xdr.trend_micro

Introduction

The tags beginning with xdr.trend_micro identify events generated by Trend Micro.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as xdr.trend_micro. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product/Service	Tag	Data table
Trend Micro	`xdr.trend_micro.vision_one.alerts`	`xdr.trend_micro.vision_one.alerts`
	`xdr.trend_micro.vision_one.audit`	`xdr.trend_micro.vision_one.audit`
	`xdr.trend_micro.vision_one.observed_attack_techniques`	`xdr.trend_micro.vision_one.observed_attack_techniques`

For more information, read more About Devo tags.

Table structure

This is the set displayed by these tables:

xdr.trend_micro.vision_one.alerts

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
schema_version	`str`
id	`str`
investigation_status	`str`
workbench_link	`str`
alert_provider	`str`
model	`str`
score	`int4`
severity	`str`
created_date_time	`timestamp`
updated_date_time	`timestamp`
impact_scope__desktop_count	`int4`
impact_scope__server_count	`int4`
impact_scope__account_count	`int4`
impact_scope__email_address_count	`int4`
impact_scope__entities	`str`
description	`str`
matched_rules	`str`
indicators__id	`int4`
indicators__type	`str`
indicators__field	`str`
indicators__value	`str`
indicators__related_entities	`str`
indicators__filter_ids	`str`
indicators__provenance	`str`
indicators_found	`int4`
indicators_id	`int4`
devo_pulling_id	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

xdr.trend_micro.vision_one.audit

Field	Type	Field Transformation	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
logged_date_time	`timestamp`
logged_user	`str`
logged_role	`str`
category	`str`
activity	`str`
access_type	`str`
result	`str`
devo_pull_request	`str`
details__ip_addr_str	`str`
details__ip_addr_ipv4	`ip4`	ip4(details__ip_addr_str)	details__ip_addr_str
details__ip_addr_ipv6	`ip6`	ip6(details__ip_addr_str)	details__ip_addr_str
details__mailbox	`str`
details__trace_id	`str`
details__command_id	`str`
details__action	`str`
details__group_id	`str`
details__group_name	`str`
details__app	`str`
details__product	`str`
details__reason	`str`
details__removed_agents	`str`
details__target_group	`str`
details__feature	`str`
details__affected_child_groups	`str`
details__parent_group_id	`str`
details__path	`str`
details__group_description	`str`
details__quota	`int4`
details__role	`str`
details__from	`str`
details__to	`str`
details__user	`str`
details__status	`bool`
hostchain	`str`			✓
tag	`str`			✓
rawMessage	`str`			✓

xdr.trend_micro.vision_one.observed_attack_techniques

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
source	`str`
uuid	`str`
detected_date_time	`timestamp`
detail__version	`str`
detail__event_time	`timestamp`
detail__tags	`str`
detail__uuid	`str`
detail__product_code	`str`
detail__package_trace_id	`str`
detail__filter_risk_level	`str`
detail__event_id	`str`
detail__event_sub_id	`int4`
detail__event_hash_id	`str`
detail__first_seen	`timestamp`
detail__last_seen	`timestamp`
detail__endpoint_guid	`str`
detail__endpoint_host_name	`str`
detail__endpoint_ip	`str`
detail__endpoint_mac_address	`str`
detail__timezone	`str`
detail__pname	`str`
detail__pver	`str`
detail__plang	`int4`
detail__pplat	`int4`
detail__os_name	`str`
detail__os_ver	`str`
detail__os_description	`str`
detail__os_type	`str`
detail__process_hash_id	`str`
detail__process_name	`str`
detail__process_pid	`int4`
detail__session_id	`int4`
detail__process_user	`str`
detail__process_user_domain	`str`
detail__process_launch_time	`timestamp`
detail__process_cmd	`str`
detail__auth_id	`str`
detail__integrity_level	`int4`
detail__process_file_hash_id	`str`
detail__process_file_path	`str`
detail__process_file_hash_sha1	`str`
detail__process_file_hash_sha256	`str`
detail__process_file_hash_md5	`str`
detail__process_signer	`str`
detail__process_signer_valid	`str`
detail__process_file_size	`str`
detail__process_file_creation	`timestamp`
detail__process_file_modified_time	`timestamp`
detail__process_true_type	`int4`
detail__parent_hash_id	`str`
detail__parent_name	`str`
detail__parent_pid	`int4`
detail__parent_session_id	`int4`
detail__parent_user	`str`
detail__parent_user_domain	`str`
detail__parent_launch_time	`timestamp`
detail__parent_cmd	`str`
detail__parent_auth_id	`str`
detail__parent_integrity_level	`int4`
detail__parent_file_hash_id	`str`
detail__parent_file_path	`str`
detail__parent_file_hash_sha1	`str`
detail__parent_file_hash_sha256	`str`
detail__parent_file_hash_md5	`str`
detail__parent_signer	`str`
detail__parent_signer_valid	`str`
detail__parent_file_size	`str`
detail__parent_file_creation	`timestamp`
detail__parent_file_modified_time	`timestamp`
detail__parent_true_type	`int4`
detail__object_hash_id	`str`
detail__object_user	`str`
detail__object_user_domain	`str`
detail__object_session_id	`str`
detail__object_file_path	`str`
detail__object_file_hash_sha1	`str`
detail__object_file_hash_sha256	`str`
detail__object_file_hash_md5	`str`
detail__object_signer	`str`
detail__object_signer_valid	`str`
detail__object_file_size	`str`
detail__object_file_creation	`timestamp`
detail__object_file_modified_time	`timestamp`
detail__object_true_type	`int4`
detail__object_name	`str`
detail__object_pid	`int4`
detail__object_launch_time	`timestamp`
detail__object_cmd	`str`
detail__object_auth_id	`str`
detail__object_integrity_level	`int4`
detail__object_file_hash_id	`str`
detail__object_run_as_local_account	`bool`
ingested_date_time	`timestamp`
entity_type	`str`
entity_name	`str`
endpoint__ips	`str`
endpoint__agent_guid	`str`
endpoint__endpoint_name	`str`
filters__id	`str`
filters__name	`str`
filters__description	`str`
filters__highlighted_objects	`str`
filters__mitre_tactic_ids	`str`
filters__mitre_technique_ids	`str`
filters__risk_level	`str`
filters_found	`int4`
filters_id	`int4`
devo_pulling_id	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓