| act |
dynamic |
true |
- |
The actions taken to mitigate the event |
- log
- isolate
- terminate
- not blocked
- Block
- No action
- Reset
- Pass
- User Decision
|
- Trend Vision One Container Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Cloud App Security
- TippingPoint Security Management System
- Endpoint Sensor
- Trend Micro Web Security
- Trend Micro Email Security
- Trend Micro Deep Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
- TXOne EdgeOne
- Zero Trust Secure Access - Private Access
- Email Sensor
- Trend Vision One Mobile Security
- Mobile Network Security
- Agentless Vulnerability & Threat Detection
|
| aggregatedCount |
string |
true |
- |
The number of aggregated events |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- TippingPoint Security Management System
- Trend Micro Web Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
- TXOne StellarOne
- Data Detection and Response
- Trend Cloud One - Endpoint & Workload Security
|
| app |
string |
true |
- |
The network protocol |
HTTP |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| appGroup |
string |
true |
- |
The app category of the event |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| aptCampaigns |
dynamic |
true |
- |
The related APT campaigns |
- POSSIBLE LSTUDIO
- WEB LURKER
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| aptRelated |
string |
true |
- |
Whether the event is related to an APT |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| archFiles |
dynamic |
true |
- |
The file information extracted from detected files |
None |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| attachmentFileHash |
string |
true |
FileSHA1 |
The SHA-1 of the email attachment |
- C9877617DB6715792F9D5C959C1E8D4E56D0C281
- 0340A8EE3AD2990E3EDCDB2E471EAA45B4286722
- 0E56D9540B07ED15EF745348D35C72A6A00A0BD9
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Email Sensor
|
| attachmentFileHashSha256 |
string |
true |
FileSHA2 |
The SHA-256 of the attached file (attachmentFileName) |
- D81D4C14DDEB8CA390FFADA69265AAD46CDEDD72CDD332CB8AA17D924626B397
- 01DE1FC697D2D0850F0468474A3E1E0BF4D78B23F0633908CF82E504E0DCBFF9
- 02D16D9970AB635A7B05C3A268E23F5B41C419DD022F1054E9FD912BE130BDB0
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Email Security
|
| attachmentFileName |
dynamic |
true |
FileName |
The file name of an attachment |
- Mail Body
- image001.png
- image002.png
|
- Trend Micro Cloud App Security
- Trend Micro Email Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Email Sensor
|
| attachmentFileSize |
string |
true |
- |
The file size of the email attachment |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Email Sensor
|
| attachmentFileType |
string |
true |
- |
The file type of the email attachment |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| botCmd |
string |
true |
CLICommand |
The bot command |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| botUrl |
string |
true |
URL |
The bot URL |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| cccaDestination |
string |
true |
URL |
The destination domain, IP, URL, or recipient |
- 10.10.10.10:443
- www.example.dns04.com
- example.ru
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| cccaDestinationFormat |
string |
true |
- |
The C&C server access format |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| cccaDetection |
string |
true |
- |
Whether this log is identified as a C&C callback address detection |
Yes |
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| cccaDetectionSource |
string |
true |
- |
The list that defines this CCCA detection rule |
- CCCA_GLOBAL_LIST (0)
- GLOBAL_INTELLIGENCE
- USER_DEFINED
|
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| cccaRiskLevel |
int |
true |
- |
The severity level of the threat actors associated with the C&C servers |
|
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| clientFlag |
string |
true |
- |
Whether the client is a source or destination |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| clientGroup |
string |
true |
- |
The client IP network group |
|
- Network Sensor
- Trend Micro Deep Discovery Inspector
|
| clientIp |
string |
true |
|
The endpoint IP address |
10.10.10.10 |
- Zero Trust Secure Access - Internet Access
- Zero Trust Secure Access - Private Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| clientMAC |
string |
true |
- |
The client MAC address |
00-00-00-ff-ff-ff |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| clientPort |
int |
true |
Port |
The client port number |
5566 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| cnt |
string |
true |
- |
The total number of logs |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- TXOne EdgeOne
- Mobile Network Security
|
| compressedFileHash |
string |
true |
FileSHA1 |
The SHA-1 of the decompressed archive |
- 6E2ECB34B7798E179CC704111FB9733FBAAD5ACA
- FA71B59F35F0EE44D27F74917EF5A0DA2797E80B
- 14D2302172EB81465CE12E01361AE24CDE170F7B
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- File Security
- File Security Storage
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Agentless Vulnerability & Threat Detection
|
| compressedFileHashSha256 |
string |
true |
FileSHA2 |
The SHA-256 of the compressed suspicious file |
- 60C7C5924DD09F7C6B150120FB92DCEE00AE82DB75C7402FA4D9152CF487A94F
- 482FFC4F87B78C3C7073983CF65B593D9F13F0A3D6DC54B4A3F616F79838F3CE
- 68C0126D9B4B0FC32DE181D0D67DA8FE82E23745F6023317D5E053B6F6ED26CF
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- File Security
- File Security Storage
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Agentless Vulnerability & Threat Detection
|
| compressedFileName |
string |
true |
FileName |
The file name of the compressed file |
- /proc/32058/fd/150
- NONAMEFL
- /proc/10006/fd/30
- VirusActionSample/RPF2_OtherMalwareSample-other.exe
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- File Security
- File Security Storage
- Trend Cloud One - Endpoint & Workload Security
- Agentless Vulnerability & Threat Detection
- Trend Vision One Container Security
|
| compressedFileSize |
string |
true |
- |
The file size of the decompressed archive file |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- File Security
- File Security Storage
|
| compressedFileType |
string |
true |
- |
The file type of the decompressed archive file |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
|
| correlationCat |
string |
true |
- |
The correlation category |
- Suspicious Traffic
- Authentication
- Reconnaissance
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| cve |
string |
true |
- |
The CVE identifier |
- MS17-010
- CVE-2021-45046
- CVE-2021-44228
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| cves |
dynamic |
true |
- |
The CVEs associated with this filter |
- CVE-2014-3567
- CVE-2016-6304
- CVE-2011-1385
|
- TippingPoint Security Management System
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| data0 |
string |
true |
- |
The value of the DDI Correlation log |
- 1
- USR_SUSPICIOUS_IP.UMXX
- USR_SUSPICIOUS_URL.UMXX
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| data0Name |
string |
true |
- |
The name of the DDI Correlation log |
- Malware Name
- Attacked this IP
- IP Address under Attack
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| data1 |
string |
true |
- |
The Deep Discovery Inspector correlation log metadata |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| data1Name |
string |
true |
- |
The name of the DDI Correlation log |
- Port Used
- Malicious File Transferred To This IP Address
- Malware Server IP Address
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| data2 |
string |
true |
- |
The value of the DDI Correlation log |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| data2Name |
string |
true |
- |
The name of the DDI Correlation log |
- Number of Malware Files Downloaded
- Protocol
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| data3 |
string |
true |
- |
The value of the DDI Correlation log |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| data4 |
string |
true |
- |
The value of the DDI Correlation log |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| dceHash1 |
string |
true |
- |
Required by the Trend Micro Threat Mitigation Server, which is now EOL (end of life). |
0 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| dceHash2 |
string |
true |
- |
Required by the Trend Micro Threat Mitigation Server, which is now EOL (end of life). |
0 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| denyListFileHash |
string |
true |
FileSHA1 |
The SHA-1 of the Virtual Analyzer Suspicious Object |
- 746C4D6048A409F33446463B28CA21CB2C5DD941
- DAA66CE3C1F08144885BB0E99837030C5231DE60
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| denyListFileHashSha256 |
string |
true |
- |
The SHA-256 of User-Defined Suspicious Object |
757E5C8823CAA7406030A7E26AED2A2C95D16F69C5A14C884C8CAA72A0C001C3 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| denyListHost |
string |
true |
DomainName |
The domain of the Virtual Analyzer Suspicious Object |
- www.example.dns01.com
- example.com
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| denyListIp |
dynamic |
true |
|
The IP of the Virtual Analyzer Suspicious Object |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| denyListRequest |
string |
true |
- |
The block list event request |
- *
- test.url.com
- https://example.com:443/gfx/flags/ua.png
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| denyListType |
string |
true |
- |
The block list type |
- Deny List URL
- Deny List File SHA1
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| detectionType |
string |
true |
- |
The detection type |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Web Security
- Trend Micro Apex One as a Service
- Trend Micro Cloud App Security
- Trend Micro Deep Security
- Trend Micro Email Security
- Zero Trust Secure Access - Internet Access
- Trend Vision One Mobile Security
- Zero Trust Secure Access - Private Access
- Trend Vision One Container Security
|
| deviceDirection |
string |
true |
- |
The device direction. If the source IP is in the internal network (the network monitored by Deep Discovery Inspector), the event is tagged as outbound; all other cases are tagged as inbound. Internal-to-internal traffic is also tagged as outbound. |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
|
| deviceGUID |
string |
true |
- |
The GUID of the agent that reported the detection |
- 00000000-0000-0000-0000-000000000000
- 11111111-1111-1111-1111-111111111111
- 22222222-2222-2222-2222-222222222222
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- TippingPoint Security Management System
- Endpoint Sensor
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
|
| deviceGUID |
string |
true |
- |
The non-endpoint object such as a network appliance |
11111111-1111-1111-1111-111111111111 |
- Zero Trust Secure Access - Internet Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| deviceMacAddress |
string |
true |
- |
The device MAC address |
- 00:00:00:00:00:00
- ff:ff:ff:ff:ff:ff
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| devicePayloadId |
string |
true |
- |
The device payload ID |
- 0:14343219::F:S
- 0:94174860::F:
- 0:9665982::F:
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| deviceRiskConfidenceLevel |
int |
false |
- |
The confidence level of device risk |
- |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| dhost |
string |
true |
DomainName |
The destination hostname |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Mobile Network Security
|
| direction |
string |
true |
- |
The object transfer direction |
Download |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| dmac |
string |
true |
- |
The MAC address of the destination IP (dest_ip) |
- 00:00:00:00:00:00
- ff:ff:ff:ff:ff:ff
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- TXOne EdgeOne
|
| dnsQueryType |
string |
true |
- |
The record type requested by the DNS protocol |
A |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| domainName |
string |
true |
DomainName |
The detected domain name |
- http://10.10.10.10
- example.domain.com
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Cloud App Security
|
| dOSName |
string |
true |
- |
The destination host OS |
- Windows
- Windows 10
- Android
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Mobile Network Security
|
| dpt |
int |
true |
Port |
The destination port |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- TippingPoint Security Management System
- Trend Micro Deep Security
- Trend Cloud One - Network Security
- Endpoint Sensor
- TXOne EdgeOne
- Zero Trust Secure Access - Private Access
- Trend Vision One Container Security
- Mobile Network Security
|
| dst |
dynamic |
true |
|
The destination IP |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- TippingPoint Security Management System
- Trend Micro Deep Security
- Trend Cloud One - Network Security
- Endpoint Sensor
- Zero Trust Secure Access - Internet Access
- TXOne EdgeOne
- Zero Trust Secure Access - Private Access
- Trend Vision One Container Security
- Mobile Network Security
|
| dstGroup |
string |
true |
- |
The group name defined by the administrator of the destination |
- Default
- Data Center Services DL_Deployed Block
- Rede Wifi Visitantes-Pacientes
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Mobile Network Security
|
| dstZone |
string |
true |
- |
The network zone defined by the destination administrator |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| duser |
dynamic |
true |
EmailRecipient |
The email recipient |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- Trend Micro Email Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Email Sensor
|
| duser |
dynamic |
true |
EmailRecipient |
The email recipient |
sample_email@trendmicro.com |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| dUser1 |
string |
true |
UserAccount |
The latest sign-in user of the destination |
user\example |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| dvc |
dynamic |
true |
- |
The IP address of the Deep Discovery Inspector appliance |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| dvc |
dynamic |
true |
- |
The IP address of the Deep Discovery Inspector or Virtual Network Sensor appliance |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| dvchost |
string |
true |
- |
The computer on which the Trend Micro product is installed |
- CU-PRO1-9039-2
- LTPF32PMNN
|
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| dvchost |
string |
true |
- |
The network device hostname |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| eventClass |
string |
true |
- |
The event category |
- Suspicious Traffic
- Authentication
- Reconnaissance
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| eventId |
string |
true |
- |
The event ID from the logs of each product |
- 100100
- 100101
- 100116
- 100117
- 100119
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- Endpoint Sensor
- Trend Micro Email Security
- TXOne StellarOne
- Trend Vision One Container Security
- Email Sensor
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
- Trend Vision One Mobile Security
- Mobile Network Security
- Data Detection and Response
|
| eventId |
string |
true |
- |
The event ID |
|
- Network Sensor
- Trend Micro Deep Discovery Inspector
- XDR for Cloud - AWS VPC Flow Logs
- azv
|
| eventName |
string |
true |
- |
The event type |
- LOG_INSPECTION_EVENT
- SECURITY_RISK_DETECTION
- WEB_THREAT_DETECTION
- LOG_INSPECTION_EVENT
- MALWARE_DETECTION
- PROCESS_ACTIVITY
- WEB_POLICY_VIOLATION
- DEEP_PACKET_INSPECTION_EVENT
- INTEGRITY_MONITORING_EVENT
- DISRUPTIVE_APPLICATION_DETECTION
- PRODUCT_SUMMARY
- PRODUCT_UPDATE
- BEHAVIORAL_VIOLATION
- FIREWALL_POLICY_VIOLATION
- SUSPICIOUS_BEHAVIOUR_DETECTION
- DENYLIST_CHANGE
- MACHINE_LEARNING_DETECTION
- DLP_VIOLATION
- MALWARE_OUTBREAK_DETECTION
- SENSITIVE_DATA_DETECTION
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- TippingPoint Security Management System
- Trend Micro Cloud App Security
- Trend Micro Email Security
- Endpoint Sensor
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
- TXOne EdgeOne
- Zero Trust Secure Access - Private Access
- TXOne StellarOne
- Email Sensor
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
- Trend Vision One Mobile Security
- Mobile Network Security
- Data Detection and Response
|
| eventName |
string |
true |
- |
The name of the log event |
- SWG_ACTIVITY_LOG
- FIREWALL_ACTIVITY_LOG
- VPC_ACTIVITY_LOG
|
- Zero Trust Secure Access - Internet Access
- Zero Trust Secure Access - Private Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
- XDR for Cloud - AWS VPC Flow Logs
- azv
|
| eventSubClass |
string |
true |
- |
The category of sub-event class |
- DNS
- Port Mis-use
- Port Scanning
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| eventTime |
real |
true |
- |
The time the agent or product detected the event |
1657135700000 |
- Zero Trust Secure Access - Internet Access
- Zero Trust Secure Access - Private Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
- XDR for Cloud - AWS VPC Flow Logs
- azv
|
| fileExt |
string |
true |
- |
The file extension of the suspicious file |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| fileHash |
string |
true |
FileSHA1 |
The SHA-1 of the file that triggered the rule or policy |
- DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
- 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F
- 3AD1F4E7CAA11E5199EE80B8983677ADDD065450
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- Zero Trust Secure Access - Internet Access
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
- Data Detection and Response
|
| fileHash |
string |
true |
FileSHA1 |
The SHA-1 of the file that violated the policy |
1e15bf99022a9164708cebb3eace8fd61ad45cba |
- Zero Trust Secure Access - Internet Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| fileHashSha256 |
string |
true |
FileSHA2 |
The SHA-256 of the file (fileName) |
- 6A6EB2D717CEA041B4444193B45EDFB6CA1287518203B7230B3C4B8FFB031EAB
- BFF703FF836196644586014DA13A097C2EE9A08E4D596DFB7C8E0F685FE01294
- 12327F460AC9CBBC34D39EB3CF89C7FECCA37F08773A04566840F73F6ECC4104
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Zero Trust Secure Access - Internet Access
- Trend Cloud One - Endpoint & Workload Security
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
- Trend Vision One Container Security
|
| fileHashSha256 |
string |
true |
FileSHA2 |
The SHA-256 of the file that violated the policy |
ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93 |
- Zero Trust Secure Access - Internet Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| fileName |
dynamic |
true |
FileName |
The file name |
- spoolss
- hosts
- svcrestarttask
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Zero Trust Secure Access - Internet Access
- TXOne StellarOne
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
|
| fileName |
string |
true |
|
The name of the file that violated the policy |
word.doc |
- Zero Trust Secure Access - Internet Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| filePath |
string |
true |
FileFullPath |
The file path without the file name |
- security
- /var/log/audit/audit.log
- application
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
- TXOne StellarOne
- File Security
- File Security Storage
|
| filePathName |
string |
true |
FileFullPath |
The file path with the file name |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- TXOne StellarOne
|
| fileSize |
string |
true |
- |
The file size of the suspicious file |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Zero Trust Secure Access - Internet Access
- Trend Micro Apex One as a Service
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
|
| fileSize |
string |
true |
- |
The size of the file that violated the policy |
12134 |
- Zero Trust Secure Access - Internet Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| fileType |
string |
true |
- |
The file type of the suspicious file |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Zero Trust Secure Access - Internet Access
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
- Trend Vision One Container Security
|
| fileType |
string |
true |
- |
The type of the file that violated the policy |
Microsoft Words |
- Zero Trust Secure Access - Internet Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| filterRiskLevel |
string |
true |
- |
The top-level filter risk of the event |
|
- ALL
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| firmalware |
dynamic |
true |
- |
The firmware version of Deep Discovery Inspector |
- 2017-12-01 15:05:07-05:00 3.83.1170 5.0.1555
- 2020-11-13 18:04:29-05:00 5.0.1555 5.5.1200
- 2020-11-13 18:43:30-05:00 5.5.1200 5.7.1178
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| flowId |
string |
true |
- |
The network analysis flow ID |
6837014561409730558 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| ftpTrans |
dynamic |
true |
- |
The transaction information of the FTP protocol |
None |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| fullPath |
string |
true |
FileFullPath |
The combination of the file path and the file name |
- \etc\hosts
- c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask
- \var\log\auth.log
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- TXOne StellarOne
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
- Trend Vision One Container Security
|
| hasdtasres |
string |
true |
- |
Whether the log contains a report from Virtual Analyzer |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| heurFlag |
int |
false |
- |
Whether the event has an Advanced Threat Scan Engine detection |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| hostName |
string |
true |
|
The computer name of the client host (the hostname from the suspicious URL detected by Deep Discovery Inspector) |
- Let's Encrypt
- 10.10.10.10
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- TXOne EdgeOne
|
| hostName |
string |
true |
|
The host name |
NJ-EFFY-ZHAO1 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| hostSeverity |
int |
true |
- |
The severity of the threat (specific to the interestedIp) |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| hotFix |
dynamic |
true |
- |
The applied Deep Discovery Inspector hotfix version |
- 2021-07-22 15:08:01+08:00 Hotfix 1042 hfb1042 Apply
- 2021-12-22 09:03:42-06:00 Hotfix 1211 hfb1211 Apply
- 2022-03-30 13:16:28-07:00 Hotfix 1218 hfb1218 Apply
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| httpLocation |
string |
true |
URL |
The HTTP location header |
www.google.com.tw |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| httpReferer |
string |
true |
URL |
The HTTP Referer header |
- http://172.16.58.233/
- http://example/page1/
- https://www.google.com/
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
| httpReferer |
string |
true |
URL |
The HTTP Referer header |
www.google.com.tw |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| httpXForwardedFor |
string |
true |
- |
The HTTP X-Forwarded-For header |
10.10.10.10, 10.10.10.11, 10.10.10.12 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| httpXForwardedForGroup |
string |
true |
- |
The X-Forwarded-For IP network group |
|
- Network Sensor
- Trend Micro Deep Discovery Inspector
|
| httpXForwardedForIp |
string |
true |
|
The X-Forwarded-For IP used by the network appliance |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| httpXForwardedForPort |
int |
false |
- |
The patched HTTP server port when the network appliance selects an X-Forwarded-For IP address to use |
65535 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| interestedGroup |
string |
true |
- |
The network group associated with the user-defined source IP or destination IP |
- Default
- Rede DATACENTER Lumen/FORTIGATE - AD ESTACIO CORP
- Data Center Services DL_Deployed Block
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| interestedHost |
string |
true |
DomainName |
The endpoint hostname (For example, if an intranet host accesses a suspicious internet host, the intranet host is the "peerHost" and the internet host is the "interestedHost") |
- 10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0]
- es-dtc-w-dc02.example.corp
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
|
| interestedIp |
dynamic |
true |
|
The IP of the interestedHost |
10.10.10.10 |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- TippingPoint Security Management System
- Trend Cloud One - Network Security
- TXOne EdgeOne
|
| interestedMacAddress |
string |
true |
- |
The MAC address identified as the log owner's |
- 00:00:00:00:00:00
- ff:ff:ff:ff:ff:ff
|
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
- TXOne EdgeOne
|
| ircChannelName |
string |
true |
- |
The IRC channel name |
- ManageEngine
- unknown
- Global Product Delivery Group
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| ircUserName |
string |
true |
- |
The IRC user name |
- R3
- ManageEngineCA
- DigiCert TLS RSA SHA256 2020 CA1
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| isHidden |
string |
true |
- |
Whether the detection log generated a grey rule match |
Yes |
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
|
| ja3Hash |
string |
true |
- |
The fingerprint of an SSL/TLS client application as detected via a network sensor or device |
- 72a589da586844d7f0818ce684948eea
- cd08e31494f9531f560d64c695473da9
- 6dca00d8741247e245e4f2a632f1e62b
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| ja3Hash |
string |
true |
- |
The JA3 hash |
478e74fad764c966f19c5232c7cdfc5a |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| ja3sHash |
string |
true |
- |
The fingerprint of an SSL/TLS server application as detected via a network sensor or device |
- e54965894d6b45ecb4323c7ea3d6c115
- ec74a5c51106f0419184d0dd08fb05bc
- ba1b42efc7dc57bb43bf81de59791c1b
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| ja3sHash |
string |
true |
- |
The JA3S hash |
6d37fb1b3306d6e9f875650d8eb74b4f |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| logKey |
string |
true |
- |
The unique key of the event |
- 123e4567-e89b-12d3-a456-426614174000
- 987f6543-21ba-43cd-9e8f-123456789abc
- 456789ab-cdef-1234-5678-9abcdef01234
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- Trend Micro Email Security
- TippingPoint Security Management System
- Endpoint Sensor
- Trend Micro Web Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
|
| mailMsgSubject |
string |
true |
EmailSubject |
The email subject |
- FW. mail subject
- ManageEngine
|
- Trend Micro Cloud App Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Email Security
- Trend Micro Apex One as a Service
- Email Sensor
|
| mailMsgSubject |
string |
true |
EmailSubject |
The email subject |
test |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| malFamily |
string |
true |
- |
The threat family |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- File Security
|
| malName |
string |
true |
- |
The name of the detected malware |
- SecurityLevelDrop
- Regla Logs All
- USR_SUSPICIOUS_DOMAIN.UMXX
|
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Web Security
- TXOne StellarOne
- Email Sensor
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
- Trend Vision One Container Security
|
| malType |
string |
true |
- |
The risk type for Network Content Correlation Engine rules |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- File Security
- Trend Vision One Container Security
|
| malTypeGroup |
string |
true |
- |
The risk type group for NCCE (Network Content Correlation Engine) rules. This field comes from NCCP (Network Content Correlation Pattern) rule type definitions. |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- File Security
|
| mimeType |
string |
true |
- |
The MIME type or content type of the response body |
text/html |
- Zero Trust Secure Access - Internet Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| mitigationTaskId |
string |
true |
- |
The unique ID to identify the mitigation request |
- 09dcd06f-2f9c-4bab-8114-f823620fecb6
- 0ed72c3c-05af-4c16-b2c4-789eaeccb944
- 0f29cfc3-954a-4fd9-954e-bf14f7253d20
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| mitreMapping |
dynamic |
true |
- |
The MITRE tags |
- T1090 (TA0011)
- T1071 (TA0011)
- T1071.001 (TA0011)
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| mitreVersion |
string |
true |
- |
The MITRE version |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
|
| msgId |
string |
true |
EmailMessageID |
The internet message ID |
- 66.6.00.0006
- example.test.com
- dameware1svr
|
- Trend Micro Cloud App Security
- Trend Micro Email Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Email Sensor
|
| msgId |
string |
true |
EmailMessageID |
The service provider message ID |
<sample_email@trendmicro.com> |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| objectIps |
dynamic |
true |
|
The IP address resolved by the DNS protocol |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| overSsl |
string |
true |
- |
Whether the event was triggered by an SSL decryption stream (Displayed only when SSL Inspection is supported) |
- Not over SSL/TLS
- 0
- Over SSL/TLS
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- TippingPoint Security Management System
- Trend Cloud One - Network Security
|
| overSsl |
string |
true |
- |
SSL protocol connection |
YES |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| pAttackPhase |
string |
true |
- |
The category of the primary Attack Phase |
- Lateral Movement
- Point of Entry
- Asset and Data Discovery
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| pcapUUID |
string |
true |
- |
The PCAP file UUID |
- 00000000-0000-0000-0000-000000000000
- 11111111-1111-1111-1111-111111111111
- 22222222-2222-2222-2222-222222222222
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| pComp |
string |
true |
- |
The component that made the detection |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
|
| peerEndpointGUID |
string |
true |
- |
The endpoint GUID of the agent peer host |
- 00000000-0000-0000-0000-000000000000
- 11111111-1111-1111-1111-111111111111
- 22222222-2222-2222-2222-222222222222
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Cloud One - Network Security
- TippingPoint Security Management System
|
| peerGroup |
string |
true |
- |
The peer IP group |
- Default
- Rede DATACENTER Lumen/PALOALTO VPNSSL - VPN CLIENT
- UHS
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| peerHost |
string |
true |
DomainName |
The hostname of peerIp |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| peerIp |
dynamic |
true |
|
The IP of peerHost |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
|
| pname |
string |
true |
- |
The internal product ID |
- Trend Micro Deep Security
- Deep Discovery Inspector
- Apex One
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- Trend Micro Email Security
- TippingPoint Security Management System
- Endpoint Sensor
- Trend Micro Web Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
- Trend Vision One Mobile Security
- Trend Vision One Container Security
- Email Sensor
|
| pname |
string |
true |
- |
The product name |
- Secure Web Gateway
- XDR for Cloud - AWS VPC Flow Logs
|
- Zero Trust Secure Access - Internet Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
- XDR for Cloud - AWS VPC Flow Logs
- azv
|
| potentialRisk |
string |
true |
- |
The tag indicating whether the event is a potential risk according to heuristics |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| pver |
string |
true |
- |
The product version |
- 20.0.0.4726
- 20.0.0.4416
- 6.2.1125
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- TippingPoint Security Management System
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
- Trend Vision One Mobile Security
- Trend Vision One Container Security
- File Security
- File Security Storage
- Agentless Vulnerability & Threat Detection
|
| rating |
string |
true |
- |
The credibility level |
|
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| rawDataStr |
string |
false |
- |
The JSON string that contains additional information |
- {"TLS version": "0x0303", "Cipher Suite": "0xc030"}
- {"Scanned ports": "23, 80, 443"}
- {"HTTP Content-Type": "application/hal+json", "HTTP Content-Body": "{\\"_links\\": {\\"type\\": {\\"href\\": \\"http://10.10.10.10/rest/type/node/INVALID_VALUE\\"}}, \\"type\\": {\\"target_id\\": \\"article\\"}, \\"title\\": {\\"value\\": \\"My Article\\"}, \\"body\\": {\\"value\\": \\"\\"}}"}
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Vision One Container Security
|
| rawDataStr |
string |
false |
- |
The raw data string that contains additional information |
[{ "oid": "1.2.3.4", "value_type": 4, "value": "MANUFACTURER:SAMPLE\nMODEL:SAMPLE C1234", "parse": 1}] |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| rawDstIp |
string |
true |
|
The destination IP without replacement |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| rawDstPort |
int |
true |
Port |
The destination port number without replacement |
33186 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| rawSrcIp |
string |
true |
|
The source IP without replacement |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| rawSrcPort |
int |
true |
Port |
The source port number without replacement |
80 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| remarks |
string |
true |
- |
The additional information |
- warning: fork: Resource temporarily unavailable
- pam_unix(cron:session): session opened for user root by (uid=0)
- WinEvtLog: Application: AUDIT_FAILURE(18470): MSSQL$SA: (no user): no domain: EXAMPLE.com: Login failed for user 'example_user'. Reason: The account is disabled. [CLIENT: 10.10.10.10]
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- Trend Micro Apex One as a Service
- Trend Micro Email Security
- Trend Cloud One - Network Security
- TXOne EdgeOne
- Email Sensor
- File Security
- Agentless Vulnerability & Threat Detection
- Zero Trust Secure Access - Internet Access
|
| reportGUID |
string |
true |
- |
The GUID for Workbench to request report page data |
- 00000000-0000-0000-0000-000000000000
- 11111111-1111-1111-1111-111111111111
- 22222222-2222-2222-2222-222222222222
|
- Trend Micro Cloud App Security
- File Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| reqAppVersion |
string |
true |
- |
The client application version number |
SSH-2.0-OPENSSH_9.0 |
- Network Sensor
- Trend Micro Deep Discovery Inspector
|
| reqDataSize |
string |
true |
- |
The data volume transmitted over the transport layer by the client (in bytes) |
15688 |
- Network Sensor
- Trend Micro Deep Discovery Inspector
|
| reqScannedBytes |
string |
true |
- |
The data volume transmitted by the client (in bytes) |
4655 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| request |
string |
true |
URL |
The notable URLs |
- http://example.page.com/canonical.html
- http://10.10.10.10
- https://drive.google.com/
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- TippingPoint Security Management System
- Trend Cloud One - Endpoint & Workload Security
- Zero Trust Secure Access - Internet Access
- Trend Micro Cloud App Security
- Trend Cloud One - Network Security
- Trend Micro Email Security
- Trend Micro Deep Security
- Trend Vision One Mobile Security
- Zero Trust Secure Access - Private Access
|
| request |
string |
true |
URL |
The destination URL that the user is accessing |
- https://google.com/
- https://api/example/v1/testit
|
- Zero Trust Secure Access - Internet Access
- Zero Trust Secure Access - Private Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| requestClientApplication |
string |
true |
- |
The protocol user agent information |
- Microsoft-Delivery-Optimization/10.0
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
- example Software GmbH
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
|
| requestClientApplication |
string |
true |
- |
The HTTP user agent |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| requestDate |
string |
true |
- |
The HTTP date header |
Fri, 20 Oct 2017 06:02:09 GMT |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| requestHeaders |
string |
true |
- |
All HTTP request headers without sensitive information |
Host: 10.10.10.10:8080
User-Agent: curl/7.78.0
Accept: */*
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| requestMethod |
string |
true |
- |
The network protocol request method |
POST |
- Zero Trust Secure Access - Internet Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| requestMimeType |
string |
true |
- |
The type of request content |
application/json; charset=utf-8 |
- Zero Trust Secure Access - Internet Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| requests |
dynamic |
true |
URL |
The URLs of the request |
www.google.com.tw |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| resolvedUrlGroup |
string |
true |
- |
The IP address FQDN network group |
|
- Network Sensor
- Trend Micro Deep Discovery Inspector
|
| resolvedUrlIp |
string |
true |
|
The IP address of the FQDN |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| resolvedUrlPort |
int |
true |
Port |
The HTTP server port |
443 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| respAppVersion |
string |
true |
- |
The server application version number |
SSH-2.0-OPENSSH_8.7 |
- Network Sensor
- Trend Micro Deep Discovery Inspector
|
| respArchFiles |
dynamic |
true |
- |
The file information extracted from files detected in response direction |
None |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| respCode |
string |
true |
- |
The network protocol response code |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| respDataSize |
string |
true |
- |
The data volume transmitted over the transport layer by the server (in bytes) |
7856 |
- Network Sensor
- Trend Micro Deep Discovery Inspector
|
| respDate |
string |
true |
- |
The HTTP response date header |
Fri, 20 Oct 2017 06:02:09 GMT |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| respFileHash |
string |
true |
FileSHA1 |
The SHA-1 of the file detected in the response direction |
f17d9c55dea88f9aec8f74363f01e918cffb4142 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| respFileHashSha256 |
string |
true |
FileSHA2 |
The SHA-256 of the file detected in the response direction |
5ad4396d67f0c9d54572f051e28e9e62f4010c269a953d25259b17ad5fab4fd5 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| respFileType |
string |
true |
- |
The file type detected in the response direction |
PKZIP |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| respHeaders |
string |
true |
- |
All HTTP response headers without sensitive information |
Accept-Ranges: bytes
Content-Length: 68
Content-Type: text/plain; charset=utf-8
Last-Modified: Thu, 19 Aug 2021 06:23:54 GMT
Date: Thu, 19 Aug 2021 06:24:00 GMT
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| respMethod |
string |
true |
- |
The response method |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| respScannedBytes |
string |
true |
- |
The data volume transmitted by the server (in bytes) |
6654 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| riskLevel |
string |
true |
- |
The risk level |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Cloud App Security
- Endpoint Sensor
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| rozRating |
string |
true |
- |
The VA overall rating |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| rt |
string |
false |
- |
The Unix time of the log generation |
1656324260000 |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- Trend Micro Email Security
- TippingPoint Security Management System
- Endpoint Sensor
- Trend Micro Web Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
- Zero Trust Secure Access - Private Access
- Email Sensor
|
| rtDate |
string |
true |
- |
The date of the log generation |
1655337600000 |
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
|
| rtHour |
int |
false |
- |
The hour of the log generation |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
|
| rtWeekDay |
string |
true |
- |
The weekday of the log generation |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
|
| ruleId |
int |
true |
- |
The rule ID |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- Mobile Network Security
|
| ruleName |
string |
true |
- |
The name of the rule that triggered the event |
- Directory Server - Microsoft Windows Active Directory
- Microsoft Windows Events
- Microsoft Windows Security Events - 3
- (T1234) New executable created (chmod)
- Sensitive Files Upload to Personal Cloud
- Multiple Sensitive Files Compression
- Transfer Sensitive Files to Removable Storage
- Move Multiple Sensitive Files to Central Location
- Multiple Sensitive Files Modification
- Multiple Sensitive Files Deletion
- GEN_CCFR_OVERLAY_TEST.A
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
- Trend Micro Cloud App Security
- TippingPoint Security Management System
- Endpoint Sensor
- Trend Micro Email Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Private Access
- Trend Vision One Container Security
- Email Sensor
- Mobile Network Security
- Data Detection and Response
|
| sAttackPhase |
string |
true |
- |
The category of the secondary Attack Phase |
- Lateral Movement
- Command and Control Communication
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| scanTs |
string |
true |
- |
The mail scan time |
- |
- Trend Micro Cloud App Security
- Trend Micro Email Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| score |
int |
false |
- |
The Web Reputation Services URL rating |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Cloud App Security
- Trend Vision One Mobile Security
- Trend Cloud One - Endpoint & Workload Security
|
| senderGUID |
string |
true |
- |
The sender GUID |
- 346648FC-9862-D2F0-F94C-FAB1A838ABD7
- 36E5239E-EEBA-0100-C10E-C057E0455E1D
- 9606BBD5-38A7-9024-83C8-9C88A2AF90CC
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Deep Security
|
| senderIp |
dynamic |
true |
- |
The sender IP |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Micro Email Security
|
| serverGroup |
string |
true |
- |
The server IP network group |
|
- Network Sensor
- Trend Micro Deep Discovery Inspector
|
| serverIp |
string |
true |
|
The server IP address |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| serverMAC |
string |
true |
- |
The server MAC address |
00-00-00-ff-ff-ff |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| serverPort |
int |
true |
Port |
The server port number |
443 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sessionEnd |
string |
true |
- |
The session end time (in seconds) |
1575462989 |
- Zero Trust Secure Access - Private Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sessionEndReason |
string |
true |
- |
The reason why a session was terminated |
- tcp-fin
- tcp-rst-from-server
|
- Network Sensor
- Trend Micro Deep Discovery Inspector
|
| sessionStart |
string |
true |
- |
The session start time (in seconds) |
1575462989 |
- Zero Trust Secure Access - Private Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| severity |
int |
true |
- |
The severity of the event |
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Trend Micro Apex One as a Service
- TippingPoint Security Management System
- Trend Cloud One - Network Security
- Trend Vision One Container Security
- Mobile Network Security
|
| shost |
string |
true |
DomainName |
The source hostname |
- dns.google
- sw_us-east-1a_10-124-17-69
- sw_us-east-1c_10-124-21-139
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Deep Security
- Mobile Network Security
|
| smac |
string |
true |
- |
The source MAC address |
- 00:11:22:33:44:55
- 66:77:88:99:AA:BB
- CC:DD:EE:FF:00:11
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Deep Security
- TXOne EdgeOne
|
| sOSName |
string |
true |
- |
The source OS |
- Windows
- Windows 10
- Windows XP
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Mobile Network Security
|
| spt |
int |
true |
Port |
The source port |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- TippingPoint Security Management System
- Trend Micro Deep Security
- Trend Cloud One - Network Security
- Endpoint Sensor
- TXOne EdgeOne
- Zero Trust Secure Access - Private Access
- Trend Vision One Container Security
- Mobile Network Security
|
| src |
dynamic |
true |
|
The source IP |
10.10.10.10 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Trend Cloud One - Endpoint & Workload Security
- TippingPoint Security Management System
- Trend Micro Deep Security
- Trend Cloud One - Network Security
- Endpoint Sensor
- Zero Trust Secure Access - Internet Access
- TXOne EdgeOne
- Zero Trust Secure Access - Private Access
- Trend Vision One Container Security
- Mobile Network Security
|
| srcGroup |
string |
true |
- |
The group name defined by the source administrator |
- Default
- Rede DATACENTER example/example - AD example CORP
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Mobile Network Security
|
| srcZone |
string |
true |
- |
The network zone defined by the source administrator |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sshHassh |
string |
true |
- |
The SSH client application fingerprint |
- 45e3942372f42899a63e9080ef25b0ae
- 3cd1e0adbf5008e6566f6b807296cca0
- b526d4ea3a96b2ebc6f3c23d014b231b
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sshHassh |
string |
true |
- |
The SSH hassh |
45e3942372f42899a63e9080ef25b0ae |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sshHasshServer |
string |
true |
- |
The SSH server application fingerprint |
- 4ceb58cad0f415b8fb16de236fa70ec5
- 2475e2f09ec3177a79355ab3ebe95ba5
- 67b87b58168b7ae9ffbfd31a59b84005
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sshHasshServer |
string |
true |
- |
The SSH hassh server |
4ceb58cad0f415b8fb16de236fa70ec5 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sslCertCommonName |
string |
true |
|
The subject common name |
settings-win.data.microsoft.com |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sslCertCommonName |
string |
true |
|
The certificate common name |
*.www.sample.com |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sslCertFingerprint |
string |
true |
- |
The certificate fingerprint |
3914af80223c833f26df001cbf342eff8a31aba1 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sslCertIssuer |
string |
true |
- |
The issuer of the certificate |
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sslCertIssuerCommonName |
string |
true |
- |
The issuer common name |
Microsoft Azure TLS Issuing CA 05 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sslCertIssuerOrgName |
string |
true |
- |
The issuer organization name |
Microsoft Corporation |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sslCertOrgName |
string |
true |
- |
The subject organization name |
Microsoft |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sslCertSANs |
dynamic |
true |
- |
The Subject Alternative Name of the certificate |
- *.www.sample.com
- add.my.sample.com
- au.sample.com
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sslCertSerialNumber |
string |
true |
- |
The certificate serial number |
0888b1ad2a593310593f47565a5a5a4a |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sslCertValidFrom |
string |
true |
- |
The certificate validity start time |
2014-11-21T02:43:28 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sslCertValidUntil |
string |
true |
- |
The certificate validity end time |
2018-11-21T02:43:28 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| status |
string |
true |
- |
The network analysis flow session status |
2 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| suid |
string |
true |
UserAccount |
User name or mailbox |
- root
- US EXAMPLE\TEST
- sample_email@trendmicro.com
|
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Cloud App Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Web Security
- Trend Micro Deep Security
- Trend Cloud One - Network Security
- Zero Trust Secure Access - Internet Access
|
| suid |
string |
true |
UserAccount |
The user name or IP address (IPv4) |
- Sample User Name
- 10.10.10.10
|
- Zero Trust Secure Access - Internet Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| suser |
dynamic |
true |
EmailSender |
The email sender |
sample_email@trendmicro.com |
- Trend Micro Cloud App Security
- Trend Micro Email Security
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Email Sensor
|
| suser |
string |
true |
EmailSender |
The email sender |
sample_email@trendmicro.com |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| sUser1 |
string |
true |
UserAccount |
The latest sign-in user of the source |
- example\admin
- example.us.com\account
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| tacticId |
dynamic |
true |
Tactic |
The list of MITRE tactic IDs |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Endpoint Sensor
- Trend Micro Apex One as a Service
|
| tags |
dynamic |
true |
|
The detected technique ID based on the alert filter |
- MITREV9.T1090
- MITRE.T1071
- MITREV9.T1059.001
|
- ALL
- Trend Cloud One - Endpoint & Workload Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| targetShare |
string |
true |
FileFullPath |
For HTTPS protocol: Subject State or Province Name; For SMB protocol: Shared folder |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| techniqueId |
dynamic |
true |
Technique |
The technique ID detected by the product agent based on a detection rule |
- |
- TXOne StellarOne
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| threatName |
string |
true |
- |
The threat name |
- Malicious_CnC_access_on_UDP_blocked
- Malicious_CnC_access_on_TCP_blocked
- Other protected file
|
- Trend Micro Cloud App Security
- Trend Micro Apex One as a Service
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| threatNames |
dynamic |
true |
- |
The associated threats |
- HM_GERAL.MIP00000001
- HM_JADTRE.MIP00000001
- VAN_BOT.UMXX
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| threatType |
string |
true |
- |
The log threat type |
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Apex One as a Service
- Agentless Vulnerability & Threat Detection
|
| tlsJA3Fingerprint |
string |
true |
- |
The JA3 fingerprint |
- |
- Zero Trust Secure Access - Internet Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| tlsJA3SFingerprint |
string |
true |
- |
The raw JA3S |
771,157,65281-15 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| tlsSelectedCipher |
string |
true |
- |
The selected cipher of the TLS protocol |
c02f |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| urlCat |
dynamic |
true |
- |
The requested URL category |
- Untested
- 158
- Web Advertisement
|
- Trend Micro Deep Discovery Inspector
- Network Sensor
- Trend Micro Web Security
- Trend Micro Apex One as a Service
- Zero Trust Secure Access - Internet Access
- Trend Micro Cloud App Security
- Trend Vision One Mobile Security
- Trend Cloud One - Endpoint & Workload Security
|
| userDomain |
string |
true |
|
The Active Directory domain, that is, the domain of the user name used to log in to the TMAS admin portal |
trendmicro.com |
- Zero Trust Secure Access - Internet Access
- Trend Micro Deep Discovery Inspector
- Network Sensor
|
| vLANId |
int |
false |
- |
The virtual LAN ID |
- |
- Trend Micro Deep Discovery Inspector
- Network Sensor
- TXOne EdgeOne
- Mobile Network Security
- TippingPoint Security Management System
|
| vLANId |
int |
true |
- |
The virtual LAN ID |
4095 |
- Trend Micro Deep Discovery Inspector
- Network Sensor
|