├── doc_v2 ├── Identity │ └── Active Directory (on-premises).yaml ├── Others │ ├── Trend Micro Deep Discovery Director Network Analytic SaaS.yaml │ ├── Trend Cloud One - AWS CloudTrail Integration.yaml │ ├── TXOne StellarOne.yaml │ └── TXOne EdgeOne.yaml ├── Network │ ├── Palo Alto Firewall.yaml │ ├── Trend Micro Web Security.yaml │ ├── TippingPoint Security Management System.yaml │ ├── Trend Cloud One - Network Security.yaml │ └── Mobile Network Security.yaml ├── Endpoint │ ├── Trend Micro Apex One On-Premises.yaml │ └── Data Detection and Response.yaml ├── Email │ └── Collaboration sensor.yaml └── Cloud │ ├── XDR for Cloud - AWS VPC Flow Logs.yaml │ ├── File Security Storage.yaml │ └── File Security.yaml ├── .gitignore ├── pages ├── Identity │ └── Active Directory (on-premises).md ├── Others │ └── Trend Micro Deep Discovery Director Network Analytic SaaS.md ├── Network │ └── Palo Alto Firewall.md ├── Endpoint │ └── Trend Micro Apex One On-Premises.md └── index.md ├── doc ├── Cloud Activity Data.yaml └── Container Activity Data.yaml ├── README.md └── LICENSE /doc_v2/Identity/Active Directory (on-premises).yaml: -------------------------------------------------------------------------------- 1 | - Name: netBiosDomainName 2 | ProductCode: 3 | - opa 4 | Description_EN: The NetBIOS domain name 5 | Sample: 6 | - TREND 7 | DL_Type: string 8 | DL_CommonKey: 9 | - DomainName 10 | DL_Searchable: true 11 | DL_Aggregable: false 12 | -------------------------------------------------------------------------------- /doc_v2/Others/Trend Micro Deep Discovery Director Network Analytic SaaS.yaml: -------------------------------------------------------------------------------- 1 | - Name: flowId 2 | ProductCode: 3 | - sna 4 | Description_EN: The connection ID 5 | Sample: 6 | - '6717474604962545666' 7 | - '6915244861077872618' 8 | - '6915244908215815814' 9 | DL_Type: string 10 | DL_CommonKey: 11 | DL_Searchable: true 12 | DL_Aggregable: false 13 | 
-------------------------------------------------------------------------------- /doc_v2/Network/Palo Alto Firewall.yaml: -------------------------------------------------------------------------------- 1 | - Name: fileHashMd5 2 | ProductCode: 3 | - qpf 4 | Description_EN: The MD5 of the file 5 | Sample: 6 | - d5120786925038601a77c2e1eB9a3a0a 7 | DL_Type: string 8 | DL_CommonKey: 9 | - FileMD5 10 | DL_Searchable: true 11 | DL_Aggregable: false 12 | - Name: requestMethod 13 | ProductCode: 14 | - qpf 15 | Description_EN: The network protocol request method 16 | Sample: 17 | - POST 18 | DL_Type: string 19 | DL_CommonKey: 20 | DL_Searchable: true 21 | DL_Aggregable: true 22 | - Name: sUser1 23 | ProductCode: 24 | - qpf 25 | Description_EN: The latest sign-in user of the source 26 | Sample: 27 | - 000c29edef58 28 | - sample.com\ser-desktopcentral 29 | DL_Type: string 30 | DL_CommonKey: 31 | - UserAccount 32 | DL_Searchable: true 33 | DL_Aggregable: false 34 | - Name: dUser1 35 | ProductCode: 36 | - qpf 37 | Description_EN: The latest logon user of the destination 38 | Sample: 39 | - dhr\m42svc 40 | - altsvc 41 | DL_Type: string 42 | DL_CommonKey: 43 | - UserAccount 44 | DL_Searchable: true 45 | DL_Aggregable: false 46 | - Name: shost 47 | ProductCode: 48 | - qpf 49 | Description_EN: The source hostname 50 | Sample: 51 | - sw_us-east-1a_10-124-17-69 52 | - sw_us-east-1c_10-124-21-139 53 | DL_Type: string 54 | DL_CommonKey: 55 | - DomainName 56 | DL_Searchable: true 57 | DL_Aggregable: false 58 | - Name: dhost 59 | ProductCode: 60 | - qpf 61 | Description_EN: The destination hostname 62 | Sample: 63 | - sw_us-east-1c_10-124-21-139 64 | - 10.10.10.10 65 | DL_Type: string 66 | DL_CommonKey: 67 | - DomainName 68 | DL_Searchable: true 69 | DL_Aggregable: false 70 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Covers JetBrains IDEs: IntelliJ, 
RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider 2 | # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 3 | 4 | # User-specific stuff 5 | .idea/**/workspace.xml 6 | .idea/**/tasks.xml 7 | .idea/**/usage.statistics.xml 8 | .idea/**/dictionaries 9 | .idea/**/shelf 10 | 11 | # AWS User-specific 12 | .idea/**/aws.xml 13 | 14 | # Generated files 15 | .idea/**/contentModel.xml 16 | 17 | # Sensitive or high-churn files 18 | .idea/**/dataSources/ 19 | .idea/**/dataSources.ids 20 | .idea/**/dataSources.local.xml 21 | .idea/**/sqlDataSources.xml 22 | .idea/**/dynamic.xml 23 | .idea/**/uiDesigner.xml 24 | .idea/**/dbnavigator.xml 25 | 26 | # Gradle 27 | .idea/**/gradle.xml 28 | .idea/**/libraries 29 | 30 | # Gradle and Maven with auto-import 31 | # When using Gradle or Maven with auto-import, you should exclude module files, 32 | # since they will be recreated, and may cause churn. Uncomment if using 33 | # auto-import. 34 | # .idea/artifacts 35 | # .idea/compiler.xml 36 | # .idea/jarRepositories.xml 37 | # .idea/modules.xml 38 | # .idea/*.iml 39 | # .idea/modules 40 | # *.iml 41 | # *.ipr 42 | 43 | # CMake 44 | cmake-build-*/ 45 | 46 | # Mongo Explorer plugin 47 | .idea/**/mongoSettings.xml 48 | 49 | # File-based project format 50 | *.iws 51 | 52 | # IntelliJ 53 | out/ 54 | 55 | # mpeltonen/sbt-idea plugin 56 | .idea_modules/ 57 | 58 | # JIRA plugin 59 | atlassian-ide-plugin.xml 60 | 61 | # Cursive Clojure plugin 62 | .idea/replstate.xml 63 | 64 | # SonarLint plugin 65 | .idea/sonarlint/ 66 | 67 | # Crashlytics plugin (for Android Studio and IntelliJ) 68 | com_crashlytics_export_strings.xml 69 | crashlytics.properties 70 | crashlytics-build.properties 71 | fabric.properties 72 | 73 | # Editor-based Rest Client 74 | .idea/httpRequests 75 | 76 | # Android studio 3.1+ serialized cache file 77 | .idea/caches/build_file_checksums.ser 78 | -------------------------------------------------------------------------------- 
/doc_v2/Endpoint/Trend Micro Apex One On-Premises.yaml: -------------------------------------------------------------------------------- 1 | - Name: parentSignerFlagsAdhoc 2 | ProductCode: 3 | - xes 4 | - sao 5 | - pao 6 | Description_EN: The list of parent process signature adhoc flags 7 | Sample: [] 8 | DL_Type: dynamic 9 | DL_CommonKey: 10 | DL_Searchable: true 11 | DL_Aggregable: false 12 | - Name: parentSignerFlagsRuntime 13 | ProductCode: 14 | - xes 15 | - sao 16 | - pao 17 | Description_EN: The list of parent process signature runtime flags 18 | Sample: [] 19 | DL_Type: dynamic 20 | DL_CommonKey: 21 | DL_Searchable: true 22 | DL_Aggregable: false 23 | - Name: parentSignerFlagsLibValid 24 | ProductCode: 25 | - xes 26 | - sao 27 | - pao 28 | Description_EN: The list of parent process signature library validation flags 29 | Sample: [] 30 | DL_Type: dynamic 31 | DL_CommonKey: 32 | DL_Searchable: true 33 | DL_Aggregable: false 34 | - Name: objectSignerFlagsAdhoc 35 | ProductCode: 36 | - xes 37 | - sao 38 | - pao 39 | Description_EN: The list of object process signature adhoc flags 40 | Sample: [] 41 | DL_Type: dynamic 42 | DL_CommonKey: 43 | DL_Searchable: true 44 | DL_Aggregable: false 45 | - Name: objectSignerFlagsRuntime 46 | ProductCode: 47 | - xes 48 | - sao 49 | - pao 50 | Description_EN: The list of object process signature runtime flags 51 | Sample: [] 52 | DL_Type: dynamic 53 | DL_CommonKey: 54 | DL_Searchable: true 55 | DL_Aggregable: false 56 | - Name: objectSignerFlagsLibValid 57 | ProductCode: 58 | - xes 59 | - sao 60 | - pao 61 | Description_EN: The list of object process signature library validation flags 62 | Sample: [] 63 | DL_Type: dynamic 64 | DL_CommonKey: 65 | DL_Searchable: true 66 | DL_Aggregable: false 67 | - Name: processSignerFlagsAdhoc 68 | ProductCode: 69 | - xes 70 | - sao 71 | - pao 72 | Description_EN: The list of process signature adhoc flags 73 | Sample: [] 74 | DL_Type: dynamic 75 | DL_CommonKey: 76 | DL_Searchable: true 77 | 
DL_Aggregable: false 78 | - Name: processSignerFlagsRuntime 79 | ProductCode: 80 | - xes 81 | - sao 82 | - pao 83 | Description_EN: The list of process signature runtime flags 84 | Sample: [] 85 | DL_Type: dynamic 86 | DL_CommonKey: 87 | DL_Searchable: true 88 | DL_Aggregable: false 89 | - Name: processSignerFlagsLibValid 90 | ProductCode: 91 | - xes 92 | - sao 93 | - pao 94 | Description_EN: The list of process signature library validation flags 95 | Sample: [] 96 | DL_Type: dynamic 97 | DL_CommonKey: 98 | DL_Searchable: true 99 | DL_Aggregable: false 100 | - Name: quarantineFilePath 101 | ProductCode: 102 | - sao 103 | - pao 104 | - sds 105 | - pds 106 | Description_EN: The file path of the quarantined object 107 | Sample: 108 | - C:\ProgramData\Trend Micro\AMSP\quarantine\ASLUMVS0.4FC 109 | DL_Type: string 110 | DL_CommonKey: 111 | - FileFullPath 112 | DL_Searchable: true 113 | DL_Aggregable: false 114 | - Name: quarantineFileId 115 | ProductCode: 116 | - sao 117 | - pao 118 | - sds 119 | - pds 120 | Description_EN: The unique identifier of the quarantined object 121 | Sample: 122 | - ASLUMVS0.4FC 123 | DL_Type: string 124 | DL_CommonKey: 125 | DL_Searchable: true 126 | DL_Aggregable: false 127 | - Name: quarantineFileSha256 128 | ProductCode: 129 | - sao 130 | - pao 131 | - sds 132 | - pds 133 | Description_EN: The SHA-256 of the quarantined object 134 | Sample: 135 | - 84B2FA19B05EA88D6E785B4ADB528120485AA3F72F3E5E114DE6D3696B0D151F 136 | DL_Type: string 137 | DL_CommonKey: 138 | - FileSHA2 139 | DL_Searchable: true 140 | DL_Aggregable: false 141 | - Name: detectionNames 142 | ProductCode: 143 | - sao 144 | - pao 145 | - sds 146 | - pds 147 | Description_EN: The rules that triggered the event 148 | Sample: 149 | - [HS_EMOTET.SMAA, HM_AVEDOWN.SMZTIG-A, HE_DOCQRPHISH.SM] 150 | DL_Type: dynamic 151 | DL_Searchable: true 152 | DL_Aggregable: false 153 | - Name: detectionMeta 154 | ProductCode: 155 | - sao 156 | - pao 157 | - sds 158 | - pds 159 | Description_EN: 
The descriptions of the detected techniques 160 | Sample: 161 | - [T1204 some description about this technique, T1573.001_AES another 162 | description about this technique] 163 | DL_Type: dynamic 164 | DL_Searchable: true 165 | DL_Aggregable: false 166 | -------------------------------------------------------------------------------- /pages/Identity/Active Directory (on-premises).md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | title: Active Directory (on-premises) - Identity 4 | --- 5 | 6 | # Active Directory (on-premises) 7 | **Layer:** Identity 8 | 9 | This documentation provides detailed information about all fields available for Active Directory (on-premises). 10 | 11 | 188 | 189 |
Field Name | Type | Searchable | General Field | Description | Example | Products
netBiosDomainName | string | true | DomainName | The NetBIOS domain name | TREND | Active Directory (on-premises)
216 | 217 | ## Field Statistics 218 | - **Total Fields:** 1 219 | - **Layer:** Identity 220 | - **Product:** Active Directory (on-premises) 221 | 222 | --- 223 | *Generated by XDR Common Schema Public Doc Generator V2* 224 | -------------------------------------------------------------------------------- /pages/Others/Trend Micro Deep Discovery Director Network Analytic SaaS.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | title: Trend Micro Deep Discovery Director Network Analytic SaaS - Others 4 | --- 5 | 6 | # Trend Micro Deep Discovery Director Network Analytic SaaS 7 | **Layer:** Others 8 | 9 | This documentation provides detailed information about all fields available for Trend Micro Deep Discovery Director Network Analytic SaaS. 10 | 11 | 188 | 189 |
Field Name | Type | Searchable | General Field | Description | Example | Products
flowId | string | true | - | The connection ID
  • 6717474604962545666
  • 6915244861077872618
  • 6915244908215815814
Trend Micro Deep Discovery Director Network Analytic SaaS
222 | 223 | ## Field Statistics 224 | - **Total Fields:** 1 225 | - **Layer:** Others 226 | - **Product:** Trend Micro Deep Discovery Director Network Analytic SaaS 227 | 228 | --- 229 | *Generated by XDR Common Schema Public Doc Generator V2* 230 | -------------------------------------------------------------------------------- /doc_v2/Network/Trend Micro Web Security.yaml: -------------------------------------------------------------------------------- 1 | - Name: userDomain 2 | ProductCode: 3 | - sao 4 | - sws 5 | - sig 6 | Description_EN: The user domain 7 | Sample: 8 | - example.com.pa 9 | - DOMAIN 10 | DL_Type: string 11 | DL_CommonKey: 12 | - EndpointName 13 | - DomainName 14 | - AccountDomain 15 | DL_Searchable: true 16 | DL_Aggregable: false 17 | - Name: suid 18 | ProductCode: 19 | - sds 20 | - sca 21 | - sao 22 | - pdi 23 | - xns 24 | - sws 25 | - pds 26 | - stp 27 | - sig 28 | Description_EN: User name or mailbox 29 | Sample: 30 | - root 31 | - US EXAMPLE\TEST 32 | - sample_email@trendmicro.com 33 | DL_Type: string 34 | DL_CommonKey: 35 | - UserAccount 36 | DL_Searchable: true 37 | DL_Aggregable: false 38 | - Name: malName 39 | ProductCode: 40 | - sao 41 | - sds 42 | - pdi 43 | - xns 44 | - pds 45 | - sws 46 | - pts 47 | - xms 48 | - sfs 49 | - sfc 50 | - sss 51 | - scs 52 | Description_EN: The name of the detected malware 53 | Sample: 54 | - SecurityLevelDrop 55 | - Regla Logs All 56 | - USR_SUSPICIOUS_DOMAIN.UMXX 57 | DL_Type: string 58 | DL_CommonKey: 59 | DL_Searchable: true 60 | DL_Aggregable: false 61 | - Name: act 62 | ProductCode: 63 | - scs 64 | - pdi 65 | - xns 66 | - sao 67 | - sds 68 | - sca 69 | - ptp 70 | - xes 71 | - sws 72 | - sem 73 | - pds 74 | - stp 75 | - sig 76 | - ptn 77 | - szn 78 | - xms 79 | - ams 80 | - mns 81 | - sss 82 | Description_EN: The actions taken to mitigate the event 83 | Sample: 84 | - log 85 | - isolate 86 | - terminate 87 | - not blocked 88 | - Block 89 | - No action 90 | - Reset 91 | - Pass 92 | - User Decision 93 
| DL_Type: dynamic 94 | DL_CommonKey: 95 | DL_Searchable: true 96 | DL_Aggregable: true 97 | - Name: pname 98 | ProductCode: 99 | - sds 100 | - pdi 101 | - xns 102 | - sao 103 | - pds 104 | - sca 105 | - sem 106 | - ptp 107 | - xes 108 | - sws 109 | - stp 110 | - sig 111 | - ams 112 | - scs 113 | - xms 114 | Description_EN: The internal product ID 115 | Sample: 116 | - Trend Micro Deep Security 117 | - Deep Discovery Inspector 118 | - Apex One 119 | DL_Type: string 120 | DL_CommonKey: 121 | DL_Searchable: true 122 | DL_Aggregable: false 123 | - Name: requestBase 124 | ProductCode: 125 | - sws 126 | - sig 127 | - szn 128 | Description_EN: The domain of the request URL 129 | Sample: 130 | - weather.service.msn.com 131 | - test.domain.com 132 | DL_Type: string 133 | DL_CommonKey: 134 | - DomainName 135 | - HostDomain 136 | DL_Searchable: true 137 | DL_Aggregable: false 138 | - Name: urlCat 139 | ProductCode: 140 | - pdi 141 | - xns 142 | - sws 143 | - sao 144 | - sig 145 | - sca 146 | - ams 147 | - sds 148 | Description_EN: The requested URL category 149 | Sample: 150 | - Untested 151 | - '158' 152 | - Web Advertisement 153 | DL_Type: dynamic 154 | DL_CommonKey: 155 | DL_Searchable: true 156 | DL_Aggregable: false 157 | - Name: userDepartment 158 | ProductCode: 159 | - sws 160 | - sig 161 | Description_EN: User department 162 | Sample: 163 | - Operations 164 | - BANCA CONSTRUCCION 165 | - CONTACT CENTER 166 | DL_Type: string 167 | DL_CommonKey: 168 | DL_Searchable: true 169 | DL_Aggregable: false 170 | - Name: sender 171 | ProductCode: 172 | - sws 173 | - sig 174 | Description_EN: The roaming users or the gateway where the web traffic passed 175 | Sample: 176 | - test user 177 | - VE C&W - 10.10.10.10 178 | DL_Type: string 179 | DL_CommonKey: 180 | DL_Searchable: true 181 | DL_Aggregable: false 182 | - Name: policyName 183 | ProductCode: 184 | - sao 185 | - sca 186 | - sws 187 | - sem 188 | - sig 189 | - ptn 190 | - scs 191 | - mns 192 | Description_EN: The name of 
the triggered policy 193 | Sample: 194 | - Steelcase 195 | - Cabot 196 | - Tigre - Medium Policy 197 | - apiPostedPolicy 198 | DL_Type: string 199 | DL_CommonKey: 200 | DL_Searchable: true 201 | DL_Aggregable: false 202 | - Name: principalName 203 | ProductCode: 204 | - sws 205 | - sig 206 | - sca 207 | - szn 208 | Description_EN: The user principal name used to sign in to the proxy 209 | Sample: 210 | - sample_email@trendmicro.com 211 | DL_Type: string 212 | DL_CommonKey: 213 | DL_Searchable: true 214 | DL_Aggregable: false 215 | - Name: profile 216 | ProductCode: 217 | - sws 218 | - sig 219 | Description_EN: The name of the triggered Threat Protection template or Data 220 | Loss Prevention profile 221 | Sample: 222 | - Primary Protection Rule 223 | - Multibak Scaner Threat 224 | - default 225 | DL_Type: string 226 | DL_CommonKey: 227 | DL_Searchable: true 228 | DL_Aggregable: false 229 | - Name: application 230 | ProductCode: 231 | - sws 232 | - sig 233 | - szn 234 | - sao 235 | Description_EN: The name of the requested application 236 | Sample: 237 | - HyperText Transfer Protocol 238 | - DoubleClick 239 | - The Secure HyperText Transfer Protocol 240 | DL_Type: string 241 | DL_CommonKey: 242 | DL_Searchable: true 243 | DL_Aggregable: false 244 | - Name: aggregatedCount 245 | ProductCode: 246 | - pdi 247 | - xns 248 | - sao 249 | - ptp 250 | - sws 251 | - stp 252 | - sig 253 | - pts 254 | - ddr 255 | - sds 256 | Description_EN: The number of aggregated events 257 | Sample: 258 | - '1' 259 | - '2' 260 | - '3' 261 | DL_Type: string 262 | DL_CommonKey: 263 | DL_Searchable: true 264 | DL_Aggregable: false 265 | - Name: detectionType 266 | ProductCode: 267 | - pdi 268 | - xns 269 | - sds 270 | - sws 271 | - sao 272 | - sca 273 | - pds 274 | - sem 275 | - sig 276 | - ams 277 | - szn 278 | - scs 279 | Description_EN: The detection type 280 | Sample: 281 | - '1' 282 | - File 283 | - Process 284 | - net 285 | DL_Type: string 286 | DL_CommonKey: 287 | DL_Searchable: true 
288 | DL_Aggregable: false 289 | - Name: rt 290 | ProductCode: 291 | - sds 292 | - pdi 293 | - xns 294 | - sao 295 | - pds 296 | - sca 297 | - sem 298 | - ptp 299 | - xes 300 | - sws 301 | - stp 302 | - sig 303 | - szn 304 | - xms 305 | Description_EN: The Unix time of the log generation 306 | Sample: 307 | - 1656324260000 308 | DL_Type: string 309 | DL_CommonKey: 310 | DL_Searchable: false 311 | DL_Aggregable: false 312 | - Name: logKey 313 | ProductCode: 314 | - sds 315 | - pdi 316 | - xns 317 | - sao 318 | - pds 319 | - sca 320 | - sem 321 | - ptp 322 | - xes 323 | - sws 324 | - stp 325 | - sig 326 | Description_EN: The unique key of the event 327 | Sample: 328 | - 123e4567-e89b-12d3-a456-426614174000 329 | - 987f6543-21ba-43cd-9e8f-123456789abc 330 | - 456789ab-cdef-1234-5678-9abcdef01234 331 | DL_Type: string 332 | DL_CommonKey: 333 | DL_Searchable: true 334 | DL_Aggregable: false 335 | -------------------------------------------------------------------------------- /pages/Network/Palo Alto Firewall.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | title: Palo Alto Firewall - Network 4 | --- 5 | 6 | # Palo Alto Firewall 7 | **Layer:** Network 8 | 9 | This documentation provides detailed information about all fields available for Palo Alto Firewall. 10 | 11 | 188 | 189 |
Field Name | Type | Searchable | General Field | Description | Example | Products
dhost | string | true | DomainName | The destination hostname
  • sw_us-east-1c_10-124-21-139
  • 10.10.10.10
Palo Alto Firewall
dUser1 | string | true | UserAccount | The latest logon user of the destination
  • dhr\m42svc
  • altsvc
Palo Alto Firewall
fileHashMd5 | string | true | FileMD5 | The MD5 of the file | d5120786925038601a77c2e1eB9a3a0a | Palo Alto Firewall
requestMethod | string | true | - | The network protocol request method | POST | Palo Alto Firewall
shost | string | true | DomainName | The source hostname
  • sw_us-east-1a_10-124-17-69
  • sw_us-east-1c_10-124-21-139
Palo Alto Firewall
sUser1 | string | true | UserAccount | The latest sign-in user of the source
  • 000c29edef58
  • sample.com\ser-desktopcentral
Palo Alto Firewall
281 | 282 | ## Field Statistics 283 | - **Total Fields:** 6 284 | - **Layer:** Network 285 | - **Product:** Palo Alto Firewall 286 | 287 | --- 288 | *Generated by XDR Common Schema Public Doc Generator V2* 289 | -------------------------------------------------------------------------------- /doc_v2/Email/Collaboration sensor.yaml: -------------------------------------------------------------------------------- 1 | - Name: applicationId 2 | ProductCode: 3 | - xca 4 | Description_EN: The application ID 5 | Sample: 6 | - 11111111-1111-1111-1111-111111111111 7 | DL_Type: string 8 | DL_CommonKey: 9 | DL_Searchable: true 10 | DL_Aggregable: false 11 | - Name: clientIp 12 | ProductCode: 13 | - xca 14 | Description_EN: The client IP 15 | Sample: 16 | - 10.10.10.10 17 | DL_Type: string 18 | DL_CommonKey: 19 | - IPv4 20 | - IPv6 21 | DL_Searchable: true 22 | DL_Aggregable: true 23 | - Name: correlationId 24 | ProductCode: 25 | - xca 26 | Description_EN: The correlation ID 27 | Sample: 28 | - 11111111-1111-1111-1111-111111111111 29 | DL_Type: string 30 | DL_CommonKey: 31 | DL_Searchable: true 32 | DL_Aggregable: false 33 | - Name: extraInfo 34 | ProductCode: 35 | - xca 36 | Description_EN: The additional information about the sharing action 37 | Sample: 38 | - SPHomePagesWeb 39 | DL_Type: dynamic 40 | DL_CommonKey: 41 | DL_Searchable: true 42 | DL_Aggregable: false 43 | - Name: isExternalAccess 44 | ProductCode: 45 | - xca 46 | Description_EN: Whether the cmdlet was run by an external user (True=external 47 | user, False=internal user in your organization) 48 | Sample: 49 | - true 50 | DL_Type: bool 51 | DL_CommonKey: 52 | DL_Searchable: true 53 | DL_Aggregable: false 54 | - Name: targetType 55 | ProductCode: 56 | - xca 57 | Description_EN: The type of object that was accessed or modified 58 | Sample: 59 | - File 60 | DL_Type: string 61 | DL_CommonKey: 62 | DL_Searchable: true 63 | DL_Aggregable: false 64 | - Name: target 65 | ProductCode: 66 | - xca 67 | Description_EN: The 
object accessed by a user or application 68 | Sample: 69 | - APCPR000000.PROD.OUTLOOK.COM/Microsoft Exchange Hosted 70 | - Organizations/test.trendmicro.com/test\\testRule001 71 | DL_Type: string 72 | DL_CommonKey: 73 | DL_Searchable: true 74 | DL_Aggregable: false 75 | - Name: actionName 76 | ProductCode: 77 | - xca 78 | Description_EN: The user or service action 79 | Sample: 80 | - UserLoggedIn 81 | DL_Type: string 82 | DL_CommonKey: 83 | DL_Searchable: true 84 | DL_Aggregable: false 85 | - Name: orgName 86 | ProductCode: 87 | - xca 88 | Description_EN: The tenant name 89 | Sample: 90 | - test.trendmicro.com 91 | DL_Type: string 92 | DL_CommonKey: 93 | DL_Searchable: true 94 | DL_Aggregable: false 95 | - Name: originatingServer 96 | ProductCode: 97 | - xca 98 | Description_EN: The server where the operation originated 99 | Sample: 100 | - TY0PR03MB6449 (15.20.5746.023) 101 | DL_Type: string 102 | DL_CommonKey: 103 | DL_Searchable: true 104 | DL_Aggregable: false 105 | - Name: parameters 106 | ProductCode: 107 | - xca 108 | Description_EN: The names and values of all parameters used in the cmdlet 109 | identified in the Operations property 110 | Sample: 111 | - '[{"Name": "AlwaysDeleteOutlookRulesBlob","Value": "False"},{"Name" : "Force","Value": 112 | "False"}]' 113 | DL_Type: string 114 | DL_CommonKey: 115 | DL_Searchable: true 116 | DL_Aggregable: false 117 | - Name: recordType 118 | ProductCode: 119 | - xca 120 | Description_EN: The operation type 121 | Sample: 122 | - 1 123 | - 2 124 | DL_Type: int 125 | DL_CommonKey: 126 | DL_Searchable: true 127 | DL_Aggregable: false 128 | - Name: actResult 129 | ProductCode: 130 | - xca 131 | Description_EN: The action result 132 | Sample: 133 | - Success 134 | DL_Type: dynamic 135 | DL_CommonKey: 136 | DL_Searchable: true 137 | DL_Aggregable: false 138 | - Name: isSensitiveInfo 139 | ProductCode: 140 | - xca 141 | Description_EN: Whether the event contains sensitive information 142 | Sample: 143 | - true 144 | DL_Type: 
bool 145 | DL_CommonKey: 146 | DL_Searchable: true 147 | DL_Aggregable: false 148 | - Name: userSessionId 149 | ProductCode: 150 | - xca 151 | Description_EN: The user session ID 152 | Sample: 153 | - 11111111-1111-1111-1111-111111111111 154 | DL_Type: string 155 | DL_CommonKey: 156 | DL_Searchable: true 157 | DL_Aggregable: false 158 | - Name: cloudStorageId 159 | ProductCode: 160 | - xca 161 | Description_EN: The file or folder location ID 162 | Sample: 163 | - 11111111-1111-1111-1111-111111111111 164 | DL_Type: string 165 | DL_CommonKey: 166 | DL_Searchable: true 167 | DL_Aggregable: false 168 | - Name: cloudStorageName 169 | ProductCode: 170 | - xca 171 | Description_EN: The file or folder URL 172 | Sample: 173 | - https://test.trendmicro.com/sites/123 174 | DL_Type: string 175 | DL_CommonKey: 176 | DL_Searchable: true 177 | DL_Aggregable: true 178 | - Name: fileExt 179 | ProductCode: 180 | - xca 181 | Description_EN: The file extension (If the object is a folder, there is no 182 | value for this field.) 
183 | Sample: 184 | - jpg 185 | DL_Type: string 186 | DL_CommonKey: 187 | DL_Searchable: true 188 | DL_Aggregable: false 189 | - Name: fileName 190 | ProductCode: 191 | - xca 192 | Description_EN: The file or folder name 193 | Sample: 194 | - test.pdf 195 | DL_Type: string 196 | DL_CommonKey: 197 | - FileName 198 | DL_Searchable: true 199 | DL_Aggregable: true 200 | - Name: userAgent 201 | ProductCode: 202 | - xca 203 | Description_EN: The user agent 204 | Sample: 205 | - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like 206 | Gecko) Chrome/119.0.0.0 Safari/537.36 207 | DL_Type: string 208 | DL_CommonKey: 209 | DL_Searchable: true 210 | DL_Aggregable: false 211 | - Name: principalName 212 | ProductCode: 213 | - xca 214 | Description_EN: The User Principal Name 215 | Sample: 216 | - sample_email@trendmicro.com 217 | DL_Type: string 218 | DL_CommonKey: 219 | - UserAccount 220 | DL_Searchable: true 221 | DL_Aggregable: false 222 | - Name: userType 223 | ProductCode: 224 | - xca 225 | Description_EN: The user type 226 | Sample: 227 | - Regular 228 | - Reserved 229 | - Admin 230 | DL_Type: string 231 | DL_CommonKey: 232 | DL_Searchable: true 233 | DL_Aggregable: false 234 | - Name: service 235 | ProductCode: 236 | - xca 237 | Description_EN: The Microsoft 365 service where the activity occurred 238 | Sample: 239 | - SecurityComplianceCenter 240 | - AzureActiveDirectory 241 | - SharePoint 242 | DL_Type: string 243 | DL_CommonKey: 244 | DL_Searchable: true 245 | DL_Aggregable: false 246 | - Name: eventName 247 | ProductCode: 248 | - xca 249 | Description_EN: The event type 250 | Sample: 251 | - COLLABORATION_ACTIVITY 252 | DL_Type: string 253 | DL_CommonKey: 254 | DL_Searchable: true 255 | DL_Aggregable: true 256 | - Name: eventSubName 257 | ProductCode: 258 | - xca 259 | Description_EN: The event type sub-name 260 | Sample: 261 | - Audit.Exchange 262 | - Audit.Sharepoint 263 | - Audit.General 264 | DL_Type: string 265 | DL_CommonKey: 266 | 
DL_Searchable: true 267 | DL_Aggregable: true 268 | - Name: eventId 269 | ProductCode: 270 | - sca 271 | - sem 272 | - xms 273 | - xca 274 | Description_EN: The event ID 275 | Sample: 276 | - 1 - MESSAGING_EMAIL_META 277 | - 2 - MESSAGING_COLLABORATION_ACTIVITY 278 | DL_Type: int 279 | DL_CommonKey: 280 | DL_Searchable: true 281 | DL_Aggregable: true 282 | -------------------------------------------------------------------------------- /doc_v2/Others/Trend Cloud One - AWS CloudTrail Integration.yaml: -------------------------------------------------------------------------------- 1 | - Name: eventID 2 | ProductCode: 3 | - sct 4 | Description_EN: GUID generated by AWS CloudTrail to identify events 5 | Sample: 6 | - 11111111-1111-1111-1111-111111111111 7 | DL_Type: string 8 | DL_CommonKey: 9 | DL_Searchable: true 10 | DL_Aggregable: false 11 | - Name: eventName 12 | ProductCode: 13 | - sct 14 | Description_EN: The name of the log event 15 | Sample: 16 | - PutObject 17 | - GetObject 18 | - DescribeTable 19 | DL_Type: string 20 | DL_CommonKey: 21 | DL_Searchable: true 22 | DL_Aggregable: true 23 | - Name: eventSource 24 | ProductCode: 25 | - sct 26 | Description_EN: The AWS service the request was made to 27 | Sample: 28 | - s3.amazonaws.com 29 | - dynamodb.amazonaws.com 30 | - xray.amazonaws.com 31 | DL_Type: string 32 | DL_CommonKey: 33 | DL_Searchable: true 34 | DL_Aggregable: true 35 | - Name: readOnly 36 | ProductCode: 37 | - sct 38 | Description_EN: Whether the operation is read-only 39 | Sample: 40 | - true 41 | - false 42 | DL_Type: bool 43 | DL_CommonKey: 44 | DL_Searchable: true 45 | DL_Aggregable: true 46 | - Name: requestParameters 47 | ProductCode: 48 | - sct 49 | Description_EN: The parameters, if any, that were sent with the request 50 | (Parameters are documented in the API reference docs for the appropriate AWS 51 | service) 52 | Sample: 53 | - '{"durationSeconds": 3600, "roleSessionName":"BackplaneAssumeRoleSession"}' 54 | DL_Type: dynamic 55 | 
DL_CommonKey: 56 | DL_Searchable: true 57 | DL_Aggregable: false 58 | - Name: resources 59 | ProductCode: 60 | - sct 61 | Description_EN: List of resources accessed in the event 62 | Sample: 63 | - '[{"type":"AWS::S3::Object","ARN":"arn:aws:s3:::your-bucket/file.txt"}]' 64 | DL_Type: dynamic 65 | DL_CommonKey: 66 | DL_Searchable: true 67 | DL_Aggregable: false 68 | - Name: responseElements 69 | ProductCode: 70 | - sct 71 | Description_EN: Response elements for actions that made changes (create, 72 | update, or delete actions) 73 | Sample: 74 | - '{"user":{"createDate":"Mar 24, 2014 9:11:59 PM","userName":"Bob","arn":"arn:aws:iam::123456789012:user/Bob","path":"/","userId":"EXAMPLEUSERID"}}' 75 | DL_Type: dynamic 76 | DL_CommonKey: 77 | DL_Searchable: true 78 | DL_Aggregable: false 79 | - Name: sourceIPAddress 80 | ProductCode: 81 | - sct 82 | Description_EN: IP address the request was made from (For actions that 83 | originate from the service console, the address reported is for the 84 | underlying customer resource, not the console web server. For services in 85 | AWS, only the DNS name is displayed.) 
86 | Sample: 87 | - 10.10.10.10 88 | - apigateway.amazonaws.com 89 | - config.amazonaws.com 90 | DL_Type: string 91 | DL_CommonKey: 92 | - IPv4 93 | - IPv6 94 | DL_Searchable: true 95 | DL_Aggregable: true 96 | - Name: userAgent 97 | ProductCode: 98 | - sct 99 | Description_EN: The user agent or the agent through which the request was made 100 | Sample: 101 | - signin.amazonaws.com 102 | - console.amazonaws.com 103 | - aws-cli/1.3.23 Python/2.7.6 Linux/2.6.18-164.el5 104 | DL_Type: string 105 | DL_CommonKey: 106 | - CLICommand 107 | DL_Searchable: true 108 | DL_Aggregable: false 109 | - Name: userIdentity 110 | ProductCode: 111 | - sct 112 | Description_EN: Information about the user that made a request 113 | Sample: 114 | - '{"type":"AWSService","invokedBy":"apigateway.amazonaws.com"}' 115 | - '{"type":"AWSService","invokedBy":"lambda.amazonaws.com"}' 116 | DL_Type: dynamic 117 | DL_CommonKey: 118 | DL_Searchable: true 119 | DL_Aggregable: false 120 | - Name: vpcEndpointId 121 | ProductCode: 122 | - sct 123 | Description_EN: VPC endpoint in which requests were made from a VPC to another 124 | AWS service (Such as Amazon S3) 125 | Sample: 126 | - vpce-00000000000000000 127 | DL_Type: string 128 | DL_CommonKey: 129 | DL_Searchable: true 130 | DL_Aggregable: true 131 | - Name: additionalEventData 132 | ProductCode: 133 | - sct 134 | Description_EN: The additional data about the event that was not part of the 135 | request 136 | Sample: 137 | - '{"SignatureVersion":"SigV4","CipherSuite":"ECDHE-RSA-AES128-GCM-SHA256"}' 138 | DL_Type: dynamic 139 | DL_CommonKey: 140 | DL_Searchable: true 141 | DL_Aggregable: false 142 | - Name: apiVersion 143 | ProductCode: 144 | - sct 145 | Description_EN: API version associated with the AwsApiCall eventType value 146 | Sample: 147 | - 2012-08-10 148 | DL_Type: string 149 | DL_CommonKey: 150 | DL_Searchable: true 151 | DL_Aggregable: false 152 | - Name: awsRegion 153 | ProductCode: 154 | - sct 155 | Description_EN: AWS region that the 
request was made to 156 | Sample: 157 | - us-east-1 158 | - us-east-2 159 | - us-west-1 160 | DL_Type: string 161 | DL_CommonKey: 162 | DL_Searchable: true 163 | DL_Aggregable: false 164 | - Name: errorCode 165 | ProductCode: 166 | - sct 167 | Description_EN: AWS service error code 168 | Sample: 169 | - ThrottlingException 170 | - InvalidParameterValueException 171 | - NoSuchLifecycleConfiguration 172 | DL_Type: string 173 | DL_CommonKey: 174 | DL_Searchable: true 175 | DL_Aggregable: false 176 | - Name: errorMessage 177 | ProductCode: 178 | - sct 179 | Description_EN: Description of the error 180 | Sample: 181 | - The specified bucket does not have a website configuration 182 | - An unknown error occurred 183 | - The lifecycle configuration does not exist 184 | DL_Type: string 185 | DL_CommonKey: 186 | DL_Searchable: true 187 | DL_Aggregable: false 188 | - Name: eventTime 189 | ProductCode: 190 | - sct 191 | Description_EN: The time the agent or product detected the event 192 | Sample: 193 | - 2022-07-06T22:28:06Z 194 | DL_Type: string 195 | DL_CommonKey: 196 | DL_Searchable: true 197 | DL_Aggregable: false 198 | - Name: eventCategory 199 | ProductCode: 200 | - sct 201 | Description_EN: Event category used in LookupEvents calls 202 | Sample: 203 | - Management 204 | - Data 205 | - Insight 206 | DL_Type: string 207 | DL_CommonKey: 208 | DL_Searchable: true 209 | DL_Aggregable: false 210 | - Name: eventType 211 | ProductCode: 212 | - sct 213 | Description_EN: Type of event that generated the event record 214 | Sample: 215 | - AwsApiCall 216 | - AwsServiceEvent 217 | - AwsConsoleAction 218 | DL_Type: string 219 | DL_CommonKey: 220 | DL_Searchable: true 221 | DL_Aggregable: false 222 | - Name: eventVersion 223 | ProductCode: 224 | - sct 225 | Description_EN: Version of the log event format 226 | Sample: 227 | - 1.08 228 | DL_Type: string 229 | DL_CommonKey: 230 | DL_Searchable: true 231 | DL_Aggregable: false 232 | - Name: recipientAccountId 233 | ProductCode: 234 | - 
sct 235 | Description_EN: Account ID that received the event 236 | Sample: 237 | - 123456789012 238 | DL_Type: string 239 | DL_CommonKey: 240 | DL_Searchable: true 241 | DL_Aggregable: false 242 | - Name: requestID 243 | ProductCode: 244 | - sct 245 | Description_EN: Value that identifies the request (The service being called 246 | generates this value) 247 | Sample: 248 | - 11111111-1111-1111-1111-111111111111 249 | DL_Type: string 250 | DL_CommonKey: 251 | DL_Searchable: true 252 | DL_Aggregable: false 253 | - Name: sharedEventID 254 | ProductCode: 255 | - sct 256 | Description_EN: GUID generated by AWS CloudTrail to uniquely identify 257 | CloudTrail events (From the same AWS action that is sent to different AWS 258 | accounts) 259 | Sample: 260 | - 11111111-1111-1111-1111-111111111111 261 | DL_Type: string 262 | DL_CommonKey: 263 | DL_Searchable: true 264 | DL_Aggregable: false 265 | - Name: serviceEventDetails 266 | ProductCode: 267 | - sct 268 | Description_EN: The service event (including what triggered the event and the 269 | result) 270 | Sample: 271 | - '{"lifecycleEventPolicy":{"policyVersion":1,"policyId":"11111111-1111-1111-1111-111111111111"}}' 272 | DL_Type: dynamic 273 | DL_CommonKey: 274 | DL_Searchable: true 275 | DL_Aggregable: false 276 | -------------------------------------------------------------------------------- /doc_v2/Others/TXOne StellarOne.yaml: -------------------------------------------------------------------------------- 1 | - Name: endpointHostName 2 | ProductCode: 3 | - sds 4 | - pds 5 | - sao 6 | - xes 7 | - sig 8 | - ams 9 | - szn 10 | - pts 11 | - scs 12 | - sss 13 | - ddr 14 | Description_EN: The endpoint hostname or node where the event was detected 15 | Sample: 16 | - 10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0] 17 | - ip-10-10-10-10.us-west-1.compute.internal 18 | DL_Type: string 19 | DL_CommonKey: 20 | - EndpointName 21 | DL_Searchable: true 22 | DL_Aggregable: true 23 | - Name: endpointGUID 24 | ProductCode: 25 | 
- sds 26 | - sao 27 | - pds 28 | - xes 29 | - sig 30 | - ams 31 | - szn 32 | - pts 33 | - scs 34 | - ddr 35 | Description_EN: The GUID of the agent which reported the detection 36 | Sample: 37 | - ae4d64aa-f8b8-bb36-b265-f59272ed342f 38 | - 8fb979f6-1376-bed3-227f-f2886e66194e 39 | - ca2b3a7e-8415-c571-cc19-e45f69470026 40 | DL_Type: string 41 | DL_CommonKey: 42 | - EndpointID 43 | DL_Searchable: true 44 | DL_Aggregable: true 45 | - Name: fileName 46 | ProductCode: 47 | - sds 48 | - pdi 49 | - xns 50 | - sao 51 | - pds 52 | - sig 53 | - pts 54 | - sfs 55 | - sfc 56 | - sss 57 | Description_EN: The file name 58 | Sample: 59 | - spoolss 60 | - hosts 61 | - svcrestarttask 62 | DL_Type: dynamic 63 | DL_CommonKey: 64 | - FileName 65 | DL_Searchable: true 66 | DL_Aggregable: true 67 | - Name: filePath 68 | ProductCode: 69 | - sds 70 | - pds 71 | - sao 72 | - pdi 73 | - xns 74 | - pts 75 | - sfs 76 | - sfc 77 | Description_EN: The file path without the file name 78 | Sample: 79 | - security 80 | - /var/log/audit/audit.log 81 | - application 82 | DL_Type: string 83 | DL_CommonKey: 84 | - FileFullPath 85 | DL_Searchable: true 86 | DL_Aggregable: true 87 | - Name: filePathName 88 | ProductCode: 89 | - sds 90 | - pdi 91 | - xns 92 | - pds 93 | - pts 94 | Description_EN: The file path with the file name 95 | Sample: 96 | - vss 97 | - spoolss 98 | - /etc/hosts 99 | DL_Type: string 100 | DL_CommonKey: 101 | - FileFullPath 102 | DL_Searchable: true 103 | DL_Aggregable: false 104 | - Name: techniqueId 105 | ProductCode: 106 | - pts 107 | - pdi 108 | - xns 109 | Description_EN: Technique ID detected by the product agent base on a detection 110 | rule 111 | Sample: [] 112 | DL_Type: dynamic 113 | DL_CommonKey: 114 | - Technique 115 | DL_Searchable: true 116 | DL_Aggregable: false 117 | - Name: malName 118 | ProductCode: 119 | - sao 120 | - sds 121 | - pdi 122 | - xns 123 | - pds 124 | - sws 125 | - pts 126 | - xms 127 | - sfs 128 | - sfc 129 | - sss 130 | - scs 131 | Description_EN: 
The name of the detected malware 132 | Sample: 133 | - SecurityLevelDrop 134 | - Regla Logs All 135 | - USR_SUSPICIOUS_DOMAIN.UMXX 136 | DL_Type: string 137 | DL_CommonKey: 138 | DL_Searchable: true 139 | DL_Aggregable: false 140 | - Name: eventName 141 | ProductCode: 142 | - sds 143 | - pdi 144 | - xns 145 | - sao 146 | - pds 147 | - ptp 148 | - sca 149 | - sem 150 | - xes 151 | - stp 152 | - sig 153 | - ptn 154 | - szn 155 | - pts 156 | - xms 157 | - sfs 158 | - sfc 159 | - sss 160 | - ams 161 | - mns 162 | - ddr 163 | Description_EN: The event type 164 | Sample: 165 | - LOG_INSPECTION_EVENT 166 | - SECURITY_RISK_DETECTION 167 | - WEB_THREAT_DETECTION 168 | - LOG_INSPECTION_EVENT 169 | - MALWARE_DETECTION 170 | - PROCESS_ACTIVITY 171 | - WEB_POLICY_VIOLATION 172 | - DEEP_PACKET_INSPECTION_EVENT 173 | - INTEGRITY_MONITORING_EVENT 174 | - DISRUPTIVE_APPLICATION_DETECTION 175 | - PRODUCT_SUMMARY 176 | - PRODUCT_UPDATE 177 | - BEHAVIORAL_VIOLATION 178 | - FIREWALL_POLICY_VIOLATION 179 | - SUSPICIOUS_BEHAVIOUR_DETECTION 180 | - DENYLIST_CHANGE 181 | - MACHINE_LEARNING_DETECTION 182 | - DLP_VIOLATION 183 | - MALWARE_OUTBREAK_DETECTION 184 | - SENSITIVE_DATA_DETECTION 185 | DL_Type: string 186 | DL_CommonKey: 187 | DL_Searchable: true 188 | DL_Aggregable: true 189 | - Name: fullPath 190 | ProductCode: 191 | - sds 192 | - sao 193 | - pdi 194 | - xns 195 | - pds 196 | - pts 197 | - sfs 198 | - sfc 199 | - sss 200 | - scs 201 | Description_EN: The combination of the file path and the file name 202 | Sample: 203 | - \etc\hosts 204 | - c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask 205 | - \var\log\auth.log 206 | DL_Type: string 207 | DL_CommonKey: 208 | - FileFullPath 209 | DL_Searchable: true 210 | DL_Aggregable: false 211 | - Name: parentFileHashSha256 212 | ProductCode: 213 | - xes 214 | - pts 215 | Description_EN: The SHA-256 of the subject parent process 216 | Sample: 217 | - 
14A1223722D486ABBC88682AB49AF8E56DC65AC4E153027985BFFFF7C815C0EC 218 | - 2EF51284CA9211ADEC3E8E095F386FEC742E0532075894AE99024C65949F935E 219 | - F3FEB95E7BCFB0766A694D93FCA29EDA7E2CA977C2395B4BE75242814EB6D881 220 | DL_Type: string 221 | DL_CommonKey: 222 | - FileSHA2 223 | DL_Searchable: true 224 | DL_Aggregable: false 225 | - Name: actResult 226 | ProductCode: 227 | - sao 228 | - sca 229 | - sds 230 | - pds 231 | - pts 232 | - ams 233 | Description_EN: The result of an action 234 | Sample: 235 | - Dropped 236 | - Successful 237 | - Accepted 238 | DL_Type: dynamic 239 | DL_CommonKey: 240 | DL_Searchable: true 241 | DL_Aggregable: false 242 | - Name: majorVirusType 243 | ProductCode: 244 | - pds 245 | - sds 246 | - ams 247 | - ptn 248 | - pts 249 | - sfc 250 | Description_EN: The virus type 251 | Sample: 252 | - Virus 253 | - Suspicious Activity 254 | - Trojan 255 | - TROJ 256 | DL_Type: string 257 | DL_CommonKey: 258 | DL_Searchable: true 259 | DL_Aggregable: false 260 | - Name: aggregatedCount 261 | ProductCode: 262 | - pdi 263 | - xns 264 | - sao 265 | - ptp 266 | - sws 267 | - stp 268 | - sig 269 | - pts 270 | - ddr 271 | - sds 272 | Description_EN: The number of aggregated events 273 | Sample: 274 | - '1' 275 | - '2' 276 | - '3' 277 | DL_Type: string 278 | DL_CommonKey: 279 | DL_Searchable: true 280 | DL_Aggregable: false 281 | - Name: endpointMacAddress 282 | ProductCode: 283 | - sao 284 | - ptn 285 | - pts 286 | Description_EN: The MAC address of endpoint 287 | Sample: 288 | - 00:00:00:00:00:00 289 | - ff:ff:ff:ff:ff:ff 290 | DL_Type: string 291 | DL_CommonKey: 292 | DL_Searchable: true 293 | DL_Aggregable: false 294 | - Name: eventId 295 | ProductCode: 296 | - sds 297 | - pdi 298 | - xns 299 | - sao 300 | - pds 301 | - sca 302 | - xes 303 | - sem 304 | - pts 305 | - scs 306 | - xms 307 | - sfs 308 | - sfc 309 | - sss 310 | - ams 311 | - mns 312 | - ddr 313 | Description_EN: The event ID from the logs of each product 314 | Sample: 315 | - 100100 316 | - 
100101 317 | - 100116 318 | - 100117 319 | - 100119 320 | DL_Type: string 321 | DL_CommonKey: 322 | DL_Searchable: true 323 | DL_Aggregable: true 324 | - Name: eventSubId 325 | ProductCode: 326 | - sds 327 | - pts 328 | Description_EN: The access type 329 | Sample: 330 | - '4' 331 | - '101' 332 | - '102' 333 | DL_Type: int 334 | DL_CommonKey: 335 | DL_Searchable: true 336 | DL_Aggregable: false 337 | - Name: firstSeen 338 | ProductCode: 339 | - sca 340 | - pts 341 | - ddr 342 | Description_EN: The first time the XDR log appeared 343 | Sample: 344 | - 1657195233000 345 | DL_Type: string 346 | DL_CommonKey: 347 | DL_Searchable: true 348 | DL_Aggregable: false 349 | - Name: lastSeen 350 | ProductCode: 351 | - sca 352 | - pts 353 | - ddr 354 | Description_EN: The last time the XDR log appeared 355 | Sample: 356 | - 1657195233000 357 | DL_Type: string 358 | DL_CommonKey: 359 | DL_Searchable: true 360 | DL_Aggregable: false 361 | - Name: quarantineFileName 362 | ProductCode: 363 | - pts 364 | Description_EN: The file path of the quarantined object 365 | Sample: 366 | - C:\Program 367 | Files\TXOne\StellarProtect\private\quarantine\00000000-0000-0000-0000-000000000000 368 | DL_Type: string 369 | DL_CommonKey: 370 | DL_Searchable: true 371 | DL_Aggregable: false 372 | -------------------------------------------------------------------------------- /doc_v2/Cloud/XDR for Cloud - AWS VPC Flow Logs.yaml: -------------------------------------------------------------------------------- 1 | - Name: eventTime 2 | ProductCode: 3 | - sig 4 | - szn 5 | - pdi 6 | - xns 7 | - vpc 8 | - azv 9 | Description_EN: The time the agent or product detected the event 10 | Sample: 11 | - 1657135700000 12 | DL_Type: real 13 | DL_CommonKey: 14 | DL_Searchable: true 15 | DL_Aggregable: false 16 | - Name: dst 17 | ProductCode: 18 | - sig 19 | - szn 20 | - vpc 21 | - azv 22 | Description_EN: The destination IP address (dstaddr) 23 | Sample: 24 | - 10.10.10.10 25 | DL_Type: string 26 | DL_CommonKey: 27 
| - IPv4 28 | - IPv6 29 | DL_Searchable: true 30 | DL_Aggregable: true 31 | - Name: src 32 | ProductCode: 33 | - sig 34 | - szn 35 | - vpc 36 | - azv 37 | Description_EN: The source IP address (srcaddr) 38 | Sample: 39 | - 10.10.10.10 40 | DL_Type: string 41 | DL_CommonKey: 42 | - IPv4 43 | - IPv6 44 | DL_Searchable: true 45 | DL_Aggregable: true 46 | - Name: eventName 47 | ProductCode: 48 | - sig 49 | - szn 50 | - pdi 51 | - xns 52 | - vpc 53 | - azv 54 | Description_EN: The name of the log event 55 | Sample: 56 | - SWG_ACTIVITY_LOG 57 | - FIREWALL_ACTIVITY_LOG 58 | - VPC_ACTIVITY_LOG 59 | DL_Type: string 60 | DL_CommonKey: 61 | DL_Searchable: true 62 | DL_Aggregable: true 63 | - Name: pname 64 | ProductCode: 65 | - sig 66 | - pdi 67 | - xns 68 | - vpc 69 | - azv 70 | Description_EN: The product name 71 | Sample: 72 | - Secure Web Gateway 73 | - XDR for Cloud - AWS VPC Flow Logs 74 | DL_Type: string 75 | DL_CommonKey: 76 | DL_Searchable: true 77 | DL_Aggregable: false 78 | - Name: spt 79 | ProductCode: 80 | - szn 81 | - vpc 82 | - azv 83 | Description_EN: The virtual port of the source assigned to the Secure Access 84 | Module (srcport) 85 | Sample: 86 | - 57763 87 | DL_Type: int 88 | DL_CommonKey: 89 | - Port 90 | DL_Searchable: true 91 | DL_Aggregable: true 92 | - Name: dpt 93 | ProductCode: 94 | - szn 95 | - vpc 96 | - azv 97 | Description_EN: The service destination port of the private application server 98 | (dstport) 99 | Sample: 100 | - 443 101 | DL_Type: int 102 | DL_CommonKey: 103 | - Port 104 | DL_Searchable: true 105 | DL_Aggregable: true 106 | - Name: start 107 | ProductCode: 108 | - vpc 109 | Description_EN: The time when the first data packet was received (in Unix 110 | seconds) 111 | Sample: 112 | - 1616729292 113 | DL_Type: real 114 | DL_CommonKey: 115 | DL_Searchable: false 116 | DL_Aggregable: false 117 | - Name: end 118 | ProductCode: 119 | - vpc 120 | Description_EN: The time when the last data packet was received (in Unix 121 | seconds) 122 | 
Sample: 123 | - 1616729349 124 | DL_Type: long 125 | DL_CommonKey: 126 | DL_Searchable: false 127 | DL_Aggregable: false 128 | - Name: eventId 129 | ProductCode: 130 | - xns 131 | - pdi 132 | - vpc 133 | - azv 134 | Description_EN: The event ID 135 | Sample: 136 | - '200139' 137 | - '200140' 138 | DL_Type: string 139 | DL_CommonKey: 140 | DL_Searchable: true 141 | DL_Aggregable: true 142 | - Name: vpcFlowLogsVersion 143 | ProductCode: 144 | - vpc 145 | - azv 146 | Description_EN: The VPC Flow Logs version (version) 147 | Sample: 148 | - 2 149 | - 3 150 | - 4 151 | - 5 152 | DL_Type: int 153 | DL_CommonKey: 154 | DL_Searchable: false 155 | DL_Aggregable: false 156 | - Name: packets 157 | ProductCode: 158 | - vpc 159 | Description_EN: The number of transmitted data packets 160 | Sample: 161 | - 14 162 | DL_Type: string 163 | DL_CommonKey: 164 | DL_Searchable: true 165 | DL_Aggregable: false 166 | - Name: bytes 167 | ProductCode: 168 | - vpc 169 | Description_EN: The number of transmitted data bytes 170 | Sample: 171 | - 15044 172 | DL_Type: string 173 | DL_CommonKey: 174 | DL_Searchable: true 175 | DL_Aggregable: false 176 | - Name: action 177 | ProductCode: 178 | - vpc 179 | Description_EN: The traffic processing action 180 | Sample: 181 | - ACCEPT 182 | - REJECT 183 | DL_Type: string 184 | DL_CommonKey: 185 | DL_Searchable: true 186 | DL_Aggregable: true 187 | - Name: logStatus 188 | ProductCode: 189 | - vpc 190 | Description_EN: The VPC Flow Log status 191 | Sample: 192 | - OK 193 | - NODATA 194 | - SKIPDATA 195 | DL_Type: string 196 | DL_CommonKey: 197 | DL_Searchable: true 198 | DL_Aggregable: false 199 | - Name: vpcId 200 | ProductCode: 201 | - vpc 202 | Description_EN: The VPC ID 203 | Sample: 204 | - vpc-01234567890abcdef 205 | DL_Type: string 206 | DL_CommonKey: 207 | DL_Searchable: true 208 | DL_Aggregable: true 209 | - Name: subnetId 210 | ProductCode: 211 | - vpc 212 | Description_EN: The subnet ID 213 | Sample: 214 | - subnet-01234567890abcdef 215 | 
DL_Type: string 216 | DL_CommonKey: 217 | DL_Searchable: true 218 | DL_Aggregable: true 219 | - Name: instanceId 220 | ProductCode: 221 | - vpc 222 | Description_EN: The instance ID 223 | Sample: 224 | - i-01234567890abcdef 225 | DL_Type: string 226 | DL_CommonKey: 227 | DL_Searchable: true 228 | DL_Aggregable: true 229 | - Name: tcpFlags 230 | ProductCode: 231 | - vpc 232 | Description_EN: The bitmask value of the FIN/SYN/RST/SYN-ACK TCP flags 233 | Sample: 234 | - 1 235 | - 2 236 | - 4 237 | - 18 238 | DL_Type: int 239 | DL_CommonKey: 240 | DL_Searchable: true 241 | DL_Aggregable: false 242 | - Name: flowType 243 | ProductCode: 244 | - vpc 245 | Description_EN: The type of traffic (type) 246 | Sample: 247 | - IPv4 248 | - IPv6 249 | - EFA 250 | DL_Type: string 251 | DL_CommonKey: 252 | DL_Searchable: true 253 | DL_Aggregable: false 254 | - Name: pktSrcAddr 255 | ProductCode: 256 | - vpc 257 | Description_EN: The packet level source IP 258 | Sample: 259 | - 10.10.10.10 260 | DL_Type: string 261 | DL_CommonKey: 262 | - IPv4 263 | - IPv6 264 | DL_Searchable: true 265 | DL_Aggregable: false 266 | - Name: pktDstAddr 267 | ProductCode: 268 | - vpc 269 | Description_EN: The packet level destination IP 270 | Sample: 271 | - 10.10.10.10 272 | DL_Type: string 273 | DL_CommonKey: 274 | - IPv4 275 | - IPv6 276 | DL_Searchable: true 277 | DL_Aggregable: false 278 | - Name: azId 279 | ProductCode: 280 | - vpc 281 | Description_EN: The Availability Zone ID 282 | Sample: 283 | - apse2-az3 284 | DL_Type: string 285 | DL_CommonKey: 286 | DL_Searchable: true 287 | DL_Aggregable: false 288 | - Name: subLocationType 289 | ProductCode: 290 | - vpc 291 | Description_EN: The sublocation type 292 | Sample: 293 | - wavelength 294 | - outpost 295 | - localzone 296 | DL_Type: string 297 | DL_CommonKey: 298 | DL_Searchable: true 299 | DL_Aggregable: false 300 | - Name: subLocationId 301 | ProductCode: 302 | - vpc 303 | Description_EN: The sublocation ID 304 | Sample: 305 | - 
lz-0abcd123efg4567h 306 | - op-0abcd123efg4567h 307 | - wz-0abcd123efg4567h 308 | DL_Type: string 309 | DL_CommonKey: 310 | DL_Searchable: true 311 | DL_Aggregable: false 312 | - Name: pktSrcCloudServiceName 313 | ProductCode: 314 | - vpc 315 | Description_EN: The subset IP address range name for cloud service source IP 316 | (pkt-src-aws-service) 317 | Sample: 318 | - AMAZON 319 | - EC2 320 | - ROUTE53 321 | DL_Type: string 322 | DL_CommonKey: 323 | DL_Searchable: true 324 | DL_Aggregable: false 325 | - Name: pktDstCloudServiceName 326 | ProductCode: 327 | - vpc 328 | Description_EN: The subset IP address range name for cloud service destination 329 | IP (pkt-dst-aws-service) 330 | Sample: 331 | - AMAZON 332 | - EC2 333 | - ROUTE53 334 | DL_Type: string 335 | DL_CommonKey: 336 | DL_Searchable: true 337 | DL_Aggregable: false 338 | - Name: flowDirection 339 | ProductCode: 340 | - vpc 341 | - azv 342 | Description_EN: The network interface traffic direction 343 | Sample: 344 | - ingress 345 | - egress 346 | - I 347 | - O 348 | DL_Type: string 349 | DL_CommonKey: 350 | DL_Searchable: true 351 | DL_Aggregable: false 352 | - Name: trafficPath 353 | ProductCode: 354 | - vpc 355 | Description_EN: The egress traffic path number 356 | Sample: 357 | - 1 358 | - 2 359 | - 8 360 | DL_Type: int 361 | DL_CommonKey: 362 | DL_Searchable: true 363 | DL_Aggregable: false 364 | -------------------------------------------------------------------------------- /doc_v2/Others/TXOne EdgeOne.yaml: -------------------------------------------------------------------------------- 1 | - Name: hostName 2 | ProductCode: 3 | - pdi 4 | - xns 5 | - sds 6 | - pds 7 | - ptn 8 | Description_EN: The computer name of the client host (The hostname from the 9 | suspicious URL detected by Deep Discovery Inspector) 10 | Sample: 11 | - Let's Encrypt 12 | - 10.10.10.10 13 | DL_Type: string 14 | DL_CommonKey: 15 | - DomainName 16 | - HostDomain 17 | DL_Searchable: true 18 | DL_Aggregable: true 19 | - Name: 
src 20 | ProductCode: 21 | - pdi 22 | - xns 23 | - sao 24 | - sds 25 | - ptp 26 | - pds 27 | - stp 28 | - xes 29 | - sig 30 | - ptn 31 | - szn 32 | - scs 33 | - mns 34 | Description_EN: The source IP 35 | Sample: 36 | - 10.10.10.10 37 | DL_Type: dynamic 38 | DL_CommonKey: 39 | - IPv4 40 | - IPv6 41 | DL_Searchable: true 42 | DL_Aggregable: true 43 | - Name: dst 44 | ProductCode: 45 | - pdi 46 | - xns 47 | - sao 48 | - sds 49 | - ptp 50 | - pds 51 | - stp 52 | - xes 53 | - sig 54 | - ptn 55 | - szn 56 | - scs 57 | - mns 58 | Description_EN: The destination IP 59 | Sample: 60 | - 10.10.10.10 61 | DL_Type: dynamic 62 | DL_CommonKey: 63 | - IPv4 64 | - IPv6 65 | DL_Searchable: true 66 | DL_Aggregable: true 67 | - Name: interestedIp 68 | ProductCode: 69 | - sds 70 | - pdi 71 | - xns 72 | - pds 73 | - sao 74 | - ptp 75 | - stp 76 | - ptn 77 | Description_EN: The IP of the interestedHost 78 | Sample: 79 | - 10.10.10.10 80 | DL_Type: dynamic 81 | DL_CommonKey: 82 | - IPv4 83 | - IPv6 84 | DL_Searchable: true 85 | DL_Aggregable: false 86 | - Name: endpointIp 87 | ProductCode: 88 | - sds 89 | - pds 90 | - sao 91 | - ptp 92 | - stp 93 | - ptn 94 | - sss 95 | - ddr 96 | Description_EN: The IP address of the endpoint on which the event was detected 97 | Sample: 98 | - 10.10.10.10 99 | DL_Type: dynamic 100 | DL_CommonKey: 101 | - IPv4 102 | - IPv6 103 | DL_Searchable: true 104 | DL_Aggregable: true 105 | - Name: dpt 106 | ProductCode: 107 | - pdi 108 | - xns 109 | - sao 110 | - sds 111 | - ptp 112 | - pds 113 | - stp 114 | - xes 115 | - ptn 116 | - szn 117 | - scs 118 | - mns 119 | Description_EN: The destination port 120 | Sample: 121 | - 0 122 | - 445 123 | - 80 124 | DL_Type: int 125 | DL_CommonKey: 126 | - Port 127 | DL_Searchable: true 128 | DL_Aggregable: true 129 | - Name: spt 130 | ProductCode: 131 | - pdi 132 | - xns 133 | - sao 134 | - sds 135 | - ptp 136 | - pds 137 | - stp 138 | - xes 139 | - ptn 140 | - szn 141 | - scs 142 | - mns 143 | Description_EN: The source 
port 144 | Sample: 145 | - 53 146 | - 0 147 | - 7680 148 | DL_Type: int 149 | DL_CommonKey: 150 | - Port 151 | DL_Searchable: true 152 | DL_Aggregable: true 153 | - Name: eventName 154 | ProductCode: 155 | - sds 156 | - pdi 157 | - xns 158 | - sao 159 | - pds 160 | - ptp 161 | - sca 162 | - sem 163 | - xes 164 | - stp 165 | - sig 166 | - ptn 167 | - szn 168 | - pts 169 | - xms 170 | - sfs 171 | - sfc 172 | - sss 173 | - ams 174 | - mns 175 | - ddr 176 | Description_EN: The event type 177 | Sample: 178 | - LOG_INSPECTION_EVENT 179 | - SECURITY_RISK_DETECTION 180 | - WEB_THREAT_DETECTION 181 | - LOG_INSPECTION_EVENT 182 | - MALWARE_DETECTION 183 | - PROCESS_ACTIVITY 184 | - WEB_POLICY_VIOLATION 185 | - DEEP_PACKET_INSPECTION_EVENT 186 | - INTEGRITY_MONITORING_EVENT 187 | - DISRUPTIVE_APPLICATION_DETECTION 188 | - PRODUCT_SUMMARY 189 | - PRODUCT_UPDATE 190 | - BEHAVIORAL_VIOLATION 191 | - FIREWALL_POLICY_VIOLATION 192 | - SUSPICIOUS_BEHAVIOUR_DETECTION 193 | - DENYLIST_CHANGE 194 | - MACHINE_LEARNING_DETECTION 195 | - DLP_VIOLATION 196 | - MALWARE_OUTBREAK_DETECTION 197 | - SENSITIVE_DATA_DETECTION 198 | DL_Type: string 199 | DL_CommonKey: 200 | DL_Searchable: true 201 | DL_Aggregable: true 202 | - Name: remarks 203 | ProductCode: 204 | - sds 205 | - pdi 206 | - xns 207 | - pds 208 | - sca 209 | - sao 210 | - sem 211 | - stp 212 | - ptn 213 | - xms 214 | - sfs 215 | - sss 216 | - sig 217 | Description_EN: The additional information 218 | Sample: 219 | - 'warning: fork: Resource temporarily unavailable' 220 | - 'pam_unix(cron:session): session opened for user root by (uid=0)' 221 | - "WinEvtLog: Application: AUDIT_FAILURE(18470): MSSQL$SA: (no user): no domain: 222 | EXAMPLE.com: Login failed for user 'example_user'. Reason: The account is disabled. 
223 | [CLIENT: 10.10.10.10] " 224 | DL_Type: string 225 | DL_CommonKey: 226 | DL_Searchable: true 227 | DL_Aggregable: false 228 | - Name: act 229 | ProductCode: 230 | - scs 231 | - pdi 232 | - xns 233 | - sao 234 | - sds 235 | - sca 236 | - ptp 237 | - xes 238 | - sws 239 | - sem 240 | - pds 241 | - stp 242 | - sig 243 | - ptn 244 | - szn 245 | - xms 246 | - ams 247 | - mns 248 | - sss 249 | Description_EN: The actions taken to mitigate the event 250 | Sample: 251 | - log 252 | - isolate 253 | - terminate 254 | - not blocked 255 | - Block 256 | - No action 257 | - Reset 258 | - Pass 259 | - User Decision 260 | DL_Type: dynamic 261 | DL_CommonKey: 262 | DL_Searchable: true 263 | DL_Aggregable: true 264 | - Name: policyName 265 | ProductCode: 266 | - sao 267 | - sca 268 | - sws 269 | - sem 270 | - sig 271 | - ptn 272 | - scs 273 | - mns 274 | Description_EN: The name of the triggered policy 275 | Sample: 276 | - Steelcase 277 | - Cabot 278 | - Tigre - Medium Policy 279 | - apiPostedPolicy 280 | DL_Type: string 281 | DL_CommonKey: 282 | DL_Searchable: true 283 | DL_Aggregable: false 284 | - Name: majorVirusType 285 | ProductCode: 286 | - pds 287 | - sds 288 | - ams 289 | - ptn 290 | - pts 291 | - sfc 292 | Description_EN: The virus type 293 | Sample: 294 | - Virus 295 | - Suspicious Activity 296 | - Trojan 297 | - TROJ 298 | DL_Type: string 299 | DL_CommonKey: 300 | DL_Searchable: true 301 | DL_Aggregable: false 302 | - Name: cnt 303 | ProductCode: 304 | - pdi 305 | - xns 306 | - ptn 307 | - mns 308 | Description_EN: The total number of logs 309 | Sample: 310 | - '1' 311 | - '2' 312 | - '3' 313 | DL_Type: string 314 | DL_CommonKey: 315 | DL_Searchable: true 316 | DL_Aggregable: false 317 | - Name: direction 318 | ProductCode: 319 | - sao 320 | - ptn 321 | Description_EN: The direction 322 | Sample: 323 | - Incoming 324 | - Outgoing 325 | - Unknown 326 | DL_Type: string 327 | DL_CommonKey: 328 | DL_Searchable: true 329 | DL_Aggregable: false 330 | - Name: dmac 331 | 
ProductCode: 332 | - pdi 333 | - xns 334 | - sao 335 | - sds 336 | - pds 337 | - ptn 338 | Description_EN: The MAC address of the destination IP (dest_ip) 339 | Sample: 340 | - 00:00:00:00:00:00 341 | - ff:ff:ff:ff:ff:ff 342 | DL_Type: string 343 | DL_CommonKey: 344 | DL_Searchable: true 345 | DL_Aggregable: false 346 | - Name: endpointMacAddress 347 | ProductCode: 348 | - sao 349 | - ptn 350 | - pts 351 | Description_EN: The MAC address of the endpoint 352 | Sample: 353 | - 00:00:00:00:00:00 354 | - ff:ff:ff:ff:ff:ff 355 | DL_Type: string 356 | DL_CommonKey: 357 | DL_Searchable: true 358 | DL_Aggregable: false 359 | - Name: filterName 360 | ProductCode: 361 | - sca 362 | - sem 363 | - sao 364 | - ptn 365 | Description_EN: The filter name 366 | Sample: 367 | - ConnectionFilter 368 | - Virtual Analyzer 369 | - Data Loss Prevention 370 | DL_Type: string 371 | DL_CommonKey: 372 | DL_Searchable: true 373 | DL_Aggregable: false 374 | - Name: filterType 375 | ProductCode: 376 | - sao 377 | - ptn 378 | Description_EN: The filter type 379 | Sample: 380 | - Spam filter 381 | - Size filter 382 | DL_Type: string 383 | DL_CommonKey: 384 | DL_Searchable: true 385 | DL_Aggregable: false 386 | - Name: interestedMacAddress 387 | ProductCode: 388 | - sao 389 | - pdi 390 | - xns 391 | - ptn 392 | Description_EN: The MAC address identified as the log owner's 393 | Sample: 394 | - 00:00:00:00:00:00 395 | - ff:ff:ff:ff:ff:ff 396 | DL_Type: string 397 | DL_CommonKey: 398 | DL_Searchable: true 399 | DL_Aggregable: false 400 | - Name: proto 401 | ProductCode: 402 | - sds 403 | - pds 404 | - ptn 405 | - scs 406 | - mns 407 | - sao 408 | Description_EN: The network protocol of the exploited layer 409 | Sample: 410 | - '6' 411 | - TCP 412 | - '17' 413 | DL_Type: string 414 | DL_CommonKey: 415 | DL_Searchable: true 416 | DL_Aggregable: false 417 | - Name: smac 418 | ProductCode: 419 | - pdi 420 | - xns 421 | - sao 422 | - sds 423 | - pds 424 | - ptn 425 | Description_EN: The source MAC address 426 | 
Sample: 427 | - 00:11:22:33:44:55 428 | - 66:77:88:99:AA:BB 429 | - CC:DD:EE:FF:00:11 430 | DL_Type: string 431 | DL_CommonKey: 432 | DL_Searchable: true 433 | DL_Aggregable: false 434 | - Name: vLANId 435 | ProductCode: 436 | - pdi 437 | - xns 438 | - ptn 439 | - mns 440 | - ptp 441 | Description_EN: The virtual LAN ID 442 | Sample: [] 443 | DL_Type: int 444 | DL_CommonKey: 445 | DL_Searchable: false 446 | DL_Aggregable: false 447 | - Name: ruleId64 448 | ProductCode: 449 | - ptn 450 | - mns 451 | Description_EN: The IPS rule ID 452 | Sample: 453 | - '1134268' 454 | - '4026531849' 455 | - '4026531852' 456 | DL_Type: long 457 | DL_CommonKey: 458 | DL_Searchable: true 459 | DL_Aggregable: false 460 | -------------------------------------------------------------------------------- /doc_v2/Cloud/File Security Storage.yaml: -------------------------------------------------------------------------------- 1 | - Name: fileName 2 | ProductCode: 3 | - sds 4 | - pdi 5 | - xns 6 | - sao 7 | - pds 8 | - sig 9 | - pts 10 | - sfs 11 | - sfc 12 | - sss 13 | Description_EN: The file name 14 | Sample: 15 | - spoolss 16 | - hosts 17 | - svcrestarttask 18 | DL_Type: dynamic 19 | DL_CommonKey: 20 | - FileName 21 | DL_Searchable: true 22 | DL_Aggregable: true 23 | - Name: compressedFileName 24 | ProductCode: 25 | - pdi 26 | - xns 27 | - sao 28 | - sfs 29 | - sfc 30 | - sds 31 | - sss 32 | - scs 33 | Description_EN: The file name of the compressed file 34 | Sample: 35 | - /proc/32058/fd/150 36 | - NONAMEFL 37 | - /proc/10006/fd/30 38 | - VirusActionSample/RPF2_OtherMalwareSample-other.exe 39 | DL_Type: string 40 | DL_CommonKey: 41 | - FileName 42 | DL_Searchable: true 43 | DL_Aggregable: false 44 | - Name: filePath 45 | ProductCode: 46 | - sds 47 | - pds 48 | - sao 49 | - pdi 50 | - xns 51 | - pts 52 | - sfs 53 | - sfc 54 | Description_EN: The file path without the file name 55 | Sample: 56 | - security 57 | - /var/log/audit/audit.log 58 | - application 59 | DL_Type: string 60 | 
DL_CommonKey: 61 | - FileFullPath 62 | DL_Searchable: true 63 | DL_Aggregable: true 64 | - Name: fileHash 65 | ProductCode: 66 | - sds 67 | - pdi 68 | - xns 69 | - pds 70 | - sao 71 | - sig 72 | - sfs 73 | - sfc 74 | - sss 75 | - ddr 76 | Description_EN: The SHA-1 of the file that triggered the rule or policy 77 | Sample: 78 | - DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 79 | - 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F 80 | - 3AD1F4E7CAA11E5199EE80B8983677ADDD065450 81 | DL_Type: string 82 | DL_CommonKey: 83 | - FileSHA1 84 | DL_Searchable: true 85 | DL_Aggregable: true 86 | - Name: compressedFileHash 87 | ProductCode: 88 | - pdi 89 | - xns 90 | - sfs 91 | - sfc 92 | - sds 93 | - sao 94 | - sss 95 | Description_EN: The SHA-1 of the decompressed archive 96 | Sample: 97 | - 6E2ECB34B7798E179CC704111FB9733FBAAD5ACA 98 | - FA71B59F35F0EE44D27F74917EF5A0DA2797E80B 99 | - 14D2302172EB81465CE12E01361AE24CDE170F7B 100 | DL_Type: string 101 | DL_CommonKey: 102 | - FileSHA1 103 | DL_Searchable: true 104 | DL_Aggregable: false 105 | - Name: fileHashSha256 106 | ProductCode: 107 | - pdi 108 | - xns 109 | - sao 110 | - sig 111 | - sds 112 | - sfs 113 | - sfc 114 | - sss 115 | - scs 116 | Description_EN: The SHA-256 of the file (fileName) 117 | Sample: 118 | - 6A6EB2D717CEA041B4444193B45EDFB6CA1287518203B7230B3C4B8FFB031EAB 119 | - BFF703FF836196644586014DA13A097C2EE9A08E4D596DFB7C8E0F685FE01294 120 | - 12327F460AC9CBBC34D39EB3CF89C7FECCA37F08773A04566840F73F6ECC4104 121 | DL_Type: string 122 | DL_CommonKey: 123 | - FileSHA2 124 | DL_Searchable: true 125 | DL_Aggregable: false 126 | - Name: compressedFileHashSha256 127 | ProductCode: 128 | - pdi 129 | - xns 130 | - sfs 131 | - sfc 132 | - sds 133 | - sao 134 | - sss 135 | Description_EN: The SHA-256 of the compressed suspicious file 136 | Sample: 137 | - 60C7C5924DD09F7C6B150120FB92DCEE00AE82DB75C7402FA4D9152CF487A94F 138 | - 482FFC4F87B78C3C7073983CF65B593D9F13F0A3D6DC54B4A3F616F79838F3CE 139 | - 
68C0126D9B4B0FC32DE181D0D67DA8FE82E23745F6023317D5E053B6F6ED26CF 140 | DL_Type: string 141 | DL_CommonKey: 142 | - FileSHA2 143 | DL_Searchable: true 144 | DL_Aggregable: false 145 | - Name: malName 146 | ProductCode: 147 | - sao 148 | - sds 149 | - pdi 150 | - xns 151 | - pds 152 | - sws 153 | - pts 154 | - xms 155 | - sfs 156 | - sfc 157 | - sss 158 | - scs 159 | Description_EN: The name of the detected malware 160 | Sample: 161 | - SecurityLevelDrop 162 | - Regla Logs All 163 | - USR_SUSPICIOUS_DOMAIN.UMXX 164 | DL_Type: string 165 | DL_CommonKey: 166 | DL_Searchable: true 167 | DL_Aggregable: false 168 | - Name: eventName 169 | ProductCode: 170 | - sds 171 | - pdi 172 | - xns 173 | - sao 174 | - pds 175 | - ptp 176 | - sca 177 | - sem 178 | - xes 179 | - stp 180 | - sig 181 | - ptn 182 | - szn 183 | - pts 184 | - xms 185 | - sfs 186 | - sfc 187 | - sss 188 | - ams 189 | - mns 190 | - ddr 191 | Description_EN: The event type 192 | Sample: 193 | - LOG_INSPECTION_EVENT 194 | - SECURITY_RISK_DETECTION 195 | - WEB_THREAT_DETECTION 196 | - LOG_INSPECTION_EVENT 197 | - MALWARE_DETECTION 198 | - PROCESS_ACTIVITY 199 | - WEB_POLICY_VIOLATION 200 | - DEEP_PACKET_INSPECTION_EVENT 201 | - INTEGRITY_MONITORING_EVENT 202 | - DISRUPTIVE_APPLICATION_DETECTION 203 | - PRODUCT_SUMMARY 204 | - PRODUCT_UPDATE 205 | - BEHAVIORAL_VIOLATION 206 | - FIREWALL_POLICY_VIOLATION 207 | - SUSPICIOUS_BEHAVIOUR_DETECTION 208 | - DENYLIST_CHANGE 209 | - MACHINE_LEARNING_DETECTION 210 | - DLP_VIOLATION 211 | - MALWARE_OUTBREAK_DETECTION 212 | - SENSITIVE_DATA_DETECTION 213 | DL_Type: string 214 | DL_CommonKey: 215 | DL_Searchable: true 216 | DL_Aggregable: true 217 | - Name: fullPath 218 | ProductCode: 219 | - sds 220 | - sao 221 | - pdi 222 | - xns 223 | - pds 224 | - pts 225 | - sfs 226 | - sfc 227 | - sss 228 | - scs 229 | Description_EN: The combination of the file path and the file name 230 | Sample: 231 | - \etc\hosts 232 | - 
c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask 233 | - \var\log\auth.log 234 | DL_Type: string 235 | DL_CommonKey: 236 | - FileFullPath 237 | DL_Searchable: true 238 | DL_Aggregable: false 239 | - Name: majorVirusType 240 | ProductCode: 241 | - pds 242 | - sds 243 | - ams 244 | - ptn 245 | - pts 246 | - sfc 247 | Description_EN: The virus type 248 | Sample: 249 | - Virus 250 | - Suspicious Activity 251 | - Trojan 252 | - TROJ 253 | DL_Type: string 254 | DL_CommonKey: 255 | DL_Searchable: true 256 | DL_Aggregable: false 257 | - Name: cloudProvider 258 | ProductCode: 259 | - sds 260 | - sfc 261 | - sss 262 | Description_EN: The service provider of the cloud asset 263 | Sample: 264 | - alibaba cloud 265 | - aws 266 | - azure 267 | - gcp 268 | - oci 269 | DL_Type: string 270 | DL_CommonKey: 271 | DL_Searchable: true 272 | DL_Aggregable: false 273 | - Name: compressedFileSize 274 | ProductCode: 275 | - pdi 276 | - xns 277 | - sfs 278 | - sfc 279 | Description_EN: The file size of the decompressed archive file 280 | Sample: 281 | - '0' 282 | - '265314' 283 | - '175864' 284 | DL_Type: string 285 | DL_CommonKey: 286 | DL_Searchable: true 287 | DL_Aggregable: false 288 | - Name: compressedFileType 289 | ProductCode: 290 | - pdi 291 | - xns 292 | - sfs 293 | - sfc 294 | - sss 295 | Description_EN: The file type of the decompressed archive file 296 | Sample: 297 | - EXE 298 | - JAVA 299 | - PDF 300 | DL_Type: string 301 | DL_CommonKey: 302 | DL_Searchable: true 303 | DL_Aggregable: false 304 | - Name: eventId 305 | ProductCode: 306 | - sds 307 | - pdi 308 | - xns 309 | - sao 310 | - pds 311 | - sca 312 | - xes 313 | - sem 314 | - pts 315 | - scs 316 | - xms 317 | - sfs 318 | - sfc 319 | - sss 320 | - ams 321 | - mns 322 | - ddr 323 | Description_EN: The event ID from the logs of each product 324 | Sample: 325 | - 100100 326 | - 100101 327 | - 100116 328 | - 100117 329 | - 100119 330 | DL_Type: string 331 | DL_CommonKey: 332 | 
DL_Searchable: true 333 | DL_Aggregable: true 334 | - Name: fileSize 335 | ProductCode: 336 | - pdi 337 | - xns 338 | - sig 339 | - sao 340 | - sfs 341 | - sfc 342 | - sss 343 | Description_EN: The file size of the suspicious file 344 | Sample: 345 | - '0' 346 | - '1255856' 347 | - '1237880' 348 | DL_Type: string 349 | DL_CommonKey: 350 | DL_Searchable: true 351 | DL_Aggregable: false 352 | - Name: fileType 353 | ProductCode: 354 | - pdi 355 | - xns 356 | - sig 357 | - sfs 358 | - sfc 359 | - sss 360 | - scs 361 | Description_EN: The file type of the suspicious file 362 | Sample: 363 | - EXE 364 | - LNK 365 | - MIME 366 | DL_Type: string 367 | DL_CommonKey: 368 | DL_Searchable: true 369 | DL_Aggregable: false 370 | - Name: pver 371 | ProductCode: 372 | - sds 373 | - pdi 374 | - xns 375 | - pds 376 | - sao 377 | - ptp 378 | - stp 379 | - sig 380 | - ams 381 | - scs 382 | - sfs 383 | - sfc 384 | - sss 385 | Description_EN: The product version 386 | Sample: 387 | - 20.0.0.4726 388 | - 20.0.0.4416 389 | - 6.2.1125 390 | DL_Type: string 391 | DL_CommonKey: 392 | DL_Searchable: true 393 | DL_Aggregable: false 394 | - Name: cloudStorageName 395 | ProductCode: 396 | - sfc 397 | Description_EN: The cloud storage name 398 | Sample: 399 | - my-bucket 400 | DL_Type: string 401 | DL_CommonKey: 402 | DL_Searchable: true 403 | DL_Aggregable: true 404 | - Name: cloudAccountId 405 | ProductCode: 406 | - sfc 407 | - sss 408 | Description_EN: The AWS cloud account ID, Google Cloud project ID, or Azure 409 | subscription ID 410 | Sample: 411 | - '123456789012' 412 | - 00000000-0000-0000-0000-000000000000 413 | - ocid1.compartment.oc1..aaaaaaaa54yuau7prqquu3gqs4jcjzvz2yf7vwlqnkqlixq5tcjsdezqmyua 414 | DL_Type: string 415 | DL_CommonKey: 416 | DL_Searchable: true 417 | DL_Aggregable: true 418 | - Name: regionCode 419 | ProductCode: 420 | - sfc 421 | - sss 422 | Description_EN: The cloud provider region code 423 | Sample: 424 | - us-east-1 425 | DL_Type: string 426 | DL_CommonKey: 427 | 
DL_Searchable: true 428 | DL_Aggregable: false 429 | - Name: awsResourceArn 430 | ProductCode: 431 | - sfc 432 | Description_EN: The Amazon Resource Name 433 | Sample: 434 | - arn:aws:s3:::bucket-name/object-key 435 | - arn:aws:s3:::user-bucket-name/file-name 436 | - arn:aws:s3:::bucket-name/folder-name/file-name 437 | DL_Type: string 438 | DL_CommonKey: 439 | DL_Searchable: false 440 | DL_Aggregable: false 441 | -------------------------------------------------------------------------------- /doc/Cloud Activity Data.yaml: -------------------------------------------------------------------------------- 1 | - Name: uuid 2 | ProductCode: 3 | - ALL 4 | Description_EN: The unique key of the log 5 | Sample: 6 | - 11111111-1111-1111-1111-111111111111 7 | DL_Type: string 8 | DL_CommonKey: 9 | DL_Searchable: true 10 | DL_Aggregable: false 11 | - Name: logReceivedTime 12 | ProductCode: 13 | - ALL 14 | Description_EN: The time when the XDR log was received 15 | Sample: 16 | - 1656324260000 17 | DL_Type: long 18 | DL_CommonKey: 19 | DL_Searchable: true 20 | DL_Aggregable: false 21 | - Name: productCode 22 | ProductCode: 23 | - ALL 24 | Description_EN: The internal product code 25 | Sample: 26 | - sct 27 | DL_Type: string 28 | DL_CommonKey: 29 | DL_Searchable: true 30 | DL_Aggregable: true 31 | - Name: tags 32 | ProductCode: 33 | - ALL 34 | Description_EN: The detected technique ID based on the alert filter 35 | Sample: 36 | - MITREV9.T1090 37 | - MITRE.T1059 38 | - MITREV9.T1059.001 39 | DL_Type: dynamic 40 | DL_CommonKey: 41 | DL_Searchable: true 42 | DL_Aggregable: true 43 | - Name: filterRiskLevel 44 | ProductCode: 45 | - ALL 46 | Description_EN: The top-level risk level of the event 47 | Sample: 48 | - info 49 | - low 50 | - medium 51 | DL_Type: string 52 | DL_CommonKey: 53 | DL_Searchable: true 54 | DL_Aggregable: true 55 | - Name: policyTreePath 56 | ProductCode: 57 | - ALL 58 | Description_EN: The policy tree path (endpoint only) 59 | Sample: 60 | - 
policyname1/policyname2/policyname3 61 | DL_Type: string 62 | DL_Searchable: true 63 | - Name: eventCase 64 | ProductCode: 65 | - ALL 66 | Description_EN: The AWS service that the request was made to 67 | Sample: 68 | - workspaces.amazonaws.com 69 | - sts.amazonaws.com 70 | - kms.amazonaws.com 71 | DL_Type: string 72 | DL_CommonKey: 73 | DL_Searchable: true 74 | DL_Aggregable: false 75 | - Name: eventSubId 76 | ProductCode: 77 | - ALL 78 | Description_EN: The access type 79 | Sample: 80 | - PutObject 81 | - GetObject 82 | - DescribeTable 83 | DL_Type: string 84 | DL_CommonKey: 85 | DL_Searchable: true 86 | DL_Aggregable: false 87 | - Name: eventID 88 | ProductCode: 89 | - sct 90 | Description_EN: GUID generated by AWS CloudTrail to identify events 91 | Sample: 92 | - 11111111-1111-1111-1111-111111111111 93 | DL_Type: string 94 | DL_CommonKey: 95 | DL_Searchable: true 96 | DL_Aggregable: false 97 | - Name: eventName 98 | ProductCode: 99 | - sct 100 | Description_EN: The name of the log event 101 | Sample: 102 | - PutObject 103 | - GetObject 104 | - DescribeTable 105 | DL_Type: string 106 | DL_CommonKey: 107 | DL_Searchable: true 108 | DL_Aggregable: true 109 | - Name: eventSource 110 | ProductCode: 111 | - sct 112 | Description_EN: The AWS service the request was made to 113 | Sample: 114 | - s3.amazonaws.com 115 | - dynamodb.amazonaws.com 116 | - xray.amazonaws.com 117 | DL_Type: string 118 | DL_CommonKey: 119 | DL_Searchable: true 120 | DL_Aggregable: true 121 | - Name: readOnly 122 | ProductCode: 123 | - sct 124 | Description_EN: Whether the operation is read-only 125 | Sample: 126 | - true 127 | - false 128 | DL_Type: bool 129 | DL_CommonKey: 130 | DL_Searchable: true 131 | DL_Aggregable: true 132 | - Name: requestParameters 133 | ProductCode: 134 | - sct 135 | Description_EN: The parameters, if any, that were sent with the request 136 | (Parameters are documented in the API reference docs for the appropriate AWS 137 | service) 138 | Sample: 139 | - 
'{"durationSeconds": 3600, "roleSessionName":"BackplaneAssumeRoleSession"}' 140 | DL_Type: dynamic 141 | DL_CommonKey: 142 | DL_Searchable: true 143 | DL_Aggregable: false 144 | - Name: resources 145 | ProductCode: 146 | - sct 147 | Description_EN: List of resources accessed in the event 148 | Sample: 149 | - '[{"type":"AWS::S3::Object","ARN":"arn:aws:s3:::your-bucket/file.txt"}]' 150 | DL_Type: dynamic 151 | DL_CommonKey: 152 | DL_Searchable: true 153 | DL_Aggregable: false 154 | - Name: responseElements 155 | ProductCode: 156 | - sct 157 | Description_EN: Response elements for actions that made changes (create, 158 | update, or delete actions) 159 | Sample: 160 | - '{"user":{"createDate":"Mar 24, 2014 9:11:59 PM","userName":"Bob","arn":"arn:aws:iam::123456789012:user/Bob","path":"/","userId":"EXAMPLEUSERID"}}' 161 | DL_Type: dynamic 162 | DL_CommonKey: 163 | DL_Searchable: true 164 | DL_Aggregable: false 165 | - Name: sourceIPAddress 166 | ProductCode: 167 | - sct 168 | Description_EN: IP address the request was made from (For actions that 169 | originate from the service console, the address reported is for the 170 | underlying customer resource, not the console web server. For services in 171 | AWS, only the DNS name is displayed.) 
172 | Sample: 173 | - 10.10.10.10 174 | - apigateway.amazonaws.com 175 | - config.amazonaws.com 176 | DL_Type: string 177 | DL_CommonKey: 178 | - IPv4 179 | - IPv6 180 | DL_Searchable: true 181 | DL_Aggregable: true 182 | - Name: userAgent 183 | ProductCode: 184 | - sct 185 | Description_EN: The user agent or the agent through which the request was made 186 | Sample: 187 | - signin.amazonaws.com 188 | - console.amazonaws.com 189 | - aws-cli/1.3.23 Python/2.7.6 Linux/2.6.18-164.el5 190 | DL_Type: string 191 | DL_CommonKey: 192 | - CLICommand 193 | DL_Searchable: true 194 | DL_Aggregable: false 195 | - Name: userIdentity 196 | ProductCode: 197 | - sct 198 | Description_EN: Information about the user that made a request 199 | Sample: 200 | - '{"type":"AWSService","invokedBy":"apigateway.amazonaws.com"}' 201 | - '{"type":"AWSService","invokedBy":"lambda.amazonaws.com"}' 202 | DL_Type: dynamic 203 | DL_CommonKey: 204 | DL_Searchable: true 205 | DL_Aggregable: false 206 | - Name: vpcEndpointId 207 | ProductCode: 208 | - sct 209 | Description_EN: VPC endpoint in which requests were made from a VPC to another 210 | AWS service (Such as Amazon S3) 211 | Sample: 212 | - vpce-00000000000000000 213 | DL_Type: string 214 | DL_CommonKey: 215 | DL_Searchable: true 216 | DL_Aggregable: true 217 | - Name: additionalEventData 218 | ProductCode: 219 | - sct 220 | Description_EN: The additional data about the event that was not part of the 221 | request 222 | Sample: 223 | - '{"SignatureVersion":"SigV4","CipherSuite":"ECDHE-RSA-AES128-GCM-SHA256"}' 224 | DL_Type: dynamic 225 | DL_CommonKey: 226 | DL_Searchable: true 227 | DL_Aggregable: false 228 | - Name: apiVersion 229 | ProductCode: 230 | - sct 231 | Description_EN: API version associated with the AwsApiCall eventType value 232 | Sample: 233 | - 2012-08-10 234 | DL_Type: string 235 | DL_CommonKey: 236 | DL_Searchable: true 237 | DL_Aggregable: false 238 | - Name: awsRegion 239 | ProductCode: 240 | - sct 241 | Description_EN: AWS 
region that the request was made to 242 | Sample: 243 | - us-east-1 244 | - us-east-2 245 | - us-west-1 246 | DL_Type: string 247 | DL_CommonKey: 248 | DL_Searchable: true 249 | DL_Aggregable: false 250 | - Name: errorCode 251 | ProductCode: 252 | - sct 253 | Description_EN: AWS service error code 254 | Sample: 255 | - ThrottlingException 256 | - InvalidParameterValueException 257 | - NoSuchLifecycleConfiguration 258 | DL_Type: string 259 | DL_CommonKey: 260 | DL_Searchable: true 261 | DL_Aggregable: false 262 | - Name: errorMessage 263 | ProductCode: 264 | - sct 265 | Description_EN: Description of the error 266 | Sample: 267 | - The specified bucket does not have a website configuration 268 | - An unknown error occurred 269 | - The lifecycle configuration does not exist 270 | DL_Type: string 271 | DL_CommonKey: 272 | DL_Searchable: true 273 | DL_Aggregable: false 274 | - Name: eventTime 275 | ProductCode: 276 | - sct 277 | Description_EN: The time the agent or product detected the event 278 | Sample: 279 | - 2022-07-06T22:28:06Z 280 | DL_Type: string 281 | DL_CommonKey: 282 | DL_Searchable: true 283 | DL_Aggregable: false 284 | - Name: eventCategory 285 | ProductCode: 286 | - sct 287 | Description_EN: Event category used in LookupEvents calls 288 | Sample: 289 | - Management 290 | - Data 291 | - Insight 292 | DL_Type: string 293 | DL_CommonKey: 294 | DL_Searchable: true 295 | DL_Aggregable: false 296 | - Name: eventType 297 | ProductCode: 298 | - sct 299 | Description_EN: Type of event that generated the event record 300 | Sample: 301 | - AwsApiCall 302 | - AwsServiceEvent 303 | - AwsConsoleAction 304 | DL_Type: string 305 | DL_CommonKey: 306 | DL_Searchable: true 307 | DL_Aggregable: false 308 | - Name: eventVersion 309 | ProductCode: 310 | - sct 311 | Description_EN: Version of the log event format 312 | Sample: 313 | - 1.08 314 | DL_Type: string 315 | DL_CommonKey: 316 | DL_Searchable: true 317 | DL_Aggregable: false 318 | - Name: recipientAccountId 319 | 
ProductCode: 320 | - sct 321 | Description_EN: Account ID that received the event 322 | Sample: 323 | - 123456789012 324 | DL_Type: string 325 | DL_CommonKey: 326 | DL_Searchable: true 327 | DL_Aggregable: false 328 | - Name: requestID 329 | ProductCode: 330 | - sct 331 | Description_EN: Value that identifies the request (The service being called 332 | generates this value) 333 | Sample: 334 | - 11111111-1111-1111-1111-111111111111 335 | DL_Type: string 336 | DL_CommonKey: 337 | DL_Searchable: true 338 | DL_Aggregable: false 339 | - Name: sharedEventID 340 | ProductCode: 341 | - sct 342 | Description_EN: GUID generated by AWS CloudTrail to uniquely identify 343 | CloudTrail events (From the same AWS action that is sent to different AWS 344 | accounts) 345 | Sample: 346 | - 11111111-1111-1111-1111-111111111111 347 | DL_Type: string 348 | DL_CommonKey: 349 | DL_Searchable: true 350 | DL_Aggregable: false 351 | - Name: serviceEventDetails 352 | ProductCode: 353 | - sct 354 | Description_EN: The service event (including what triggered the event and the 355 | result) 356 | Sample: 357 | - '{"lifecycleEventPolicy":{"policyVersion":1,"policyId":"11111111-1111-1111-1111-111111111111"}}' 358 | DL_Type: dynamic 359 | DL_CommonKey: 360 | DL_Searchable: true 361 | DL_Aggregable: false 362 | - Name: groupId 363 | ProductCode: 364 | - ALL 365 | Description_EN: The group ID for the management scope filter 366 | Sample: 367 | - 11111111-1111-1111-1111-111111111111 368 | DL_Type: string 369 | DL_CommonKey: 370 | DL_Searchable: true 371 | DL_Aggregable: false 372 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Preview 2 | - This document is still in preview and Trend Micro does not guarantee any backward compatibility. 3 | 4 | # Background 5 | - These documents provide Trend Vision One log schema details. 
6 | 7 | # Folder Structure 8 | - The folder structure is as follows: 9 | ``` 10 | . 11 | ├── README.md 12 | ├── doc (documentation by log type) 13 | │ ├── .yaml 14 | │ └── ... 15 | └── doc_v2 (documentation by layer and product) 16 | ├── 17 | │ ├── .yaml 18 | │ └── ... 19 | └── ... 20 | └── pages (for rendering in GitHub Pages) 21 | ├── 22 | │ ├── .md 23 | │ └── ... 24 | └── ... 25 | ``` 26 | 27 | # Pages 28 | 29 | You can access the rendered pages at: 30 | https://trendmicro.github.io/tm-v1-schema/pages/index 31 | 32 | # User scenario 33 | - Currently, these documents only support the following use cases: 34 | 1. Trend Vision One Search app general and advanced search 35 | 36 | 37 | # Property Description 38 | | Property | Description | 39 | |----------------|------------------------------------------------| 40 | | Name | The log field name | 41 | | ProductCode | The products that send data to this field | 42 | | Description_EN | The field description | 43 | | Sample | The sample values of the field | 44 | | DL_Searchable | Whether logs are searchable by this field | 45 | | DL_Type | The field data type | 46 | | DL_CommonKey | The corresponding field name in General Search | 47 | 48 | # ProductCode Mapping 49 | | Code | Product | 50 | |------|-----------------------------------------------------------| 51 | | ALL | All products | 52 | | aad | Microsoft Entra ID | 53 | | ams | Trend Vision One Mobile Security | 54 | | opa | Microsoft Active Directory | 55 | | pao | Trend Micro Apex One | 56 | | pdi | Trend Micro Deep Discovery Inspector | 57 | | pds | Trend Micro Deep Security | 58 | | ptn | TXOne EdgeOne (on-premises) | 59 | | ptp | TippingPoint Security Management System | 60 | | pts | TXOne Stellar (on-premises) | 61 | | qpf | Palo Alto Networks Next-Generation Firewalls | 62 | | sao | Trend Micro Apex One as a Service | 63 | | sca | Trend Micro Cloud App Security | 64 | | scs | Trend Cloud One - Container Security | 65 | | sct | Trend Cloud One - AWS 
CloudTrail | 66 | | sds | Trend Cloud One - Endpoint & Workload Security | 67 | | sem | Trend Micro Email Security | 68 | | sfc | Trend Cloud One – File Storage Security | 69 | | sfs | Trend Vision One File Security | 70 | | sig | Trend Vision One Zero Trust Secure Access Internet Access | 71 | | sna | XDR add-on: Deep Discovery Inspector | 72 | | sss | Trend Cloud One - Cloud Sentry | 73 | | stp | Trend Cloud One - Network Security | 74 | | sws | Trend Micro Web Security | 75 | | szn | Trend Vision One Zero Trust Secure Access Private Access | 76 | | vpc | XDR for Cloud - AWS VPC Flow Logs | 77 | | xca | Collaboration Sensor | 78 | | xes | XDR Endpoint Sensor | 79 | | xms | Email Sensor | 80 | | xns | Virtual Network Sensor | 81 | 82 | # EventId, EventSubId Mapping 83 | ## eventId 84 | | eventId | Event Type | 85 | |---------|----------------------------| 86 | | 1 | TELEMETRY_PROCESS | 87 | | 2 | TELEMETRY_FILE | 88 | | 3 | TELEMETRY_CONNECTION | 89 | | 4 | TELEMETRY_DNS | 90 | | 5 | TELEMETRY_REGISTRY | 91 | | 6 | TELEMETRY_ACCOUNT | 92 | | 7 | TELEMETRY_INTERNET | 93 | | 8 | TELEMETRY_MODIFIED_PROCESS | 94 | | 9 | TELEMETRY_WINDOWS_HOOK | 95 | | 10 | TELEMETRY_WINDOWS_EVENT | 96 | | 11 | TELEMETRY_AMSI | 97 | | 12 | TELEMETRY_WMI | 98 | | 13 | TELEMETRY_MEMORY | 99 | | 14 | TELEMETRY_BM | 100 | | 15 | TELEMETRY_APP | 101 | | 16 | TELEMETRY_SYSTEM_EVENT | 102 | | 17 | TELEMETRY_EVENT_PIPE | 103 | | 18 | TELEMETRY_MAC_SYS_LOG | 104 | | 19 | TELEMETRY_DDR | 105 | | 101 | TELEMETRY_ASSOCIATION | 106 | 107 | ## eventSubId 108 | | eventSubId | Event Sub-Type | 109 | |------------|------------------------------------------------| 110 | | 0 | TELEMETRY_NONE | 111 | | 1 | TELEMETRY_PROCESS_OPEN | 112 | | 2 | TELEMETRY_PROCESS_CREATE | 113 | | 3 | TELEMETRY_PROCESS_TERMINATE | 114 | | 4 | TELEMETRY_PROCESS_LOAD_IMAGE | 115 | | 5 | TELEMETRY_PROCESS_EXECUTE | 116 | | 6 | TELEMETRY_PROCESS_CONNECT | 117 | | 7 | TELEMETRY_PROCESS_TRACME | 118 | | 8 | 
TELEMETRY_PROCESS_LOAD_KERNEL_IMAGE | 119 | | 101 | TELEMETRY_FILE_CREATE | 120 | | 102 | TELEMETRY_FILE_OPEN | 121 | | 103 | TELEMETRY_FILE_DELETE | 122 | | 104 | TELEMETRY_FILE_SET_SECURITY | 123 | | 105 | TELEMETRY_FILE_COPY | 124 | | 106 | TELEMETRY_FILE_MOVE | 125 | | 107 | TELEMETRY_FILE_CLOSE | 126 | | 108 | TELEMETRY_FILE_MODIFY_TIMESTAMP | 127 | | 109 | TELEMETRY_FILE_MODIFY | 128 | | 110 | TELEMETRY_FILE_SET_ATTRIBUTES | 129 | | 111 | TELEMETRY_FILE_ENUMERATE | 130 | | 112 | TELEMETRY_FILE_SET_EXTENDED_ATTRIBUTE | 131 | | 113 | TELEMETRY_FILE_DELETE_EXTENDED_ATTRIBUTE | 132 | | 201 | TELEMETRY_CONNECTION_CONNECT | 133 | | 202 | TELEMETRY_CONNECTION_LISTEN | 134 | | 203 | TELEMETRY_CONNECTION_CONNECT_INBOUND | 135 | | 204 | TELEMETRY_CONNECTION_CONNECT_OUTBOUND | 136 | | 301 | TELEMETRY_DNS_QUERY | 137 | | 401 | TELEMETRY_REGISTRY_CREATE | 138 | | 402 | TELEMETRY_REGISTRY_SET | 139 | | 403 | TELEMETRY_REGISTRY_DELETE | 140 | | 404 | TELEMETRY_REGISTRY_RENAME | 141 | | 405 | TELEMETRY_REGISTRY_ENUMERATE | 142 | | 406 | TELEMETRY_REGISTRY_ENUMERATEVALUE | 143 | | 407 | TELEMETRY_REGISTRY_QUERYVALUE | 144 | | 408 | TELEMETRY_REGISTRY_SAVE | 145 | | 501 | TELEMETRY_ACCOUNT_ADD | 146 | | 502 | TELEMETRY_ACCOUNT_DELETE | 147 | | 503 | TELEMETRY_ACCOUNT_IMPERSONATE | 148 | | 504 | TELEMETRY_ACCOUNT_MODIFY | 149 | | 505 | TELEMETRY_ACCOUNT_LOGIN | 150 | | 506 | TELEMETRY_ACCOUNT_LOGOUT | 151 | | 601 | TELEMETRY_INTERNET_OPEN | 152 | | 602 | TELEMETRY_INTERNET_CONNECT | 153 | | 603 | TELEMETRY_INTERNET_DOWNLOAD | 154 | | 701 | TELEMETRY_MODIFIED_PROCESS_CREATE_REMOTETHREAD | 155 | | 702 | TELEMETRY_MODIFIED_PROCESS_WRITE_MEMORY | 156 | | 703 | TELEMETRY_MODIFIED_PROCESS_WRITE_PROCESS | 157 | | 704 | TELEMETRY_MODIFIED_PROCESS_READ_PROCESS | 158 | | 705 | TELEMETRY_MODIFIED_PROCESS_WRITE_PROCESS_NAME | 159 | | 801 | TELEMETRY_WINDOWS_HOOK_SET | 160 | | 901 | TELEMETRY_AMSI_EXECUTE | 161 | | 1001 | TELEMETRY_MEMORY_MODIFY | 162 | | 1002 | 
TELEMETRY_MEMORY_MODIFY_PERMISSION | 163 | | 1003 | TELEMETRY_MEMORY_READ | 164 | | 1101 | TELEMETRY_BM_INVOKE | 165 | | 1102 | TELEMETRY_BM_INVOKE_API | 166 | | 1201 | TELEMETRY_APP_START | 167 | | 1202 | TELEMETRY_APP_STOP | 168 | | 1203 | TELEMETRY_APP_INSTALL | 169 | | 1204 | TELEMETRY_APP_UNINSTALL | 170 | | 1205 | TELEMETRY_APP_BEHAVIOR | 171 | | 1301 | TELEMETRY_SYSTEM_EVENT_ENABLE | 172 | | 1302 | TELEMETRY_SYSTEM_EVENT_DISABLE | 173 | | 1303 | TELEMETRY_SYSTEM_CERTIFICATION_INSTALL | 174 | | 1304 | TELEMETRY_SYSTEM_DEVICE_ROOTED | 175 | | 1401 | TELEMETRY_PIPE_CREATE | 176 | | 1402 | TELEMETRY_PIPE_CONNECT | 177 | | 1601 | TELEMETRY_MAC_SYS_LOG_COLLECT | 178 | | 1701 | TELEMETRY_DDR_FILE_COPY | 179 | | 1702 | TELEMETRY_DDR_FILE_MOVE | 180 | | 1703 | TELEMETRY_DDR_FILE_RENAME | 181 | | 1704 | TELEMETRY_DDR_FILE_MODIFY | 182 | | 1705 | TELEMETRY_DDR_FILE_DELETE | 183 | | 1706 | TELEMETRY_DDR_FILE_UNZIP | 184 | | 1707 | TELEMETRY_DDR_FILE_ZIP | 185 | | 1708 | TELEMETRY_DDR_FILE_UPLOAD | 186 | | 1709 | TELEMETRY_DDR_FILE_DOWNLOAD | 187 | | 1710 | TELEMETRY_DDR_FILE_PRINT | 188 | | 10101 | TELEMETRY_ASSOCIATION_PROCESS_IMAGE_FILE | 189 | | 10102 | TELEMETRY_ASSOCIATION_AUTO_RUN_KEY_FULL_PATH | 190 | | 10103 | TELEMETRY_ASSOCIATION_HOST_PROC_CMD_FULL_PATH | 191 | | 10104 | TELEMETRY_ASSOCIATION_SERVICE_DLL | 192 | | 10105 | TELEMETRY_ASSOCIATION_ARCHIVE_FILE | 193 | | 10106 | TELEMETRY_ASSOCIATION_BROWSER_PROCESS | -------------------------------------------------------------------------------- /doc_v2/Network/TippingPoint Security Management System.yaml: -------------------------------------------------------------------------------- 1 | - Name: request 2 | ProductCode: 3 | - pdi 4 | - xns 5 | - sao 6 | - ptp 7 | - sds 8 | - sig 9 | - sca 10 | - stp 11 | - sem 12 | - pds 13 | - ams 14 | - szn 15 | Description_EN: The notable URLs 16 | Sample: 17 | - http://example.page.com/canonical.html 18 | - http://10.10.10.10 19 | - https://drive.google.com/ 20 | DL_Type: 
string 21 | DL_CommonKey: 22 | - URL 23 | DL_Searchable: true 24 | DL_Aggregable: true 25 | - Name: category 26 | ProductCode: 27 | - ptp 28 | - mns 29 | - sds 30 | Description_EN: The event category 31 | Sample: 32 | - Exploits 33 | - Reconnaissance 34 | - Vulnerabilities 35 | - Security Policy 36 | DL_Type: string 37 | DL_CommonKey: 38 | DL_Searchable: true 39 | DL_Aggregable: true 40 | - Name: src 41 | ProductCode: 42 | - pdi 43 | - xns 44 | - sao 45 | - sds 46 | - ptp 47 | - pds 48 | - stp 49 | - xes 50 | - sig 51 | - ptn 52 | - szn 53 | - scs 54 | - mns 55 | Description_EN: The source IP 56 | Sample: 57 | - 10.10.10.10 58 | DL_Type: dynamic 59 | DL_CommonKey: 60 | - IPv4 61 | - IPv6 62 | DL_Searchable: true 63 | DL_Aggregable: true 64 | - Name: dst 65 | ProductCode: 66 | - pdi 67 | - xns 68 | - sao 69 | - sds 70 | - ptp 71 | - pds 72 | - stp 73 | - xes 74 | - sig 75 | - ptn 76 | - szn 77 | - scs 78 | - mns 79 | Description_EN: The destination IP 80 | Sample: 81 | - 10.10.10.10 82 | DL_Type: dynamic 83 | DL_CommonKey: 84 | - IPv4 85 | - IPv6 86 | DL_Searchable: true 87 | DL_Aggregable: true 88 | - Name: interestedIp 89 | ProductCode: 90 | - sds 91 | - pdi 92 | - xns 93 | - pds 94 | - sao 95 | - ptp 96 | - stp 97 | - ptn 98 | Description_EN: The IP of the interestedHost 99 | Sample: 100 | - 10.10.10.10 101 | DL_Type: dynamic 102 | DL_CommonKey: 103 | - IPv4 104 | - IPv6 105 | DL_Searchable: true 106 | DL_Aggregable: false 107 | - Name: endpointIp 108 | ProductCode: 109 | - sds 110 | - pds 111 | - sao 112 | - ptp 113 | - stp 114 | - ptn 115 | - sss 116 | - ddr 117 | Description_EN: The IP address of the endpoint on which the event was detected 118 | Sample: 119 | - 10.10.10.10 120 | DL_Type: dynamic 121 | DL_CommonKey: 122 | - IPv4 123 | - IPv6 124 | DL_Searchable: true 125 | DL_Aggregable: true 126 | - Name: dpt 127 | ProductCode: 128 | - pdi 129 | - xns 130 | - sao 131 | - sds 132 | - ptp 133 | - pds 134 | - stp 135 | - xes 136 | - ptn 137 | - szn 138 | - scs 
139 | - mns 140 | Description_EN: The destination port 141 | Sample: 142 | - 0 143 | - 445 144 | - 80 145 | DL_Type: int 146 | DL_CommonKey: 147 | - Port 148 | DL_Searchable: true 149 | DL_Aggregable: true 150 | - Name: spt 151 | ProductCode: 152 | - pdi 153 | - xns 154 | - sao 155 | - sds 156 | - ptp 157 | - pds 158 | - stp 159 | - xes 160 | - ptn 161 | - szn 162 | - scs 163 | - mns 164 | Description_EN: The source port 165 | Sample: 166 | - 53 167 | - 0 168 | - 7680 169 | DL_Type: int 170 | DL_CommonKey: 171 | - Port 172 | DL_Searchable: true 173 | DL_Aggregable: true 174 | - Name: ruleName 175 | ProductCode: 176 | - sds 177 | - pdi 178 | - xns 179 | - sao 180 | - pds 181 | - sca 182 | - ptp 183 | - xes 184 | - sem 185 | - stp 186 | - szn 187 | - scs 188 | - xms 189 | - mns 190 | - ddr 191 | Description_EN: The name of the rule that triggered the event 192 | Sample: 193 | - Directory Server - Microsoft Windows Active Directory 194 | - Microsoft Windows Events 195 | - Microsoft Windows Security Events - 3 196 | - (T1234) New executable created (chmod) 197 | - Sensitive Files Upload to Personal Cloud 198 | - Multiple Sensitive Files Compression 199 | - Transfer Sensitive Files to Removable Storage 200 | - Move Multiple Sensitive Files to Central Location 201 | - Multiple Sensitive Files Modification 202 | - Multiple Sensitive Files Deletion 203 | - GEN_CCFR_OVERLAY_TEST.A 204 | DL_Type: string 205 | DL_CommonKey: 206 | DL_Searchable: true 207 | DL_Aggregable: true 208 | - Name: eventName 209 | ProductCode: 210 | - sds 211 | - pdi 212 | - xns 213 | - sao 214 | - pds 215 | - ptp 216 | - sca 217 | - sem 218 | - xes 219 | - stp 220 | - sig 221 | - ptn 222 | - szn 223 | - pts 224 | - xms 225 | - sfs 226 | - sfc 227 | - sss 228 | - ams 229 | - mns 230 | - ddr 231 | Description_EN: The event type 232 | Sample: 233 | - LOG_INSPECTION_EVENT 234 | - SECURITY_RISK_DETECTION 235 | - WEB_THREAT_DETECTION 236 | - LOG_INSPECTION_EVENT 237 | - MALWARE_DETECTION 238 | - 
PROCESS_ACTIVITY 239 | - WEB_POLICY_VIOLATION 240 | - DEEP_PACKET_INSPECTION_EVENT 241 | - INTEGRITY_MONITORING_EVENT 242 | - DISRUPTIVE_APPLICATION_DETECTION 243 | - PRODUCT_SUMMARY 244 | - PRODUCT_UPDATE 245 | - BEHAVIORAL_VIOLATION 246 | - FIREWALL_POLICY_VIOLATION 247 | - SUSPICIOUS_BEHAVIOUR_DETECTION 248 | - DENYLIST_CHANGE 249 | - MACHINE_LEARNING_DETECTION 250 | - DLP_VIOLATION 251 | - MALWARE_OUTBREAK_DETECTION 252 | - SENSITIVE_DATA_DETECTION 253 | DL_Type: string 254 | DL_CommonKey: 255 | DL_Searchable: true 256 | DL_Aggregable: true 257 | - Name: policyId 258 | ProductCode: 259 | - ptp 260 | - sao 261 | - xes 262 | - stp 263 | - sds 264 | - pds 265 | - scs 266 | Description_EN: The ID of the policy under which the event was detected 267 | Sample: 268 | - 00000001-0001-0001-0001-000000007610 269 | - '007' 270 | - '003' 271 | - TM000001 272 | DL_Type: string 273 | DL_CommonKey: 274 | DL_Searchable: true 275 | DL_Aggregable: true 276 | - Name: act 277 | ProductCode: 278 | - scs 279 | - pdi 280 | - xns 281 | - sao 282 | - sds 283 | - sca 284 | - ptp 285 | - xes 286 | - sws 287 | - sem 288 | - pds 289 | - stp 290 | - sig 291 | - ptn 292 | - szn 293 | - xms 294 | - ams 295 | - mns 296 | - sss 297 | Description_EN: The actions taken to mitigate the event 298 | Sample: 299 | - log 300 | - isolate 301 | - terminate 302 | - not blocked 303 | - Block 304 | - No action 305 | - Reset 306 | - Pass 307 | - User Decision 308 | DL_Type: dynamic 309 | DL_CommonKey: 310 | DL_Searchable: true 311 | DL_Aggregable: true 312 | - Name: pname 313 | ProductCode: 314 | - sds 315 | - pdi 316 | - xns 317 | - sao 318 | - pds 319 | - sca 320 | - sem 321 | - ptp 322 | - xes 323 | - sws 324 | - stp 325 | - sig 326 | - ams 327 | - scs 328 | - xms 329 | Description_EN: The internal product ID 330 | Sample: 331 | - Trend Micro Deep Security 332 | - Deep Discovery Inspector 333 | - Apex One 334 | DL_Type: string 335 | DL_CommonKey: 336 | DL_Searchable: true 337 | DL_Aggregable: false 338 | - Name: 
deviceGUID 339 | ProductCode: 340 | - pdi 341 | - xns 342 | - sao 343 | - ptp 344 | - xes 345 | - stp 346 | - sig 347 | Description_EN: The GUID of the agent which reported the detection 348 | Sample: 349 | - 00000000-0000-0000-0000-000000000000 350 | - 11111111-1111-1111-1111-111111111111 351 | - 22222222-2222-2222-2222-222222222222 352 | DL_Type: string 353 | DL_CommonKey: 354 | DL_Searchable: true 355 | DL_Aggregable: true 356 | - Name: severity 357 | ProductCode: 358 | - sds 359 | - pdi 360 | - xns 361 | - pds 362 | - sao 363 | - ptp 364 | - stp 365 | - scs 366 | - mns 367 | Description_EN: The severity of the event 368 | Sample: 369 | - 2 370 | - 4 371 | - 6 372 | - 8 373 | DL_Type: int 374 | DL_CommonKey: 375 | DL_Searchable: true 376 | DL_Aggregable: true 377 | - Name: cves 378 | ProductCode: 379 | - ptp 380 | - sds 381 | - pdi 382 | - xns 383 | Description_EN: The CVEs associated with this filter 384 | Sample: 385 | - CVE-2014-3567 386 | - CVE-2016-6304 387 | - CVE-2011-1385 388 | DL_Type: dynamic 389 | DL_CommonKey: 390 | DL_Searchable: true 391 | DL_Aggregable: false 392 | - Name: aggregatedCount 393 | ProductCode: 394 | - pdi 395 | - xns 396 | - sao 397 | - ptp 398 | - sws 399 | - stp 400 | - sig 401 | - pts 402 | - ddr 403 | - sds 404 | Description_EN: The number of aggregated events 405 | Sample: 406 | - '1' 407 | - '2' 408 | - '3' 409 | DL_Type: string 410 | DL_CommonKey: 411 | DL_Searchable: true 412 | DL_Aggregable: false 413 | - Name: mpname 414 | ProductCode: 415 | - sds 416 | - sao 417 | - pds 418 | - ptp 419 | - xes 420 | - stp 421 | Description_EN: The management product name 422 | Sample: 423 | - Cloud One - Workload Security 424 | - Apex Central 425 | - Deep Security Software 426 | DL_Type: string 427 | DL_CommonKey: 428 | DL_Searchable: true 429 | DL_Aggregable: false 430 | - Name: pver 431 | ProductCode: 432 | - sds 433 | - pdi 434 | - xns 435 | - pds 436 | - sao 437 | - ptp 438 | - stp 439 | - sig 440 | - ams 441 | - scs 442 | - sfs 443 | 
- sfc 444 | - sss 445 | Description_EN: The product version 446 | Sample: 447 | - 20.0.0.4726 448 | - 20.0.0.4416 449 | - 6.2.1125 450 | DL_Type: string 451 | DL_CommonKey: 452 | DL_Searchable: true 453 | DL_Aggregable: false 454 | - Name: rt 455 | ProductCode: 456 | - sds 457 | - pdi 458 | - xns 459 | - sao 460 | - pds 461 | - sca 462 | - sem 463 | - ptp 464 | - xes 465 | - sws 466 | - stp 467 | - sig 468 | - szn 469 | - xms 470 | Description_EN: The Unix time of the log generation 471 | Sample: 472 | - 1656324260000 473 | DL_Type: string 474 | DL_CommonKey: 475 | DL_Searchable: false 476 | DL_Aggregable: false 477 | - Name: vLANId 478 | ProductCode: 479 | - pdi 480 | - xns 481 | - ptn 482 | - mns 483 | - ptp 484 | Description_EN: The virtual LAN ID 485 | Sample: [] 486 | DL_Type: int 487 | DL_CommonKey: 488 | DL_Searchable: false 489 | DL_Aggregable: false 490 | - Name: ruleUuid 491 | ProductCode: 492 | - ptp 493 | - stp 494 | - sca 495 | - szn 496 | Description_EN: The signature UUID from the DV (Digital Vaccine) 497 | Sample: 498 | - 00000001-0001-0001-0001-000000007610 499 | - 00000001-0001-0001-0001-000000007120 500 | - 00000001-0001-0001-0001-000000017056 501 | DL_Type: string 502 | DL_CommonKey: 503 | DL_Searchable: true 504 | DL_Aggregable: false 505 | - Name: overSsl 506 | ProductCode: 507 | - pdi 508 | - xns 509 | - ptp 510 | - stp 511 | Description_EN: Whether the event was triggered by an SSL decryption stream 512 | (Displayed only when SSL Inspection is supported) 513 | Sample: 514 | - Not over SSL/TLS 515 | - '0' 516 | - Over SSL/TLS 517 | DL_Type: string 518 | DL_CommonKey: 519 | DL_Searchable: true 520 | DL_Aggregable: false 521 | - Name: logKey 522 | ProductCode: 523 | - sds 524 | - pdi 525 | - xns 526 | - sao 527 | - pds 528 | - sca 529 | - sem 530 | - ptp 531 | - xes 532 | - sws 533 | - stp 534 | - sig 535 | Description_EN: The unique key of the event 536 | Sample: 537 | - 123e4567-e89b-12d3-a456-426614174000 538 | - 
987f6543-21ba-43cd-9e8f-123456789abc 539 | - 456789ab-cdef-1234-5678-9abcdef01234 540 | DL_Type: string 541 | DL_CommonKey: 542 | DL_Searchable: true 543 | DL_Aggregable: false 544 | - Name: peerEndpointGUID 545 | ProductCode: 546 | - pdi 547 | - xns 548 | - stp 549 | - ptp 550 | Description_EN: The endpoint GUID of the agent peer host 551 | Sample: 552 | - 00000000-0000-0000-0000-000000000000 553 | - 11111111-1111-1111-1111-111111111111 554 | - 22222222-2222-2222-2222-222222222222 555 | DL_Type: string 556 | DL_CommonKey: 557 | DL_Searchable: true 558 | DL_Aggregable: true 559 | - Name: ruleSetName 560 | ProductCode: 561 | - scs 562 | - stp 563 | - ptp 564 | - sds 565 | Description_EN: The rule set name 566 | Sample: 567 | - AllRules 568 | DL_Type: string 569 | DL_CommonKey: 570 | DL_Searchable: true 571 | DL_Aggregable: false 572 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 
22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. 
For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. 
If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. 
You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. 
(Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2023 Trend Micro 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. -------------------------------------------------------------------------------- /doc_v2/Network/Trend Cloud One - Network Security.yaml: -------------------------------------------------------------------------------- 1 | - Name: request 2 | ProductCode: 3 | - pdi 4 | - xns 5 | - sao 6 | - ptp 7 | - sds 8 | - sig 9 | - sca 10 | - stp 11 | - sem 12 | - pds 13 | - ams 14 | - szn 15 | Description_EN: The notable URLs 16 | Sample: 17 | - http://example.page.com/canonical.html 18 | - http://10.10.10.10 19 | - https://drive.google.com/ 20 | DL_Type: string 21 | DL_CommonKey: 22 | - URL 23 | DL_Searchable: true 24 | DL_Aggregable: true 25 | - Name: src 26 | ProductCode: 27 | - pdi 28 | - xns 29 | - sao 30 | - sds 31 | - ptp 32 | - pds 33 | - stp 34 | - xes 35 | - sig 36 | - ptn 37 | - szn 38 | - scs 39 | - mns 40 | Description_EN: The source IP 41 | Sample: 42 | - 10.10.10.10 43 | DL_Type: dynamic 44 | DL_CommonKey: 45 | - IPv4 46 | - IPv6 47 | DL_Searchable: true 48 | DL_Aggregable: true 49 | - Name: dst 50 | ProductCode: 51 | 
- pdi 52 | - xns 53 | - sao 54 | - sds 55 | - ptp 56 | - pds 57 | - stp 58 | - xes 59 | - sig 60 | - ptn 61 | - szn 62 | - scs 63 | - mns 64 | Description_EN: The destination IP 65 | Sample: 66 | - 10.10.10.10 67 | DL_Type: dynamic 68 | DL_CommonKey: 69 | - IPv4 70 | - IPv6 71 | DL_Searchable: true 72 | DL_Aggregable: true 73 | - Name: interestedIp 74 | ProductCode: 75 | - sds 76 | - pdi 77 | - xns 78 | - pds 79 | - sao 80 | - ptp 81 | - stp 82 | - ptn 83 | Description_EN: The IP of the interestedHost 84 | Sample: 85 | - 10.10.10.10 86 | DL_Type: dynamic 87 | DL_CommonKey: 88 | - IPv4 89 | - IPv6 90 | DL_Searchable: true 91 | DL_Aggregable: false 92 | - Name: endpointIp 93 | ProductCode: 94 | - sds 95 | - pds 96 | - sao 97 | - ptp 98 | - stp 99 | - ptn 100 | - sss 101 | - ddr 102 | Description_EN: The IP address of the endpoint on which the event was detected 103 | Sample: 104 | - 10.10.10.10 105 | DL_Type: dynamic 106 | DL_CommonKey: 107 | - IPv4 108 | - IPv6 109 | DL_Searchable: true 110 | DL_Aggregable: true 111 | - Name: dpt 112 | ProductCode: 113 | - pdi 114 | - xns 115 | - sao 116 | - sds 117 | - ptp 118 | - pds 119 | - stp 120 | - xes 121 | - ptn 122 | - szn 123 | - scs 124 | - mns 125 | Description_EN: The destination port 126 | Sample: 127 | - 0 128 | - 445 129 | - 80 130 | DL_Type: int 131 | DL_CommonKey: 132 | - Port 133 | DL_Searchable: true 134 | DL_Aggregable: true 135 | - Name: spt 136 | ProductCode: 137 | - pdi 138 | - xns 139 | - sao 140 | - sds 141 | - ptp 142 | - pds 143 | - stp 144 | - xes 145 | - ptn 146 | - szn 147 | - scs 148 | - mns 149 | Description_EN: The source port 150 | Sample: 151 | - 53 152 | - 0 153 | - 7680 154 | DL_Type: int 155 | DL_CommonKey: 156 | - Port 157 | DL_Searchable: true 158 | DL_Aggregable: true 159 | - Name: suid 160 | ProductCode: 161 | - sds 162 | - sca 163 | - sao 164 | - pdi 165 | - xns 166 | - sws 167 | - pds 168 | - stp 169 | - sig 170 | Description_EN: User name or mailbox 171 | Sample: 172 | - root 173 | - US 
EXAMPLE\TEST 174 | - sample_email@trendmicro.com 175 | DL_Type: string 176 | DL_CommonKey: 177 | - UserAccount 178 | DL_Searchable: true 179 | DL_Aggregable: false 180 | - Name: ruleName 181 | ProductCode: 182 | - sds 183 | - pdi 184 | - xns 185 | - sao 186 | - pds 187 | - sca 188 | - ptp 189 | - xes 190 | - sem 191 | - stp 192 | - szn 193 | - scs 194 | - xms 195 | - mns 196 | - ddr 197 | Description_EN: The name of the rule that triggered the event 198 | Sample: 199 | - Directory Server - Microsoft Windows Active Directory 200 | - Microsoft Windows Events 201 | - Microsoft Windows Security Events - 3 202 | - (T1234) New executable created (chmod) 203 | - Sensitive Files Upload to Personal Cloud 204 | - Multiple Sensitive Files Compression 205 | - Transfer Sensitive Files to Removable Storage 206 | - Move Multiple Sensitive Files to Central Location 207 | - Multiple Sensitive Files Modification 208 | - Multiple Sensitive Files Deletion 209 | - GEN_CCFR_OVERLAY_TEST.A 210 | DL_Type: string 211 | DL_CommonKey: 212 | DL_Searchable: true 213 | DL_Aggregable: true 214 | - Name: eventName 215 | ProductCode: 216 | - sds 217 | - pdi 218 | - xns 219 | - sao 220 | - pds 221 | - ptp 222 | - sca 223 | - sem 224 | - xes 225 | - stp 226 | - sig 227 | - ptn 228 | - szn 229 | - pts 230 | - xms 231 | - sfs 232 | - sfc 233 | - sss 234 | - ams 235 | - mns 236 | - ddr 237 | Description_EN: The event type 238 | Sample: 239 | - LOG_INSPECTION_EVENT 240 | - SECURITY_RISK_DETECTION 241 | - WEB_THREAT_DETECTION 242 | - LOG_INSPECTION_EVENT 243 | - MALWARE_DETECTION 244 | - PROCESS_ACTIVITY 245 | - WEB_POLICY_VIOLATION 246 | - DEEP_PACKET_INSPECTION_EVENT 247 | - INTEGRITY_MONITORING_EVENT 248 | - DISRUPTIVE_APPLICATION_DETECTION 249 | - PRODUCT_SUMMARY 250 | - PRODUCT_UPDATE 251 | - BEHAVIORAL_VIOLATION 252 | - FIREWALL_POLICY_VIOLATION 253 | - SUSPICIOUS_BEHAVIOUR_DETECTION 254 | - DENYLIST_CHANGE 255 | - MACHINE_LEARNING_DETECTION 256 | - DLP_VIOLATION 257 | - MALWARE_OUTBREAK_DETECTION 
258 | - SENSITIVE_DATA_DETECTION 259 | DL_Type: string 260 | DL_CommonKey: 261 | DL_Searchable: true 262 | DL_Aggregable: true 263 | - Name: subRuleId 264 | ProductCode: 265 | - sds 266 | - pds 267 | - stp 268 | Description_EN: ID of a subordinate rule 269 | Sample: 270 | - '85262' 271 | - '914520' 272 | - '18152' 273 | DL_Type: string 274 | DL_CommonKey: 275 | DL_Searchable: true 276 | DL_Aggregable: false 277 | - Name: remarks 278 | ProductCode: 279 | - sds 280 | - pdi 281 | - xns 282 | - pds 283 | - sca 284 | - sao 285 | - sem 286 | - stp 287 | - ptn 288 | - xms 289 | - sfs 290 | - sss 291 | - sig 292 | Description_EN: The additional information 293 | Sample: 294 | - 'warning: fork: Resource temporarily unavailable' 295 | - 'pam_unix(cron:session): session opened for user root by (uid=0)' 296 | - "WinEvtLog: Application: AUDIT_FAILURE(18470): MSSQL$SA: (no user): no domain: 297 | EXAMPLE.com: Login failed for user 'example_user'. Reason: The account is disabled. 298 | [CLIENT: 10.10.10.10] " 299 | DL_Type: string 300 | DL_CommonKey: 301 | DL_Searchable: true 302 | DL_Aggregable: false 303 | - Name: policyId 304 | ProductCode: 305 | - ptp 306 | - sao 307 | - xes 308 | - stp 309 | - sds 310 | - pds 311 | - scs 312 | Description_EN: The ID of the policy under which the event was detected 313 | Sample: 314 | - 00000001-0001-0001-0001-000000007610 315 | - '007' 316 | - '003' 317 | - TM000001 318 | DL_Type: string 319 | DL_CommonKey: 320 | DL_Searchable: true 321 | DL_Aggregable: true 322 | - Name: act 323 | ProductCode: 324 | - scs 325 | - pdi 326 | - xns 327 | - sao 328 | - sds 329 | - sca 330 | - ptp 331 | - xes 332 | - sws 333 | - sem 334 | - pds 335 | - stp 336 | - sig 337 | - ptn 338 | - szn 339 | - xms 340 | - ams 341 | - mns 342 | - sss 343 | Description_EN: The actions taken to mitigate the event 344 | Sample: 345 | - log 346 | - isolate 347 | - terminate 348 | - not blocked 349 | - Block 350 | - No action 351 | - Reset 352 | - Pass 353 | - User Decision 354 | DL_Type: 
dynamic 355 | DL_CommonKey: 356 | DL_Searchable: true 357 | DL_Aggregable: true 358 | - Name: pname 359 | ProductCode: 360 | - sds 361 | - pdi 362 | - xns 363 | - sao 364 | - pds 365 | - sca 366 | - sem 367 | - ptp 368 | - xes 369 | - sws 370 | - stp 371 | - sig 372 | - ams 373 | - scs 374 | - xms 375 | Description_EN: The internal product ID 376 | Sample: 377 | - Trend Micro Deep Security 378 | - Deep Discovery Inspector 379 | - Apex One 380 | DL_Type: string 381 | DL_CommonKey: 382 | DL_Searchable: true 383 | DL_Aggregable: false 384 | - Name: deviceGUID 385 | ProductCode: 386 | - pdi 387 | - xns 388 | - sao 389 | - ptp 390 | - xes 391 | - stp 392 | - sig 393 | Description_EN: The GUID of the agent which reported the detection 394 | Sample: 395 | - 00000000-0000-0000-0000-000000000000 396 | - 11111111-1111-1111-1111-111111111111 397 | - 22222222-2222-2222-2222-222222222222 398 | DL_Type: string 399 | DL_CommonKey: 400 | DL_Searchable: true 401 | DL_Aggregable: true 402 | - Name: severity 403 | ProductCode: 404 | - sds 405 | - pdi 406 | - xns 407 | - pds 408 | - sao 409 | - ptp 410 | - stp 411 | - scs 412 | - mns 413 | Description_EN: The severity of the event 414 | Sample: 415 | - 2 416 | - 4 417 | - 6 418 | - 8 419 | DL_Type: int 420 | DL_CommonKey: 421 | DL_Searchable: true 422 | DL_Aggregable: true 423 | - Name: aggregatedCount 424 | ProductCode: 425 | - pdi 426 | - xns 427 | - sao 428 | - ptp 429 | - sws 430 | - stp 431 | - sig 432 | - pts 433 | - ddr 434 | - sds 435 | Description_EN: The number of aggregated events 436 | Sample: 437 | - '1' 438 | - '2' 439 | - '3' 440 | DL_Type: string 441 | DL_CommonKey: 442 | DL_Searchable: true 443 | DL_Aggregable: false 444 | - Name: mpname 445 | ProductCode: 446 | - sds 447 | - sao 448 | - pds 449 | - ptp 450 | - xes 451 | - stp 452 | Description_EN: The management product name 453 | Sample: 454 | - Cloud One - Workload Security 455 | - Apex Central 456 | - Deep Security Software 457 | DL_Type: string 458 | 
DL_CommonKey: 459 | DL_Searchable: true 460 | DL_Aggregable: false 461 | - Name: pver 462 | ProductCode: 463 | - sds 464 | - pdi 465 | - xns 466 | - pds 467 | - sao 468 | - ptp 469 | - stp 470 | - sig 471 | - ams 472 | - scs 473 | - sfs 474 | - sfc 475 | - sss 476 | Description_EN: The product version 477 | Sample: 478 | - 20.0.0.4726 479 | - 20.0.0.4416 480 | - 6.2.1125 481 | DL_Type: string 482 | DL_CommonKey: 483 | DL_Searchable: true 484 | DL_Aggregable: false 485 | - Name: rt 486 | ProductCode: 487 | - sds 488 | - pdi 489 | - xns 490 | - sao 491 | - pds 492 | - sca 493 | - sem 494 | - ptp 495 | - xes 496 | - sws 497 | - stp 498 | - sig 499 | - szn 500 | - xms 501 | Description_EN: The Unix time of the log generation 502 | Sample: 503 | - 1656324260000 504 | DL_Type: string 505 | DL_CommonKey: 506 | DL_Searchable: false 507 | DL_Aggregable: false 508 | - Name: ruleUuid 509 | ProductCode: 510 | - ptp 511 | - stp 512 | - sca 513 | - szn 514 | Description_EN: The signature UUID from the DV (Digital Vaccine) 515 | Sample: 516 | - 00000001-0001-0001-0001-000000007610 517 | - 00000001-0001-0001-0001-000000007120 518 | - 00000001-0001-0001-0001-000000017056 519 | DL_Type: string 520 | DL_CommonKey: 521 | DL_Searchable: true 522 | DL_Aggregable: false 523 | - Name: overSsl 524 | ProductCode: 525 | - pdi 526 | - xns 527 | - ptp 528 | - stp 529 | Description_EN: Whether the event was triggered by an SSL decryption stream 530 | (Displayed only when SSL Inspection is supported) 531 | Sample: 532 | - Not over SSL/TLS 533 | - '0' 534 | - Over SSL/TLS 535 | DL_Type: string 536 | DL_CommonKey: 537 | DL_Searchable: true 538 | DL_Aggregable: false 539 | - Name: logKey 540 | ProductCode: 541 | - sds 542 | - pdi 543 | - xns 544 | - sao 545 | - pds 546 | - sca 547 | - sem 548 | - ptp 549 | - xes 550 | - sws 551 | - stp 552 | - sig 553 | Description_EN: The unique key of the event 554 | Sample: 555 | - 123e4567-e89b-12d3-a456-426614174000 556 | - 987f6543-21ba-43cd-9e8f-123456789abc 
557 | - 456789ab-cdef-1234-5678-9abcdef01234 558 | DL_Type: string 559 | DL_CommonKey: 560 | DL_Searchable: true 561 | DL_Aggregable: false 562 | - Name: peerEndpointGUID 563 | ProductCode: 564 | - pdi 565 | - xns 566 | - stp 567 | - ptp 568 | Description_EN: The endpoint GUID of the agent peer host 569 | Sample: 570 | - 00000000-0000-0000-0000-000000000000 571 | - 11111111-1111-1111-1111-111111111111 572 | - 22222222-2222-2222-2222-222222222222 573 | DL_Type: string 574 | DL_CommonKey: 575 | DL_Searchable: true 576 | DL_Aggregable: true 577 | - Name: ruleSetName 578 | ProductCode: 579 | - scs 580 | - stp 581 | - ptp 582 | - sds 583 | Description_EN: The rule set name 584 | Sample: 585 | - AllRules 586 | DL_Type: string 587 | DL_CommonKey: 588 | DL_Searchable: true 589 | DL_Aggregable: false 590 | -------------------------------------------------------------------------------- /doc_v2/Cloud/File Security.yaml: -------------------------------------------------------------------------------- 1 | - Name: fileName 2 | ProductCode: 3 | - sds 4 | - pdi 5 | - xns 6 | - sao 7 | - pds 8 | - sig 9 | - pts 10 | - sfs 11 | - sfc 12 | - sss 13 | Description_EN: The file name 14 | Sample: 15 | - spoolss 16 | - hosts 17 | - svcrestarttask 18 | DL_Type: dynamic 19 | DL_CommonKey: 20 | - FileName 21 | DL_Searchable: true 22 | DL_Aggregable: true 23 | - Name: compressedFileName 24 | ProductCode: 25 | - pdi 26 | - xns 27 | - sao 28 | - sfs 29 | - sfc 30 | - sds 31 | - sss 32 | - scs 33 | Description_EN: The file name of the compressed file 34 | Sample: 35 | - /proc/32058/fd/150 36 | - NONAMEFL 37 | - /proc/10006/fd/30 38 | - VirusActionSample/RPF2_OtherMalwareSample-other.exe 39 | DL_Type: string 40 | DL_CommonKey: 41 | - FileName 42 | DL_Searchable: true 43 | DL_Aggregable: false 44 | - Name: filePath 45 | ProductCode: 46 | - sds 47 | - pds 48 | - sao 49 | - pdi 50 | - xns 51 | - pts 52 | - sfs 53 | - sfc 54 | Description_EN: The file path without the file name 55 | Sample: 56 | - 
security 57 | - /var/log/audit/audit.log 58 | - application 59 | DL_Type: string 60 | DL_CommonKey: 61 | - FileFullPath 62 | DL_Searchable: true 63 | DL_Aggregable: true 64 | - Name: fileHash 65 | ProductCode: 66 | - sds 67 | - pdi 68 | - xns 69 | - pds 70 | - sao 71 | - sig 72 | - sfs 73 | - sfc 74 | - sss 75 | - ddr 76 | Description_EN: The SHA-1 of the file that triggered the rule or policy 77 | Sample: 78 | - DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 79 | - 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F 80 | - 3AD1F4E7CAA11E5199EE80B8983677ADDD065450 81 | DL_Type: string 82 | DL_CommonKey: 83 | - FileSHA1 84 | DL_Searchable: true 85 | DL_Aggregable: true 86 | - Name: compressedFileHash 87 | ProductCode: 88 | - pdi 89 | - xns 90 | - sfs 91 | - sfc 92 | - sds 93 | - sao 94 | - sss 95 | Description_EN: The SHA-1 of the decompressed archive 96 | Sample: 97 | - 6E2ECB34B7798E179CC704111FB9733FBAAD5ACA 98 | - FA71B59F35F0EE44D27F74917EF5A0DA2797E80B 99 | - 14D2302172EB81465CE12E01361AE24CDE170F7B 100 | DL_Type: string 101 | DL_CommonKey: 102 | - FileSHA1 103 | DL_Searchable: true 104 | DL_Aggregable: false 105 | - Name: fileHashSha256 106 | ProductCode: 107 | - pdi 108 | - xns 109 | - sao 110 | - sig 111 | - sds 112 | - sfs 113 | - sfc 114 | - sss 115 | - scs 116 | Description_EN: The SHA-256 of the file (fileName) 117 | Sample: 118 | - 6A6EB2D717CEA041B4444193B45EDFB6CA1287518203B7230B3C4B8FFB031EAB 119 | - BFF703FF836196644586014DA13A097C2EE9A08E4D596DFB7C8E0F685FE01294 120 | - 12327F460AC9CBBC34D39EB3CF89C7FECCA37F08773A04566840F73F6ECC4104 121 | DL_Type: string 122 | DL_CommonKey: 123 | - FileSHA2 124 | DL_Searchable: true 125 | DL_Aggregable: false 126 | - Name: compressedFileHashSha256 127 | ProductCode: 128 | - pdi 129 | - xns 130 | - sfs 131 | - sfc 132 | - sds 133 | - sao 134 | - sss 135 | Description_EN: The SHA-256 of the compressed suspicious file 136 | Sample: 137 | - 60C7C5924DD09F7C6B150120FB92DCEE00AE82DB75C7402FA4D9152CF487A94F 138 | - 
482FFC4F87B78C3C7073983CF65B593D9F13F0A3D6DC54B4A3F616F79838F3CE 139 | - 68C0126D9B4B0FC32DE181D0D67DA8FE82E23745F6023317D5E053B6F6ED26CF 140 | DL_Type: string 141 | DL_CommonKey: 142 | - FileSHA2 143 | DL_Searchable: true 144 | DL_Aggregable: false 145 | - Name: objectType 146 | ProductCode: 147 | - sca 148 | - sds 149 | - sao 150 | - sem 151 | - xes 152 | - sfs 153 | Description_EN: The object type 154 | Sample: 155 | - file 156 | - process 157 | - qil 158 | DL_Type: string 159 | DL_CommonKey: 160 | DL_Searchable: true 161 | DL_Aggregable: false 162 | - Name: malName 163 | ProductCode: 164 | - sao 165 | - sds 166 | - pdi 167 | - xns 168 | - pds 169 | - sws 170 | - pts 171 | - xms 172 | - sfs 173 | - sfc 174 | - sss 175 | - scs 176 | Description_EN: The name of the detected malware 177 | Sample: 178 | - SecurityLevelDrop 179 | - Regla Logs All 180 | - USR_SUSPICIOUS_DOMAIN.UMXX 181 | DL_Type: string 182 | DL_CommonKey: 183 | DL_Searchable: true 184 | DL_Aggregable: false 185 | - Name: eventName 186 | ProductCode: 187 | - sds 188 | - pdi 189 | - xns 190 | - sao 191 | - pds 192 | - ptp 193 | - sca 194 | - sem 195 | - xes 196 | - stp 197 | - sig 198 | - ptn 199 | - szn 200 | - pts 201 | - xms 202 | - sfs 203 | - sfc 204 | - sss 205 | - ams 206 | - mns 207 | - ddr 208 | Description_EN: The event type 209 | Sample: 210 | - LOG_INSPECTION_EVENT 211 | - SECURITY_RISK_DETECTION 212 | - WEB_THREAT_DETECTION 213 | - LOG_INSPECTION_EVENT 214 | - MALWARE_DETECTION 215 | - PROCESS_ACTIVITY 216 | - WEB_POLICY_VIOLATION 217 | - DEEP_PACKET_INSPECTION_EVENT 218 | - INTEGRITY_MONITORING_EVENT 219 | - DISRUPTIVE_APPLICATION_DETECTION 220 | - PRODUCT_SUMMARY 221 | - PRODUCT_UPDATE 222 | - BEHAVIORAL_VIOLATION 223 | - FIREWALL_POLICY_VIOLATION 224 | - SUSPICIOUS_BEHAVIOUR_DETECTION 225 | - DENYLIST_CHANGE 226 | - MACHINE_LEARNING_DETECTION 227 | - DLP_VIOLATION 228 | - MALWARE_OUTBREAK_DETECTION 229 | - SENSITIVE_DATA_DETECTION 230 | DL_Type: string 231 | DL_CommonKey: 232 | 
DL_Searchable: true 233 | DL_Aggregable: true 234 | - Name: remarks 235 | ProductCode: 236 | - sds 237 | - pdi 238 | - xns 239 | - pds 240 | - sca 241 | - sao 242 | - sem 243 | - stp 244 | - ptn 245 | - xms 246 | - sfs 247 | - sss 248 | - sig 249 | Description_EN: The additional information 250 | Sample: 251 | - 'warning: fork: Resource temporarily unavailable' 252 | - 'pam_unix(cron:session): session opened for user root by (uid=0)' 253 | - "WinEvtLog: Application: AUDIT_FAILURE(18470): MSSQL$SA: (no user): no domain: 254 | EXAMPLE.com: Login failed for user 'example_user'. Reason: The account is disabled. 255 | [CLIENT: 10.10.10.10] " 256 | DL_Type: string 257 | DL_CommonKey: 258 | DL_Searchable: true 259 | DL_Aggregable: false 260 | - Name: fullPath 261 | ProductCode: 262 | - sds 263 | - sao 264 | - pdi 265 | - xns 266 | - pds 267 | - pts 268 | - sfs 269 | - sfc 270 | - sss 271 | - scs 272 | Description_EN: The combination of the file path and the file name 273 | Sample: 274 | - \etc\hosts 275 | - c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask 276 | - \var\log\auth.log 277 | DL_Type: string 278 | DL_CommonKey: 279 | - FileFullPath 280 | DL_Searchable: true 281 | DL_Aggregable: false 282 | - Name: scanType 283 | ProductCode: 284 | - sca 285 | - sem 286 | - sds 287 | - sao 288 | - pds 289 | - xms 290 | - sfs 291 | - sss 292 | - scs 293 | Description_EN: The scan type 294 | Sample: 295 | - realtime_mailmeta-exchange 296 | - exchange_mailbox_realtime_detection_logs 297 | - gateway_realtime_blocking_traffic 298 | - malware_schedule_image 299 | - malware_schedule_file 300 | - malware_realtime_image 301 | - malware_realtime_file 302 | DL_Type: string 303 | DL_CommonKey: 304 | DL_Searchable: true 305 | DL_Aggregable: false 306 | - Name: compressedFileSize 307 | ProductCode: 308 | - pdi 309 | - xns 310 | - sfs 311 | - sfc 312 | Description_EN: The file size of the decompressed archive file 313 | Sample: 314 | - '0' 315 | - '265314' 
316 | - '175864' 317 | DL_Type: string 318 | DL_CommonKey: 319 | DL_Searchable: true 320 | DL_Aggregable: false 321 | - Name: compressedFileType 322 | ProductCode: 323 | - pdi 324 | - xns 325 | - sfs 326 | - sfc 327 | - sss 328 | Description_EN: The file type of the decompressed archive file 329 | Sample: 330 | - EXE 331 | - JAVA 332 | - PDF 333 | DL_Type: string 334 | DL_CommonKey: 335 | DL_Searchable: true 336 | DL_Aggregable: false 337 | - Name: engType 338 | ProductCode: 339 | - sao 340 | - sfs 341 | Description_EN: The engine type 342 | Sample: 343 | - Virus Scan Engine (Windows XP/Server 2003, x64) 344 | - Virus Scan NT Kernel Engine 345 | - Spyware/Grayware Scan Engine v.6 (64-bit) 346 | DL_Type: string 347 | DL_CommonKey: 348 | DL_Searchable: true 349 | DL_Aggregable: false 350 | - Name: engVer 351 | ProductCode: 352 | - xes 353 | - sca 354 | - sao 355 | - sfs 356 | Description_EN: The engine version 357 | Sample: 358 | - 1.0.0.1123_1.0.0.1101 359 | - 9.0.1004 360 | - 22.540.1001 361 | DL_Type: string 362 | DL_CommonKey: 363 | DL_Searchable: true 364 | DL_Aggregable: false 365 | - Name: eventId 366 | ProductCode: 367 | - sds 368 | - pdi 369 | - xns 370 | - sao 371 | - pds 372 | - sca 373 | - xes 374 | - sem 375 | - pts 376 | - scs 377 | - xms 378 | - sfs 379 | - sfc 380 | - sss 381 | - ams 382 | - mns 383 | - ddr 384 | Description_EN: The event ID from the logs of each product 385 | Sample: 386 | - 100100 387 | - 100101 388 | - 100116 389 | - 100117 390 | - 100119 391 | DL_Type: string 392 | DL_CommonKey: 393 | DL_Searchable: true 394 | DL_Aggregable: true 395 | - Name: fileSize 396 | ProductCode: 397 | - pdi 398 | - xns 399 | - sig 400 | - sao 401 | - sfs 402 | - sfc 403 | - sss 404 | Description_EN: The file size of the suspicious file 405 | Sample: 406 | - '0' 407 | - '1255856' 408 | - '1237880' 409 | DL_Type: string 410 | DL_CommonKey: 411 | DL_Searchable: true 412 | DL_Aggregable: false 413 | - Name: fileType 414 | ProductCode: 415 | - pdi 416 | - xns 
417 | - sig 418 | - sfs 419 | - sfc 420 | - sss 421 | - scs 422 | Description_EN: The file type of the suspicious file 423 | Sample: 424 | - EXE 425 | - LNK 426 | - MIME 427 | DL_Type: string 428 | DL_CommonKey: 429 | DL_Searchable: true 430 | DL_Aggregable: false 431 | - Name: malFamily 432 | ProductCode: 433 | - pdi 434 | - xns 435 | - sao 436 | - sds 437 | - sfs 438 | Description_EN: The threat family 439 | Sample: 440 | - EQUATED 441 | - STARTER 442 | - '0' 443 | DL_Type: string 444 | DL_CommonKey: 445 | DL_Searchable: true 446 | DL_Aggregable: false 447 | - Name: malSubType 448 | ProductCode: 449 | - sao 450 | - sfs 451 | Description_EN: The subsidiary virus type 452 | Sample: 453 | - Unknown 454 | DL_Type: string 455 | DL_CommonKey: 456 | DL_Searchable: true 457 | DL_Aggregable: false 458 | - Name: malType 459 | ProductCode: 460 | - pdi 461 | - xns 462 | - sds 463 | - sao 464 | - pds 465 | - sfs 466 | - scs 467 | Description_EN: The risk type for Network Content Correlation Engine rules 468 | Sample: 469 | - OTHERS 470 | - MALWARE 471 | - Others 472 | DL_Type: string 473 | DL_CommonKey: 474 | DL_Searchable: true 475 | DL_Aggregable: false 476 | - Name: malTypeGroup 477 | ProductCode: 478 | - pdi 479 | - xns 480 | - sfs 481 | Description_EN: The risk type group for NCCE (Network Content Correlation 482 | Engine) rules. This field comes from NCCP (Network Content Correlation 483 | Pattern) rule type definitions. 
484 | Sample: 485 | - Others 486 | - Malware 487 | - Spyware 488 | DL_Type: string 489 | DL_CommonKey: 490 | DL_Searchable: true 491 | DL_Aggregable: false 492 | - Name: pver 493 | ProductCode: 494 | - sds 495 | - pdi 496 | - xns 497 | - pds 498 | - sao 499 | - ptp 500 | - stp 501 | - sig 502 | - ams 503 | - scs 504 | - sfs 505 | - sfc 506 | - sss 507 | Description_EN: The product version 508 | Sample: 509 | - 20.0.0.4726 510 | - 20.0.0.4416 511 | - 6.2.1125 512 | DL_Type: string 513 | DL_CommonKey: 514 | DL_Searchable: true 515 | DL_Aggregable: false 516 | - Name: confidence 517 | ProductCode: 518 | - sao 519 | - sfs 520 | Description_EN: The confidence rating returned from TrendX Hybrid Model 521 | (predictive machine learning). Values from 1-99. 522 | Sample: 523 | - 94 524 | DL_Type: int 525 | DL_CommonKey: 526 | DL_Searchable: false 527 | DL_Aggregable: false 528 | - Name: reportGUID 529 | ProductCode: 530 | - sca 531 | - sfs 532 | - pdi 533 | - xns 534 | Description_EN: The GUID for Workbench to request report page data 535 | Sample: 536 | - 00000000-0000-0000-0000-000000000000 537 | - 11111111-1111-1111-1111-111111111111 538 | - 22222222-2222-2222-2222-222222222222 539 | DL_Type: string 540 | DL_CommonKey: 541 | DL_Searchable: true 542 | DL_Aggregable: false 543 | - Name: customTags 544 | ProductCode: 545 | - scs 546 | - sfs 547 | Description_EN: The event tags 548 | Sample: 549 | - network 550 | - mitre_discovery 551 | DL_Type: dynamic 552 | DL_CommonKey: 553 | DL_Searchable: true 554 | DL_Aggregable: false 555 | -------------------------------------------------------------------------------- /doc/Container Activity Data.yaml: -------------------------------------------------------------------------------- 1 | - Name: endpointHostName 2 | ProductCode: 3 | - scs 4 | Description_EN: The host name of the container or node 5 | Sample: 6 | - PHILIPSIBE09 7 | - WHAM6WK8XG2 8 | - MacBook-Pro-del-Meno 9 | DL_Type: string 10 | DL_CommonKey: 11 | DL_Searchable: false 
12 | DL_Aggregable: false 13 | - Name: eventId 14 | ProductCode: 15 | - scs 16 | Description_EN: The event type 17 | Sample: [] 18 | DL_Type: int 19 | DL_CommonKey: 20 | DL_Searchable: true 21 | DL_Aggregable: true 22 | - Name: eventSubId 23 | ProductCode: 24 | - scs 25 | Description_EN: The access type 26 | Sample: 27 | - 2 - TELEMETRY_PROCESS_CREATE 28 | - 101 - TELEMETRY_FILE_CREATE 29 | - 204 - TELEMETRY_CONNECTION_CONNECT_OUTBOUND 30 | DL_Type: int 31 | DL_CommonKey: 32 | DL_Searchable: true 33 | DL_Aggregable: true 34 | - Name: eventTime 35 | ProductCode: 36 | - scs 37 | Description_EN: The time the agent detected the event 38 | Sample: 39 | - 1657781088000 40 | DL_Type: real 41 | DL_CommonKey: 42 | DL_Searchable: true 43 | DL_Aggregable: false 44 | - Name: objectFilePath 45 | ProductCode: 46 | - scs 47 | Description_EN: The file path of the target process image or target file 48 | Sample: 49 | - /usr/bin/bash 50 | - /bin/bash 51 | - /opt/folder1/probes/system/processes/processes 52 | DL_Type: string 53 | DL_CommonKey: 54 | - FileFullPath 55 | - FileName 56 | DL_Searchable: true 57 | DL_Aggregable: false 58 | - Name: srcFilePath 59 | ProductCode: 60 | - scs 61 | Description_EN: The source file path 62 | Sample: 63 | - \\cnva-apps\megaclockprod\traveler\travelerprint.accdb 64 | - c:\program files\common files\microsoft 65 | shared\clicktorun\officesvcmgrschedule.xml 66 | - q:\a7_dbs\a4_pkg\a4_packaging.accde 67 | DL_Type: string 68 | DL_CommonKey: 69 | - FileFullPath 70 | - FileName 71 | DL_Searchable: true 72 | DL_Aggregable: false 73 | - Name: tags 74 | ProductCode: 75 | - ALL 76 | - scs 77 | Description_EN: The detected ID based on the alert filter 78 | Sample: 79 | - MITREV9.T1057 80 | - MITREV9.T1059.003 81 | - XSAE.F2924 82 | DL_Type: dynamic 83 | DL_CommonKey: 84 | - Technique 85 | - Tactic 86 | DL_Searchable: true 87 | DL_Aggregable: true 88 | - Name: uuid 89 | ProductCode: 90 | - ALL 91 | Description_EN: The unique key of the log 92 | Sample: 93 | - 
11111111-1111-1111-1111-111111111111 94 | DL_Type: string 95 | DL_CommonKey: 96 | DL_Searchable: true 97 | DL_Aggregable: false 98 | - Name: productCode 99 | ProductCode: 100 | - ALL 101 | Description_EN: The internal product code 102 | Sample: 103 | - scs 104 | DL_Type: string 105 | DL_CommonKey: 106 | DL_Searchable: true 107 | DL_Aggregable: false 108 | - Name: filterRiskLevel 109 | ProductCode: 110 | - ALL 111 | Description_EN: Top-level risk level of the event 112 | Sample: 113 | - info 114 | - low 115 | - medium 116 | DL_Type: string 117 | DL_CommonKey: 118 | DL_Searchable: true 119 | DL_Aggregable: true 120 | - Name: eventSourceType 121 | ProductCode: 122 | - ALL 123 | Description_EN: The event source type 124 | Sample: 125 | - 8 - EVENT_SOURCE_CONTAINER_ACTIVITY 126 | DL_Type: int 127 | DL_CommonKey: 128 | DL_Searchable: true 129 | DL_Aggregable: false 130 | - Name: logReceivedTime 131 | ProductCode: 132 | - ALL 133 | Description_EN: The time when the XDR log was received 134 | Sample: 135 | - 1656324260000 136 | DL_Type: long 137 | DL_CommonKey: 138 | DL_Searchable: true 139 | DL_Aggregable: false 140 | - Name: pver 141 | ProductCode: 142 | - scs 143 | Description_EN: The product version 144 | Sample: 145 | - 1.2.0.2752 146 | - 1.0.345 147 | - 1.2.0.2657 148 | DL_Type: string 149 | DL_CommonKey: 150 | DL_Searchable: true 151 | DL_Aggregable: false 152 | - Name: groupId 153 | ProductCode: 154 | - ALL 155 | Description_EN: The group ID for the management scope filter 156 | Sample: 157 | - 11111111-1111-1111-1111-111111111111 158 | DL_Type: string 159 | DL_CommonKey: 160 | DL_Searchable: true 161 | DL_Aggregable: false 162 | - Name: clusterId 163 | ProductCode: 164 | - scs 165 | Description_EN: The cluster ID of the container 166 | Sample: 167 | - TestCluster-2HJdImvH6eO1fgTnCBK3xYA7Sph 168 | DL_Type: string 169 | DL_CommonKey: 170 | DL_Searchable: true 171 | DL_Aggregable: true 172 | - Name: clusterName 173 | ProductCode: 174 | - scs 175 | Description_EN: The 
cluster name of the container 176 | Sample: 177 | - TestCluster 178 | DL_Type: string 179 | DL_CommonKey: 180 | DL_Searchable: true 181 | DL_Aggregable: true 182 | - Name: k8sNamespace 183 | ProductCode: 184 | - scs 185 | Description_EN: The Kubernetes namespace of the container 186 | Sample: 187 | - default 188 | DL_Type: string 189 | DL_CommonKey: 190 | DL_Searchable: true 191 | DL_Aggregable: false 192 | - Name: k8sPodName 193 | ProductCode: 194 | - scs 195 | Description_EN: The Kubernetes pod name of the container 196 | Sample: 197 | - longrunl 198 | DL_Type: string 199 | DL_CommonKey: 200 | DL_Searchable: true 201 | DL_Aggregable: false 202 | - Name: k8sPodId 203 | ProductCode: 204 | - scs 205 | Description_EN: The Kubernetes pod ID of the container 206 | Sample: 207 | - 11111111-1111-1111-1111-111111111111 208 | DL_Type: string 209 | DL_CommonKey: 210 | DL_Searchable: true 211 | DL_Aggregable: false 212 | - Name: containerName 213 | ProductCode: 214 | - scs 215 | Description_EN: The Kubernetes container name 216 | Sample: 217 | - k8s_democon_longrunl_default_11111111-1111-1111-1111-111111111111_0 218 | DL_Type: string 219 | DL_CommonKey: 220 | DL_Searchable: true 221 | DL_Aggregable: true 222 | - Name: containerId 223 | ProductCode: 224 | - scs 225 | Description_EN: The Kubernetes container ID 226 | Sample: 227 | - 7d1e00176d78 228 | DL_Type: string 229 | DL_CommonKey: 230 | DL_Searchable: true 231 | DL_Aggregable: true 232 | - Name: containerImage 233 | ProductCode: 234 | - scs 235 | Description_EN: The Kubernetes container image 236 | Sample: 237 | - debian:latest 238 | DL_Type: string 239 | DL_CommonKey: 240 | DL_Searchable: true 241 | DL_Aggregable: false 242 | - Name: containerImageDigest 243 | ProductCode: 244 | - scs 245 | Description_EN: The Kubernetes container image digest 246 | Sample: 247 | - sha256:bfe6615d017d1eebe19f349669de58cda36c668ef916e618be78071513c690e5 248 | DL_Type: string 249 | DL_CommonKey: 250 | DL_Searchable: false 251 | 
DL_Aggregable: false 252 | - Name: ruleIdStr 253 | ProductCode: 254 | - scs 255 | Description_EN: The rule ID 256 | Sample: 257 | - TM-00000036 258 | DL_Type: string 259 | DL_CommonKey: 260 | DL_Searchable: false 261 | DL_Aggregable: false 262 | - Name: policyId 263 | ProductCode: 264 | - scs 265 | Description_EN: The policy ID 266 | Sample: 267 | - TestPolicy-2HJe25H4GY4upSuNNAG1pci2BIm 268 | DL_Type: string 269 | DL_CommonKey: 270 | DL_Searchable: false 271 | DL_Aggregable: false 272 | - Name: policyName 273 | ProductCode: 274 | - scs 275 | Description_EN: The name of the triggered policy 276 | Sample: 277 | - TestPolicy 278 | DL_Type: string 279 | DL_CommonKey: 280 | DL_Searchable: false 281 | DL_Aggregable: false 282 | - Name: processCmd 283 | ProductCode: 284 | - scs 285 | Description_EN: The command line entry of the subject process 286 | Sample: 287 | - C:\WINDOWS\system32\services.exe 288 | - C:\Windows\system32\services.exe 289 | - /sbin/launchd 290 | DL_Type: string 291 | DL_CommonKey: 292 | - CLICommand 293 | DL_Searchable: true 294 | DL_Aggregable: false 295 | - Name: parentCmd 296 | ProductCode: 297 | - scs 298 | Description_EN: The command line entry of the parent process 299 | Sample: 300 | - C:\WINDOWS\system32\services.exe 301 | - C:\Windows\system32\services.exe 302 | - /sbin/launchd 303 | DL_Type: string 304 | DL_CommonKey: 305 | - CLICommand 306 | DL_Searchable: true 307 | DL_Aggregable: false 308 | - Name: processFilePath 309 | ProductCode: 310 | - scs 311 | Description_EN: The file path of the subject process 312 | Sample: 313 | - c:\windows\system32\services.exe 314 | - /usr/bin/bash 315 | - c:\windows\system32\svchost.exe 316 | DL_Type: string 317 | DL_CommonKey: 318 | - ProcessFullPath 319 | DL_Searchable: true 320 | DL_Aggregable: false 321 | - Name: parentFilePath 322 | ProductCode: 323 | - scs 324 | Description_EN: The file path of the parent process 325 | Sample: 326 | - c:\windows\system32\services.exe 327 | - /usr/bin/bash 328 | - 
c:\windows\system32\svchost.exe 329 | DL_Type: string 330 | DL_CommonKey: 331 | - FileFullPath 332 | - FileName 333 | DL_Searchable: true 334 | DL_Aggregable: false 335 | - Name: processLaunchTime 336 | ProductCode: 337 | - scs 338 | Description_EN: The time the subject process was launched 339 | Sample: 340 | - '1653614773895' 341 | - '1656118625928' 342 | - '0' 343 | DL_Type: real 344 | DL_CommonKey: 345 | DL_Searchable: false 346 | DL_Aggregable: false 347 | - Name: processName 348 | ProductCode: 349 | - scs 350 | Description_EN: The image name of the process that triggered the event 351 | Sample: 352 | - /usr/bin/bash 353 | - c:\windows\system32\svchost.exe 354 | - c:\windows\system32\lsass.exe 355 | DL_Type: string 356 | DL_CommonKey: 357 | - ProcessName 358 | DL_Searchable: true 359 | DL_Aggregable: true 360 | - Name: parentName 361 | ProductCode: 362 | - scs 363 | Description_EN: The image name of the parent process 364 | Sample: 365 | - /usr/bin/bash 366 | - c:\windows\system32\svchost.exe 367 | - c:\windows\system32\lsass.exe 368 | DL_Type: string 369 | DL_CommonKey: 370 | DL_Searchable: false 371 | DL_Aggregable: false 372 | - Name: parentLaunchTime 373 | ProductCode: 374 | - scs 375 | Description_EN: The time when the parent process was launched 376 | Sample: 377 | - '1653614773895' 378 | - '1656118625928' 379 | - '0' 380 | DL_Type: real 381 | DL_CommonKey: 382 | DL_Searchable: false 383 | DL_Aggregable: false 384 | - Name: processPid 385 | ProductCode: 386 | - scs 387 | Description_EN: The PID of the subject process 388 | Sample: 389 | - 4 390 | - 1 391 | - 784 392 | - 792 393 | DL_Type: int 394 | DL_CommonKey: 395 | DL_Searchable: true 396 | DL_Aggregable: false 397 | - Name: parentPid 398 | ProductCode: 399 | - scs 400 | Description_EN: The PID of the parent process 401 | Sample: 402 | - 4 403 | - 1 404 | - 784 405 | - 792 406 | DL_Type: int 407 | DL_CommonKey: 408 | DL_Searchable: true 409 | DL_Aggregable: false 410 | - Name: dpt 411 | ProductCode: 
412 | - scs 413 | Description_EN: The destination port number 414 | Sample: [] 415 | DL_Type: int 416 | DL_CommonKey: 417 | - Port 418 | DL_Searchable: true 419 | DL_Aggregable: true 420 | - Name: dst 421 | ProductCode: 422 | - scs 423 | Description_EN: The destination IP address 424 | Sample: 425 | - '::' 426 | - 10.10.10.10 427 | DL_Type: string 428 | DL_CommonKey: 429 | - IPv4 430 | - IPv6 431 | DL_Searchable: true 432 | DL_Aggregable: true 433 | - Name: spt 434 | ProductCode: 435 | - scs 436 | Description_EN: The source port number 437 | Sample: 438 | - 53 439 | - 5353 440 | - 443 441 | DL_Type: int 442 | DL_CommonKey: 443 | - Port 444 | DL_Searchable: true 445 | DL_Aggregable: true 446 | - Name: src 447 | ProductCode: 448 | - scs 449 | Description_EN: The source IP address 450 | Sample: 451 | - '::' 452 | - 10.10.10.10 453 | DL_Type: string 454 | DL_CommonKey: 455 | - IPv4 456 | - IPv6 457 | DL_Searchable: true 458 | DL_Aggregable: true 459 | - Name: proto 460 | ProductCode: 461 | - scs 462 | Description_EN: The protocol type 463 | Sample: 464 | - TELEMETRY_CONNECTION_TCP 465 | - TELEMETRY_CONNECTION_UDP 466 | DL_Type: string 467 | DL_CommonKey: 468 | DL_Searchable: false 469 | DL_Aggregable: false 470 | - Name: objectUser 471 | ProductCode: 472 | - scs 473 | Description_EN: The owner name of the target process or the login user name 474 | Sample: 475 | - root 476 | - SYSTEM 477 | - oracle 478 | DL_Type: string 479 | DL_CommonKey: 480 | - UserAccount 481 | DL_Searchable: true 482 | DL_Aggregable: true 483 | - Name: osName 484 | ProductCode: 485 | - scs 486 | Description_EN: The host operating system name 487 | Sample: 488 | - Linux 489 | DL_Type: string 490 | DL_CommonKey: 491 | DL_Searchable: false 492 | DL_Aggregable: false 493 | - Name: customAssetTags 494 | ProductCode: 495 | - scs 496 | Description_EN: The list of custom asset tags 497 | Sample: 498 | - '{"os":["linux", "windows"], "org":["bu1"]}' 499 | DL_Type: dynamic 500 | DL_CommonKey: 501 | 
DL_Searchable: true 502 | DL_Aggregable: false 503 | - Name: platformAssetTags 504 | ProductCode: 505 | - scs 506 | Description_EN: The list of platform custom asset tags 507 | Sample: 508 | - '{"Asset group":["finance"], "some.ip": ["10.1.0.1"]}' 509 | DL_Type: dynamic 510 | DL_CommonKey: 511 | DL_Searchable: true 512 | DL_Aggregable: false 513 | -------------------------------------------------------------------------------- /pages/Endpoint/Trend Micro Apex One On-Premises.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | title: Trend Micro Apex One On-Premises - Endpoint 4 | --- 5 | 6 | # Trend Micro Apex One On-Premises 7 | **Layer:** Endpoint 8 | 9 | This documentation provides detailed information about all fields available for Trend Micro Apex One On-Premises. 10 | 11 | 188 | 189 |
Field Name | Type | Searchable | General Field | Description | Example | Products
detectionMetadynamictrue-The descriptions of the detected techniques['T1204 some description about this technique', 'T1573.001_AES another description about this technique'] 212 |
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
detectionNamesdynamictrue-The rules that triggered the event['HS_EMOTET.SMAA', 'HM_AVEDOWN.SMZTIG-A', 'HE_DOCQRPHISH.SM'] 228 |
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
objectSignerFlagsAdhocdynamictrue-The list of object process signature adhoc flags- 244 |
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
objectSignerFlagsLibValiddynamictrue-The list of object process signature library validation flags- 259 |
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
objectSignerFlagsRuntimedynamictrue-The list of object process signature runtime flags- 274 |
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
parentSignerFlagsAdhocdynamictrue-The list of parent process signature adhoc flags- 289 |
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
parentSignerFlagsLibValiddynamictrue-The list of parent process signature library validation flags- 304 |
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
parentSignerFlagsRuntimedynamictrue-The list of parent process signature runtime flags- 319 |
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
processSignerFlagsAdhocdynamictrue-The list of process signature adhoc flags- 334 |
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
processSignerFlagsLibValiddynamictrue-The list of process signature library validation flags- 349 |
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
processSignerFlagsRuntimedynamictrue-The list of process signature runtime flags- 364 |
  • Endpoint Sensor
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
quarantineFileIdstringtrue-The unique identifier of the quarantined objectASLUMVS0.4FC 379 |
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
quarantineFilePathstringtrueFileFullPathThe file path of the quarantined objectC:\ProgramData\Trend Micro\AMSP\quarantine\ASLUMVS0.4FC 395 |
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
quarantineFileSha256stringtrueFileSHA2The SHA-256 of the quarantined object84B2FA19B05EA88D6E785B4ADB528120485AA3F72F3E5E114DE6D3696B0D151F 411 |
  • Trend Micro Apex One as a Service
  • Trend Micro Apex One On-Premises
  • Trend Cloud One - Endpoint & Workload Security
  • Trend Micro Deep Security
422 | 423 | ## Field Statistics 424 | - **Total Fields:** 14 425 | - **Layer:** Endpoint 426 | - **Product:** Trend Micro Apex One On-Premises 427 | 428 | --- 429 | *Generated by XDR Common Schema Public Doc Generator V2* 430 | -------------------------------------------------------------------------------- /doc_v2/Endpoint/Data Detection and Response.yaml: -------------------------------------------------------------------------------- 1 | - Name: endpointHostName 2 | ProductCode: 3 | - sds 4 | - pds 5 | - sao 6 | - xes 7 | - sig 8 | - ams 9 | - szn 10 | - pts 11 | - scs 12 | - sss 13 | - ddr 14 | Description_EN: The endpoint hostname or node where the event was detected 15 | Sample: 16 | - 10.10.10.10 (swpos-aws-aza02) [i-0f0f0f0f0f0f0f0f0] 17 | - ip-10-10-10-10.us-west-1.compute.internal 18 | DL_Type: string 19 | DL_CommonKey: 20 | - EndpointName 21 | DL_Searchable: true 22 | DL_Aggregable: true 23 | - Name: endpointGUID 24 | ProductCode: 25 | - sds 26 | - sao 27 | - pds 28 | - xes 29 | - sig 30 | - ams 31 | - szn 32 | - pts 33 | - scs 34 | - ddr 35 | Description_EN: The GUID of the agent which reported the detection 36 | Sample: 37 | - ae4d64aa-f8b8-bb36-b265-f59272ed342f 38 | - 8fb979f6-1376-bed3-227f-f2886e66194e 39 | - ca2b3a7e-8415-c571-cc19-e45f69470026 40 | DL_Type: string 41 | DL_CommonKey: 42 | - EndpointID 43 | DL_Searchable: true 44 | DL_Aggregable: true 45 | - Name: endpointIp 46 | ProductCode: 47 | - sds 48 | - pds 49 | - sao 50 | - ptp 51 | - stp 52 | - ptn 53 | - sss 54 | - ddr 55 | Description_EN: The IP address of the endpoint on which the event was detected 56 | Sample: 57 | - 10.10.10.10 58 | DL_Type: dynamic 59 | DL_CommonKey: 60 | - IPv4 61 | - IPv6 62 | DL_Searchable: true 63 | DL_Aggregable: true 64 | - Name: fileHash 65 | ProductCode: 66 | - sds 67 | - pdi 68 | - xns 69 | - pds 70 | - sao 71 | - sig 72 | - sfs 73 | - sfc 74 | - sss 75 | - ddr 76 | Description_EN: The SHA-1 of the file that triggered the rule or policy 77 | Sample: 78 | - 
DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 79 | - 89CE26EAD139D52B8A6B61BFFC6AF89AF246580F 80 | - 3AD1F4E7CAA11E5199EE80B8983677ADDD065450 81 | DL_Type: string 82 | DL_CommonKey: 83 | - FileSHA1 84 | DL_Searchable: true 85 | DL_Aggregable: true 86 | - Name: ruleName 87 | ProductCode: 88 | - sds 89 | - pdi 90 | - xns 91 | - sao 92 | - pds 93 | - sca 94 | - ptp 95 | - xes 96 | - sem 97 | - stp 98 | - szn 99 | - scs 100 | - xms 101 | - mns 102 | - ddr 103 | Description_EN: The name of the rule that triggered the event 104 | Sample: 105 | - Directory Server - Microsoft Windows Active Directory 106 | - Microsoft Windows Events 107 | - Microsoft Windows Security Events - 3 108 | - (T1234) New executable created (chmod) 109 | - Sensitive Files Upload to Personal Cloud 110 | - Multiple Sensitive Files Compression 111 | - Transfer Sensitive Files to Removable Storage 112 | - Move Multiple Sensitive Files to Central Location 113 | - Multiple Sensitive Files Modification 114 | - Multiple Sensitive Files Deletion 115 | - GEN_CCFR_OVERLAY_TEST.A 116 | DL_Type: string 117 | DL_CommonKey: 118 | DL_Searchable: true 119 | DL_Aggregable: true 120 | - Name: eventName 121 | ProductCode: 122 | - sds 123 | - pdi 124 | - xns 125 | - sao 126 | - pds 127 | - ptp 128 | - sca 129 | - sem 130 | - xes 131 | - stp 132 | - sig 133 | - ptn 134 | - szn 135 | - pts 136 | - xms 137 | - sfs 138 | - sfc 139 | - sss 140 | - ams 141 | - mns 142 | - ddr 143 | Description_EN: The event type 144 | Sample: 145 | - LOG_INSPECTION_EVENT 146 | - SECURITY_RISK_DETECTION 147 | - WEB_THREAT_DETECTION 148 | - LOG_INSPECTION_EVENT 149 | - MALWARE_DETECTION 150 | - PROCESS_ACTIVITY 151 | - WEB_POLICY_VIOLATION 152 | - DEEP_PACKET_INSPECTION_EVENT 153 | - INTEGRITY_MONITORING_EVENT 154 | - DISRUPTIVE_APPLICATION_DETECTION 155 | - PRODUCT_SUMMARY 156 | - PRODUCT_UPDATE 157 | - BEHAVIORAL_VIOLATION 158 | - FIREWALL_POLICY_VIOLATION 159 | - SUSPICIOUS_BEHAVIOUR_DETECTION 160 | - DENYLIST_CHANGE 161 | - 
MACHINE_LEARNING_DETECTION 162 | - DLP_VIOLATION 163 | - MALWARE_OUTBREAK_DETECTION 164 | - SENSITIVE_DATA_DETECTION 165 | DL_Type: string 166 | DL_CommonKey: 167 | DL_Searchable: true 168 | DL_Aggregable: true 169 | - Name: aggregatedCount 170 | ProductCode: 171 | - pdi 172 | - xns 173 | - sao 174 | - ptp 175 | - sws 176 | - stp 177 | - sig 178 | - pts 179 | - ddr 180 | - sds 181 | Description_EN: The number of aggregated events 182 | Sample: 183 | - '1' 184 | - '2' 185 | - '3' 186 | DL_Type: string 187 | DL_CommonKey: 188 | DL_Searchable: true 189 | DL_Aggregable: false 190 | - Name: eventId 191 | ProductCode: 192 | - sds 193 | - pdi 194 | - xns 195 | - sao 196 | - pds 197 | - sca 198 | - xes 199 | - sem 200 | - pts 201 | - scs 202 | - xms 203 | - sfs 204 | - sfc 205 | - sss 206 | - ams 207 | - mns 208 | - ddr 209 | Description_EN: The event ID from the logs of each product 210 | Sample: 211 | - 100100 212 | - 100101 213 | - 100116 214 | - 100117 215 | - 100119 216 | DL_Type: string 217 | DL_CommonKey: 218 | DL_Searchable: true 219 | DL_Aggregable: true 220 | - Name: osName 221 | ProductCode: 222 | - sig 223 | - ams 224 | - szn 225 | - ddr 226 | - sss 227 | Description_EN: The host OS name 228 | Sample: 229 | - Linux 230 | - windows 10.0.22000 231 | - windows 10.0.19044 232 | - windows 10.0.19043 233 | DL_Type: string 234 | DL_CommonKey: 235 | DL_Searchable: true 236 | DL_Aggregable: false 237 | - Name: firstSeen 238 | ProductCode: 239 | - sca 240 | - pts 241 | - ddr 242 | Description_EN: The first time the XDR log appeared 243 | Sample: 244 | - 1657195233000 245 | DL_Type: string 246 | DL_CommonKey: 247 | DL_Searchable: true 248 | DL_Aggregable: false 249 | - Name: lastSeen 250 | ProductCode: 251 | - sca 252 | - pts 253 | - ddr 254 | Description_EN: The last time the XDR log appeared 255 | Sample: 256 | - 1657195233000 257 | DL_Type: string 258 | DL_CommonKey: 259 | DL_Searchable: true 260 | DL_Aggregable: false 261 | - Name: osVer 262 | ProductCode: 263 | - ams 
264 | - szn 265 | - ddr 266 | Description_EN: The OS version 267 | Sample: 268 | - '11' 269 | DL_Type: string 270 | DL_CommonKey: 271 | DL_Searchable: true 272 | DL_Aggregable: false 273 | - Name: logonUsers 274 | ProductCode: 275 | - ALL 276 | - ddr 277 | Description_EN: The logonUsers value of the original telemetry events that 278 | matched the Security Analytics Engine filter 279 | Sample: 280 | - BHBShortJ 281 | DL_Type: dynamic 282 | DL_CommonKey: 283 | DL_Searchable: true 284 | DL_Aggregable: false 285 | - Name: duration 286 | ProductCode: 287 | - ddr 288 | Description_EN: The detection interval (in milliseconds) 289 | Sample: 290 | - 300000 291 | DL_Type: string 292 | DL_CommonKey: 293 | DL_Searchable: true 294 | DL_Aggregable: false 295 | - Name: aggregateUnit 296 | ProductCode: 297 | - ddr 298 | Description_EN: The metric unit 299 | Sample: 300 | - file 301 | DL_Type: string 302 | DL_CommonKey: 303 | DL_Searchable: true 304 | DL_Aggregable: false 305 | - Name: aggregateFunction 306 | ProductCode: 307 | - ddr 308 | Description_EN: The metric aggregator 309 | Sample: 310 | - 0 - sum 311 | - 1 - avg 312 | DL_Type: int 313 | DL_CommonKey: 314 | DL_Searchable: true 315 | DL_Aggregable: false 316 | - Name: uuids 317 | ProductCode: 318 | - ddr 319 | Description_EN: The UUIDs of detection records 320 | Sample: 321 | - [00000000-0000-0000-0000-000000000000] 322 | DL_Type: dynamic 323 | DL_CommonKey: 324 | DL_Searchable: true 325 | DL_Aggregable: false 326 | - Name: lineageId 327 | ProductCode: 328 | - ddr 329 | Description_EN: The lineage ID 330 | Sample: 331 | - 00000000-0000-0000-0000-000000000000 332 | - 11111111-1111-1111-1111-111111111111 333 | - 22222222-2222-2222-2222-222222222222 334 | DL_Type: string 335 | DL_CommonKey: 336 | DL_Searchable: true 337 | DL_Aggregable: false 338 | - Name: matchedPolicies 339 | ProductCode: 340 | - ddr 341 | Description_EN: The matched policies of detection records 342 | Sample: 343 | - 
[00000000-0000-0000-0000-000000000000] 344 | DL_Type: dynamic 345 | DL_CommonKey: 346 | DL_Searchable: true 347 | DL_Aggregable: false 348 | - Name: detectionFileList 349 | ProductCode: 350 | - ddr 351 | Description_EN: The information about the related files 352 | Sample: 353 | - '{"fileName": "sample.txt", "edgeId": "00000000-0000-0000-0000-000000000000"}' 354 | DL_Type: dynamic 355 | DL_Searchable: true 356 | DL_Aggregable: false 357 | - Name: objectUser 358 | ProductCode: 359 | - sds 360 | - xes 361 | - sao 362 | - ddr 363 | Description_EN: The owner name of the target process or the login user name 364 | Sample: 365 | - root 366 | - SYSTEM 367 | - oracle 368 | DL_Type: string 369 | DL_CommonKey: 370 | - UserAccount 371 | DL_Searchable: true 372 | DL_Aggregable: true 373 | - Name: dpt 374 | ProductCode: 375 | - sds 376 | - xes 377 | - sao 378 | - ddr 379 | Description_EN: The destination port number 380 | Sample: [] 381 | DL_Type: int 382 | DL_CommonKey: 383 | - Port 384 | DL_Searchable: true 385 | DL_Aggregable: true 386 | - Name: dst 387 | ProductCode: 388 | - sds 389 | - xes 390 | - sao 391 | - ddr 392 | Description_EN: The destination IP address 393 | Sample: 394 | - '::' 395 | - 10.10.10.10 396 | DL_Type: string 397 | DL_CommonKey: 398 | - IPv4 399 | - IPv6 400 | DL_Searchable: true 401 | DL_Aggregable: true 402 | - Name: spt 403 | ProductCode: 404 | - sds 405 | - xes 406 | - sao 407 | - ddr 408 | Description_EN: The source port number 409 | Sample: 410 | - 53 411 | - 5353 412 | - 443 413 | DL_Type: int 414 | DL_CommonKey: 415 | - Port 416 | DL_Searchable: true 417 | DL_Aggregable: true 418 | - Name: src 419 | ProductCode: 420 | - sds 421 | - xes 422 | - sao 423 | - ddr 424 | Description_EN: The source address 425 | Sample: 426 | - '::' 427 | - 10.10.10.10 428 | DL_Type: string 429 | DL_CommonKey: 430 | - IPv4 431 | - IPv6 432 | DL_Searchable: true 433 | DL_Aggregable: true 434 | - Name: objectFileSize 435 | ProductCode: 436 | - xes 437 | - sao 438 | - sds 
439 | - ddr 440 | Description_EN: The file size of the object file 441 | Sample: 442 | - 0 443 | - 59456 444 | - 60 445 | DL_Type: string 446 | DL_CommonKey: 447 | DL_Searchable: true 448 | DL_Aggregable: false 449 | - Name: srcFileSize 450 | ProductCode: 451 | - xes 452 | - sao 453 | - sds 454 | - ddr 455 | Description_EN: The file size of the source file 456 | Sample: 457 | - '0' 458 | - '131072' 459 | - '196608' 460 | DL_Type: string 461 | DL_CommonKey: 462 | DL_Searchable: true 463 | DL_Aggregable: false 464 | - Name: ruleIdStr 465 | ProductCode: 466 | - ddr 467 | Description_EN: The rule ID 468 | Sample: 469 | - 0000000-0000-0000-0000-000000000000 470 | DL_Type: string 471 | DL_CommonKey: 472 | DL_Searchable: true 473 | DL_Aggregable: false 474 | - Name: objectUri 475 | ProductCode: 476 | - ddr 477 | Description_EN: Path of target file 478 | Sample: 479 | - C://path/of/file.txt 480 | DL_Type: string 481 | DL_CommonKey: 482 | DL_Searchable: true 483 | DL_Aggregable: false 484 | - Name: objectFileHash 485 | ProductCode: 486 | - ddr 487 | Description_EN: The cryptographic hash of the target process image or file, 488 | with the specific hash algorithm to be determined 489 | Sample: 490 | - 1ca71017d2fa4775253670e1e55e26912bfdc156 491 | DL_Type: string 492 | DL_CommonKey: 493 | DL_Searchable: true 494 | DL_Aggregable: false 495 | - Name: objectServiceType 496 | ProductCode: 497 | - ddr 498 | Description_EN: Type of target file 499 | Sample: 500 | - local 501 | - smb 502 | - web 503 | DL_Type: string 504 | DL_CommonKey: 505 | DL_Searchable: true 506 | DL_Aggregable: false 507 | - Name: srcUri 508 | ProductCode: 509 | - ddr 510 | Description_EN: Path of source file 511 | Sample: 512 | - C://path/of/file.txt 513 | DL_Type: string 514 | DL_CommonKey: 515 | DL_Searchable: true 516 | DL_Aggregable: false 517 | - Name: srcFileHash 518 | ProductCode: 519 | - ddr 520 | Description_EN: The cryptographic hash of the source process image or file, 521 | with the specific hash 
algorithm to be determined. 522 | Sample: 523 | - 1ca71017d2fa4775253670e1e55e26912bfdc156 524 | DL_Type: string 525 | DL_CommonKey: 526 | DL_Searchable: true 527 | DL_Aggregable: false 528 | - Name: srcServiceType 529 | ProductCode: 530 | - ddr 531 | Description_EN: Type of source file 532 | Sample: 533 | - local 534 | - smb 535 | - web 536 | DL_Type: string 537 | DL_CommonKey: 538 | DL_Searchable: true 539 | DL_Aggregable: false 540 | - Name: srcUser 541 | ProductCode: 542 | - ddr 543 | Description_EN: The owner name of the source process or the login user name 544 | Sample: 545 | - root 546 | - SYSTEM 547 | - oracle 548 | DL_Type: string 549 | DL_CommonKey: 550 | DL_Searchable: true 551 | DL_Aggregable: false 552 | - Name: policyIds 553 | ProductCode: 554 | - ddr 555 | Description_EN: The Ids of DDR’s data policy 556 | Sample: 557 | - 11111111-1111-1111-1111-111111111111 558 | DL_Type: string 559 | DL_CommonKey: 560 | DL_Searchable: true 561 | DL_Aggregable: false 562 | - Name: metaSrcExtra 563 | ProductCode: 564 | - ddr 565 | Description_EN: The meta for identifying the source of events 566 | Sample: 567 | - "[{'metaSrcUri': ...]" 568 | DL_Type: string 569 | DL_CommonKey: 570 | DL_Searchable: true 571 | DL_Aggregable: false 572 | -------------------------------------------------------------------------------- /pages/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: default 3 | title: TM V1 Schema (Commercial) - Field Documentation Index 4 | --- 5 | 6 | # TM V1 Schema (Commercial) 7 | ## Field Documentation Index 8 | 9 | This page provides links to detailed field documentation for all products organized by layer. 10 | 11 | 113 | 114 | 115 |
116 |

📊 Documentation Summary

117 |
118 |
119 | 6 120 |
Layers
121 |
122 |
123 | 30 124 |
Products
125 |
126 |
127 | 2786 128 |
Total Fields
129 |
130 |
131 |
132 | 133 | ## 📋 Products by Layer 134 | 135 | 136 | 181 | 182 | 219 | 220 | 273 | 274 | 295 | 296 | 365 | 366 | 411 | 412 | --- 413 | 414 | ## 🔗 Quick Navigation 415 | 416 | - **Browse by Layer**: Use the sections above to find products within specific layers 417 | - **Field Count**: Each product shows the number of documented fields 418 | - **Direct Links**: Click on any product name to view its detailed field documentation 419 | 420 | **Last Updated**: TM V1 Schema (Commercial) documentation 421 | **Generated**: By XDR Common Schema Public Doc Generator V2 422 | 423 | --- 424 | *This index was automatically generated from the XDR Common Schema documentation.* 425 | -------------------------------------------------------------------------------- /doc_v2/Network/Mobile Network Security.yaml: -------------------------------------------------------------------------------- 1 | - Name: shost 2 | ProductCode: 3 | - sds 4 | - pdi 5 | - xns 6 | - pds 7 | - mns 8 | Description_EN: The source hostname 9 | Sample: 10 | - dns.google 11 | - sw_us-east-1a_10-124-17-69 12 | - sw_us-east-1c_10-124-21-139 13 | DL_Type: string 14 | DL_CommonKey: 15 | - DomainName 16 | DL_Searchable: true 17 | DL_Aggregable: false 18 | - Name: dhost 19 | ProductCode: 20 | - pdi 21 | - xns 22 | - mns 23 | Description_EN: The destination hostname 24 | Sample: 25 | - 10.10.10.10 26 | DL_Type: string 27 | DL_CommonKey: 28 | - DomainName 29 | DL_Searchable: true 30 | DL_Aggregable: false 31 | - Name: category 32 | ProductCode: 33 | - ptp 34 | - mns 35 | - sds 36 | Description_EN: The event category 37 | Sample: 38 | - Exploits 39 | - Reconnaissance 40 | - Vulnerabilities 41 | - Security Policy 42 | DL_Type: string 43 | DL_CommonKey: 44 | DL_Searchable: true 45 | DL_Aggregable: true 46 | - Name: src 47 | ProductCode: 48 | - pdi 49 | - xns 50 | - sao 51 | - sds 52 | - ptp 53 | - pds 54 | - stp 55 | - xes 56 | - sig 57 | - ptn 58 | - szn 59 | - scs 60 | - mns 61 | Description_EN: The source IP 62 | 
Sample: 63 | - 10.10.10.10 64 | DL_Type: dynamic 65 | DL_CommonKey: 66 | - IPv4 67 | - IPv6 68 | DL_Searchable: true 69 | DL_Aggregable: true 70 | - Name: dst 71 | ProductCode: 72 | - pdi 73 | - xns 74 | - sao 75 | - sds 76 | - ptp 77 | - pds 78 | - stp 79 | - xes 80 | - sig 81 | - ptn 82 | - szn 83 | - scs 84 | - mns 85 | Description_EN: The destination IP 86 | Sample: 87 | - 10.10.10.10 88 | DL_Type: dynamic 89 | DL_CommonKey: 90 | - IPv4 91 | - IPv6 92 | DL_Searchable: true 93 | DL_Aggregable: true 94 | - Name: dpt 95 | ProductCode: 96 | - pdi 97 | - xns 98 | - sao 99 | - sds 100 | - ptp 101 | - pds 102 | - stp 103 | - xes 104 | - ptn 105 | - szn 106 | - scs 107 | - mns 108 | Description_EN: The destination port 109 | Sample: 110 | - 0 111 | - 445 112 | - 80 113 | DL_Type: int 114 | DL_CommonKey: 115 | - Port 116 | DL_Searchable: true 117 | DL_Aggregable: true 118 | - Name: spt 119 | ProductCode: 120 | - pdi 121 | - xns 122 | - sao 123 | - sds 124 | - ptp 125 | - pds 126 | - stp 127 | - xes 128 | - ptn 129 | - szn 130 | - scs 131 | - mns 132 | Description_EN: The source port 133 | Sample: 134 | - 53 135 | - 0 136 | - 7680 137 | DL_Type: int 138 | DL_CommonKey: 139 | - Port 140 | DL_Searchable: true 141 | DL_Aggregable: true 142 | - Name: ruleName 143 | ProductCode: 144 | - sds 145 | - pdi 146 | - xns 147 | - sao 148 | - pds 149 | - sca 150 | - ptp 151 | - xes 152 | - sem 153 | - stp 154 | - szn 155 | - scs 156 | - xms 157 | - mns 158 | - ddr 159 | Description_EN: The name of the rule that triggered the event 160 | Sample: 161 | - Directory Server - Microsoft Windows Active Directory 162 | - Microsoft Windows Events 163 | - Microsoft Windows Security Events - 3 164 | - (T1234) New executable created (chmod) 165 | - Sensitive Files Upload to Personal Cloud 166 | - Multiple Sensitive Files Compression 167 | - Transfer Sensitive Files to Removable Storage 168 | - Move Multiple Sensitive Files to Central Location 169 | - Multiple Sensitive Files Modification 170 | - 
Multiple Sensitive Files Deletion 171 | - GEN_CCFR_OVERLAY_TEST.A 172 | DL_Type: string 173 | DL_CommonKey: 174 | DL_Searchable: true 175 | DL_Aggregable: true 176 | - Name: ruleId 177 | ProductCode: 178 | - sds 179 | - pdi 180 | - xns 181 | - pds 182 | - sao 183 | - mns 184 | Description_EN: The rule ID 185 | Sample: 186 | - 1002795 187 | - 1003802 188 | DL_Type: int 189 | DL_CommonKey: 190 | DL_Searchable: true 191 | DL_Aggregable: false 192 | - Name: eventName 193 | ProductCode: 194 | - sds 195 | - pdi 196 | - xns 197 | - sao 198 | - pds 199 | - ptp 200 | - sca 201 | - sem 202 | - xes 203 | - stp 204 | - sig 205 | - ptn 206 | - szn 207 | - pts 208 | - xms 209 | - sfs 210 | - sfc 211 | - sss 212 | - ams 213 | - mns 214 | - ddr 215 | Description_EN: The event type 216 | Sample: 217 | - LOG_INSPECTION_EVENT 218 | - SECURITY_RISK_DETECTION 219 | - WEB_THREAT_DETECTION 220 | - LOG_INSPECTION_EVENT 221 | - MALWARE_DETECTION 222 | - PROCESS_ACTIVITY 223 | - WEB_POLICY_VIOLATION 224 | - DEEP_PACKET_INSPECTION_EVENT 225 | - INTEGRITY_MONITORING_EVENT 226 | - DISRUPTIVE_APPLICATION_DETECTION 227 | - PRODUCT_SUMMARY 228 | - PRODUCT_UPDATE 229 | - BEHAVIORAL_VIOLATION 230 | - FIREWALL_POLICY_VIOLATION 231 | - SUSPICIOUS_BEHAVIOUR_DETECTION 232 | - DENYLIST_CHANGE 233 | - MACHINE_LEARNING_DETECTION 234 | - DLP_VIOLATION 235 | - MALWARE_OUTBREAK_DETECTION 236 | - SENSITIVE_DATA_DETECTION 237 | DL_Type: string 238 | DL_CommonKey: 239 | DL_Searchable: true 240 | DL_Aggregable: true 241 | - Name: act 242 | ProductCode: 243 | - scs 244 | - pdi 245 | - xns 246 | - sao 247 | - sds 248 | - sca 249 | - ptp 250 | - xes 251 | - sws 252 | - sem 253 | - pds 254 | - stp 255 | - sig 256 | - ptn 257 | - szn 258 | - xms 259 | - ams 260 | - mns 261 | - sss 262 | Description_EN: The actions taken to mitigate the event 263 | Sample: 264 | - log 265 | - isolate 266 | - terminate 267 | - not blocked 268 | - Block 269 | - No action 270 | - Reset 271 | - Pass 272 | - User Decision 273 | DL_Type: 
dynamic 274 | DL_CommonKey: 275 | DL_Searchable: true 276 | DL_Aggregable: true 277 | - Name: malSrc 278 | ProductCode: 279 | - sao 280 | - mns 281 | Description_EN: The malware infection source 282 | Sample: 283 | - \\10.172.1.33\kortiz 284 | - \\10.240.0.148\wbind 285 | - \\10.240.1.69\MT26933059 286 | DL_Type: string 287 | DL_CommonKey: 288 | - FileFullPath 289 | DL_Searchable: true 290 | DL_Aggregable: false 291 | - Name: severity 292 | ProductCode: 293 | - sds 294 | - pdi 295 | - xns 296 | - pds 297 | - sao 298 | - ptp 299 | - stp 300 | - scs 301 | - mns 302 | Description_EN: The severity of the event 303 | Sample: 304 | - 2 305 | - 4 306 | - 6 307 | - 8 308 | DL_Type: int 309 | DL_CommonKey: 310 | DL_Searchable: true 311 | DL_Aggregable: true 312 | - Name: policyName 313 | ProductCode: 314 | - sao 315 | - sca 316 | - sws 317 | - sem 318 | - sig 319 | - ptn 320 | - scs 321 | - mns 322 | Description_EN: The name of the triggered policy 323 | Sample: 324 | - Steelcase 325 | - Cabot 326 | - Tigre - Medium Policy 327 | - apiPostedPolicy 328 | DL_Type: string 329 | DL_CommonKey: 330 | DL_Searchable: true 331 | DL_Aggregable: false 332 | - Name: cnt 333 | ProductCode: 334 | - pdi 335 | - xns 336 | - ptn 337 | - mns 338 | Description_EN: The total number of logs 339 | Sample: 340 | - '1' 341 | - '2' 342 | - '3' 343 | DL_Type: string 344 | DL_CommonKey: 345 | DL_Searchable: true 346 | DL_Aggregable: false 347 | - Name: dOSName 348 | ProductCode: 349 | - pdi 350 | - xns 351 | - mns 352 | Description_EN: The destination host OS 353 | Sample: 354 | - Windows 355 | - Windows 10 356 | - Android 357 | DL_Type: string 358 | DL_CommonKey: 359 | DL_Searchable: true 360 | DL_Aggregable: false 361 | - Name: dstGroup 362 | ProductCode: 363 | - pdi 364 | - xns 365 | - mns 366 | Description_EN: The group name defined by the administrator of the destination 367 | Sample: 368 | - Default 369 | - Data Center Services DL_Deployed Block 370 | - Rede Wifi Visitantes-Pacientes 371 | 
DL_Type: string 372 | DL_CommonKey: 373 | DL_Searchable: true 374 | DL_Aggregable: false 375 | - Name: eventId 376 | ProductCode: 377 | - sds 378 | - pdi 379 | - xns 380 | - sao 381 | - pds 382 | - sca 383 | - xes 384 | - sem 385 | - pts 386 | - scs 387 | - xms 388 | - sfs 389 | - sfc 390 | - sss 391 | - ams 392 | - mns 393 | - ddr 394 | Description_EN: The event ID from the logs of each product 395 | Sample: 396 | - 100100 397 | - 100101 398 | - 100116 399 | - 100117 400 | - 100119 401 | DL_Type: string 402 | DL_CommonKey: 403 | DL_Searchable: true 404 | DL_Aggregable: true 405 | - Name: proto 406 | ProductCode: 407 | - sds 408 | - pds 409 | - ptn 410 | - scs 411 | - mns 412 | - sao 413 | Description_EN: The exploited layer network protocol 414 | Sample: 415 | - '6' 416 | - TCP 417 | - '17' 418 | DL_Type: string 419 | DL_CommonKey: 420 | DL_Searchable: true 421 | DL_Aggregable: false 422 | - Name: sOSName 423 | ProductCode: 424 | - pdi 425 | - xns 426 | - mns 427 | Description_EN: The source OS 428 | Sample: 429 | - Windows 430 | - Windows 10 431 | - Windows XP 432 | DL_Type: string 433 | DL_CommonKey: 434 | DL_Searchable: true 435 | DL_Aggregable: false 436 | - Name: srcGroup 437 | ProductCode: 438 | - pdi 439 | - xns 440 | - mns 441 | Description_EN: The group name defined by the administrator of the source 442 | Sample: 443 | - Default 444 | - Rede DATACENTER example/example - AD example CORP 445 | DL_Type: string 446 | DL_CommonKey: 447 | DL_Searchable: true 448 | DL_Aggregable: false 449 | - Name: vLANId 450 | ProductCode: 451 | - pdi 452 | - xns 453 | - ptn 454 | - mns 455 | - ptp 456 | Description_EN: The virtual LAN ID 457 | Sample: [] 458 | DL_Type: int 459 | DL_CommonKey: 460 | DL_Searchable: false 461 | DL_Aggregable: false 462 | - Name: instanceId 463 | ProductCode: 464 | - sao 465 | - xes 466 | - sds 467 | - sss 468 | - mns 469 | Description_EN: The ID of the instance that indicates the meta-cloud or data 470 | center VM 471 | Sample: 472 | - 
52294e7b-f732-c6e9-b2c3-7a6b6f50d101 473 | - 00030912-c5e7-4348-9012-7c684751c531 474 | - 0008ae58-db0c-34ee-3e5c-5dfc9b10a739 475 | - i-0b22a22eec53b9321 476 | - /subscriptions/bae4f362-e3a0-482f-ba7a-f883d8b410ce/resourceGroups/avtd-csf-sg-lzniibr0/providers/Microsoft.Compute/virtualMachines/avtd-csf-scanner-lzniibr0 477 | - ocid1.instance.oc1.us-ashburn-1.an2g6ljrgs553pqcjuokzvvwpmwxh564f6f5sx3jpi2sowt6as44uejmsrzq 478 | DL_Type: string 479 | DL_CommonKey: 480 | DL_Searchable: true 481 | DL_Aggregable: false 482 | - Name: instanceName 483 | ProductCode: 484 | - mns 485 | Description_EN: The name of the instance that indicates the meta-cloud or data 486 | center VM 487 | Sample: 488 | - instapecot-1 489 | DL_Type: string 490 | DL_CommonKey: 491 | DL_Searchable: true 492 | DL_Aggregable: false 493 | - Name: ruleId64 494 | ProductCode: 495 | - ptn 496 | - mns 497 | Description_EN: The IPS rule ID 498 | Sample: 499 | - '1134268' 500 | - '4026531849' 501 | - '4026531852' 502 | DL_Type: long 503 | DL_CommonKey: 504 | DL_Searchable: true 505 | DL_Aggregable: false 506 | - Name: icmpType 507 | ProductCode: 508 | - mns 509 | Description_EN: The ICMP protocol type 510 | Sample: 511 | - 0 512 | - 3 513 | DL_Type: int 514 | DL_CommonKey: 515 | DL_Searchable: true 516 | DL_Aggregable: true 517 | - Name: icmpCode 518 | ProductCode: 519 | - mns 520 | Description_EN: The ICMP protocol code field 521 | Sample: 522 | - 0 523 | DL_Type: int 524 | DL_CommonKey: 525 | DL_Searchable: true 526 | DL_Aggregable: true 527 | - Name: srcSubscriberId 528 | ProductCode: 529 | - mns 530 | Description_EN: The source IMSI 531 | Sample: 532 | - 466686007810478 533 | DL_Type: string 534 | DL_CommonKey: 535 | DL_Searchable: true 536 | DL_Aggregable: true 537 | - Name: srcEquipmentId 538 | ProductCode: 539 | - mns 540 | Description_EN: The source IMEI 541 | Sample: 542 | - 350548054087659 543 | DL_Type: string 544 | DL_CommonKey: 545 | DL_Searchable: true 546 | DL_Aggregable: true 547 | - Name: 
srcSubscriberDirNum 548 | ProductCode: 549 | - mns 550 | Description_EN: The source MSISDN 551 | Sample: 552 | - 8618687654321 553 | DL_Type: string 554 | DL_CommonKey: 555 | DL_Searchable: true 556 | DL_Aggregable: true 557 | - Name: dstSubscriberId 558 | ProductCode: 559 | - mns 560 | Description_EN: The destination IMSI 561 | Sample: 562 | - 466686007810478 563 | DL_Type: string 564 | DL_CommonKey: 565 | DL_Searchable: true 566 | DL_Aggregable: true 567 | - Name: dstEquipmentId 568 | ProductCode: 569 | - mns 570 | Description_EN: The destination IMEI 571 | Sample: 572 | - 350548054087659 573 | DL_Type: string 574 | DL_CommonKey: 575 | DL_Searchable: true 576 | DL_Aggregable: true 577 | - Name: dstSubscriberDirNum 578 | ProductCode: 579 | - mns 580 | Description_EN: The destination MSISDN 581 | Sample: 582 | - 8618687654321 583 | DL_Type: string 584 | DL_CommonKey: 585 | DL_Searchable: true 586 | DL_Aggregable: true 587 | - Name: srcFamily 588 | ProductCode: 589 | - mns 590 | Description_EN: The source device family 591 | Sample: 592 | - Computer 593 | DL_Type: string 594 | DL_CommonKey: 595 | DL_Searchable: true 596 | DL_Aggregable: false 597 | - Name: srcType 598 | ProductCode: 599 | - mns 600 | Description_EN: The source device type 601 | Sample: 602 | - Desktop/Laptop 603 | DL_Type: string 604 | DL_CommonKey: 605 | DL_Searchable: true 606 | DL_Aggregable: false 607 | - Name: sOSClass 608 | ProductCode: 609 | - mns 610 | Description_EN: The source device OS class 611 | Sample: 612 | - Linux 613 | DL_Type: string 614 | DL_CommonKey: 615 | DL_Searchable: true 616 | DL_Aggregable: false 617 | - Name: sOSVendor 618 | ProductCode: 619 | - mns 620 | Description_EN: The source device OS vendor 621 | Sample: 622 | - Others 623 | DL_Type: string 624 | DL_CommonKey: 625 | DL_Searchable: true 626 | DL_Aggregable: false 627 | - Name: dstFamily 628 | ProductCode: 629 | - mns 630 | Description_EN: The destination device family 631 | Sample: 632 | - Computer 633 | DL_Type: 
string 634 | DL_CommonKey: 635 | DL_Searchable: true 636 | DL_Aggregable: false 637 | - Name: dstType 638 | ProductCode: 639 | - mns 640 | Description_EN: The destination device type 641 | Sample: 642 | - Desktop/Laptop 643 | DL_Type: string 644 | DL_CommonKey: 645 | DL_Searchable: true 646 | DL_Aggregable: false 647 | - Name: dOSClass 648 | ProductCode: 649 | - mns 650 | Description_EN: The destination device OS class 651 | Sample: 652 | - Linux 653 | DL_Type: string 654 | DL_CommonKey: 655 | DL_Searchable: true 656 | DL_Aggregable: false 657 | - Name: dOSVendor 658 | ProductCode: 659 | - mns 660 | Description_EN: The destination device OS vendor 661 | Sample: 662 | - Others 663 | DL_Type: string 664 | DL_CommonKey: 665 | DL_Searchable: true 666 | DL_Aggregable: false 667 | --------------------------------------------------------------------------------