Trend Micro Vision One
<div class="condensed-table">
| | |
| --- | --- |
| Version | 1.24.1 |
| Compatible Kibana version(s) | 8.13.0 or higher |
| Supported Serverless project types | Security, Observability |
| Subscription level | Basic |
| Level of support | Elastic |
</div>
The Trend Micro Vision One integration allows you to monitor Alert, Audit, and Detection activity. Trend Micro Vision One refers to the ability to do detection and response across email, endpoints, servers, cloud workloads, and networks via a single Trend Micro Vision One platform or the managed Trend Micro Vision One service.
Use the Trend Micro Vision One integration to collect and parse data from the Vision One REST APIs, then visualize that data in Kibana.
The Trend Micro Vision One integration collects logs for three types of events: Alert, Audit, and Detection.
Alert: information about workbench alerts.
Audit: audit log entries that match the specified search criteria.
Detection: search results from the Detection Data source.
You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your hardware.
This module has been tested against Trend Micro Vision One API version 3.0.
The authentication token generated by a user expires one year after being generated. Treat the token as a credential: for as long as it is valid it carries the full API access of the role assigned to the key, so give the key a role with no more than the permissions listed below and have a master administrator delete it if it is ever exposed.

The API key's role must have the API access permissions needed to fetch the relevant data. The following table outlines, per data stream, the app and feature permissions required from the Trend Vision One API:

| Data stream | App | Permissions |
| --- | --- | --- |
| Alert | Workbench | View, filter, and search |
| Audit | Audit Logs | View, filter, and search; Export and Download |
| Detection | Search | View, filter, and search |

Refer to Account Role Permissions for more details.

To generate a token:

1. Log on to the Trend Micro Vision One console.
2. On the Trend Vision One console, go to Administration → API Keys.
3. Click Add API key and specify the settings of the new API key:
   - Name: A meaningful name that helps you identify the API key.
   - Role: The user role assigned to the key. API keys can use either predefined or custom user roles. Custom roles can be created under Administration → User Roles → Add Role and must include the permissions from the table above.
   - Expiration time: How long the API key remains valid. By default, authentication tokens expire one year after creation; a master administrator can delete and regenerate tokens at any time.
   - Status: Whether the API key is enabled.
   - Details: Extra information about the API key.
4. Click Add.
5. Copy the authentication token.

Refer to Obtain authentication tokens for more details on setting up the API token.
This is the alert dataset.
**Example**
An example event for alert looks as follows:
{
"@timestamp": "2023-04-30T00:01:16.000Z",
"agent": {
"ephemeral_id": "332ba8f3-c3fa-4c28-a2db-d290177c13e5",
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "trend_micro_vision_one.alert",
"namespace": "19452",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"email"
],
"created": "2024-06-12T03:27:26.911Z",
"dataset": "trend_micro_vision_one.alert",
"id": "WB-9002-20200427-0002",
"ingested": "2024-06-12T03:27:38Z",
"kind": "alert",
"original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2023-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}",
"severity": 63,
"type": [
"info"
]
},
"input": {
"type": "httpjson"
},
"log": {
"level": "critical"
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"trend_micro_vision_one-alert"
],
"trend_micro_vision_one": {
"alert": {
"alert_provider": "SAE",
"created_date": "2020-04-30T00:01:15.000Z",
"description": "A backdoor was possibly implanted after a user received a possible spear phishing email message.",
"id": "WB-9002-20200427-0002",
"impact_scope": {
"account_count": 0,
"desktop_count": 0,
"email_address_count": 0,
"entities": [
{
"id": "5257b401-2fd7-469c-94fa-39a4f11eb925",
"provenance": [
"Alert"
],
"related_entities": [
"CODERED\\\\\user"
],
"related_indicator_id": [
1
],
"type": "host",
"value": {
"account_value": "user@email.com"
}
}
],
"server_count": 0
},
"indicators": [
{
"field": "request url",
"filter_id": [
"f862df72-7f5e-4b2b-9f7f-9148e875f908"
],
"id": 1,
"provenance": [
"Alert"
],
"related_entities": [
"user@example.com"
],
"type": "url",
"value": "http://www.example.com/ab001.zip"
}
],
"investigation_status": "New",
"matched_rule": [
{
"filter": [
{
"date": "2019-08-02T04:00:01.000Z",
"events": [
{
"date": "2019-08-02T04:00:01.000Z",
"type": "TELEMETRY_REGISTRY",
"uuid": "fa9ff47c-e1b8-459e-a3d0-a5b104b854a5"
}
],
"id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e",
"mitre_technique_id": [
"T1192"
],
"name": "(T1192) Spearphishing Link"
}
],
"id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b",
"name": "Possible SpearPhishing Email"
}
],
"model": "Possible APT Attack",
"schema_version": "1.0",
"score": 63,
"severity": "critical",
"workbench_link": "https://THE_WORKBENCH_URL"
}
},
"url": {
"original": "https://THE_WORKBENCH_URL",
"scheme": "https"
}
}
**Exported fields**
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type | keyword |
log.offset | Log offset | long |
trend_micro_vision_one.alert.alert_provider | Alert provider. | keyword |
trend_micro_vision_one.alert.campaign | An object-ref to a campaign object. | keyword |
trend_micro_vision_one.alert.created_by | Created by. | keyword |
trend_micro_vision_one.alert.created_date | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) that indicates the created date time of the alert. | date |
trend_micro_vision_one.alert.description | Description of the detection model that triggered the alert. | keyword |
trend_micro_vision_one.alert.id | Workbench ID. | keyword |
trend_micro_vision_one.alert.impact_scope.account_count | Count of affected account. | long |
trend_micro_vision_one.alert.impact_scope.desktop_count | Count of affected desktop. | long |
trend_micro_vision_one.alert.impact_scope.email_address_count | Count of affected email address. | long |
trend_micro_vision_one.alert.impact_scope.entities.id | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.provenance | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.related_entities | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.related_indicator_id | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.type | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.account_value | Account or emailAddress. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.guid | GUID. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.id | Impact scope entity id. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.ips | Set of IPs. | ip |
trend_micro_vision_one.alert.impact_scope.entities.value.name | Host name. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.related_entities | Related entities. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.related_indicator_id | Related indicator ids. | long |
trend_micro_vision_one.alert.impact_scope.entities.value.type | Impact scope entity type. | keyword |
trend_micro_vision_one.alert.impact_scope.server_count | Count of affected server. | long |
trend_micro_vision_one.alert.indicators.field | Detailed description of the indicator. | keyword |
trend_micro_vision_one.alert.indicators.fields | Detailed description of the indicator. | keyword |
trend_micro_vision_one.alert.indicators.filter_id | Related matched filter ids. | keyword |
trend_micro_vision_one.alert.indicators.first_seen_date | First seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date |
trend_micro_vision_one.alert.indicators.id | Indicator ID. | keyword |
trend_micro_vision_one.alert.indicators.last_seen_date | Last seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date |
trend_micro_vision_one.alert.indicators.matched_indicator.pattern_id | Matched indicator pattern ids. | keyword |
trend_micro_vision_one.alert.indicators.provenance | Provenance. | keyword |
trend_micro_vision_one.alert.indicators.related_entities | Related entities. | keyword |
trend_micro_vision_one.alert.indicators.type | Indicator type. | keyword |
trend_micro_vision_one.alert.indicators.value | Indicator value. | keyword |
trend_micro_vision_one.alert.industry | Industry. | keyword |
trend_micro_vision_one.alert.investigation_status | Workbench alert status. | keyword |
trend_micro_vision_one.alert.matched_indicator_count | Matched indicator pattern count. | long |
trend_micro_vision_one.alert.matched_indicators_pattern.id | Pattern ID. | keyword |
trend_micro_vision_one.alert.matched_indicators_pattern.matched_log | Pattern matched log. | keyword |
trend_micro_vision_one.alert.matched_indicators_pattern.pattern | STIX indicator will be a pattern. | keyword |
trend_micro_vision_one.alert.matched_indicators_pattern.tags | Tags defined by STIX. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.date | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date |
trend_micro_vision_one.alert.matched_rule.filter.events.date | Matched event date. | date |
trend_micro_vision_one.alert.matched_rule.filter.events.type | Matched event type. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.events.uuid | Matched event uuid. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.id | Matched filter id. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.mitre_technique_id | Mitre technique id. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.name | Filter name. | keyword |
trend_micro_vision_one.alert.matched_rule.id | The rules are triggered. | keyword |
trend_micro_vision_one.alert.matched_rule.name | Matched rule name. | keyword |
trend_micro_vision_one.alert.model | Name of the detection model that triggered the alert. | keyword |
trend_micro_vision_one.alert.region_and_country | region/country. | keyword |
trend_micro_vision_one.alert.report_link | A reference URL that links to the detailed report analysis. For Trend Micro research reports, the link points to the Trend Micro blog. | keyword |
trend_micro_vision_one.alert.schema_version | The version of the JSON schema, not the version of alert trigger content. | keyword |
trend_micro_vision_one.alert.score | Overall severity assigned to the alert based on the severity of the matched detection model and the impact scope. | long |
trend_micro_vision_one.alert.severity | Workbench alert severity. | keyword |
trend_micro_vision_one.alert.total_indicator_count | Total indicator pattern count. | long |
trend_micro_vision_one.alert.workbench_link | Workbench URL. | keyword |
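The mapping from the raw workbench alert to the fields in the example event above is easier to reason about in code. The block below is an added example, not code from Elastic or Trend Micro: it takes the raw alert JSON as the integration keeps it in `event.original`, derives the ECS-style fields shown above (`@timestamp` from `updatedDateTime`, `event.severity` from `score`, `log.level` from `severity`, technique IDs from the matched filters), and applies a triage rule. The sample alert is constructed from the page's example and trimmed; the `needs_triage` threshold of 50 and the `impacted_entities` key are assumptions for illustration.

```python
"""Added example, not code from Elastic or Trend Micro: normalise a raw
workbench alert (the JSON text the integration keeps in event.original)
into the ECS-style fields the alert data stream exposes, then apply a
simple triage rule to it."""
import json
from datetime import datetime, timezone

# Constructed sample, trimmed from the page's example event; not a live API response.
SAMPLE_ALERT = json.dumps({
    "alertProvider": "SAE",
    "createdDateTime": "2020-04-30T00:01:15Z",
    "updatedDateTime": "2023-04-30T00:01:16Z",
    "description": "A backdoor was possibly implanted after a user received "
                   "a possible spear phishing email message.",
    "id": "WB-9002-20200427-0002",
    "impactScope": {
        "accountCount": 0, "desktopCount": 0, "emailAddressCount": 0, "serverCount": 0,
        "entities": [{"entityId": "5257b401-2fd7-469c-94fa-39a4f11eb925",
                      "entityType": "host", "entityValue": "user@email.com",
                      "relatedIndicatorIds": [1]}],
    },
    "indicators": [{"id": 1, "type": "url", "field": "request url",
                    "value": "http://www.example.com/ab001.zip",
                    "relatedEntities": ["user@example.com"]}],
    "investigationStatus": "New",
    "matchedRules": [{
        "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b",
        "name": "Possible SpearPhishing Email",
        "matchedFilters": [{"id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e",
                            "name": "(T1192) Spearphishing Link",
                            "mitreTechniqueIds": ["T1192"],
                            "matchedDateTime": "2019-08-02T04:00:01Z"}],
    }],
    "model": "Possible APT Attack",
    "score": 63,
    "severity": "critical",
    "workbenchLink": "https://THE_WORKBENCH_URL",
})


def parse_ts(value):
    """Vision One timestamps are ISO 8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize_alert(raw):
    """Map the raw alert onto the fields shown in the example event above."""
    alert = json.loads(raw)
    techniques = sorted({
        tid
        for rule in alert.get("matchedRules", [])
        for flt in rule.get("matchedFilters", [])
        for tid in flt.get("mitreTechniqueIds", [])
    })
    return {
        # @timestamp tracks updatedDateTime (2023 in the example), not createdDateTime (2020).
        "@timestamp": parse_ts(alert.get("updatedDateTime") or alert["createdDateTime"]),
        "event.kind": "alert",
        "event.id": alert["id"],
        "event.severity": alert.get("score"),      # numeric score becomes event.severity
        "log.level": alert.get("severity"),        # textual severity (e.g. critical) becomes log.level
        "rule.name": [r.get("name") for r in alert.get("matchedRules", [])],
        "threat.technique.id": techniques,
        "url.original": [i["value"] for i in alert.get("indicators", []) if i.get("type") == "url"],
        # Assumed key name for illustration; the stream keeps these under impact_scope.entities.
        "impacted_entities": [e.get("entityValue") for e in
                              alert.get("impactScope", {}).get("entities", [])],
        "investigation_status": alert.get("investigationStatus"),
        "workbench_link": alert.get("workbenchLink"),
    }


def needs_triage(doc, min_score=50):
    """Triage rule (assumed threshold): an alert nobody has picked up yet
    (investigationStatus New) whose score meets the threshold."""
    return doc["investigation_status"] == "New" and (doc["event.severity"] or 0) >= min_score
```

Note that `@timestamp` follows `updatedDateTime`, so an alert that is re-scored or re-opened moves forward in time in Kibana; use `trend_micro_vision_one.alert.created_date` when you need the time the alert first fired.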
This is the audit dataset.
**Example**
An example event for audit looks as follows:
{
"@timestamp": "2022-02-24T07:29:48.000Z",
"agent": {
"ephemeral_id": "652abe8f-556a-4a24-9e9d-dc2990f84a38",
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "trend_micro_vision_one.audit",
"namespace": "46929",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"authentication"
],
"created": "2024-06-12T03:28:27.263Z",
"dataset": "trend_micro_vision_one.audit",
"ingested": "2024-06-12T03:28:39Z",
"kind": "event",
"original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}",
"outcome": "failure",
"type": [
"info"
]
},
"input": {
"type": "httpjson"
},
"related": {
"user": [
"Root Account"
]
},
"source": {
"user": {
"name": "Root Account",
"roles": [
"Master Administrator"
]
}
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"trend_micro_vision_one-audit"
],
"trend_micro_vision_one": {
"audit": {
"access_type": "Console",
"activity": "string",
"category": "Logon and Logoff",
"details": {
"property1": "string",
"property2": "string"
},
"logged_role": "Master Administrator",
"logged_user": "Root Account",
"result": "Unsuccessful"
}
}
}
**Exported fields**
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type | keyword |
log.offset | Log offset | long |
trend_micro_vision_one.audit.access_type | Source of the activity. | keyword |
trend_micro_vision_one.audit.activity | The activity that was performed. | keyword |
trend_micro_vision_one.audit.category | Category. | keyword |
trend_micro_vision_one.audit.details | Object that contains a list of elements to be retrieved from the "details" field. | flattened |
trend_micro_vision_one.audit.logged_role | Role of the account. | keyword |
trend_micro_vision_one.audit.logged_user | The account that was used to perform the activity. | keyword |
trend_micro_vision_one.audit.result | Result. | keyword |
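The audit stream is where console logons by privileged accounts show up, and the example above is an unsuccessful console logon by the root account with the Master Administrator role. The block below is an added example, not code from Elastic or Trend Micro: it maps the raw `result` field onto `event.outcome` the way the example event does, then runs a failed-logon burst detection over a set of constructed audit entries in the raw API shape. The entries, the activity string "Log on", the role "Operator", and the threshold and window are all assumptions made for the example.

```python
"""Added example, not code from Elastic or Trend Micro: map Vision One audit
log entries onto event.outcome the way the audit data stream does, then run a
failed-logon burst detection over them."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def entry(ts, user, result, role="Master Administrator"):
    """Constructed audit entry in the raw API shape seen in event.original above.
    The activity string "Log on" and the role "Operator" used below are assumptions."""
    return {"accessType": "Console", "category": "Logon and Logoff", "activity": "Log on",
            "loggedUser": user, "loggedRole": role, "result": result,
            "loggedDateTime": ts, "details": {}}


# Constructed sample: four failed root logons in under two minutes, then a success.
SAMPLE_AUDIT = [
    entry("2022-02-24T07:29:48Z", "Root Account", "Unsuccessful"),
    entry("2022-02-24T07:30:10Z", "Root Account", "Unsuccessful"),
    entry("2022-02-24T07:30:41Z", "Root Account", "Unsuccessful"),
    entry("2022-02-24T07:31:05Z", "Root Account", "Unsuccessful"),
    entry("2022-02-24T07:32:00Z", "Root Account", "Successful"),
    entry("2022-02-24T07:29:00Z", "analyst", "Unsuccessful", role="Operator"),
    entry("2022-02-24T07:45:00Z", "analyst", "Successful", role="Operator"),
]


def to_outcome(result):
    """The integration derives event.outcome from the raw result field."""
    return {"Successful": "success", "Unsuccessful": "failure"}.get(result, "unknown")


def parse_ts(value):
    """Vision One timestamps are ISO 8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def detect_logon_abuse(entries, threshold=3, window=timedelta(minutes=10)):
    """Per account, count failed "Logon and Logoff" events inside a sliding
    window; report accounts reaching the threshold and whether a successful
    logon occurred in that same window (guessing that worked)."""
    per_user = defaultdict(list)
    for e in entries:
        if e.get("category") == "Logon and Logoff":
            per_user[e["loggedUser"]].append(
                (parse_ts(e["loggedDateTime"]), to_outcome(e.get("result"))))
    findings = {}
    for user, events in per_user.items():
        events.sort()
        for i, (t0, outcome) in enumerate(events):
            if outcome != "failure":
                continue
            # Every event for this account from this failure up to the end of the window.
            in_window = [o for t, o in events[i:] if t - t0 <= window]
            failures = in_window.count("failure")
            if failures < threshold:
                continue
            prev = findings.get(user, {"failures": 0, "succeeded_after": False})
            findings[user] = {
                "failures": max(prev["failures"], failures),
                "succeeded_after": prev["succeeded_after"] or "success" in in_window,
            }
    return findings
```

The same logic as a Kibana threshold rule would count documents with `event.category: authentication` and `event.outcome: failure` grouped by `source.user.name`; the Python form is useful for checking the rule's expected hits against exported events before deploying it.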
This is the detection dataset.
**Example**
An example event for detection looks as follows:
{
"@timestamp": "2020-10-15T01:16:32.000Z",
"agent": {
"ephemeral_id": "b136ddab-1cc6-49c5-b9c2-4a4fcf650fe2",
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "trend_micro_vision_one.detection",
"namespace": "99796",
"type": "logs"
},
"destination": {
"domain": "Workgroup",
"ip": [
"81.2.69.142"
],
"port": 53
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "clean",
"agent_id_status": "verified",
"category": [
"intrusion_detection"
],
"created": "2024-06-12T03:29:29.064Z",
"dataset": "trend_micro_vision_one.detection",
"id": "100117",
"ingested": "2024-06-12T03:29:41Z",
"kind": "event",
"original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\\\Users\\\\\\\\\\user1\\\\\\\\\\Downloads\\\\\\\\\\Unconfirmed 145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\\\Program Files (x86)\\\\\\\\\\Microsoft\\\\\\\\\\Edge\\\\\\\\\\Application\\\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\\\Users\\\\\\\\\\user1\\\\\\\\\\Downloads\\\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\\\os\\\\\\\\\\system32\\\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\\\os\\\\\\\\\\System32\\\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\\\Program Files (x86)\\\\\\\\\\os\\\\\\\\\\Application\\\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}",
"severity": 50,
"type": [
"info"
]
},
"file": {
"hash": {
"md5": "761AEFF7E6B110970285B9C20C9E1DCA",
"sha1": "00496B4D53CEFE031B9702B3385C9F4430999932",
"sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7"
},
"name": [
"Unconfirmed 145081.crdownload"
],
"path": "/etc/systemd/system/snap-xxxx-1246.xxxx",
"size": 0
},
"host": {
"hostname": "samplehost",
"id": "1234-1234-1234",
"ip": [
"81.2.69.142"
],
"mac": [
"00-00-5E-00-53-23"
],
"name": "abc-docker"
},
"http": {
"request": {
"referrer": "http://www.example.com/"
}
},
"input": {
"type": "httpjson"
},
"network": {
"direction": "outbound",
"protocol": "http"
},
"observer": {
"hostname": "samplehost",
"mac": [
"00-00-5E-00-53-23"
]
},
"process": {
"command_line": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca",
"name": "string",
"pid": 0
},
"related": {
"hash": [
"761AEFF7E6B110970285B9C20C9E1DCA",
"00496B4D53CEFE031B9702B3385C9F4430999932",
"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7",
"3395856ce81f2b7382dee72602f798b642f14140"
],
"hosts": [
"samplehost",
"abc-docker"
],
"ip": [
"81.2.69.142",
"81.2.69.192"
]
},
"source": {
"ip": "81.2.69.192",
"port": 58871
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"trend_micro_vision_one-detection"
],
"threat": {
"tactic": {
"id": [
"TA0005"
]
}
},
"trend_micro_vision_one": {
"detection": {
"action": "Clean",
"action_result": "Quarantined successfully",
"behavior_category": "Grey-Detection",
"block": "Web reputation",
"client_flag": "dst",
"component_version": [
"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00"
],
"compressed_file_size": 0,
"destination": {
"ip": [
"81.2.69.142"
],
"ip_group": "Default",
"port": 53
},
"detection": "Yes",
"detection_source": "GLOBAL_INTELLIGENCE",
"detection_type": "File",
"device": {
"direction": "outbound",
"guid": "C5B09EDD-C725-907F-29D9-B8C30D18C48F",
"host": "samplehost",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"ip": [
"81.2.69.192"
],
"mac": "00-00-5E-00-53-23",
"process_name": "/snap/core/10126/usr/lib/snapd/snapd"
},
"domain": {
"name": "Workgroup"
},
"end_time": "2021-09-30T17:40:04.000Z",
"endpoint": {
"guid": "1234-1234-1234",
"hostname": "abc-docker",
"ip": [
"81.2.69.142"
],
"mac": "00-00-5E-00-53-23"
},
"engine_type": "Virus Scan Engine (OS 2003, x64)",
"engine_version": "12.500.1004",
"event_id": "100117",
"event_name": "INTEGRITY_MONITORING_EVENT",
"event_time_dt": "2021-06-10T01:38:38.000Z",
"file_hash": "3395856ce81f2b7382dee72602f798b642f14140",
"file_name": [
"Unconfirmed 145081.crdownload"
],
"file_operation": "Deleted",
"file_path": "/etc/systemd/system",
"file_path_name": "/etc/systemd/system/snap-xxxx-1246.xxxx",
"file_size": 0,
"first_action": "Clean",
"first_action_result": "Unable to clean file",
"full_path": "C:\\\\\Users\\\\\user1\\\\\Downloads\\\\\Unconfirmed 145081.crdownload",
"hostname": "samplehost",
"http_referer": "http://www.example.com/",
"interested": {
"host": "abc-docker",
"ip": [
"81.2.69.192"
],
"mac": "00-00-5E-00-53-23"
},
"malware_name": "Eicar_test_1",
"malware_type": "Virus/Malware",
"mproduct": {
"name": "Cloud One - Workload Security",
"version": "Deep Security/20.0.222"
},
"object": {
"cmd": [
"C:\\\\\Program Files (x86)\\\\\Microsoft\\\\\Edge\\\\\Application\\\\\msedge.exe --profile-directory=Default"
],
"file": {
"hash": {
"md5": "761AEFF7E6B110970285B9C20C9E1DCA",
"sha1": "00496B4D53CEFE031B9702B3385C9F4430999932",
"sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7"
},
"name": "Unconfirmed 142899.crdownload:SmartScreen",
"path": "C:\\\\\Users\\\\\user1\\\\\Downloads\\\\\Unconfirmed 142899.crdownload:SmartScreen"
},
"name": "CloudEndpointService.exe",
"pid": 7660,
"signer": [
"OS"
]
},
"parent": {
"cmd": "C:\\\\\os\\\\\system32\\\\\svchost.exe -k DcomLaunch -p",
"file": {
"hash": {
"sha1": "00496B4D53CEFE031B9702B3385C9F4430999932",
"sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7"
},
"path": "C:\\\\\os\\\\\System32\\\\\svchost.exe"
}
},
"peer": {
"host": "samplehost",
"ip": [
"81.2.69.192"
]
},
"process": {
"cmd": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca",
"file": {
"hash": {
"md5": "761AEFF7E6B110970285B9C20C9E1DCA",
"sha1": "00496B4D53CEFE031B9702B3385C9F4430999932",
"sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7"
},
"path": "C:\\\\\Program Files (x86)\\\\\os\\\\\Application\\\\\msedge.exe"
},
"name": "string",
"pid": 0,
"signer": "OS Publisher"
},
"product": {
"code": "sao",
"name": "Apex One",
"version": "20.0.0.877"
},
"protocol": "HTTP",
"protocol_group": "HTTP",
"related_apt": false,
"request": "https://example.com",
"request_client_application": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
"risk_level": 3,
"rt": "2020-10-15T01:16:32.000Z",
"rt_utc": "2020-10-15T01:16:32.000Z",
"search_data_lake": "DDL",
"security_analytics": {
"engine": {
"name": [
"T1090 (TA0005)"
],
"version": "v6"
}
},
"severity_level": 50,
"source": {
"group": "Default",
"ip": "81.2.69.192",
"port": 58871
},
"sub_name": "Attack Discovery",
"tactic_id": [
"TA0005"
],
"tags": [
"XSAE.F2140",
"XSAE.F3066"
],
"threat_name": "Malicious_identified_CnC_querying_on_UDP_detected",
"total_count": 1,
"uuid": "1234-1234-1234"
}
},
"url": {
"domain": "example.com",
"original": "https://example.com",
"scheme": "https"
},
"user_agent": {
"device": {
"name": "iPhone"
},
"name": "Mobile Safari",
"original": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
"os": {
"full": "iOS 12.1",
"name": "iOS",
"version": "12.1"
},
"version": "12.0"
}
}
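A raw detection record carries the same hash, IP and host several times under different keys (`objectFileHash*`, `parentFileHash*`, `processFileHash*`, `dst`, `endpointIp`, `interestedIp`, ...) and three different timestamps (`eventTime`, `eventTimeDT`, `rt`). The example event above shows how the stream collapses these into `related.*`, `threat.*` and `@timestamp`. The block below is an added example, not the integration's own ingest pipeline: it reproduces that derivation from a constructed record trimmed from the example, and goes one step further than the page by parsing `mitreMapping` strings such as `T1090 (TA0005)` into separate technique and tactic IDs. The field names on the returned dict mirror the ECS fields above; `related_apt` is the stream's own name for the boolean form of `aptRelated`.

```python
"""Added example, not the integration's own ingest pipeline: derive the
related.*, threat.* and timestamp fields that the detection data stream
exposes from a raw Vision One detection record, so the mapping in the
example event above can be checked by hand."""
import re
from datetime import datetime, timezone

# Constructed sample: the raw detection from the page's example event,
# trimmed to the fields this example reads.
SAMPLE_DETECTION = {
    "act": "Clean",
    "aptRelated": "0",
    "cat": 50,
    "deviceDirection": "outbound",
    "dhost": "samplehost",
    "dst": ["81.2.69.142"],
    "endpointHostName": "abc-docker",
    "endpointIp": ["81.2.69.142"],
    "eventTime": 1602724592000,
    "eventTimeDT": "2021-06-10T01:38:38+00:00",
    "fileHash": "3395856ce81f2b7382dee72602f798b642f14140",
    "interestedHost": "abc-docker",
    "interestedIp": ["81.2.69.192"],
    "mDevice": ["81.2.69.192"],
    "malName": "Eicar_test_1",
    "mitreMapping": ["T1090 (TA0005)"],
    "objectFileHashMd5": "761AEFF7E6B110970285B9C20C9E1DCA",
    "objectFileHashSha1": "00496B4D53CEFE031B9702B3385C9F4430999932",
    "objectFileHashSha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7",
    "parentFileHashSha1": "00496B4D53CEFE031B9702B3385C9F4430999932",
    "parentFileHashSha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7",
    "peerHost": "samplehost",
    "peerIp": ["81.2.69.192"],
    "processFileHashMd5": "761AEFF7E6B110970285B9C20C9E1DCA",
    "processFileHashSha1": "00496B4D53CEFE031B9702B3385C9F4430999932",
    "processFileHashSha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7",
    "rt": "2020-10-15T01:16:32.000Z",
    "src": "81.2.69.192",
    "tacticId": ["TA0005"],
}

HASH_KEYS = (  # order matches related.hash in the example event above
    "objectFileHashMd5", "objectFileHashSha1", "objectFileHashSha256", "fileHash",
    "parentFileHashSha1", "parentFileHashSha256",
    "processFileHashMd5", "processFileHashSha1", "processFileHashSha256",
)
IP_KEYS = ("dst", "src", "endpointIp", "interestedIp", "peerIp", "mDevice")
HOST_KEYS = ("dhost", "endpointHostName", "interestedHost", "peerHost", "hostName")
# mitreMapping entries look like "T1090 (TA0005)"; sub-techniques such as "T1055.001" also fit.
MITRE_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)\s*\((TA\d{4})\)$")


def as_list(value):
    """Vision One emits some fields as a scalar and others as a list; treat both alike."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def collect(record, keys):
    """Gather values from several raw fields, deduplicated, in first-seen order."""
    seen, out = set(), []
    for key in keys:
        for v in as_list(record.get(key)):
            if v not in seen:
                seen.add(v)
                out.append(v)
    return out


def epoch_ms_to_iso(ms):
    """eventTime is epoch milliseconds; render it in the ISO 8601 UTC form used by @timestamp."""
    dt = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    return dt.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def normalize_detection(record):
    """Derive the summary fields the detection data stream exposes."""
    techniques, tactics = [], []
    for item in as_list(record.get("mitreMapping")):
        m = MITRE_RE.match(item)
        if m:
            techniques.append(m.group(1))
            tactics.append(m.group(2))
    return {
        # @timestamp comes from eventTime (which agrees with rt), not from
        # eventTimeDT, which in the page's example carries an unrelated 2021 date.
        "@timestamp": epoch_ms_to_iso(record["eventTime"]),
        "event.action": record.get("act", "").lower(),
        "event.severity": record.get("cat"),
        "network.direction": record.get("deviceDirection"),
        "related.hash": collect(record, HASH_KEYS),
        "related.ip": collect(record, IP_KEYS),
        "related.hosts": collect(record, HOST_KEYS),
        "threat.technique.id": techniques,
        "threat.tactic.id": sorted(set(tactics) | set(as_list(record.get("tacticId")))),
        # aptRelated is the string "0"/"1"; the stream exposes it as the boolean related_apt.
        "related_apt": record.get("aptRelated") == "1",
    }
```

When hunting across this stream, query `related.hash` and `related.ip` rather than the individual `trend_micro_vision_one.detection.*` keys: a hash may appear as the object, the parent or the process file depending on which sensor raised the event, and the aggregated field catches all three.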
**Exported fields**
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type | keyword |
log.offset | Log offset | long |
trend_micro_vision_one.detection.action | Action by detect product. | keyword |
trend_micro_vision_one.detection.action_result | Action result by detect product. | keyword |
trend_micro_vision_one.detection.aggregated_count | Aggregated count. | long |
trend_micro_vision_one.detection.behavior_category | The matched policy category (policy section) in the BM patterns, which will always be Grey-Detection here. | keyword |
trend_micro_vision_one.detection.block | blocking Reason. | keyword |
trend_micro_vision_one.detection.client_flag | 0:Unknown 1:src 2:dst. | keyword |
trend_micro_vision_one.detection.client_ip | Client IP. | ip |
trend_micro_vision_one.detection.component_version | Product component version. | keyword |
trend_micro_vision_one.detection.compressed_file_size | File size after compressed. | long |
trend_micro_vision_one.detection.destination.ip | Destination IP address. | ip |
trend_micro_vision_one.detection.destination.ip_group | Destination IP address group. | keyword |
trend_micro_vision_one.detection.destination.port | Destination port. | long |
trend_micro_vision_one.detection.detection | Yes (Tag it when it appears and the value is 1). | keyword |
trend_micro_vision_one.detection.detection_source | Detection source use by Deep Discovery Inspector. | keyword |
trend_micro_vision_one.detection.detection_type | Product detection type. | keyword |
trend_micro_vision_one.detection.device.direction | 0: inbound 1: outbound 2: unknown (If cannot be parsed correctly, 2 is assigned). | keyword |
trend_micro_vision_one.detection.device.guid | Device GUID. | keyword |
trend_micro_vision_one.detection.device.host | device host. | keyword |
trend_micro_vision_one.detection.device.id | Device identity. | keyword |
trend_micro_vision_one.detection.device.ip | Devices ip list. | ip |
trend_micro_vision_one.detection.device.mac | Mac address. | keyword |
trend_micro_vision_one.detection.device.process_name | Process name in device. | keyword |
trend_micro_vision_one.detection.domain.name | Domain name. | keyword |
trend_micro_vision_one.detection.end_time | End time. | date |
trend_micro_vision_one.detection.endpoint.guid | endpoint GUID for identity. | keyword |
trend_micro_vision_one.detection.endpoint.hostname | Hostname of the endpoint on which the event was generated. | keyword |
trend_micro_vision_one.detection.endpoint.ip | Endpoint IP address list. | ip |
trend_micro_vision_one.detection.endpoint.mac | Endpoint Mac address. | keyword |
trend_micro_vision_one.detection.engine_type | Product scan engine type. | keyword |
trend_micro_vision_one.detection.engine_version | Product scan engine version. | keyword |
trend_micro_vision_one.detection.event_id | Event ID. | keyword |
trend_micro_vision_one.detection.event_name | Predefined event enumerator. | keyword |
trend_micro_vision_one.detection.event_time_dt | Detect time. | date |
trend_micro_vision_one.detection.file_hash | Detect file hash value. | keyword |
trend_micro_vision_one.detection.file_name | Detect file name. | keyword |
trend_micro_vision_one.detection.file_operation | Operation for detect file. | keyword |
trend_micro_vision_one.detection.file_path | Full file path without file name. | keyword |
trend_micro_vision_one.detection.file_path_name | Full file path. | keyword |
trend_micro_vision_one.detection.file_size | Detect file size. | long |
trend_micro_vision_one.detection.file_type | Detect file type. | keyword |
trend_micro_vision_one.detection.first_action | First action. | keyword |
trend_micro_vision_one.detection.first_action_result | First action result. | keyword |
trend_micro_vision_one.detection.full_path | File full path. | keyword |
trend_micro_vision_one.detection.hostname | host name. | keyword |
trend_micro_vision_one.detection.http_referer | http referer url. | keyword |
trend_micro_vision_one.detection.interested.host | Highlighted indicator for incident response members. | keyword |
trend_micro_vision_one.detection.interested.ip | Highlighted indicator for incident response members. | ip |
trend_micro_vision_one.detection.interested.mac | Highlighted indicator for incident response members. | keyword |
trend_micro_vision_one.detection.malware_name | Malware name. | keyword |
trend_micro_vision_one.detection.malware_type | Malware type. | keyword |
trend_micro_vision_one.detection.mime_type | MIME type. | keyword |
trend_micro_vision_one.detection.mproduct.name | Product name. | keyword |
trend_micro_vision_one.detection.mproduct.version | Product Version. | keyword |
trend_micro_vision_one.detection.object.cmd | The command line that a process detected by Attack Discovery uses to execute other processes. | keyword |
trend_micro_vision_one.detection.object.file.hash.md5 | File hash MD5 value. | keyword |
trend_micro_vision_one.detection.object.file.hash.sha1 | File hash SHA1 value. | keyword |
trend_micro_vision_one.detection.object.file.hash.sha256 | File hash SHA256 value. | keyword |
trend_micro_vision_one.detection.object.file.name | File name. | keyword |
trend_micro_vision_one.detection.object.file.path | File path. | keyword |
trend_micro_vision_one.detection.object.name | Detect object name. | keyword |
trend_micro_vision_one.detection.object.pid | Detect object PID. | long |
trend_micro_vision_one.detection.object.signer | Signer. | keyword |
trend_micro_vision_one.detection.os.name | Supported values: Linux, Windows, macOS, macOSX. | keyword |
trend_micro_vision_one.detection.parent.cmd | The command line of the parent process. | keyword |
trend_micro_vision_one.detection.parent.file.hash.sha1 | Parent file SHA1 hash. | keyword |
trend_micro_vision_one.detection.parent.file.hash.sha256 | Parent file SHA256 hash. | keyword |
trend_micro_vision_one.detection.parent.file.path | Parent file path. | keyword |
trend_micro_vision_one.detection.peer.host | Peer host name. | keyword |
trend_micro_vision_one.detection.peer.ip | Peer IP address list. | ip |
trend_micro_vision_one.detection.policy.logkey | Policy logkey. | keyword |
trend_micro_vision_one.detection.policy.name | Policy name. | keyword |
trend_micro_vision_one.detection.policy.uuid | Policy UUID. | keyword |
trend_micro_vision_one.detection.principal_name | Principal name. | keyword |
trend_micro_vision_one.detection.process.cmd | The command line used to launch this process. | keyword |
trend_micro_vision_one.detection.process.file.hash.md5 | Process file hash MD5 value. | keyword |
trend_micro_vision_one.detection.process.file.hash.sha1 | Process file hash SHA1 value. | keyword |
trend_micro_vision_one.detection.process.file.hash.sha256 | Process file hash SHA256 value. | keyword |
trend_micro_vision_one.detection.process.file.path | The process file path. | keyword |
trend_micro_vision_one.detection.process.name | Process name. | keyword |
trend_micro_vision_one.detection.process.pid | Process PID. | long |
trend_micro_vision_one.detection.process.signer | Process signer. | keyword |
trend_micro_vision_one.detection.product.code | Product code name. | keyword |
trend_micro_vision_one.detection.product.name | Product name. | keyword |
trend_micro_vision_one.detection.product.version | Product version. | keyword |
trend_micro_vision_one.detection.profile | Profile | keyword |
trend_micro_vision_one.detection.protocol | Protocol detected by Deep Discovery Inspector. | keyword |
trend_micro_vision_one.detection.protocol_group | Protocol group detected by Deep Discovery Inspector. | keyword |
trend_micro_vision_one.detection.related_apt | Whether the detection is related to an APT: 0 = false, 1 = true. | boolean |
trend_micro_vision_one.detection.request | URL. | keyword |
trend_micro_vision_one.detection.request_base | Request base. | keyword |
trend_micro_vision_one.detection.request_client_application | Browser user agent. | keyword |
trend_micro_vision_one.detection.risk_level | Risk level: SLF_CCCA_RISKLEVEL_UNKNOWN (0), SLF_CCCA_RISKLEVEL_LOW (1), SLF_CCCA_RISKLEVEL_MEDIUM (2), SLF_CCCA_RISKLEVEL_HIGH (3). | long |
trend_micro_vision_one.detection.rt | Detect time. | date |
trend_micro_vision_one.detection.rt_utc | Detect time (UTC). | date |
trend_micro_vision_one.detection.search_data_lake | Datalake name. | keyword |
trend_micro_vision_one.detection.security_analytics.engine.name | Security Analytics Engine. | keyword |
trend_micro_vision_one.detection.security_analytics.engine.version | Security Analytics Engine version. | keyword |
trend_micro_vision_one.detection.sender | Sender. | keyword |
trend_micro_vision_one.detection.severity_level | Severity score. | long |
trend_micro_vision_one.detection.source.group | Source IP address group. | keyword |
trend_micro_vision_one.detection.source.ip | Source IP address. | ip |
trend_micro_vision_one.detection.source.port | Source port. | long |
trend_micro_vision_one.detection.sub_name | Detect event subscribe name. | keyword |
trend_micro_vision_one.detection.suid | Suid. | keyword |
trend_micro_vision_one.detection.tactic_id | Security Agent or product policy. | keyword |
trend_micro_vision_one.detection.tags | Detected by Security Analytics Engine filters. | keyword |
trend_micro_vision_one.detection.threat_name | Threat name. | keyword |
trend_micro_vision_one.detection.total_count | Total count. | long |
trend_micro_vision_one.detection.url_cat | URL category. | keyword |
trend_micro_vision_one.detection.user.domain | User domain. | keyword |
trend_micro_vision_one.detection.uuid | Log unique id. | keyword |
**Changelog**
| Version | Details | Kibana version(s) |
| --- | --- | --- |
| 1.24.1 | Bug fix: Fixed inconsistent time interval issue leading to data loss in the detections data stream. | 8.13.0 or higher |
| 1.24.0 | Enhancement: Add configurable page size option for the detection and audit data streams. | 8.13.0 or higher |
| 1.23.0 | Enhancement: Do not remove event.original in main ingest pipeline. | 8.13.0 or higher |
| 1.22.0 | Enhancement: Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". | 8.13.0 or higher |
| 1.21.1 | Bug fix: Add missing regional URL documentation. | 8.13.0 or higher |
| 1.21.0 | Enhancement: Update doc for setting up API Keys. | 8.13.0 or higher |
| 1.20.0 | Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher |
| 1.19.1 | Bug fix: Fix sample event. | 8.12.0 or higher |
| 1.19.0 | Enhancement: Make host.mac field conform to ECS field definition. | 8.12.0 or higher |
| 1.18.0 | Enhancement: Improve handling of empty responses. | 8.12.0 or higher |
| 1.17.0 | Enhancement: Update manifest format version to v3.0.3. | 8.12.0 or higher |
| 1.16.0 | Enhancement: Set sensitive values as secret. | 8.12.0 or higher |
| 1.15.1 | Enhancement: Changed owners. | 8.7.1 or higher |
| 1.15.0 | Enhancement: Limit request tracer log count to five. | 8.7.1 or higher |
| 1.14.0 | Enhancement: ECS version updated to 8.11.0. | 8.7.1 or higher |
| 1.13.0 | Enhancement: Improve event.original check to avoid errors if set. | 8.7.1 or higher |
| 1.12.2 | Bug fix: Fix missing request issue in pipeline. | 8.7.1 or higher |
| 1.12.1 | Bug fix: Fix Detection API header. | 8.7.1 or higher |
| 1.12.0 | Enhancement: Update the package format_version to 3.0.0. | 8.7.1 or higher |
| 1.11.0 | Enhancement: Handle detection documents that have a requests array instead of a request field. | 8.7.1 or higher |
| 1.10.0 | Bug fix: Correct invalid ECS field usages at root-level. | 8.7.1 or higher |
| 1.9.0 | Enhancement: ECS version updated to 8.10.0. | 8.7.1 or higher |
| 1.8.0 | Enhancement: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 8.7.1 or higher |
| 1.7.0 | Enhancement: Update package to ECS 8.9.0. | 8.7.1 or higher |
| 1.6.0 | Enhancement: Document duration units. | 8.7.1 or higher |
| 1.5.0 | Enhancement: Update package to package-spec 2.9.0. | 8.7.1 or higher |
| 1.4.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 8.7.1 or higher |
| 1.3.0 | Enhancement: Update package to ECS 8.8.0. | 8.7.1 or higher |
| 1.2.0 | Enhancement: Add a new flag to enable request tracing. | 8.7.1 or higher |
| 1.1.0 | Enhancement: Update package to ECS 8.7.0. | 8.4.0 or higher |
| 1.0.0 | Enhancement: Release Trend Micro Vision One as GA. | 8.4.0 or higher |
| 0.3.1 | Enhancement: Added categories and/or subcategories. | — |
| 0.3.0 | Enhancement: Update package to ECS 8.6.0. | — |
| 0.2.2 | Bug fix: Added processor to drop empty documents when there are no events. | — |
| 0.2.1 | Enhancement: Update the pagination termination condition. | — |
| 0.2.0 | Enhancement: Update package to ECS 8.5.0. | — |
| 0.1.0 | Enhancement: Initial Release. | — |