xdr.trend_micro
Introduction
The tags beginning with xdr.trend_micro identify events generated by Trend Micro.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as xdr.trend_micro. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product/Service | Tag | Data table |
---|---|---|
Trend Micro | xdr.trend_micro.vision_one.alerts | xdr.trend_micro.vision_one.alerts |
Trend Micro | xdr.trend_micro.vision_one.audit | xdr.trend_micro.vision_one.audit |
Trend Micro | xdr.trend_micro.vision_one.observed_attack_techniques | xdr.trend_micro.vision_one.observed_attack_techniques |
For more information, read About Devo tags.
Table structure
This is the set of fields displayed by these tables:
xdr.trend_micro.vision_one.alerts
Field | Type | Extra fields |
---|---|---|
eventdate | | |
hostname | | |
schema_version | | |
id | | |
investigation_status | | |
workbench_link | | |
alert_provider | | |
model | | |
score | | |
severity | | |
created_date_time | | |
updated_date_time | | |
impact_scope__desktop_count | | |
impact_scope__server_count | | |
impact_scope__account_count | | |
impact_scope__email_address_count | | |
impact_scope__entities | | |
description | | |
matched_rules | | |
indicators__id | | |
indicators__type | | |
indicators__field | | |
indicators__value | | |
indicators__related_entities | | |
indicators__filter_ids | | |
indicators__provenance | | |
indicators_found | | |
indicators_id | | |
devo_pulling_id | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
xdr.trend_micro.vision_one.audit
Field | Type | Field Transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
logged_date_time | | | | |
logged_user | | | | |
logged_role | | | | |
category | | | | |
activity | | | | |
access_type | | | | |
result | | | | |
devo_pull_request | | | | |
details__ip_addr_str | | | | |
details__ip_addr_ipv4 | | ip4(details__ip_addr_str) | details__ip_addr_str | |
details__ip_addr_ipv6 | | ip6(details__ip_addr_str) | details__ip_addr_str | |
details__mailbox | | | | |
details__trace_id | | | | |
details__command_id | | | | |
details__action | | | | |
details__group_id | | | | |
details__group_name | | | | |
details__app | | | | |
details__product | | | | |
details__reason | | | | |
details__removed_agents | | | | |
details__target_group | | | | |
details__feature | | | | |
details__affected_child_groups | | | | |
details__parent_group_id | | | | |
details__path | | | | |
details__group_description | | | | |
details__quota | | | | |
details__role | | | | |
details__from | | | | |
details__to | | | | |
details__user | | | | |
details__status | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |
xdr.trend_micro.vision_one.observed_attack_techniques
Field | Type | Extra fields |
---|---|---|
eventdate | | |
hostname | | |
source | | |
uuid | | |
detected_date_time | | |
detail__version | | |
detail__event_time | | |
detail__tags | | |
detail__uuid | | |
detail__product_code | | |
detail__package_trace_id | | |
detail__filter_risk_level | | |
detail__event_id | | |
detail__event_sub_id | | |
detail__event_hash_id | | |
detail__first_seen | | |
detail__last_seen | | |
detail__endpoint_guid | | |
detail__endpoint_host_name | | |
detail__endpoint_ip | | |
detail__endpoint_mac_address | | |
detail__timezone | | |
detail__pname | | |
detail__pver | | |
detail__plang | | |
detail__pplat | | |
detail__os_name | | |
detail__os_ver | | |
detail__os_description | | |
detail__os_type | | |
detail__process_hash_id | | |
detail__process_name | | |
detail__process_pid | | |
detail__session_id | | |
detail__process_user | | |
detail__process_user_domain | | |
detail__process_launch_time | | |
detail__process_cmd | | |
detail__auth_id | | |
detail__integrity_level | | |
detail__process_file_hash_id | | |
detail__process_file_path | | |
detail__process_file_hash_sha1 | | |
detail__process_file_hash_sha256 | | |
detail__process_file_hash_md5 | | |
detail__process_signer | | |
detail__process_signer_valid | | |
detail__process_file_size | | |
detail__process_file_creation | | |
detail__process_file_modified_time | | |
detail__process_true_type | | |
detail__parent_hash_id | | |
detail__parent_name | | |
detail__parent_pid | | |
detail__parent_session_id | | |
detail__parent_user | | |
detail__parent_user_domain | | |
detail__parent_launch_time | | |
detail__parent_cmd | | |
detail__parent_auth_id | | |
detail__parent_integrity_level | | |
detail__parent_file_hash_id | | |
detail__parent_file_path | | |
detail__parent_file_hash_sha1 | | |
detail__parent_file_hash_sha256 | | |
detail__parent_file_hash_md5 | | |
detail__parent_signer | | |
detail__parent_signer_valid | | |
detail__parent_file_size | | |
detail__parent_file_creation | | |
detail__parent_file_modified_time | | |
detail__parent_true_type | | |
detail__object_hash_id | | |
detail__object_user | | |
detail__object_user_domain | | |
detail__object_session_id | | |
detail__object_file_path | | |
detail__object_file_hash_sha1 | | |
detail__object_file_hash_sha256 | | |
detail__object_file_hash_md5 | | |
detail__object_signer | | |
detail__object_signer_valid | | |
detail__object_file_size | | |
detail__object_file_creation | | |
detail__object_file_modified_time | | |
detail__object_true_type | | |
detail__object_name | | |
detail__object_pid | | |
detail__object_launch_time | | |
detail__object_cmd | | |
detail__object_auth_id | | |
detail__object_integrity_level | | |
detail__object_file_hash_id | | |
detail__object_run_as_local_account | | |
ingested_date_time | | |
entity_type | | |
entity_name | | |
endpoint__ips | | |
endpoint__agent_guid | | |
endpoint__endpoint_name | | |
filters__id | | |
filters__name | | |
filters__description | | |
filters__highlighted_objects | | |
filters__mitre_tactic_ids | | |
filters__mitre_technique_ids | | |
filters__risk_level | | |
filters_found | | |
filters_id | | |
devo_pulling_id | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |