| Table of Contents | ||||||
|---|---|---|---|---|---|---|
|
Introduction
The tags beginning with xdr.trend_micro micro identify events generated by Trendmicro Trend Micro.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed asxdr.trend_micro. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
...
Technology
...
Brand
...
Type
...
Subtype
...
...
trend_micro
...
vision_one
...
alerts
audit
observed_attacks_techniques
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product/Service | Tag | Data table |
|---|---|---|
Trend Micro |
|
|
|
| |
|
|
For more information, read more About Devo tags.
Table structure
This is the set displayed by these tables.:
...
xdr.trend_micro.vision_one.alerts
...
xdr.trend_micro.vision_one.alerts
Field | Type | Extra |
|---|
fields | |
|---|---|
eventdate |
|
hostname |
|
-
schema_version |
|
id |
|
investigation_status |
|
-
workbench_link |
|
alert_provider |
|
-
model |
|
-
score |
|
-
severity |
|
-
created_date_time |
|
updated_date_time |
|
-
impact_scope__desktop_count |
|
-
impact_scope__server_count |
|
-
impact_scope__account_count |
|
-
impact_scope__email_address_count |
|
-
impact_scope__entities |
|
description |
|
-
matched_rules |
|
-
indicators__id |
|
indicators__type |
|
indicators__field |
|
-
indicators__value |
|
-
indicators__related_entities |
|
-
indicators__filter_ids |
|
-
indicators__provenance |
|
-
indicators_found |
|
indicators_id |
|
devo_pulling_id |
|
-
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
...
xdr.trend_micro.vision_one.audit
...
xdr.trend_micro.vision_one.audit
...
Field
Type
Field | Type | Field Transformation | Source field name | Extra fields |
|---|---|---|---|---|
eventdate |
|
|
| |
hostname |
|
|
| |
logged_date_time |
|
|
| |
logged_user |
|
|
| |
logged_role |
|
|
| |
category |
|
|
| |
activity |
|
|
| |
access_type |
|
|
| |
result |
|
|
| |
devo_pull_request |
|
|
| |
details__ip_addr_str |
|
|
| |
details__ip_addr_ipv4 |
|
| details__ip_addr_str | ||||
details__ip_addr_ipv6 |
|
| details__ip_addr_str | ||||
details__mailbox |
|
|
| |
details__trace_id |
|
|
| |
details__command_id |
|
|
| |
details__action |
|
|
| |
details__group_id |
|
|
| |
details__group_name |
|
|
| |
details__app |
|
|
| |
details__product |
|
|
| |
details__reason |
|
|
| |
details__removed_agents |
|
|
| |
details__target_group |
|
|
| |
details__feature |
|
|
| |
details__affected_child_groups |
|
|
| |
details__parent_group_id |
|
|
| |
details__path |
|
|
| ||
details__group_description |
|
|
| |
details__quota |
|
|
| |
details__role |
|
|
| |
details__from |
|
|
| |
details__to |
|
|
| |
details__user |
|
|
| |
details__status |
|
|
| |||
hostchain |
|
|
| ✓ |
tag |
|
|
| ✓ |
rawMessage |
|
|
...
| ✓ |
xdr.trend_micro.vision_one.observed_attack_techniques
Field | Type | Extra |
|---|
fields | |
|---|---|
eventdate |
|
-
hostname |
|
source |
|
uuid |
|
-
detected_date_time |
|
-
detail__version |
|
-
detail__event_time |
|
detail__tags |
|
detail__uuid |
|
-
detail__product_code |
|
-
detail__package_trace_id |
|
-
detail__filter_risk_level |
|
-
detail__event_id |
|
-
detail__event_sub_id |
|
detail__event_hash_id |
|
-
detail__first_seen |
|
-
detail__last_seen |
|
detail__endpoint_guid |
|
-
detail__endpoint_host_name |
|
-
detail__endpoint_ip |
|
-
detail__endpoint_mac_address |
|
-
detail__timezone |
|
-
detail__pname |
|
detail__pver |
|
detail__plang |
|
-
detail__pplat |
|
detail__os_name |
|
detail__os_ver |
|
-
detail__os_description |
|
-
detail__os_type |
|
-
detail__process_hash_id |
|
-
detail__process_name |
|
-
detail__process_pid |
|
detail__session_id |
|
detail__process_user |
|
-
detail__process_user_domain |
|
detail__process_launch_time |
|
-
detail__process_cmd |
|
detail__auth_id |
|
detail__integrity_level |
|
-
detail__process_file_hash_id |
|
detail__process_file_path |
|
-
detail__process_file_hash_sha1 |
|
-
detail__process_file_hash_sha256 |
|
-
detail__process_file_hash_md5 |
|
-
detail__process_signer |
|
detail__process_signer_valid |
|
-
detail__process_file_size |
|
-
detail__process_file_creation |
|
-
detail__process_file_modified_time |
|
-
detail__process_true_type |
|
-
detail__parent_hash_id |
|
detail__parent_name |
|
-
detail__parent_pid |
|
-
detail__parent_session_id |
|
detail__parent_user |
|
detail__parent_user_domain |
|
-
detail__parent_launch_time |
|
-
detail__parent_cmd |
|
-
detail__parent_auth_id |
|
-
detail__parent_integrity_level |
|
-
detail__parent_file_hash_id |
|
detail__parent_file_path |
|
detail__parent_file_hash_sha1 |
|
-
detail__parent_file_hash_sha256 |
|
detail__parent_file_hash_md5 |
|
-
detail__parent_signer |
|
-
detail__parent_signer_valid |
|
-
detail__parent_file_size |
|
-
detail__parent_file_creation |
|
-
detail__parent_file_modified_time |
|
detail__parent_true_type |
|
detail__object_hash_id |
|
-
detail__object_user |
|
detail__object_user_domain |
|
detail__object_session_id |
|
-
detail__object_file_path |
|
detail__object_file_hash_sha1 |
|
-
detail__object_file_hash_sha256 |
|
detail__object_file_hash_md5 |
|
detail__object_signer |
|
-
detail__object_signer_valid |
|
-
detail__object_file_size |
|
-
detail__object_file_creation |
|
detail__object_file_modified_time |
|
detail__object_true_type |
|
-
detail__object_name |
|
-
detail__object_pid |
|
-
detail__object_launch_time |
|
-
detail__object_cmd |
|
-
detail__object_auth_id |
|
detail__object_integrity_level |
|
-
detail__object_file_hash_id |
|
-
detail__object_run_as_local_account |
|
ingested_date_time |
|
-
entity_type |
|
-
entity_name |
|
-
endpoint__ips |
|
-
endpoint__agent_guid |
|
-
endpoint__endpoint_name |
|
filters__id |
|
filters__name |
|
-
filters__description |
|
filters__highlighted_objects |
|
filters__mitre_tactic_ids |
|
-
filters__mitre_technique_ids |
|
-
filters__risk_level |
|
-
filters_found |
|
-
filters_id |
|
-
devo_pulling_id |
|
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |