Document toolboxDocument toolbox

xdr.trend_micro

Introduction

The tags beginning with xdr.trend_micro identify events generated by Trend Micro.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as xdr.trend_micro. The third level identifies the type of events sent, and the fourth level indicates the event subtype.  

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product/Service

Tag

Data table

Product/Service

Tag

Data table

Trend Micro

xdr.trend_micro.vision_one.alerts

xdr.trend_micro.vision_one.alerts

xdr.trend_micro.vision_one.audit

xdr.trend_micro.vision_one.audit

xdr.trend_micro.vision_one.observed_attack_techniques

xdr.trend_micro.vision_one.observed_attack_techniques

For more information, read more About Devo tags.

Table structure

This is the set displayed by these tables:

xdr.trend_micro.vision_one.alerts

Field

Type

Extra fields

Field

Type

Extra fields

eventdate

timestamp

 

hostname

str

 

schema_version

str

 

id

str

 

investigation_status

str

 

workbench_link

str

 

alert_provider

str

 

model

str

 

score

int4

 

severity

str

 

created_date_time

timestamp

 

updated_date_time

timestamp

 

impact_scope__desktop_count

int4

 

impact_scope__server_count

int4

 

impact_scope__account_count

int4

 

impact_scope__email_address_count

int4

 

impact_scope__entities

str

 

description

str

 

matched_rules

str

 

indicators__id

int4

 

indicators__type

str

 

indicators__field

str

 

indicators__value

str

 

indicators__related_entities

str

 

indicators__filter_ids

str

 

indicators__provenance

str

 

indicators_found

int4

 

indicators_id

int4

 

devo_pulling_id

str

 

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

xdr.trend_micro.vision_one.audit

Field

Type

Field Transformation

Source field name

Extra fields

Field

Type

Field Transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

hostname

str

 

 

 

logged_date_time

timestamp

 

 

 

logged_user

str

 

 

 

logged_role

str

 

 

 

category

str

 

 

 

activity

str

 

 

 

access_type

str

 

 

 

result

str

 

 

 

devo_pull_request

str

 

 

 

details__ip_addr_str

str

 

 

 

details__ip_addr_ipv4

ip4

ip4(details__ip_addr_str)

details__ip_addr_str

 

details__ip_addr_ipv6

ip6

ip6(details__ip_addr_str)

details__ip_addr_str

 

details__mailbox

str

 

 

 

details__trace_id

str

 

 

 

details__command_id

str

 

 

 

details__action

str

 

 

 

details__group_id

str

 

 

 

details__group_name

str

 

 

 

details__app

str

 

 

 

details__product

str

 

 

 

details__reason

str

 

 

 

details__removed_agents

str

 

 

 

details__target_group

str

 

 

 

details__feature

str

 

 

 

details__affected_child_groups

str

 

 

 

details__parent_group_id

str

 

 

 

details__path

str

 

 

 

details__group_description

str

 

 

 

details__quota

int4

 

 

 

details__role

str

 

 

 

details__from

str

 

 

 

details__to

str

 

 

 

details__user

str

 

 

 

details__status

bool

 

 

 

hostchain

str

 

 

✓

tag

str

 

 

✓

rawMessage

str

 

 

✓

xdr.trend_micro.vision_one.observed_attack_techniques

Field

Type

Extra fields

Field

Type

Extra fields

eventdate

timestamp

 

hostname

str

 

source

str

 

uuid

str

 

detected_date_time

timestamp

 

detail__version

str

 

detail__event_time

timestamp

 

detail__tags

str

 

detail__uuid

str

 

detail__product_code

str

 

detail__package_trace_id

str

 

detail__filter_risk_level

str

 

detail__event_id

str

 

detail__event_sub_id

int4

 

detail__event_hash_id

str

 

detail__first_seen

timestamp

 

detail__last_seen

timestamp

 

detail__endpoint_guid

str

 

detail__endpoint_host_name

str

 

detail__endpoint_ip

str

 

detail__endpoint_mac_address

str

 

detail__timezone

str

 

detail__pname

str

 

detail__pver

str

 

detail__plang

int4

 

detail__pplat

int4

 

detail__os_name

str

 

detail__os_ver

str

 

detail__os_description

str

 

detail__os_type

str

 

detail__process_hash_id

str

 

detail__process_name

str

 

detail__process_pid

int4

 

detail__session_id

int4

 

detail__process_user

str

 

detail__process_user_domain

str

 

detail__process_launch_time

timestamp

 

detail__process_cmd

str

 

detail__auth_id

str

 

detail__integrity_level

int4

 

detail__process_file_hash_id

str

 

detail__process_file_path

str

 

detail__process_file_hash_sha1

str

 

detail__process_file_hash_sha256

str

 

detail__process_file_hash_md5

str

 

detail__process_signer

str

 

detail__process_signer_valid

str

 

detail__process_file_size

str

 

detail__process_file_creation

timestamp

 

detail__process_file_modified_time

timestamp

 

detail__process_true_type

int4

 

detail__parent_hash_id

str

 

detail__parent_name

str

 

detail__parent_pid

int4

 

detail__parent_session_id

int4

 

detail__parent_user

str

 

detail__parent_user_domain

str

 

detail__parent_launch_time

timestamp

 

detail__parent_cmd

str

 

detail__parent_auth_id

str

 

detail__parent_integrity_level

int4

 

detail__parent_file_hash_id

str

 

detail__parent_file_path

str

 

detail__parent_file_hash_sha1

str

 

detail__parent_file_hash_sha256

str

 

detail__parent_file_hash_md5

str

 

detail__parent_signer

str

 

detail__parent_signer_valid

str

 

detail__parent_file_size

str

 

detail__parent_file_creation

timestamp

 

detail__parent_file_modified_time

timestamp

 

detail__parent_true_type

int4

 

detail__object_hash_id

str

 

detail__object_user

str

 

detail__object_user_domain

str

 

detail__object_session_id

str

 

detail__object_file_path

str

 

detail__object_file_hash_sha1

str

 

detail__object_file_hash_sha256

str

 

detail__object_file_hash_md5

str

 

detail__object_signer

str

 

detail__object_signer_valid

str

 

detail__object_file_size

str

 

detail__object_file_creation

timestamp

 

detail__object_file_modified_time

timestamp

 

detail__object_true_type

int4

 

detail__object_name

str

 

detail__object_pid

int4

 

detail__object_launch_time

timestamp

 

detail__object_cmd

str

 

detail__object_auth_id

str

 

detail__object_integrity_level

int4

 

detail__object_file_hash_id

str

 

detail__object_run_as_local_account

bool

 

ingested_date_time

timestamp

 

entity_type

str

 

entity_name

str

 

endpoint__ips

str

 

endpoint__agent_guid

str

 

endpoint__endpoint_name

str

 

filters__id

str

 

filters__name

str

 

filters__description

str

 

filters__highlighted_objects

str

 

filters__mitre_tactic_ids

str

 

filters__mitre_technique_ids

str

 

filters__risk_level

str

 

filters_found

int4

 

filters_id

int4

 

devo_pulling_id

str

 

hostchain

str

✓

tag

str

✓

rawMessage

str

✓