
processPid int true - The PID of the subject process -
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Vision One Container Security
processPid int true - The PID of the subject process
  • 4
  • 1
  • 784
  • 792
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processPkgName string true - The process package name
  • MSTeams
  • Microsoft.SkypeApp
Endpoint Sensor
processSigner dynamic true - The signer name list of the subject process
  • Microsoft Windows
  • Microsoft Windows Publisher
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
processSigner dynamic true - The process file signer
  • Microsoft Windows
  • Microsoft Windows Publisher
  • Microsoft Corporation
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processSignerFlagsAdhoc dynamic true - The list of process signature adhoc flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
processSignerFlagsAdhoc dynamic true - The list of process signature adhoc flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processSignerFlagsLibValid dynamic true - The list of process signature library validation flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
processSignerFlagsLibValid dynamic true - The list of process signature library validation flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processSignerFlagsRuntime dynamic true - The list of process signature runtime flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
processSignerFlagsRuntime dynamic true - The list of process signature runtime flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processSignerValid dynamic true - The validity of the process signer
  • 1
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processStackTrace string true - The process stack trace of the telemetry event C:\Windows\System32\ntdll.dll?NtCreateUserProcess|ZwCreateUserProcess, C:\Windows\System32\kernelbase.dll!CreateProcessInternalW Endpoint Sensor
processSubTrueType int true - The true file subtype of the process -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processTrueType int true - The true file type of the process -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processUser string true UserAccount The owner name of the subject process image
  • root
  • SYSTEM
  • SISTEMA
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
processUserDomain string true - The process user domain
  • NT AUTHORITY
  • AUTORIDADE NT
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
processUserGroupSids dynamic true - The user group SIDs of the process
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • S-1-5-21-3770350686-3666354711-3866293128-513
Endpoint Sensor
proto int false - The protocol type
  • TELEMETRY_CONNECTION_TCP
  • TELEMETRY_CONNECTION_UDP
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
providerGUID string true - The GUID of the Windows event provider {11111111-1111-1111-1111-111111111111}
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
providerName string true - The name of the Windows event provider
  • Microsoft-Windows-Security-Auditing
  • Microsoft-Windows-WMI-Activity
  • Microsoft-Windows-TaskScheduler
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
proxy string true - The proxy address
  • proxy.sample:8080
  • 10.10.10.10:8080
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
publicSpt int true Port The public port of the endpoint making the request 57163 Endpoint Sensor
publicSrc string true
  • IPv4
  • IPv6
The public IP of the endpoint making the request 10.10.10.10 Endpoint Sensor
pver string true - The product version
  • 1.2.0.2752
  • 1.0.345
  • 1.2.0.2657
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
rawDataSize string true - The size of the Windows event log
  • 1128
  • 1129
  • 1127
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
rawDataStr string true - Windows event raw contents
  • { "EventData" : { "LogonType" : "", "TargetDomainName" : "", "TargetLogonId" : "", "TargetUserName" : "", "TargetUserSid" : "" } }
  • { "EventData" : { "LogonType" : "10", "TargetDomainName" : "AFASADV", "TargetLogonId" : "14941011731", "TargetUserName" : "administrator", "TargetUserSid" : "S-1-5-21-1507008304-2416677881-2121376573-500" } }
  • { "EventData" : { "LogonType" : "10", "TargetDomainName" : "AIS", "TargetLogonId" : "216921070", "TargetUserName" : "MWoodr01", "TargetUserSid" : "S-1-5-21-1873864278-1756520048-3043165120-15057" } }
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
regionId string true - The cloud asset region
  • US East (N. Virginia)
  • Europe (Frankfurt)
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
request string true URL The request URL
  • http://10.10.10.10/fake/site
  • http:///fake/param.cgi?action=list&group=Alarm.Status
  • http://fake.com/
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
requestMethod string true - The network protocol request method
  • GET
  • POST
  • PUT
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
riskLevel string true - The risk level
  • 1
  • high
  • No Risk
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Apex One as a Service
  • Trend Micro Cloud App Security
  • Endpoint Sensor
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
rt string false - The Unix time of the log generation 1656324260000
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • Trend Micro Cloud App Security
  • Trend Micro Email Security
  • TippingPoint Security Management System
  • Endpoint Sensor
  • Trend Micro Web Security
  • Trend Cloud One - Network Security
  • Zero Trust Secure Access - Internet Access
  • Zero Trust Secure Access - Private Access
  • Email Sensor
rt string false - The event time 1657781088000
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
ruleId int true - The rule ID 1005566
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
ruleName string true - The name of the rule that triggered the event
  • Directory Server - Microsoft Windows Active Directory
  • Microsoft Windows Events
  • Microsoft Windows Security Events - 3
  • (T1234) New executable created (chmod)
  • Sensitive Files Upload to Personal Cloud
  • Multiple Sensitive Files Compression
  • Transfer Sensitive Files to Removable Storage
  • Move Multiple Sensitive Files to Central Location
  • Multiple Sensitive Files Modification
  • Multiple Sensitive Files Deletion
  • GEN_CCFR_OVERLAY_TEST.A
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Deep Security
  • Trend Micro Cloud App Security
  • TippingPoint Security Management System
  • Endpoint Sensor
  • Trend Micro Email Security
  • Trend Cloud One - Network Security
  • Zero Trust Secure Access - Private Access
  • Trend Vision One Container Security
  • Email Sensor
  • Mobile Network Security
  • Data Detection and Response
sessionId int false - The session ID
  • 1
  • 2
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
smbSharedName string true - The shared folder name for the server that contains the files to be opened C:\sharedfolder Endpoint Sensor
smbSharedName string true - The shared folder name for the server that contains the files sharedfolder Endpoint Sensor
sourceType string true - The source type
  • user defined
  • sandbox
  • syscall
  • Trend Micro Apex One as a Service
  • Trend Vision One Container Security
  • Endpoint Sensor
spt int true Port The source port
  • 53
  • 7680
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • TippingPoint Security Management System
  • Trend Micro Deep Security
  • Trend Cloud One - Network Security
  • Endpoint Sensor
  • TXOne EdgeOne
  • Zero Trust Secure Access - Private Access
  • Trend Vision One Container Security
  • Mobile Network Security
spt int true Port The source port number
  • 53
  • 5353
  • 443
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Data Detection and Response
src dynamic true
  • IPv4
  • IPv6
The source IP 10.10.10.10
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • TippingPoint Security Management System
  • Trend Micro Deep Security
  • Trend Cloud One - Network Security
  • Endpoint Sensor
  • Zero Trust Secure Access - Internet Access
  • TXOne EdgeOne
  • Zero Trust Secure Access - Private Access
  • Trend Vision One Container Security
  • Mobile Network Security
src string true
  • IPv4
  • IPv6
The source address
  • ::
  • 10.10.10.10
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Data Detection and Response
srcFileCreation string true - The time the source file was created
  • 1577865600000
  • 1626201752000
  • 1626201750000
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
srcFileCurrentOwnerName string true - The current owner name of the source file
  • NT AUTHORITY\SYSTEM
  • BUILTIN\Administrators
  • AUTORIDADE NT\SISTEMA
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
srcFileCurrentOwnerSid string true - The security identifier of the current owner of the source file
  • S-1-5-18
  • S-1-5-32-544
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
srcFileDaclString string true - The discretionary access control list of the source file
  • D:(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2)
  • D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
  • D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
srcFileGroupName string true - The source file user group name
  • wheel
  • staff
  • NT SERVICE\TrustedInstaller
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
srcFileGroupSid string true - The security identifier of the source file group
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • S-1-5-21-3770350686-3666354711-3866293128-513
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
srcFileHashId long false - The source file hash ID
  • 1102079405020678318
  • -6926286289273504319
  • 8528955148329941480
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
srcFileHashMd5 string true FileMD5 The MD5 hash of the source file
  • e5d5e9c1f65b8ec7aa5b7f1b1acdd731
  • a6779bf446db07e4c4ba3516b273c496
  • 4bb7334fdadc6eccb8e6ab402aae013b
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
srcFileHashSha1 string true FileSHA1 The SHA-1 hash of the source file
  • 5d34902fecc1760138212ada36be1e742bda5e52
  • dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
  • 2292f8109cd756e790c068a52d50f1b0858f503b
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
srcFileHashSha256 string true FileSHA2 The SHA-256 hash of the source file
  • 4eaa002225f4ea2dedcd19b7f1337d7c58ea7dd6d4571c12468dde95e6bcfdaf
  • e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
  • 16b20a3ad485b4fbbe3028c7e743b226db21ea93cacc8b3d7d7d4a731bf02333
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
srcFileIsRemoteAccess bool true - The remote access of the source file -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
srcFileModifiedTime string true - The time the source file was modified
  • 1626201752000
  • 1626201750000
  • 1577865600000
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
srcFileOwnerName string true - The source file owner name
  • root
  • NT SERVICE\TrustedInstaller
  • NT AUTHORITY\SYSTEM
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
srcFileOwnerSid string true - The security identifier of the source file owner
  • S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
  • S-1-5-18
  • S-1-5-32-544
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
srcFilePath string true
  • FileFullPath
  • FileName
The source file path
  • \\cnva-apps\megaclockprod\traveler\travelerprint.accdb
  • c:\program files\common files\microsoft shared\clicktorun\officesvcmgrschedule.xml
  • q:\a7_dbs\a4_pkg\a4_packaging.accde
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
srcFileSaclString string true - The system access control list of the source file
  • S:NO_ACCESS_CONTROL
  • S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
  • S:(AU;IDSAFA;DCLCRPSDWDWO;;;AU)
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
srcFileSize string true - The file size of the source file
  • 0
  • 131072
  • 196608
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
  • Data Detection and Response
srcFirstSeen string true - The first time the source file was seen
  • 0
  • 1656355418449
  • 1656714760440
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
srcHashId long false - The source hash ID
  • 4070054759888344851
  • 2177864258235728980
  • 3476454206648023552
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
srcLastSeen string true - The last time the source file was seen
  • 0
  • 1656355418449
  • 1656715147313
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
srcSigner dynamic true - The signer of the source file
  • Microsoft Windows
  • Microsoft Corporation
  • Google LLC
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
srcSignerFlagsAdhoc dynamic true - The list of source file signature adhoc flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
srcSignerFlagsLibValid dynamic true - The list of source file signature library validation flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
srcSignerFlagsRuntime dynamic true - The list of source file signature runtime flags -
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
srcSignerValid dynamic true - The validity of the source file signer -
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
srcSubTrueType int false - The true file subtype of the source file -
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
srcTrueType int false - The true file type of the source file -
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
status string true - The HTTP response status code
  • 200
  • 500
  • 403
  • Trend Micro Apex One as a Service
  • Endpoint Sensor
  • Trend Cloud One - Endpoint & Workload Security
subnetId string true - The subnet ID of the virtual machine that made the request subnet-01234567890abcdef Endpoint Sensor
subSystem string true - The subsystem information com.apple.xpc
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
suspiciousObject string true - The matched suspicious object 36ba9de3da9e6f8abfffdda7787ab0ecc16724bb Endpoint Sensor
suspiciousObjectType string true - The matched suspicious object type sha1 Endpoint Sensor
tacticId dynamic true Tactic The list of MITRE tactic IDs
  • TA0011
  • TA0008
  • TA0001
  • Trend Micro Deep Discovery Inspector
  • Network Sensor
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
timezone string true - The host time zone
  • UTC+00:00
  • UTC-05:00
  • UTC-03:00
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
triggerReason string true - The cause of the triggered action
  • FILEMETA.T1027.009.TRICKBOT.SMITRE1B2, T1027.009
  • ST002
  • Scheduled Scan (custom)
  • Scheduled Scan (system)
  • Remote Scan: the user triggered the Apex One agent from the Trend Vision One console
  • Manual Scan: the user triggered the local agent
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Cloud One - Endpoint & Workload Security
userDomain dynamic true - The user domain name
  • CORP
  • AUTORIDADE NT
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
vpcId string true - The virtual private cloud that contains the cloud asset vpc-01234567890abcdef
  • Trend Cloud One - Endpoint & Workload Security
  • Endpoint Sensor
winEventId int true - The event ID of the Windows event
  • 11
  • 4624
  • 4670
  • Endpoint Sensor
  • Trend Micro Apex One as a Service

Generated by XDR Common Schema Public Doc Generator V2