| Field | Type | Searchable | Alias | Description | Examples | Products |
|---|---|---|---|---|---|---|
| act | dynamic | true | - | The actions taken to mitigate the event | `log`, `isolate`, `terminate`, `not blocked`, `Block`, `No action`, `Reset`, `Pass`, `User Decision` | Trend Vision One Container Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Cloud One - Endpoint & Workload Security, Trend Micro Cloud App Security, TippingPoint Security Management System, Endpoint Sensor, Trend Micro Web Security, Trend Micro Email Security, Trend Micro Deep Security, Trend Cloud One - Network Security, Zero Trust Secure Access - Internet Access, TXOne EdgeOne, Zero Trust Secure Access - Private Access, Email Sensor, Trend Vision One Mobile Security, Mobile Network Security, Agentless Vulnerability & Threat Detection |
| actResult | dynamic | true | - | The result of an action | `Dropped`, `Successful`, `Accepted` | Trend Micro Apex One as a Service, Trend Micro Cloud App Security, Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, TXOne StellarOne, Trend Vision One Mobile Security |
| behaviorCat | string | true | - | The matched policy category | `Policy Enforcement`, `Grey-Detection`, `Threat-Detection` | Trend Micro Apex One as a Service, Endpoint Sensor, Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| cat | int | false | - | The weighted priority of the incident | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, Trend Micro Apex One as a Service |
| detectionMeta | dynamic | true | - | The descriptions of the detected techniques | `['T1204 some description about this technique', 'T1573.001_AES another description about this technique']` | Trend Micro Apex One as a Service, Trend Micro Apex One On-Premises, Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| detectionNames | dynamic | true | - | The rules that triggered the event | `['HS_EMOTET.SMAA', 'HM_AVEDOWN.SMZTIG-A', 'HE_DOCQRPHISH.SM']` | Trend Micro Apex One as a Service, Trend Micro Apex One On-Premises, Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| detectionType | string | true | - | The detection type | | Trend Micro Deep Discovery Inspector, Network Sensor, Trend Cloud One - Endpoint & Workload Security, Trend Micro Web Security, Trend Micro Apex One as a Service, Trend Micro Cloud App Security, Trend Micro Deep Security, Trend Micro Email Security, Zero Trust Secure Access - Internet Access, Trend Vision One Mobile Security, Zero Trust Secure Access - Private Access, Trend Vision One Container Security |
| deviceDirection | string | true | - | The device direction. If the source IP is in the internal network (the network monitored by Deep Discovery Inspector), the traffic is tagged as outbound; all other cases are inbound. Internal-to-internal traffic is also tagged as outbound. | | Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Deep Security |
| dmac | string | true | - | The MAC address of the destination IP (dest_ip) | `00:00:00:00:00:00`, `ff:ff:ff:ff:ff:ff` | Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, TXOne EdgeOne |
| dpt | int | true | Port | The destination port | | Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Cloud One - Endpoint & Workload Security, TippingPoint Security Management System, Trend Micro Deep Security, Trend Cloud One - Network Security, Endpoint Sensor, TXOne EdgeOne, Zero Trust Secure Access - Private Access, Trend Vision One Container Security, Mobile Network Security |
| dst | dynamic | true | | The destination IP | `10.10.10.10` | Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Cloud One - Endpoint & Workload Security, TippingPoint Security Management System, Trend Micro Deep Security, Trend Cloud One - Network Security, Endpoint Sensor, Zero Trust Secure Access - Internet Access, TXOne EdgeOne, Zero Trust Secure Access - Private Access, Trend Vision One Container Security, Mobile Network Security |
| duser | dynamic | true | EmailRecipient | The email recipient | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, Trend Micro Cloud App Security, Trend Micro Email Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Email Sensor |
| endpointGUID | string | true | EndpointID | The GUID of the agent that reported the detection | `ae4d64aa-f8b8-bb36-b265-f59272ed342f`, `8fb979f6-1376-bed3-227f-f2886e66194e`, `ca2b3a7e-8415-c571-cc19-e45f69470026` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Apex One as a Service, Trend Micro Deep Security, Endpoint Sensor, Zero Trust Secure Access - Internet Access, Trend Vision One Mobile Security, Zero Trust Secure Access - Private Access, TXOne StellarOne, Trend Vision One Container Security, Data Detection and Response |
| endpointHostName | string | true | EndpointName | The endpoint hostname or node where the event was detected | `10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0]`, `ip-10-10-10-10.us-west-1.compute.internal` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, Trend Micro Apex One as a Service, Endpoint Sensor, Zero Trust Secure Access - Internet Access, Trend Vision One Mobile Security, Zero Trust Secure Access - Private Access, TXOne StellarOne, Trend Vision One Container Security, Agentless Vulnerability & Threat Detection, Data Detection and Response |
| endpointIp | dynamic | true | | The IP address of the endpoint on which the event was detected | `10.10.10.10` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, Trend Micro Apex One as a Service, TippingPoint Security Management System, Trend Cloud One - Network Security, TXOne EdgeOne, Agentless Vulnerability & Threat Detection, Data Detection and Response |
| eventId | string | true | - | The event ID from the logs of each product | `100100`, `100101`, `100116`, `100117`, `100119` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Micro Deep Security, Trend Micro Cloud App Security, Endpoint Sensor, Trend Micro Email Security, TXOne StellarOne, Trend Vision One Container Security, Email Sensor, File Security, File Security Storage, Agentless Vulnerability & Threat Detection, Trend Vision One Mobile Security, Mobile Network Security, Data Detection and Response |
| eventName | string | true | - | The event type | `LOG_INSPECTION_EVENT`, `SECURITY_RISK_DETECTION`, `WEB_THREAT_DETECTION`, `MALWARE_DETECTION`, `PROCESS_ACTIVITY`, `WEB_POLICY_VIOLATION`, `DEEP_PACKET_INSPECTION_EVENT`, `INTEGRITY_MONITORING_EVENT`, `DISRUPTIVE_APPLICATION_DETECTION`, `PRODUCT_SUMMARY`, `PRODUCT_UPDATE`, `BEHAVIORAL_VIOLATION`, `FIREWALL_POLICY_VIOLATION`, `SUSPICIOUS_BEHAVIOUR_DETECTION`, `DENYLIST_CHANGE`, `MACHINE_LEARNING_DETECTION`, `DLP_VIOLATION`, `MALWARE_OUTBREAK_DETECTION`, `SENSITIVE_DATA_DETECTION` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Micro Deep Security, TippingPoint Security Management System, Trend Micro Cloud App Security, Trend Micro Email Security, Endpoint Sensor, Trend Cloud One - Network Security, Zero Trust Secure Access - Internet Access, TXOne EdgeOne, Zero Trust Secure Access - Private Access, TXOne StellarOne, Email Sensor, File Security, File Security Storage, Agentless Vulnerability & Threat Detection, Trend Vision One Mobile Security, Mobile Network Security, Data Detection and Response |
| fileHash | string | true | FileSHA1 | The SHA-1 of the file that triggered the rule or policy | `DA39A3EE5E6B4B0D3255BFEF95601890AFD80709`, `89CE26EAD139D52B8A6B61BFFC6AF89AF246580F`, `3AD1F4E7CAA11E5199EE80B8983677ADDD065450` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Deep Security, Trend Micro Apex One as a Service, Zero Trust Secure Access - Internet Access, File Security, File Security Storage, Agentless Vulnerability & Threat Detection, Data Detection and Response |
| fileName | dynamic | true | FileName | The file name | `spoolss`, `hosts`, `svcrestarttask` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Micro Deep Security, Zero Trust Secure Access - Internet Access, TXOne StellarOne, File Security, File Security Storage, Agentless Vulnerability & Threat Detection |
| fileOperation | string | true | - | The operation performed on the file | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| filePath | string | true | FileFullPath | The file path without the file name | `security`, `/var/log/audit/audit.log`, `application` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, Trend Micro Apex One as a Service, Trend Micro Deep Discovery Inspector, Network Sensor, TXOne StellarOne, File Security, File Security Storage |
| filePathName | string | true | FileFullPath | The file path with the file name | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Deep Security, TXOne StellarOne |
| firstAct | string | true | - | The first scan action | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Apex One as a Service, Trend Micro Deep Security |
| firstActResult | string | true | - | The result of the first scan action | `File passed`, `Unable to quarantine file`, `File quarantined` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Apex One as a Service, Trend Micro Deep Security |
| fullPath | string | true | FileFullPath | The combination of the file path and the file name | `\etc\hosts`, `c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask`, `\var\log\auth.log` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Apex One as a Service, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Deep Security, TXOne StellarOne, File Security, File Security Storage, Agentless Vulnerability & Threat Detection, Trend Vision One Container Security |
| groups | string | true | - | The OSSEC rule group names | `auditd,audit,`, `dirservice_log,authentication_failure,`, `windows,authentication_failures,` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| hostId | int | false | - | The host ID | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| hostName | string | true | | The computer name of the client host (the hostname from the suspicious URL detected by Deep Discovery Inspector) | `Let's Encrypt`, `10.10.10.10` | Trend Micro Deep Discovery Inspector, Network Sensor, Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, TXOne EdgeOne |
| interestedHost | string | true | DomainName | The endpoint hostname (for example, if an intranet host accesses a suspicious internet host, the intranet host is the "peerHost" and the internet host is the "interestedHost") | `10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0]`, `es-dtc-w-dc02.example.corp` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Deep Security, Trend Micro Apex One as a Service |
| interestedIp | dynamic | true | | The IP of the interestedHost | `10.10.10.10` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Deep Security, Trend Micro Apex One as a Service, TippingPoint Security Management System, Trend Cloud One - Network Security, TXOne EdgeOne |
| isEntity | string | true | - | The current entity (after the change/modification) | `{"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"running","name":"state","value":"4"}]}`, `{"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"stopped","name":"state","value":"1"}]}`, `{"key":"<example>","type":"File","attributes":[]}` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| logKey | string | true | - | The unique key of the event | `123e4567-e89b-12d3-a456-426614174000`, `987f6543-21ba-43cd-9e8f-123456789abc`, `456789ab-cdef-1234-5678-9abcdef01234` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Micro Deep Security, Trend Micro Cloud App Security, Trend Micro Email Security, TippingPoint Security Management System, Endpoint Sensor, Trend Micro Web Security, Trend Cloud One - Network Security, Zero Trust Secure Access - Internet Access |
| majorVirusType | string | true | - | The virus type | `Virus`, `Suspicious Activity`, `Trojan`, `TROJ` | Trend Micro Deep Security, Trend Cloud One - Endpoint & Workload Security, Trend Vision One Mobile Security, TXOne EdgeOne, TXOne StellarOne, File Security Storage |
| malName | string | true | - | The name of the detected malware | `SecurityLevelDrop`, `Regla Logs All`, `USR_SUSPICIOUS_DOMAIN.UMXX` | Trend Micro Apex One as a Service, Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Deep Security, Trend Micro Web Security, TXOne StellarOne, Email Sensor, File Security, File Security Storage, Agentless Vulnerability & Threat Detection, Trend Vision One Container Security |
| malType | string | true | - | The risk type for Network Content Correlation Engine rules | | Trend Micro Deep Discovery Inspector, Network Sensor, Trend Cloud One - Endpoint & Workload Security, Trend Micro Apex One as a Service, Trend Micro Deep Security, File Security, Trend Vision One Container Security |
| mDeviceGUID | string | true | - | The GUID of the agent host | `C5B09EDD-C725-907F-29D9-B8C30D18C48F`, `C05B75AB-B518-BDD0-D2B5-E9CB631C539F`, `9C28ACD3-D0EC-22A4-B08D-5B0BEFF501FC` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Apex One as a Service, Trend Micro Deep Security |
| mitreVersion | string | true | - | The MITRE version | | Trend Micro Deep Discovery Inspector, Network Sensor, Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| mpname | string | true | - | The management product name | `Cloud One - Workload Security`, `Apex Central`, `Deep Security Software` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Apex One as a Service, Trend Micro Deep Security, TippingPoint Security Management System, Endpoint Sensor, Trend Cloud One - Network Security |
| mpver | string | true | - | The product version | `Microsoft-Windows-Security-Auditing`, `Level -- Medium security`, `TASK1` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, Trend Micro Apex One as a Service, Endpoint Sensor |
| oldFileHash | string | true | FileSHA1 | The SHA-1 of the target process image or target file (wasEntity from an IM event) | `DA39A3EE5E6B4B0D3255BFEF95601890AFD80709`, `89CE26EAD139D52B8A6B61BFFC6AF89AF246580F`, `57247B810B0EE61DD86CE24AC14097B9B5405EEC` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| out | string | true | - | The IP datagram length (in bytes) | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| parentPid | int | true | - | The PID of the parent process | - | Trend Cloud One - Endpoint & Workload Security, Endpoint Sensor, Trend Micro Deep Security, Trend Vision One Container Security |
| pname | string | true | - | The internal product ID | `Trend Micro Deep Security`, `Deep Discovery Inspector`, `Apex One` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Micro Deep Security, Trend Micro Cloud App Security, Trend Micro Email Security, TippingPoint Security Management System, Endpoint Sensor, Trend Micro Web Security, Trend Cloud One - Network Security, Zero Trust Secure Access - Internet Access, Trend Vision One Mobile Security, Trend Vision One Container Security, Email Sensor |
| policyId | string | true | - | The ID of the policy under which the event was detected | `00000001-0001-0001-0001-000000007610`, `007`, `003`, `TM000001` | TippingPoint Security Management System, Trend Micro Apex One as a Service, Endpoint Sensor, Trend Cloud One - Network Security, Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, Trend Vision One Container Security |
| processCmd | string | true | CLICommand | The subject process command line | `"C:\Program Files (x86)\AADM\AADM.exe"`, `/usr/lib/inet/sendmail -bl -q15m`, `ComDir` | Trend Cloud One - Endpoint & Workload Security, Endpoint Sensor, Trend Micro Deep Security, Trend Micro Apex One as a Service, Trend Vision One Container Security |
| processImagePath | string | true | - | The process triggered by the file event | `c:\windows\system32\svchost.exe`, `/usr/bin/python2.7`, `/usr/bin/sed` | Trend Cloud One - Endpoint & Workload Security, Endpoint Sensor, Trend Micro Deep Security, Trend Vision One Container Security |
| processName | string | true | ProcessName | The image name of the process that triggered the event | `c:\windows\system32\svchost.exe`, `/usr/bin/python2.7`, `/usr/bin/sed` | Trend Cloud One - Endpoint & Workload Security, Endpoint Sensor, Trend Micro Deep Security, Trend Vision One Container Security, Trend Micro Apex One as a Service |
| proto | string | true | - | The network protocol at the exploited layer | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, TXOne EdgeOne, Trend Vision One Container Security, Mobile Network Security |
| protoFlag | string | true | - | The data flags | `ACK PSH DF=1`, `ACK DF=1`, `DF=1` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| pTags | string | true | - | The event tagging system | `attack-T1059.001, mitre attack detection`, `suppress_alert`, `SMB` | Trend Micro Deep Security |
| pver | string | true | - | The product version | `20.0.0.4726`, `20.0.0.4416`, `6.2.1125` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Deep Security, Trend Micro Apex One as a Service, TippingPoint Security Management System, Trend Cloud One - Network Security, Zero Trust Secure Access - Internet Access, Trend Vision One Mobile Security, Trend Vision One Container Security, File Security, File Security Storage, Agentless Vulnerability & Threat Detection |
| quarantineFileId | string | true | - | The unique identifier of the quarantined object | `ASLUMVS0.4FC` | Trend Micro Apex One as a Service, Trend Micro Apex One On-Premises, Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| quarantineFilePath | string | true | FileFullPath | The file path of the quarantined object | `C:\ProgramData\Trend Micro\AMSP\quarantine\ASLUMVS0.4FC` | Trend Micro Apex One as a Service, Trend Micro Apex One On-Premises, Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| quarantineFileSha256 | string | true | FileSHA2 | The SHA-256 of the quarantined object | `84B2FA19B05EA88D6E785B4ADB528120485AA3F72F3E5E114DE6D3696B0D151F` | Trend Micro Apex One as a Service, Trend Micro Apex One On-Premises, Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| remarks | string | true | - | Additional information | `warning: fork: Resource temporarily unavailable`, `pam_unix(cron:session): session opened for user root by (uid=0)`, `WinEvtLog: Application: AUDIT_FAILURE(18470): MSSQL$SA: (no user): no domain: EXAMPLE.com: Login failed for user 'example_user'. Reason: The account is disabled. [CLIENT: 10.10.10.10]` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Deep Security, Trend Micro Cloud App Security, Trend Micro Apex One as a Service, Trend Micro Email Security, Trend Cloud One - Network Security, TXOne EdgeOne, Email Sensor, File Security, Agentless Vulnerability & Threat Detection |
| request | string | true | URL | The notable URLs | `http://example.page.com/canonical.html`, `http://10.10.10.10`, `https://drive.google.com/` | Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, TippingPoint Security Management System, Trend Cloud One - Endpoint & Workload Security, Zero Trust Secure Access - Internet Access, Trend Micro Cloud App Security, Trend Cloud One - Network Security, Trend Micro Email Security, Trend Micro Deep Security, Trend Vision One Mobile Security, Zero Trust Secure Access - Private Access |
| rt | string | false | - | The Unix time of the log generation | `1656324260000` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Micro Deep Security, Trend Micro Cloud App Security, Trend Micro Email Security, TippingPoint Security Management System, Endpoint Sensor, Trend Micro Web Security, Trend Cloud One - Network Security, Zero Trust Secure Access - Internet Access, Zero Trust Secure Access - Private Access, Email Sensor |
| rtDate | string | true | - | The date of the log generation | `1655337600000` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Micro Deep Security |
| rtHour | int | false | - | The hour of the log generation | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Micro Deep Security |
| rtWeekDay | string | true | - | The weekday of the log generation | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Micro Deep Security |
| ruleId | int | true | - | The rule ID | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Deep Security, Trend Micro Apex One as a Service, Mobile Network Security |
| ruleName | string | true | - | The name of the rule that triggered the event | `Directory Server - Microsoft Windows Active Directory`, `Microsoft Windows Events`, `Microsoft Windows Security Events - 3`, `(T1234) New executable created (chmod)`, `Sensitive Files Upload to Personal Cloud`, `Multiple Sensitive Files Compression`, `Transfer Sensitive Files to Removable Storage`, `Move Multiple Sensitive Files to Central Location`, `Multiple Sensitive Files Modification`, `Multiple Sensitive Files Deletion`, `GEN_CCFR_OVERLAY_TEST.A` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Micro Deep Security, Trend Micro Cloud App Security, TippingPoint Security Management System, Endpoint Sensor, Trend Micro Email Security, Trend Cloud One - Network Security, Zero Trust Secure Access - Private Access, Trend Vision One Container Security, Email Sensor, Mobile Network Security, Data Detection and Response |
| scanType | string | true | - | The scan type | `realtime_mailmeta-exchange`, `exchange_mailbox_realtime_detection_logs`, `gateway_realtime_blocking_traffic`, `malware_schedule_image`, `malware_schedule_file`, `malware_realtime_image`, `malware_realtime_file` | Trend Micro Cloud App Security, Trend Micro Email Security, Trend Cloud One - Endpoint & Workload Security, Trend Micro Apex One as a Service, Trend Micro Deep Security, Email Sensor, File Security, Agentless Vulnerability & Threat Detection, Trend Vision One Container Security |
| secondAct | string | true | - | The second scan action | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Apex One as a Service, Trend Micro Deep Security |
| secondActResult | string | true | - | The result of the second scan action | `Unknown`, `N/A`, `Access denied` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Apex One as a Service, Trend Micro Deep Security |
| senderGUID | string | true | - | The sender GUID | `346648FC-9862-D2F0-F94C-FAB1A838ABD7`, `36E5239E-EEBA-0100-C10E-C057E0455E1D`, `9606BBD5-38A7-9024-83C8-9C88A2AF90CC` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Micro Deep Security |
| severity | int | true | - | The severity of the event | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Deep Security, Trend Micro Apex One as a Service, TippingPoint Security Management System, Trend Cloud One - Network Security, Trend Vision One Container Security, Mobile Network Security |
| shost | string | true | DomainName | The source hostname | `dns.google`, `sw_us-east-1a_10-124-17-69`, `sw_us-east-1c_10-124-21-139` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Deep Security, Mobile Network Security |
| smac | string | true | - | The source MAC address | `00:11:22:33:44:55`, `66:77:88:99:AA:BB`, `CC:DD:EE:FF:00:11` | Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, TXOne EdgeOne |
| sproc | string | true | - | The OSSEC program name | `postfix/sendmail`, `CRON`, `sshd` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| spt | int | true | Port | The source port | | Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Cloud One - Endpoint & Workload Security, TippingPoint Security Management System, Trend Micro Deep Security, Trend Cloud One - Network Security, Endpoint Sensor, TXOne EdgeOne, Zero Trust Secure Access - Private Access, Trend Vision One Container Security, Mobile Network Security |
| src | dynamic | true | | The source IP | `10.10.10.10` | Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Apex One as a Service, Trend Cloud One - Endpoint & Workload Security, TippingPoint Security Management System, Trend Micro Deep Security, Trend Cloud One - Network Security, Endpoint Sensor, Zero Trust Secure Access - Internet Access, TXOne EdgeOne, Zero Trust Secure Access - Private Access, Trend Vision One Container Security, Mobile Network Security |
| subRuleId | string | true | - | The ID of a subordinate rule | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, Trend Cloud One - Network Security |
| subRuleName | string | true | - | The subrule name | `Pre-authentication failed.`, `ATTACK T1070.002,T1070.004: Indicator Removal on Host : Clear Linux or Mac System Logs,File Deletion`, `ATTACK T1110: Multiple Windows Logon Failures`, `invisible_url_domain` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security, Trend Micro Cloud App Security, Trend Micro Email Security, Email Sensor |
| suid | string | true | UserAccount | The user name or mailbox | `root`, `US EXAMPLE\TEST`, `sample_email@trendmicro.com` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Cloud App Security, Trend Micro Apex One as a Service, Trend Micro Deep Discovery Inspector, Network Sensor, Trend Micro Web Security, Trend Micro Deep Security, Trend Cloud One - Network Security, Zero Trust Secure Access - Internet Access |
| target | string | true | - | The target object of the behavior | `c:\windows\system32\windowspowershell\v1.0\powershell.exe`, `zwwritevirtualmemory`, `/proc/211296/exe` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| targetType | string | true | - | The target object type | `File System`, `Uncategorized`, `Exploit` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| wasEntity | string | true | - | The entity before the change/modification | `{"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"stopped","name":"state","value":"1"}]}`, `{"key":"<example>","type":"Service","attributes":[{"friendlyValue":null,"name":"binaryPathName","value":"C:\\Windows\\system32\\vssvc.exe"},{"friendlyValue":"manual","name":"startType","value":"3"},{"friendlyValue":"running","name":"state","value":"4"}]}`, `{"key":"<example>","type":"File","attributes":[]}` | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |
| winEventId | int | true | - | The Windows event ID | | Trend Cloud One - Endpoint & Workload Security, Trend Micro Deep Security |