Trend Micro Vision One

Attribute | Value |
---|---|
Version | 1.23.0 |
Compatible Kibana version(s) | 8.13.0 or higher |
Supported Serverless project types | Security |
Subscription level | Basic |
Level of support | Elastic |
Overview
The Trend Micro Vision One integration allows you to monitor Alert, Audit, and Detection activity. Trend Micro Vision One refers to the ability to perform detection and response across email, endpoints, servers, cloud workloads, and networks from a single Trend Micro Vision One platform or the managed Trend Micro Vision One service.
Use the Trend Micro Vision One integration to collect and parse data from the REST APIs, then visualize that data in Kibana.
Data streams
The Trend Micro Vision One integration collects logs for three types of events: Alert, Audit, and Detection.
- Alert: Displays information about workbench alerts. See more details in the API doc here: https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/1v3.01workbench~1alerts/get
- Audit: Displays log entries that match the specified search criteria. See more details in the API doc.
- Detection: Displays search results from the Detection data source. See more details in the API doc here: https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/1v3.01search~1detections/get
Requirements
You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
This module has been tested against Trend Micro Vision One API version 3.0.
The authentication token generated by a user expires one year after it is generated, so plan to rotate the token in the integration configuration before that date.
Setup
To collect data from the Trend Micro Vision One APIs, the user must have an API token. To create an API token, follow the steps below:
- Log on to the Trend Micro Vision One console.
- On the Trend Vision One console, go to Administration → API Keys.
- Generate a new authentication token: click Add API key and specify the settings of the new API key.
  - Name: A meaningful name that helps you identify the API key.
  - Role: The user role assigned to the key. API keys can use either predefined or custom user roles. Custom roles can be created by navigating to Administration → User Roles → Add Role. The role must have the appropriate API access permissions to fetch the relevant data. The following table outlines the access permissions to apps and features needed to fetch the relevant data from the Trend Vision One API.

    Datastream | App | Permissions |
    ---|---|---|
    Alert | Workbench | View, filter, and search |
    Audit | Audit Logs | View, filter, and search; Export and Download |
    Detection | Search | View, filter, and search |

    Refer to Account Role Permissions for more details.
  - Expiration time: The time the API key remains valid. By default, authentication tokens expire one year after creation. However, a master administrator can delete and re-generate tokens at any time.
  - Status: Whether the API key is enabled.
  - Details: Extra information about the API key.
  Click Add.
- Copy the authentication token.
Refer to Obtain authentication tokens for more details on setting up the API token.
Logs Reference
alert
This is the alert dataset.
Example
An example event for alert looks as follows:
```json
{ "@timestamp": "2023-04-30T00:01:16.000Z", "agent": { "ephemeral_id": "332ba8f3-c3fa-4c28-a2db-d290177c13e5", "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "trend_micro_vision_one.alert", "namespace": "19452", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "email" ], "created": "2024-06-12T03:27:26.911Z", "dataset": "trend_micro_vision_one.alert", "id": "WB-9002-20200427-0002", "ingested": "2024-06-12T03:27:38Z", "kind": "alert", "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2023-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", "severity": 63, "type": [ "info" ] }, "input": { "type": "httpjson" }, "log": { "level": "critical" }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", "trend_micro_vision_one-alert" ], "trend_micro_vision_one": { "alert": { "alert_provider": "SAE", "created_date": "2020-04-30T00:01:15.000Z", "description": "A backdoor was possibly implanted after a user received a possible spear phishing email message.", "id": "WB-9002-20200427-0002", "impact_scope": { "account_count": 0, "desktop_count": 0, "email_address_count": 0, "entities": [ { "id": "5257b401-2fd7-469c-94fa-39a4f11eb925", "provenance": [ "Alert" ], "related_entities": [ "CODERED\\\\\user" ], "related_indicator_id": [ 1 ], "type": "host", "value": { "account_value": "user@email.com" } } ], "server_count": 0 }, "indicators": [ { "field": "request url", "filter_id": [ "f862df72-7f5e-4b2b-9f7f-9148e875f908" ], "id": 1, "provenance": [ "Alert" ], "related_entities": [ "user@example.com" ], "type": "url", "value": "http://www.example.com/ab001.zip" } ], "investigation_status": "New", "matched_rule": [ { "filter": [ { "date": "2019-08-02T04:00:01.000Z", "events": [ { "date": "2019-08-02T04:00:01.000Z", "type": "TELEMETRY_REGISTRY", "uuid": "fa9ff47c-e1b8-459e-a3d0-a5b104b854a5" } ], "id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e", "mitre_technique_id": [ "T1192" ], "name": "(T1192) Spearphishing Link" } ], "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b", "name": "Possible SpearPhishing Email" } ], "model": "Possible APT Attack", "schema_version": "1.0", "score": 63, "severity": "critical", "workbench_link": "https://THE_WORKBENCH_URL" } }, "url": { "original": "https://THE_WORKBENCH_URL", "scheme": "https" } }
```
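As an added example (not the integration's own ingest pipeline), the Python below takes a raw workbench alert payload of the kind kept in `event.original` above, reproduces the core of the mapping into the `trend_micro_vision_one.alert.*` fields, and goes one step further by deriving ECS `threat.technique.id` from the matched filters. The sample payload is constructed from the page's example; the `.000Z` timestamp rewrite and the `@timestamp`-from-`updatedDateTime` choice follow what that example shows.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the raw alert payload (event.original) from the page's
# example event, trimmed to the fields mapped below. Not from a live tenant.
RAW_ALERT = json.dumps({
    "alertProvider": "SAE",
    "createdDateTime": "2020-04-30T00:01:15Z",
    "updatedDateTime": "2023-04-30T00:01:16Z",
    "description": "A backdoor was possibly implanted after a user received a possible spear phishing email message.",
    "id": "WB-9002-20200427-0002",
    "impactScope": {
        "accountCount": 0, "desktopCount": 0, "emailAddressCount": 0, "serverCount": 0,
        "entities": [{"entityId": "5257b401-2fd7-469c-94fa-39a4f11eb925",
                      "entityType": "host", "entityValue": "user@email.com",
                      "provenance": ["Alert"], "relatedEntities": ["CODERED\\user"],
                      "relatedIndicatorIds": [1]}],
    },
    "indicators": [{"field": "request url", "id": 1, "type": "url",
                    "value": "http://www.example.com/ab001.zip",
                    "filterIds": ["f862df72-7f5e-4b2b-9f7f-9148e875f908"],
                    "provenance": ["Alert"], "relatedEntities": ["user@example.com"]}],
    "investigationStatus": "New",
    "matchedRules": [{
        "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b",
        "name": "Possible SpearPhishing Email",
        "matchedFilters": [{"id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e",
                            "name": "(T1192) Spearphishing Link",
                            "matchedDateTime": "2019-08-02T04:00:01Z",
                            "mitreTechniqueIds": ["T1192"]}],
    }],
    "model": "Possible APT Attack", "schemaVersion": "1.0",
    "score": 63, "severity": "critical",
    "workbenchLink": "https://THE_WORKBENCH_URL",
})


def _iso_millis(ts):
    """API timestamps are yyyy-MM-ddThh:mm:ssZ (UTC); the data stream stores them with .000Z."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def normalize_alert(raw_json):
    """Map one raw workbench alert to the alert data stream's document shape."""
    src = json.loads(raw_json)
    scope = src.get("impactScope", {})
    rules, technique_ids = [], set()
    for rule in src.get("matchedRules", []):
        filters = []
        for flt in rule.get("matchedFilters", []):
            technique_ids.update(flt.get("mitreTechniqueIds", []))
            filters.append({"id": flt.get("id"), "name": flt.get("name"),
                            "date": _iso_millis(flt["matchedDateTime"]),
                            "mitre_technique_id": flt.get("mitreTechniqueIds", [])})
        rules.append({"id": rule.get("id"), "name": rule.get("name"), "filter": filters})
    return {
        # The page's example takes @timestamp from updatedDateTime, not createdDateTime.
        "@timestamp": _iso_millis(src["updatedDateTime"]),
        "event": {"kind": "alert", "id": src["id"], "severity": src.get("score"),
                  "original": raw_json},  # untouched payload keeps the mapping auditable
        "log": {"level": src.get("severity")},
        "url": {"original": src.get("workbenchLink")},
        # ECS threat.technique.id is an enrichment added here (not shown on the
        # page) so alerts can be pivoted by MITRE technique in Kibana.
        "threat": {"technique": {"id": sorted(technique_ids)}},
        "trend_micro_vision_one": {"alert": {
            "alert_provider": src.get("alertProvider"),
            "created_date": _iso_millis(src["createdDateTime"]),
            "description": src.get("description"),
            "id": src["id"],
            "impact_scope": {
                "account_count": scope.get("accountCount"),
                "desktop_count": scope.get("desktopCount"),
                "email_address_count": scope.get("emailAddressCount"),
                "server_count": scope.get("serverCount"),
                # A string entityValue lands in value.account_value, as on the page.
                "entities": [{"id": e.get("entityId"), "type": e.get("entityType"),
                              "value": {"account_value": e.get("entityValue")},
                              "provenance": e.get("provenance", []),
                              "related_entities": e.get("relatedEntities", []),
                              "related_indicator_id": e.get("relatedIndicatorIds", [])}
                             for e in scope.get("entities", [])],
            },
            "indicators": [{"id": i.get("id"), "field": i.get("field"),
                            "type": i.get("type"), "value": i.get("value"),
                            "filter_id": i.get("filterIds", []),
                            "provenance": i.get("provenance", []),
                            "related_entities": i.get("relatedEntities", [])}
                           for i in src.get("indicators", [])],
            "investigation_status": src.get("investigationStatus"),
            "matched_rule": rules,
            "model": src.get("model"), "schema_version": src.get("schemaVersion"),
            "score": src.get("score"), "severity": src.get("severity"),
            "workbench_link": src.get("workbenchLink"),
        }},
    }
```

Running `normalize_alert(RAW_ALERT)` yields a document whose `trend_micro_vision_one.alert` subtree matches the example event field for field, which is a cheap way to sanity-check a custom pipeline change against the documented mapping.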
Exported fields

Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type. | keyword |
log.offset | Log offset. | long |
trend_micro_vision_one.alert.alert_provider | Alert provider. | keyword |
trend_micro_vision_one.alert.campaign | An object-ref to a campaign object. | keyword |
trend_micro_vision_one.alert.created_by | Created by. | keyword |
trend_micro_vision_one.alert.created_date | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) that indicates the creation date and time of the alert. | date |
trend_micro_vision_one.alert.description | Description of the detection model that triggered the alert. | keyword |
trend_micro_vision_one.alert.id | Workbench ID. | keyword |
trend_micro_vision_one.alert.impact_scope.account_count | Count of affected accounts. | long |
trend_micro_vision_one.alert.impact_scope.desktop_count | Count of affected desktops. | long |
trend_micro_vision_one.alert.impact_scope.email_address_count | Count of affected email addresses. | long |
trend_micro_vision_one.alert.impact_scope.entities.id | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.provenance | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.related_entities | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.related_indicator_id | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.type | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.account_value | Account or email address. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.guid | GUID. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.id | Impact scope entity ID. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.ips | Set of IPs. | ip |
trend_micro_vision_one.alert.impact_scope.entities.value.name | Host name. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.related_entities | Related entities. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.related_indicator_id | Related indicator IDs. | long |
trend_micro_vision_one.alert.impact_scope.entities.value.type | Impact scope entity type. | keyword |
trend_micro_vision_one.alert.impact_scope.server_count | Count of affected servers. | long |
trend_micro_vision_one.alert.indicators.field | Detailed description of the indicator. | keyword |
trend_micro_vision_one.alert.indicators.fields | Detailed description of the indicator. | keyword |
trend_micro_vision_one.alert.indicators.filter_id | Related matched filter IDs. | keyword |
trend_micro_vision_one.alert.indicators.first_seen_date | First seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date |
trend_micro_vision_one.alert.indicators.id | Indicator ID. | keyword |
trend_micro_vision_one.alert.indicators.last_seen_date | Last seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date |
trend_micro_vision_one.alert.indicators.matched_indicator.pattern_id | Matched indicator pattern IDs. | keyword |
trend_micro_vision_one.alert.indicators.provenance | Provenance. | keyword |
trend_micro_vision_one.alert.indicators.related_entities | Related entities. | keyword |
trend_micro_vision_one.alert.indicators.type | Indicator type. | keyword |
trend_micro_vision_one.alert.indicators.value | Indicator value. | keyword |
trend_micro_vision_one.alert.industry | Industry. | keyword |
trend_micro_vision_one.alert.investigation_status | Workbench alert status. | keyword |
trend_micro_vision_one.alert.matched_indicator_count | Matched indicator pattern count. | long |
trend_micro_vision_one.alert.matched_indicators_pattern.id | Pattern ID. | keyword |
trend_micro_vision_one.alert.matched_indicators_pattern.matched_log | Pattern matched log. | keyword |
trend_micro_vision_one.alert.matched_indicators_pattern.pattern | The STIX indicator pattern. | keyword |
trend_micro_vision_one.alert.matched_indicators_pattern.tags | Tags defined by STIX. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.date | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date |
trend_micro_vision_one.alert.matched_rule.filter.events.date | Matched event date. | date |
trend_micro_vision_one.alert.matched_rule.filter.events.type | Matched event type. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.events.uuid | Matched event UUID. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.id | Matched filter ID. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.mitre_technique_id | MITRE technique ID. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.name | Filter name. | keyword |
trend_micro_vision_one.alert.matched_rule.id | ID of the rule that was triggered. | keyword |
trend_micro_vision_one.alert.matched_rule.name | Matched rule name. | keyword |
trend_micro_vision_one.alert.model | Name of the detection model that triggered the alert. | keyword |
trend_micro_vision_one.alert.region_and_country | Region/country. | keyword |
trend_micro_vision_one.alert.report_link | A reference URL that links to the detailed report analysis. For Trend Micro research reports, the link points to the Trend blog. | keyword |
trend_micro_vision_one.alert.schema_version | The version of the JSON schema, not the version of the alert trigger content. | keyword |
trend_micro_vision_one.alert.score | Overall severity assigned to the alert based on the severity of the matched detection model and the impact scope. | long |
trend_micro_vision_one.alert.severity | Workbench alert severity. | keyword |
trend_micro_vision_one.alert.total_indicator_count | Total indicator pattern count. | long |
trend_micro_vision_one.alert.workbench_link | Workbench URL. | keyword |
audit
This is the audit dataset.
Example
An example event for audit looks as follows:
```json
{ "@timestamp": "2022-02-24T07:29:48.000Z", "agent": { "ephemeral_id": "652abe8f-556a-4a24-9e9d-dc2990f84a38", "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "trend_micro_vision_one.audit", "namespace": "46929", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "authentication" ], "created": "2024-06-12T03:28:27.263Z", "dataset": "trend_micro_vision_one.audit", "ingested": "2024-06-12T03:28:39Z", "kind": "event", "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", "outcome": "failure", "type": [ "info" ] }, "input": { "type": "httpjson" }, "related": { "user": [ "Root Account" ] }, "source": { "user": { "name": "Root Account", "roles": [ "Master Administrator" ] } }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", "trend_micro_vision_one-audit" ], "trend_micro_vision_one": { "audit": { "access_type": "Console", "activity": "string", "category": "Logon and Logoff", "details": { "property1": "string", "property2": "string" }, "logged_role": "Master Administrator", "logged_user": "Root Account", "result": "Unsuccessful" } } }
```
Exported fields

Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type. | keyword |
log.offset | Log offset. | long |
trend_micro_vision_one.audit.access_type | Source of the activity. | keyword |
trend_micro_vision_one.audit.activity | The activity that was performed. | keyword |
trend_micro_vision_one.audit.category | Category. | keyword |
trend_micro_vision_one.audit.details | Object that contains a list of elements to be retrieved from the "details" field. | flattened |
trend_micro_vision_one.audit.logged_role | Role of the account. | keyword |
trend_micro_vision_one.audit.logged_user | The account that was used to perform the activity. | keyword |
trend_micro_vision_one.audit.result | Result. | keyword |
detection
This is the detection dataset.
Example
An example event for detection looks as follows:
```json
{ "@timestamp": "2020-10-15T01:16:32.000Z", "agent": { "ephemeral_id": "b136ddab-1cc6-49c5-b9c2-4a4fcf650fe2", "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "trend_micro_vision_one.detection", "namespace": "99796", "type": "logs" }, "destination": { "domain": "Workgroup", "ip": [ "81.2.69.142" ], "port": 53 }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, "version": "8.13.0" }, "event": { "action": "clean", "agent_id_status": "verified", "category": [ "intrusion_detection" ], "created": "2024-06-12T03:29:29.064Z", "dataset": "trend_micro_vision_one.detection", "id": "100117", "ingested": "2024-06-12T03:29:41Z", "kind": "event", "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\\\Users\\\\\\\\\\user1\\\\\\\\\\Downloads\\\\\\\\\\Unconfirmed 145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\\\Program Files (x86)\\\\\\\\\\Microsoft\\\\\\\\\\Edge\\\\\\\\\\Application\\\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\\\Users\\\\\\\\\\user1\\\\\\\\\\Downloads\\\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\\\os\\\\\\\\\\system32\\\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\\\os\\\\\\\\\\System32\\\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\\\Program Files (x86)\\\\\\\\\\os\\\\\\\\\\Application\\\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", "severity": 50, "type": [ "info" ] }, "file": { "hash": { "md5": "761AEFF7E6B110970285B9C20C9E1DCA", "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" }, "name": [ "Unconfirmed 145081.crdownload" ], "path": "/etc/systemd/system/snap-xxxx-1246.xxxx", "size": 0 }, "host": { "hostname": "samplehost", "id": "1234-1234-1234", "ip": [ "81.2.69.142" ], "mac": [ "00-00-5E-00-53-23" ], "name": "abc-docker" }, "http": { "request": { "referrer": "http://www.example.com/" } }, "input": { "type": "httpjson" }, "network": { "direction": "outbound", "protocol": "http" }, "observer": { "hostname": "samplehost", "mac": [ "00-00-5E-00-53-23" ] }, "process": { "command_line": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", "name": "string", "pid": 0 }, "related": { "hash": [ "761AEFF7E6B110970285B9C20C9E1DCA", "00496B4D53CEFE031B9702B3385C9F4430999932", "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7", "3395856ce81f2b7382dee72602f798b642f14140" ], "hosts": [ "samplehost", "abc-docker" ], "ip": [ "81.2.69.142", "81.2.69.192" ] }, "source": { "ip": "81.2.69.192", "port": 58871 }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", "trend_micro_vision_one-detection" ], "threat": { "tactic": { "id": [ "TA0005" ] } }, "trend_micro_vision_one": { "detection": { "action": "Clean", "action_result": "Quarantined successfully", "behavior_category": "Grey-Detection", "block": "Web reputation", "client_flag": "dst", "component_version": [ "PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00" ], "compressed_file_size": 0, "destination": { "ip": [ "81.2.69.142" ], "ip_group": "Default", "port": 53 }, "detection": "Yes", "detection_source": "GLOBAL_INTELLIGENCE", "detection_type": "File", "device": { "direction": "outbound", "guid": "C5B09EDD-C725-907F-29D9-B8C30D18C48F", "host": "samplehost", "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "ip": [ "81.2.69.192" ], "mac": "00-00-5E-00-53-23", "process_name": "/snap/core/10126/usr/lib/snapd/snapd" }, "domain": { "name": "Workgroup" }, "end_time": "2021-09-30T17:40:04.000Z", "endpoint": { "guid": "1234-1234-1234", "hostname": "abc-docker", "ip": [ "81.2.69.142" ], "mac": "00-00-5E-00-53-23" }, "engine_type": "Virus Scan Engine (OS 2003, x64)", "engine_version": "12.500.1004", "event_id": "100117", "event_name": "INTEGRITY_MONITORING_EVENT", "event_time_dt": "2021-06-10T01:38:38.000Z", "file_hash": "3395856ce81f2b7382dee72602f798b642f14140", "file_name": [ "Unconfirmed 145081.crdownload" ], "file_operation": "Deleted", "file_path": "/etc/systemd/system", "file_path_name": "/etc/systemd/system/snap-xxxx-1246.xxxx", "file_size": 0, "first_action": "Clean", "first_action_result": "Unable to clean file", "full_path": "C:\\\\\Users\\\\\user1\\\\\Downloads\\\\\Unconfirmed 145081.crdownload", "hostname": "samplehost", "http_referer": "http://www.example.com/", "interested": { "host": "abc-docker", "ip": [ "81.2.69.192" ], "mac": "00-00-5E-00-53-23" }, "malware_name": "Eicar_test_1", "malware_type": "Virus/Malware", "mproduct": { "name": "Cloud One - Workload Security", "version": "Deep Security/20.0.222" }, "object": { "cmd": [ "C:\\\\\Program Files (x86)\\\\\Microsoft\\\\\Edge\\\\\Application\\\\\msedge.exe --profile-directory=Default" ], "file": { "hash": { "md5": "761AEFF7E6B110970285B9C20C9E1DCA", "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" }, "name": "Unconfirmed 142899.crdownload:SmartScreen", "path": "C:\\\\\Users\\\\\user1\\\\\Downloads\\\\\Unconfirmed 142899.crdownload:SmartScreen" }, "name": "CloudEndpointService.exe", "pid": 7660, "signer": [ "OS" ] }, "parent": { "cmd": "C:\\\\\os\\\\\system32\\\\\svchost.exe -k DcomLaunch -p", "file": { "hash": { "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" }, "path": "C:\\\\\os\\\\\System32\\\\\svchost.exe" } }, "peer": { "host": "samplehost", "ip": [ "81.2.69.192" ] }, "process": { "cmd": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", "file": { "hash": { "md5": "761AEFF7E6B110970285B9C20C9E1DCA", "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" }, "path": "C:\\\\\Program Files (x86)\\\\\os\\\\\Application\\\\\msedge.exe" }, "name": "string", "pid": 0, "signer": "OS Publisher" }, "product": { "code": "sao", "name": "Apex One", "version": "20.0.0.877" }, "protocol": "HTTP", "protocol_group": "HTTP", "related_apt": false, "request": "https://example.com", "request_client_application": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", "risk_level": 3, "rt": "2020-10-15T01:16:32.000Z", "rt_utc": "2020-10-15T01:16:32.000Z", "search_data_lake": "DDL", "security_analytics": { "engine": { "name": [ "T1090 (TA0005)" ], "version": "v6" } }, "severity_level": 50, "source": { "group": "Default", "ip": "81.2.69.192", "port": 58871 }, "sub_name": "Attack Discovery", "tactic_id": [ "TA0005" ], "tags": [ "XSAE.F2140", "XSAE.F3066" ], "threat_name": "Malicious_identified_CnC_querying_on_UDP_detected", "total_count": 1, "uuid": "1234-1234-1234" } }, "url": { "domain": "example.com", "original": "https://example.com", "scheme": "https" }, "user_agent": { "device": { "name": "iPhone" }, "name": "Mobile Safari", "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", "os": { "full": "iOS 12.1", "name": "iOS", "version": "12.1" }, "version": "12.0" } }
```
Exported fields

Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type. | keyword |
log.offset | Log offset. | long |
trend_micro_vision_one.detection.action | Action taken by the detecting product. | keyword |
trend_micro_vision_one.detection.action_result | Result of the action taken by the detecting product. | keyword |
trend_micro_vision_one.detection.aggregated_count | Aggregated count. | long |
trend_micro_vision_one.detection.behavior_category | The matched policy category (policy section) in the BM patterns, which will always be Grey-Detection here. | keyword |
trend_micro_vision_one.detection.block | Blocking reason. | keyword |
trend_micro_vision_one.detection.client_flag | 0: Unknown, 1: src, 2: dst. | keyword |
trend_micro_vision_one.detection.client_ip | Client IP. | ip |
trend_micro_vision_one.detection.component_version | Product component version. | keyword |
trend_micro_vision_one.detection.compressed_file_size | File size after compression. | long |
trend_micro_vision_one.detection.destination.ip | Destination IP address. | ip |
trend_micro_vision_one.detection.destination.ip_group | Destination IP address group. | keyword |
trend_micro_vision_one.detection.destination.port | Destination port. | long |
trend_micro_vision_one.detection.detection | Yes (tagged when it appears and the value is 1). | keyword |
trend_micro_vision_one.detection.detection_source | Detection source used by Deep Discovery Inspector. | keyword |
trend_micro_vision_one.detection.detection_type | Product detection type. | keyword |
trend_micro_vision_one.detection.device.direction | 0: inbound, 1: outbound, 2: unknown (2 is assigned if the value cannot be parsed correctly). | keyword |
trend_micro_vision_one.detection.device.guid | Device GUID. | keyword |
trend_micro_vision_one.detection.device.host | Device host. | keyword |
trend_micro_vision_one.detection.device.id | Device identity. | keyword |
trend_micro_vision_one.detection.device.ip | Device IP list. | ip |
trend_micro_vision_one.detection.device.mac | MAC address. | keyword |
trend_micro_vision_one.detection.device.process_name | Process name on the device. | keyword |
trend_micro_vision_one.detection.domain.name | Domain name. | keyword |
trend_micro_vision_one.detection.end_time | End time. | date |
trend_micro_vision_one.detection.endpoint.guid | Endpoint GUID for identity. | keyword |
trend_micro_vision_one.detection.endpoint.hostname | Hostname of the endpoint on which the event was generated. | keyword |
trend_micro_vision_one.detection.endpoint.ip | Endpoint IP address list. | ip |
trend_micro_vision_one.detection.endpoint.mac | Endpoint MAC address. | keyword |
trend_micro_vision_one.detection.engine_type | Product scan engine type. | keyword |
trend_micro_vision_one.detection.engine_version | Product scan engine version. | keyword |
trend_micro_vision_one.detection.event_id | Event ID. | keyword |
trend_micro_vision_one.detection.event_name | Predefined event enumerator. | keyword |
trend_micro_vision_one.detection.event_time_dt | Detection time. | date |
trend_micro_vision_one.detection.file_hash | Detected file hash value. | keyword |
trend_micro_vision_one.detection.file_name | Detected file name. | keyword |
trend_micro_vision_one.detection.file_operation | Operation performed on the detected file. | keyword |
trend_micro_vision_one.detection.file_path | Full file path without the file name. | keyword |
trend_micro_vision_one.detection.file_path_name | Full file path. | keyword |
trend_micro_vision_one.detection.file_size | Detected file size. | long |
trend_micro_vision_one.detection.file_type | Detected file type. | keyword |
trend_micro_vision_one.detection.first_action | First action. | keyword |
trend_micro_vision_one.detection.first_action_result | First action result. | keyword |
trend_micro_vision_one.detection.full_path | File full path. | keyword |
trend_micro_vision_one.detection.hostname | Host name. | keyword |
trend_micro_vision_one.detection.http_referer | HTTP referer URL. | keyword |
trend_micro_vision_one.detection.interested.host | Highlighted indicator for incident response members. | keyword |
trend_micro_vision_one.detection.interested.ip | Highlighted indicator for incident response members. | ip |
trend_micro_vision_one.detection.interested.mac | Highlighted indicator for incident response members. | keyword |
trend_micro_vision_one.detection.malware_name | Malware name. | keyword |
trend_micro_vision_one.detection.malware_type | Malware type. | keyword |
trend_micro_vision_one.detection.mime_type | MIME type. | keyword |
trend_micro_vision_one.detection.mproduct.name | Product name. | keyword |
trend_micro_vision_one.detection.mproduct.version | Product version. | keyword |
trend_micro_vision_one.detection.object.cmd | The command line that a process detected by Attack Discovery uses to execute other processes. | keyword |
trend_micro_vision_one.detection.object.file.hash.md5 | File hash MD5 value. | keyword |
trend_micro_vision_one.detection.object.file.hash.sha1 | File hash SHA1 value. | keyword |
trend_micro_vision_one.detection.object.file.hash.sha256 | File hash SHA256 value. | keyword |
trend_micro_vision_one.detection.object.file.name | File name. | keyword |
trend_micro_vision_one.detection.object.file.path | File path. | keyword |
trend_micro_vision_one.detection.object.name | Detected object name. | keyword |
trend_micro_vision_one.detection.object.pid | Detected object PID. | long |
trend_micro_vision_one.detection.object.signer | Signer. | keyword |
trend_micro_vision_one.detection.os.name | Supported values: Linux, Windows, macOS, macOSX. | keyword |
trend_micro_vision_one.detection.parent.cmd | The command line of the parent process. | keyword |
trend_micro_vision_one.detection.parent.file.hash.sha1 | Parent file SHA1. | keyword |
trend_micro_vision_one.detection.parent.file.hash.sha256 | Parent file SHA256. | keyword |
trend_micro_vision_one.detection.parent.file.path | Parent file path. | keyword |
trend_micro_vision_one.detection.peer.host | Peer host name. | keyword |
trend_micro_vision_one.detection.peer.ip | Peer IP list. | ip |
trend_micro_vision_one.detection.policy.logkey |
Policy logkey. |
keyword |
trend_micro_vision_one.detection.policy.name |
Policy name. |
keyword |
trend_micro_vision_one.detection.policy.uuid |
Policy uuid. |
keyword |
trend_micro_vision_one.detection.principal_name |
Principal name. |
keyword |
trend_micro_vision_one.detection.process.cmd |
The command line used to launch this process. |
keyword |
trend_micro_vision_one.detection.process.file.hash.md5 |
Process file hash MD5 value. |
keyword |
trend_micro_vision_one.detection.process.file.hash.sha1 |
Process file hash Sha1 value. |
keyword |
trend_micro_vision_one.detection.process.file.hash.sha256 |
Process file hash Sha256 value. |
keyword |
trend_micro_vision_one.detection.process.file.path |
The process file path. |
keyword |
trend_micro_vision_one.detection.process.name |
Process name. |
keyword |
trend_micro_vision_one.detection.process.pid |
Process Pid. |
long |
trend_micro_vision_one.detection.process.signer |
Process signer. |
keyword |
trend_micro_vision_one.detection.product.code |
Product code name. |
keyword |
trend_micro_vision_one.detection.product.name |
product name. |
keyword |
trend_micro_vision_one.detection.product.version |
Product version. |
keyword |
trend_micro_vision_one.detection.profile |
Profile |
keyword |
trend_micro_vision_one.detection.protocol |
Protocol detect by Deep Discovery Inspector. |
keyword |
trend_micro_vision_one.detection.protocol_group |
Protocol group detect by Deep Discovery Inspector. |
keyword |
trend_micro_vision_one.detection.related_apt |
0:False, 1:True. |
boolean |
trend_micro_vision_one.detection.request |
URL. |
keyword |
trend_micro_vision_one.detection.request_base |
Request base. |
keyword |
trend_micro_vision_one.detection.request_client_application |
Browser user agent. |
keyword |
trend_micro_vision_one.detection.risk_level |
SLF_CCCA_RISKLEVEL_UNKNOWN (0) SLF_CCCA_RISKLEVEL_LOW (1) SLF_CCCA_RISKLEVEL_MEDIUM (2) SLF_CCCA_RISKLEVEL_HIGH (3). |
long |
trend_micro_vision_one.detection.rt |
Detect time. |
date |
trend_micro_vision_one.detection.rt_utc |
Detect utc time. |
date |
trend_micro_vision_one.detection.search_data_lake |
Datalake name. |
keyword |
trend_micro_vision_one.detection.security_analytics.engine.name |
Security Analytics Engine. |
keyword |
trend_micro_vision_one.detection.security_analytics.engine.version |
Security Analytics Engine version. |
keyword |
trend_micro_vision_one.detection.sender |
Sender. |
keyword |
trend_micro_vision_one.detection.severity_level |
severity score. |
long |
trend_micro_vision_one.detection.source.group |
Source IP address group. |
keyword |
trend_micro_vision_one.detection.source.ip |
Source IP address. |
ip |
trend_micro_vision_one.detection.source.port |
Source port. |
long |
trend_micro_vision_one.detection.sub_name |
Detect event subscribe name. |
keyword |
trend_micro_vision_one.detection.suid |
Suid. |
keyword |
trend_micro_vision_one.detection.tactic_id |
Security Agent or product policy. |
keyword |
trend_micro_vision_one.detection.tags |
Detected by Security Analytics Engine filters. |
keyword |
trend_micro_vision_one.detection.threat_name |
Threat name. |
keyword |
trend_micro_vision_one.detection.total_count |
total count. |
long |
trend_micro_vision_one.detection.url_cat |
URL cat. |
keyword |
trend_micro_vision_one.detection.user.domain |
User domain. |
keyword |
trend_micro_vision_one.detection.uuid |
Log unique id. |
keyword |
Changelog

Version | Details | Kibana version(s) |
---|---|---|
1.23.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.22.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.21.1 | Bug fix (View pull request) | 8.13.0 or higher |
1.21.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.20.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.19.1 | Bug fix (View pull request) | 8.12.0 or higher |
1.19.0 | Enhancement (View pull request) | 8.12.0 or higher |
1.18.0 | Enhancement (View pull request) | 8.12.0 or higher |
1.17.0 | Enhancement (View pull request) | 8.12.0 or higher |
1.16.0 | Enhancement (View pull request) | 8.12.0 or higher |
1.15.1 | Enhancement (View pull request) | 8.7.1 or higher |
1.15.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.14.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.13.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.12.2 | Bug fix (View pull request) | 8.7.1 or higher |
1.12.1 | Bug fix (View pull request) | 8.7.1 or higher |
1.12.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.11.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.10.0 | Bug fix (View pull request) | 8.7.1 or higher |
1.9.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.8.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.7.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.6.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.5.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.4.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.3.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.2.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.1.0 | Enhancement (View pull request) | 8.4.0 or higher |
1.0.0 | Enhancement (View pull request) | 8.4.0 or higher |
0.3.1 | Enhancement (View pull request) | — |
0.3.0 | Enhancement (View pull request) | — |
0.2.2 | Bug fix (View pull request) | — |
0.2.1 | Enhancement (View pull request) | — |
0.2.0 | Enhancement (View pull request) | — |
0.1.0 | Enhancement (View pull request) | — |