Layer: Network
This documentation provides detailed information about all fields available for Deep Discovery Inspector.
| Field Name | Type | Searchable | General Field | Description | Example | Products |
|---|---|---|---|---|---|---|
| act | dynamic | true | - | The actions taken to mitigate the event | | |
| aggregatedCount | string | true | - | The number of aggregated events | | |
| app | string | true | - | The network protocol | HTTP | |
| appGroup | string | true | - | The app category of the event | | |
| aptCampaigns | dynamic | true | - | The related APT campaigns | | |
| aptRelated | string | true | - | Whether the event is related to an APT | | |
| archFiles | dynamic | true | - | The file information extracted from detected files | None | |
| attachmentFileHash | string | true | FileSHA1 | The SHA-1 of the email attachment | | |
| attachmentFileHashSha256 | string | true | FileSHA2 | The SHA-256 of the attached file (attachmentFileName) | | |
| attachmentFileName | dynamic | true | FileName | The file name of an attachment | | |
| attachmentFileSize | string | true | - | The file size of the email attachment | | |
| attachmentFileType | string | true | - | The file type of the email attachment | | |
| botCmd | string | true | CLICommand | The bot command | | |
| botUrl | string | true | URL | The bot URL | | |
| cccaDestination | string | true | URL | The destination domain, IP, URL, or recipient | | |
| cccaDestinationFormat | string | true | - | The C&C server access format | | |
| cccaDetection | string | true | - | Whether this log is identified as a C&C callback address detection | Yes | |
| cccaDetectionSource | string | true | - | The list that defines this CCCA detection rule | | |
| cccaRiskLevel | int | true | - | The severity level of the threat actors associated with the C&C servers | | |
| clientFlag | string | true | - | Whether the client is the source or the destination | | |
| clientGroup | string | true | - | The client IP network group | | |
| clientIp | string | true | | The endpoint IP address | 10.10.10.10 | |
| clientMAC | string | true | - | The client MAC address | 00-00-00-ff-ff-ff | |
| clientPort | int | true | Port | The client port number | 5566 | |
| clientTls | string | true | - | The transport layer security version of the client | TLS 1.2 | |
| cnt | string | true | - | The total number of logs | | |
| compressedFileHash | string | true | FileSHA1 | The SHA-1 of the decompressed archive | | |
| compressedFileHashSha256 | string | true | FileSHA2 | The SHA-256 of the compressed suspicious file | | |
| compressedFileName | string | true | FileName | The file name of the compressed file | | |
| compressedFileSize | string | true | - | The file size of the decompressed archive file | | |
| compressedFileType | string | true | - | The file type of the decompressed archive file | | |
| correlationCat | string | true | - | The correlation category | | |
| cve | string | true | - | The CVE identifier | | |
| cves | dynamic | true | - | The CVEs associated with this filter | | |
| data0 | string | true | - | The value of the DDI Correlation log | | |
| data0Name | string | true | - | The name of the DDI Correlation log | | |
| data1 | string | true | - | The Deep Discovery Inspector correlation log metadata | 10.10.10.10 | |
| data1Name | string | true | - | The name of the DDI Correlation log | | |
| data2 | string | true | - | The value of the DDI Correlation log | | |
| data2Name | string | true | - | The name of the DDI Correlation log | | |
| data3 | string | true | - | The value of the DDI Correlation log | | |
| data4 | string | true | - | The value of the DDI Correlation log | 10.10.10.10 | |
| dceHash1 | string | true | - | Required by the Trend Micro Threat Mitigation Server, which is end of life (EOL) | 0 | |
| dceHash2 | string | true | - | Required by the Trend Micro Threat Mitigation Server, which is end of life (EOL) | 0 | |
| denyListFileHash | string | true | FileSHA1 | The SHA-1 of the Virtual Analyzer Suspicious Object | | |
| denyListFileHashSha256 | string | true | - | The SHA-256 of the User-Defined Suspicious Object | 757E5C8823CAA7406030A7E26AED2A2C95D16F69C5A14C884C8CAA72A0C001C3 | |
| denyListHost | string | true | DomainName | The domain of the Virtual Analyzer Suspicious Object | | |
| denyListIp | dynamic | true | | The IP of the Virtual Analyzer Suspicious Object | 10.10.10.10 | |
| denyListRequest | string | true | - | The block list event request | | |
| denyListType | string | true | - | The block list type | | |
| detectionType | string | true | - | The detection type | | |
| deviceDirection | string | true | - | The device direction. If the source IP is in the internal network (the network monitored by Deep Discovery Inspector), the event is tagged as outbound; all other cases are inbound. Internal-to-internal traffic is also tagged as outbound. | | |
| deviceGUID | string | true | - | The GUID of the agent that reported the detection | | |
| deviceGUID | string | true | - | The non-endpoint object, such as a network appliance | 11111111-1111-1111-1111-111111111111 | |
| deviceMacAddress | string | true | - | The device MAC address | | |
| devicePayloadId | string | true | - | The device payload ID | | |
| deviceRiskConfidenceLevel | int | false | - | The confidence level of the device risk | - | |
| dhost | string | true | DomainName | The destination hostname | 10.10.10.10 | |
| direction | string | true | - | The object transfer direction | Download | |
| dmac | string | true | - | The MAC address of the destination IP (dest_ip) | | |
| dnsQueryType | string | true | - | The record type requested by the DNS protocol | A | |
| domainName | string | true | DomainName | The detected domain name | | |
| dOSName | string | true | - | The destination host OS | | |
| dpt | int | true | Port | The destination port | | |
| dst | dynamic | true | | The destination IP | 10.10.10.10 | |
| dstGroup | string | true | - | The group name defined by the administrator of the destination | | |
| dstZone | string | true | - | The network zone defined by the destination administrator | | |
| duser | dynamic | true | EmailRecipient | The email recipient | | |
| duser | dynamic | true | EmailRecipient | The email recipient | sample_email@trendmicro.com | |
| dUser1 | string | true | UserAccount | The latest sign-in user of the destination | user\example | |
| dvc | dynamic | true | - | The IP address of the Deep Discovery Inspector appliance | 10.10.10.10 | |
| dvc | dynamic | true | - | The IP address of the Deep Discovery Inspector or Virtual Network Sensor appliance | 10.10.10.10 | |
| dvchost | string | true | - | The computer on which the Trend Micro product is installed | | |
| dvchost | string | true | - | The network device hostname | | |
| eventClass | string | true | - | The event category | | |
| eventId | string | true | - | The event ID from the logs of each product | | |
| eventId | string | true | - | The event ID | | |
| eventName | string | true | - | The event type | | |
| eventName | string | true | - | The name of the log event | | |
| eventSubClass | string | true | - | The category of the sub-event class | | |
| eventTime | real | true | - | The time the agent or product detected the event | 1657135700000 | |
| fileExt | string | true | - | The file extension of the suspicious file | | |
| fileHash | string | true | FileSHA1 | The SHA-1 of the file that triggered the rule or policy | | |
| fileHash | string | true | FileSHA1 | The SHA-1 of the file that violated the policy | 1e15bf99022a9164708cebb3eace8fd61ad45cba | |
| fileHashSha256 | string | true | FileSHA2 | The SHA-256 of the file (fileName) | | |
| fileHashSha256 | string | true | FileSHA2 | The SHA-256 of the file that violated the policy | ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93 | |
| fileName | dynamic | true | FileName | The file name | | |
| fileName | string | true | | The name of the file that violated the policy | word.doc | |
| filePath | string | true | FileFullPath | The file path without the file name | | |
| filePathName | string | true | FileFullPath | The file path with the file name | | |
| fileSize | string | true | - | The file size of the suspicious file | | |
| fileSize | string | true | - | The size of the file that violated the policy | 12134 | |
| fileType | string | true | - | The file type of the suspicious file | | |
| fileType | string | true | - | The type of the file that violated the policy | Microsoft Words | |
| filterRiskLevel | string | true | - | The top-level filter risk of the event | | |
| firmalware | dynamic | true | - | The firmware version of Deep Discovery Inspector | | |
| flowId | string | true | - | The network analysis flow ID | 6837014561409730558 | |
| ftpTrans | dynamic | true | - | The transaction information of the FTP protocol | None | |
| fullPath | string | true | FileFullPath | The combination of the file path and the file name | | |
| hasdtasres | string | true | - | Whether the log contains a report from Virtual Analyzer | | |
| heurFlag | int | false | - | Whether the event has an Advanced Threat Scan Engine detection | | |
| hostName | string | true | | The computer name of the client host (the hostname from the suspicious URL detected by Deep Discovery Inspector) | | |
| hostName | string | true | | The host name | NJ-EFFY-ZHAO1 | |
| hostSeverity | int | true | - | The severity of the threat (specific to the interestedIp) | | |
| hotFix | dynamic | true | - | The applied Deep Discovery Inspector hotfix version | | |
| httpLocation | string | true | URL | The HTTP Location header | www.google.com.tw | |
| httpReferer | string | true | URL | The HTTP referer | | |
| httpReferer | string | true | URL | The HTTP Referer header | www.google.com.tw | |
| httpXForwardedFor | string | true | - | The HTTP X-Forwarded-For header | 10.10.10.10, 10.10.10.11, 10.10.10.12 | |
| httpXForwardedForGroup | string | true | - | The X-Forwarded-For IP network group | | |
| httpXForwardedForIp | string | true | | The X-Forwarded-For IP used by the network appliance | 10.10.10.10 | |
| httpXForwardedForPort | int | false | - | The patched HTTP server port when the network appliance selects an X-Forwarded-For IP address to use | 65535 | |
| interestedGroup | string | true | - | The network group associated with the user-defined source IP or destination IP | | |
| interestedHost | string | true | DomainName | The endpoint hostname (for example, if an intranet host accesses a suspicious internet host, the intranet host is the "peerHost" and the internet host is the "interestedHost") | | |
| interestedIp | dynamic | true | | The IP of the interestedHost | 10.10.10.10 | |
| interestedMacAddress | string | true | - | The MAC address identified as the log owner's | | |
| ircChannelName | string | true | - | The IRC channel name | | |
| ircUserName | string | true | - | The IRC user name | | |
| isHidden | string | true | - | Whether the detection log generated a grey rule match | Yes | |
| ja3Hash | string | true | - | The fingerprint of an SSL/TLS client application as detected via a network sensor or device | | |
| ja3Hash | string | true | - | The JA3 hash | 478e74fad764c966f19c5232c7cdfc5a | |
| ja3sHash | string | true | - | The fingerprint of an SSL/TLS server application as detected via a network sensor or device | | |
| ja3sHash | string | true | - | The JA3S hash | 6d37fb1b3306d6e9f875650d8eb74b4f | |
| logKey | string | true | - | The unique key of the event | | |
| mailMsgSubject | string | true | EmailSubject | The email subject | | |
| mailMsgSubject | string | true | EmailSubject | The email subject | test | |
| malFamily | string | true | - | The threat family | | |
| malName | string | true | - | The name of the detected malware | | |
| malType | string | true | - | The risk type for Network Content Correlation Engine rules | | |
| malTypeGroup | string | true | - | The risk type group for NCCE (Network Content Correlation Engine) rules. This field comes from NCCP (Network Content Correlation Pattern) rule type definitions. | | |
| mimeType | string | true | - | The MIME type or content type of the response body | text/html | |
| mitigationTaskId | string | true | - | The unique ID that identifies the mitigation request | | |
| mitreMapping | dynamic | true | - | The MITRE tags | | |
| mitreVersion | string | true | - | The MITRE version | | |
| msgId | string | true | EmailMessageID | The internet message ID | | |
| msgId | string | true | EmailMessageID | The service provider message ID | `<sample_email@trendmicro.com>` | |
| objectIps | dynamic | true | | The IP address resolved by the DNS protocol | 10.10.10.10 | |
| overSsl | string | true | - | Whether the event was triggered by an SSL decryption stream (displayed only when SSL Inspection is supported) | | |
| overSsl | string | true | - | SSL protocol connection | YES | |
| pAttackPhase | string | true | - | The category of the primary attack phase | | |
| pcapUUID | string | true | - | The PCAP file UUID | | |
| pComp | string | true | - | The component that made the detection | | |
| peerEndpointGUID | string | true | - | The endpoint GUID of the agent peer host | | |
| peerGroup | string | true | - | The peer IP group | | |
| peerHost | string | true | DomainName | The hostname of peerIp | | |
| peerIp | dynamic | true | | The IP of peerHost | 10.10.10.10 | |
| pname | string | true | - | The internal product ID | | |
| pname | string | true | - | The product name | | |
| potentialRisk | string | true | - | The tag indicating whether the event is a potential risk according to heuristics | | |
| pver | string | true | - | The product version | | |
| rating | string | true | - | The credibility level | | |
| rawDataStr | string | false | - | The JSON string that contains additional information | | |
| rawDataStr | string | false | - | The raw data string that contains additional information | `[{ "oid": "1.2.3.4", "value_type": 4, "value": "MANUFACTURER:SAMPLE\nMODEL:SAMPLE C1234", "parse": 1}]` | |
| rawDstIp | string | true | | The destination IP without replacement | 10.10.10.10 | |
| rawDstPort | int | true | Port | The destination port number without replacement | 33186 | |
| rawSrcIp | string | true | | The source IP without replacement | 10.10.10.10 | |
| rawSrcPort | int | true | Port | The source port number without replacement | 80 | |
| remarks | string | true | - | The additional information | | |
| reportGUID | string | true | - | The GUID for Workbench to request report page data | | |
| reqAppVersion | string | true | - | The client application version number | SSH-2.0-OPENSSH_9.0 | |
| reqDataSize | string | true | - | The data volume transmitted over the transport layer by the client (in bytes) | 15688 | |
| reqScannedBytes | string | true | - | The data volume transmitted by the client (in bytes) | 4655 | |
| request | string | true | URL | The notable URLs | | |
| request | string | true | URL | The destination URL that the user is accessing | | |
| requestClientApplication | string | true | - | The protocol user agent information | | |
| requestClientApplication | string | true | - | The HTTP user agent | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 | |
| requestDate | string | true | - | The HTTP Date header | Fri, 20 Oct 2017 06:02:09 GMT | |
| requestHeaders | string | true | - | All HTTP headers without sensitive information | `Host: 10.10.10.10:8080 User-Agent: curl/7.78.0 Accept: */*` | |
| requestMethod | string | true | - | The network protocol request method | POST | |
| requestMimeType | string | true | - | The type of the request content | application/json; charset=utf-8 | |
| requests | dynamic | true | URL | The URLs of the request | www.google.com.tw | |
| resolvedUrlGroup | string | true | - | The IP address FQDN network group | | |
| resolvedUrlIp | string | true | | The IP address of the FQDN | 10.10.10.10 | |
| resolvedUrlPort | int | true | Port | The HTTP server port | 443 | |
| respAppVersion | string | true | - | The server application version number | SSH-2.0-OPENSSH_8.7 | |
| respArchFiles | dynamic | true | - | The file information extracted from files detected in the response direction | None | |
| respCode | string | true | - | The network protocol response code | | |
| respDataSize | string | true | - | The data volume transmitted over the transport layer by the server (in bytes) | 7856 | |
| respDate | string | true | - | The HTTP response Date header | Fri, 20 Oct 2017 06:02:09 GMT | |
| respFileHash | string | true | FileSHA1 | The SHA-1 of the file detected in the response direction | f17d9c55dea88f9aec8f74363f01e918cffb4142 | |
| respFileHashSha256 | string | true | FileSHA2 | The SHA-256 of the file detected in the response direction | 5ad4396d67f0c9d54572f051e28e9e62f4010c269a953d25259b17ad5fab4fd5 | |
| respFileType | string | true | - | The file type detected in the response direction | PKZIP | |
| respHeaders | string | true | - | All HTTP response headers without sensitive information | `Accept-Ranges: bytes Content-Length: 68 Content-Type: - text/plain; charset=utf-8 Last-Modified: Thu, 19 Aug 2021 06:23:54 GMT Date: Thu, 19 Aug 2021 06:24:00 GMT` | |
| respMethod | string | true | - | The response method | | |
| respScannedBytes | string | true | - | The data volume transmitted by the server (in bytes) | 6654 | |
| riskLevel | string | true | - | The risk level | | |
| rozRating | string | true | - | The VA overall rating | | |
| rt | string | false | - | The Unix time of the log generation | 1656324260000 | |
| rtDate | string | true | - | The date of the log generation | 1655337600000 | |
| rtHour | int | false | - | The hour of the log generation | | |
| rtWeekDay | string | true | - | The weekday of the log generation | | |
| ruleId | int | true | - | The rule ID | | |
| ruleName | string | true | - | The name of the rule that triggered the event | | |
| sAttackPhase | string | true | - | The category of the secondary attack phase | | |
| scanTs | string | true | - | The mail scan time | - | |
| score | int | false | - | The Web Reputation Services URL rating | | |
| senderGUID | string | true | - | The sender GUID | | |
| senderIp | dynamic | true | - | The sender IP | 10.10.10.10 | |
| serverGroup | string | true | - | The server IP network group | | |
| serverIp | string | true | | The server IP address | 10.10.10.10 | |
| serverMAC | string | true | - | The server MAC address | 00-00-00-ff-ff-ff | |
| serverPort | int | true | Port | The server port number | 443 | |
| serverTls | string | true | - | The TLS version between the client and server | TLS 1.2 | |
| sessionEnd | string | true | - | The session end time (in seconds) | 1575462989 | |
| sessionEndReason | string | true | - | The reason the session was terminated | | |
| sessionStart | string | true | - | The session start time (in seconds) | 1575462989 | |
| severity | int | true | - | The severity of the event | | |
| shost | string | true | DomainName | The source hostname | | |
| smac | string | true | - | The source MAC address | | |
| sOSName | string | true | - | The source OS | | |
| spt | int | true | Port | The source port | | |
| src | dynamic | true | | The source IP | 10.10.10.10 | |
| srcGroup | string | true | - | The group name defined by the source administrator | | |
| srcZone | string | true | - | The network zone defined by the source administrator | | |
| sshHassh | string | true | - | The SSH client application fingerprint | | |
| sshHassh | string | true | - | The SSH HASSH | 45e3942372f42899a63e9080ef25b0ae | |
| sshHasshServer | string | true | - | The SSH server application fingerprint | | |
| sshHasshServer | string | true | - | The SSH HASSH server fingerprint | 4ceb58cad0f415b8fb16de236fa70ec5 | |
| sslCertCommonName | string | true | | The subject common name | settings-win.data.microsoft.com | |
| sslCertCommonName | string | true | | The certificate common name | `*.www.sample.com` | |
| sslCertFingerprint | string | true | - | The certificate fingerprint | 3914af80223c833f26df001cbf342eff8a31aba1 | |
| sslCertIssuer | string | true | - | The issuer of the certificate | /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA | |
| sslCertIssuerCommonName | string | true | - | The issuer common name | Microsoft Azure TLS Issuing CA 05 | |
| sslCertIssuerOrgName | string | true | - | The issuer organization name | Microsoft Corporation | |
| sslCertOrgName | string | true | - | The subject organization name | Microsoft | |
| sslCertSANs | dynamic | true | - | The Subject Alternative Names of the certificate | | |
| sslCertSerialNumber | string | true | - | The certificate serial number | 0888b1ad2a593310593f47565a5a5a4a | |
| sslCertValidFrom | string | true | - | The certificate validity start time | 2014-11-21T02:43:28 | |
| sslCertValidUntil | string | true | - | The certificate validity end time | 2018-11-21T02:43:28 | |
| status | string | true | - | The network analysis flow session status | 2 | |
| suid | string | true | UserAccount | The user name or mailbox | | |
| suid | string | true | UserAccount | The user name or IP address (IPv4) | | |
| suser | dynamic | true | EmailSender | The email sender | sample_email@trendmicro.com | |
| suser | string | true | EmailSender | The email sender | sample_email@trendmicro.com | |
| sUser1 | string | true | UserAccount | The latest sign-in user of the source | | |
| tacticId | dynamic | true | Tactic | The list of MITRE tactic IDs | | |
| tags | dynamic | true | | The detected technique ID based on the alert filter | | |
| targetShare | string | true | FileFullPath | For the HTTPS protocol: the subject state or province name; for the SMB protocol: the shared folder | | |
| techniqueId | dynamic | true | Technique | The technique ID detected by the product agent based on a detection rule | - | |
| threatName | string | true | - | The threat name | | |
| threatNames | dynamic | true | - | The associated threats | | |
| threatType | string | true | - | The log threat type | | |
| tlsJA3Fingerprint | string | true | - | The JA3 fingerprint | - | |
| tlsJA3SFingerprint | string | true | - | The raw JA3S | 771,157,65281-15 | |
| tlsSelectedCipher | string | true | - | The selected cipher of the TLS protocol | c02f | |
| urlCat | dynamic | true | - | The requested URL category | | |
| userDomain | string | true | | The Active Directory domain (the domain of the user name used to log in to the TMAS admin portal) | trendmicro.com | |
| vLANId | int | false | - | The virtual LAN ID | - | |
| vLANId | int | true | - | The virtual LAN ID | 4095 | |
|
Generated by XDR Common Schema Public Doc Generator V2