Document toolboxDocument toolbox

xdr.trend_micro

Owned by Juan Tomás Alonso Nieto (Deactivated)
May 08, 2023
3 min read
[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tags beginning with xdr.trend_micro identify events generated by Trendmicro.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as xdr.trend_micro. The third level identifies the type of events sent, and the fourth level indicates the event subtype.  

Technology

Brand

Type

Subtype

Technology

Brand

Type

Subtype

xdr

trend_micro

  • vision_one

  • alerts

  • audit

  • observed_attacks_techniques

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag

Data table

Tag

Data table

xdr.trend_micro.vision_one.alerts

xdr.trend_micro.vision_one.alerts

xdr.trend_micro.vision_one.audit

xdr.trend_micro.vision_one.audit

xdr.trend_micro.vision_one.observed_attack_techniques

xdr.trend_micro.vision_one.observed_attack_techniques

Table structure

This is the set displayed by these tables.

xdr.trend_micro.vision_one.alerts

Field

Type

Extra Label

Field

Type

Extra Label

eventdate

timestamp

-

hostname

str

-

schema_version

str

-

id

str

-

investigation_status

str

-

workbench_link

str

-

alert_provider

str

-

model

str

-

score

int4

-

severity

str

-

created_date_time

timestamp

-

updated_date_time

timestamp

-

impact_scope__desktop_count

int4

-

impact_scope__server_count

int4

-

impact_scope__account_count

int4

-

impact_scope__email_address_count

int4

-

impact_scope__entities

str

-

description

str

-

matched_rules

str

-

indicators__id

int4

-

indicators__type

str

-

indicators__field

str

-

indicators__value

str

-

indicators__related_entities

str

-

indicators__filter_ids

str

-

indicators__provenance

str

-

indicators_found

int4

-

indicators_id

int4

-

devo_pulling_id

str

-

hostchain

str

tag

str

rawMessage

str

xdr.trend_micro.vision_one.audit

Field

Type

Extra Label

Field

Type

Extra Label

eventdate

timestamp

-

hostname

str

-

logged_date_time

timestamp

-

logged_user

str

-

logged_role

str

-

category

str

-

activity

str

-

access_type

str

-

result

str

-

devo_pull_request

str

-

details__ip_addr_str

str

-

details__ip_addr_ipv4

ip4

-

details__ip_addr_ipv6

ip6

-

details__mailbox

str

-

details__trace_id

str

-

details__command_id

str

-

details__action

str

-

details__group_id

str

-

details__group_name

str

-

details__app

str

-

details__product

str

-

details__reason

str

-

details__removed_agents

str

-

details__target_group

str

-

details__feature

str

-

details__affected_child_groups

str

-

details__parent_group_id

str

-

details__path

str

-

details__group_description

str

-

details__quota

int4

-

details__role

str

-

details__from

str

-

details__to

str

-

details__user

str

-

details__status

bool

-

hostchain

str

tag

str

rawMessage

str

xdr.trend_micro.vision_one.observed_attack_techniques

Field

Type

Extra Label

Field

Type

Extra Label

eventdate

timestamp

-

hostname

str

-

source

str

-

uuid

str

-

detected_date_time

timestamp

-

detail__version

str

-

detail__event_time

timestamp

-

detail__tags

str

-

detail__uuid

str

-

detail__product_code

str

-

detail__package_trace_id

str

-

detail__filter_risk_level

str

-

detail__event_id

str

-

detail__event_sub_id

int4

-

detail__event_hash_id

str

-

detail__first_seen

timestamp

-

detail__last_seen

timestamp

-

detail__endpoint_guid

str

-

detail__endpoint_host_name

str

-

detail__endpoint_ip

str

-

detail__endpoint_mac_address

str

-

detail__timezone

str

-

detail__pname

str

-

detail__pver

str

-

detail__plang

int4

-

detail__pplat

int4

-

detail__os_name

str

-

detail__os_ver

str

-

detail__os_description

str

-

detail__os_type

str

-

detail__process_hash_id

str

-

detail__process_name

str

-

detail__process_pid

int4

-

detail__session_id

int4

-

detail__process_user

str

-

detail__process_user_domain

str

-

detail__process_launch_time

timestamp

-

detail__process_cmd

str

-

detail__auth_id

str

-

detail__integrity_level

int4

-

detail__process_file_hash_id

str

-

detail__process_file_path

str

-

detail__process_file_hash_sha1

str

-

detail__process_file_hash_sha256

str

-

detail__process_file_hash_md5

str

-

detail__process_signer

str

-

detail__process_signer_valid

str

-

detail__process_file_size

str

-

detail__process_file_creation

timestamp

-

detail__process_file_modified_time

timestamp

-

detail__process_true_type

int4

-

detail__parent_hash_id

str

-

detail__parent_name

str

-

detail__parent_pid

int4

-

detail__parent_session_id

int4

-

detail__parent_user

str

-

detail__parent_user_domain

str

-

detail__parent_launch_time

timestamp

-

detail__parent_cmd

str

-

detail__parent_auth_id

str

-

detail__parent_integrity_level

int4

-

detail__parent_file_hash_id

str

-

detail__parent_file_path

str

-

detail__parent_file_hash_sha1

str

-

detail__parent_file_hash_sha256

str

-

detail__parent_file_hash_md5

str

-

detail__parent_signer

str

-

detail__parent_signer_valid

str

-

detail__parent_file_size

str

-

detail__parent_file_creation

timestamp

-

detail__parent_file_modified_time

timestamp

-

detail__parent_true_type

int4

-

detail__object_hash_id

str

-

detail__object_user

str

-

detail__object_user_domain

str

-

detail__object_session_id

str

-

detail__object_file_path

str

-

detail__object_file_hash_sha1

str

-

detail__object_file_hash_sha256

str

-

detail__object_file_hash_md5

str

-

detail__object_signer

str

-

detail__object_signer_valid

str

-

detail__object_file_size

str

-

detail__object_file_creation

timestamp

-

detail__object_file_modified_time

timestamp

-

detail__object_true_type

int4

-

detail__object_name

str

-

detail__object_pid

int4

-

detail__object_launch_time

timestamp

-

detail__object_cmd

str

-

detail__object_auth_id

str

-

detail__object_integrity_level

int4

-

detail__object_file_hash_id

str

-

detail__object_run_as_local_account

bool

-

ingested_date_time

timestamp

-

entity_type

str

-

entity_name

str

-

endpoint__ips

str

-

endpoint__agent_guid

str

-

endpoint__endpoint_name

str

-

filters__id

str

-

filters__name

str

-

filters__description

str

-

filters__highlighted_objects

str

-

filters__mitre_tactic_ids

str

-

filters__mitre_technique_ids

str

-

filters__risk_level

str

-

filters_found

int4

-

filters_id

int4

-

devo_pulling_id

str

-

hostchain

str

tag

str

rawMessage

str