act |
dynamic |
true |
- |
The actions taken to mitigate the event |
- log
- isolate
- terminate
- not blocked
- Block
- No action
- Reset
- Pass
- User Decision
|
- Trend Vision One Container Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Cloud App Security
- TippingPoint Security Management System
- Endpoint Sensor
- Trend Micro Web Security
- Trend Micro Email Security
- Trend Micro Deep Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
- TXOne EdgeOne
- Zero Trust Secure Access - Private Access
- Email Sensor
- Trend Vision One Mobile Security
- Mobile Network Security
- Agentless Vulnerability & Threat Detection
|
actResult |
dynamic |
true |
- |
The result of an action |
- Dropped
- Successful
- Accepted
|
- Trend Micro Apex One as a Service
- Trend Micro Cloud App Security
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- TXOne StellarOne
- Trend Vision One Mobile Security
|
aggregatedCount |
string |
true |
- |
The number of aggregated events |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- TippingPoint Security Management System
- Trend Micro Web Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
- TXOne StellarOne
- Data Detection and Response
- Trend Cloud One - Endpoint & Workload Security
|
behaviorCat |
string |
true |
- |
The matched policy category |
- Policy Enforcement
- Grey-Detection
- Threat-Detection
|
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
cat |
int |
false |
- |
The weighted priority of the incident |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
|
category |
string |
true |
- |
The event category |
- Exploits
- Reconnaissance
- Vulnerabilities
- Security Policy
|
- TippingPoint Security Management System
- Mobile Network Security
- Trend Cloud One - Endpoint & Workload Security
|
censusMaturityValue |
int |
true |
- |
The CENSUS maturity value |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
censusPrevalenceValue |
int |
true |
- |
The CENSUS prevalence value |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
cloudProvider |
string |
true |
- |
The service provider of the cloud asset |
- alibaba cloud
- aws
- azure
- gcp
- oci
|
- Trend Cloud One - Endpoint & Workload Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
|
cloudProvider |
string |
true |
- |
The service provider of the cloud asset |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
|
compressedFileHash |
string |
true |
FileSHA1 |
The SHA-1 of the decompressed archive |
- 6E2ECB34B7798E179CC704111FB9733FBAAD5ACA
- FA71B59F35F0EE44D27F74917EF5A0DA2797E80B
- 14D2302172EB81465CE12E01361AE24CDE170F7B
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- File Security
- File Security Storage
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Agentless Vulnerability & Threat Detection
|
compressedFileHashSha256 |
string |
true |
FileSHA2 |
The SHA-256 of the compressed suspicious file |
- 60C7C5924DD09F7C6B150120FB92DCEE00AE82DB75C7402FA4D9152CF487A94F
- 482FFC4F87B78C3C7073983CF65B593D9F13F0A3D6DC54B4A3F616F79838F3CE
- 68C0126D9B4B0FC32DE181D0D67DA8FE82E23745F6023317D5E053B6F6ED26CF
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- File Security
- File Security Storage
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Agentless Vulnerability & Threat Detection
|
compressedFileName |
string |
true |
FileName |
The file name of the compressed file |
- /proc/32058/fd/150
- NONAMEFL
- /proc/10006/fd/30
- VirusActionSample/RPF2_OtherMalwareSample-other.exe
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- File Security
- File Security Storage
- Trend Cloud One - Endpoint & Workload Security
- Agentless Vulnerability & Threat Detection
- Trend Vision One Container Security
|
customAssetTags |
dynamic |
true |
- |
The list of custom asset tags |
{"os":["linux", "windows"], "org":["bu1"]} |
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Vision One Container Security
|
customAssetTags |
dynamic |
true |
- |
The list of custom asset tags |
{"os":["linux", "windows"], "org":["bu1"]} |
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
cves |
dynamic |
true |
- |
The CVEs associated with this filter |
- CVE-2014-3567
- CVE-2016-6304
- CVE-2011-1385
|
- TippingPoint Security Management System
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
dceArtifactActions |
dynamic |
true |
- |
The actions performed on Damage Cleanup Engine artifacts |
- folder_backup
- objproc_dump
- subproc_dump
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
detectedActions |
dynamic |
true |
- |
The actions performed on detected artifacts |
- folder_backup
- objproc_dump
- subproc_dump
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
detectedBackupArtifacts |
dynamic |
true |
- |
The information about detected artifacts |
{"objectArtifactId": "025d9f2a-ac9c-4cdf-b9e4-cf20c6e40281_0.dmp", "action": "object_process_dump", "status": 0, "processCreationTime": "1627574338077", "processImageFileName": "C:\\Program Files\\aaa\\bbb\\objprocess.exe"} |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
detectedBackupArtifactsStatus |
dynamic |
true |
- |
The backup status of detected artifacts |
['0', '-67'] |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
detectedBackupFolder |
string |
true |
- |
The folder path for detected backup folders |
C:\\Program Files (x86)\\Trend Micro\\artifact\\DCE |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Endpoint Sensor
|
detectedPattern |
string |
true |
- |
The detected pattern |
dct.virus |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
detectionAggregationIds |
dynamic |
true |
- |
The list of detection aggregation IDs |
['11111111-1111-1111-1111-111111111111'] |
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
detectionAggressivenessLevel |
int |
false |
- |
The detection aggressiveness level |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
detectionEngineVersion |
string |
true |
- |
The detection engine version |
7.6.0 |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
detectionMeta |
dynamic |
true |
- |
The descriptions of the detected techniques |
['T1204 some description about this technique', 'T1573.001_AES another description about this technique'] |
- Trend Micro Apex One as a Service
- Trend Micro Apex One On-Premises
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
detectionNames |
dynamic |
true |
- |
The rules that triggered the event |
['HS_EMOTET.SMAA', 'HM_AVEDOWN.SMZTIG-A', 'HE_DOCQRPHISH.SM'] |
- Trend Micro Apex One as a Service
- Trend Micro Apex One On-Premises
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
detectionType |
string |
true |
- |
The detection type |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Web Security
- Trend Micro Apex One as a Service
- Trend Micro Cloud App Security
- Trend Micro Deep Security
- Trend Micro Email Security
- Zero Trust Secure Access - Internet Access
- Trend Vision One Mobile Security
- Zero Trust Secure Access - Private Access
- Trend Vision One Container Security
|
dmac |
string |
true |
- |
The MAC address of the destination IP (dest_ip) |
- 00:00:00:00:00:00
- ff:ff:ff:ff:ff:ff
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- TXOne EdgeOne
|
dpt |
int |
true |
Port |
The destination port |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- TippingPoint Security Management System
- Trend Micro Deep Security
- Trend Cloud One - Network Security
- Endpoint Sensor
- TXOne EdgeOne
- Zero Trust Secure Access - Private Access
- Trend Vision One Container Security
- Mobile Network Security
|
dpt |
int |
true |
Port |
The destination port number |
- |
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Data Detection and Response
|
dst |
dynamic |
true |
|
The destination IP |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- TippingPoint Security Management System
- Trend Micro Deep Security
- Trend Cloud One - Network Security
- Endpoint Sensor
- Zero Trust Secure Access - Internet Access
- TXOne EdgeOne
- Zero Trust Secure Access - Private Access
- Trend Vision One Container Security
- Mobile Network Security
|
dst |
string |
true |
|
The destination IP address |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Data Detection and Response
|
duser |
dynamic |
true |
EmailRecipient |
The email recipient |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- Trend Micro Email Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Email Sensor
|
endpointGUID |
string |
true |
EndpointID |
The GUID of the agent which reported the detection |
- ae4d64aa-f8b8-bb36-b265-f59272ed342f
- 8fb979f6-1376-bed3-227f-f2886e66194e
- ca2b3a7e-8415-c571-cc19-e45f69470026
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Endpoint Sensor
- Zero Trust Secure Access - Internet Access
- Trend Vision One Mobile Security
- Zero Trust Secure Access - Private Access
- TXOne StellarOne
- Trend Vision One Container Security
- Data Detection and Response
|
endpointGuid |
string |
true |
EndpointID |
Host GUID of the endpoint on which the event was detected |
11111111-1111-1111-1111-111111111111 |
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
endpointHostName |
string |
true |
EndpointName |
The endpoint hostname or node where the event was detected |
- 10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0]
- ip-10-10-10-10.us-west-1.compute.internal
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Zero Trust Secure Access - Internet Access
- Trend Vision One Mobile Security
- Zero Trust Secure Access - Private Access
- TXOne StellarOne
- Trend Vision One Container Security
- Agentless Vulnerability & Threat Detection
- Data Detection and Response
|
endpointHostName |
string |
true |
EndpointName |
The host name of the endpoint on which the event was detected |
- PHILIPSIBE09
- WHAM6WK8XG2
- MacBook-Pro-del-Meno
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
endpointIp |
dynamic |
true |
|
The IP address of the endpoint on which the event was detected |
10.10.10.10 |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- TippingPoint Security Management System
- Trend Cloud One - Network Security
- TXOne EdgeOne
- Agentless Vulnerability & Threat Detection
- Data Detection and Response
|
endpointIp |
dynamic |
true |
|
IP address of the endpoint on which the event was detected |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
endpointMacAddress |
dynamic |
true |
- |
The host MAC address |
- 0-0-0-0-0-0-0-e0
- 00:00:00:ff:ff:ff
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
endTime |
long |
true |
- |
The time when the last event was received (in Unix milliseconds) |
1750983926000 |
Trend Cloud One - Endpoint & Workload Security |
eventHashId |
string |
true |
- |
The event hash ID |
- -8406473586387535914
- 138486453338666581
- -7909265752378976284
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
eventId |
string |
true |
- |
The event ID from the logs of each product |
- 100100
- 100101
- 100116
- 100117
- 100119
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- Endpoint Sensor
- Trend Micro Email Security
- TXOne StellarOne
- Trend Vision One Container Security
- Email Sensor
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
- Trend Vision One Mobile Security
- Mobile Network Security
- Data Detection and Response
|
eventId |
int |
true |
- |
The event type (numeric code) |
- |
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
eventName |
string |
true |
- |
The event type |
- LOG_INSPECTION_EVENT
- SECURITY_RISK_DETECTION
- WEB_THREAT_DETECTION
- MALWARE_DETECTION
- PROCESS_ACTIVITY
- WEB_POLICY_VIOLATION
- DEEP_PACKET_INSPECTION_EVENT
- INTEGRITY_MONITORING_EVENT
- DISRUPTIVE_APPLICATION_DETECTION
- PRODUCT_SUMMARY
- PRODUCT_UPDATE
- BEHAVIORAL_VIOLATION
- FIREWALL_POLICY_VIOLATION
- SUSPICIOUS_BEHAVIOUR_DETECTION
- DENYLIST_CHANGE
- MACHINE_LEARNING_DETECTION
- DLP_VIOLATION
- MALWARE_OUTBREAK_DETECTION
- SENSITIVE_DATA_DETECTION
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- TippingPoint Security Management System
- Trend Micro Cloud App Security
- Trend Micro Email Security
- Endpoint Sensor
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
- TXOne EdgeOne
- Zero Trust Secure Access - Private Access
- TXOne StellarOne
- Email Sensor
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
- Trend Vision One Mobile Security
- Mobile Network Security
- Data Detection and Response
|
eventSubId |
int |
true |
- |
The access type |
|
- Trend Cloud One - Endpoint & Workload Security
- TXOne StellarOne
|
eventSubId |
int |
true |
- |
The event sub-type (the specific operation within an event type) |
- 2 - TELEMETRY_PROCESS_CREATE
- 101 - TELEMETRY_FILE_CREATE
- 204 - TELEMETRY_CONNECTION_CONNECT_OUTBOUND
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
eventSubName |
string |
true |
- |
The event type sub-name |
- IPS Detection
- Personal Firewall
- Attack Discovery
|
- Trend Micro Apex One as a Service
- Trend Micro Cloud App Security
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Email Security
- Endpoint Sensor
- Zero Trust Secure Access - Internet Access
- Agentless Vulnerability & Threat Detection
|
eventTime |
real |
true |
- |
The time the agent detected the event |
1657781088000 |
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
fileHash |
string |
true |
FileSHA1 |
The SHA-1 of the file that triggered the rule or policy |
- DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
- 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F
- 3AD1F4E7CAA11E5199EE80B8983677ADDD065450
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- Zero Trust Secure Access - Internet Access
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
- Data Detection and Response
|
fileHashSha256 |
string |
true |
FileSHA2 |
The SHA-256 of the file (fileName) |
- 6A6EB2D717CEA041B4444193B45EDFB6CA1287518203B7230B3C4B8FFB031EAB
- BFF703FF836196644586014DA13A097C2EE9A08E4D596DFB7C8E0F685FE01294
- 12327F460AC9CBBC34D39EB3CF89C7FECCA37F08773A04566840F73F6ECC4104
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Zero Trust Secure Access - Internet Access
- Trend Cloud One - Endpoint & Workload Security
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
- Trend Vision One Container Security
|
fileName |
dynamic |
true |
FileName |
The file name |
- spoolss
- hosts
- svcrestarttask
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Zero Trust Secure Access - Internet Access
- TXOne StellarOne
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
|
fileOperation |
string |
true |
- |
The operation of the file |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
filePath |
string |
true |
FileFullPath |
The file path without the file name |
- security
- /var/log/audit/audit.log
- application
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
- TXOne StellarOne
- File Security
- File Security Storage
|
filePathName |
string |
true |
FileFullPath |
The file path with the file name |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- TXOne StellarOne
|
firstAct |
string |
true |
- |
The first scan action |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
|
firstActResult |
string |
true |
- |
The first scan action result |
- File passed
- Unable to quarantine file
- File quarantined
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
|
firstSeen |
real |
false |
- |
The first time the event was seen |
1656355418449 |
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
fullPath |
string |
true |
FileFullPath |
The combination of the file path and the file name |
- \etc\hosts
- c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask
- \var\log\auth.log
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- TXOne StellarOne
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
- Trend Vision One Container Security
|
groups |
string |
true |
- |
The OSSEC rule group names |
- auditd,audit,
- dirservice_log,authentication_failure,
- windows,authentication_failures,
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
hostId |
int |
false |
- |
The host ID |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
hostName |
string |
true |
|
The computer name of the client host (for Deep Discovery Inspector, the host name taken from the detected suspicious URL) |
- Let's Encrypt
- 10.10.10.10
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- TXOne EdgeOne
|
hostName |
string |
true |
|
The domain name |
- localhost
- wpad
- settings-win.data.microsoft.com
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
httpReferer |
string |
true |
URL |
The HTTP referer |
- http://172.16.58.233/
- http://example/page1/
- https://www.google.com/
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
instanceId |
string |
true |
- |
The instance ID of the cloud or data center virtual machine |
- 52294e7b-f732-c6e9-b2c3-7a6b6f50d101
- 00030912-c5e7-4348-9012-7c684751c531
- 0008ae58-db0c-34ee-3e5c-5dfc9b10a739
- i-0b22a22eec53b9321
- /subscriptions/bae4f362-e3a0-482f-ba7a-f883d8b410ce/resourceGroups/avtd-csf-sg-lzniibr0/providers/Microsoft.Compute/virtualMachines/avtd-csf-scanner-lzniibr0
- ocid1.instance.oc1.us-ashburn-1.an2g6ljrgs553pqcjuokzvvwpmwxh564f6f5sx3jpi2sowt6as44uejmsrzq
|
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Agentless Vulnerability & Threat Detection
- Mobile Network Security
|
instanceId |
string |
true |
- |
The virtual machine instance ID on the cloud platform |
i-01234567890abcdef |
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
|
interestedHost |
string |
true |
DomainName |
The endpoint hostname (For example, if an intranet host accesses a suspicious internet host, the intranet host is the "peerHost" and the internet host is the "interestedHost") |
- 10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0]
- es-dtc-w-dc02.example.corp
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
|
interestedIp |
dynamic |
true |
|
The IP of the interestedHost |
10.10.10.10 |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- TippingPoint Security Management System
- Trend Cloud One - Network Security
- TXOne EdgeOne
|
isEntity |
string |
true |
- |
The current entity (or after change/modification) |
- {"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"running","name":"state","value":"4"}]}
- {"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"stopped","name":"state","value":"1"}]}
- {"key":"<example>","type":"File","attributes":[]}
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
isProxy |
bool |
true |
- |
Whether something is a proxy |
False |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
lastSeen |
real |
false |
- |
The last time the event was seen |
1656355418449 |
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
logKey |
string |
true |
- |
The unique key of the event |
- 123e4567-e89b-12d3-a456-426614174000
- 987f6543-21ba-43cd-9e8f-123456789abc
- 456789ab-cdef-1234-5678-9abcdef01234
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- Trend Micro Email Security
- TippingPoint Security Management System
- Endpoint Sensor
- Trend Micro Web Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
|
logonUser |
dynamic |
true |
UserAccount |
The logon user name |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
majorVirusType |
string |
true |
- |
The virus type |
- Virus
- Suspicious Activity
- Trojan
- TROJ
|
- Trend Micro Deep Security
- Trend Cloud One - Endpoint & Workload Security
- Trend Vision One Mobile Security
- TXOne EdgeOne
- TXOne StellarOne
- File Security Storage
|
malFamily |
string |
true |
- |
The threat family |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- File Security
|
malName |
string |
true |
- |
The name of the detected malware |
- SecurityLevelDrop
- Regla Logs All
- USR_SUSPICIOUS_DOMAIN.UMXX
|
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Web Security
- TXOne StellarOne
- Email Sensor
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
- Trend Vision One Container Security
|
malType |
string |
true |
- |
The risk type for Network Content Correlation Engine rules |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- File Security
- Trend Vision One Container Security
|
mDeviceGUID |
string |
true |
- |
The GUID of the agent host |
- C5B09EDD-C725-907F-29D9-B8C30D18C48F
- C05B75AB-B518-BDD0-D2B5-E9CB631C539F
- 9C28ACD3-D0EC-22A4-B08D-5B0BEFF501FC
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
|
mitreVersion |
string |
true |
- |
The MITRE ATT&CK version |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
moduleScanType |
string |
true |
- |
The module scan type |
traditional |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
mpname |
string |
true |
- |
The management product name |
- Cloud One - Workload Security
- Apex Central
- Deep Security Software
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- TippingPoint Security Management System
- Endpoint Sensor
- Trend Cloud One - Network Security
|
mpver |
string |
true |
- |
The product version |
- Microsoft-Windows-Security-Auditing
- Level -- Medium security
- TASK1
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- Endpoint Sensor
|
objectAppName |
string |
true |
- |
Name of the app involved in the AMSI event |
- Exchange Server 2016
- PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.19041.1
- PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.14393.0
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectArtifactIds |
dynamic |
true |
- |
The artifact IDs generated by objectAction |
- 00000000-0000-0000-0000-000000000000_0.dmp
- 11111111-1111-1111-1111-111111111111_2.bak
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectAttributes |
string |
true |
- |
The object attributes |
attribute |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectBmData |
string |
true |
- |
The data of the BM (behavior monitoring) event |
- {"provider":"ORCA","schema_version":1,"data":[{"str":"Access /proc/<pid>/*"}]}
- {"provider":"ORCA","schema_version":1,"data":[{"str":"source '/etc/profile.d/lang.sh'"}]}
- {"provider":"ORCA","schema_version":1,"data":[{"str":"source '/etc/profile.d/bash_completion.sh'"}]}
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
|
objectCmd |
dynamic |
true |
CLICommand |
The object process command line |
- C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
- "C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass "& 'C:\WINDOWS\CCM\SystemTemp\afd6f0e5-e491-4764-a20a-9f1d9edf3cce.ps1'"
- C:\WINDOWS\system32\lsass.exe
|
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
|
objectCmd |
string |
true |
CLICommand |
The command line of the target process |
- wc -l
- runc init
- docker-init --version
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
objectContentName |
string |
true |
- |
The AMSI object content name |
- C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.2\PowerShellGet.psd1
- c:\synclog\BLAST_SCAN.vbs
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectCurrentFileSize |
long |
true |
- |
The previous size of the modified object file |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectCurrentPosixPermission |
string |
true |
- |
The new POSIX file permission (mode) set in file events and chmod events |
1050180 |
Trend Cloud One - Endpoint & Workload Security |
objectFileAccess |
string |
true |
- |
The object file access time (the example is a Unix millisecond timestamp) |
1717658631000 |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectFileCreation |
string |
true |
- |
The time the object was created (ISO 8601 with a UTC offset) |
- 2014-11-22T01:45:51-06:00
- 2009-07-13T23:31:13-05:00
- 2014-11-21T02:43:28-05:00
|
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectFileCreation |
string |
true |
- |
The time the object file was created (Unix milliseconds, stored as a string) |
- 1652131848000
- 1577865600000
- 1648279273000
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectFileGroupName |
string |
true |
- |
The object file user group name |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectFileHashId |
string |
true |
- |
The object file hash ID |
- 2141057820373638746
- -6516669617381620295
- -4912169863817247597
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
objectFileHashMd5 |
string |
true |
FileMD5 |
The MD5 of the object |
- 801E8003C257C8F540B20F1E0DECD3A6
- CDA48FC75952AD12D99E526D0B6BF70A
- D5120786925038601A77C2E1EB9A3A0A
|
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
|
objectFileHashMd5 |
string |
true |
FileMD5 |
The MD5 hash of the target process image or target file |
- 7ac47235c7bb452a03d3afd872f44c9e
- c9873d83a969645a97f21adc1b164cc5
- 3b32b378c8b288de6f15e1607a8c2145
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
objectFileHashSha1 |
string |
true |
FileSHA1 |
The SHA-1 of the objectFilePath object |
- 51B8646308EE0B68AD1F7F1291B85395434DE49A
- 36C5D12033B2EAF251BAE61C00690FFB17FDDC87
- 2586528000199793730B05D3F169BCF139E4D7A1
|
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
|
objectFileHashSha1 |
string |
true |
FileSHA1 |
The SHA-1 hash of the target process image or target file |
- ded3833f145989fd86c1f4811b61497298ebc7fd
- c4fa06404142f1994431f9eef3df2cbe0f1998f1
- 3c01d486ed5aa1ecc2d8f33dc24b0ed59b3e609e
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
objectFileHashSha256 |
string |
true |
FileSHA2 |
The SHA-256 of the object (objectFilePath) |
- A75C85F3B089993E9C042FB82ECB7757E8F460ED8065FC7991CAA38A6DE0F50C
- 908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53
- 1A2ABAAD8A166B66CA35AB51C7432C5A7E46996472C8174281842896408D7F96
|
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
|
objectFileHashSha256 |
string |
true |
FileSHA2 |
The SHA-256 hash of the target process image or target file |
- 39109eef00821658893b45634fe2f4664f880da9242712df907f1327d4ceefb8
- 49fa3e206abf6a1f4546417dbe09f3f06b38847866a4a66de75bd90f39cb6c1c
- 0969321ad5a0923f0f03896ad2c10e49290515c44b721d773942a37f62a24893
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
objectFileIsRemoteAccess |
bool |
true |
- |
Whether the object file was accessed remotely |
- |
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
|
objectFileModified |
string |
true |
- |
The UTC time that the object was modified |
- 2024-10-10T10:10:10.0000000Z
- 2024-11-11T11:11:11.0000000Z
|
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectFileModifiedTime |
string |
true |
- |
The time the object file was modified (Unix epoch, in milliseconds) |
- 1652131848000
- 1577865600000
- 1648279273000
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectFileName |
string |
true |
FileName |
The object file name |
- powershell.exe
- wmiprvse.exe
- dismhost.exe
|
- Trend Micro Apex One as a Service
- Trend Vision One Container Security
- Trend Cloud One - Endpoint & Workload Security
|
objectFileOriginalName |
string |
true |
FileName |
The original file name of the object image |
- Taskmgr.exe
- WINLOGON.EXE
- svchost.exe
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectFileOwnerName |
string |
true |
- |
The object file owner name |
- root
- NT SERVICE\TrustedInstaller
- BUILTIN\Administrators
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectFilePath |
string |
true |
FileFullPath |
The file path of the target process image or target file |
- c:\windows\system32\windowspowershell\v1.0\powershell.exe
- zwwritevirtualmemory
- c:\windows\system32\wbem\wmiprvse.exe
|
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Vision One Container Security
|
objectFilePath |
string |
true |
|
The file path of the target process image or target file |
- /usr/bin/bash
- /bin/bash
- /opt/folder1/probes/system/processes/processes
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
objectFileSize |
long |
true |
- |
The object file size |
|
Trend Cloud One - Endpoint & Workload Security |
objectFileSize |
string |
true |
- |
The file size of the object file |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Data Detection and Response
|
objectFirstSeen |
string |
true |
- |
The first time the object was seen (Unix epoch, in milliseconds; a value of 0 means no time was recorded) |
- 1656458063638
- 1656260547165
- 0
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectHashId |
long |
false |
- |
The object hash ID |
- 8576474808125313522
- -599270888483415002
- 2177864258235728980
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
objectIp |
dynamic |
true |
|
The IP address of the domain |
10.10.10.10 |
Trend Cloud One - Endpoint & Workload Security |
objectIps |
dynamic |
true |
|
The list of IP addresses of the internet event |
- ::1
- 10.10.10.10
- ::ffff:10.10.10.10
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
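The objectIps examples above show one host in two spellings ("10.10.10.10" and the IPv4-mapped IPv6 form "::ffff:10.10.10.10") next to the IPv6 loopback. A watchlist comparison on the raw strings misses the mapped form and double-counts the host. The following Python is an added example, not Trend Micro code; it canonicalizes the list with the standard ipaddress module before matching. The sample list is built from the example values on this page plus one deliberately malformed entry, and the watchlist is made up.

```python
"""Normalize objectIps entries for watchlist matching.

Added example, not Trend Micro code. objectIps is a dynamic list that mixes
IPv4 ("10.10.10.10"), IPv6 loopback ("::1") and IPv4-mapped IPv6
("::ffff:10.10.10.10"), so one host can appear twice and a string comparison
against a watchlist misses the mapped form. The watchlist used below is made up.
"""
import ipaddress


def canonical_ip(text):
    """Parse one entry; an IPv4-mapped IPv6 address is unwrapped to plain IPv4."""
    addr = ipaddress.ip_address(str(text).strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def normalize_object_ips(values):
    """Unique canonical addresses in order of first appearance.

    Unparsable entries are dropped rather than guessed at.
    """
    seen, out = set(), []
    for v in values or []:
        try:
            addr = canonical_ip(v)
        except ValueError:
            continue
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def remote_ips(values):
    """String form of the non-loopback addresses, i.e. the peers worth pivoting on."""
    return [str(a) for a in normalize_object_ips(values) if not a.is_loopback]


def watchlist_hits(values, watchlist):
    """Event addresses that match the watchlist, compared after canonicalization."""
    wanted = {canonical_ip(w) for w in watchlist}
    return [str(a) for a in normalize_object_ips(values) if a in wanted]


# Constructed objectIps value: the example entries from the field table plus
# one malformed entry to show that it is skipped instead of raising.
SAMPLE_OBJECT_IPS = ["::1", "10.10.10.10", "::ffff:10.10.10.10", "not-an-ip"]

if __name__ == "__main__":
    print(remote_ips(SAMPLE_OBJECT_IPS))
    print(watchlist_hits(SAMPLE_OBJECT_IPS, ["::ffff:10.10.10.10"]))
```

The same canonicalization should be applied to the watchlist side, as watchlist_hits does, so an indicator recorded in mapped form still matches a plain IPv4 entry.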
objectLastSeen |
string |
true |
- |
The last time the object was seen (Unix epoch, in milliseconds; a value of 0 means no time was recorded) |
- 1656458354730
- 1656260580722
- 0
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectLaunchTime |
string |
true |
- |
The launch time of the object in the Windows event (Unix epoch, in milliseconds) |
- 1616412892557
- 1620778597056
- 1616414113105
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
objectName |
string |
true |
- |
The base name of the object file or process |
net.exe |
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectName |
string |
true |
- |
The object name |
- /usr/bin/bash
- /bin/bash
- /opt/folder1/probes/system/processes/processes
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
objectPid |
int |
false |
- |
The object process PID |
|
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
|
objectPid |
int |
true |
- |
The PID of target process |
- |
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
objectPosixPermission |
string |
true |
- |
The current POSIX permission of the file, stored as a decimal integer |
1050112 |
Trend Cloud One - Endpoint & Workload Security |
objectPosixPermissionHashId |
string |
true |
- |
The POSIX permission hash ID |
-8931783023607715387 |
Trend Cloud One - Endpoint & Workload Security |
objectProcessHashId |
long |
true |
- |
The FNV hash ID of the target process |
- 1415699552492662761
- -100650285065767982
- -1139416698673814436
|
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
|
objectRawDataSize |
dynamic |
true |
- |
The raw data size of the Windows event object |
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectRawDataStr |
dynamic |
true |
- |
The data contents of the AMSI event |
- $global:?
- 0
- $servicename = "WinRM"
$arrService = Get-Service $servicename
if ($arrService.Status -ne "Running")
{
Restart-Service $servicename
}
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectRegistryData |
string |
true |
RegistryValueData |
The registry data contents |
C:\Program Files\AlertMedia\AlertMedia Desktop Notifications\AlertMedia.exe |
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectRegistryData |
string |
true |
RegistryValueData |
The registry value data |
- {11111111-1111-1111-1111-111111111111}
- 1
- 0
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectRegistryKeyHandle |
string |
true |
RegistryKey |
The registry key path |
- HKCR\CID\{00000000-0000-0000-0000-000000000001}
- HKLM\SOFTWARE\WOW6432Node\Eos
- HKCU\SOFTWARE\Cerner\InstantAccess
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectRegistryKeyHandle |
string |
true |
RegistryKey |
The registry key |
- HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- HKLM\system\currentcontrolset\services\w32time\config
- HKLM\system\currentcontrolset\services\tcpip\parameters
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectRegistryRoot |
string |
true |
- |
The name of the object registry root key |
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
|
objectRegistryRoot |
int |
false |
- |
The Windows Registry Root ID |
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectRegistryValue |
string |
true |
RegistryValue |
The registry value name |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectRegistryValue |
string |
true |
RegistryValue |
Registry value name |
- lastknowngoodtime
- threadingmodel
- epoch
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
objectRegType |
int |
false |
- |
The Windows Registry Type ID |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
objectRunAsLocalAccount |
bool |
true |
- |
Whether the object was run as ("runas") a local account |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
objectSessionId |
string |
true |
- |
The object session ID |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectSigner |
dynamic |
true |
- |
The certificate signer of the object process or file |
- Microsoft Windows
- Software Signing;Apple Code Signing Certification Authority;Apple Root CA;
- Microsoft Corporation
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectSignerValid |
dynamic |
true |
- |
The validity of the certificate signer |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectSubTrueType |
int |
true |
- |
The true sub-type of the file object |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectTrueType |
int |
true |
- |
The true major type of the file object |
|
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
|
objectType |
string |
true |
- |
The object type |
|
- Trend Micro Cloud App Security
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Email Security
- Endpoint Sensor
- File Security
|
objectUser |
string |
true |
UserAccount |
The owner name of the target process or the login user name |
|
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectUser |
string |
true |
UserAccount |
The owner name of the target process or the login user name |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Data Detection and Response
|
objectUserDomain |
string |
true |
- |
The owner domain of the target process |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
objectUserDomain |
string |
false |
- |
The object user domain |
- NT AUTHORITY
- AUTORIDADE NT
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
objectUserGroup |
string |
true |
- |
The user group name |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
oldFileHash |
string |
true |
FileSHA1 |
The SHA-1 of the target process image or target file (the previous entity, wasEntity, of an Integrity Monitoring event) |
- DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
- 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F
- 57247B810B0EE61DD86CE24AC14097B9B5405EEC
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
originalFileHashes |
dynamic |
true |
FileSHA1 |
The hashes of the original file |
- ba4700bfd55741c657a99fbe416787835fb384da
- 639dfe4a69c1e6aace1e4eece3b3bb25af6a1392
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
originalFilePaths |
dynamic |
true |
|
The paths of the original file |
C:\\Users\\user_name\\Downloads\\run.exe |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
osDescription |
string |
true |
- |
The OS version |
- Windows 10 (64 bit)
- Windows 10 Pro (64 bit) build 19044
- Amazon Linux 2 (64 bit) (5.4.188-104.359.amzn2.x86_64)
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
osName |
string |
true |
- |
The host operating system name |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
osType |
string |
true |
- |
The host operating system type |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
osVer |
string |
true |
- |
The version of the host operating system |
- Amazon Linux 2
- 10.0.19044
- 10.0.19042
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
out |
string |
true |
- |
The IP datagram length (in bytes) |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
parentCmd |
string |
true |
CLICommand |
The command line entry of the parent process |
- C:\WINDOWS\system32\services.exe
- C:\Windows\system32\services.exe
- /sbin/launchd
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
parentFileCreation |
string |
true |
- |
The time the parent file was created (Unix epoch, in milliseconds) |
- 1652131848000
- 1577865600000
- 1635172968000
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
parentFileGroupName |
string |
true |
- |
The name of the parent file user group |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
parentFileHashId |
long |
true |
- |
The parent file hash ID |
- -4092577940452904134
- 2141057820373638746
- -821808160829839906
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
parentFileHashMd5 |
string |
true |
FileMD5 |
The MD5 hash of the parent process |
- d8e577bf078c45954f4531885478d5a9
- cd10cb894be2128fca0bf0e2b0c27c16
- cfd65bed18a1fae631091c3a4c4dd533
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
parentFileHashSha1 |
string |
true |
FileSHA1 |
The SHA-1 hash of the parent process |
- d7a213f3cfee2a8a191769eb33847953be51de54
- 1f912d4bec338ef10b7c9f19976286f8acc4eb97
- 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
parentFileHashSha256 |
string |
true |
FileSHA2 |
The SHA-256 hash of the parent process |
- dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674
- f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881
- 00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
parentFileModifiedTime |
string |
true |
- |
The time the parent file was modified (Unix epoch, in milliseconds) |
- 1652131848000
- 1577865600000
- 1635172968000
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
parentFileOriginalName |
string |
true |
FileName |
The original file name of the parent image |
- Taskmgr.exe
- WINLOGON.EXE
- svchost.exe
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
parentFileOwnerName |
string |
true |
- |
The owner name of the parent file |
- root
- cit
- BUILTIN\Administrators
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
parentFilePath |
string |
true |
|
The file path of the parent process |
- c:\windows\system32\services.exe
- /usr/bin/bash
- c:\windows\system32\svchost.exe
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
parentFileSize |
string |
true |
- |
The file size of the parent file |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
parentHashId |
long |
true |
- |
The parent hash ID |
- -865367326691173681
- -2903238741593506113
- -4358168316031740439
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
parentLaunchTime |
real |
true |
- |
The time when the parent process was launched (Unix epoch, in milliseconds; a value of 0 means no time was recorded) |
- 1653614773895
- 1656118625928
- 0
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
parentName |
string |
true |
- |
The image name of the parent process |
- c:\windows\system32\services.exe
- /usr/bin/bash
- c:\windows\system32\svchost.exe
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
parentPid |
int |
true |
- |
The PID of the parent process |
- |
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Deep Security
- Trend Vision One Container Security
|
parentPid |
int |
true |
- |
The PID of the parent process |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
parentSessionId |
int |
false |
- |
The parent session ID |
- |
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
parentSigner |
dynamic |
true |
- |
The signer of the parent file |
- Microsoft Windows Publisher
- Microsoft Windows
- Software Signing;Apple Code Signing Certification Authority;Apple Root CA;
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
parentSignerValid |
dynamic |
true |
- |
The validity of the parent signer |
- |
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
parentSubTrueType |
int |
true |
- |
The true file subtype of the parent file |
- |
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
parentTrueType |
int |
true |
- |
The true file type of the parent file |
- |
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
parentUser |
string |
true |
- |
The account name of the parent process |
Administrator |
Trend Cloud One - Endpoint & Workload Security |
parentUser |
string |
true |
- |
The type of user that executed the parent process |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
parentUserDomain |
string |
true |
- |
The domain name of the parent process |
builtindomain |
Trend Cloud One - Endpoint & Workload Security |
parentUserDomain |
string |
true |
- |
The user domain of the parent process |
- NT AUTHORITY
- AUTORIDADE NT
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
plang |
int |
false |
- |
The product language |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
platformAssetTags |
dynamic |
true |
- |
The list of platform custom asset tags |
{"Asset group":["finance"], "some.ip": ["10.1.0.1"]} |
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Vision One Container Security
|
platformAssetTags |
dynamic |
true |
- |
The list of platform custom asset tags |
{"Asset group":["finance"], "some.ip": ["10.1.0.1"]} |
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
pname |
string |
true |
- |
The internal product ID |
- Trend Micro Deep Security
- Deep Discovery Inspector
- Apex One
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- Trend Micro Email Security
- TippingPoint Security Management System
- Endpoint Sensor
- Trend Micro Web Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
- Trend Vision One Mobile Security
- Trend Vision One Container Security
- Email Sensor
|
pname |
string |
true |
- |
The internal product ID (deprecated; use productCode) |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
policyId |
string |
true |
- |
The ID of the policy under which the event was detected |
- 00000001-0001-0001-0001-000000007610
- 007
- 003
- TM000001
|
- TippingPoint Security Management System
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Trend Cloud One - Network Security
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- Trend Vision One Container Security
|
pplat |
int |
false |
- |
The product platform |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
processArtifactIds |
dynamic |
true |
- |
The artifact IDs generated by processAction |
- 00000000-0000-0000-0000-000000000000_1.dmp
- 11111111-1111-1111-1111-111111111111_2.bak
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
processCmd |
string |
true |
CLICommand |
The subject process command line |
- "C:\Program Files (x86)\AADM\AADM.exe"
- /usr/lib/inet/sendmail -bl -q15m
- ComDir
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- Trend Vision One Container Security
|
processCmd |
string |
true |
CLICommand |
The command line entry of the subject process |
- C:\Windows\system32\lsass.exe
- C:\WINDOWS\system32\lsass.exe
- nimbus(processes)
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
processFileCreation |
string |
true |
- |
The time the process file was created (Unix epoch, in milliseconds) |
- 1645828113585
- 1655412594237
- 1647162053219
|
Trend Cloud One - Endpoint & Workload Security |
processFileCreation |
string |
true |
- |
The time the process file was created (Unix epoch, in milliseconds) |
- 1652131848000
- 1577865600000
- 1635172906000
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
processFileGroupName |
string |
true |
- |
The name of the process file user group |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
processFileHashId |
long |
true |
- |
The file hash ID of the process |
- 2141057820373638746
- -821808160829839906
- 5222963427542927736
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
processFileHashMd5 |
string |
true |
FileMD5 |
The MD5 of the subject process |
- D07ADD0CE6E000D3CD20193B891E8ED3
- 1a9ba93ebe4cb60030831f8ce9e7d5f9
- EEE6691B48D2FB604DDF0CBC90D75B0E
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
|
processFileHashMd5 |
string |
true |
FileMD5 |
The MD5 hash of the subject process image |
- cd10cb894be2128fca0bf0e2b0c27c16
- 7ac47235c7bb452a03d3afd872f44c9e
- cfd65bed18a1fae631091c3a4c4dd533
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
processFileHashSha1 |
string |
true |
FileSHA1 |
The SHA-1 of the subject process |
- C0885381EBAC94AB20E78936434FA208F6B65352
- ac373ed32b491da22924e2e11e36574e5d582a35
- DF93F7DF887E86C3B56539B5046B286001C6F150
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
processFileHashSha1 |
string |
true |
FileSHA1 |
The SHA-1 hash of the subject process image |
- 1f912d4bec338ef10b7c9f19976286f8acc4eb97
- ded3833f145989fd86c1f4811b61497298ebc7fd
- 9ad737cbd8bbdddc96726156dbd3bc03936bf02f
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
processFileHashSha256 |
string |
true |
FileSHA2 |
The SHA-256 of the subject process |
- 4314A869B8DAE1BD3FFF810B1366E90FB7C961D4A3424260692377FDD87361D2
- 7824c45fc033696603fe97d8f193a1872dfb2b5db75f0cda21df27017b3cb623
- 1A6D5986EFEAE89308D9EE11B4A7907012603392E0E66D0E529DB09DF1B4CB64
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
|
processFileHashSha256 |
string |
true |
FileSHA2 |
The SHA-256 hash of the subject process image |
- f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881
- 39109eef00821658893b45634fe2f4664f880da9242712df907f1327d4ceefb8
- 00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
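The objectFileHash*, parentFileHash* and processFileHash* fields above are emitted in upper case by some sources and lower case by others (compare the two objectFileHashMd5 entries), so a case-sensitive indicator match silently misses part of the telemetry, and the *HashId fields are internal integer IDs rather than digests. The following Python is an added example, not Trend Micro code: it classifies each hash field by digest length, lower-cases it, and matches a record against an IOC list regardless of case. The record is constructed from example values on this page; the IOC list is made up.

```python
"""Normalize the hash fields of a Trend Vision One search record for IOC matching.

Added example; not part of the Trend Micro documentation. SAMPLE_RECORD is
built from the example values in the field table and SAMPLE_IOCS is made up.
"""
import re

HASH_FIELDS = (
    "objectFileHashMd5", "objectFileHashSha1", "objectFileHashSha256",
    "processFileHashMd5", "processFileHashSha1", "processFileHashSha256",
    "parentFileHashMd5", "parentFileHashSha1", "parentFileHashSha256",
)
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def normalize_hash(value):
    """Return (algorithm, lower-case hex) or None when the value is not a digest.

    The length check also rejects the integer *HashId fields, which are not hashes
    of the file content and must not be matched against IOC lists.
    """
    if not isinstance(value, str):
        return None
    v = value.strip()
    if len(v) not in _ALGO_BY_LEN or not _HEX.match(v):
        return None
    return _ALGO_BY_LEN[len(v)], v.lower()


def record_hashes(record):
    """Map every populated hash field of a record to (algorithm, hex)."""
    out = {}
    for field in HASH_FIELDS:
        norm = normalize_hash(record.get(field))
        if norm:
            out[field] = norm
    return out


def match_iocs(record, iocs):
    """Names of the fields whose digest appears in the IOC list, case-insensitively."""
    wanted = {h.strip().lower() for h in iocs}
    return sorted(f for f, (_, h) in record_hashes(record).items() if h in wanted)


# Constructed record using example values from the field table; note the mixed case.
SAMPLE_RECORD = {
    "objectFileHashMd5": "801E8003C257C8F540B20F1E0DECD3A6",
    "objectFileHashSha1": "ded3833f145989fd86c1f4811b61497298ebc7fd",
    "objectFileHashSha256": "A75C85F3B089993E9C042FB82ECB7757E8F460ED8065FC7991CAA38A6DE0F50C",
    "processFileHashSha256": "39109eef00821658893b45634fe2f4664f880da9242712df907f1327d4ceefb8",
    "parentFileHashMd5": "d8e577bf078c45954f4531885478d5a9",
    "objectFileHashId": "2141057820373638746",   # internal hash ID, not a digest
}

# Made-up IOC list, deliberately in the opposite case to the record above.
SAMPLE_IOCS = [
    "a75c85f3b089993e9c042fb82ecb7757e8f460ed8065fc7991caa38a6de0f50c",
    "D8E577BF078C45954F4531885478D5A9",
]

if __name__ == "__main__":
    print(match_iocs(SAMPLE_RECORD, SAMPLE_IOCS))
```

When building a search filter rather than post-processing results, apply the same rule: supply the indicator in both cases or use a case-insensitive operator, since the stored value follows the emitting product.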
processFileModifiedTime |
string |
true |
- |
The time the process file was modified (Unix epoch, in milliseconds) |
- 1652131848000
- 1633413236462
- 1414554708877
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
processFileOriginalName |
string |
true |
FileName |
The original file name of the process image |
- Taskmgr.exe
- WINLOGON.EXE
- svchost.exe
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
processFileOwnerName |
string |
true |
- |
The process file owner name |
- root
- cit
- BUILTIN\Administrators
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
processFilePath |
string |
true |
- ProcessFullPath
- FileFullPath
- FileName
|
The file path of the subject process |
- c:\windows\system32\svchost.exe
- c:\windows\system32\windowspowershell\v1.0\powershell.exe
- c:\windows\syswow64\srts\wmipr.exe
|
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
|
processFilePath |
string |
true |
- ProcessFullPath
- ProcessName
- FileFullPath
- FileName
|
The file path of the subject process |
- /usr/bin/bash
- c:\windows\system32\svchost.exe
- c:\windows\system32\lsass.exe
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
processFileSize |
string |
true |
- |
The file size of the process file |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
processHashId |
long |
true |
- |
The FNV hash ID of the subject process |
- 7114696589795796819
- 1307755369266815004
- -5015325378148567246
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
processImageFileNames |
dynamic |
true |
- |
The process image file names of detected backup artifacts |
- C:\Program Files\aaa\bbb\objprocess.exe
- C:\Program Files\ccc\ddd\sample.exe
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
processImagePath |
string |
true |
- |
The image path of the process that triggered the file event |
- c:\windows\system32\svchost.exe
- /usr/bin/python2.7
- /usr/bin/sed
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Deep Security
- Trend Vision One Container Security
|
processLaunchTime |
string |
true |
- |
The time the subject process was launched (Unix epoch, in milliseconds) |
- 1656400286556
- 1656566610259
- 1656587180493
|
Trend Cloud One - Endpoint & Workload Security |
processLaunchTime |
real |
true |
- |
The time the subject process was launched (Unix epoch, in milliseconds) |
- 1653614775212
- 1656118626642
- 1652098160298
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
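The timestamp fields in this table use two encodings: objectFileModified is ISO 8601 with seven fractional digits ("2024-10-10T10:10:10.0000000Z"), while objectFileModifiedTime, objectFirstSeen, objectLastSeen, objectLaunchTime, the *FileCreation and *FileModifiedTime fields, parentLaunchTime and processLaunchTime are Unix epoch milliseconds carried as a string or a real, with 0 appearing where no time was recorded. The following Python is an added example, not Trend Micro code; it converts both forms to timezone-aware UTC datetimes, treats 0 as unknown instead of as 1970, and computes the first-seen to last-seen window. The record is constructed from example values on this page.

```python
"""Convert the timestamp fields of a Trend Vision One search record to UTC datetimes.

Added example, not Trend Micro code. Two encodings appear in the field table:
  - objectFileModified: ISO 8601 with seven fractional digits
  - the other timestamp fields: Unix epoch in milliseconds, as string or real,
    where 0 stands for "no time recorded"
"""
import re
from datetime import datetime, timedelta, timezone

_ISO_UTC = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")

ISO_FIELDS = ("objectFileModified",)
EPOCH_MS_FIELDS = (
    "objectFileModifiedTime", "objectFirstSeen", "objectLastSeen", "objectLaunchTime",
    "parentFileCreation", "parentFileModifiedTime", "parentLaunchTime",
    "processFileCreation", "processFileModifiedTime", "processLaunchTime",
)


def parse_iso_utc(value):
    """Parse the ISO form. datetime.fromisoformat() rejects seven fractional
    digits on older interpreters, so the fraction is truncated to microseconds."""
    m = _ISO_UTC.match(value.strip())
    if not m:
        raise ValueError(f"not an ISO 8601 UTC timestamp: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base + timedelta(microseconds=micros)


def parse_epoch_ms(value):
    """Parse epoch milliseconds given as str, int or float; 0 or empty -> None."""
    if value is None or value == "":
        return None
    ms = int(float(value))
    if ms <= 0:
        return None          # 0 is the "unknown" placeholder seen in the examples
    # Keep the millisecond remainder exact instead of dividing a float by 1000.
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)


def normalize_times(record):
    """Return {field: datetime or None} for every timestamp field present in the record."""
    out = {}
    for f in ISO_FIELDS:
        if f in record:
            out[f] = parse_iso_utc(record[f]) if record[f] else None
    for f in EPOCH_MS_FIELDS:
        if f in record:
            out[f] = parse_epoch_ms(record[f])
    return out


def seen_window_seconds(record):
    """Seconds between objectFirstSeen and objectLastSeen, or None if either is unknown."""
    t = normalize_times(record)
    first, last = t.get("objectFirstSeen"), t.get("objectLastSeen")
    if first is None or last is None:
        return None
    return (last - first).total_seconds()


# Constructed record built from the example values in the field table.
SAMPLE_RECORD = {
    "objectFileModified": "2024-10-10T10:10:10.0000000Z",
    "objectFileModifiedTime": "1652131848000",
    "objectFirstSeen": "1656458063638",
    "objectLastSeen": "1656458354730",
    "objectLaunchTime": "0",
    "parentLaunchTime": 1653614773895.0,
}

if __name__ == "__main__":
    for field, ts in normalize_times(SAMPLE_RECORD).items():
        print(f"{field:24s} {ts.isoformat() if ts else 'unknown'}")
    print("seen window (s):", seen_window_seconds(SAMPLE_RECORD))
```

Treating 0 as None matters when sorting or computing dwell time: left as an epoch value it sorts before every real event and produces a multi-decade "window".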
processName |
string |
true |
ProcessName |
The image name of the process that triggered the event |
- c:\windows\system32\svchost.exe
- /usr/bin/python2.7
- /usr/bin/sed
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Deep Security
- Trend Vision One Container Security
- Trend Micro Apex One as a Service
|
processName |
string |
true |
ProcessName |
The image name of the process that triggered the event |
- /usr/bin/bash
- c:\windows\system32\svchost.exe
- c:\windows\system32\lsass.exe
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
processPid |
int |
true |
- |
The PID of the subject process |
- |
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Vision One Container Security
|
processPid |
int |
true |
- |
The PID of the subject process |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
processSigner |
dynamic |
true |
- |
The signer name list of the subject process |
- Microsoft Windows
- Microsoft Windows Publisher
|
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
|
processSigner |
dynamic |
true |
- |
The process file signer |
- Microsoft Windows
- Microsoft Windows Publisher
- Microsoft Corporation
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
processSignerValid |
dynamic |
true |
- |
The validity of the process signer |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
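The signer fields come in several shapes: objectSigner and parentSigner appear as a plain name ("Microsoft Windows") or as a ';'-separated certificate chain with a trailing ';' ("Software Signing;Apple Code Signing Certification Authority;Apple Root CA;"), while processSigner is documented as a signer name list. The signer name alone is not evidence of anything, since any binary can carry a forged or broken signature naming Microsoft; it has to be read together with the matching *SignerValid field. The following Python is an added example, not Trend Micro code. It parses the three shapes into a leaf-first chain and issues a verdict. The page does not document how the *SignerValid values are encoded, so the example assumes a bool, 0/1 or "true"/"false" string; the allowlist and the record are constructed.

```python
"""Evaluate objectSigner/objectSignerValid, parentSigner/parentSignerValid and
processSigner/processSignerValid from a Trend Vision One search record.

Added example, not Trend Micro code. The encoding of the *SignerValid fields
is not documented on the page; bool, 0/1 and "true"/"false" are assumed here.
"""

# Constructed allowlist of leaf signer names, for the example only.
TRUSTED_LEAF_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Publisher",
    "Microsoft Corporation",
}


def signer_chain(value):
    """Signer names as a list, leaf signer first, for every observed shape:
    None, a plain name, a ';'-joined chain (trailing ';' allowed) or a list."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        parts = [str(v) for v in value]
    else:
        parts = str(value).split(";")
    return [p.strip() for p in parts if p and p.strip()]


def signer_is_valid(value):
    """Interpret a *SignerValid value (encoding assumed, see module docstring)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in ("true", "1")
    return False


def signer_verdict(signer_value, valid_value):
    """Classify a signature. A trusted-looking name only counts when the signature
    validates: a name is trivially copied into a binary, a valid signature is not."""
    chain = signer_chain(signer_value)
    if not chain:
        return "unsigned"
    if not signer_is_valid(valid_value):
        return "invalid-signature"
    return "trusted" if chain[0] in TRUSTED_LEAF_SIGNERS else "signed-untrusted"


def triage(record, entity):
    """Verdict for one entity of the record; entity is 'object', 'parent' or 'process'."""
    return signer_verdict(record.get(f"{entity}Signer"), record.get(f"{entity}SignerValid"))


# Constructed record; the signer values are the ones shown in the field table.
SAMPLE_RECORD = {
    "processSigner": ["Microsoft Windows", "Microsoft Windows Publisher"],
    "processSignerValid": True,
    "parentSigner": "Software Signing;Apple Code Signing Certification Authority;Apple Root CA;",
    "parentSignerValid": 1,
    "objectSigner": "Microsoft Windows",
    "objectSignerValid": "false",   # Microsoft name, signature does not verify
}

if __name__ == "__main__":
    for entity in ("object", "parent", "process"):
        print(entity, triage(SAMPLE_RECORD, entity))
```

The "invalid-signature" verdict on the object entity is the case worth alerting on: the name matches a trusted publisher, but the signature does not verify, which is what a tampered or resigned binary looks like in this telemetry.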
processSubTrueType |
int |
true |
- |
The true file subtype of the process |
- |
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
processTrueType |
int |
true |
- |
The true file type of the process |
- |
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
processUser |
string |
true |
UserAccount |
The user name of the process or the file creator |
- SYSTEM
- SVC_JENKINS_CODE_DEV
- NETWORK SERVICE
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
processUser |
string |
true |
UserAccount |
The owner name of the subject process image |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
processUserDomain |
string |
true |
- |
The owner domain of the subject process image |
- NT AUTHORITY
- DOMAINBA
- PAEDMZ
|
Trend Cloud One - Endpoint & Workload Security |
processUserDomain |
string |
true |
- |
The process user domain |
- NT AUTHORITY
- AUTORIDADE NT
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
processUserGroupId |
string |
true |
- |
The user group ID of the process or the file creator |
|
Trend Cloud One - Endpoint & Workload Security |
processUserGroupName |
string |
true |
- |
The user group name of the process or the file creator |
|
Trend Cloud One - Endpoint & Workload Security |
processUserId |
string |
true |
- |
The user ID of the process or the file creator |
|
Trend Cloud One - Endpoint & Workload Security |
proto |
string |
true |
- |
The network protocol of the exploited layer |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- TXOne EdgeOne
- Trend Vision One Container Security
- Mobile Network Security
|
proto |
int |
false |
- |
The protocol type |
- TELEMETRY_CONNECTION_TCP
- TELEMETRY_CONNECTION_UDP
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
protoFlag |
string |
true |
- |
The protocol flags (TCP flags and the IP Don't Fragment bit) |
- ACK PSH DF=1
- ACK DF=1
- DF=1
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
pver |
string |
true |
- |
The product version |
- 20.0.0.4726
- 20.0.0.4416
- 6.2.1125
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- TippingPoint Security Management System
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
- Trend Vision One Mobile Security
- Trend Vision One Container Security
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
|
pver |
string |
true |
- |
The product version |
- 1.2.0.2752
- 1.0.345
- 1.2.0.2657
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
quarantineFileId |
string |
true |
- |
The unique identifier of the quarantined object |
ASLUMVS0.4FC |
- Trend Micro Apex One as a Service
- Trend Micro Apex One On-Premises
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
quarantineFilePath |
string |
true |
FileFullPath |
The file path of the quarantined object |
C:\ProgramData\Trend Micro\AMSP\quarantine\ASLUMVS0.4FC |
- Trend Micro Apex One as a Service
- Trend Micro Apex One On-Premises
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
quarantineFileSha256 |
string |
true |
FileSHA2 |
The SHA-256 of the quarantined object |
84B2FA19B05EA88D6E785B4ADB528120485AA3F72F3E5E114DE6D3696B0D151F |
- Trend Micro Apex One as a Service
- Trend Micro Apex One On-Premises
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
regionId |
string |
true |
- |
The cloud asset region |
- US East (N. Virginia)
- Europe (Frankfurt)
|
Trend Cloud One - Endpoint & Workload Security |
regionId |
string |
true |
- |
The cloud asset region |
- US East (N. Virginia)
- Europe (Frankfurt)
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
|
remarks |
string |
true |
- |
The additional information |
- warning: fork: Resource temporarily unavailable
- pam_unix(cron:session): session opened for user root by (uid=0)
- WinEvtLog: Application: AUDIT_FAILURE(18470): MSSQL$SA: (no user): no domain: EXAMPLE.com: Login failed for user 'example_user'. Reason: The account is disabled. [CLIENT: 10.10.10.10]
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- Trend Micro Apex One as a Service
- Trend Micro Email Security
- Trend Cloud One - Network Security
- TXOne EdgeOne
- Email Sensor
- File Security
- Agentless Vulnerability & Threat Detection
|
request |
string |
true |
URL |
The notable URLs |
- http://example.page.com/canonical.html
- http://10.10.10.10
- https://drive.google.com/
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- TippingPoint Security Management System
- Trend Cloud One - Endpoint & Workload Security
- Zero Trust Secure Access - Internet Access
- Trend Micro Cloud App Security
- Trend Cloud One - Network Security
- Trend Micro Email Security
- Trend Micro Deep Security
- Trend Vision One Mobile Security
- Zero Trust Secure Access - Private Access
|
requestClientApplication |
string |
true |
- |
The protocol user agent information |
- Microsoft-Delivery-Optimization/10.0
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
- example Software GmbH
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
requestMethod |
string |
true |
- |
The network protocol request method |
|
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
|
riskLevel |
string |
true |
- |
The risk level |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Cloud App Security
- Endpoint Sensor
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
rt |
string |
false |
- |
The Unix time of the log generation |
1656324260000 |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- Trend Micro Email Security
- TippingPoint Security Management System
- Endpoint Sensor
- Trend Micro Web Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
- Zero Trust Secure Access - Private Access
- Email Sensor
|
rtDate |
string |
true |
- |
The date of the log generation |
1655337600000 |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
|
rtHour |
int |
false |
- |
The hour of the log generation |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
|
rtWeekDay |
string |
true |
- |
The weekday of the log generation |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
|
ruleId |
int |
true |
- |
The rule ID |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- Mobile Network Security
|
ruleName |
string |
true |
- |
The name of the rule that triggered the event |
- Directory Server - Microsoft Windows Active Directory
- Microsoft Windows Events
- Microsoft Windows Security Events - 3
- (T1234) New executable created (chmod)
- Sensitive Files Upload to Personal Cloud
- Multiple Sensitive Files Compression
- Transfer Sensitive Files to Removable Storage
- Move Multiple Sensitive Files to Central Location
- Multiple Sensitive Files Modification
- Multiple Sensitive Files Deletion
- GEN_CCFR_OVERLAY_TEST.A
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- TippingPoint Security Management System
- Endpoint Sensor
- Trend Micro Email Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Private Access
- Trend Vision One Container Security
- Email Sensor
- Mobile Network Security
- Data Detection and Response
|
ruleSetName |
string |
true |
- |
The rule set name |
AllRules |
- Trend Vision One Container Security
- Trend Cloud One - Network Security
- TippingPoint Security Management System
- Trend Cloud One - Endpoint & Workload Security
|
ruleType |
string |
true |
- |
The access rule type |
- udso
- point of entry
- unknown
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Cloud App Security
- Zero Trust Secure Access - Private Access
- Trend Vision One Container Security
|
ruleVer |
string |
true |
- |
The rule version |
- 202207060001
- 202207190001
|
- Trend Micro Cloud App Security
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Email Security
- Email Sensor
|
scanType |
string |
true |
- |
The scan type |
- realtime_mailmeta-exchange
- exchange_mailbox_realtime_detection_logs
- gateway_realtime_blocking_traffic
- malware_schedule_image
- malware_schedule_file
- malware_realtime_image
- malware_realtime_file
|
- Trend Micro Cloud App Security
- Trend Micro Email Security
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Email Sensor
- File Security
- Agentless Vulnerability & Threat Detection
- Trend Vision One Container Security
|
score |
int |
false |
- |
The Web Reputation Services URL rating |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Cloud App Security
- Trend Vision One Mobile Security
- Trend Cloud One - Endpoint & Workload Security
|
secondAct |
string |
true |
- |
The second scan action |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
|
secondActResult |
string |
true |
- |
The result of the second scan action |
- Unknown
- N/A
- Access denied
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
|
senderGUID |
string |
true |
- |
The sender GUID |
- 346648FC-9862-D2F0-F94C-FAB1A838ABD7
- 36E5239E-EEBA-0100-C10E-C057E0455E1D
- 9606BBD5-38A7-9024-83C8-9C88A2AF90CC
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
|
sessionId |
int |
false |
- |
The session ID |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
severity |
int |
true |
- |
The severity of the event |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- TippingPoint Security Management System
- Trend Cloud One - Network Security
- Trend Vision One Container Security
- Mobile Network Security
|
shost |
string |
true |
DomainName |
The source hostname |
- dns.google
- sw_us-east-1a_10-124-17-69
- sw_us-east-1c_10-124-21-139
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Mobile Network Security
|
smac |
string |
true |
- |
The source MAC address |
- 00:11:22:33:44:55
- 66:77:88:99:AA:BB
- CC:DD:EE:FF:00:11
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- TXOne EdgeOne
|
sproc |
string |
true |
- |
The OSSEC program name |
- postfix/sendmail
- CRON
- sshd
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
spt |
int |
true |
Port |
The source port |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- TippingPoint Security Management System
- Trend Micro Deep Security
- Trend Cloud One - Network Security
- Endpoint Sensor
- TXOne EdgeOne
- Zero Trust Secure Access - Private Access
- Trend Vision One Container Security
- Mobile Network Security
|
spt |
int |
true |
Port |
The source port number |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Data Detection and Response
|
src |
dynamic |
true |
|
The source IP |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- TippingPoint Security Management System
- Trend Micro Deep Security
- Trend Cloud One - Network Security
- Endpoint Sensor
- Zero Trust Secure Access - Internet Access
- TXOne EdgeOne
- Zero Trust Secure Access - Private Access
- Trend Vision One Container Security
- Mobile Network Security
|
src |
string |
true |
|
The source address |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Data Detection and Response
|
srcFileCreation |
string |
true |
- |
The time the source file was created |
- 1577865600000
- 1626201752000
- 1626201750000
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
srcFileGroupName |
string |
true |
- |
The source file user group name |
- wheel
- staff
- NT SERVICE\TrustedInstaller
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
srcFileHashId |
long |
false |
- |
The source file hash ID |
- 1102079405020678318
- -6926286289273504319
- 8528955148329941480
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
srcFileIsRemoteAccess |
bool |
true |
- |
The remote access of the source file |
- |
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
srcFileModifiedTime |
string |
true |
- |
The time the source file was modified |
- 1626201752000
- 1626201750000
- 1577865600000
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
srcFileOwnerName |
string |
true |
- |
The source file owner name |
- root
- NT SERVICE\TrustedInstaller
- NT AUTHORITY\SYSTEM
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
srcFilePath |
string |
true |
|
The source file path |
- \\cnva-apps\megaclockprod\traveler\travelerprint.accdb
- c:\program files\common files\microsoft shared\clicktorun\officesvcmgrschedule.xml
- q:\a7_dbs\a4_pkg\a4_packaging.accde
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
srcFileSize |
string |
true |
- |
The file size of the source file |
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Data Detection and Response
|
srcFirstSeen |
string |
true |
- |
The first time the source file was seen |
- 0
- 1656355418449
- 1656714760440
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
srcHashId |
long |
false |
- |
The source hash ID |
- 4070054759888344851
- 2177864258235728980
- 3476454206648023552
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
srcLastSeen |
string |
true |
- |
The last time the source file was seen |
- 0
- 1656355418449
- 1656715147313
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
srcSubTrueType |
int |
false |
- |
The true file subtype of the source file |
- |
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
|
srcTrueType |
int |
false |
- |
The true file type of the source file |
- |
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
|
startTime |
long |
true |
- |
The time when the first event was received (in Unix milliseconds) |
1750983848000 |
Trend Cloud One - Endpoint & Workload Security |
status |
string |
true |
- |
The HTTP response status code |
|
- Trend Micro Apex One as a Service
- Endpoint Sensor
- Trend Cloud One - Endpoint & Workload Security
|
subRuleId |
string |
true |
- |
The ID of the subordinate rule |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- Trend Cloud One - Network Security
|
subRuleName |
string |
true |
- |
The subrule name |
- Pre-authentication failed.
- ATTACK T1070.002,T1070.004: Indicator Removal on Host : Clear Linux or Mac System Logs,File Deletion
- ATTACK T1110: Multiple Windows Logon Failures
- invisible_url_domain
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- Trend Micro Email Security
- Email Sensor
|
suid |
string |
true |
UserAccount |
The user name or mailbox |
- root
- US EXAMPLE\TEST
- sample_email@trendmicro.com
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Cloud App Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Web Security
- Trend Micro Deep Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
|
tags |
dynamic |
true |
|
The detected technique ID based on the alert filter |
- MITREV9.T1090
- MITRE.T1071
- MITREV9.T1059.001
|
- ALL
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
target |
string |
true |
- |
The target object for the behavior |
- c:\windows\system32\windowspowershell\v1.0\powershell.exe
- zwwritevirtualmemory
- /proc/211296/exe
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
targetType |
string |
true |
- |
The target object type |
- File System
- Uncategorized
- Exploit
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
timezone |
string |
true |
- |
The host time zone |
- UTC+00:00
- UTC-05:00
- UTC-03:00
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
trigger |
string |
true |
- |
The action trigger |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
triggerInfo |
dynamic |
true |
- |
The trigger information |
[{'triggerModule': 'ODS', 'triggerReason': 'System Schedule Scan'}] |
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
triggerReason |
string |
true |
- |
The cause of the triggered action |
- FILEMETA.T1027.009.TRICKBOT.SMITRE1B2, T1027.009
- ST002
- Scheduled Scan (custom)
- Scheduled Scan (system)
- Remote Scan: the user triggered the Apex One agent from the Trend Vision One console
- Manual Scan: the user triggered the local agent
|
- Endpoint Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
|
urlCat |
dynamic |
true |
- |
The requested URL category |
- Untested
- 158
- Web Advertisement
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Web Security
- Trend Micro Apex One as a Service
- Zero Trust Secure Access - Internet Access
- Trend Micro Cloud App Security
- Trend Vision One Mobile Security
- Trend Cloud One - Endpoint & Workload Security
|
userDomain |
dynamic |
true |
- |
The user domain name |
|
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
vpcId |
string |
true |
- |
The virtual private cloud that contains the cloud asset |
- vpc-01234567890abcdef
- avtd-vnet-ozyww04h
- ocid1.vnic.oc1.iad.abuwcljs4szq5rylkxikcthyegnqn5mjhkyn3xwtoa3uvbonxqn52nofibgq
|
- Trend Cloud One - Endpoint & Workload Security
- Agentless Vulnerability & Threat Detection
|
vpcId |
string |
true |
- |
The virtual private cloud that contains the cloud asset |
vpc-01234567890abcdef |
- Trend Cloud One - Endpoint & Workload Security
- Endpoint Sensor
|
wasEntity |
string |
true |
- |
The entity before change/modification |
- {"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"stopped","name":"state","value":"1"}]}
- {"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"running","name":"state","value":"4"}]}
- {"key":"<example>","type":"File","attributes":[]}
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
winEventId |
int |
true |
- |
The Windows Event ID |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|