tm-v1-schema

Trend Micro Apex One as a Service

Layer: Endpoint

This documentation provides detailed information about all fields available for Trend Micro Apex One as a Service.

Field Name	Type	Searchable	General Field	Description	Example	Products
accessPermission	string	true	-	The access permission type	Modify Read and execute List device content only Block	Trend Micro Apex One as a Service
act	dynamic	true	-	The actions taken to mitigate the event	log isolate terminate not blocked Block No action Reset Pass User Decision	Trend Vision One Container Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security Trend Micro Cloud App Security TippingPoint Security Management System Endpoint Sensor Trend Micro Web Security Trend Micro Email Security Trend Micro Deep Security Trend Cloud One - Network Security Zero Trust Secure Access - Internet Access TXOne EdgeOne Zero Trust Secure Access - Private Access Email Sensor Trend Vision One Mobile Security Mobile Network Security Agentless Vulnerability & Threat Detection
actResult	dynamic	true	-	The result of an action	Dropped Successful Accepted	Trend Micro Apex One as a Service Trend Micro Cloud App Security Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security TXOne StellarOne Trend Vision One Mobile Security
additionalInfo	string	true	-	The filter rule info	Default	Endpoint Sensor Trend Micro Apex One as a Service
aggregatedCount	string	true	-	The number of aggregated events	1 2 3	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service TippingPoint Security Management System Trend Micro Web Security Trend Cloud One - Network Security Zero Trust Secure Access - Internet Access TXOne StellarOne Data Detection and Response Trend Cloud One - Endpoint & Workload Security
application	string	true	-	The name of the requested application	HyperText Transfer Protocol DoubleClick The Secure HyperText Transfer Protocol	Trend Micro Web Security Zero Trust Secure Access - Internet Access Zero Trust Secure Access - Private Access Trend Micro Apex One as a Service
authId	string	true	-	The authorization ID	999 996 997	Endpoint Sensor Trend Micro Apex One as a Service
behaviorCat	string	true	-	The matched policy category	Policy Enforcement Grey-Detection Threat-Detection	Trend Micro Apex One as a Service Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security
blocking	string	true	-	The blocking type	Web reputation Web Server	Trend Micro Apex One as a Service
bmGroup	string	true	-	The one-to-many data structure	logGenLocalDatetime:2022-07-08T09:21:11+00:00, act:Assessment, behaviorType:Registry, riskConfidenceLevel:1, ruleId:7, ruleName:New Service, behaviorCategory:Policy Enforcement, processFilePath:C:\Windows\SysWOW64\srts\wmipr.exe, aegisOperation:Set Key, objectFilePath:HKLM\SYSTEM\CurrentControlSet\Services\DpsiBSvc\Start, policyId:007, objectFileHashSha1:null, objectCmd:null, processFileHashSha1:null, processCmd:null, objectRegistryData:null, objectRegistryKeyHandle:null, objectRegistryValue:null	Trend Micro Apex One as a Service
cat	int	false	-	The weighted priority of the incident	100 200	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security Trend Micro Apex One as a Service
cccaDetection	string	true	-	Is this log identified as a C&C callback address detection	Yes	Trend Micro Apex One as a Service Trend Micro Deep Discovery Inspector Network Sensor
cccaDetectionSource	string	true	-	Which list defines this CCCA detection rule	CCCA_GLOBAL_LIST (0) GLOBAL_INTELLIGENCE USER_DEFINED	Trend Micro Apex One as a Service Trend Micro Deep Discovery Inspector Network Sensor
cccaRiskLevel	int	true	-	The severity level of the threat actors associated with the C&C servers	1 2	Trend Micro Apex One as a Service Trend Micro Deep Discovery Inspector Network Sensor
censusMaturityValue	int	true	-	The CENSUS maturity value	1 2	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
censusPrevalenceValue	int	true	-	The CENSUS prevalence value	1 2	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
channel	string	true	-	The channel through which the demanded WinEvent is delivered	Local file or network drive Local file	Trend Micro Apex One as a Service
channel	string	true	-	The Windows event channel	Security Microsoft-Windows-WMI-Activity/Trace Microsoft-Windows-TaskScheduler/Operational	Endpoint Sensor Trend Micro Apex One as a Service
clientStatus	string	true	-	The client status when the event occurred	Rebuilding database Online Offline	Trend Micro Apex One as a Service
compressedFileHash	string	true	FileSHA1	The SHA-1 of the decompressed archive	6E2ECB34B7798E179CC704111FB9733FBAAD5ACA FA71B59F35F0EE44D27F74917EF5A0DA2797E80B 14D2302172EB81465CE12E01361AE24CDE170F7B	Trend Micro Deep Discovery Inspector Network Sensor File Security File Security Storage Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Agentless Vulnerability & Threat Detection
compressedFileHashSha256	string	true	FileSHA2	The SHA-256 of the compressed suspicious file	60C7C5924DD09F7C6B150120FB92DCEE00AE82DB75C7402FA4D9152CF487A94F 482FFC4F87B78C3C7073983CF65B593D9F13F0A3D6DC54B4A3F616F79838F3CE 68C0126D9B4B0FC32DE181D0D67DA8FE82E23745F6023317D5E053B6F6ED26CF	Trend Micro Deep Discovery Inspector Network Sensor File Security File Security Storage Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Agentless Vulnerability & Threat Detection
compressedFileName	string	true	FileName	The file name of the compressed file	/proc/32058/fd/150 NONAMEFL /proc/10006/fd/30 VirusActionSample/RPF2_OtherMalwareSample-other.exe	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service File Security File Security Storage Trend Cloud One - Endpoint & Workload Security Agentless Vulnerability & Threat Detection Trend Vision One Container Security
computerDomain	string	true	-	The computer domain	COMCEL_DOMINIO HDWA RANDON	Trend Micro Apex One as a Service
confidence	int	false	-	The confidence rating returned from TrendX Hybrid Model (predictive machine learning). Values from 1-99.	94	Trend Micro Apex One as a Service File Security
correlationData	dynamic	true	-	The data for correlation	-	Endpoint Sensor Trend Micro Apex One as a Service
customAssetTags	dynamic	true	-	The list of custom asset tags	{"os":["linux", "windows"], "org":["bu1"]}	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Vision One Container Security
customAssetTags	dynamic	true	-	The list of custom asset tags	{"os":["linux", "windows"], "org":["bu1"]}	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
dacDeviceType	string	true	-	The device type	USB storage device Mobile devices Floppy disks Network driver	Trend Micro Apex One as a Service
dceArtifactActions	dynamic	true	-	The actions performed on Damage Cleanup Engine artifacts	folder_backup objproc_dump subproc_dump	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
destinationPath	string	true	-	The intended destination of the file containing the digital asset or channel	Cloud Storage (OneDrive) Printer example.sharepoint.com/personal/page_path/onedrive.aspx	Trend Micro Apex One as a Service
detailTrace	int	false	-	Whether the detection comes with a detailed trace footprint	-	Trend Micro Apex One as a Service
detectedActions	dynamic	true	-	The actions performed on detected artifacts	folder_backup objproc_dump subproc_dump	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
detectedBackupArtifacts	dynamic	true	-	The information about detected artifacts	{"objectArtifactId": "025d9f2a-ac9c-4cdf-b9e4-cf20c6e40281_0.dmp", "action": "object_process_dump", "status": 0, "processCreationTime": "1627574338077", "processImageFileName": "C:\Program Files\aaa\bbb\objprocess.exe"}	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
detectedBackupArtifactsStatus	dynamic	true	-	The backup status of detected artifacts	['0', '-67']	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
detectedBackupFolder	string	true	-	The folder path for detected backup folders	C:\\Program Files (x86)\\Trend Micro\\artifact\\DCE	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Endpoint Sensor
detectedPattern	string	true	-	The detected pattern	dct.virus	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
detectionAggregationIds	dynamic	true	-	The list of detection aggregation IDs	['11111111-1111-1111-1111-111111111111']	Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
detectionAggressivenessLevel	int	false	-	The detection aggressiveness level	1 2 3 4	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
detectionEngineVersion	string	true	-	The detection engine version	7.6.0	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
detectionMeta	dynamic	true	-	The descriptions of the detected techniques	['T1204 some description about this technique', 'T1573.001_AES another description about this technique']	Trend Micro Apex One as a Service Trend Micro Apex One On-Premises Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security
detectionName	string	true	-	The general name for the detection	Troj.Win32.TRX.XXPE50F13017 Troj.Win32.TRX.XXPE50FFF059	Trend Micro Apex One as a Service Trend Vision One Mobile Security
detectionNames	dynamic	true	-	The rules that triggered the event	['HS_EMOTET.SMAA', 'HM_AVEDOWN.SMZTIG-A', 'HE_DOCQRPHISH.SM']	Trend Micro Apex One as a Service Trend Micro Apex One On-Premises Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security
detectionType	string	true	-	The detection type	1 File Process net	Trend Micro Deep Discovery Inspector Network Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Web Security Trend Micro Apex One as a Service Trend Micro Cloud App Security Trend Micro Deep Security Trend Micro Email Security Zero Trust Secure Access - Internet Access Trend Vision One Mobile Security Zero Trust Secure Access - Private Access Trend Vision One Container Security
deviceGUID	string	true	-	The GUID of the agent which reported the detection	00000000-0000-0000-0000-000000000000 11111111-1111-1111-1111-111111111111 22222222-2222-2222-2222-222222222222	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service TippingPoint Security Management System Endpoint Sensor Trend Cloud One - Network Security Zero Trust Secure Access - Internet Access
deviceModel	string	true	-	The device model number	c96a	Trend Micro Apex One as a Service
deviceSerial	string	true	-	The device serial ID	000000063a2e8f	Trend Micro Apex One as a Service
direction	string	true	-	The direction	Incoming Outgoing Unknown	Trend Micro Apex One as a Service TXOne EdgeOne
dmac	string	true	-	The MAC address of the destination IP (dest_ip)	00:00:00:00:00:00 ff:ff:ff:ff:ff:ff	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security TXOne EdgeOne
domainName	string	true	DomainName	The detected domain name	http://10.10.10.10 example.domain.com	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Cloud App Security
dpt	int	true	Port	The destination port	445 80	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security TippingPoint Security Management System Trend Micro Deep Security Trend Cloud One - Network Security Endpoint Sensor TXOne EdgeOne Zero Trust Secure Access - Private Access Trend Vision One Container Security Mobile Network Security
dpt	int	true	Port	The destination port number	-	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service Data Detection and Response
dst	dynamic	true	IPv4 IPv6	The destination IP	10.10.10.10	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security TippingPoint Security Management System Trend Micro Deep Security Trend Cloud One - Network Security Endpoint Sensor Zero Trust Secure Access - Internet Access TXOne EdgeOne Zero Trust Secure Access - Private Access Trend Vision One Container Security Mobile Network Security
dst	string	true	IPv4 IPv6	The destination IP address	:: 10.10.10.10	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service Data Detection and Response
duser	dynamic	true	EmailRecipient	The email recipient	(no user) SYSTEM SYSTEM	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security Trend Micro Cloud App Security Trend Micro Email Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Email Sensor
dvchost	string	true	-	The computer which installed the Trend Micro product	CU-PRO1-9039-2 LTPF32PMNN	Trend Micro Apex One as a Service Trend Micro Deep Discovery Inspector Network Sensor
endpointGUID	string	true	EndpointID	The GUID of the agent which reported the detection	ae4d64aa-f8b8-bb36-b265-f59272ed342f 8fb979f6-1376-bed3-227f-f2886e66194e ca2b3a7e-8415-c571-cc19-e45f69470026	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Deep Security Endpoint Sensor Zero Trust Secure Access - Internet Access Trend Vision One Mobile Security Zero Trust Secure Access - Private Access TXOne StellarOne Trend Vision One Container Security Data Detection and Response
endpointGuid	string	true	EndpointID	Host GUID of the endpoint on which the event was detected	11111111-1111-1111-1111-111111111111	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
endpointHostName	string	true	EndpointName	The endpoint hostname or node where the event was detected	10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0] ip-10-10-10-10.us-west-1.compute.internal	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security Trend Micro Apex One as a Service Endpoint Sensor Zero Trust Secure Access - Internet Access Trend Vision One Mobile Security Zero Trust Secure Access - Private Access TXOne StellarOne Trend Vision One Container Security Agentless Vulnerability & Threat Detection Data Detection and Response
endpointHostName	string	true	EndpointName	The host name of the endpoint on which the event was detected	PHILIPSIBE09 WHAM6WK8XG2 MacBook-Pro-del-Meno	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
endpointIp	dynamic	true	IPv4 IPv6	The IP address of the endpoint on which the event was detected	10.10.10.10	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security Trend Micro Apex One as a Service TippingPoint Security Management System Trend Cloud One - Network Security TXOne EdgeOne Agentless Vulnerability & Threat Detection Data Detection and Response
endpointIp	dynamic	true	IPv4 IPv6	IP address of the endpoint on which the event was detected	10.10.10.10 ::1 fe80::1	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
endpointMacAddress	string	true	-	The MAC address of endpoint	00:00:00:00:00:00 ff:ff:ff:ff:ff:ff	Trend Micro Apex One as a Service TXOne EdgeOne TXOne StellarOne
endpointMacAddress	dynamic	true	-	The host MAC address	0-0-0-0-0-0-0-e0 00:00:00:ff:ff:ff	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
engineOperation	string	true	-	The operation of the engine event	Set Key Invoke API Create	Trend Micro Apex One as a Service Endpoint Sensor
engType	string	true	-	The engine type	Virus Scan Engine (Windows XP/Server 2003, x64) Virus Scan NT Kernel Engine Spyware/Grayware Scan Engine v.6 (64-bit)	Trend Micro Apex One as a Service File Security
engVer	string	true	-	The engine version	1.0.0.1123_1.0.0.1101 9.0.1004 22.540.1001	Endpoint Sensor Trend Micro Cloud App Security Trend Micro Apex One as a Service File Security
eventDataAccessList	string	true	-	The list of requested access rights	%%4416 %%4417 %%4418	Endpoint Sensor Trend Micro Apex One as a Service
eventDataAccessMask	string	true	-	The hexadecimal value of the requested or used permissions during an access attempt	16 2147483648 1048576	Endpoint Sensor Trend Micro Apex One as a Service
eventDataActionName	string	true	-	The action performed	Language Components Installer Group Policy Background Processing C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	Trend Micro Apex One as a Service Endpoint Sensor
eventDataAuthenticationPackageName	string	true	-	The authentication package name of the Windows event data	NTLM Negotiate MICROSOFT_AUTHENTICATION_PACKAGE_V1_0	Endpoint Sensor Trend Micro Apex One as a Service
eventDataElevatedToken	string	true	-	Whether the session is elevated and has administrator privileges	%%1842 %%1843	Endpoint Sensor Trend Micro Apex One as a Service
eventDataFullyQualifiedAssemblyName	string	true	-	The fully qualified .NET assembly name	System.Runtime, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 System.Diagnostics.Process, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a	Endpoint Sensor Trend Micro Apex One as a Service
eventDataImpersonationLevel	string	true	-	The sign-in session impersonation level	%%1830 %%1832 %%1833	Endpoint Sensor Trend Micro Apex One as a Service
eventDataIpAddress	string	true	-	The IP address for Windows event 4624 which is "An account was successfully logged on"	- 10.10.10.10	Endpoint Sensor Trend Micro Apex One as a Service
eventDataJobOwner	string	true	-	The name of the account that initiated the event	BEI\holdej NT AUTHORITY\SYSTEM	Trend Micro Apex One as a Service
eventDataLogonProcessName	string	true	-	The name of the Windows event sign in process name	NtLmSsp Advapi Advapi	Endpoint Sensor Trend Micro Apex One as a Service
eventDataLogonType	string	true	-	The logon type for Windows event 4624 which is "An account was successfully logged on"	3 5 2	Endpoint Sensor Trend Micro Apex One as a Service
eventDataModuleILPath	string	true	-	The CIL image path of the module or the dynamic module name	C:\Program Files\Cymulate\Agent\System.Threading.dll C:\windows\system32\tzsync.exe C:\Program.exe	Endpoint Sensor Trend Micro Apex One as a Service
eventDataObjectName	string	true	-	The identifying information about the object for which access was requested	\Device\HarddiskVolume2\Windows\System32\lsass.exe C:\Windows\System32\osk.exe	Endpoint Sensor Trend Micro Apex One as a Service
eventDataObjectType	string	true	-	The object type	Process File	Endpoint Sensor Trend Micro Apex One as a Service
eventDataOperation	string	true	-	Windows event 11	Start IWbemServices::ExecQuery - root\ccm : select * from SMS_Authority Start IWbemServices::ExecQuery - root\cimv2 : select * from win32_process Start IWbemServices::ExecQuery - root\ccm : SELECT * FROM SMS_Authority	Endpoint Sensor Trend Micro Apex One as a Service
eventDataPath	string	true	-	The path of the Windows event data	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\officesvcmgr.exe taskhostw.exe gpupdate.exe	Endpoint Sensor Trend Micro Apex One as a Service
eventDataProcessPath	string	true	-	The process path that initiated the event	C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Trend Micro Apex One as a Service
eventDataScriptBlockText	string	true	-	Windows event 4104, Creating Scriptblock text	$global:? 0 { Set-StrictMode -Version 1; $_.PSMessageDetails }	Trend Micro Apex One as a Service
eventDataStatus	string	true	-	The Windows event data status	0xc000006d -1073741715 0xc000006e	Endpoint Sensor Trend Micro Apex One as a Service
eventDataSubjectUserName	string	true	-	The account name	dadmin Alex london$	Endpoint Sensor Trend Micro Apex One as a Service
eventDataSubStatus	string	true	-	The Windows event data sub status	0xc0000064 0xc000006a -1073741724	Endpoint Sensor Trend Micro Apex One as a Service
eventDataTargetDomainName	string	true	-	The target sign-in account domain or computer name	NT AUTHORITY Builtin SHOCKWAVE	Endpoint Sensor Trend Micro Apex One as a Service
eventDataTargetName	string	true	-	The service, application, or network resource name	Microsoft_RssPlatform_* WindowsLive:target=virtualapp/didlogical MicrosoftOffice*	Endpoint Sensor Trend Micro Apex One as a Service
eventDataTargetUserName	string	true	-	The user name of the Windows event data target	Offer Remote Assistance Helpers Administrators Administradores	Trend Micro Apex One as a Service
eventDataTaskName	string	true	-	The task name logged by the Windows event	\Microsoft\Windows\LanguageComponentsInstaller\Installation \Microsoft\Office\Office Serviceability Manager \MicrosoftEdgeUpdateTaskMachineUA	Endpoint Sensor Trend Micro Apex One as a Service
eventDataTicketEncryptionType	string	true	-	The cryptographic suite used for the Kerberos TGS	0x12 0x17 0x18	Endpoint Sensor Trend Micro Apex One as a Service
eventDataTicketOptions	string	true	-	The authentication request Kerberos ticket behavior and permissions flags	0x40810000 0x40810010	Endpoint Sensor Trend Micro Apex One as a Service
eventDataUserContext	string	true	-	The user context of the Windows event data	MP\MPBSA179345$ MP\MPBSASPU179370$ MP\MPBSA4025625$	Endpoint Sensor Trend Micro Apex One as a Service
eventDataWorkstationName	string	true	-	The name of the computer used in the sign-in attempt	WIN-GG82ULGC9GO DESKTOP-123ABC CLIENT01	Endpoint Sensor Trend Micro Apex One as a Service
eventHashId	string	true	-	The event hash ID	-8406473586387535914 138486453338666581 -7909265752378976284	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
eventId	string	true	-	The event ID from the logs of each product	100100 100101 100116 100117 100119	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Deep Security Trend Micro Cloud App Security Endpoint Sensor Trend Micro Email Security TXOne StellarOne Trend Vision One Container Security Email Sensor File Security File Security Storage Agentless Vulnerability & Threat Detection Trend Vision One Mobile Security Mobile Network Security Data Detection and Response
eventId	int	true	-	Event type	-	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
eventMessage	string	true	-	The event message	[0x13bb4e2a0] activating connection: mach=true listener=false peer=false name=com.apple.airportd	Endpoint Sensor Trend Micro Apex One as a Service
eventName	string	true	-	The event type	LOG_INSPECTION_EVENT SECURITY_RISK_DETECTION WEB_THREAT_DETECTION LOG_INSPECTION_EVENT MALWARE_DETECTION PROCESS_ACTIVITY WEB_POLICY_VIOLATION DEEP_PACKET_INSPECTION_EVENT INTEGRITY_MONITORING_EVENT DISRUPTIVE_APPLICATION_DETECTION PRODUCT_SUMMARY PRODUCT_UPDATE BEHAVIORAL_VIOLATION FIREWALL_POLICY_VIOLATION SUSPICIOUS_BEHAVIOUR_DETECTION DENYLIST_CHANGE MACHINE_LEARNING_DETECTION DLP_VIOLATION MALWARE_OUTBREAK_DETECTION SENSITIVE_DATA_DETECTION	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Deep Security TippingPoint Security Management System Trend Micro Cloud App Security Trend Micro Email Security Endpoint Sensor Trend Cloud One - Network Security Zero Trust Secure Access - Internet Access TXOne EdgeOne Zero Trust Secure Access - Private Access TXOne StellarOne Email Sensor File Security File Security Storage Agentless Vulnerability & Threat Detection Trend Vision One Mobile Security Mobile Network Security Data Detection and Response
eventSubId	int	true	-	The access type	2 - TELEMETRY_PROCESS_CREATE 101 - TELEMETRY_FILE_CREATE 204 - TELEMETRY_CONNECTION_CONNECT_OUTBOUND	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
eventSubName	string	true	-	The event type sub-name	IPS Detection Personal Firewall Attack Discovery	Trend Micro Apex One as a Service Trend Micro Cloud App Security Trend Cloud One - Endpoint & Workload Security Trend Micro Email Security Endpoint Sensor Zero Trust Secure Access - Internet Access Agentless Vulnerability & Threat Detection
eventTime	real	true	-	The time the agent detected the event	1657781088000	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
extraInfo	dynamic	true	-	The network application name	N/A Web Client Common DCERPC Services	Trend Micro Apex One as a Service
fileCreation	string	true	-	The file creation date	1595918517000	Trend Micro Apex One as a Service
fileDesc	string	true	-	The file description	Atualiza PJRO Carpeta de archivos 7z Setup SFX (x86)	Trend Micro Apex One as a Service Trend Vision One Container Security
fileHash	string	true	FileSHA1	The SHA-1 of the file that triggered the rule or policy	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F 3AD1F4E7CAA11E5199EE80B8983677ADDD065450	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Deep Security Trend Micro Apex One as a Service Zero Trust Secure Access - Internet Access File Security File Security Storage Agentless Vulnerability & Threat Detection Data Detection and Response
fileHashSha256	string	true	FileSHA2	The SHA-256 of the file (fileName)	6A6EB2D717CEA041B4444193B45EDFB6CA1287518203B7230B3C4B8FFB031EAB BFF703FF836196644586014DA13A097C2EE9A08E4D596DFB7C8E0F685FE01294 12327F460AC9CBBC34D39EB3CF89C7FECCA37F08773A04566840F73F6ECC4104	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Zero Trust Secure Access - Internet Access Trend Cloud One - Endpoint & Workload Security File Security File Security Storage Agentless Vulnerability & Threat Detection Trend Vision One Container Security
fileName	dynamic	true	FileName	The file name	spoolss hosts svcrestarttask	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Deep Security Zero Trust Secure Access - Internet Access TXOne StellarOne File Security File Security Storage Agentless Vulnerability & Threat Detection
filePath	string	true	FileFullPath	The file path without the file name	security /var/log/audit/audit.log application	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security Trend Micro Apex One as a Service Trend Micro Deep Discovery Inspector Network Sensor TXOne StellarOne File Security File Security Storage
fileSize	string	true	-	The file size of the suspicious file	0 1255856 1237880	Trend Micro Deep Discovery Inspector Network Sensor Zero Trust Secure Access - Internet Access Trend Micro Apex One as a Service File Security File Security Storage Agentless Vulnerability & Threat Detection
fileVer	string	true	-	The file version	10.0.19041.1 10.0.19041.1766 10.0.18362.1	Trend Micro Apex One as a Service
filterName	string	true	-	The filter name	ConnectionFilter Virtual Analyzer Data Loss Prevention	Trend Micro Cloud App Security Trend Micro Email Security Trend Micro Apex One as a Service TXOne EdgeOne
filterType	string	true	-	The filter type	Spam filter Size filter	Trend Micro Apex One as a Service TXOne EdgeOne
firstAct	string	true	-	The first scan action	Pass Quarantine Clean	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Deep Security
firstActResult	string	true	-	The first scan action result	File passed Unable to quarantine file File quarantined	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Deep Security
firstSeen	real	false	-	The first time the event was seen	1656355418449	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
forensicFileHash	string	true	-	The hash value of the forensic data file	177844c5927d0f20da06d79d986c7e7f8c7a3b6a da39a3ee5e6b4b0d3255bfef95601890afd80709 8dab234ab6cd96301f9452994f015a449d629edd	Trend Micro Apex One as a Service
forensicFilePath	string	true	-	The file path of the forensic file (When a Data Loss Prevention policy is triggered, the file is encrypted and copied to the OfficeScan server for post-mortem analysis)	C:\Program Files (x86)\Trend Micro\OfficeScan Client\dlplite\forensic\frnsc_200411DC0594_xml_00000000000_20220314_132326281 C:\Program Files (x86)\Trend Micro\OfficeScan Client\dlplite\forensic\frnsc_CIL-OPRCOGEN_docx_00000000000_20211025_225445873 C:\Program Files (x86)\Trend Micro\OfficeScan Client\dlplite\forensic\frnsc_SHA-ESHOU_h265_00000000000_20220601_082417865	Trend Micro Apex One as a Service
ftpUser	string	true	-	The FTP login user name	USER\TREND User ftpuser_service	Trend Micro Apex One as a Service
fullPath	string	true	FileFullPath	The combination of the file path and the file name	\etc\hosts c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask \var\log\auth.log	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Deep Security TXOne StellarOne File Security File Security Storage Agentless Vulnerability & Threat Detection Trend Vision One Container Security
hookId	string	true	-	The hook ID	-1 5 4	Trend Micro Apex One as a Service
hostName	string	true	DomainName HostDomain	The domain name	localhost wpad settings-win.data.microsoft.com	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
httpReferer	string	true	URL	The HTTP referer	http://172.16.58.233/ http://example/page1/ https://www.google.com/	Trend Micro Deep Discovery Inspector Network Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
httpReferer	string	true	URL	The HTTP header referer	http://10.10.10.10/ http://fake/home/ http://fake.com/page/Test.jsp	Trend Micro Apex One as a Service Endpoint Sensor
instanceId	string	true	-	The ID of the instance that indicates the meta-cloud or data center VM	52294e7b-f732-c6e9-b2c3-7a6b6f50d101 00030912-c5e7-4348-9012-7c684751c531 0008ae58-db0c-34ee-3e5c-5dfc9b10a739 i-0b22a22eec53b9321 /subscriptions/bae4f362-e3a0-482f-ba7a-f883d8b410ce/resourceGroups/avtd-csf-sg-lzniibr0/providers/Microsoft.Compute/virtualMachines/avtd-csf-scanner-lzniibr0 ocid1.instance.oc1.us-ashburn-1.an2g6ljrgs553pqcjuokzvvwpmwxh564f6f5sx3jpi2sowt6as44uejmsrzq	Trend Micro Apex One as a Service Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Agentless Vulnerability & Threat Detection Mobile Network Security
integrityLevel	int	true	-	The integrity level of a process	-	Endpoint Sensor Trend Micro Apex One as a Service
interestedHost	string	true	DomainName	The endpoint hostname (For example, if an intranet host accesses a suspicious internet host, the intranet host is the "peerHost" and the internet host is the "interestedHost")	10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0] es-dtc-w-dc02.example.corp	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Deep Security Trend Micro Apex One as a Service
interestedIp	dynamic	true	IPv4 IPv6	The IP of the interestedHost	10.10.10.10	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Deep Security Trend Micro Apex One as a Service TippingPoint Security Management System Trend Cloud One - Network Security TXOne EdgeOne
interestedMacAddress	string	true	-	The MAC address identified as the log owner's	00:00:00:00:00:00 ff:ff:ff:ff:ff:ff	Trend Micro Apex One as a Service Trend Micro Deep Discovery Inspector Network Sensor TXOne EdgeOne
isHidden	string	true	-	Whether the detection log generated a grey rule match	Yes	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service
isProxy	bool	true	-	Whether something is a proxy	False	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
lastSeen	real	false	-	The last time the event was seen	1656355418449	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
logKey	string	true	-	The unique key of the event	123e4567-e89b-12d3-a456-426614174000 987f6543-21ba-43cd-9e8f-123456789abc 456789ab-cdef-1234-5678-9abcdef01234	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Deep Security Trend Micro Cloud App Security Trend Micro Email Security TippingPoint Security Management System Endpoint Sensor Trend Micro Web Security Trend Cloud One - Network Security Zero Trust Secure Access - Internet Access
logonUser	dynamic	true	UserAccount	The logon user name	root SISTEMA oracle	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
mailDeliveryTime	string	true	-	The mail delivery time	1900-1-1 00:00:00	Trend Micro Apex One as a Service
mailMsgSubject	string	true	EmailSubject	The email subject	FW. mail subject ManageEngine	Trend Micro Cloud App Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Email Security Trend Micro Apex One as a Service Email Sensor
malDst	string	true	-	The malware infection destination	3334_02W3P7 2666_02N413 3334_02NHEL	Trend Micro Apex One as a Service
malFamily	string	true	-	The threat family	EQUATED STARTER 0	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security File Security
malName	string	true	-	The name of the detected malware	SecurityLevelDrop Regla Logs All USR_SUSPICIOUS_DOMAIN.UMXX	Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Deep Security Trend Micro Web Security TXOne StellarOne Email Sensor File Security File Security Storage Agentless Vulnerability & Threat Detection Trend Vision One Container Security
malSrc	string	true	FileFullPath	The malware infection source	\\10.172.1.33\kortiz \\10.240.0.148\wbind \\10.240.1.69\MT26933059	Trend Micro Apex One as a Service Mobile Network Security
malSubType	string	true	-	The subsidiary virus type	Unknown	Trend Micro Apex One as a Service File Security
malType	string	true	-	The risk type for Network Content Correlation Engine rules	OTHERS MALWARE Others	Trend Micro Deep Discovery Inspector Network Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Deep Security File Security Trend Vision One Container Security
matchedContent	dynamic	true	-	The one-to-many data structure	['matchedContentEx:client_id=00000000-0000-0000-0000-000000000000&redirect_uri=https://example.page.com, matchedInfo:0,6|0,6'] ['matchedContentEx:example string, matchedInfo:0,6']	Trend Micro Apex One as a Service
mDevice	dynamic	true	-	IP of the source	10.10.10.10 fe80::1234:5678:9abc:def0	Trend Micro Apex One as a Service
mDeviceGUID	string	true	-	The GUID of the agent host	C5B09EDD-C725-907F-29D9-B8C30D18C48F C05B75AB-B518-BDD0-D2B5-E9CB631C539F 9C28ACD3-D0EC-22A4-B08D-5B0BEFF501FC	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Deep Security
messageType	string	true	-	The message type	Default	Endpoint Sensor Trend Micro Apex One as a Service
moduleName	string	false	-	The module where a hook procedure was set up	c:\program files (x86)\desktopcentral_agent\bin\dcusbsummary.exe c:\program files\common files\microsoft shared\clicktorun\officesvcmgr.exe c:\program files (x86)\sharp\sharp pen software\prsnspttool.exe	Trend Micro Apex One as a Service
moduleScanType	string	true	-	The module scan type	traditional	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
mpname	string	true	-	The management product name	Cloud One - Workload Security Apex Central Deep Security Software	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Deep Security TippingPoint Security Management System Endpoint Sensor Trend Cloud One - Network Security
mpver	string	true	-	The product version	Microsoft-Windows-Security-Auditing Level -- Medium security TASK1	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security Trend Micro Apex One as a Service Endpoint Sensor
msgAct	string	true	-	The message action	Quarantine Deliver	Trend Micro Apex One as a Service
msgId	string	true	EmailMessageID	The internet message ID	66.6.00.0006 example.test.com dameware1svr	Trend Micro Cloud App Security Trend Micro Email Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Email Sensor
objectAppName	string	true	-	Name of the app involved in the AMSI event	Exchange Server 2016 PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.19041.1 PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.14393.0	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectArtifactIds	dynamic	true	-	The artifact IDs generated by objectAction	00000000-0000-0000-0000-000000000000_0.dmp 11111111-1111-1111-1111-111111111111_2.bak	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectAttributes	string	true	-	The object attributes	attribute	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectAuthId	string	true	-	The object authorization ID	999 996 997	Endpoint Sensor Trend Micro Apex One as a Service
objectCmd	dynamic	true	CLICommand	The object process command line	C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding "C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass "& 'C:\WINDOWS\CCM\SystemTemp\afd6f0e5-e491-4764-a20a-9f1d9edf3cce.ps1'" C:\WINDOWS\system32\lsass.exe	Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security Endpoint Sensor
objectCmd	string	true	CLICommand	Command line entry of target process	wc -l runc init docker-init --version	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
objectContentName	string	true	-	The AMSI object content name	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.2\PowerShellGet.psd1 c:\synclog\BLAST_SCAN.vbs	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectCurrentFileSize	long	true	-	Previous size of modified object file	59456 60	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectEntityName	string	true	-	The object entity name	any_process exe_file powershell	Trend Micro Apex One as a Service
objectFileAccess	string	true	-	The object file access details	1717658631000	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectFileCreation	string	true	-	The UTC time that the object was created	2014-11-22T01:45:51-06:00 2009-07-13T23:31:13-05:00 2014-11-21T02:43:28-05:00	Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectFileCreation	string	true	-	The time the object file was created	1652131848000 1577865600000 1648279273000	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectFileCurrentOwnerName	string	true	-	The current owner name of the object file	NT AUTHORITY\SYSTEM BUILTIN\Administrators BUILTIN\Administradores	Endpoint Sensor Trend Micro Apex One as a Service
objectFileCurrentOwnerSid	string	true	-	The current security identifier owner of the object file	S-1-5-18 S-1-5-32-544 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464	Endpoint Sensor Trend Micro Apex One as a Service
objectFileDaclString	string	true	-	The discretionary access control list of the object file	D:(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2) D:(A;OICI;GA;;;SY)(A;OICI;0xa0120000;;;WD)(A;OICI;GA;;;BA) D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)	Endpoint Sensor Trend Micro Apex One as a Service
objectFileExtendedAttribute	string	true	-	The extended attributes of the file	com.apple.quarantine com.apple.metadata:kMDItemWhereFroms	Endpoint Sensor Trend Micro Apex One as a Service
objectFileGroupName	string	true	-	The object file user group name	wheel staff admin	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectFileGroupSid	string	true	-	The security identifier of the object file group	S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-18 S-1-5-21-397955417-626881126-188441444-513	Endpoint Sensor Trend Micro Apex One as a Service
objectFileHashId	string	true	-	The object file hash ID	2141057820373638746 -6516669617381620295 -4912169863817247597	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
objectFileHashMd5	string	true	FileMD5	The MD5 of the object	801E8003C257C8F540B20F1E0DECD3A6 CDA48FC75952AD12D99E526D0B6BF70A D5120786925038601A77C2E1EB9A3A0A	Trend Micro Apex One as a Service Endpoint Sensor Trend Cloud One - Endpoint & Workload Security
objectFileHashMd5	string	true	FileMD5	The md5 hash of target process image or target file	7ac47235c7bb452a03d3afd872f44c9e c9873d83a969645a97f21adc1b164cc5 3b32b378c8b288de6f15e1607a8c2145	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
objectFileHashSha1	string	true	FileSHA1	The SHA-1 of the objectFilePath object	51B8646308EE0B68AD1F7F1291B85395434DE49A 36C5D12033B2EAF251BAE61C00690FFB17FDDC87 2586528000199793730B05D3F169BCF139E4D7A1	Trend Micro Apex One as a Service Endpoint Sensor Trend Cloud One - Endpoint & Workload Security
objectFileHashSha1	string	true	FileSHA1	The SHA1 hash of target process image or target file	ded3833f145989fd86c1f4811b61497298ebc7fd c4fa06404142f1994431f9eef3df2cbe0f1998f1 3c01d486ed5aa1ecc2d8f33dc24b0ed59b3e609e	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
objectFileHashSha256	string	true	FileSHA2	The SHA-256 of the object (objectFilePath)	A75C85F3B089993E9C042FB82ECB7757E8F460ED8065FC7991CAA38A6DE0F50C 908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53 1A2ABAAD8A166B66CA35AB51C7432C5A7E46996472C8174281842896408D7F96	Trend Micro Apex One as a Service Endpoint Sensor Trend Cloud One - Endpoint & Workload Security
objectFileHashSha256	string	true	FileSHA2	The SHA256 hash of target process image or target file	39109eef00821658893b45634fe2f4664f880da9242712df907f1327d4ceefb8 49fa3e206abf6a1f4546417dbe09f3f06b38847866a4a66de75bd90f39cb6c1c 0969321ad5a0923f0f03896ad2c10e49290515c44b721d773942a37f62a24893	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
objectFileIsRemoteAccess	bool	true	-	The remote access to the object file	-	Trend Micro Apex One as a Service Endpoint Sensor Trend Cloud One - Endpoint & Workload Security
objectFileModified	string	true	-	The UTC time that the object was modified	2024-10-10T10:10:10.0000000Z 2024-11-11T11:11:11.0000000Z	Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectFileModifiedTime	string	true	-	The time the object file was modified	1652131848000 1577865600000 1648279273000	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectFileName	string	true	FileName	The object file name	powershell.exe wmiprvse.exe dismhost.exe	Trend Micro Apex One as a Service Trend Vision One Container Security Trend Cloud One - Endpoint & Workload Security
objectFileOriginalName	string	true	FileName	The original file name of the object image	Taskmgr.exe WINLOGON.EXE svchost.exe	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectFileOwnerName	string	true	-	The object file owner name	root NT SERVICE\TrustedInstaller BUILTIN\Administrators	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectFileOwnerSid	string	true	-	The security identifier of the object file owner	S-1-5-32-544 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-18	Endpoint Sensor Trend Micro Apex One as a Service
objectFilePath	string	true	FileFullPath	The file path of the target process image or target file	c:\windows\system32\windowspowershell\v1.0\powershell.exe zwwritevirtualmemory c:\windows\system32\wbem\wmiprvse.exe	Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Vision One Container Security
objectFilePath	string	true	FileFullPath FileName	The file path of the target process image or target file	/usr/bin/bash /bin/bash /opt/folder1/probes/system/processes/processes	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
objectFileRemoteAccess	bool	true	-	The remote access for the object file	-	Endpoint Sensor Trend Micro Apex One as a Service
objectFileSaclString	string	true	-	The system access control list of the object file	S:NO_ACCESS_CONTROL S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD) S:(AU;SAFA;0x1f0116;;;WD)	Trend Micro Apex One as a Service Endpoint Sensor
objectFileSize	string	true	-	The file size of the object file	59456 60	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security Data Detection and Response
objectFirstRecorded	string	true	-	The first time that the object appeared	-	Trend Micro Apex One as a Service
objectFirstSeen	string	true	-	The first time the object was seen	1656458063638 1656260547165 0	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectHashId	long	false	-	The object hash ID	8576474808125313522 -599270888483415002 2177864258235728980	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
objectHostName	string	true	DomainName	Server name where Internet event was detected	10.10.10.10 sample.test.org	Trend Micro Apex One as a Service Endpoint Sensor
objectId	string	true	-	The UUID of the object	3 2	Trend Micro Apex One as a Service Zero Trust Secure Access - Private Access
objectIntegrityLevel	int	true	-	Integrity level of target process	-	Endpoint Sensor Trend Micro Apex One as a Service
objectIp	string	true	IPv4 IPv6	IP address of internet event	10.10.10.10	Trend Micro Apex One as a Service Endpoint Sensor
objectIps	dynamic	true	IPv4 IPv6	IP address list of internet event	::1 10.10.10.10 ::ffff:10.10.10.10	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectLastSeen	string	true	-	The last time the object was seen	1656458354730 1656260580722 0	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectLaunchTime	string	true	-	The object launch time of the Windows event	1616412892557 1620778597056 1616414113105	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
objectLoginOutFailureMessage	string	true	-	The sign-in/sign-out error message	Login incorrect	Endpoint Sensor Trend Micro Apex One as a Service
objectLoginOutFirstSeen	long	true	-	The first time the object sign-in/sign-out was seen	1713903612	Endpoint Sensor Trend Micro Apex One as a Service
objectLoginOutHashId	long	true	-	The FNV of the object sign-in/sign-out meta	-8981232070268295229	Endpoint Sensor Trend Micro Apex One as a Service
objectLoginOutLastSeen	long	true	-	The last time the object sign-in/sign-out was seen	1713903612	Endpoint Sensor Trend Micro Apex One as a Service
objectLoginOutMetaType	int	true	-	The sign-in/sign-out meta	1 - LOGIN_OUT_META_TYPE_OPENSSH	Endpoint Sensor Trend Micro Apex One as a Service
objectLoginOutSessionId	long	true	-	The sign-in/sign-out session ID	260	Endpoint Sensor Trend Micro Apex One as a Service
objectLoginOutSourceAddress	string	true	-	The sign-in/sign-out source IP	10.10.10.10	Endpoint Sensor Trend Micro Apex One as a Service
objectLoginOutStatus	int	true	-	The sign-in/sign-out status	-1	Endpoint Sensor Trend Micro Apex One as a Service
objectName	string	true	-	The base name of the object file or process	net.exe	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectName	string	true	-	The object name	/usr/bin/bash /bin/bash /opt/folder1/probes/system/processes/processes	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
objectPid	int	false	-	The object process PID	17000 22000	Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security Endpoint Sensor
objectPid	int	true	-	The PID of target process	-	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
objectPort	int	true	Port	The port number used by internet event	-	Trend Micro Apex One as a Service Endpoint Sensor
objectProcessHashId	long	true	-	FNV of target process	1415699552492662761 -100650285065767982 -1139416698673814436	Trend Micro Apex One as a Service Endpoint Sensor Trend Cloud One - Endpoint & Workload Security
objectRawDataSize	dynamic	true	-	The raw data size of the Windows event object	9 1 564	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectRawDataStr	dynamic	true	-	The data contents of the AMSI event	$global:? 0 $servicename = "WinRM" $arrService = Get-Service $servicename if ($arrService.Status -ne "Running") { Restart-Service $servicename }	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectRegistryData	string	true	RegistryValueData	The registry data contents	C:\Program Files\AlertMedia\AlertMedia Desktop Notifications\AlertMedia.exe	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectRegistryData	string	true	RegistryValueData	The registry value data	{11111111-1111-1111-1111-111111111111} 1 0	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectRegistryKeyHandle	string	true	RegistryKey	The registry key path	HKCR\CID\{00000000-0000-0000-0000-000000000001} HKLM\SOFTWARE\WOW6432Node\Eos HKCU\SOFTWARE\Cerner\InstantAccess	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectRegistryKeyHandle	string	true	RegistryKey	The registry key	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters HKLM\system\currentcontrolset\services\w32time\config HKLM\system\currentcontrolset\services\tcpip\parameters	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectRegistryRoot	int	false	-	The Windows Registry Root ID	3 1 2	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectRegistryValue	string	true	RegistryValue	The registry value name	1 key reg	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectRegistryValue	string	true	RegistryValue	Registry value name	lastknowngoodtime threadingmodel epoch	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
objectRegType	int	false	-	The Windows Registry Type ID	1 11 4	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
objectRunAsLocalAccount	bool	true	-	The "runas" command uses a local account	1	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
objectSessionId	string	true	-	The object session ID	0 1 2	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectSigner	dynamic	true	-	The list of object process signers	Microsoft Windows Microsoft Windows Publisher SecureWorks Inc	Trend Micro Apex One as a Service Endpoint Sensor
objectSigner	dynamic	true	-	Certificate signer of object process or file	Microsoft Windows Software Signing;Apple Code Signing Certification Authority;Apple Root CA; Microsoft Corporation	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectSignerFlagsAdhoc	dynamic	true	-	The list of object process signature adhoc flags	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Micro Apex One On-Premises
objectSignerFlagsAdhoc	dynamic	true	-	The list of object process or file signature adhoc flags	-	Endpoint Sensor Trend Micro Apex One as a Service
objectSignerFlagsLibValid	dynamic	true	-	The list of object process signature library validation flags	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Micro Apex One On-Premises
objectSignerFlagsLibValid	dynamic	true	-	The list of object process or file signature library validation flags	-	Endpoint Sensor Trend Micro Apex One as a Service
objectSignerFlagsRuntime	dynamic	true	-	The list of object process signature runtime flags	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Micro Apex One On-Premises
objectSignerFlagsRuntime	dynamic	true	-	The list of object process or file signature runtime flags	-	Endpoint Sensor Trend Micro Apex One as a Service
objectSignerValid	dynamic	true	-	Validity of certificate signer	1	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectSubTrueType	int	true	-	File object's true sub-type	5000 18000 28001	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectThreadId	string	true	-	The object process thread ID	10196 10104 10004	Trend Micro Apex One as a Service
objectTrueType	int	true	-	File object's true major type	7 5 18 4051	Trend Micro Apex One as a Service Endpoint Sensor Trend Cloud One - Endpoint & Workload Security
objectType	string	true	-	The object type	file process qil	Trend Micro Cloud App Security Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Email Security Endpoint Sensor File Security
objectUser	string	true	UserAccount	The owner name of the target process or the login user name	Système SYSTEM SISTEMA	Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectUser	string	true	UserAccount	The owner name of the target process or the login user name	root SYSTEM oracle	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service Data Detection and Response
objectUserDomain	string	true	-	The owner domain of the target process	NT AUTHORITY UNEB	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
objectUserDomain	string	false	-	The object user domain	NT AUTHORITY AUTORIDADE NT	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
objectUserGroup	string	true	-	The user group name	staff _spotlight wheel	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
online	string	true	-	The flag to identify whether the endpoint is online	Yes No	Trend Micro Apex One as a Service
operationLevel	int	false	-	The level that is used to indicate the handler layer at SOC	1 3	Trend Micro Apex One as a Service
originalFileHashes	dynamic	true	FileSHA1	The hashes of the original file	ba4700bfd55741c657a99fbe416787835fb384da 639dfe4a69c1e6aace1e4eece3b3bb25af6a1392	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
originalFilePaths	dynamic	true	FileFullPath FileName	The paths of the original file	C:\\Users\\user_name\\Downloads\\run.exe	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
osDescription	string	true	-	The OS version	Windows 10 (64 bit) Windows 10 Pro (64 bit) build 19044 Amazon Linux 2 (64 bit) (5.4.188-104.359.amzn2.x86_64)	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
osName	string	true	-	The host operating system name	Windows Linux macOS	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
osType	string	true	-	The host operating system type	0x00000030 4	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
osVer	string	true	-	The version of the host operating system	Amazon Linux 2 10.0.19044 10.0.19042	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
parentAuthId	string	true	-	The parent authorization ID	999 996 997	Endpoint Sensor Trend Micro Apex One as a Service
parentCmd	string	true	CLICommand	The command line entry of the parent process	C:\WINDOWS\system32\services.exe C:\Windows\system32\services.exe /sbin/launchd	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
parentFileCreation	string	true	-	The time the parent file was created	1652131848000 1577865600000 1635172968000	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
parentFileCurrentOwnerName	string	true	-	The current owner name of the parent file	NT AUTHORITY\SYSTEM BUILTIN\Administradores BUILTIN\Administrators	Endpoint Sensor Trend Micro Apex One as a Service
parentFileCurrentOwnerSid	string	true	-	The current security identifier owner of the parent file	S-1-5-32-544 S-1-5-18 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464	Endpoint Sensor Trend Micro Apex One as a Service
parentFileDaclString	string	true	-	The discretionary access control list of the parent file	D:(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2) D:(A;OICI;GA;;;SY)(A;OICI;0xa0120000;;;WD)(A;OICI;GA;;;BA) D:(A;ID;0x1200a9;;;AC)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;S-1-15-2-2)	Endpoint Sensor Trend Micro Apex One as a Service
parentFileGroupName	string	true	-	The name of the parent file user group	wheel admin staff	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
parentFileGroupSid	string	true	-	The security identifier of the parent process file group	S-1-5-18 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-32-544	Endpoint Sensor Trend Micro Apex One as a Service
parentFileHashId	long	true	-	The parent file hash ID	-4092577940452904134 2141057820373638746 -821808160829839906	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
parentFileHashMd5	string	true	FileMD5	The md5 hash of parent process	d8e577bf078c45954f4531885478d5a9 cd10cb894be2128fca0bf0e2b0c27c16 cfd65bed18a1fae631091c3a4c4dd533	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
parentFileHashSha1	string	true	FileSHA1	The SHA1 hash of parent process	d7a213f3cfee2a8a191769eb33847953be51de54 1f912d4bec338ef10b7c9f19976286f8acc4eb97 9ad737cbd8bbdddc96726156dbd3bc03936bf02f	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
parentFileHashSha256	string	true	FileSHA2	The SHA256 hash of parent process	dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674 f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881 00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
parentFileModifiedTime	string	true	-	The time the parent file was modified	1652131848000 1577865600000 1635172968000	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
parentFileOriginalName	string	true	FileName	The original file name of the parent image	Taskmgr.exe WINLOGON.EXE svchost.exe	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
parentFileOwnerName	string	true	-	The owner name of the parent file	root cit BUILTIN\Administrators	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
parentFileOwnerSid	string	true	-	The security identifier of the parent file owner	S-1-5-32-544 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-18	Endpoint Sensor Trend Micro Apex One as a Service
parentFilePath	string	true	FileFullPath FileName	The file path of the parent process	c:\windows\system32\services.exe /usr/bin/bash c:\windows\system32\svchost.exe	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
parentFileRemoteAccess	bool	true	-	The remote access to the parent file	-	Endpoint Sensor Trend Micro Apex One as a Service
parentFileSaclString	string	true	-	The system access control list of the parent file	S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD) S:NO_ACCESS_CONTROL S:(AU;IDSAFA;DCLCRPSDWDWO;;;AU)	Trend Micro Apex One as a Service Endpoint Sensor
parentFileSize	string	true	-	The file size of the parent file	714856 59952 5114880	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
parentHashId	long	true	-	The parent hash ID	-865367326691173681 -2903238741593506113 -4358168316031740439	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
parentIntegrityLevel	int	true	-	The integrity level of a parent	-	Endpoint Sensor Trend Micro Apex One as a Service
parentLaunchTime	real	true	-	The time when the parent process was launched	1653614773895 1656118625928 0	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
parentName	string	true	-	The image name of the parent process	c:\windows\system32\services.exe /usr/bin/bash c:\windows\system32\svchost.exe	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
parentPid	int	true	-	The PID of the parent process	1 976 920	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
parentSessionId	int	false	-	The parent session ID	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
parentSigner	dynamic	true	-	The signer of the parent file	Microsoft Windows Publisher Microsoft Windows Software Signing;Apple Code Signing Certification Authority;Apple Root CA;	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
parentSignerFlagsAdhoc	dynamic	true	-	The list of parent process signature adhoc flags	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Micro Apex One On-Premises
parentSignerFlagsAdhoc	dynamic	true	-	The list of parent process signature adhoc flags	-	Endpoint Sensor Trend Micro Apex One as a Service
parentSignerFlagsLibValid	dynamic	true	-	The list of parent process signature library validation flags	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Micro Apex One On-Premises
parentSignerFlagsLibValid	dynamic	true	-	The list of parent process signature library validation flags	-	Endpoint Sensor Trend Micro Apex One as a Service
parentSignerFlagsRuntime	dynamic	true	-	The list of parent process signature runtime flags	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Micro Apex One On-Premises
parentSignerFlagsRuntime	dynamic	true	-	The list of parent process signature runtime flags	-	Endpoint Sensor Trend Micro Apex One as a Service
parentSignerValid	dynamic	true	-	The validity of the parent signer	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
parentSubTrueType	int	true	-	The true file subtype of the parent file	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
parentTrueType	int	true	-	The true file type of the parent file	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
parentUser	string	true	-	The type of user that executed the parent process	root SYSTEM SISTEMA	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
parentUserDomain	string	true	-	The user domain of the parent process	NT AUTHORITY AUTORIDADE NT	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
patType	string	true	-	The pattern type	NCIE CNC Pattern NCIE RR Pattern NCIE User Define Block List	Trend Micro Apex One as a Service
patVer	string	true	-	The version of the behavior pattern	35.1053.00 630 35.1071.00	Trend Micro Apex One as a Service Endpoint Sensor Trend Micro Cloud App Security
pComp	string	true	-	The component that made the detection	CAV NCIE TMUFE	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service
peerIp	dynamic	true	IPv4 IPv6	The IP of peerHost	10.10.10.10	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service
plang	int	false	-	The product language	1	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
platformAssetTags	dynamic	true	-	The list of platform custom asset tags	{"Asset group":["finance"], "some.ip": ["10.1.0.1"]}	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Vision One Container Security
platformAssetTags	dynamic	true	-	The list of platform custom asset tags	{"Asset group":["finance"], "some.ip": ["10.1.0.1"]}	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
pname	string	true	-	The internal product ID	Trend Micro Deep Security Deep Discovery Inspector Apex One	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Deep Security Trend Micro Cloud App Security Trend Micro Email Security TippingPoint Security Management System Endpoint Sensor Trend Micro Web Security Trend Cloud One - Network Security Zero Trust Secure Access - Internet Access Trend Vision One Mobile Security Trend Vision One Container Security Email Sensor
pname	string	true	-	Internal product ID (Deprecated, use productCode)	2200 751 533	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
policyId	string	true	-	The policy ID of which the event was detected	00000001-0001-0001-0001-000000007610 007 003 TM000001	TippingPoint Security Management System Trend Micro Apex One as a Service Endpoint Sensor Trend Cloud One - Network Security Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security Trend Vision One Container Security
policyName	string	true	-	The name of the triggered policy	Steelcase Cabot Tigre - Medium Policy apiPostedPolicy	Trend Micro Apex One as a Service Trend Micro Cloud App Security Trend Micro Web Security Trend Micro Email Security Zero Trust Secure Access - Internet Access TXOne EdgeOne Trend Vision One Container Security Mobile Network Security
policyTemplate	dynamic	true	-	The one-to-many data structure	policyName:Monitoreo All Files, template:Managed - All files policyName:HSS DLP, template:All File Extension India: Mobile Numbers	Trend Micro Apex One as a Service Trend Micro Cloud App Security Zero Trust Secure Access - Internet Access
pplat	int	false	-	The product platform	5889 9217	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
processArtifactIds	dynamic	true	-	The artifact IDs generated by processAction	00000000-0000-0000-0000-000000000000_1.dmp 11111111-1111-1111-1111-111111111111_2.bak	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
processCmd	string	true	CLICommand	The subject process command line	"C:\Program Files (x86)\AADM\AADM.exe" /usr/lib/inet/sendmail -bl -q15m ComDir	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Deep Security Trend Micro Apex One as a Service Trend Vision One Container Security
processCmd	string	true	CLICommand	The command line entry of the subject process	C:\Windows\system32\lsass.exe C:\WINDOWS\system32\lsass.exe nimbus(processes)	Endpoint Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
processFileCreation	string	true	-	The time the process file was created	1652131848000 1577865600000 1635172906000	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
processFileCurrentOwnerName	string	true	-	The current owner name of the process file	NT AUTHORITY\SYSTEM BUILTIN\Administrators BUILTIN\Administradores	Endpoint Sensor Trend Micro Apex One as a Service
processFileCurrentOwnerSid	string	true	-	The owner of the process file current security identifier	S-1-5-18 S-1-5-32-544 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464	Endpoint Sensor Trend Micro Apex One as a Service
processFileDaclString	string	true	-	The discretionary access control list of the process file	D:(A;ID;0x1200a9;;;AC)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;S-1-15-2-2) D:(A;ID;FA;;;SY) D:(A;ID;FA;;;BA)(A;ID;FA;;;SY)	Endpoint Sensor Trend Micro Apex One as a Service
processFileGroupName	string	true	-	The name of the process file user group	wheel admin staff	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
processFileGroupSid	string	true	-	The security identifier of the process file group	S-1-5-18 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-32-544	Endpoint Sensor Trend Micro Apex One as a Service
processFileHashId	long	true	-	The file hash of the process	2141057820373638746 -821808160829839906 5222963427542927736	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
processFileHashMd5	string	true	FileMD5	The MD5 hash of the subject process image	cd10cb894be2128fca0bf0e2b0c27c16 7ac47235c7bb452a03d3afd872f44c9e cfd65bed18a1fae631091c3a4c4dd533	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
processFileHashSha1	string	true	FileSHA1	The SHA-1 of the subject process	C0885381EBAC94AB20E78936434FA208F6B65352 ac373ed32b491da22924e2e11e36574e5d582a35 DF93F7DF887E86C3B56539B5046B286001C6F150	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
processFileHashSha1	string	true	FileSHA1	The SHA1 hash of subject process image	1f912d4bec338ef10b7c9f19976286f8acc4eb97 ded3833f145989fd86c1f4811b61497298ebc7fd 9ad737cbd8bbdddc96726156dbd3bc03936bf02f	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
processFileHashSha256	string	true	FileSHA2	The SHA256 hash of subject process image	f3feb95e7bcfb0766a694d93fca29eda7e2ca977c2395b4be75242814eb6d881 39109eef00821658893b45634fe2f4664f880da9242712df907f1327d4ceefb8 00f8cbc5b3a6640af5ac18d01bc5a666f6f583b1379b9491e0bcc28ba78c92e9	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
processFileModifiedTime	string	true	-	The time the process file was modified	1652131848000 1633413236462 1414554708877	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
processFileOriginalName	string	true	FileName	The original file name of the process image	Taskmgr.exe WINLOGON.EXE svchost.exe	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
processFileOwnerName	string	true	-	The process file owner name	root cit BUILTIN\Administrators	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
processFileOwnerSid	string	true	-	The security identifier of the process file owner	S-1-5-32-544 S-1-5-18 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464	Endpoint Sensor Trend Micro Apex One as a Service
processFilePath	string	true	ProcessFullPath FileFullPath FileName	The file path of the subject process	c:\windows\system32\svchost.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe c:\windows\syswow64\srts\wmipr.exe	Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security Endpoint Sensor
processFilePath	string	true	ProcessFullPath ProcessName FileFullPath FileName	The file path of the subject process	/usr/bin/bash c:\windows\system32\svchost.exe c:\windows\system32\lsass.exe	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
processFileRemoteAccess	bool	true	-	The remote access to the process file	-	Endpoint Sensor Trend Micro Apex One as a Service
processFileSaclString	string	true	-	The system access control list of the process file	S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD) S:(AU;IDSAFA;DCLCRPSDWDWO;;;AU) S:NO_ACCESS_CONTROL	Trend Micro Apex One as a Service Endpoint Sensor
processFileSize	string	true	-	The file size of the process file	59952 59456 47024	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
processHashId	long	true	-	The FNV of subject process	7114696589795796819 1307755369266815004 -5015325378148567246	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
processImageFileNames	dynamic	true	-	The process image file names of detected backup artifacts	C:\Program Files\aaa\bbb\objprocess.exe C:\Program Files\ccc\ddd\sample.exe	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
processLaunchTime	real	true	-	The time the subject process was launched	1653614775212 1656118626642 1652098160298	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
processName	string	true	ProcessName	The image name of the process that triggered the event	c:\windows\system32\svchost.exe /usr/bin/python2.7 /usr/bin/sed	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Deep Security Trend Vision One Container Security Trend Micro Apex One as a Service
processName	string	true	ProcessName	The image name of the process that triggered the event	/usr/bin/bash c:\windows\system32\svchost.exe c:\windows\system32\lsass.exe	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
processPid	int	true	-	The PID of the subject process	4 1 784 792	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
processSigner	dynamic	true	-	The process file signer	Microsoft Windows Microsoft Windows Publisher Microsoft Corporation	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
processSignerFlagsAdhoc	dynamic	true	-	The list of process signature adhoc flags	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Micro Apex One On-Premises
processSignerFlagsAdhoc	dynamic	true	-	The list of process signature adhoc flags	-	Endpoint Sensor Trend Micro Apex One as a Service
processSignerFlagsLibValid	dynamic	true	-	The list of process signature library validation flags	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Micro Apex One On-Premises
processSignerFlagsLibValid	dynamic	true	-	The list of process signature library validation flags	-	Endpoint Sensor Trend Micro Apex One as a Service
processSignerFlagsRuntime	dynamic	true	-	The list of process signature runtime flags	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Micro Apex One On-Premises
processSignerFlagsRuntime	dynamic	true	-	The list of process signature runtime flags	-	Endpoint Sensor Trend Micro Apex One as a Service
processSignerValid	dynamic	true	-	The validity of the process signer	1	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
processSubTrueType	int	true	-	The true file subtype of the process	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
processTrueType	int	true	-	The true file type of the process	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
processUser	string	true	UserAccount	The user name of the process or the file creator	SYSTEM SVC_JENKINS_CODE_DEV NETWORK SERVICE	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
processUser	string	true	UserAccount	The owner name of subject process image	root SYSTEM SISTEMA	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
processUserDomain	string	true	-	The process user domain	NT AUTHORITY AUTORIDADE NT	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
proto	int	false	-	The protocol type	TELEMETRY_CONNECTION_TCP TELEMETRY_CONNECTION_UDP	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
providerGUID	string	true	-	The GUID of the Windows event provider	{11111111-1111-1111-1111-111111111111}	Endpoint Sensor Trend Micro Apex One as a Service
providerName	string	true	-	The name of the Windows event provider	Microsoft-Windows-Security-Auditing Microsoft-Windows-WMI-Activity Microsoft-Windows-TaskScheduler	Endpoint Sensor Trend Micro Apex One as a Service
proxy	string	true	-	The proxy address	proxy.sample:8080 10.10.10.10:8080	Endpoint Sensor Trend Micro Apex One as a Service
pver	string	true	-	The product version	20.0.0.4726 20.0.0.4416 6.2.1125	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Deep Security Trend Micro Apex One as a Service TippingPoint Security Management System Trend Cloud One - Network Security Zero Trust Secure Access - Internet Access Trend Vision One Mobile Security Trend Vision One Container Security File Security File Security Storage Agentless Vulnerability & Threat Detection
pver	string	true	-	The product version	1.2.0.2752 1.0.345 1.2.0.2657	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
quarantineFileId	string	true	-	The unique identifier of the quarantined object	ASLUMVS0.4FC	Trend Micro Apex One as a Service Trend Micro Apex One On-Premises Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security
quarantineFilePath	string	true	FileFullPath	The file path of the quarantined object	C:\ProgramData\Trend Micro\AMSP\quarantine\ASLUMVS0.4FC	Trend Micro Apex One as a Service Trend Micro Apex One On-Premises Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security
quarantineFileSha256	string	true	FileSHA2	The SHA-256 of the quarantined object	84B2FA19B05EA88D6E785B4ADB528120485AA3F72F3E5E114DE6D3696B0D151F	Trend Micro Apex One as a Service Trend Micro Apex One On-Premises Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security
quarantineType	string	true	-	The descriptive name for the quarantine area	0 1 538	Trend Micro Apex One as a Service
rating	string	true	-	The credibility level	Safe Unknown Dangerous	Trend Micro Apex One as a Service Trend Micro Deep Discovery Inspector Network Sensor
rawDataSize	string	true	-	The size of the Windows event log	1128 1129 1127	Endpoint Sensor Trend Micro Apex One as a Service
rawDataStr	string	true	-	Windows event raw contents	{ "EventData" : { "LogonType" : "", "TargetDomainName" : "", "TargetLogonId" : "", "TargetUserName" : "", "TargetUserSid" : "" } } { "EventData" : { "LogonType" : "10", "TargetDomainName" : "AFASADV", "TargetLogonId" : "14941011731", "TargetUserName" : "administrator", "TargetUserSid" : "S-1-5-21-1507008304-2416677881-2121376573-500" } } { "EventData" : { "LogonType" : "10", "TargetDomainName" : "AIS", "TargetLogonId" : "216921070", "TargetUserName" : "MWoodr01", "TargetUserSid" : "S-1-5-21-1873864278-1756520048-3043165120-15057" } }	Endpoint Sensor Trend Micro Apex One as a Service
remarks	string	true	-	The additional information	warning: fork: Resource temporarily unavailable pam_unix(cron:session): session opened for user root by (uid=0) WinEvtLog: Application: AUDIT_FAILURE(18470): MSSQL$SA: (no user): no domain: EXAMPLE.com: Login failed for user 'example_user'. Reason: The account is disabled. [CLIENT: 10.10.10.10]	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Deep Security Trend Micro Cloud App Security Trend Micro Apex One as a Service Trend Micro Email Security Trend Cloud One - Network Security TXOne EdgeOne Email Sensor File Security Agentless Vulnerability & Threat Detection
request	string	true	URL	The notable URLs	http://example.page.com/canonical.html http://10.10.10.10 https://drive.google.com/	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service TippingPoint Security Management System Trend Cloud One - Endpoint & Workload Security Zero Trust Secure Access - Internet Access Trend Micro Cloud App Security Trend Cloud One - Network Security Trend Micro Email Security Trend Micro Deep Security Trend Vision One Mobile Security Zero Trust Secure Access - Private Access
request	string	true	URL	Request URL	http://10.10.10.10/fake/site http:///fake/param.cgi?action=list&group=Alarm.Status http://fake.com/	Trend Micro Apex One as a Service Endpoint Sensor
requestClientApplication	string	true	-	The protocol user agent information	Microsoft-Delivery-Optimization/10.0 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) example Software GmbH	Trend Micro Deep Discovery Inspector Network Sensor Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
requestMethod	string	true	-	The network protocol request method	GET POST PUT	Trend Micro Apex One as a Service Endpoint Sensor Trend Cloud One - Endpoint & Workload Security
riskConfidenceLevel	string	true	-	The risk confidence level	0 1 2	Trend Micro Apex One as a Service Trend Micro Cloud App Security
riskLevel	string	true	-	The risk level	1 high No Risk	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Cloud App Security Endpoint Sensor Trend Micro Deep Discovery Inspector Network Sensor
rt	string	false	-	The Unix time of the log generation	1656324260000	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Deep Security Trend Micro Cloud App Security Trend Micro Email Security TippingPoint Security Management System Endpoint Sensor Trend Micro Web Security Trend Cloud One - Network Security Zero Trust Secure Access - Internet Access Zero Trust Secure Access - Private Access Email Sensor
rt	string	false	-	The event time	1657781088000	Endpoint Sensor Trend Micro Apex One as a Service
rtDate	string	true	-	The date of the log generation	1655337600000	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Deep Security
rtHour	int	false	-	The hour of the log generation	9 8	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Deep Security
rtWeekDay	string	true	-	The weekday of the log generation	Monday Tuesday Friday	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Deep Security
ruleId	int	true	-	The rule ID	1002795 1003802	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Deep Security Trend Micro Apex One as a Service Mobile Network Security
ruleId	int	true	-	The rule ID	1005566	Endpoint Sensor Trend Micro Apex One as a Service
ruleName	string	true	-	The name of the rule that triggered the event	Directory Server - Microsoft Windows Active Directory Microsoft Windows Events Microsoft Windows Security Events - 3 (T1234) New executable created (chmod) Sensitive Files Upload to Personal Cloud Multiple Sensitive Files Compression Transfer Sensitive Files to Removable Storage Move Multiple Sensitive Files to Central Location Multiple Sensitive Files Modification Multiple Sensitive Files Deletion GEN_CCFR_OVERLAY_TEST.A	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Deep Security Trend Micro Cloud App Security TippingPoint Security Management System Endpoint Sensor Trend Micro Email Security Trend Cloud One - Network Security Zero Trust Secure Access - Private Access Trend Vision One Container Security Email Sensor Mobile Network Security Data Detection and Response
ruleType	string	true	-	The access rule type	udso point of entry unknown	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Cloud App Security Zero Trust Secure Access - Private Access Trend Vision One Container Security
scanType	string	true	-	The scan type	realtime_mailmeta-exchange exchange_mailbox_realtime_detection_logs gateway_realtime_blocking_traffic malware_schedule_image malware_schedule_file malware_realtime_image malware_realtime_file	Trend Micro Cloud App Security Trend Micro Email Security Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Deep Security Email Sensor File Security Agentless Vulnerability & Threat Detection Trend Vision One Container Security
score	int	false	-	The Web Reputation Services URL rating	71 81	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Cloud App Security Trend Vision One Mobile Security Trend Cloud One - Endpoint & Workload Security
secondAct	string	true	-	The second scan action	Unknown N/A Deny Access	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Deep Security
secondActResult	string	true	-	The result of the second scan action	Unknown N/A Access denied	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Deep Security
senderGUID	string	true	-	The sender GUID	346648FC-9862-D2F0-F94C-FAB1A838ABD7 36E5239E-EEBA-0100-C10E-C057E0455E1D 9606BBD5-38A7-9024-83C8-9C88A2AF90CC	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Deep Security
senderIp	dynamic	true	-	The sender IP	10.10.10.10	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Micro Email Security
sessionId	int	false	-	The session ID	1 2	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
severity	int	true	-	The severity of the event	2 4 6 8	Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Deep Security Trend Micro Apex One as a Service TippingPoint Security Management System Trend Cloud One - Network Security Trend Vision One Container Security Mobile Network Security
signer	string	true	-	The signer of the file	Shenzhen Smartspace Software technology Co.,Limited;Symantec Class 3 SHA256 Code Signing CA;1429491600;1492649999	Trend Micro Apex One as a Service
smac	string	true	-	The source MAC address	00:11:22:33:44:55 66:77:88:99:AA:BB CC:DD:EE:FF:00:11	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security Trend Micro Deep Security TXOne EdgeOne
sourceType	string	true	-	The source type	user defined sandbox syscall	Trend Micro Apex One as a Service Trend Vision One Container Security Endpoint Sensor
spt	int	true	Port	The source port	53 7680	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security TippingPoint Security Management System Trend Micro Deep Security Trend Cloud One - Network Security Endpoint Sensor TXOne EdgeOne Zero Trust Secure Access - Private Access Trend Vision One Container Security Mobile Network Security
spt	int	true	Port	The source port number	53 5353 443	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service Data Detection and Response
src	dynamic	true	IPv4 IPv6	The source IP	10.10.10.10	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security TippingPoint Security Management System Trend Micro Deep Security Trend Cloud One - Network Security Endpoint Sensor Zero Trust Secure Access - Internet Access TXOne EdgeOne Zero Trust Secure Access - Private Access Trend Vision One Container Security Mobile Network Security
src	string	true	IPv4 IPv6	The source address	:: 10.10.10.10	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service Data Detection and Response
srcFileCreation	string	true	-	The time the source file was created	1577865600000 1626201752000 1626201750000	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
srcFileCurrentOwnerName	string	true	-	The current owner name of the source file	NT AUTHORITY\SYSTEM BUILTIN\Administrators AUTORIDADE NT\SISTEMA	Trend Micro Apex One as a Service Endpoint Sensor
srcFileCurrentOwnerSid	string	true	-	The current security identifier owner of the source file	S-1-5-18 S-1-5-32-544 S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464	Trend Micro Apex One as a Service Endpoint Sensor
srcFileDaclString	string	true	-	The discretionary access control list of the source file	D:(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2) D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2) D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)	Endpoint Sensor Trend Micro Apex One as a Service
srcFileGroupName	string	true	-	The source file user group name	wheel staff NT SERVICE\TrustedInstaller	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
srcFileGroupSid	string	true	-	The security identifier of the source file group	S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-18 S-1-5-21-3770350686-3666354711-3866293128-513	Trend Micro Apex One as a Service Endpoint Sensor
srcFileHashId	long	false	-	The source file hash ID	1102079405020678318 -6926286289273504319 8528955148329941480	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
srcFileHashMd5	string	true	FileMD5	The md5 hash of source file	e5d5e9c1f65b8ec7aa5b7f1b1acdd731 a6779bf446db07e4c4ba3516b273c496 4bb7334fdadc6eccb8e6ab402aae013b	Trend Micro Apex One as a Service Endpoint Sensor
srcFileHashSha1	string	true	FileSHA1	The SHA1 hash of source file	5d34902fecc1760138212ada36be1e742bda5e52 dbb14dcda6502ab1d23a7c77d405dafbcbeb439e 2292f8109cd756e790c068a52d50f1b0858f503b	Trend Micro Apex One as a Service Endpoint Sensor
srcFileHashSha256	string	true	FileSHA2	The SHA256 hash of source file	4eaa002225f4ea2dedcd19b7f1337d7c58ea7dd6d4571c12468dde95e6bcfdaf e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 16b20a3ad485b4fbbe3028c7e743b226db21ea93cacc8b3d7d7d4a731bf02333	Trend Micro Apex One as a Service Endpoint Sensor
srcFileIsRemoteAccess	bool	true	-	The remote access of the source file	-	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
srcFileModifiedTime	string	true	-	The time the source file was modified	1626201752000 1626201750000 1577865600000	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
srcFileOwnerName	string	true	-	The source file owner name	root NT SERVICE\TrustedInstaller NT AUTHORITY\SYSTEM	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
srcFileOwnerSid	string	true	-	The security identifier of the source file owner	S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 S-1-5-18 S-1-5-32-544	Trend Micro Apex One as a Service Endpoint Sensor
srcFilePath	string	true	FileFullPath FileName	The source file path	\\cnva-apps\megaclockprod\traveler\travelerprint.accdb c:\program files\common files\microsoft shared\clicktorun\officesvcmgrschedule.xml q:\a7_dbs\a4_pkg\a4_packaging.accde	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
srcFileSaclString	string	true	-	The system access control list of the source file	S:NO_ACCESS_CONTROL S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD) S:(AU;IDSAFA;DCLCRPSDWDWO;;;AU)	Trend Micro Apex One as a Service Endpoint Sensor
srcFileSize	string	true	-	The file size of the source file	0 131072 196608	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security Data Detection and Response
srcFirstSeen	string	true	-	The first time the source file was seen	0 1656355418449 1656714760440	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
srcHashId	long	false	-	The source hash ID	4070054759888344851 2177864258235728980 3476454206648023552	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
srcLastSeen	string	true	-	The last time the source file was seen	0 1656355418449 1656715147313	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
srcSigner	dynamic	true	-	The signer of the source file	Microsoft Windows Microsoft Corporation Google LLC	Trend Micro Apex One as a Service Endpoint Sensor
srcSignerFlagsAdhoc	dynamic	true	-	The list of source file signature adhoc flags	-	Endpoint Sensor Trend Micro Apex One as a Service
srcSignerFlagsLibValid	dynamic	true	-	The list of source file signature library validation flags	-	Endpoint Sensor Trend Micro Apex One as a Service
srcSignerFlagsRuntime	dynamic	true	-	The list of source file signature runtime flags	-	Endpoint Sensor Trend Micro Apex One as a Service
srcSignerValid	dynamic	true	-	The validity of the source file signer	-	Trend Micro Apex One as a Service Endpoint Sensor
srcSubTrueType	int	false	-	The true file subtype of the source file	-	Trend Micro Apex One as a Service Endpoint Sensor Trend Cloud One - Endpoint & Workload Security
srcTrueType	int	false	-	The true file type of the source file	-	Trend Micro Apex One as a Service Endpoint Sensor Trend Cloud One - Endpoint & Workload Security
status	string	true	-	The HTTP response status code	200 500 403	Trend Micro Apex One as a Service Endpoint Sensor Trend Cloud One - Endpoint & Workload Security
subSystem	string	true	-	The sub system information	com.apple.xpc	Endpoint Sensor Trend Micro Apex One as a Service
suid	string	true	UserAccount	User name or mailbox	root US EXAMPLE\TEST sample_email@trendmicro.com	Trend Cloud One - Endpoint & Workload Security Trend Micro Cloud App Security Trend Micro Apex One as a Service Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Web Security Trend Micro Deep Security Trend Cloud One - Network Security Zero Trust Secure Access - Internet Access
suser	dynamic	true	EmailSender	The email sender	sample_email@trendmicro.com	Trend Micro Cloud App Security Trend Micro Email Security Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Email Sensor
tacticId	dynamic	true	Tactic	The list of MITRE tactic IDs	TA0011 TA0008 TA0001	Trend Micro Deep Discovery Inspector Network Sensor Endpoint Sensor Trend Micro Apex One as a Service
tags	dynamic	true	Technique Tactic	The detected technique ID based on the alert filter	MITREV9.T1090 MITRE.T1071 MITREV9.T1059.001	ALL Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service Trend Micro Deep Discovery Inspector Network Sensor
threatName	string	true	-	The threat name	Malicious_CnC_access_on_UDP_blocked Malicious_CnC_access_on_TCP_blocked Other protected file	Trend Micro Cloud App Security Trend Micro Apex One as a Service Trend Micro Deep Discovery Inspector Network Sensor
threatType	string	true	-	The log threat type	2 99 5	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Apex One as a Service Agentless Vulnerability & Threat Detection
timezone	string	true	-	The host time zone	UTC+00:00 UTC-05:00 UTC-03:00	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
trigger	string	true	-	The action trigger	ATSE On-demand scan	Trend Cloud One - Endpoint & Workload Security Trend Micro Apex One as a Service
triggerInfo	dynamic	true	-	The trigger information	[{'triggerModule': 'ODS', 'triggerReason': 'System Schedule Scan'}]	Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
triggerReason	string	true	-	The cause of the triggered action	FILEMETA.T1027.009.TRICKBOT.SMITRE1B2, T1027.009 ST002 Scheduled Scan (custom) Scheduled Scan (system) Remote Scan: the user triggered the Apex One agent from the Trend Vision One console Manual Scan: the user triggered the local agent	Endpoint Sensor Trend Micro Apex One as a Service Trend Cloud One - Endpoint & Workload Security
urlCat	dynamic	true	-	The requested URL category	Untested 158 Web Advertisement	Trend Micro Deep Discovery Inspector Network Sensor Trend Micro Web Security Trend Micro Apex One as a Service Zero Trust Secure Access - Internet Access Trend Micro Cloud App Security Trend Vision One Mobile Security Trend Cloud One - Endpoint & Workload Security
userDomain	string	true	EndpointName DomainName AccountDomain	The user domain	example.com.pa DOMAIN	Trend Micro Apex One as a Service Trend Micro Web Security Zero Trust Secure Access - Internet Access
userDomain	dynamic	true	-	The user domain name	CORP AUTORIDADE NT	Trend Cloud One - Endpoint & Workload Security Endpoint Sensor Trend Micro Apex One as a Service
vendor	string	true	-	The device vendor	adata	Trend Micro Apex One as a Service
winEventId	int	true	-	Event ID of Windows event	11 4624 4670	Endpoint Sensor Trend Micro Apex One as a Service

Field Statistics

• Total Fields: 433
• Layer: Endpoint
• Product: Trend Micro Apex One as a Service

---

Generated by XDR Common Schema Public Doc Generator V2

This site is open source. Improve this page.