diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index ea772efe4bc..b568977c389 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -168,6 +168,7 @@ /packages/ti_threatq @elastic/security-external-integrations /packages/tomcat @elastic/security-external-integrations /packages/traefik @elastic/obs-service-integrations +/packages/trend_micro_vision_one @elastic/security-external-integrations /packages/udp @elastic/security-external-integrations /packages/vsphere @elastic/obs-service-integrations /packages/websphere_application_server @elastic/obs-service-integrations diff --git a/packages/trend_micro_vision_one/_dev/build/build.yml b/packages/trend_micro_vision_one/_dev/build/build.yml new file mode 100644 index 00000000000..8d9e4bf7ac8 --- /dev/null +++ b/packages/trend_micro_vision_one/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@v8.4.0 diff --git a/packages/trend_micro_vision_one/_dev/build/docs/README.md b/packages/trend_micro_vision_one/_dev/build/docs/README.md new file mode 100644 index 00000000000..b8b389f5954 --- /dev/null +++ b/packages/trend_micro_vision_one/_dev/build/docs/README.md @@ -0,0 +1,68 @@ +# Trend Micro Vision One + +## Overview + +The [Trend Micro Vision One](https://www.trendmicro.com/en_in/business/products/detection-response.html) integration allows you to monitor Alert, Audit, and Detection activity. Trend Micro Vision One refers to the ability to do detection and response across email, endpoints, servers, cloud workloads, and networks via a single Trend Micro Vision One platform or the managed Trend Micro Vision One service. + +Use the Trend Micro Vision One integration to collects and parses data from the REST APIs. Then visualize that data in Kibana. + +## Data streams + +The Trend Micro Vision One integration collects logs for three types of events: Alert, Audit, and Detection. + +**Alert** Displays information about workbench alerts. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/~1v3.0~1workbench~1alerts/get). + +**Audit** Displays log entries that match the specified search criteria. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Audit-Logs). + +**Detection** Displays search results from the Detection Data source. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1detections/get). + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your hardware. + +This module has been tested against `Trend Micro Vision One API version 3.0`. + +**Note:** The authentication token generated by a user expires one year after being generated. + +## Setup + +### To collect data from Trend Micro Vision One APIs, the user must have API Token. To create an API token follow the below steps: + +1. Log on to the Trend Micro Vision One console. +2. Go to **Administration -> User Accounts**. +![Trend Micro Vision One console](../img/trend-micro-vision-one-console.png) +3. Click on the account name having appropriate API access permission to generate an API token. +![Trend Micro Vision One generate API token ](../img/trend-micro-vision-one-api-token-generate.png) +4. Copy the Authentication token. + +## Logs Reference + +### alert + +This is the `alert` dataset. + +#### Example + +{{event "alert"}} + +{{fields "alert"}} + +### audit + +This is the `audit` dataset. + +#### Example + +{{event "audit"}} + +{{fields "audit"}} + +### detection + +This is the `detection` dataset. + +#### Example + +{{event "detection"}} + +{{fields "detection"}} diff --git a/packages/trend_micro_vision_one/_dev/deploy/docker/docker-compose.yml b/packages/trend_micro_vision_one/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..1fb2d8d880a --- /dev/null +++ b/packages/trend_micro_vision_one/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,15 @@ +version: '2.3' +services: + trend_micro_vision_one: + image: docker.elastic.co/observability/stream:v0.8.0 + hostname: trend_micro_vision_one + ports: + - 8080 + volumes: + - ./files:/files:ro + environment: + PORT: '8080' + command: + - http-server + - --addr=:8080 + - --config=/files/config.yml diff --git a/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml b/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml new file mode 100644 index 00000000000..6570e38b9e2 --- /dev/null +++ b/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml @@ -0,0 +1,19 @@ +rules: + - path: /v3.0/workbench/alerts + methods: ['GET'] + responses: + - status_code: 200 + body: | + {"totalCount":100,"count":10,"items":[{"schemaVersion":"1.0","id":"WB-9002-20200427-0002","investigationStatus":"New","workbenchLink":"https://THE_WORKBENCH_URL","alertProvider":"SAE","model":"Possible APT Attack","score":63,"severity":"critical","impactScope":{"desktopCount":0,"serverCount":0,"accountCount":0,"emailAddressCount":0,"entities":[{"entityType":"host","entityValue":"user@email.com","entityId":"5257b401-2fd7-469c-94fa-39a4f11eb925","relatedEntities":["CODERED\\\\user"],"relatedIndicatorIds":[1],"provenance":["Alert"]}]},"createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2030-04-30T00:01:16Z","description":"A backdoor was possibly implanted after a user received a possible spear phishing email message.","indicators":[{"id":1,"type":"url","field":"request url","value":"http://www.example.com/ab001.zip","relatedEntities":["user@example.com"],"provenance":["Alert"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]}],"matchedRules":[{"id":"5f52d1f1-53e7-411a-b74f-745ee81fa30b","name":"Possible SpearPhishing Email","matchedFilters":[{"id":"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e","name":"(T1192) Spearphishing Link","matchedDateTime":"2019-08-02T04:00:01Z","mitreTechniqueIds":["T1192"],"matchedEvents":[{"uuid":"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5","matchedDateTime":"2019-08-02T04:00:01Z","type":"TELEMETRY_REGISTRY"}]}]}]}],"nextLink":"https://api.xdr.trendmicro.com/v3.0/workbench/alerts?skipToken=MTA=&orderBy=score%20desc"} + - path: /v3.0/audit/logs + methods: ['GET'] + responses: + - status_code: 200 + body: | + {"items":[{"loggedDateTime":"2022-02-24T07:29:48Z","loggedUser":"Root Account","loggedRole":"Master Administrator","accessType":"Console","category":"Logon and Logoff","activity":"string","result":"Unsuccessful","details":{"property1":"string","property2":"string"}}],"nextLink":"https://api.xdr.trendmicro.com/v3.0/audit/logs?skipToken=","labels":{"property1":"string","property2":"string"}} + - path: /v3.0/search/detections + methods: ['GET'] + responses: + - status_code: 200 + body: | + {"nextLink":"https://api.xdr.trendmicro.com/v3.0/endpointActivities?...&skipToken=ewogICJvdXRlcl9zbGl...","progressRate":30,"items":[{"act":"Clean","actResult":"Quarantined successfully","app":"HTTP","appGroup":"HTTP","aptRelated":"0","behaviorCat":"Grey-Detection","blocking":"Web reputation","cat":50,"cccaDetection":"Yes","cccaDetectionSource":"GLOBAL_INTELLIGENCE","cccaRiskLevel":3,"clientFlag":"dst","cnt":"1","component":["PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00"],"compressedFileSize":"0","detectionType":"File","deviceDirection":"outbound","deviceGUID":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","deviceProcessName":"/snap/core/10126/usr/lib/snapd/snapd","deviceMacAddress":"00-00-5E-00-53-23","dhost":"samplehost","domainName":"Workgroup","dpt":53,"dst":["81.2.69.142"],"dstGroup":"Default","end":"2021-09-30T09:40:04-08:00","endpointGUID":"1234-1234-1234","endpointHostName":"abc-docker","endpointIp":["81.2.69.142"],"endpointMacAddress":"00-00-5E-00-53-23","engType":"Virus Scan Engine (OS 2003, x64)","engVer":"12.500.1004","eventId":"100117","eventName":"INTEGRITY_MONITORING_EVENT","eventSubName":"Attack Discovery","eventTime":1602724592000,"eventTimeDT":"2021-06-10T01:38:38+00:00","fileHash":"3395856ce81f2b7382dee72602f798b642f14140","fileName":["Unconfirmed 145081.crdownload"],"fileOperation":"Deleted","filePath":"/etc/systemd/system","filePathName":"/etc/systemd/system/snap-xxxx-1246.xxxx","fileSize":"0","firstAct":"Clean","firstActResult":"Unable to clean file","fullPath":"C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 145081.crdownload","hostName":"samplehost","httpReferer":"http://www.example.com/","interestedHost":"abc-docker","interestedIp":["81.2.69.192"],"interestedMacAddress":"00-00-5E-00-53-23","malName":"Eicar_test_1","malType":"Virus/Malware","mDevice":["81.2.69.192"],"mDeviceGUID":"C5B09EDD-C725-907F-29D9-B8C30D18C48F","mitreMapping":["T1090 (TA0005)"],"mitreVersion":"v6","mpname":"Cloud One - Workload Security","mpver":"Deep Security/20.0.222","objectCmd":["C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe --profile-directory=Default"],"objectFileHashMd5":"761AEFF7E6B110970285B9C20C9E1DCA","objectFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","objectFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","objectFileName":"Unconfirmed 142899.crdownload:SmartScreen","objectFilePath":"C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 142899.crdownload:SmartScreen","objectName":"CloudEndpointService.exe","objectPid":7660,"objectSigner":["OS"],"parentCmd":"C:\\\\os\\\\system32\\\\svchost.exe -k DcomLaunch -p","parentFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","parentFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","parentFilePath":"C:\\\\os\\\\System32\\\\svchost.exe","peerHost":"samplehost","peerIp":["81.2.69.192"],"pname":"Apex One","processCmd":"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca","processFileHashMd5":"761AEFF7E6B110970285B9C20C9E1DCA","processFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","processFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","processFilePath":"C:\\\\Program Files (x86)\\\\os\\\\Application\\\\msedge.exe","processName":"string","processPid":0,"processSigner":"OS Publisher","productCode":"sao","pver":"20.0.0.877","request":"https://example.com","requestClientApplication":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1","rt":"2020-10-15T01:16:32.000Z","rt_utc":"2020-10-15T01:16:32.000Z","searchDL":"DDL","spt":58871,"src":"81.2.69.192","srcGroup":"Default","tacticId":["TA0005"],"tags":["XSAE.F2140","XSAE.F3066"],"threatName":"Malicious_identified_CnC_querying_on_UDP_detected","uuid":"1234-1234-1234"}]} diff --git a/packages/trend_micro_vision_one/changelog.yml b/packages/trend_micro_vision_one/changelog.yml new file mode 100644 index 00000000000..a4f25398761 --- /dev/null +++ b/packages/trend_micro_vision_one/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: '0.1.0' + changes: + - description: Initial Release. + type: enhancement + link: https://github.com/elastic/integrations/pull/3963 diff --git a/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..be41bb0d476 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,4 @@ +fields: + tags: + - preserve_original_event + - preserve_duplicate_custom_fields diff --git a/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log new file mode 100644 index 00000000000..18719bf581c --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log @@ -0,0 +1,4 @@ +{"schemaVersion":"1.0","id":"WB-9002-20200427-0002","investigationStatus":"In Progress","workbenchLink":"https://THE_WORKBENCH_URL","alertProvider":"SAE","model":"Possible APT Attack","description":"Suspicious email followed by a possible backdoor implantation","score":63,"severity":"critical","createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2030-04-30T00:01:16Z","impactScope":{"desktopCount":10,"serverCount":0,"accountCount":1,"emailAddressCount":0,"entities":[{"entityType":"emailAddress","entityValue":"loki@jaguartm.onmicrosoft.com","entityId":"loki@jaguartm.onmicrosoft.com","relatedEntities":["CODERED\\\\loki"],"relatedIndicatorIds":[1]}]},"indicators":[{"id":1,"type":"url","field":"url","value":"http://www.DVftYKDtEi.com/ds7002.zip","relatedEntities":["loki@jaguartm.onmicrosoft.com"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]},{"id":2,"type":"url","field":"url","value":"http://www.DVftYKDtEi.com/ds7555.zip","relatedEntities":["loki@jaguartm.onmicrosoft.com"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]}],"matchedRules":[{"id":"5f52d1f1-53e7-411a-b74f-745ee81fa30b","name":"Possible SpearPhishing Email","matchedFilters":[{"id":"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e","name":"(T1192) Spearphishing Link","matchedDateTime":"2019-08-02T04:00:01Z","mitreTechniqueIds":["T1192"],"matchedEvents":[{"uuid":"123abc-123abc-123abc","matchedDateTime":"2019-08-02T04:00:01Z"}]}]}]} +{"schemaVersion":"1.1","id":"WB-9002-20200427-0002","investigationStatus":"In Progress","workbenchLink":"https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002","alertProvider":"TI","model":"Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole","campaign":"Soula","industry":null,"regionAndCountry":"eastern-asia/Korea (the Republic of)","createdBy":"Trend Micro Research","totalIndicatorCount":6,"matchedIndicatorCount":2,"reportLink":"https://THE_WORKBENCH_URL","score":63,"severity":"critical","createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2030-04-30T00:01:16Z","impactScope":{"desktopCount":10,"serverCount":0,"accountCount":1,"emailAddressCount":0,"entities":[{"entityType":"host","entityValue":{"name":"CODERED\\\\bonus-PC","ips":["89.160.20.128","89.160.20.112"],"guid":"5257b401-2fd7-469c-94fa-39a4f11eb925"},"entityId":"5257b401-2fd7-469c-94fa-39a4f11eb925","relatedEntities":["4257b401-2fd7-469c-94fa-39a4f11eb925"],"relatedIndicatorIds":[1]}]},"indicators":[{"id":1,"type":"url","fields":[["objectField-ip","objectField-ip"]],"value":"http://www.DVftYKDtEi.com/ds7002.zip","relatedEntities":["5257b401-2fd7-469c-94fa-39a4f11eb925","5257b401-2fd7-469c-94fa-39a4f11eb925"],"matchedIndicatorPatternIds":["74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d"],"firstSeenDateTimes":["2020-04-30T00:01:15Z","2020-04-30T00:01:15Z"],"lastSeenDateTimes":["2019-06-14T18:25:55Z","2019-06-14T18:25:55Z"]}],"matchedIndicatorPatterns":[{"id":"74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d","pattern":"[network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'oauth20.xyz']","tags":["STIX2.malicious-activity"],"matchedLogs":["Lengthy log string"]}]} +{"schemaVersion":"1.11","id":"WB-123-123-00001","investigationStatus":"New","workbenchLink":"https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002","alertProvider":"SAE","model":"Credential Dumping via Mimikatz","score":64,"severity":"high","createdDateTime":"2022-07-08T07:16:08Z","updatedDateTime":"2022-07-15T12:46:13Z","impactScope":{"desktopCount":1,"serverCount":0,"accountCount":1,"emailAddressCount":0,"entities":[{"entityType":"account","entityValue":"desktop-example\\dummy","entityId":"desktop-example\\dummy","relatedEntities":["ABC-123-ABC-123-ABC-123"],"relatedIndicatorIds":[]},{"entityType":"host","entityValue":{"guid":"ABC-123-123-ABC","name":"desktop-EXAMPLE","ips":["81.2.69.192"]},"entityId":"ABC-123-123-ABC","relatedEntities":["desktop-example\\dummy"],"relatedIndicatorIds":[1,2,3,4,5,6,7,8,9,10,11,12]}]},"description":"A user obtained account logon information that can be used to access remote systems via Mimikatz.","matchedRules":[{"id":"123123-456456-789789","name":"Potential Credential Dumping via Mimikatz","matchedFilters":[{"id":"123-456-789","name":"Possible Credential Dumping via Mimikatz","matchedDateTime":"2022-07-08T07:06:35.113Z","mitreTechniqueIds":["V9.T1123.001","V9.T1124.002","V9.T1125"],"matchedEvents":[{"uuid":"123-456-789","matchedDateTime":"2022-07-08T07:06:35.113Z"},{"uuid":"abcd-abcd-abcd","matchedDateTime":"2022-07-08T07:14:06.159Z"}]},{"id":"abcd-abcd-1234-1234","name":"Possible Credential Dumping via Mimikatz","matchedDateTime":"2022-07-08T07:14:06.159Z","mitreTechniqueIds":["V9.T1123.001","V9.T1124.002","V9.T1125"],"matchedEvents":[{"uuid":"1234-1234-1234","matchedDateTime":"2022-07-08T07:06:35.113Z"},{"uuid":"abcd-abcd-abcd","matchedDateTime":"2022-07-08T07:14:06.159Z"}]}]}],"indicators":[{"id":1,"type":"command_line","field":"objectCmd","value":"\"example\" ","relatedEntities":["ABC-ABC-123-123"],"filterIds":["ABC-ABC-123-123"]},{"id":2,"type":"command_line","field":"processCmd","value":"example","relatedEntities":["ABC-ABC-ABC"],"filterIds":["abc-abc-abc-123-123"]},{"id":3,"type":"command_line","field":"objectCmd","value":"\"example","relatedEntities":["ABC-ABC-ABC"],"filterIds":["abcd-abcd-abcd"]},{"id":4,"type":"command_line","field":"processCmd","value":"example","relatedEntities":["ABCD-ABCD-ABCD"],"filterIds":["abcd-123-abcd-123"]},{"id":5,"type":"file_sha1","field":"objectFileHashSha1","value":"H1E2L3L4O5","relatedEntities":["ABCDE1ABCDE2"],"filterIds":["abcd-1234-abcd-1234"]},{"id":6,"type":"file_sha1","field":"objectFileHashSha1","value":"H1E2L3L4O5","relatedEntities":["ABCDE-12345-ABCDE-12345"],"filterIds":["abcd-1234-abcd-1234"]},{"id":7,"type":"fullpath","field":"objectFilePath","value":"example","relatedEntities":["ABCDE-12345-ABCDE-12345"],"filterIds":["abcde-12345-abcde-12345"]},{"id":8,"type":"fullpath","field":"processFilePath","value":"example","relatedEntities":["ABCDE-12345-ABCDE-12345"],"filterIds":["abcde-1234-abcde-1234"]},{"id":9,"type":"fullpath","field":"objectFilePath","value":"example","relatedEntities":["ABCDE-12345-ABCDE-12345"],"filterIds":["abcd-1234-abcd-1234"]},{"id":10,"type":"fullpath","field":"processFilePath","value":"example","relatedEntities":["ABCDE-1234-ABCDE-1234"],"filterIds":["abcde-1234-abcd-1234"]}]} +{"schemaVersion":"1.0","id":"WB-9002-20200427-0002","investigationStatus":"New","workbenchLink":"https://THE_WORKBENCH_URL","alertProvider":"SAE","model":"Possible APT Attack","score":63,"severity":"critical","impactScope":{"desktopCount":0,"serverCount":0,"accountCount":0,"emailAddressCount":0,"entities":[{"entityType":"host","entityValue":"loki@jaguartm.onmicrosoft.com","entityId":"5257b401-2fd7-469c-94fa-39a4f11eb925","relatedEntities":["CODERED\\\\loki"],"relatedIndicatorIds":[1],"provenance":["Alert"]}]},"createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2030-04-30T00:01:16Z","description":"A backdoor was possibly implanted after a user received a possible spear phishing email message.","indicators":[{"id":1,"type":"url","field":"request url","value":"http://www.DVftYKDtEi.com/ds7002.zip","relatedEntities":["loki@jaguartm.onmicrosoft.com"],"provenance":["Alert"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]}],"matchedRules":[{"id":"5f52d1f1-53e7-411a-b74f-745ee81fa30b","name":"Possible SpearPhishing Email","matchedFilters":[{"id":"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e","name":"(T1192) Spearphishing Link","matchedDateTime":"2019-08-02T04:00:01Z","mitreTechniqueIds":["T1192"],"matchedEvents":[{"uuid":"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5","matchedDateTime":"2019-08-02T04:00:01Z","type":"TELEMETRY_REGISTRY"}]}]}]} diff --git a/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json new file mode 100644 index 00000000000..dc09cd74fb9 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json @@ -0,0 +1,612 @@ +{ + "expected": [ + { + "@timestamp": "2030-04-30T00:01:16.000Z", + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "email" + ], + "id": "WB-9002-20200427-0002", + "kind": "alert", + "original": "{\"schemaVersion\":\"1.0\",\"id\":\"WB-9002-20200427-0002\",\"investigationStatus\":\"In Progress\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\",\"alertProvider\":\"SAE\",\"model\":\"Possible APT Attack\",\"description\":\"Suspicious email followed by a possible backdoor implantation\",\"score\":63,\"severity\":\"critical\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"impactScope\":{\"desktopCount\":10,\"serverCount\":0,\"accountCount\":1,\"emailAddressCount\":0,\"entities\":[{\"entityType\":\"emailAddress\",\"entityValue\":\"loki@jaguartm.onmicrosoft.com\",\"entityId\":\"loki@jaguartm.onmicrosoft.com\",\"relatedEntities\":[\"CODERED\\\\\\\\loki\"],\"relatedIndicatorIds\":[1]}]},\"indicators\":[{\"id\":1,\"type\":\"url\",\"field\":\"url\",\"value\":\"http://www.DVftYKDtEi.com/ds7002.zip\",\"relatedEntities\":[\"loki@jaguartm.onmicrosoft.com\"],\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"]},{\"id\":2,\"type\":\"url\",\"field\":\"url\",\"value\":\"http://www.DVftYKDtEi.com/ds7555.zip\",\"relatedEntities\":[\"loki@jaguartm.onmicrosoft.com\"],\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"]}],\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"name\":\"Possible SpearPhishing Email\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"name\":\"(T1192) Spearphishing Link\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"mitreTechniqueIds\":[\"T1192\"],\"matchedEvents\":[{\"uuid\":\"123abc-123abc-123abc\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\"}]}]}]}", + "severity": 63, + "type": [ + "info" + ] + }, + "log": { + "level": "critical" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "alert": { + "alert_provider": "SAE", + "created_date": "2020-04-30T00:01:15.000Z", + "description": "Suspicious email followed by a possible backdoor implantation", + "id": "WB-9002-20200427-0002", + "impact_scope": { + "account_count": 1, + "desktop_count": 10, + "email_address_count": 0, + "entities": [ + { + "id": "loki@jaguartm.onmicrosoft.com", + "related_entities": [ + "CODERED\\\\loki" + ], + "related_indicator_id": [ + 1 + ], + "type": "emailAddress", + "value": { + "account_value": "loki@jaguartm.onmicrosoft.com" + } + } + ], + "server_count": 0 + }, + "indicators": [ + { + "field": "url", + "filter_id": [ + "f862df72-7f5e-4b2b-9f7f-9148e875f908" + ], + "id": 1, + "related_entities": [ + "loki@jaguartm.onmicrosoft.com" + ], + "type": "url", + "value": "http://www.DVftYKDtEi.com/ds7002.zip" + }, + { + "field": "url", + "filter_id": [ + "f862df72-7f5e-4b2b-9f7f-9148e875f908" + ], + "id": 2, + "related_entities": [ + "loki@jaguartm.onmicrosoft.com" + ], + "type": "url", + "value": "http://www.DVftYKDtEi.com/ds7555.zip" + } + ], + "investigation_status": "In Progress", + "matched_rule": [ + { + "filter": [ + { + "date": "2019-08-02T04:00:01.000Z", + "events": [ + { + "date": "2019-08-02T04:00:01.000Z", + "uuid": "123abc-123abc-123abc" + } + ], + "id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e", + "mitre_technique_id": [ + "T1192" + ], + "name": "(T1192) Spearphishing Link" + } + ], + "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b", + "name": "Possible SpearPhishing Email" + } + ], + "model": "Possible APT Attack", + "schema_version": "1.0", + "score": 63, + "severity": "critical", + "workbench_link": "https://THE_WORKBENCH_URL" + } + }, + "url": { + "original": "https://THE_WORKBENCH_URL", + "scheme": "https" + } + }, + { + "@timestamp": "2030-04-30T00:01:16.000Z", + "ecs": { + "version": "8.4.0" + }, + "event": { + "id": "WB-9002-20200427-0002", + "kind": "alert", + "original": "{\"schemaVersion\":\"1.1\",\"id\":\"WB-9002-20200427-0002\",\"investigationStatus\":\"In Progress\",\"workbenchLink\":\"https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002\",\"alertProvider\":\"TI\",\"model\":\"Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole\",\"campaign\":\"Soula\",\"industry\":null,\"regionAndCountry\":\"eastern-asia/Korea (the Republic of)\",\"createdBy\":\"Trend Micro Research\",\"totalIndicatorCount\":6,\"matchedIndicatorCount\":2,\"reportLink\":\"https://THE_WORKBENCH_URL\",\"score\":63,\"severity\":\"critical\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"impactScope\":{\"desktopCount\":10,\"serverCount\":0,\"accountCount\":1,\"emailAddressCount\":0,\"entities\":[{\"entityType\":\"host\",\"entityValue\":{\"name\":\"CODERED\\\\\\\\bonus-PC\",\"ips\":[\"89.160.20.128\",\"89.160.20.112\"],\"guid\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\"},\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"relatedEntities\":[\"4257b401-2fd7-469c-94fa-39a4f11eb925\"],\"relatedIndicatorIds\":[1]}]},\"indicators\":[{\"id\":1,\"type\":\"url\",\"fields\":[[\"objectField-ip\",\"objectField-ip\"]],\"value\":\"http://www.DVftYKDtEi.com/ds7002.zip\",\"relatedEntities\":[\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"5257b401-2fd7-469c-94fa-39a4f11eb925\"],\"matchedIndicatorPatternIds\":[\"74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d\"],\"firstSeenDateTimes\":[\"2020-04-30T00:01:15Z\",\"2020-04-30T00:01:15Z\"],\"lastSeenDateTimes\":[\"2019-06-14T18:25:55Z\",\"2019-06-14T18:25:55Z\"]}],\"matchedIndicatorPatterns\":[{\"id\":\"74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d\",\"pattern\":\"[network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'oauth20.xyz']\",\"tags\":[\"STIX2.malicious-activity\"],\"matchedLogs\":[\"Lengthy log string\"]}]}", + "severity": 63 + }, + "log": { + "level": "critical" + }, + "related": { + "ip": [ + "89.160.20.128", + "89.160.20.112" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "alert": { + "alert_provider": "TI", + "campaign": "Soula", + "created_by": "Trend Micro Research", + "created_date": "2020-04-30T00:01:15.000Z", + "id": "WB-9002-20200427-0002", + "impact_scope": { + "account_count": 1, + "desktop_count": 10, + "email_address_count": 0, + "entities": [ + { + "id": "5257b401-2fd7-469c-94fa-39a4f11eb925", + "related_entities": [ + "4257b401-2fd7-469c-94fa-39a4f11eb925" + ], + "related_indicator_id": [ + 1 + ], + "type": "host", + "value": { + "guid": "5257b401-2fd7-469c-94fa-39a4f11eb925", + "ips": [ + "89.160.20.128", + "89.160.20.112" + ], + "name": "CODERED\\\\bonus-PC" + } + } + ], + "server_count": 0 + }, + "indicators": [ + { + "fields": [ + [ + "objectField-ip", + "objectField-ip" + ] + ], + "first_seen_date": [ + "2020-04-30T00:01:15.000Z", + "2020-04-30T00:01:15.000Z" + ], + "id": 1, + "last_seen_date": [ + "2019-06-14T18:25:55.000Z", + "2019-06-14T18:25:55.000Z" + ], + "matched_indicator": { + "pattern_id": [ + "74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d" + ] + }, + "related_entities": [ + "5257b401-2fd7-469c-94fa-39a4f11eb925", + "5257b401-2fd7-469c-94fa-39a4f11eb925" + ], + "type": "url", + "value": "http://www.DVftYKDtEi.com/ds7002.zip" + } + ], + "investigation_status": "In Progress", + "matched_indicator_count": 2, + "matched_indicators_pattern": [ + { + "id": "74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d", + "matched_log": [ + "Lengthy log string" + ], + "pattern": "[network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'oauth20.xyz']", + "tags": [ + "STIX2.malicious-activity" + ] + } + ], + "model": "Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole", + "region_and_country": "eastern-asia/Korea (the Republic of)", + "report_link": "https://THE_WORKBENCH_URL", + "schema_version": "1.1", + "score": 63, + "severity": "critical", + "total_indicator_count": 6, + "workbench_link": "https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002" + } + }, + "url": { + "domain": "portal-int.visionone.trendmicro.com", + "extension": "html", + "fragment": "/workbench?workbenchId=WB-9002-20200427-0002", + "original": "https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002", + "path": "/index.html", + "scheme": "https" + } + }, + { + "@timestamp": "2022-07-15T12:46:13.000Z", + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "host", + "authentication" + ], + "id": "WB-123-123-00001", + "kind": "alert", + "original": "{\"schemaVersion\":\"1.11\",\"id\":\"WB-123-123-00001\",\"investigationStatus\":\"New\",\"workbenchLink\":\"https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002\",\"alertProvider\":\"SAE\",\"model\":\"Credential Dumping via Mimikatz\",\"score\":64,\"severity\":\"high\",\"createdDateTime\":\"2022-07-08T07:16:08Z\",\"updatedDateTime\":\"2022-07-15T12:46:13Z\",\"impactScope\":{\"desktopCount\":1,\"serverCount\":0,\"accountCount\":1,\"emailAddressCount\":0,\"entities\":[{\"entityType\":\"account\",\"entityValue\":\"desktop-example\\\\dummy\",\"entityId\":\"desktop-example\\\\dummy\",\"relatedEntities\":[\"ABC-123-ABC-123-ABC-123\"],\"relatedIndicatorIds\":[]},{\"entityType\":\"host\",\"entityValue\":{\"guid\":\"ABC-123-123-ABC\",\"name\":\"desktop-EXAMPLE\",\"ips\":[\"81.2.69.192\"]},\"entityId\":\"ABC-123-123-ABC\",\"relatedEntities\":[\"desktop-example\\\\dummy\"],\"relatedIndicatorIds\":[1,2,3,4,5,6,7,8,9,10,11,12]}]},\"description\":\"A user obtained account logon information that can be used to access remote systems via Mimikatz.\",\"matchedRules\":[{\"id\":\"123123-456456-789789\",\"name\":\"Potential Credential Dumping via Mimikatz\",\"matchedFilters\":[{\"id\":\"123-456-789\",\"name\":\"Possible Credential Dumping via Mimikatz\",\"matchedDateTime\":\"2022-07-08T07:06:35.113Z\",\"mitreTechniqueIds\":[\"V9.T1123.001\",\"V9.T1124.002\",\"V9.T1125\"],\"matchedEvents\":[{\"uuid\":\"123-456-789\",\"matchedDateTime\":\"2022-07-08T07:06:35.113Z\"},{\"uuid\":\"abcd-abcd-abcd\",\"matchedDateTime\":\"2022-07-08T07:14:06.159Z\"}]},{\"id\":\"abcd-abcd-1234-1234\",\"name\":\"Possible Credential Dumping via Mimikatz\",\"matchedDateTime\":\"2022-07-08T07:14:06.159Z\",\"mitreTechniqueIds\":[\"V9.T1123.001\",\"V9.T1124.002\",\"V9.T1125\"],\"matchedEvents\":[{\"uuid\":\"1234-1234-1234\",\"matchedDateTime\":\"2022-07-08T07:06:35.113Z\"},{\"uuid\":\"abcd-abcd-abcd\",\"matchedDateTime\":\"2022-07-08T07:14:06.159Z\"}]}]}],\"indicators\":[{\"id\":1,\"type\":\"command_line\",\"field\":\"objectCmd\",\"value\":\"\\\"example\\\" \",\"relatedEntities\":[\"ABC-ABC-123-123\"],\"filterIds\":[\"ABC-ABC-123-123\"]},{\"id\":2,\"type\":\"command_line\",\"field\":\"processCmd\",\"value\":\"example\",\"relatedEntities\":[\"ABC-ABC-ABC\"],\"filterIds\":[\"abc-abc-abc-123-123\"]},{\"id\":3,\"type\":\"command_line\",\"field\":\"objectCmd\",\"value\":\"\\\"example\",\"relatedEntities\":[\"ABC-ABC-ABC\"],\"filterIds\":[\"abcd-abcd-abcd\"]},{\"id\":4,\"type\":\"command_line\",\"field\":\"processCmd\",\"value\":\"example\",\"relatedEntities\":[\"ABCD-ABCD-ABCD\"],\"filterIds\":[\"abcd-123-abcd-123\"]},{\"id\":5,\"type\":\"file_sha1\",\"field\":\"objectFileHashSha1\",\"value\":\"H1E2L3L4O5\",\"relatedEntities\":[\"ABCDE1ABCDE2\"],\"filterIds\":[\"abcd-1234-abcd-1234\"]},{\"id\":6,\"type\":\"file_sha1\",\"field\":\"objectFileHashSha1\",\"value\":\"H1E2L3L4O5\",\"relatedEntities\":[\"ABCDE-12345-ABCDE-12345\"],\"filterIds\":[\"abcd-1234-abcd-1234\"]},{\"id\":7,\"type\":\"fullpath\",\"field\":\"objectFilePath\",\"value\":\"example\",\"relatedEntities\":[\"ABCDE-12345-ABCDE-12345\"],\"filterIds\":[\"abcde-12345-abcde-12345\"]},{\"id\":8,\"type\":\"fullpath\",\"field\":\"processFilePath\",\"value\":\"example\",\"relatedEntities\":[\"ABCDE-12345-ABCDE-12345\"],\"filterIds\":[\"abcde-1234-abcde-1234\"]},{\"id\":9,\"type\":\"fullpath\",\"field\":\"objectFilePath\",\"value\":\"example\",\"relatedEntities\":[\"ABCDE-12345-ABCDE-12345\"],\"filterIds\":[\"abcd-1234-abcd-1234\"]},{\"id\":10,\"type\":\"fullpath\",\"field\":\"processFilePath\",\"value\":\"example\",\"relatedEntities\":[\"ABCDE-1234-ABCDE-1234\"],\"filterIds\":[\"abcde-1234-abcd-1234\"]}]}", + "severity": 64, + "type": [ + "info" + ] + }, + "log": { + "level": "high" + }, + "related": { + "ip": [ + "81.2.69.192" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "alert": { + "alert_provider": "SAE", + "created_date": "2022-07-08T07:16:08.000Z", + "description": "A user obtained account logon information that can be used to access remote systems via Mimikatz.", + "id": "WB-123-123-00001", + "impact_scope": { + "account_count": 1, + "desktop_count": 1, + "email_address_count": 0, + "entities": [ + { + "id": "desktop-example\\dummy", + "related_entities": [ + "ABC-123-ABC-123-ABC-123" + ], + "type": "account", + "value": { + "account_value": "desktop-example\\dummy" + } + }, + { + "id": "ABC-123-123-ABC", + "related_entities": [ + "desktop-example\\dummy" + ], + "related_indicator_id": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12 + ], + "type": "host", + "value": { + "guid": "ABC-123-123-ABC", + "ips": [ + "81.2.69.192" + ], + "name": "desktop-EXAMPLE" + } + } + ], + "server_count": 0 + }, + "indicators": [ + { + "field": "objectCmd", + "filter_id": [ + "ABC-ABC-123-123" + ], + "id": 1, + "related_entities": [ + "ABC-ABC-123-123" + ], + "type": "command_line", + "value": "\"example\" " + }, + { + "field": "processCmd", + "filter_id": [ + "abc-abc-abc-123-123" + ], + "id": 2, + "related_entities": [ + "ABC-ABC-ABC" + ], + "type": "command_line", + "value": "example" + }, + { + "field": "objectCmd", + "filter_id": [ + "abcd-abcd-abcd" + ], + "id": 3, + "related_entities": [ + "ABC-ABC-ABC" + ], + "type": "command_line", + "value": "\"example" + }, + { + "field": "processCmd", + "filter_id": [ + "abcd-123-abcd-123" + ], + "id": 4, + "related_entities": [ + "ABCD-ABCD-ABCD" + ], + "type": "command_line", + "value": "example" + }, + { + "field": "objectFileHashSha1", + "filter_id": [ + "abcd-1234-abcd-1234" + ], + "id": 5, + "related_entities": [ + "ABCDE1ABCDE2" + ], + "type": "file_sha1", + "value": "H1E2L3L4O5" + }, + { + "field": "objectFileHashSha1", + "filter_id": [ + "abcd-1234-abcd-1234" + ], + "id": 6, + "related_entities": [ + "ABCDE-12345-ABCDE-12345" + ], + "type": "file_sha1", + "value": "H1E2L3L4O5" + }, + { + "field": "objectFilePath", + "filter_id": [ + "abcde-12345-abcde-12345" + ], + "id": 7, + "related_entities": [ + "ABCDE-12345-ABCDE-12345" + ], + "type": "fullpath", + "value": "example" + }, + { + "field": "processFilePath", + "filter_id": [ + "abcde-1234-abcde-1234" + ], + "id": 8, + "related_entities": [ + "ABCDE-12345-ABCDE-12345" + ], + "type": "fullpath", + "value": "example" + }, + { + "field": "objectFilePath", + "filter_id": [ + "abcd-1234-abcd-1234" + ], + "id": 9, + "related_entities": [ + "ABCDE-12345-ABCDE-12345" + ], + "type": "fullpath", + "value": "example" + }, + { + "field": "processFilePath", + "filter_id": [ + "abcde-1234-abcd-1234" + ], + "id": 10, + "related_entities": [ + "ABCDE-1234-ABCDE-1234" + ], + "type": "fullpath", + "value": "example" + } + ], + "investigation_status": "New", + "matched_rule": [ + { + "filter": [ + { + "date": "2022-07-08T07:06:35.113Z", + "events": [ + { + "date": "2022-07-08T07:06:35.113Z", + "uuid": "123-456-789" + }, + { + "date": "2022-07-08T07:14:06.159Z", + "uuid": "abcd-abcd-abcd" + } + ], + "id": "123-456-789", + "mitre_technique_id": [ + "V9.T1123.001", + "V9.T1124.002", + "V9.T1125" + ], + "name": "Possible Credential Dumping via Mimikatz" + }, + { + "date": "2022-07-08T07:14:06.159Z", + "events": [ + { + "date": "2022-07-08T07:06:35.113Z", + "uuid": "1234-1234-1234" + }, + { + "date": "2022-07-08T07:14:06.159Z", + "uuid": "abcd-abcd-abcd" + } + ], + "id": "abcd-abcd-1234-1234", + "mitre_technique_id": [ + "V9.T1123.001", + "V9.T1124.002", + "V9.T1125" + ], + "name": "Possible Credential Dumping via Mimikatz" + } + ], + "id": "123123-456456-789789", + "name": "Potential Credential Dumping via Mimikatz" + } + ], + "model": "Credential Dumping via Mimikatz", + "schema_version": "1.11", + "score": 64, + "severity": "high", + "workbench_link": "https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002" + } + }, + "url": { + "domain": "portal-int.visionone.trendmicro.com", + "extension": "html", + "fragment": "/workbench?workbenchId=WB-9002-20200427-0002", + "original": "https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002", + "path": "/index.html", + "scheme": "https" + } + }, + { + "@timestamp": "2030-04-30T00:01:16.000Z", + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "email" + ], + "id": "WB-9002-20200427-0002", + "kind": "alert", + "original": "{\"schemaVersion\":\"1.0\",\"id\":\"WB-9002-20200427-0002\",\"investigationStatus\":\"New\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\",\"alertProvider\":\"SAE\",\"model\":\"Possible APT Attack\",\"score\":63,\"severity\":\"critical\",\"impactScope\":{\"desktopCount\":0,\"serverCount\":0,\"accountCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityType\":\"host\",\"entityValue\":\"loki@jaguartm.onmicrosoft.com\",\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"relatedEntities\":[\"CODERED\\\\\\\\loki\"],\"relatedIndicatorIds\":[1],\"provenance\":[\"Alert\"]}]},\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"indicators\":[{\"id\":1,\"type\":\"url\",\"field\":\"request url\",\"value\":\"http://www.DVftYKDtEi.com/ds7002.zip\",\"relatedEntities\":[\"loki@jaguartm.onmicrosoft.com\"],\"provenance\":[\"Alert\"],\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"]}],\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"name\":\"Possible SpearPhishing Email\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"name\":\"(T1192) Spearphishing Link\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"mitreTechniqueIds\":[\"T1192\"],\"matchedEvents\":[{\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\"}]}]}]}", + "severity": 63, + "type": [ + "info" + ] + }, + "log": { + "level": "critical" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "alert": { + "alert_provider": "SAE", + "created_date": "2020-04-30T00:01:15.000Z", + "description": "A backdoor was possibly implanted after a user received a possible spear phishing email message.", + "id": "WB-9002-20200427-0002", + "impact_scope": { + "account_count": 0, + "desktop_count": 0, + "email_address_count": 0, + "entities": [ + { + "id": "5257b401-2fd7-469c-94fa-39a4f11eb925", + "provenance": [ + "Alert" + ], + "related_entities": [ + "CODERED\\\\loki" + ], + "related_indicator_id": [ + 1 + ], + "type": "host", + "value": { + "account_value": "loki@jaguartm.onmicrosoft.com" + } + } + ], + "server_count": 0 + }, + "indicators": [ + { + "field": "request url", + "filter_id": [ + "f862df72-7f5e-4b2b-9f7f-9148e875f908" + ], + "id": 1, + "provenance": [ + "Alert" + ], + "related_entities": [ + "loki@jaguartm.onmicrosoft.com" + ], + "type": "url", + "value": "http://www.DVftYKDtEi.com/ds7002.zip" + } + ], + "investigation_status": "New", + "matched_rule": [ + { + "filter": [ + { + "date": "2019-08-02T04:00:01.000Z", + "events": [ + { + "date": "2019-08-02T04:00:01.000Z", + "type": "TELEMETRY_REGISTRY", + "uuid": "fa9ff47c-e1b8-459e-a3d0-a5b104b854a5" + } + ], + "id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e", + "mitre_technique_id": [ + "T1192" + ], + "name": "(T1192) Spearphishing Link" + } + ], + "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b", + "name": "Possible SpearPhishing Email" + } + ], + "model": "Possible APT Attack", + "schema_version": "1.0", + "score": 63, + "severity": "critical", + "workbench_link": "https://THE_WORKBENCH_URL" + } + }, + "url": { + "original": "https://THE_WORKBENCH_URL", + "scheme": "https" + } + } + ] +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/data_stream/alert/_dev/test/system/test-default-config.yml b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..c6104a7bd86 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/system/test-default-config.yml @@ -0,0 +1,9 @@ +input: httpjson +service: trend_micro_vision_one +vars: + hostname: http://{{Hostname}}:{{Port}} + api_token: xxxx +data_stream: + vars: + preserve_original_event: true + preserve_duplicate_custom_fields: true diff --git a/packages/trend_micro_vision_one/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/trend_micro_vision_one/data_stream/alert/agent/stream/httpjson.yml.hbs new file mode 100644 index 00000000000..c734c8fb695 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/agent/stream/httpjson.yml.hbs @@ -0,0 +1,57 @@ +config_version: 2 +interval: {{interval}} +{{#if proxy_url}} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +request.method: GET +request.url: {{hostname}}/v3.0/workbench/alerts +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: + - set: + target: header.Authorization + value: 'Bearer {{api_token}}' + - set: + target: url.params.startDateTime + value: '[[formatDate (parseDate .cursor.last_update_at)]]' + default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' + - set: + target: url.params.endDateTime + value: '[[formatDate (now)]]' + - set: + target: url.params.orderBy + value: 'updatedDateTime asc' + - set: + target: url.params.dateTimeTarget + value: 'createdDateTime' +response.pagination: + - set: + target: url.value + value: '[[if index .last_response.body "nextLink"]][[replaceAll " " "%20" .last_response.body.nextLink]][[else]][[.last_response.terminate_pagination]][[end]]' + fail_on_template_error: true +cursor: + last_update_at: + value: '[[.last_response.url.params.Get "endDateTime"]]' +response.split: + target: body.items +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..b9b4ba94f3b --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,559 @@ +--- +description: Pipeline for processing Trend Micro Vision One Alert logs. +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - set: + field: event.kind + value: alert + - json: + field: event.original + target_field: json + ignore_failure: true + - script: + description: Set the value of event.category and event.type. + lang: painless + source: > + def eventCategory = new HashSet(); + def eventType = new HashSet(); + if (ctx.json?.description != null && ctx.json.description != '') { + def description = ctx.json.description.toLowerCase(); + if (description.contains('logon')) { + eventCategory.add('authentication'); + eventCategory.add('host'); + eventType.add('info'); + } else if (description.contains('email')) { + eventCategory.add('email'); + eventType.add('info'); + } else if (description.contains('network')) { + eventCategory.add('network'); + eventType.add('info'); + } else { + eventCategory.add('malware'); + eventType.add('info'); + } + } + if (!eventCategory.isEmpty()) { + ctx.event.category = eventCategory; + } + if (!eventType.isEmpty()) { + ctx.event.type = eventType; + } + - fingerprint: + fields: + - json.updatedDateTime + - json.createdDateTime + - json.id + target_field: _id + ignore_missing: true + - date: + field: json.updatedDateTime + if: ctx.json?.updatedDateTime != null && ctx.json.updatedDateTime != '' + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.id + target_field: trend_micro_vision_one.alert.id + ignore_missing: true + - set: + field: event.id + copy_from: trend_micro_vision_one.alert.id + ignore_failure: true + - convert: + field: json.score + target_field: trend_micro_vision_one.alert.score + if: ctx.json?.score != '' + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.severity + copy_from: trend_micro_vision_one.alert.score + ignore_failure: true + - rename: + field: json.severity + target_field: trend_micro_vision_one.alert.severity + ignore_missing: true + - set: + field: log.level + copy_from: trend_micro_vision_one.alert.severity + ignore_failure: true + - lowercase: + field: log.level + ignore_missing: true + - rename: + field: json.schemaVersion + target_field: trend_micro_vision_one.alert.schema_version + ignore_missing: true + - rename: + field: json.investigationStatus + target_field: trend_micro_vision_one.alert.investigation_status + ignore_missing: true + - rename: + field: json.workbenchLink + target_field: trend_micro_vision_one.alert.workbench_link + ignore_missing: true + - uri_parts: + field: trend_micro_vision_one.alert.workbench_link + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.alertProvider + target_field: trend_micro_vision_one.alert.alert_provider + ignore_missing: true + - rename: + field: json.model + target_field: trend_micro_vision_one.alert.model + ignore_missing: true + - convert: + field: json.impactScope.desktopCount + target_field: trend_micro_vision_one.alert.impact_scope.desktop_count + if: ctx.json?.impactScope?.desktopCount != '' + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.impactScope.serverCount + target_field: trend_micro_vision_one.alert.impact_scope.server_count + if: ctx.json?.impactScope?.serverCount != '' + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.impactScope.accountCount + target_field: trend_micro_vision_one.alert.impact_scope.account_count + if: ctx.json?.impactScope?.accountCount != '' + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.impactScope.emailAddressCount + target_field: trend_micro_vision_one.alert.impact_scope.email_address_count + if: ctx.json?.impactScope?.emailAddressCount != '' + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.impactScope.entities + processor: + foreach: + field: _ingest._value.entityValue.ips + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + - script: + description: Mapped value object field of impactScope. + lang: painless + if: ctx.json?.impactScope?.entities instanceof List + source: > + def impactscope_entities = ctx.json.impactScope.entities; + for (entity_object in impactscope_entities) { + if (!(entity_object.entityValue instanceof HashMap)) { + def entityValue = entity_object.entityValue; + entity_object.value = new HashMap(); + entity_object.value.account_value = entityValue; + entity_object.remove("entityValue"); + } + } + - foreach: + field: json.impactScope.entities + processor: + rename: + field: _ingest._value.entityValue + target_field: _ingest._value.value + ignore_missing: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.impactScope.entities + processor: + convert: + field: _ingest._value.entityValue.ips + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + ignore_missing: true + ignore_failure: true + - foreach: + field: json.impactScope.entities + processor: + rename: + field: _ingest._value.entityType + target_field: _ingest._value.type + ignore_missing: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.impactScope.entities + processor: + rename: + field: _ingest._value.entityId + target_field: _ingest._value.id + ignore_missing: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.impactScope.entities + processor: + rename: + field: _ingest._value.relatedEntities + target_field: _ingest._value.related_entities + ignore_missing: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.impactScope.entities + processor: + convert: + field: _ingest._value.relatedIndicatorIds + target_field: _ingest._value.related_indicator_id + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + ignore_missing: true + ignore_failure: true + - foreach: + field: json.impactScope.entities + processor: + remove: + field: _ingest._value.relatedIndicatorIds + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.impactScope.entities + target_field: trend_micro_vision_one.alert.impact_scope.entities + ignore_missing: true + - date: + field: json.createdDateTime + target_field: trend_micro_vision_one.alert.created_date + if: ctx.json?.createdDateTime != null && ctx.json.createdDateTime != '' + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.description + target_field: trend_micro_vision_one.alert.description + ignore_missing: true + - foreach: + field: json.indicators + processor: + rename: + field: _ingest._value.relatedEntities + target_field: _ingest._value.related_entities + ignore_missing: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.indicators + processor: + rename: + field: _ingest._value.matchedIndicatorPatternIds + target_field: _ingest._value.matched_indicator.pattern_id + ignore_missing: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.indicators + processor: + foreach: + field: _ingest._value.firstSeenDateTimes + processor: + date: + field: _ingest._value + target_field: _ingest._value + formats: + - ISO8601 + ignore_failure: true + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.indicators + processor: + rename: + field: _ingest._value.firstSeenDateTimes + target_field: _ingest._value.first_seen_date + ignore_missing: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.indicators + processor: + rename: + field: _ingest._value.filterIds + target_field: _ingest._value.filter_id + ignore_missing: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.indicators + processor: + foreach: + field: _ingest._value.lastSeenDateTimes + processor: + date: + field: _ingest._value + target_field: _ingest._value + formats: + - ISO8601 + ignore_failure: true + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.indicators + processor: + rename: + field: _ingest._value.lastSeenDateTimes + target_field: _ingest._value.last_seen_date + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.indicators + target_field: trend_micro_vision_one.alert.indicators + ignore_missing: true + - foreach: + field: json.matchedIndicatorPatterns + processor: + rename: + field: _ingest._value.matchedLogs + target_field: _ingest._value.matched_log + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.matchedIndicatorPatterns + target_field: trend_micro_vision_one.alert.matched_indicators_pattern + ignore_missing: true + - foreach: + field: json.matchedRules + processor: + foreach: + field: _ingest._value.matchedFilters + processor: + date: + field: _ingest._value.matchedDateTime + target_field: _ingest._value.date + formats: + - ISO8601 + ignore_failure: true + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.matchedRules + processor: + foreach: + field: _ingest._value.matchedFilters + processor: + remove: + field: _ingest._value.matchedDateTime + ignore_missing: true + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.matchedRules + processor: + foreach: + field: _ingest._value.matchedFilters + processor: + rename: + field: _ingest._value.mitreTechniqueIds + target_field: _ingest._value.mitre_technique_id + ignore_missing: true + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.matchedRules + processor: + foreach: + field: _ingest._value.matchedFilters + processor: + foreach: + field: _ingest._value.matchedEvents + processor: + date: + field: _ingest._value.matchedDateTime + target_field: _ingest._value.date + formats: + - ISO8601 + ignore_failure: true + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.matchedRules + processor: + foreach: + field: _ingest._value.matchedFilters + processor: + foreach: + field: _ingest._value.matchedEvents + processor: + remove: + field: _ingest._value.matchedDateTime + ignore_missing: true + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.matchedRules + processor: + foreach: + field: _ingest._value.matchedFilters + processor: + rename: + field: _ingest._value.matchedEvents + target_field: _ingest._value.events + ignore_missing: true + ignore_missing: true + ignore_failure: true + ignore_missing: true + ignore_failure: true + - foreach: + field: json.matchedRules + processor: + rename: + field: _ingest._value.matchedFilters + target_field: _ingest._value.filter + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.matchedRules + target_field: trend_micro_vision_one.alert.matched_rule + ignore_missing: true + - rename: + field: json.campaign + target_field: trend_micro_vision_one.alert.campaign + ignore_missing: true + - rename: + field: json.industry + target_field: trend_micro_vision_one.alert.industry + ignore_missing: true + - rename: + field: json.regionAndCountry + target_field: trend_micro_vision_one.alert.region_and_country + ignore_missing: true + - rename: + field: json.createdBy + target_field: trend_micro_vision_one.alert.created_by + ignore_missing: true + - convert: + field: json.totalIndicatorCount + target_field: trend_micro_vision_one.alert.total_indicator_count + if: ctx.json?.totalIndicatorCount != '' + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.matchedIndicatorCount + target_field: trend_micro_vision_one.alert.matched_indicator_count + if: ctx.json?.matchedIndicatorCount != '' + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.reportLink + target_field: trend_micro_vision_one.alert.report_link + ignore_missing: true + - remove: + field: json + ignore_missing: true + - remove: + field: + - trend_micro_vision_one.alert.id + - trend_micro_vision_one.alert.score + - trend_micro_vision_one.alert.severity + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + ignore_failure: true + ignore_missing: true + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + ignore_missing: true + - script: + description: Drops null/empty values recursively. + lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: +- append: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/trend_micro_vision_one/data_stream/alert/fields/agent.yml b/packages/trend_micro_vision_one/data_stream/alert/fields/agent.yml new file mode 100644 index 00000000000..e313ec82874 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/fields/agent.yml @@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/trend_micro_vision_one/data_stream/alert/fields/base-fields.yml b/packages/trend_micro_vision_one/data_stream/alert/fields/base-fields.yml new file mode 100644 index 00000000000..75af598bf0a --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: trend_micro_vision_one.alert +- name: event.module + type: constant_keyword + description: Event module. + value: trend_micro_vision_one +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/trend_micro_vision_one/data_stream/alert/fields/ecs.yml b/packages/trend_micro_vision_one/data_stream/alert/fields/ecs.yml new file mode 100644 index 00000000000..f4275f1ecc4 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/fields/ecs.yml @@ -0,0 +1,34 @@ +- external: ecs + name: ecs.version +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.id +- external: ecs + name: event.kind +- external: ecs + name: event.original +- external: ecs + name: event.severity +- external: ecs + name: event.type +- external: ecs + name: log.level +- external: ecs + name: related.ip +- external: ecs + name: tags +- external: ecs + name: url.domain +- external: ecs + name: url.extension +- external: ecs + name: url.fragment +- external: ecs + name: url.original +- external: ecs + name: url.path +- external: ecs + name: url.scheme diff --git a/packages/trend_micro_vision_one/data_stream/alert/fields/fields.yml b/packages/trend_micro_vision_one/data_stream/alert/fields/fields.yml new file mode 100644 index 00000000000..114d9dc0e32 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/fields/fields.yml @@ -0,0 +1,183 @@ +- name: trend_micro_vision_one.alert + type: group + fields: + - name: alert_provider + type: keyword + description: Alert provider. + - name: campaign + type: keyword + description: An object-ref to a campaign object. + - name: created_by + type: keyword + description: Created by. + - name: created_date + type: date + description: Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) that indicates the created date time of the alert. + - name: description + type: keyword + description: Description of the detection model that triggered the alert. + - name: id + type: keyword + description: Workbench ID. + - name: impact_scope + type: group + fields: + - name: account_count + type: long + description: Count of affected account. + - name: desktop_count + type: long + description: Count of affected desktop. + - name: email_address_count + type: long + description: Count of affected email address. + - name: entities + type: group + fields: + - name: value + type: group + fields: + - name: account_value + type: keyword + description: Account or emailAddress. + - name: guid + type: keyword + description: GUID. + - name: id + type: keyword + description: Impact scope entity id. + - name: ips + type: ip + description: Set of IPs. + - name: name + type: keyword + description: Host name. + - name: type + type: keyword + description: Impact scope entity type. + - name: related_entities + type: keyword + description: Related entities. + - name: related_indicator_id + type: long + description: Related indicator ids. + - name: server_count + type: long + description: Count of affected server. + - name: indicators + type: group + fields: + - name: field + type: keyword + description: Detailed description of the indicator. + - name: filter_id + type: keyword + description: Related matched filter ids. + - name: first_seen_date + type: date + description: First seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). + - name: id + type: keyword + description: Indicator ID. + - name: last_seen_date + type: date + description: Last seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). + - name: matched_indicator + type: group + fields: + - name: pattern_id + type: keyword + description: Matched indicator pattern ids. + - name: provenance + type: keyword + description: Provenance. + - name: related_entities + type: keyword + description: Related entities. + - name: type + type: keyword + description: Indicator type. + - name: value + type: keyword + description: Indicator value. + - name: industry + type: keyword + description: Industry. + - name: investigation_status + type: keyword + description: Workbench alert status. + - name: matched_indicator_count + type: long + description: Matched indicator pattern count. + - name: matched_indicators_pattern + type: group + fields: + - name: id + type: keyword + description: Pattern ID. + - name: matched_log + type: keyword + description: Pattern matched log. + - name: pattern + type: keyword + description: STIX indicator will be a pattern. + - name: tags + type: keyword + description: Tags defined by STIX. + - name: matched_rule + type: group + fields: + - name: filter + type: group + fields: + - name: date + type: date + description: Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). + - name: events + type: group + fields: + - name: date + type: date + description: Matched event date. + - name: event_uuid + type: keyword + description: Matched event uuid. + - name: id + type: keyword + description: Matched filter id. + - name: mitre_technique_id + type: keyword + description: Mitre technique id. + - name: name + type: keyword + description: Filter name. + - name: id + type: keyword + description: The rules are triggered. + - name: name + type: keyword + description: Matched rule name. + - name: model + type: keyword + description: Name of the detection model that triggered the alert. + - name: region_and_country + type: keyword + description: region/country. + - name: report_link + type: keyword + description: A refrerence url which links to the report details analysis. For TrendMico research report, the link would link to trend blog. + - name: schema_version + type: keyword + description: The version of the JSON schema, not the version of alert trigger content. + - name: score + type: long + description: Overall severity assigned to the alert based on the severity of the matched detection model and the impact scope. + - name: severity + type: keyword + description: Workbench alert severity. + - name: total_indicator_count + type: long + description: Total indicator pattern count. + - name: workbench_link + type: keyword + description: Workbench URL. diff --git a/packages/trend_micro_vision_one/data_stream/alert/manifest.yml b/packages/trend_micro_vision_one/data_stream/alert/manifest.yml new file mode 100644 index 00000000000..07230e95c44 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/manifest.yml @@ -0,0 +1,65 @@ +title: Collect Alert logs from Trend Micro Vision One. +type: logs +streams: + - input: httpjson + title: Alert logs + description: Collect alert logs from Trend Micro Vision One. + template_path: httpjson.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the alert from Trend Micro Vision One. NOTE:- Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 24h + - name: interval + type: text + title: Interval + description: Duration between requests to the Trend Micro Vision One API. NOTE:- Supported units for this parameter are h/m/s. + default: 5m + multi: false + required: true + show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - trend_micro_vision_one-alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve trend_micro_vision_one.alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/trend_micro_vision_one/data_stream/alert/sample_event.json b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json new file mode 100644 index 00000000000..70fae695a6d --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json @@ -0,0 +1,133 @@ +{ + "@timestamp": "2030-04-30T00:01:16.000Z", + "agent": { + "ephemeral_id": "11b64a19-0682-4a33-b385-4e6142171d69", + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.0" + }, + "data_stream": { + "dataset": "trend_micro_vision_one.alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", + "snapshot": false, + "version": "8.4.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "email" + ], + "created": "2022-09-30T11:50:26.826Z", + "dataset": "trend_micro_vision_one.alert", + "id": "WB-9002-20200427-0002", + "ingested": "2022-09-30T11:50:30Z", + "kind": "alert", + "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", + "severity": 63, + "type": [ + "info" + ] + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "critical" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "trend_micro_vision_one-alert" + ], + "trend_micro_vision_one": { + "alert": { + "alert_provider": "SAE", + "created_date": "2020-04-30T00:01:15.000Z", + "description": "A backdoor was possibly implanted after a user received a possible spear phishing email message.", + "id": "WB-9002-20200427-0002", + "impact_scope": { + "account_count": 0, + "desktop_count": 0, + "email_address_count": 0, + "entities": [ + { + "id": "5257b401-2fd7-469c-94fa-39a4f11eb925", + "provenance": [ + "Alert" + ], + "related_entities": [ + "CODERED\\\\user" + ], + "related_indicator_id": [ + 1 + ], + "type": "host", + "value": { + "account_value": "user@email.com" + } + } + ], + "server_count": 0 + }, + "indicators": [ + { + "field": "request url", + "filter_id": [ + "f862df72-7f5e-4b2b-9f7f-9148e875f908" + ], + "id": 1, + "provenance": [ + "Alert" + ], + "related_entities": [ + "user@example.com" + ], + "type": "url", + "value": "http://www.example.com/ab001.zip" + } + ], + "investigation_status": "New", + "matched_rule": [ + { + "filter": [ + { + "date": "2019-08-02T04:00:01.000Z", + "events": [ + { + "date": "2019-08-02T04:00:01.000Z", + "type": "TELEMETRY_REGISTRY", + "uuid": "fa9ff47c-e1b8-459e-a3d0-a5b104b854a5" + } + ], + "id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e", + "mitre_technique_id": [ + "T1192" + ], + "name": "(T1192) Spearphishing Link" + } + ], + "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b", + "name": "Possible SpearPhishing Email" + } + ], + "model": "Possible APT Attack", + "schema_version": "1.0", + "score": 63, + "severity": "critical", + "workbench_link": "https://THE_WORKBENCH_URL" + } + }, + "url": { + "original": "https://THE_WORKBENCH_URL", + "scheme": "https" + } +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-common-config.yml b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..be41bb0d476 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,4 @@ +fields: + tags: + - preserve_original_event + - preserve_duplicate_custom_fields diff --git a/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log new file mode 100644 index 00000000000..94c45e77f44 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log @@ -0,0 +1,2 @@ +{"loggedDateTime":"2022-02-24T07:29:48Z","loggedUser":"Root Account","loggedRole":"Master Administrator","accessType":"Console","category":"Logon and Logoff","activity":"string","result":"Unsuccessful","details":{"property1":"string","property2":"string"}} +{"loggedDateTime":"2022-07-16 04:30:04","loggedUser":"Root Account","loggedRole":"Master Administrator","category":"Product Connector","activity":"Unregister product","accessType":"API","result":"Successful","details":{"product":"pdd"}} diff --git a/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log-expected.json b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log-expected.json new file mode 100644 index 00000000000..5285eb342c4 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log-expected.json @@ -0,0 +1,95 @@ +{ + "expected": [ + { + "@timestamp": "2022-02-24T07:29:48.000Z", + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "original": "{\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedUser\":\"Root Account\",\"loggedRole\":\"Master Administrator\",\"accessType\":\"Console\",\"category\":\"Logon and Logoff\",\"activity\":\"string\",\"result\":\"Unsuccessful\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"}}", + "outcome": "failure", + "type": [ + "info" + ] + }, + "related": { + "user": [ + "Root Account" + ] + }, + "source": { + "user": { + "name": "Root Account", + "roles": "Master Administrator" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "audit": { + "access_type": "Console", + "activity": "string", + "category": "Logon and Logoff", + "details": { + "property1": "string", + "property2": "string" + }, + "logged_role": "Master Administrator", + "logged_user": "Root Account", + "result": "Unsuccessful" + } + } + }, + { + "@timestamp": "2022-07-16T04:30:04.000Z", + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "original": "{\"loggedDateTime\":\"2022-07-16 04:30:04\",\"loggedUser\":\"Root Account\",\"loggedRole\":\"Master Administrator\",\"category\":\"Product Connector\",\"activity\":\"Unregister product\",\"accessType\":\"API\",\"result\":\"Successful\",\"details\":{\"product\":\"pdd\"}}", + "outcome": "success", + "type": [ + "info" + ] + }, + "related": { + "user": [ + "Root Account" + ] + }, + "source": { + "user": { + "name": "Root Account", + "roles": "Master Administrator" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "audit": { + "access_type": "API", + "activity": "Unregister product", + "category": "Product Connector", + "details": { + "product": "pdd" + }, + "logged_role": "Master Administrator", + "logged_user": "Root Account", + "result": "Successful" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/data_stream/audit/_dev/test/system/test-default-config.yml b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..c6104a7bd86 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/system/test-default-config.yml @@ -0,0 +1,9 @@ +input: httpjson +service: trend_micro_vision_one +vars: + hostname: http://{{Hostname}}:{{Port}} + api_token: xxxx +data_stream: + vars: + preserve_original_event: true + preserve_duplicate_custom_fields: true diff --git a/packages/trend_micro_vision_one/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/trend_micro_vision_one/data_stream/audit/agent/stream/httpjson.yml.hbs new file mode 100644 index 00000000000..4c6a8869bfb --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/agent/stream/httpjson.yml.hbs @@ -0,0 +1,60 @@ +config_version: 2 +interval: {{interval}} +{{#if proxy_url}} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +request.method: GET +request.url: {{hostname}}/v3.0/audit/logs +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: + - set: + target: header.Authorization + value: 'Bearer {{api_token}}' + - set: + target: url.params.top + value: '200' + - set: + target: url.params.startDateTime + value: '[[formatDate (parseDate .cursor.last_update_at)]]' + default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' + - set: + target: url.params.endDateTime + value: '[[formatDate (now)]]' + - set: + target: url.params.orderBy + value: 'loggedDateTime asc' + - set: + target: url.params.labels + value: 'all' +response.pagination: + - set: + target: url.value + value: '[[if index .last_response.body "nextLink"]][[replaceAll " " "%20" .last_response.body.nextLink]][[else]][[.last_response.terminate_pagination]][[end]]' + fail_on_template_error: true +cursor: + last_update_at: + value: '[[.last_response.url.params.Get "endDateTime"]]' +response.split: + target: body.items +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..37d39000a53 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,171 @@ +--- +description: Pipeline for processing Trend Micro Vision One Audit logs. +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - set: + field: event.kind + value: event + - json: + field: event.original + target_field: json + ignore_failure: true + - script: + description: Set the value of event.category and event.type. + lang: painless + source: > + def eventCategory = new HashSet(); + def eventType = new HashSet(); + if (ctx.json?.category != null && ctx.json.category != '' && ctx.json.activity != null && ctx.json.activity != '') { + def category = ctx.json.category.toLowerCase(); + def activity = ctx.json.activity.toLowerCase(); + if (['logon and logoff', 'saml single sign-on'].contains(category)) { + eventCategory.add('authentication'); + if (['log on', 'enable single sign-on'].contains(activity)) { + eventType.add('start'); + } + if (['log off', 'disable single sign-on'].contains(activity)) { + eventType.add('end'); + } else { + eventType.add('info'); + } + } + if (['account management', 'product connector', 'Notifications', 'detection model management', 'workbench', 'response management', 'search', 'managed xdr', 'third-party integration', 'service gateway inventory', 'endpoint inventory', 'endpoint security policies', 'zero trust secure access', 'sandbox analysis', 'oat', 'security playbooks'].contains(category)) { + eventCategory.add('authentication'); + eventType.add('info'); + } + if (category == 'network inventory') { + eventCategory.add('network'); + eventType.add('info'); + } + if (category == 'threat intelligence') { + eventCategory.add('threat'); + eventType.add('indicator'); + } + if (activity == 'email') { + eventCategory.add('email'); + } + if (activity == 'file') { + eventCategory.add('file'); + } + if (activity == 'threat') { + eventCategory.add('threat'); + } + } + if (!eventCategory.isEmpty()) { + ctx.event.category = eventCategory; + } + if (!eventType.isEmpty()) { + ctx.event.type = eventType; + } + - fingerprint: + fields: + - json.loggedDateTime + - json.loggedUser + - json.loggedRole + - json.category + - json.activity + - json.details + target_field: _id + ignore_missing: true + - date: + field: json.loggedDateTime + if: ctx.json?.loggedDateTime != null && ctx.json.loggedDateTime != '' + formats: + - ISO8601 + - yyyy-MM-dd HH:mm:ss + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.loggedUser + target_field: trend_micro_vision_one.audit.logged_user + ignore_missing: true + - set: + field: source.user.name + copy_from: trend_micro_vision_one.audit.logged_user + ignore_failure: true + - rename: + field: json.loggedRole + target_field: trend_micro_vision_one.audit.logged_role + ignore_missing: true + - set: + field: source.user.roles + copy_from: trend_micro_vision_one.audit.logged_role + ignore_failure: true + - rename: + field: json.accessType + target_field: trend_micro_vision_one.audit.access_type + ignore_missing: true + - rename: + field: json.category + target_field: trend_micro_vision_one.audit.category + ignore_missing: true + - rename: + field: json.activity + target_field: trend_micro_vision_one.audit.activity + ignore_missing: true + - rename: + field: json.result + target_field: trend_micro_vision_one.audit.result + ignore_missing: true + - set: + field: event.outcome + value: 'success' + if: ctx.trend_micro_vision_one?.audit?.result == 'Successful' + - set: + field: event.outcome + value: 'failure' + if: ctx.trend_micro_vision_one?.audit?.result == 'Unsuccessful' + - rename: + field: json.details + target_field: trend_micro_vision_one.audit.details + ignore_missing: true + - remove: + field: json + ignore_missing: true + - append: + field: related.user + value: '{{{source.user.name}}}' + if: ctx.source?.user?.name != null + allow_duplicates: false + ignore_failure: true + - remove: + field: + - trend_micro_vision_one.audit.logged_user + - trend_micro_vision_one.audit.logged_role + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + ignore_failure: true + ignore_missing: true + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + ignore_missing: true + - script: + description: Drops null/empty values recursively. + lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: +- append: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/trend_micro_vision_one/data_stream/audit/fields/agent.yml b/packages/trend_micro_vision_one/data_stream/audit/fields/agent.yml new file mode 100644 index 00000000000..e313ec82874 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/fields/agent.yml @@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/trend_micro_vision_one/data_stream/audit/fields/base-fields.yml b/packages/trend_micro_vision_one/data_stream/audit/fields/base-fields.yml new file mode 100644 index 00000000000..8a5aa585b17 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: trend_micro_vision_one.audit +- name: event.module + type: constant_keyword + description: Event module. + value: trend_micro_vision_one +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/trend_micro_vision_one/data_stream/audit/fields/ecs.yml b/packages/trend_micro_vision_one/data_stream/audit/fields/ecs.yml new file mode 100644 index 00000000000..951fd69cf1c --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/fields/ecs.yml @@ -0,0 +1,20 @@ +- external: ecs + name: ecs.version +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.kind +- external: ecs + name: event.original +- external: ecs + name: event.type +- external: ecs + name: related.user +- external: ecs + name: source.user.name +- external: ecs + name: source.user.roles +- external: ecs + name: tags diff --git a/packages/trend_micro_vision_one/data_stream/audit/fields/fields.yml b/packages/trend_micro_vision_one/data_stream/audit/fields/fields.yml new file mode 100644 index 00000000000..7b18021ce63 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/fields/fields.yml @@ -0,0 +1,24 @@ +- name: trend_micro_vision_one.audit + type: group + fields: + - name: access_type + type: keyword + description: Source of the activity. + - name: activity + type: keyword + description: The activity that was performed. + - name: category + type: keyword + description: Category. + - name: details + type: flattened + description: Object that contains a list of elements to be retrieved from the "details" field. + - name: logged_role + type: keyword + description: Role of the account. + - name: logged_user + type: keyword + description: The account that was used to perform the activity. + - name: result + type: keyword + description: Result. diff --git a/packages/trend_micro_vision_one/data_stream/audit/manifest.yml b/packages/trend_micro_vision_one/data_stream/audit/manifest.yml new file mode 100644 index 00000000000..3376929cdb9 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/manifest.yml @@ -0,0 +1,65 @@ +title: Collect Audit logs from Trend Micro Vision One. +type: logs +streams: + - input: httpjson + title: Audit logs + description: Collect audit logs from Trend Micro Vision One. + template_path: httpjson.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the audit from Trend Micro Vision One. NOTE:- Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 24h + - name: interval + type: text + title: Interval + description: Duration between requests to the Trend Micro Vision One API. NOTE:- Supported units for this parameter are h/m/s. + default: 5m + multi: false + required: true + show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - trend_micro_vision_one-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve trend_micro_vision_one.audit fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/trend_micro_vision_one/data_stream/audit/sample_event.json b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json new file mode 100644 index 00000000000..c198ffb7acb --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json @@ -0,0 +1,72 @@ +{ + "@timestamp": "2022-02-24T07:29:48.000Z", + "agent": { + "ephemeral_id": "804f8045-e600-48a3-85fc-958312d96c71", + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.0" + }, + "data_stream": { + "dataset": "trend_micro_vision_one.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", + "snapshot": false, + "version": "8.4.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "authentication" + ], + "created": "2022-09-30T11:51:11.031Z", + "dataset": "trend_micro_vision_one.audit", + "ingested": "2022-09-30T11:51:14Z", + "kind": "event", + "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", + "outcome": "failure", + "type": [ + "info" + ] + }, + "input": { + "type": "httpjson" + }, + "related": { + "user": [ + "Root Account" + ] + }, + "source": { + "user": { + "name": "Root Account", + "roles": "Master Administrator" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "trend_micro_vision_one-audit" + ], + "trend_micro_vision_one": { + "audit": { + "access_type": "Console", + "activity": "string", + "category": "Logon and Logoff", + "details": { + "property1": "string", + "property2": "string" + }, + "logged_role": "Master Administrator", + "logged_user": "Root Account", + "result": "Unsuccessful" + } + } +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-common-config.yml b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..be41bb0d476 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,4 @@ +fields: + tags: + - preserve_original_event + - preserve_duplicate_custom_fields diff --git a/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log new file mode 100644 index 00000000000..aa794d180c4 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log @@ -0,0 +1,2 @@ +{"act":"Clean","actResult":"Quarantined successfully","app":"HTTP","appGroup":"HTTP","aptRelated":"0","behaviorCat":"Grey-Detection","blocking":"Web reputation","cat":50,"cccaDetection":"Yes","cccaDetectionSource":"GLOBAL_INTELLIGENCE","cccaRiskLevel":3,"clientFlag":"dst","cnt":"1","component":["PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00"],"compressedFileSize":"0","detectionType":"File","deviceDirection":"outbound","deviceGUID":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","deviceProcessName":"/snap/core/10126/usr/lib/snapd/snapd","deviceMacAddress":"00:11:22:33:44:55","dhost":"samplehost","domainName":"Workgroup","dpt":53,"dst":["81.2.69.142"],"dstGroup":"Default","end":"2021-09-30T09:40:04-08:00","endpointGUID":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","endpointHostName":"xxx-docker","endpointIp":["81.2.69.142"],"endpointMacAddress":"00:11:22:33:44:55","engType":"Virus Scan Engine (Windows XP/Server 2003, x64)","engVer":"12.500.1004","eventId":"100117","eventName":"INTEGRITY_MONITORING_EVENT","eventSubName":"Attack Discovery","eventTime":1602724592000,"eventTimeDT":"2021-06-10T01:38:38+00:00","fileHash":"3395856ce81f2b7382dee72602f798b642f14140","fileName":["Unconfirmed 145081.crdownload"],"fileOperation":"Deleted","filePath":"/etc/systemd/system","filePathName":"/etc/systemd/system/snap-xxxx-1246.xxxx","fileSize":"0","firstAct":"Clean","firstActResult":"Unable to clean file","fullPath":"C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 145081.crdownload","hostName":"samplehost","httpReferer":"http://xxx.xxxxxx.com/","interestedHost":"xxx-docker","interestedIp":["192.168.47.102"],"interestedMacAddress":"00:11:22:33:44","malName":"Eicar_test_1","malType":"Virus/Malware","mDevice":["81.2.69.192","67.43.156.0"],"mDeviceGUID":"C5B09EDD-C725-907F-29D9-B8C30D18C48F","mitreMapping":["T1090 (TA0005)"],"mitreVersion":"v6","mpname":"Cloud One - Workload Security","mpver":"Deep Security/20.0.222","objectCmd":["C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe --profile-directory=Default"],"objectFileHashMd5":"761AEFF7E6B110970285B9C20C9E1DCA","objectFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","objectFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","objectFileName":"Unconfirmed 142899.crdownload:SmartScreen","objectFilePath":"C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 142899.crdownload:SmartScreen","objectName":"CloudEndpointService.exe","objectPid":7660,"objectSigner":["Microsoft Windows"],"parentCmd":"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k DcomLaunch -p","parentFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","parentFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","parentFilePath":"C:\\\\Windows\\\\System32\\\\svchost.exe","peerHost":"samplehost","peerIp":["81.2.69.144"],"pname":"Apex One","processCmd":"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca","processFileHashMd5":"761AEFF7E6B110970285B9C20C9E1DCA","processFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","processFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","processFilePath":"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe","processName":"string","processPid":0,"processSigner":"Microsoft Windows Publisher","productCode":"sao","pver":"20.0.0.877","request":"https://example.com","requestClientApplication":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","rt":"2020-10-15T01:16:32.000Z","rt_utc":"2020-10-15T01:16:32.000Z","searchDL":"DDL","spt":58871,"src":["81.2.69.142"],"srcGroup":"Default","tacticId":["TA0005"],"tags":["XSAE.F2140","XSAE.F3066"],"threatName":"Malicious_identified_CnC_querying_on_UDP_detected","uuid":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"} +{"eventTimeDT":"2022-07-11T13:35:34+00:00","tags":null,"uuid":"1234abcd-1234abcd-1234abcd-1234abcd-1234abcd","searchDL":"DDL","eventTime":1657546534000,"productCode":"sig","eventName":"WEB_POLICY_VIOLATION","rt_utc":"2022-07-11T13:35:34Z","rt":"2022-07-11T13:35:34+0000","act":["Block"],"aggregatedCount":"1","detectionType":"Web Reputation Service","deviceGUID":"456xyz-456xyz-456xyz-456xyz-456xyz","dst":["81.2.69.142"],"endpointGUID":"789pqr-789pqr-789pqr-789pqr-789pqr","endpointHostName":"ABC01","fileSize":"0","fileType":"ASCII Text","osName":"10.15.6","pname":"Secure Web Gateway","policyName":"default","pver":"1.0","request":"http://example.com/","requestBase":"example.com","src":["81.2.69.142"],"suid":"user.name","urlCat":["Newly Observed Domain"],"userDomain":"example.com","profile":"Default threat protection profile","principalName":"user.name@example.com","policyUuid":"123123-abcd-123-abcd","sender":"Default cloud gateway","logKey":"123-123-123-abc-abc-abc","clientIp":["81.2.69.142"]} diff --git a/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log-expected.json b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log-expected.json new file mode 100644 index 00000000000..24f010a1e4a --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log-expected.json @@ -0,0 +1,419 @@ +{ + "expected": [ + { + "@timestamp": "2020-10-15T01:16:32.000Z", + "destination": { + "domain": "Workgroup", + "ip": [ + "81.2.69.142" + ], + "port": 53 + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "action": "clean", + "category": [ + "intrusion_detection" + ], + "id": "100117", + "kind": "event", + "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"deviceMacAddress\":\"00:11:22:33:44:55\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"endpointHostName\":\"xxx-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00:11:22:33:44:55\",\"engType\":\"Virus Scan Engine (Windows XP/Server 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://xxx.xxxxxx.com/\",\"interestedHost\":\"xxx-docker\",\"interestedIp\":[\"192.168.47.102\"],\"interestedMacAddress\":\"00:11:22:33:44\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mDevice\":[\"81.2.69.192\",\"67.43.156.0\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"Microsoft Windows\"],\"parentCmd\":\"C:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.144\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"Microsoft Windows Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":[\"81.2.69.142\"],\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"}", + "severity": 50, + "type": [ + "info" + ] + }, + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "name": [ + "Unconfirmed 145081.crdownload" + ], + "path": "/etc/systemd/system/snap-xxxx-1246.xxxx", + "size": 0 + }, + "host": { + "hostname": "samplehost", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "81.2.69.142" + ], + "mac": "00-11-22-33-44-55", + "name": "xxx-docker" + }, + "http": { + "request": { + "referrer": "http://xxx.xxxxxx.com/" + } + }, + "network": { + "direction": "outbound", + "protocol": "http" + }, + "observer": { + "hostname": "samplehost", + "mac": "00-11-22-33-44-55" + }, + "process": { + "command_line": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", + "name": "string", + "pid": 0 + }, + "related": { + "hash": [ + "761AEFF7E6B110970285B9C20C9E1DCA", + "00496B4D53CEFE031B9702B3385C9F4430999932", + "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7", + "3395856ce81f2b7382dee72602f798b642f14140" + ], + "hosts": [ + "samplehost", + "xxx-docker" + ], + "ip": [ + "81.2.69.142", + "81.2.69.192", + "67.43.156.0", + "192.168.47.102", + "81.2.69.144" + ] + }, + "source": { + "ip": [ + "81.2.69.142" + ], + "port": 58871 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "tactic": { + "id": [ + "TA0005" + ] + } + }, + "trend_micro_vision_one": { + "detection": { + "action": "Clean", + "action_result": "Quarantined successfully", + "behavior_category": "Grey-Detection", + "block": "Web reputation", + "client_flag": "dst", + "component_version": [ + "PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00" + ], + "compressed_file_size": 0, + "destination": { + "ip": [ + "81.2.69.142" + ], + "ip_group": "Default", + "port": 53 + }, + "detection": "Yes", + "detection_source": "GLOBAL_INTELLIGENCE", + "detection_type": "File", + "device": { + "direction": "outbound", + "guid": "C5B09EDD-C725-907F-29D9-B8C30D18C48F", + "host": "samplehost", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "81.2.69.192", + "67.43.156.0" + ], + "mac": "00-11-22-33-44-55", + "process_name": "/snap/core/10126/usr/lib/snapd/snapd" + }, + "domain": { + "name": "Workgroup" + }, + "end_time": "2021-09-30T17:40:04.000Z", + "endpoint": { + "guid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "hostname": "xxx-docker", + "ip": [ + "81.2.69.142" + ], + "mac": "00-11-22-33-44-55" + }, + "engine_type": "Virus Scan Engine (Windows XP/Server 2003, x64)", + "engine_version": "12.500.1004", + "event_id": "100117", + "event_name": "INTEGRITY_MONITORING_EVENT", + "event_time_dt": "2021-06-10T01:38:38.000Z", + "file_hash": "3395856ce81f2b7382dee72602f798b642f14140", + "file_name": [ + "Unconfirmed 145081.crdownload" + ], + "file_operation": "Deleted", + "file_path": "/etc/systemd/system", + "file_path_name": "/etc/systemd/system/snap-xxxx-1246.xxxx", + "file_size": 0, + "first_action": "Clean", + "first_action_result": "Unable to clean file", + "full_path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 145081.crdownload", + "hostname": "samplehost", + "http_referer": "http://xxx.xxxxxx.com/", + "interested": { + "host": "xxx-docker", + "ip": [ + "192.168.47.102" + ], + "mac": "00-11-22-33-44" + }, + "malware_name": "Eicar_test_1", + "malware_type": "Virus/Malware", + "mproduct": { + "name": "Cloud One - Workload Security", + "version": "Deep Security/20.0.222" + }, + "object": { + "cmd": [ + "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe --profile-directory=Default" + ], + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "name": "Unconfirmed 142899.crdownload:SmartScreen", + "path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 142899.crdownload:SmartScreen" + }, + "name": "CloudEndpointService.exe", + "pid": 7660, + "signer": [ + "Microsoft Windows" + ] + }, + "parent": { + "cmd": "C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k DcomLaunch -p", + "file": { + "hash": { + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "path": "C:\\\\Windows\\\\System32\\\\svchost.exe" + } + }, + "peer": { + "host": "samplehost", + "ip": [ + "81.2.69.144" + ] + }, + "process": { + "cmd": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "path": "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe" + }, + "name": "string", + "pid": 0, + "signer": "Microsoft Windows Publisher" + }, + "product": { + "code": "sao", + "name": "Apex One", + "version": "20.0.0.877" + }, + "protocol": "HTTP", + "protocol_group": "HTTP", + "related_apt": false, + "request": "https://example.com", + "request_client_application": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0", + "risk_level": 3, + "rt": "2020-10-15T01:16:32.000Z", + "rt_utc": "2020-10-15T01:16:32.000Z", + "search_data_lake": "DDL", + "security_analytics": { + "engine": { + "name": [ + "T1090 (TA0005)" + ], + "version": "v6" + } + }, + "severity_level": 50, + "source": { + "group": "Default", + "ip": [ + "81.2.69.142" + ], + "port": 58871 + }, + "sub_name": "Attack Discovery", + "tactic_id": [ + "TA0005" + ], + "tags": [ + "XSAE.F2140", + "XSAE.F3066" + ], + "threat_name": "Malicious_identified_CnC_querying_on_UDP_detected", + "total_count": 1, + "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + } + }, + "url": { + "domain": "example.com", + "original": "https://example.com", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "92.0." + } + }, + { + "@timestamp": "2022-07-11T13:35:34.000Z", + "client": { + "ip": [ + "81.2.69.142" + ] + }, + "destination": { + "ip": [ + "81.2.69.142" + ] + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "action": [ + "block" + ], + "category": [ + "intrusion_detection" + ], + "kind": "event", + "original": "{\"eventTimeDT\":\"2022-07-11T13:35:34+00:00\",\"tags\":null,\"uuid\":\"1234abcd-1234abcd-1234abcd-1234abcd-1234abcd\",\"searchDL\":\"DDL\",\"eventTime\":1657546534000,\"productCode\":\"sig\",\"eventName\":\"WEB_POLICY_VIOLATION\",\"rt_utc\":\"2022-07-11T13:35:34Z\",\"rt\":\"2022-07-11T13:35:34+0000\",\"act\":[\"Block\"],\"aggregatedCount\":\"1\",\"detectionType\":\"Web Reputation Service\",\"deviceGUID\":\"456xyz-456xyz-456xyz-456xyz-456xyz\",\"dst\":[\"81.2.69.142\"],\"endpointGUID\":\"789pqr-789pqr-789pqr-789pqr-789pqr\",\"endpointHostName\":\"ABC01\",\"fileSize\":\"0\",\"fileType\":\"ASCII Text\",\"osName\":\"10.15.6\",\"pname\":\"Secure Web Gateway\",\"policyName\":\"default\",\"pver\":\"1.0\",\"request\":\"http://example.com/\",\"requestBase\":\"example.com\",\"src\":[\"81.2.69.142\"],\"suid\":\"user.name\",\"urlCat\":[\"Newly Observed Domain\"],\"userDomain\":\"example.com\",\"profile\":\"Default threat protection profile\",\"principalName\":\"user.name@example.com\",\"policyUuid\":\"123123-abcd-123-abcd\",\"sender\":\"Default cloud gateway\",\"logKey\":\"123-123-123-abc-abc-abc\",\"clientIp\":[\"81.2.69.142\"]}", + "type": [ + "info" + ] + }, + "file": { + "size": 0, + "type": "ASCII Text" + }, + "host": { + "id": "789pqr-789pqr-789pqr-789pqr-789pqr", + "name": "ABC01" + }, + "os": { + "name": "10.15.6" + }, + "related": { + "hosts": [ + "ABC01" + ], + "ip": [ + "81.2.69.142" + ] + }, + "source": { + "ip": [ + "81.2.69.142" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "detection": { + "action": [ + "Block" + ], + "aggregated_count": 1, + "client_ip": [ + "81.2.69.142" + ], + "destination": { + "ip": [ + "81.2.69.142" + ] + }, + "detection_type": "Web Reputation Service", + "device": { + "id": "456xyz-456xyz-456xyz-456xyz-456xyz" + }, + "endpoint": { + "guid": "789pqr-789pqr-789pqr-789pqr-789pqr", + "hostname": "ABC01" + }, + "event_name": "WEB_POLICY_VIOLATION", + "event_time_dt": "2022-07-11T13:35:34.000Z", + "file_size": 0, + "file_type": "ASCII Text", + "os": { + "name": "10.15.6" + }, + "policy": { + "logkey": "123-123-123-abc-abc-abc", + "name": "default", + "uuid": "123123-abcd-123-abcd" + }, + "principal_name": "user.name@example.com", + "product": { + "code": "sig", + "name": "Secure Web Gateway", + "version": "1.0" + }, + "profile": "Default threat protection profile", + "request": "http://example.com/", + "request_base": "example.com", + "rt": "2022-07-11T13:35:34.000Z", + "rt_utc": "2022-07-11T13:35:34.000Z", + "search_data_lake": "DDL", + "sender": "Default cloud gateway", + "source": { + "ip": [ + "81.2.69.142" + ] + }, + "suid": "user.name", + "url_cat": [ + "Newly Observed Domain" + ], + "user": { + "domain": "example.com" + }, + "uuid": "1234abcd-1234abcd-1234abcd-1234abcd-1234abcd" + } + }, + "url": { + "domain": "example.com", + "original": "http://example.com/", + "path": "/", + "scheme": "http" + }, + "user": { + "domain": "example.com" + } + } + ] +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/data_stream/detection/_dev/test/system/test-default-config.yml b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..c6104a7bd86 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/system/test-default-config.yml @@ -0,0 +1,9 @@ +input: httpjson +service: trend_micro_vision_one +vars: + hostname: http://{{Hostname}}:{{Port}} + api_token: xxxx +data_stream: + vars: + preserve_original_event: true + preserve_duplicate_custom_fields: true diff --git a/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs b/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs new file mode 100644 index 00000000000..e40bef49beb --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs @@ -0,0 +1,60 @@ +config_version: 2 +interval: {{interval}} +{{#if proxy_url}} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +request.method: GET +request.url: {{hostname}}/v3.0/search/detections +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: + - set: + target: header.Authorization + value: 'Bearer {{api_token}}' + - set: + target: header.TMV1-Query + value: 'uuid' + - set: + target: url.params.top + value: '5000' + - set: + target: url.params.startDateTime + value: '[[formatDate (parseDate .cursor.last_update_at)]]' + default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' + - set: + target: url.params.endDateTime + value: '[[formatDate (now)]]' + - set: + target: url.params.select + value: 'empty' +response.pagination: + - set: + target: url.value + value: '[[if index .last_response.body "nextLink"]][[replaceAll " " "%20" .last_response.body.nextLink]][[else]][[.last_response.terminate_pagination]][[end]]' + fail_on_template_error: true +cursor: + last_update_at: + value: '[[.last_response.url.params.Get "endDateTime"]]' +response.split: + target: body.items +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..3ec96608462 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,977 @@ +--- +description: Pipeline for processing Trend Micro Vision One Alert logs. +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - set: + field: event.kind + value: event + - set: + field: event.category + value: [intrusion_detection] + - set: + field: event.type + value: [info] + - json: + field: event.original + target_field: json + ignore_failure: true + - fingerprint: + fields: + - json.eventTime + - json.rt_utc + - json.uuid + target_field: _id + ignore_missing: true + - date: + field: json.eventTime + if: ctx.json?.eventTime != null && ctx.json.eventTime != '' + formats: + - UNIX_MS + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.domainName + target_field: trend_micro_vision_one.detection.domain.name + ignore_missing: true + - set: + field: destination.domain + copy_from: trend_micro_vision_one.detection.domain.name + ignore_failure: true + - convert: + field: json.dst + target_field: trend_micro_vision_one.detection.destination.ip + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: destination.ip + copy_from: trend_micro_vision_one.detection.destination.ip + ignore_failure: true + - convert: + field: json.dpt + target_field: trend_micro_vision_one.detection.destination.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: destination.port + copy_from: trend_micro_vision_one.detection.destination.port + ignore_failure: true + - rename: + field: json.act + target_field: trend_micro_vision_one.detection.action + ignore_missing: true + - set: + field: event.action + copy_from: trend_micro_vision_one.detection.action + ignore_failure: true + - lowercase: + field: event.action + ignore_missing: true + - rename: + field: json.eventId + target_field: trend_micro_vision_one.detection.event_id + ignore_missing: true + - set: + field: event.id + copy_from: trend_micro_vision_one.detection.event_id + ignore_failure: true + - rename: + field: json.objectFileHashMd5 + target_field: trend_micro_vision_one.detection.object.file.hash.md5 + ignore_missing: true + - set: + field: file.hash.md5 + copy_from: trend_micro_vision_one.detection.object.file.hash.md5 + ignore_failure: true + - rename: + field: json.objectFileHashSha1 + target_field: trend_micro_vision_one.detection.object.file.hash.sha1 + ignore_missing: true + - set: + field: file.hash.sha1 + copy_from: trend_micro_vision_one.detection.object.file.hash.sha1 + ignore_failure: true + - rename: + field: json.objectFileHashSha256 + target_field: trend_micro_vision_one.detection.object.file.hash.sha256 + ignore_missing: true + - set: + field: file.hash.sha256 + copy_from: trend_micro_vision_one.detection.object.file.hash.sha256 + ignore_failure: true + - rename: + field: json.fileName + target_field: trend_micro_vision_one.detection.file_name + ignore_missing: true + - set: + field: file.name + copy_from: trend_micro_vision_one.detection.file_name + ignore_failure: true + - rename: + field: json.filePathName + target_field: trend_micro_vision_one.detection.file_path_name + ignore_missing: true + - set: + field: file.path + copy_from: trend_micro_vision_one.detection.file_path_name + ignore_failure: true + - convert: + field: json.fileSize + target_field: trend_micro_vision_one.detection.file_size + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: file.size + copy_from: trend_micro_vision_one.detection.file_size + ignore_failure: true + - rename: + field: json.hostName + target_field: trend_micro_vision_one.detection.hostname + ignore_missing: true + - set: + field: host.hostname + copy_from: trend_micro_vision_one.detection.hostname + ignore_failure: true + - rename: + field: json.endpointGUID + target_field: trend_micro_vision_one.detection.endpoint.guid + ignore_missing: true + - set: + field: host.id + copy_from: trend_micro_vision_one.detection.endpoint.guid + ignore_failure: true + - foreach: + field: json.endpointIp + processor: + append: + field: trend_micro_vision_one.detection.endpoint.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + ignore_missing: true + ignore_failure: true + - set: + field: host.ip + copy_from: trend_micro_vision_one.detection.endpoint.ip + ignore_failure: true + - gsub: + field: json.endpointMacAddress + pattern: '[-:.]' + replacement: '-' + ignore_missing: true + - uppercase: + field: json.endpointMacAddress + ignore_missing: true + - rename: + field: json.endpointMacAddress + target_field: trend_micro_vision_one.detection.endpoint.mac + ignore_missing: true + - set: + field: host.mac + copy_from: trend_micro_vision_one.detection.endpoint.mac + ignore_failure: true + - rename: + field: json.endpointHostName + target_field: trend_micro_vision_one.detection.endpoint.hostname + ignore_missing: true + - set: + field: host.name + copy_from: trend_micro_vision_one.detection.endpoint.hostname + ignore_failure: true + - rename: + field: json.httpReferer + target_field: trend_micro_vision_one.detection.http_referer + ignore_missing: true + - set: + field: http.request.referrer + copy_from: trend_micro_vision_one.detection.http_referer + ignore_failure: true + - rename: + field: json.cat + target_field: trend_micro_vision_one.detection.severity_level + ignore_missing: true + - set: + field: event.severity + copy_from: trend_micro_vision_one.detection.severity_level + ignore_failure: true + - rename: + field: json.deviceDirection + target_field: trend_micro_vision_one.detection.device.direction + ignore_missing: true + - set: + field: network.direction + copy_from: trend_micro_vision_one.detection.device.direction + ignore_failure: true + - lowercase: + field: network.direction + ignore_missing: true + - rename: + field: json.app + target_field: trend_micro_vision_one.detection.protocol + ignore_missing: true + - set: + field: network.protocol + copy_from: trend_micro_vision_one.detection.protocol + ignore_failure: true + - lowercase: + field: network.protocol + ignore_missing: true + - rename: + field: json.dhost + target_field: trend_micro_vision_one.detection.device.host + ignore_missing: true + - set: + field: observer.hostname + copy_from: trend_micro_vision_one.detection.device.host + ignore_failure: true + - gsub: + field: json.deviceMacAddress + pattern: '[-:.]' + replacement: '-' + ignore_missing: true + - uppercase: + field: json.deviceMacAddress + ignore_missing: true + - rename: + field: json.deviceMacAddress + target_field: trend_micro_vision_one.detection.device.mac + ignore_missing: true + - set: + field: observer.mac + copy_from: trend_micro_vision_one.detection.device.mac + ignore_failure: true + - rename: + field: json.processCmd + target_field: trend_micro_vision_one.detection.process.cmd + ignore_missing: true + - set: + field: process.command_line + copy_from: trend_micro_vision_one.detection.process.cmd + ignore_failure: true + - rename: + field: json.processName + target_field: trend_micro_vision_one.detection.process.name + ignore_missing: true + - set: + field: process.name + copy_from: trend_micro_vision_one.detection.process.name + ignore_failure: true + - convert: + field: json.processPid + target_field: trend_micro_vision_one.detection.process.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: process.pid + copy_from: trend_micro_vision_one.detection.process.pid + ignore_failure: true + - convert: + field: json.src + target_field: trend_micro_vision_one.detection.source.ip + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: source.ip + copy_from: trend_micro_vision_one.detection.source.ip + ignore_failure: true + - convert: + field: json.spt + target_field: trend_micro_vision_one.detection.source.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: source.port + copy_from: trend_micro_vision_one.detection.source.port + ignore_failure: true + - rename: + field: json.tacticId + target_field: trend_micro_vision_one.detection.tactic_id + ignore_missing: true + - set: + field: threat.tactic.id + copy_from: trend_micro_vision_one.detection.tactic_id + ignore_failure: true + - rename: + field: json.requestClientApplication + target_field: trend_micro_vision_one.detection.request_client_application + ignore_missing: true + - set: + field: url.request + copy_from: trend_micro_vision_one.detection.request_client_application + ignore_failure: true + - user_agent: + field: url.request + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.actResult + target_field: trend_micro_vision_one.detection.action_result + ignore_missing: true + - rename: + field: json.behaviorCat + target_field: trend_micro_vision_one.detection.behavior_category + ignore_missing: true + - rename: + field: json.blocking + target_field: trend_micro_vision_one.detection.block + ignore_missing: true + - rename: + field: json.clientFlag + target_field: trend_micro_vision_one.detection.client_flag + ignore_missing: true + - rename: + field: json.component + target_field: trend_micro_vision_one.detection.component_version + ignore_missing: true + - convert: + field: json.compressedFileSize + target_field: trend_micro_vision_one.detection.compressed_file_size + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.dstGroup + target_field: trend_micro_vision_one.detection.destination.ip_group + ignore_missing: true + - rename: + field: json.cccaDetection + target_field: trend_micro_vision_one.detection.detection + ignore_missing: true + - rename: + field: json.cccaDetectionSource + target_field: trend_micro_vision_one.detection.detection_source + ignore_missing: true + - rename: + field: json.detectionType + target_field: trend_micro_vision_one.detection.detection_type + ignore_missing: true + - convert: + field: json.cccaRiskLevel + target_field: trend_micro_vision_one.detection.risk_level + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.mDeviceGUID + target_field: trend_micro_vision_one.detection.device.guid + ignore_missing: true + - rename: + field: json.deviceGUID + target_field: trend_micro_vision_one.detection.device.id + ignore_missing: true + - convert: + field: json.mDevice + target_field: trend_micro_vision_one.detection.device.ip + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.deviceProcessName + target_field: trend_micro_vision_one.detection.device.process_name + ignore_missing: true + - date: + field: json.end + target_field: trend_micro_vision_one.detection.end_time + if: ctx.json?.end != null && ctx.json.end != '' + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.engType + target_field: trend_micro_vision_one.detection.engine_type + ignore_missing: true + - rename: + field: json.engVer + target_field: trend_micro_vision_one.detection.engine_version + ignore_missing: true + - rename: + field: json.eventName + target_field: trend_micro_vision_one.detection.event_name + ignore_missing: true + - date: + field: json.eventTimeDT + target_field: trend_micro_vision_one.detection.event_time_dt + if: ctx.json?.eventTimeDT != null && ctx.json.eventTimeDT != '' + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.fileHash + target_field: trend_micro_vision_one.detection.file_hash + ignore_missing: true + - rename: + field: json.fileOperation + target_field: trend_micro_vision_one.detection.file_operation + ignore_missing: true + - rename: + field: json.filePath + target_field: trend_micro_vision_one.detection.file_path + ignore_missing: true + - rename: + field: json.firstAct + target_field: trend_micro_vision_one.detection.first_action + ignore_missing: true + - rename: + field: json.firstActResult + target_field: trend_micro_vision_one.detection.first_action_result + ignore_missing: true + - rename: + field: json.fullPath + target_field: trend_micro_vision_one.detection.full_path + ignore_missing: true + - rename: + field: json.interestedHost + target_field: trend_micro_vision_one.detection.interested.host + ignore_missing: true + - convert: + field: json.interestedIp + target_field: trend_micro_vision_one.detection.interested.ip + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - gsub: + field: json.interestedMacAddress + pattern: '[-:.]' + replacement: '-' + ignore_missing: true + - uppercase: + field: json.interestedMacAddress + ignore_missing: true + - rename: + field: json.interestedMacAddress + target_field: trend_micro_vision_one.detection.interested.mac + ignore_missing: true + - rename: + field: json.malName + target_field: trend_micro_vision_one.detection.malware_name + ignore_missing: true + - rename: + field: json.malType + target_field: trend_micro_vision_one.detection.malware_type + ignore_missing: true + - rename: + field: json.objectCmd + target_field: trend_micro_vision_one.detection.object.cmd + ignore_missing: true + - rename: + field: json.objectFileName + target_field: trend_micro_vision_one.detection.object.file.name + ignore_missing: true + - rename: + field: json.objectFilePath + target_field: trend_micro_vision_one.detection.object.file.path + ignore_missing: true + - rename: + field: json.objectName + target_field: trend_micro_vision_one.detection.object.name + ignore_missing: true + - convert: + field: json.objectPid + target_field: trend_micro_vision_one.detection.object.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.objectSigner + target_field: trend_micro_vision_one.detection.object.signer + ignore_missing: true + - rename: + field: json.parentCmd + target_field: trend_micro_vision_one.detection.parent.cmd + ignore_missing: true + - rename: + field: json.parentFileHashSha1 + target_field: trend_micro_vision_one.detection.parent.file.hash.sha1 + ignore_missing: true + - rename: + field: json.parentFileHashSha256 + target_field: trend_micro_vision_one.detection.parent.file.hash.sha256 + ignore_missing: true + - rename: + field: json.parentFilePath + target_field: trend_micro_vision_one.detection.parent.file.path + ignore_missing: true + - rename: + field: json.peerHost + target_field: trend_micro_vision_one.detection.peer.host + ignore_missing: true + - convert: + field: json.peerIp + target_field: trend_micro_vision_one.detection.peer.ip + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.processFileHashMd5 + target_field: trend_micro_vision_one.detection.process.file.hash.md5 + ignore_missing: true + - rename: + field: json.processFileHashSha1 + target_field: trend_micro_vision_one.detection.process.file.hash.sha1 + ignore_missing: true + - rename: + field: json.processFileHashSha256 + target_field: trend_micro_vision_one.detection.process.file.hash.sha256 + ignore_missing: true + - rename: + field: json.processFilePath + target_field: trend_micro_vision_one.detection.process.file.path + ignore_missing: true + - rename: + field: json.processSigner + target_field: trend_micro_vision_one.detection.process.signer + ignore_missing: true + - rename: + field: json.request + target_field: trend_micro_vision_one.detection.request + ignore_missing: true + - uri_parts: + field: trend_micro_vision_one.detection.request + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.productCode + target_field: trend_micro_vision_one.detection.product.code + ignore_missing: true + - rename: + field: json.mpname + target_field: trend_micro_vision_one.detection.mproduct.name + ignore_missing: true + - rename: + field: json.pname + target_field: trend_micro_vision_one.detection.product.name + ignore_missing: true + - rename: + field: json.mpver + target_field: trend_micro_vision_one.detection.mproduct.version + ignore_missing: true + - rename: + field: json.pver + target_field: trend_micro_vision_one.detection.product.version + ignore_missing: true + - rename: + field: json.appGroup + target_field: trend_micro_vision_one.detection.protocol_group + ignore_missing: true + - set: + field: trend_micro_vision_one.detection.related_apt + value: false + if: ctx.json?.aptRelated == '0'; + - set: + field: trend_micro_vision_one.detection.related_apt + value: true + if: ctx.json?.aptRelated == '1'; + - date: + field: json.rt + target_field: trend_micro_vision_one.detection.rt + if: ctx.json?.rt != null && ctx.json.rt != '' + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - date: + field: json.rt_utc + target_field: trend_micro_vision_one.detection.rt_utc + if: ctx.json?.rt_utc != null && ctx.json.rt_utc != '' + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.searchDL + target_field: trend_micro_vision_one.detection.search_data_lake + ignore_missing: true + - rename: + field: json.mitreMapping + target_field: trend_micro_vision_one.detection.security_analytics.engine.name + ignore_missing: true + - rename: + field: json.mitreVersion + target_field: trend_micro_vision_one.detection.security_analytics.engine.version + ignore_missing: true + - rename: + field: json.srcGroup + target_field: trend_micro_vision_one.detection.source.group + ignore_missing: true + - rename: + field: json.threatName + target_field: trend_micro_vision_one.detection.threat_name + ignore_missing: true + - rename: + field: json.eventSubName + target_field: trend_micro_vision_one.detection.sub_name + ignore_missing: true + - rename: + field: json.tags + target_field: trend_micro_vision_one.detection.tags + ignore_missing: true + - convert: + field: json.cnt + target_field: trend_micro_vision_one.detection.total_count + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.uuid + target_field: trend_micro_vision_one.detection.uuid + ignore_missing: true + - convert: + field: json.aggregatedCount + target_field: trend_micro_vision_one.detection.aggregated_count + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.fileType + target_field: trend_micro_vision_one.detection.file_type + ignore_missing: true + - set: + field: file.type + copy_from: trend_micro_vision_one.detection.file_type + ignore_failure: true + - rename: + field: json.fileType + target_field: trend_micro_vision_one.detection.file_type + ignore_missing: true + - set: + field: file.type + copy_from: trend_micro_vision_one.detection.file_type + ignore_failure: true + - rename: + field: json.osName + target_field: trend_micro_vision_one.detection.os.name + ignore_missing: true + - set: + field: os.name + copy_from: trend_micro_vision_one.detection.os.name + ignore_failure: true + - rename: + field: json.policyName + target_field: trend_micro_vision_one.detection.policy.name + ignore_missing: true + - rename: + field: json.requestBase + target_field: trend_micro_vision_one.detection.request_base + ignore_missing: true + - rename: + field: json.suid + target_field: trend_micro_vision_one.detection.suid + ignore_missing: true + - rename: + field: json.urlCat + target_field: trend_micro_vision_one.detection.url_cat + ignore_missing: true + - rename: + field: json.userDomain + target_field: trend_micro_vision_one.detection.user.domain + ignore_missing: true + - set: + field: user.domain + copy_from: trend_micro_vision_one.detection.user.domain + ignore_failure: true + - rename: + field: json.profile + target_field: trend_micro_vision_one.detection.profile + ignore_missing: true + - rename: + field: json.principalName + target_field: trend_micro_vision_one.detection.principal_name + ignore_missing: true + - rename: + field: json.policyUuid + target_field: trend_micro_vision_one.detection.policy.uuid + ignore_missing: true + - rename: + field: json.sender + target_field: trend_micro_vision_one.detection.sender + ignore_missing: true + - rename: + field: json.logKey + target_field: trend_micro_vision_one.detection.policy.logkey + ignore_missing: true + - rename: + field: json.mimeType + target_field: trend_micro_vision_one.detection.mime_type + ignore_missing: true + - convert: + field: json.clientIp + target_field: trend_micro_vision_one.detection.client_ip + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: client.ip + copy_from: trend_micro_vision_one.detection.client_ip + ignore_failure: true + - remove: + field: json + ignore_missing: true + - append: + field: related.hash + value: '{{{file.hash.md5}}}' + if: ctx.file?.hash?.md5 != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hash + value: '{{{file.hash.sha1}}}' + if: ctx.file?.hash?.sha1 != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hash + value: '{{{file.hash.sha256}}}' + if: ctx.file?.hash?.sha256 != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hash + value: '{{{trend_micro_vision_one.detection.file_hash}}}' + if: ctx.trend_micro_vision_one?.detection?.file_hash != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hash + value: '{{{trend_micro_vision_one.detection.parent.file.hash.sha1}}}' + if: ctx.trend_micro_vision_one?.detection?.parent?.file?.hash?.sha1 != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hash + value: '{{{trend_micro_vision_one.detection.parent.file.hash.sha256}}}' + if: ctx.trend_micro_vision_one?.detection?.parent?.file?.hash?.sha256 != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hash + value: '{{{trend_micro_vision_one.detection.process.file.hash.md5}}}' + if: ctx.trend_micro_vision_one?.detection?.process?.file?.hash?.md5 != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hash + value: '{{{trend_micro_vision_one.detection.process.file.hash.sha1}}}' + if: ctx.trend_micro_vision_one?.detection?.process?.file?.hash?.sha1 != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hash + value: '{{{trend_micro_vision_one.detection.process.file.hash.sha256}}}' + if: ctx.trend_micro_vision_one?.detection?.process?.file?.hash?.sha256 != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hosts + value: '{{{host.hostname}}}' + if: ctx.host?.hostname != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hosts + value: '{{{host.name}}}' + if: ctx.host?.name != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hosts + value: '{{{observer.hostname}}}' + if: ctx.observer?.hostname != null + allow_duplicates: false + ignore_failure: true + - foreach: + field: destination.ip + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + ignore_missing: true + ignore_failure: true + - foreach: + field: source.ip + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + ignore_missing: true + ignore_failure: true + - foreach: + field: trend_micro_vision_one.detection.device.ip + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + ignore_missing: true + ignore_failure: true + - foreach: + field: trend_micro_vision_one.detection.interested.ip + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + ignore_missing: true + ignore_failure: true + - foreach: + field: trend_micro_vision_one.detection.peer.ip + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + ignore_missing: true + ignore_failure: true + - foreach: + field: client.ip + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + ignore_missing: true + ignore_failure: true + - remove: + field: + - trend_micro_vision_one.detection.domain.name + - trend_micro_vision_one.detection.destination.ip + - trend_micro_vision_one.detection.destination.port + - trend_micro_vision_one.detection.action + - trend_micro_vision_one.detection.event_id + - trend_micro_vision_one.detection.object.file.hash.md5 + - trend_micro_vision_one.detection.object.file.hash.sha1 + - trend_micro_vision_one.detection.object.file.hash.sha256 + - trend_micro_vision_one.detection.file_name + - trend_micro_vision_one.detection.file_path_name + - trend_micro_vision_one.detection.file_size + - trend_micro_vision_one.detection.hostname + - trend_micro_vision_one.detection.endpoint.guid + - trend_micro_vision_one.detection.endpoint.ip + - trend_micro_vision_one.detection.endpoint.mac + - trend_micro_vision_one.detection.endpoint.hostname + - trend_micro_vision_one.detection.http_referer + - trend_micro_vision_one.detection.severity_level + - trend_micro_vision_one.detection.device.direction + - trend_micro_vision_one.detection.protocol + - trend_micro_vision_one.detection.device.host + - trend_micro_vision_one.detection.device.mac + - trend_micro_vision_one.detection.process.cmd + - trend_micro_vision_one.detection.process.name + - trend_micro_vision_one.detection.process.pid + - trend_micro_vision_one.detection.source.ip + - trend_micro_vision_one.detection.source.port + - trend_micro_vision_one.detection.tactic_id + - trend_micro_vision_one.detection.request_client_application + - trend_micro_vision_one.detection.file_type + - trend_micro_vision_one.detection.os.name + - trend_micro_vision_one.detection.user.domain + - trend_micro_vision_one.detection.client_ip + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + ignore_failure: true + ignore_missing: true + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + ignore_missing: true + - script: + description: Drops null/empty values recursively. + lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: +- append: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/trend_micro_vision_one/data_stream/detection/fields/agent.yml b/packages/trend_micro_vision_one/data_stream/detection/fields/agent.yml new file mode 100644 index 00000000000..e313ec82874 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/detection/fields/agent.yml @@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/trend_micro_vision_one/data_stream/detection/fields/base-fields.yml b/packages/trend_micro_vision_one/data_stream/detection/fields/base-fields.yml new file mode 100644 index 00000000000..d144d282f15 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/detection/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: trend_micro_vision_one.detection +- name: event.module + type: constant_keyword + description: Event module. + value: trend_micro_vision_one +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/trend_micro_vision_one/data_stream/detection/fields/ecs.yml b/packages/trend_micro_vision_one/data_stream/detection/fields/ecs.yml new file mode 100644 index 00000000000..ff82058f954 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/detection/fields/ecs.yml @@ -0,0 +1,92 @@ +- external: ecs + name: client.ip +- external: ecs + name: destination.domain +- external: ecs + name: destination.ip +- external: ecs + name: destination.port +- external: ecs + name: ecs.version +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.kind +- external: ecs + name: event.original +- external: ecs + name: event.severity +- external: ecs + name: event.type +- external: ecs + name: file.hash.md5 +- external: ecs + name: file.hash.sha1 +- external: ecs + name: file.hash.sha256 +- external: ecs + name: file.name +- external: ecs + name: file.path +- external: ecs + name: file.size +- external: ecs + name: file.type +- external: ecs + name: http.request.referrer +- external: ecs + name: network.direction +- external: ecs + name: network.protocol +- external: ecs + name: observer.hostname +- external: ecs + name: observer.mac +- external: ecs + name: os.name +- external: ecs + name: process.command_line +- external: ecs + name: process.name +- external: ecs + name: process.pid +- external: ecs + name: related.hash +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: source.ip +- external: ecs + name: source.port +- external: ecs + name: tags +- external: ecs + name: threat.tactic.id +- external: ecs + name: url.domain +- external: ecs + name: url.original +- external: ecs + name: url.path +- external: ecs + name: url.scheme +- external: ecs + name: user.domain +- external: ecs + name: user_agent.device.name +- external: ecs + name: user_agent.name +- external: ecs + name: user_agent.original +- external: ecs + name: user_agent.os.full +- external: ecs + name: user_agent.os.name +- external: ecs + name: user_agent.os.version +- external: ecs + name: user_agent.version diff --git a/packages/trend_micro_vision_one/data_stream/detection/fields/fields.yml b/packages/trend_micro_vision_one/data_stream/detection/fields/fields.yml new file mode 100644 index 00000000000..d4d7aeba24d --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/detection/fields/fields.yml @@ -0,0 +1,405 @@ +- name: trend_micro_vision_one.detection + type: group + fields: + - name: action + type: keyword + description: Action by detect product. + - name: action_result + type: keyword + description: Action result by detect product. + - name: aggregated_count + type: long + description: Aggregated count. + - name: behavior_category + type: keyword + description: The matched policy category (policy section) in the BM patterns, which will always Grey-Detection here. + - name: block + type: keyword + description: blocking Reason. + - name: client_flag + type: keyword + description: 0:Unknown 1:src 2:dst. + - name: client_ip + type: ip + description: Client IP. + - name: component_version + type: keyword + description: Product component version. + - name: compressed_file_size + type: long + description: File size after compressed. + - name: destination + type: group + fields: + - name: ip + type: ip + description: Destination IP address. + - name: ip_group + type: keyword + description: Destination IP address group. + - name: port + type: long + description: Destination port. + - name: detection + type: keyword + description: Yes (Tag it when it appears and the value is 1). + - name: detection_source + type: keyword + description: Detection source use by Deep Discovery Inspector. + - name: detection_type + type: keyword + description: Product detection type. + - name: device + type: group + fields: + - name: direction + type: keyword + description: '0: inbound 1: outbound 2: unknown (If cannot be parsed correctly, 2 is assigned).' + - name: guid + type: keyword + description: Device GUID. + - name: host + type: keyword + description: device host. + - name: id + type: keyword + description: Device identity. + - name: ip + type: ip + description: Devices ip list. + - name: mac + type: keyword + description: Mac address. + - name: process_name + type: keyword + description: Process name in device. + - name: domain + type: group + fields: + - name: name + type: keyword + description: Domain name. + - name: end_time + type: date + description: End time. + - name: endpoint + type: group + fields: + - name: guid + type: keyword + description: endpoint GUID for identity. + - name: hostname + type: keyword + description: Hostname of the endpoint on which the event was generated. + - name: ip + type: ip + description: Endpoint IP address list. + - name: mac + type: keyword + description: Endpoint Mac address. + - name: engine_type + type: keyword + description: Product scan engine type. + - name: engine_version + type: keyword + description: Product scan engine version. + - name: event_id + type: keyword + description: Event ID. + - name: event_name + type: keyword + description: Predefined event enumerator. + - name: event_time_dt + type: date + description: Detect time. + - name: file_hash + type: keyword + description: Detect file hash value. + - name: file_name + type: keyword + description: Detect file name. + - name: file_operation + type: keyword + description: Operation for detect file. + - name: file_path + type: keyword + description: Full file path without file name. + - name: file_path_name + type: keyword + description: Full file path. + - name: file_size + type: long + description: Detect file size. + - name: file_type + type: keyword + description: Detect file type. + - name: first_action + type: keyword + description: First action. + - name: first_action_result + type: keyword + description: First action result. + - name: full_path + type: keyword + description: File full path. + - name: hostname + type: keyword + description: host name. + - name: http_referer + type: keyword + description: http referer url. + - name: interested + type: group + fields: + - name: host + type: keyword + description: Highlighted indicator for incident response members. + - name: ip + type: ip + description: Highlighted indicator for incident response members. + - name: mac + type: keyword + description: Highlighted indicator for incident response members. + - name: malware_name + type: keyword + description: Malware name. + - name: malware_type + type: keyword + description: Malware type. + - name: mime_type + type: keyword + description: Mime type. + - name: mproduct + type: group + fields: + - name: name + type: keyword + description: Product name. + - name: version + type: keyword + description: Product Version. + - name: object + type: group + fields: + - name: cmd + type: keyword + description: The command line that a process detected by Attack Discovery uses to execute other processes. + - name: file + type: group + fields: + - name: hash + type: group + fields: + - name: md5 + type: keyword + description: File Hash Md5 value. + - name: sha1 + type: keyword + description: File Hash Sha1 value. + - name: sha256 + type: keyword + description: File Hash Sha256 value. + - name: name + type: keyword + description: File name. + - name: path + type: keyword + description: File path. + - name: name + type: keyword + description: Detect object name. + - name: pid + type: long + description: Detect object Pid. + - name: signer + type: keyword + description: Signer. + - name: os + type: group + fields: + - name: name + type: keyword + description: 'Supported values: Linux, Windows, macOS, macOSX.' + - name: parent + type: group + fields: + - name: cmd + type: keyword + description: The command line that parent process. + - name: file + type: group + fields: + - name: hash + type: group + fields: + - name: sha1 + type: keyword + description: Parent file sha1. + - name: sha256 + type: keyword + description: Parent file sha256. + - name: path + type: keyword + description: Parent file path. + - name: peer + type: group + fields: + - name: host + type: keyword + description: Peer host name. + - name: ip + type: ip + description: Peer ip list. + - name: policy + type: group + fields: + - name: logkey + type: keyword + description: Policy logkey. + - name: name + type: keyword + description: Policy name. + - name: uuid + type: keyword + description: Policy uuid. + - name: principal_name + type: keyword + description: Principal name. + - name: process + type: group + fields: + - name: cmd + type: keyword + description: The command line used to launch this process. + - name: file + type: group + fields: + - name: hash + type: group + fields: + - name: md5 + type: keyword + description: Process file hash MD5 value. + - name: sha1 + type: keyword + description: Process file hash Sha1 value. + - name: sha256 + type: keyword + description: Process file hash Sha256 value. + - name: path + type: keyword + description: The process file path. + - name: name + type: keyword + description: Process name. + - name: pid + type: long + description: Process Pid. + - name: signer + type: keyword + description: Process signer. + - name: product + type: group + fields: + - name: code + type: keyword + description: Product code name. + - name: name + type: keyword + description: product name. + - name: version + type: keyword + description: Product version. + - name: profile + type: keyword + description: Profile + - name: protocol + type: keyword + description: Protocol detect by Deep Discovery Inspector. + - name: protocol_group + type: keyword + description: Protocol group detect by Deep Discovery Inspector. + - name: related_apt + type: boolean + description: 0:False, 1:True. + - name: request + type: keyword + description: URL. + - name: request_base + type: keyword + description: Request base. + - name: request_client_application + type: keyword + description: Browser user agent. + - name: risk_level + type: long + description: SLF_CCCA_RISKLEVEL_UNKNOWN (0) SLF_CCCA_RISKLEVEL_LOW (1) SLF_CCCA_RISKLEVEL_MEDIUM (2) SLF_CCCA_RISKLEVEL_HIGH (3). + - name: rt + type: date + description: Detect time. + - name: rt_utc + type: date + description: Detect utc time. + - name: search_data_lake + type: keyword + description: Datalake name. + - name: security_analytics + type: group + fields: + - name: engine + type: group + fields: + - name: name + type: keyword + description: Security Analytics Engine. + - name: version + type: keyword + description: Security Analytics Engine version. + - name: sender + type: keyword + description: Sender. + - name: severity_level + type: long + description: severity score. + - name: source + type: group + fields: + - name: group + type: keyword + description: Source IP address group. + - name: ip + type: ip + description: Source IP address. + - name: port + type: long + description: Source port. + - name: sub_name + type: keyword + description: Detect event subscribe name. + - name: suid + type: keyword + description: Suid. + - name: tactic_id + type: keyword + description: Security Agent or product policy. + - name: tags + type: keyword + description: Detected by Security Analytics Engine filters. + - name: threat_name + type: keyword + description: Threat name. + - name: total_count + type: long + description: total count. + - name: url_cat + type: keyword + description: URL cat. + - name: user + type: group + fields: + - name: domain + type: keyword + description: User domain. + - name: uuid + type: keyword + description: Log unique id. diff --git a/packages/trend_micro_vision_one/data_stream/detection/manifest.yml b/packages/trend_micro_vision_one/data_stream/detection/manifest.yml new file mode 100644 index 00000000000..908ce8903cb --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/detection/manifest.yml @@ -0,0 +1,65 @@ +title: Collect Detection logs from Trend Micro Vision One. +type: logs +streams: + - input: httpjson + title: Detection logs + description: Collect detection logs from Trend Micro Vision One. + template_path: httpjson.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the detection from Trend Micro Vision One. NOTE:- Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 24h + - name: interval + type: text + title: Interval + description: Duration between requests to the Trend Micro Vision One API. NOTE:- Supported units for this parameter are h/m/s. + default: 5m + multi: false + required: true + show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - trend_micro_vision_one-detection + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve trend_micro_vision_one.detection fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json new file mode 100644 index 00000000000..00c77d025cc --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json @@ -0,0 +1,305 @@ +{ + "@timestamp": "2020-10-15T01:16:32.000Z", + "agent": { + "ephemeral_id": "c1aa9508-1cfd-4e4e-892e-6537d5fd053d", + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.0" + }, + "data_stream": { + "dataset": "trend_micro_vision_one.detection", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "domain": "Workgroup", + "ip": [ + "81.2.69.142" + ], + "port": 53 + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", + "snapshot": false, + "version": "8.4.0" + }, + "event": { + "action": "clean", + "agent_id_status": "verified", + "category": [ + "intrusion_detection" + ], + "created": "2022-09-30T11:51:54.629Z", + "dataset": "trend_micro_vision_one.detection", + "id": "100117", + "ingested": "2022-09-30T11:51:58Z", + "kind": "event", + "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", + "severity": 50, + "type": [ + "info" + ] + }, + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "name": [ + "Unconfirmed 145081.crdownload" + ], + "path": "/etc/systemd/system/snap-xxxx-1246.xxxx", + "size": 0 + }, + "host": { + "hostname": "samplehost", + "id": "1234-1234-1234", + "ip": [ + "81.2.69.142" + ], + "mac": "00-00-5E-00-53-23", + "name": "abc-docker" + }, + "http": { + "request": { + "referrer": "http://www.example.com/" + } + }, + "input": { + "type": "httpjson" + }, + "network": { + "direction": "outbound", + "protocol": "http" + }, + "observer": { + "hostname": "samplehost", + "mac": "00-00-5E-00-53-23" + }, + "process": { + "command_line": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", + "name": "string", + "pid": 0 + }, + "related": { + "hash": [ + "761AEFF7E6B110970285B9C20C9E1DCA", + "00496B4D53CEFE031B9702B3385C9F4430999932", + "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7", + "3395856ce81f2b7382dee72602f798b642f14140" + ], + "hosts": [ + "samplehost", + "abc-docker" + ], + "ip": [ + "81.2.69.142", + "81.2.69.192" + ] + }, + "source": { + "ip": "81.2.69.192", + "port": 58871 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "trend_micro_vision_one-detection" + ], + "threat": { + "tactic": { + "id": [ + "TA0005" + ] + } + }, + "trend_micro_vision_one": { + "detection": { + "action": "Clean", + "action_result": "Quarantined successfully", + "behavior_category": "Grey-Detection", + "block": "Web reputation", + "client_flag": "dst", + "component_version": [ + "PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00" + ], + "compressed_file_size": 0, + "destination": { + "ip": [ + "81.2.69.142" + ], + "ip_group": "Default", + "port": 53 + }, + "detection": "Yes", + "detection_source": "GLOBAL_INTELLIGENCE", + "detection_type": "File", + "device": { + "direction": "outbound", + "guid": "C5B09EDD-C725-907F-29D9-B8C30D18C48F", + "host": "samplehost", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "81.2.69.192" + ], + "mac": "00-00-5E-00-53-23", + "process_name": "/snap/core/10126/usr/lib/snapd/snapd" + }, + "domain": { + "name": "Workgroup" + }, + "end_time": "2021-09-30T17:40:04.000Z", + "endpoint": { + "guid": "1234-1234-1234", + "hostname": "abc-docker", + "ip": [ + "81.2.69.142" + ], + "mac": "00-00-5E-00-53-23" + }, + "engine_type": "Virus Scan Engine (OS 2003, x64)", + "engine_version": "12.500.1004", + "event_id": "100117", + "event_name": "INTEGRITY_MONITORING_EVENT", + "event_time_dt": "2021-06-10T01:38:38.000Z", + "file_hash": "3395856ce81f2b7382dee72602f798b642f14140", + "file_name": [ + "Unconfirmed 145081.crdownload" + ], + "file_operation": "Deleted", + "file_path": "/etc/systemd/system", + "file_path_name": "/etc/systemd/system/snap-xxxx-1246.xxxx", + "file_size": 0, + "first_action": "Clean", + "first_action_result": "Unable to clean file", + "full_path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 145081.crdownload", + "hostname": "samplehost", + "http_referer": "http://www.example.com/", + "interested": { + "host": "abc-docker", + "ip": [ + "81.2.69.192" + ], + "mac": "00-00-5E-00-53-23" + }, + "malware_name": "Eicar_test_1", + "malware_type": "Virus/Malware", + "mproduct": { + "name": "Cloud One - Workload Security", + "version": "Deep Security/20.0.222" + }, + "object": { + "cmd": [ + "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe --profile-directory=Default" + ], + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "name": "Unconfirmed 142899.crdownload:SmartScreen", + "path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 142899.crdownload:SmartScreen" + }, + "name": "CloudEndpointService.exe", + "pid": 7660, + "signer": [ + "OS" + ] + }, + "parent": { + "cmd": "C:\\\\os\\\\system32\\\\svchost.exe -k DcomLaunch -p", + "file": { + "hash": { + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "path": "C:\\\\os\\\\System32\\\\svchost.exe" + } + }, + "peer": { + "host": "samplehost", + "ip": [ + "81.2.69.192" + ] + }, + "process": { + "cmd": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "path": "C:\\\\Program Files (x86)\\\\os\\\\Application\\\\msedge.exe" + }, + "name": "string", + "pid": 0, + "signer": "OS Publisher" + }, + "product": { + "code": "sao", + "name": "Apex One", + "version": "20.0.0.877" + }, + "protocol": "HTTP", + "protocol_group": "HTTP", + "related_apt": false, + "request": "https://example.com", + "request_client_application": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", + "risk_level": 3, + "rt": "2020-10-15T01:16:32.000Z", + "rt_utc": "2020-10-15T01:16:32.000Z", + "search_data_lake": "DDL", + "security_analytics": { + "engine": { + "name": [ + "T1090 (TA0005)" + ], + "version": "v6" + } + }, + "severity_level": 50, + "source": { + "group": "Default", + "ip": "81.2.69.192", + "port": 58871 + }, + "sub_name": "Attack Discovery", + "tactic_id": [ + "TA0005" + ], + "tags": [ + "XSAE.F2140", + "XSAE.F3066" + ], + "threat_name": "Malicious_identified_CnC_querying_on_UDP_detected", + "total_count": 1, + "uuid": "1234-1234-1234" + } + }, + "url": { + "domain": "example.com", + "original": "https://example.com", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Mobile Safari", + "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", + "os": { + "full": "iOS 12.1", + "name": "iOS", + "version": "12.1" + }, + "version": "12.0" + } +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/docs/README.md b/packages/trend_micro_vision_one/docs/README.md new file mode 100644 index 00000000000..a0628ed587c --- /dev/null +++ b/packages/trend_micro_vision_one/docs/README.md @@ -0,0 +1,965 @@ +# Trend Micro Vision One + +## Overview + +The [Trend Micro Vision One](https://www.trendmicro.com/en_in/business/products/detection-response.html) integration allows you to monitor Alert, Audit, and Detection activity. Trend Micro Vision One refers to the ability to do detection and response across email, endpoints, servers, cloud workloads, and networks via a single Trend Micro Vision One platform or the managed Trend Micro Vision One service. + +Use the Trend Micro Vision One integration to collects and parses data from the REST APIs. Then visualize that data in Kibana. + +## Data streams + +The Trend Micro Vision One integration collects logs for three types of events: Alert, Audit, and Detection. + +**Alert** Displays information about workbench alerts. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/~1v3.0~1workbench~1alerts/get). + +**Audit** Displays log entries that match the specified search criteria. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Audit-Logs). + +**Detection** Displays search results from the Detection Data source. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1detections/get). + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your hardware. + +This module has been tested against `Trend Micro Vision One API version 3.0`. + +**Note:** The authentication token generated by a user expires one year after being generated. + +## Setup + +### To collect data from Trend Micro Vision One APIs, the user must have API Token. To create an API token follow the below steps: + +1. Log on to the Trend Micro Vision One console. +2. Go to **Administration -> User Accounts**. +![Trend Micro Vision One console](../img/trend-micro-vision-one-console.png) +3. Click on the account name having appropriate API access permission to generate an API token. +![Trend Micro Vision One generate API token ](../img/trend-micro-vision-one-api-token-generate.png) +4. Copy the Authentication token. + +## Logs Reference + +### alert + +This is the `alert` dataset. + +#### Example + +An example event for `alert` looks as following: + +```json +{ + "@timestamp": "2030-04-30T00:01:16.000Z", + "agent": { + "ephemeral_id": "11b64a19-0682-4a33-b385-4e6142171d69", + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.0" + }, + "data_stream": { + "dataset": "trend_micro_vision_one.alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", + "snapshot": false, + "version": "8.4.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "email" + ], + "created": "2022-09-30T11:50:26.826Z", + "dataset": "trend_micro_vision_one.alert", + "id": "WB-9002-20200427-0002", + "ingested": "2022-09-30T11:50:30Z", + "kind": "alert", + "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", + "severity": 63, + "type": [ + "info" + ] + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "critical" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "trend_micro_vision_one-alert" + ], + "trend_micro_vision_one": { + "alert": { + "alert_provider": "SAE", + "created_date": "2020-04-30T00:01:15.000Z", + "description": "A backdoor was possibly implanted after a user received a possible spear phishing email message.", + "id": "WB-9002-20200427-0002", + "impact_scope": { + "account_count": 0, + "desktop_count": 0, + "email_address_count": 0, + "entities": [ + { + "id": "5257b401-2fd7-469c-94fa-39a4f11eb925", + "provenance": [ + "Alert" + ], + "related_entities": [ + "CODERED\\\\user" + ], + "related_indicator_id": [ + 1 + ], + "type": "host", + "value": { + "account_value": "user@email.com" + } + } + ], + "server_count": 0 + }, + "indicators": [ + { + "field": "request url", + "filter_id": [ + "f862df72-7f5e-4b2b-9f7f-9148e875f908" + ], + "id": 1, + "provenance": [ + "Alert" + ], + "related_entities": [ + "user@example.com" + ], + "type": "url", + "value": "http://www.example.com/ab001.zip" + } + ], + "investigation_status": "New", + "matched_rule": [ + { + "filter": [ + { + "date": "2019-08-02T04:00:01.000Z", + "events": [ + { + "date": "2019-08-02T04:00:01.000Z", + "type": "TELEMETRY_REGISTRY", + "uuid": "fa9ff47c-e1b8-459e-a3d0-a5b104b854a5" + } + ], + "id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e", + "mitre_technique_id": [ + "T1192" + ], + "name": "(T1192) Spearphishing Link" + } + ], + "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b", + "name": "Possible SpearPhishing Email" + } + ], + "model": "Possible APT Attack", + "schema_version": "1.0", + "score": 63, + "severity": "critical", + "workbench_link": "https://THE_WORKBENCH_URL" + } + }, + "url": { + "original": "https://THE_WORKBENCH_URL", + "scheme": "https" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Log offset | long | +| related.ip | All of the IPs seen on your event. | ip | +| tags | List of keywords used to tag each event. | keyword | +| trend_micro_vision_one.alert.alert_provider | Alert provider. | keyword | +| trend_micro_vision_one.alert.campaign | An object-ref to a campaign object. | keyword | +| trend_micro_vision_one.alert.created_by | Created by. | keyword | +| trend_micro_vision_one.alert.created_date | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) that indicates the created date time of the alert. | date | +| trend_micro_vision_one.alert.description | Description of the detection model that triggered the alert. | keyword | +| trend_micro_vision_one.alert.id | Workbench ID. | keyword | +| trend_micro_vision_one.alert.impact_scope.account_count | Count of affected account. | long | +| trend_micro_vision_one.alert.impact_scope.desktop_count | Count of affected desktop. | long | +| trend_micro_vision_one.alert.impact_scope.email_address_count | Count of affected email address. | long | +| trend_micro_vision_one.alert.impact_scope.entities.value.account_value | Account or emailAddress. | keyword | +| trend_micro_vision_one.alert.impact_scope.entities.value.guid | GUID. | keyword | +| trend_micro_vision_one.alert.impact_scope.entities.value.id | Impact scope entity id. | keyword | +| trend_micro_vision_one.alert.impact_scope.entities.value.ips | Set of IPs. | ip | +| trend_micro_vision_one.alert.impact_scope.entities.value.name | Host name. | keyword | +| trend_micro_vision_one.alert.impact_scope.entities.value.related_entities | Related entities. | keyword | +| trend_micro_vision_one.alert.impact_scope.entities.value.related_indicator_id | Related indicator ids. | long | +| trend_micro_vision_one.alert.impact_scope.entities.value.type | Impact scope entity type. | keyword | +| trend_micro_vision_one.alert.impact_scope.server_count | Count of affected server. | long | +| trend_micro_vision_one.alert.indicators.field | Detailed description of the indicator. | keyword | +| trend_micro_vision_one.alert.indicators.filter_id | Related matched filter ids. | keyword | +| trend_micro_vision_one.alert.indicators.first_seen_date | First seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date | +| trend_micro_vision_one.alert.indicators.id | Indicator ID. | keyword | +| trend_micro_vision_one.alert.indicators.last_seen_date | Last seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date | +| trend_micro_vision_one.alert.indicators.matched_indicator.pattern_id | Matched indicator pattern ids. | keyword | +| trend_micro_vision_one.alert.indicators.provenance | Provenance. | keyword | +| trend_micro_vision_one.alert.indicators.related_entities | Related entities. | keyword | +| trend_micro_vision_one.alert.indicators.type | Indicator type. | keyword | +| trend_micro_vision_one.alert.indicators.value | Indicator value. | keyword | +| trend_micro_vision_one.alert.industry | Industry. | keyword | +| trend_micro_vision_one.alert.investigation_status | Workbench alert status. | keyword | +| trend_micro_vision_one.alert.matched_indicator_count | Matched indicator pattern count. | long | +| trend_micro_vision_one.alert.matched_indicators_pattern.id | Pattern ID. | keyword | +| trend_micro_vision_one.alert.matched_indicators_pattern.matched_log | Pattern matched log. | keyword | +| trend_micro_vision_one.alert.matched_indicators_pattern.pattern | STIX indicator will be a pattern. | keyword | +| trend_micro_vision_one.alert.matched_indicators_pattern.tags | Tags defined by STIX. | keyword | +| trend_micro_vision_one.alert.matched_rule.filter.date | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date | +| trend_micro_vision_one.alert.matched_rule.filter.events.date | Matched event date. | date | +| trend_micro_vision_one.alert.matched_rule.filter.events.event_uuid | Matched event uuid. | keyword | +| trend_micro_vision_one.alert.matched_rule.filter.id | Matched filter id. | keyword | +| trend_micro_vision_one.alert.matched_rule.filter.mitre_technique_id | Mitre technique id. | keyword | +| trend_micro_vision_one.alert.matched_rule.filter.name | Filter name. | keyword | +| trend_micro_vision_one.alert.matched_rule.id | The rules are triggered. | keyword | +| trend_micro_vision_one.alert.matched_rule.name | Matched rule name. | keyword | +| trend_micro_vision_one.alert.model | Name of the detection model that triggered the alert. | keyword | +| trend_micro_vision_one.alert.region_and_country | region/country. | keyword | +| trend_micro_vision_one.alert.report_link | A refrerence url which links to the report details analysis. For TrendMico research report, the link would link to trend blog. | keyword | +| trend_micro_vision_one.alert.schema_version | The version of the JSON schema, not the version of alert trigger content. | keyword | +| trend_micro_vision_one.alert.score | Overall severity assigned to the alert based on the severity of the matched detection model and the impact scope. | long | +| trend_micro_vision_one.alert.severity | Workbench alert severity. | keyword | +| trend_micro_vision_one.alert.total_indicator_count | Total indicator pattern count. | long | +| trend_micro_vision_one.alert.workbench_link | Workbench URL. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | + + +### audit + +This is the `audit` dataset. + +#### Example + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2022-02-24T07:29:48.000Z", + "agent": { + "ephemeral_id": "804f8045-e600-48a3-85fc-958312d96c71", + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.0" + }, + "data_stream": { + "dataset": "trend_micro_vision_one.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", + "snapshot": false, + "version": "8.4.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "authentication" + ], + "created": "2022-09-30T11:51:11.031Z", + "dataset": "trend_micro_vision_one.audit", + "ingested": "2022-09-30T11:51:14Z", + "kind": "event", + "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", + "outcome": "failure", + "type": [ + "info" + ] + }, + "input": { + "type": "httpjson" + }, + "related": { + "user": [ + "Root Account" + ] + }, + "source": { + "user": { + "name": "Root Account", + "roles": "Master Administrator" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "trend_micro_vision_one-audit" + ], + "trend_micro_vision_one": { + "audit": { + "access_type": "Console", + "activity": "string", + "category": "Logon and Logoff", + "details": { + "property1": "string", + "property2": "string" + }, + "logged_role": "Master Administrator", + "logged_user": "Root Account", + "result": "Unsuccessful" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| source.user.roles | Array of user roles at the time of the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| trend_micro_vision_one.audit.access_type | Source of the activity. | keyword | +| trend_micro_vision_one.audit.activity | The activity that was performed. | keyword | +| trend_micro_vision_one.audit.category | Category. | keyword | +| trend_micro_vision_one.audit.details | Object that contains a list of elements to be retrieved from the "details" field. | flattened | +| trend_micro_vision_one.audit.logged_role | Role of the account. | keyword | +| trend_micro_vision_one.audit.logged_user | The account that was used to perform the activity. | keyword | +| trend_micro_vision_one.audit.result | Result. | keyword | + + +### detection + +This is the `detection` dataset. + +#### Example + +An example event for `detection` looks as following: + +```json +{ + "@timestamp": "2020-10-15T01:16:32.000Z", + "agent": { + "ephemeral_id": "c1aa9508-1cfd-4e4e-892e-6537d5fd053d", + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.0" + }, + "data_stream": { + "dataset": "trend_micro_vision_one.detection", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "domain": "Workgroup", + "ip": [ + "81.2.69.142" + ], + "port": 53 + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", + "snapshot": false, + "version": "8.4.0" + }, + "event": { + "action": "clean", + "agent_id_status": "verified", + "category": [ + "intrusion_detection" + ], + "created": "2022-09-30T11:51:54.629Z", + "dataset": "trend_micro_vision_one.detection", + "id": "100117", + "ingested": "2022-09-30T11:51:58Z", + "kind": "event", + "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", + "severity": 50, + "type": [ + "info" + ] + }, + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "name": [ + "Unconfirmed 145081.crdownload" + ], + "path": "/etc/systemd/system/snap-xxxx-1246.xxxx", + "size": 0 + }, + "host": { + "hostname": "samplehost", + "id": "1234-1234-1234", + "ip": [ + "81.2.69.142" + ], + "mac": "00-00-5E-00-53-23", + "name": "abc-docker" + }, + "http": { + "request": { + "referrer": "http://www.example.com/" + } + }, + "input": { + "type": "httpjson" + }, + "network": { + "direction": "outbound", + "protocol": "http" + }, + "observer": { + "hostname": "samplehost", + "mac": "00-00-5E-00-53-23" + }, + "process": { + "command_line": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", + "name": "string", + "pid": 0 + }, + "related": { + "hash": [ + "761AEFF7E6B110970285B9C20C9E1DCA", + "00496B4D53CEFE031B9702B3385C9F4430999932", + "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7", + "3395856ce81f2b7382dee72602f798b642f14140" + ], + "hosts": [ + "samplehost", + "abc-docker" + ], + "ip": [ + "81.2.69.142", + "81.2.69.192" + ] + }, + "source": { + "ip": "81.2.69.192", + "port": 58871 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "trend_micro_vision_one-detection" + ], + "threat": { + "tactic": { + "id": [ + "TA0005" + ] + } + }, + "trend_micro_vision_one": { + "detection": { + "action": "Clean", + "action_result": "Quarantined successfully", + "behavior_category": "Grey-Detection", + "block": "Web reputation", + "client_flag": "dst", + "component_version": [ + "PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00" + ], + "compressed_file_size": 0, + "destination": { + "ip": [ + "81.2.69.142" + ], + "ip_group": "Default", + "port": 53 + }, + "detection": "Yes", + "detection_source": "GLOBAL_INTELLIGENCE", + "detection_type": "File", + "device": { + "direction": "outbound", + "guid": "C5B09EDD-C725-907F-29D9-B8C30D18C48F", + "host": "samplehost", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "81.2.69.192" + ], + "mac": "00-00-5E-00-53-23", + "process_name": "/snap/core/10126/usr/lib/snapd/snapd" + }, + "domain": { + "name": "Workgroup" + }, + "end_time": "2021-09-30T17:40:04.000Z", + "endpoint": { + "guid": "1234-1234-1234", + "hostname": "abc-docker", + "ip": [ + "81.2.69.142" + ], + "mac": "00-00-5E-00-53-23" + }, + "engine_type": "Virus Scan Engine (OS 2003, x64)", + "engine_version": "12.500.1004", + "event_id": "100117", + "event_name": "INTEGRITY_MONITORING_EVENT", + "event_time_dt": "2021-06-10T01:38:38.000Z", + "file_hash": "3395856ce81f2b7382dee72602f798b642f14140", + "file_name": [ + "Unconfirmed 145081.crdownload" + ], + "file_operation": "Deleted", + "file_path": "/etc/systemd/system", + "file_path_name": "/etc/systemd/system/snap-xxxx-1246.xxxx", + "file_size": 0, + "first_action": "Clean", + "first_action_result": "Unable to clean file", + "full_path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 145081.crdownload", + "hostname": "samplehost", + "http_referer": "http://www.example.com/", + "interested": { + "host": "abc-docker", + "ip": [ + "81.2.69.192" + ], + "mac": "00-00-5E-00-53-23" + }, + "malware_name": "Eicar_test_1", + "malware_type": "Virus/Malware", + "mproduct": { + "name": "Cloud One - Workload Security", + "version": "Deep Security/20.0.222" + }, + "object": { + "cmd": [ + "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe --profile-directory=Default" + ], + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "name": "Unconfirmed 142899.crdownload:SmartScreen", + "path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 142899.crdownload:SmartScreen" + }, + "name": "CloudEndpointService.exe", + "pid": 7660, + "signer": [ + "OS" + ] + }, + "parent": { + "cmd": "C:\\\\os\\\\system32\\\\svchost.exe -k DcomLaunch -p", + "file": { + "hash": { + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "path": "C:\\\\os\\\\System32\\\\svchost.exe" + } + }, + "peer": { + "host": "samplehost", + "ip": [ + "81.2.69.192" + ] + }, + "process": { + "cmd": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "path": "C:\\\\Program Files (x86)\\\\os\\\\Application\\\\msedge.exe" + }, + "name": "string", + "pid": 0, + "signer": "OS Publisher" + }, + "product": { + "code": "sao", + "name": "Apex One", + "version": "20.0.0.877" + }, + "protocol": "HTTP", + "protocol_group": "HTTP", + "related_apt": false, + "request": "https://example.com", + "request_client_application": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", + "risk_level": 3, + "rt": "2020-10-15T01:16:32.000Z", + "rt_utc": "2020-10-15T01:16:32.000Z", + "search_data_lake": "DDL", + "security_analytics": { + "engine": { + "name": [ + "T1090 (TA0005)" + ], + "version": "v6" + } + }, + "severity_level": 50, + "source": { + "group": "Default", + "ip": "81.2.69.192", + "port": 58871 + }, + "sub_name": "Attack Discovery", + "tactic_id": [ + "TA0005" + ], + "tags": [ + "XSAE.F2140", + "XSAE.F3066" + ], + "threat_name": "Malicious_identified_CnC_querying_on_UDP_detected", + "total_count": 1, + "uuid": "1234-1234-1234" + } + }, + "url": { + "domain": "example.com", + "original": "https://example.com", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Mobile Safari", + "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", + "os": { + "full": "iOS 12.1", + "name": "iOS", + "version": "12.1" + }, + "version": "12.0" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| os.name | Operating system name, without the version. | keyword | +| os.name.text | Multi-field of `os.name`. | match_only_text | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| trend_micro_vision_one.detection.action | Action by detect product. | keyword | +| trend_micro_vision_one.detection.action_result | Action result by detect product. | keyword | +| trend_micro_vision_one.detection.aggregated_count | Aggregated count. | long | +| trend_micro_vision_one.detection.behavior_category | The matched policy category (policy section) in the BM patterns, which will always Grey-Detection here. | keyword | +| trend_micro_vision_one.detection.block | blocking Reason. | keyword | +| trend_micro_vision_one.detection.client_flag | 0:Unknown 1:src 2:dst. | keyword | +| trend_micro_vision_one.detection.client_ip | Client IP. | ip | +| trend_micro_vision_one.detection.component_version | Product component version. | keyword | +| trend_micro_vision_one.detection.compressed_file_size | File size after compressed. | long | +| trend_micro_vision_one.detection.destination.ip | Destination IP address. | ip | +| trend_micro_vision_one.detection.destination.ip_group | Destination IP address group. | keyword | +| trend_micro_vision_one.detection.destination.port | Destination port. | long | +| trend_micro_vision_one.detection.detection | Yes (Tag it when it appears and the value is 1). | keyword | +| trend_micro_vision_one.detection.detection_source | Detection source use by Deep Discovery Inspector. | keyword | +| trend_micro_vision_one.detection.detection_type | Product detection type. | keyword | +| trend_micro_vision_one.detection.device.direction | 0: inbound 1: outbound 2: unknown (If cannot be parsed correctly, 2 is assigned). | keyword | +| trend_micro_vision_one.detection.device.guid | Device GUID. | keyword | +| trend_micro_vision_one.detection.device.host | device host. | keyword | +| trend_micro_vision_one.detection.device.id | Device identity. | keyword | +| trend_micro_vision_one.detection.device.ip | Devices ip list. | ip | +| trend_micro_vision_one.detection.device.mac | Mac address. | keyword | +| trend_micro_vision_one.detection.device.process_name | Process name in device. | keyword | +| trend_micro_vision_one.detection.domain.name | Domain name. | keyword | +| trend_micro_vision_one.detection.end_time | End time. | date | +| trend_micro_vision_one.detection.endpoint.guid | endpoint GUID for identity. | keyword | +| trend_micro_vision_one.detection.endpoint.hostname | Hostname of the endpoint on which the event was generated. | keyword | +| trend_micro_vision_one.detection.endpoint.ip | Endpoint IP address list. | ip | +| trend_micro_vision_one.detection.endpoint.mac | Endpoint Mac address. | keyword | +| trend_micro_vision_one.detection.engine_type | Product scan engine type. | keyword | +| trend_micro_vision_one.detection.engine_version | Product scan engine version. | keyword | +| trend_micro_vision_one.detection.event_id | Event ID. | keyword | +| trend_micro_vision_one.detection.event_name | Predefined event enumerator. | keyword | +| trend_micro_vision_one.detection.event_time_dt | Detect time. | date | +| trend_micro_vision_one.detection.file_hash | Detect file hash value. | keyword | +| trend_micro_vision_one.detection.file_name | Detect file name. | keyword | +| trend_micro_vision_one.detection.file_operation | Operation for detect file. | keyword | +| trend_micro_vision_one.detection.file_path | Full file path without file name. | keyword | +| trend_micro_vision_one.detection.file_path_name | Full file path. | keyword | +| trend_micro_vision_one.detection.file_size | Detect file size. | long | +| trend_micro_vision_one.detection.file_type | Detect file type. | keyword | +| trend_micro_vision_one.detection.first_action | First action. | keyword | +| trend_micro_vision_one.detection.first_action_result | First action result. | keyword | +| trend_micro_vision_one.detection.full_path | File full path. | keyword | +| trend_micro_vision_one.detection.hostname | host name. | keyword | +| trend_micro_vision_one.detection.http_referer | http referer url. | keyword | +| trend_micro_vision_one.detection.interested.host | Highlighted indicator for incident response members. | keyword | +| trend_micro_vision_one.detection.interested.ip | Highlighted indicator for incident response members. | ip | +| trend_micro_vision_one.detection.interested.mac | Highlighted indicator for incident response members. | keyword | +| trend_micro_vision_one.detection.malware_name | Malware name. | keyword | +| trend_micro_vision_one.detection.malware_type | Malware type. | keyword | +| trend_micro_vision_one.detection.mime_type | Mime type. | keyword | +| trend_micro_vision_one.detection.mproduct.name | Product name. | keyword | +| trend_micro_vision_one.detection.mproduct.version | Product Version. | keyword | +| trend_micro_vision_one.detection.object.cmd | The command line that a process detected by Attack Discovery uses to execute other processes. | keyword | +| trend_micro_vision_one.detection.object.file.hash.md5 | File Hash Md5 value. | keyword | +| trend_micro_vision_one.detection.object.file.hash.sha1 | File Hash Sha1 value. | keyword | +| trend_micro_vision_one.detection.object.file.hash.sha256 | File Hash Sha256 value. | keyword | +| trend_micro_vision_one.detection.object.file.name | File name. | keyword | +| trend_micro_vision_one.detection.object.file.path | File path. | keyword | +| trend_micro_vision_one.detection.object.name | Detect object name. | keyword | +| trend_micro_vision_one.detection.object.pid | Detect object Pid. | long | +| trend_micro_vision_one.detection.object.signer | Signer. | keyword | +| trend_micro_vision_one.detection.os.name | Supported values: Linux, Windows, macOS, macOSX. | keyword | +| trend_micro_vision_one.detection.parent.cmd | The command line that parent process. | keyword | +| trend_micro_vision_one.detection.parent.file.hash.sha1 | Parent file sha1. | keyword | +| trend_micro_vision_one.detection.parent.file.hash.sha256 | Parent file sha256. | keyword | +| trend_micro_vision_one.detection.parent.file.path | Parent file path. | keyword | +| trend_micro_vision_one.detection.peer.host | Peer host name. | keyword | +| trend_micro_vision_one.detection.peer.ip | Peer ip list. | ip | +| trend_micro_vision_one.detection.policy.logkey | Policy logkey. | keyword | +| trend_micro_vision_one.detection.policy.name | Policy name. | keyword | +| trend_micro_vision_one.detection.policy.uuid | Policy uuid. | keyword | +| trend_micro_vision_one.detection.principal_name | Principal name. | keyword | +| trend_micro_vision_one.detection.process.cmd | The command line used to launch this process. | keyword | +| trend_micro_vision_one.detection.process.file.hash.md5 | Process file hash MD5 value. | keyword | +| trend_micro_vision_one.detection.process.file.hash.sha1 | Process file hash Sha1 value. | keyword | +| trend_micro_vision_one.detection.process.file.hash.sha256 | Process file hash Sha256 value. | keyword | +| trend_micro_vision_one.detection.process.file.path | The process file path. | keyword | +| trend_micro_vision_one.detection.process.name | Process name. | keyword | +| trend_micro_vision_one.detection.process.pid | Process Pid. | long | +| trend_micro_vision_one.detection.process.signer | Process signer. | keyword | +| trend_micro_vision_one.detection.product.code | Product code name. | keyword | +| trend_micro_vision_one.detection.product.name | product name. | keyword | +| trend_micro_vision_one.detection.product.version | Product version. | keyword | +| trend_micro_vision_one.detection.profile | Profile | keyword | +| trend_micro_vision_one.detection.protocol | Protocol detect by Deep Discovery Inspector. | keyword | +| trend_micro_vision_one.detection.protocol_group | Protocol group detect by Deep Discovery Inspector. | keyword | +| trend_micro_vision_one.detection.related_apt | 0:False, 1:True. | boolean | +| trend_micro_vision_one.detection.request | URL. | keyword | +| trend_micro_vision_one.detection.request_base | Request base. | keyword | +| trend_micro_vision_one.detection.request_client_application | Browser user agent. | keyword | +| trend_micro_vision_one.detection.risk_level | SLF_CCCA_RISKLEVEL_UNKNOWN (0) SLF_CCCA_RISKLEVEL_LOW (1) SLF_CCCA_RISKLEVEL_MEDIUM (2) SLF_CCCA_RISKLEVEL_HIGH (3). | long | +| trend_micro_vision_one.detection.rt | Detect time. | date | +| trend_micro_vision_one.detection.rt_utc | Detect utc time. | date | +| trend_micro_vision_one.detection.search_data_lake | Datalake name. | keyword | +| trend_micro_vision_one.detection.security_analytics.engine.name | Security Analytics Engine. | keyword | +| trend_micro_vision_one.detection.security_analytics.engine.version | Security Analytics Engine version. | keyword | +| trend_micro_vision_one.detection.sender | Sender. | keyword | +| trend_micro_vision_one.detection.severity_level | severity score. | long | +| trend_micro_vision_one.detection.source.group | Source IP address group. | keyword | +| trend_micro_vision_one.detection.source.ip | Source IP address. | ip | +| trend_micro_vision_one.detection.source.port | Source port. | long | +| trend_micro_vision_one.detection.sub_name | Detect event subscribe name. | keyword | +| trend_micro_vision_one.detection.suid | Suid. | keyword | +| trend_micro_vision_one.detection.tactic_id | Security Agent or product policy. | keyword | +| trend_micro_vision_one.detection.tags | Detected by Security Analytics Engine filters. | keyword | +| trend_micro_vision_one.detection.threat_name | Threat name. | keyword | +| trend_micro_vision_one.detection.total_count | total count. | long | +| trend_micro_vision_one.detection.url_cat | URL cat. | keyword | +| trend_micro_vision_one.detection.user.domain | User domain. | keyword | +| trend_micro_vision_one.detection.uuid | Log unique id. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + diff --git a/packages/trend_micro_vision_one/img/trend-micro-vision-one-alert-dashboard-screenshot.png b/packages/trend_micro_vision_one/img/trend-micro-vision-one-alert-dashboard-screenshot.png new file mode 100644 index 00000000000..63b9e5bb62e Binary files /dev/null and b/packages/trend_micro_vision_one/img/trend-micro-vision-one-alert-dashboard-screenshot.png differ diff --git a/packages/trend_micro_vision_one/img/trend-micro-vision-one-api-token-generate.png b/packages/trend_micro_vision_one/img/trend-micro-vision-one-api-token-generate.png new file mode 100644 index 00000000000..9a4f51d9863 Binary files /dev/null and b/packages/trend_micro_vision_one/img/trend-micro-vision-one-api-token-generate.png differ diff --git a/packages/trend_micro_vision_one/img/trend-micro-vision-one-console.png b/packages/trend_micro_vision_one/img/trend-micro-vision-one-console.png new file mode 100644 index 00000000000..901c0c133d3 Binary files /dev/null and b/packages/trend_micro_vision_one/img/trend-micro-vision-one-console.png differ diff --git a/packages/trend_micro_vision_one/img/trend-micro-vision-one-logo.svg b/packages/trend_micro_vision_one/img/trend-micro-vision-one-logo.svg new file mode 100644 index 00000000000..9490d7a7479 --- /dev/null +++ b/packages/trend_micro_vision_one/img/trend-micro-vision-one-logo.svg @@ -0,0 +1,389 @@ + + + + diff --git a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json new file mode 100644 index 00000000000..bba9295fca9 --- /dev/null +++ b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json @@ -0,0 +1,418 @@ +{ + "attributes": { + "description": "Trend Micro Vision One Audit Events Overview.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.audit\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9fa43e27-f7bd-4f0f-b7d2-08955609a472", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "9fa43e27-f7bd-4f0f-b7d2-08955609a472": { + "columnOrder": [ + "d8a8e1d7-1241-4a70-85e3-382db7b4fa21", + "bda61ee5-a14d-4864-ba26-d3e0394c63ad" + ], + "columns": { + "bda61ee5-a14d-4864-ba26-d3e0394c63ad": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d8a8e1d7-1241-4a70-85e3-382db7b4fa21": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Result", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "bda61ee5-a14d-4864-ba26-d3e0394c63ad", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.audit.result" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.audit\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "d8a8e1d7-1241-4a70-85e3-382db7b4fa21" + ], + "layerId": "9fa43e27-f7bd-4f0f-b7d2-08955609a472", + "layerType": "data", + "legendDisplay": "default", + "metric": "bda61ee5-a14d-4864-ba26-d3e0394c63ad", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "e3b9ed00-b61a-4e71-9144-d92505d7eaf9", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "e3b9ed00-b61a-4e71-9144-d92505d7eaf9", + "title": "Distribution of Audit by Result [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a5dfde98-4b93-4c4c-93c1-70043ff2502f", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "a5dfde98-4b93-4c4c-93c1-70043ff2502f": { + "columnOrder": [ + "3dae7a26-68d9-484c-8d34-c19f2b279979", + "1447642a-b455-4a1e-a425-568a15593cc3" + ], + "columns": { + "1447642a-b455-4a1e-a425-568a15593cc3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "3dae7a26-68d9-484c-8d34-c19f2b279979": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Access Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1447642a-b455-4a1e-a425-568a15593cc3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.audit.access_type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.audit\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "3dae7a26-68d9-484c-8d34-c19f2b279979" + ], + "layerId": "a5dfde98-4b93-4c4c-93c1-70043ff2502f", + "layerType": "data", + "legendDisplay": "default", + "metric": "1447642a-b455-4a1e-a425-568a15593cc3", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "984d6a97-d668-4f4f-8750-679983971d4c", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "984d6a97-d668-4f4f-8750-679983971d4c", + "title": "Distribution of Audit by Access Type [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-897f370a-3c32-469f-bfc2-74613384ef81", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "897f370a-3c32-469f-bfc2-74613384ef81": { + "columnOrder": [ + "fcd42d60-5fd5-4eda-98b3-fec2247b30ff", + "9f43b7e2-6213-44d3-85e1-c001f901b2b9" + ], + "columns": { + "9f43b7e2-6213-44d3-85e1-c001f901b2b9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "fcd42d60-5fd5-4eda-98b3-fec2247b30ff": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9f43b7e2-6213-44d3-85e1-c001f901b2b9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.audit.category" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.audit\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "9f43b7e2-6213-44d3-85e1-c001f901b2b9" + ], + "layerId": "897f370a-3c32-469f-bfc2-74613384ef81", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "fcd42d60-5fd5-4eda-98b3-fec2247b30ff" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c04c566d-1863-49ab-9bc1-74ad66d40666", + "w": 48, + "x": 0, + "y": 15 + }, + "panelIndex": "c04c566d-1863-49ab-9bc1-74ad66d40666", + "title": "Distribution of Audit by Category [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "85e7772a-687e-4f8e-8808-f6bdc6f9a538", + "w": 48, + "x": 0, + "y": 30 + }, + "panelIndex": "85e7772a-687e-4f8e-8808-f6bdc6f9a538", + "panelRefName": "panel_85e7772a-687e-4f8e-8808-f6bdc6f9a538", + "type": "search", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Trend Micro Vision One] Audit", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "e3b9ed00-b61a-4e71-9144-d92505d7eaf9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e3b9ed00-b61a-4e71-9144-d92505d7eaf9:indexpattern-datasource-layer-9fa43e27-f7bd-4f0f-b7d2-08955609a472", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "984d6a97-d668-4f4f-8750-679983971d4c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "984d6a97-d668-4f4f-8750-679983971d4c:indexpattern-datasource-layer-a5dfde98-4b93-4c4c-93c1-70043ff2502f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c04c566d-1863-49ab-9bc1-74ad66d40666:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c04c566d-1863-49ab-9bc1-74ad66d40666:indexpattern-datasource-layer-897f370a-3c32-469f-bfc2-74613384ef81", + "type": "index-pattern" + }, + { + "id": "trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89", + "name": "85e7772a-687e-4f8e-8808-f6bdc6f9a538:panel_85e7772a-687e-4f8e-8808-f6bdc6f9a538", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json new file mode 100644 index 00000000000..db3e979cc2a --- /dev/null +++ b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json @@ -0,0 +1,1713 @@ +{ + "attributes": { + "description": "Trend Micro Vision One Detection Events Overview.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ab62783e-8f90-4ed1-aaa2-0986490650ff", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ab62783e-8f90-4ed1-aaa2-0986490650ff": { + "columnOrder": [ + "78014197-8878-4d6a-9820-cbc319572497", + "4fbc0f3c-b645-4cfd-a340-3cda49fce133" + ], + "columns": { + "4fbc0f3c-b645-4cfd-a340-3cda49fce133": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "78014197-8878-4d6a-9820-cbc319572497": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Blocking Reason", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4fbc0f3c-b645-4cfd-a340-3cda49fce133", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.block" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "4fbc0f3c-b645-4cfd-a340-3cda49fce133" + ], + "layerId": "ab62783e-8f90-4ed1-aaa2-0986490650ff", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "78014197-8878-4d6a-9820-cbc319572497" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "d62e0e2a-b417-4ab6-a0b2-b7d2b6b3d037", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "d62e0e2a-b417-4ab6-a0b2-b7d2b6b3d037", + "title": "Distribution of Detection by Blocking Reason [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-29f50e0d-fac2-443c-825c-8eb0c3a714d0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "29f50e0d-fac2-443c-825c-8eb0c3a714d0": { + "columnOrder": [ + "48dd0201-3a46-47ea-b3fc-290d97ec6638", + "5a64df17-5e2d-4d42-b14a-adbb83d76b77" + ], + "columns": { + "48dd0201-3a46-47ea-b3fc-290d97ec6638": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Behavior Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "5a64df17-5e2d-4d42-b14a-adbb83d76b77", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.behavior_category" + }, + "5a64df17-5e2d-4d42-b14a-adbb83d76b77": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "5a64df17-5e2d-4d42-b14a-adbb83d76b77" + ], + "layerId": "29f50e0d-fac2-443c-825c-8eb0c3a714d0", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "48dd0201-3a46-47ea-b3fc-290d97ec6638" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "52f01658-a95d-4f43-8e53-0a2a5acbb875", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "52f01658-a95d-4f43-8e53-0a2a5acbb875", + "title": "Distribution of Detection by Behavior Category [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-49c72f74-21be-4805-9818-62b060da841d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "49c72f74-21be-4805-9818-62b060da841d": { + "columnOrder": [ + "05971311-2b03-416e-b137-6570c146adf1", + "a2bbe427-42ce-4604-b8fe-4b5bd3e198d7" + ], + "columns": { + "05971311-2b03-416e-b137-6570c146adf1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Network Direction", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a2bbe427-42ce-4604-b8fe-4b5bd3e198d7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "network.direction" + }, + "a2bbe427-42ce-4604-b8fe-4b5bd3e198d7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "05971311-2b03-416e-b137-6570c146adf1" + ], + "layerId": "49c72f74-21be-4805-9818-62b060da841d", + "layerType": "data", + "legendDisplay": "default", + "metric": "a2bbe427-42ce-4604-b8fe-4b5bd3e198d7", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "58a6256c-8b28-43db-86c2-3359cef9ab44", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "58a6256c-8b28-43db-86c2-3359cef9ab44", + "title": "Distribution of Detection by Device Direction [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f691f89d-3522-4220-a870-93486224b466", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f691f89d-3522-4220-a870-93486224b466": { + "columnOrder": [ + "b1c380a4-c9bd-4033-a33d-90d729de1655", + "c85cf4bc-ee58-47d4-b395-0020646923c4" + ], + "columns": { + "b1c380a4-c9bd-4033-a33d-90d729de1655": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Protocol", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c85cf4bc-ee58-47d4-b395-0020646923c4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "network.protocol" + }, + "c85cf4bc-ee58-47d4-b395-0020646923c4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "b1c380a4-c9bd-4033-a33d-90d729de1655" + ], + "layerId": "f691f89d-3522-4220-a870-93486224b466", + "layerType": "data", + "legendDisplay": "default", + "metric": "c85cf4bc-ee58-47d4-b395-0020646923c4", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "6f265958-b714-4af3-8479-6a71792ab6e8", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "6f265958-b714-4af3-8479-6a71792ab6e8", + "title": "Distribution of Detection by Protocol [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d550744a-88fb-4110-aa6e-7b2c2fa25385", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "d550744a-88fb-4110-aa6e-7b2c2fa25385": { + "columnOrder": [ + "d1db4ae9-f392-4d84-9266-708f312a417d", + "89ecd6cc-d6c0-40fd-b815-ba5dd95df82c" + ], + "columns": { + "89ecd6cc-d6c0-40fd-b815-ba5dd95df82c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d1db4ae9-f392-4d84-9266-708f312a417d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "89ecd6cc-d6c0-40fd-b815-ba5dd95df82c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "columns": [ + { + "columnId": "d1db4ae9-f392-4d84-9266-708f312a417d" + }, + { + "columnId": "89ecd6cc-d6c0-40fd-b815-ba5dd95df82c" + } + ], + "layerId": "d550744a-88fb-4110-aa6e-7b2c2fa25385", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a57572f8-12d9-4d75-a3b7-e592f588881f", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "a57572f8-12d9-4d75-a3b7-e592f588881f", + "title": "Top 10 Action by Detect Product [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-72a2f6df-02ac-4dbc-9852-39e3ba8afa83", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "72a2f6df-02ac-4dbc-9852-39e3ba8afa83": { + "columnOrder": [ + "d963d750-55ea-467b-b420-2ee6f6a40f66", + "d1b13123-1275-49e1-b407-7c58b6a689f3" + ], + "columns": { + "d1b13123-1275-49e1-b407-7c58b6a689f3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d963d750-55ea-467b-b420-2ee6f6a40f66": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Action Result", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d1b13123-1275-49e1-b407-7c58b6a689f3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.action_result" + } + } + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "columns": [ + { + "columnId": "d963d750-55ea-467b-b420-2ee6f6a40f66" + }, + { + "columnId": "d1b13123-1275-49e1-b407-7c58b6a689f3" + } + ], + "layerId": "72a2f6df-02ac-4dbc-9852-39e3ba8afa83", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "30d672ab-9361-421c-be5f-213d76fbe2dd", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "30d672ab-9361-421c-be5f-213d76fbe2dd", + "title": "Top 10 Action Result by Detect Product [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-50f136e8-fe91-4269-bd9b-650c0392557d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "50f136e8-fe91-4269-bd9b-650c0392557d": { + "columnOrder": [ + "e9b0baae-bc82-4535-b30b-9e3d1087bcea", + "72f117ec-bf7f-4b4a-8a46-1e62b9031e00" + ], + "columns": { + "72f117ec-bf7f-4b4a-8a46-1e62b9031e00": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "e9b0baae-bc82-4535-b30b-9e3d1087bcea": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Tags", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "72f117ec-bf7f-4b4a-8a46-1e62b9031e00", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.tags" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "columns": [ + { + "columnId": "e9b0baae-bc82-4535-b30b-9e3d1087bcea", + "isTransposed": false + }, + { + "columnId": "72f117ec-bf7f-4b4a-8a46-1e62b9031e00", + "isTransposed": false + } + ], + "layerId": "50f136e8-fe91-4269-bd9b-650c0392557d", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b7a95a71-0b0a-4377-81eb-9d493e103d14", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "b7a95a71-0b0a-4377-81eb-9d493e103d14", + "title": "Top 10 Detail Tags [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e73c0595-8dfa-4b9d-9af9-da286f0ea969", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "e73c0595-8dfa-4b9d-9af9-da286f0ea969": { + "columnOrder": [ + "02b9468e-18df-4668-af94-216037f15562", + "5b8c77cc-c8bf-406e-9dcc-65861d3fea18" + ], + "columns": { + "02b9468e-18df-4668-af94-216037f15562": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "5b8c77cc-c8bf-406e-9dcc-65861d3fea18", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.threat_name" + }, + "5b8c77cc-c8bf-406e-9dcc-65861d3fea18": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "columns": [ + { + "columnId": "02b9468e-18df-4668-af94-216037f15562" + }, + { + "columnId": "5b8c77cc-c8bf-406e-9dcc-65861d3fea18" + } + ], + "layerId": "e73c0595-8dfa-4b9d-9af9-da286f0ea969", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "0207e0e7-7809-46f9-b26f-0888a3d96d98", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "0207e0e7-7809-46f9-b26f-0888a3d96d98", + "title": "Top 10 Threat Name [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a8599c32-418f-45e0-a013-1d0ef2a030c4", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "a8599c32-418f-45e0-a013-1d0ef2a030c4": { + "columnOrder": [ + "e864022d-8287-42ad-9ab5-4637769a9c71", + "85a7d42c-1431-412c-8497-f9a74a39b1df" + ], + "columns": { + "85a7d42c-1431-412c-8497-f9a74a39b1df": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "e864022d-8287-42ad-9ab5-4637769a9c71": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Detection Source", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "85a7d42c-1431-412c-8497-f9a74a39b1df", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.detection_source" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "85a7d42c-1431-412c-8497-f9a74a39b1df" + ], + "layerId": "a8599c32-418f-45e0-a013-1d0ef2a030c4", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "e864022d-8287-42ad-9ab5-4637769a9c71" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "98acbf97-ec55-474c-b5db-cae2aaed7e14", + "w": 24, + "x": 0, + "y": 60 + }, + "panelIndex": "98acbf97-ec55-474c-b5db-cae2aaed7e14", + "title": "Distribution of Detection by Detection Source [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bd766933-cdfd-4c87-ab55-3e994a2fe44e", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "bd766933-cdfd-4c87-ab55-3e994a2fe44e": { + "columnOrder": [ + "7e6beac1-f7da-41db-91a7-31d58a221a61", + "4ca7bc27-a9fa-476f-912b-522ed2a46ff3" + ], + "columns": { + "4ca7bc27-a9fa-476f-912b-522ed2a46ff3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "7e6beac1-f7da-41db-91a7-31d58a221a61": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4ca7bc27-a9fa-476f-912b-522ed2a46ff3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "os.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "7e6beac1-f7da-41db-91a7-31d58a221a61" + ], + "layerId": "bd766933-cdfd-4c87-ab55-3e994a2fe44e", + "layerType": "data", + "legendDisplay": "default", + "metric": "4ca7bc27-a9fa-476f-912b-522ed2a46ff3", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c2817d33-dceb-4442-b496-2fef04b7784a", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "c2817d33-dceb-4442-b496-2fef04b7784a", + "title": "Distribution of Detection by OS Name [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-96da828c-adec-4f42-9d21-8e483f024d23", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "96da828c-adec-4f42-9d21-8e483f024d23": { + "columnOrder": [ + "b46706ba-b1dc-45db-af7a-53c85ff142c8", + "5ec5dfed-9b61-4812-b6a1-b166a679630f" + ], + "columns": { + "5ec5dfed-9b61-4812-b6a1-b166a679630f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "b46706ba-b1dc-45db-af7a-53c85ff142c8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Policy Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "5ec5dfed-9b61-4812-b6a1-b166a679630f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.policy.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "columns": [ + { + "columnId": "b46706ba-b1dc-45db-af7a-53c85ff142c8" + }, + { + "columnId": "5ec5dfed-9b61-4812-b6a1-b166a679630f" + } + ], + "layerId": "96da828c-adec-4f42-9d21-8e483f024d23", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "533112ad-9176-45ae-b7e2-f17a052f06b8", + "w": 24, + "x": 0, + "y": 75 + }, + "panelIndex": "533112ad-9176-45ae-b7e2-f17a052f06b8", + "title": "Top 10 Policy Name [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f1c7368e-804d-4324-97e9-f12e0639e9d5", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f1c7368e-804d-4324-97e9-f12e0639e9d5": { + "columnOrder": [ + "0bc965a0-c84f-4dc9-bbcd-a4a52567e52a", + "26e37366-6baa-411b-aa4d-3e1ce4ca5e34" + ], + "columns": { + "0bc965a0-c84f-4dc9-bbcd-a4a52567e52a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "File Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "26e37366-6baa-411b-aa4d-3e1ce4ca5e34", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "file.type" + }, + "26e37366-6baa-411b-aa4d-3e1ce4ca5e34": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "26e37366-6baa-411b-aa4d-3e1ce4ca5e34" + ], + "layerId": "f1c7368e-804d-4324-97e9-f12e0639e9d5", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "0bc965a0-c84f-4dc9-bbcd-a4a52567e52a" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c4b23adc-cfc7-45d5-8330-28788f0d2cf1", + "w": 24, + "x": 24, + "y": 75 + }, + "panelIndex": "c4b23adc-cfc7-45d5-8330-28788f0d2cf1", + "title": "Distribution of Detection by File Type [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4917b550-af61-4625-af61-c9274e27047a", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4917b550-af61-4625-af61-c9274e27047a": { + "columnOrder": [ + "ca6ec33b-2725-4194-b64c-69c605dd34a2", + "a7c8cecb-f044-462f-aed8-549776b43392" + ], + "columns": { + "a7c8cecb-f044-462f-aed8-549776b43392": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "ca6ec33b-2725-4194-b64c-69c605dd34a2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Profile", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a7c8cecb-f044-462f-aed8-549776b43392", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.profile" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "a7c8cecb-f044-462f-aed8-549776b43392" + ], + "layerId": "4917b550-af61-4625-af61-c9274e27047a", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "ca6ec33b-2725-4194-b64c-69c605dd34a2" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a5dca630-9e4d-4782-aeb0-eec9fb3a7fe5", + "w": 24, + "x": 0, + "y": 90 + }, + "panelIndex": "a5dca630-9e4d-4782-aeb0-eec9fb3a7fe5", + "title": "Distribution of Detection by Profile Name [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d691e22d-4da1-4052-99e9-19980d1ad140", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "d691e22d-4da1-4052-99e9-19980d1ad140": { + "columnOrder": [ + "6b9911e7-dc62-4956-a3a1-8faf9e0b38d8", + "7ff5c2fd-ec85-4949-9ce7-899b284d7052" + ], + "columns": { + "6b9911e7-dc62-4956-a3a1-8faf9e0b38d8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sender", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "7ff5c2fd-ec85-4949-9ce7-899b284d7052", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.sender" + }, + "7ff5c2fd-ec85-4949-9ce7-899b284d7052": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "columns": [ + { + "columnId": "6b9911e7-dc62-4956-a3a1-8faf9e0b38d8" + }, + { + "columnId": "7ff5c2fd-ec85-4949-9ce7-899b284d7052" + } + ], + "layerId": "d691e22d-4da1-4052-99e9-19980d1ad140", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b8ea0d85-673c-4f28-9397-48baf5fd0cb1", + "w": 24, + "x": 24, + "y": 90 + }, + "panelIndex": "b8ea0d85-673c-4f28-9397-48baf5fd0cb1", + "title": "Top 10 Sender Name [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Trend Micro Vision One] Detection", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "d62e0e2a-b417-4ab6-a0b2-b7d2b6b3d037:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d62e0e2a-b417-4ab6-a0b2-b7d2b6b3d037:indexpattern-datasource-layer-ab62783e-8f90-4ed1-aaa2-0986490650ff", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "52f01658-a95d-4f43-8e53-0a2a5acbb875:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "52f01658-a95d-4f43-8e53-0a2a5acbb875:indexpattern-datasource-layer-29f50e0d-fac2-443c-825c-8eb0c3a714d0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58a6256c-8b28-43db-86c2-3359cef9ab44:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58a6256c-8b28-43db-86c2-3359cef9ab44:indexpattern-datasource-layer-49c72f74-21be-4805-9818-62b060da841d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6f265958-b714-4af3-8479-6a71792ab6e8:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6f265958-b714-4af3-8479-6a71792ab6e8:indexpattern-datasource-layer-f691f89d-3522-4220-a870-93486224b466", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a57572f8-12d9-4d75-a3b7-e592f588881f:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a57572f8-12d9-4d75-a3b7-e592f588881f:indexpattern-datasource-layer-d550744a-88fb-4110-aa6e-7b2c2fa25385", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "30d672ab-9361-421c-be5f-213d76fbe2dd:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "30d672ab-9361-421c-be5f-213d76fbe2dd:indexpattern-datasource-layer-72a2f6df-02ac-4dbc-9852-39e3ba8afa83", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7a95a71-0b0a-4377-81eb-9d493e103d14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7a95a71-0b0a-4377-81eb-9d493e103d14:indexpattern-datasource-layer-50f136e8-fe91-4269-bd9b-650c0392557d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0207e0e7-7809-46f9-b26f-0888a3d96d98:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0207e0e7-7809-46f9-b26f-0888a3d96d98:indexpattern-datasource-layer-e73c0595-8dfa-4b9d-9af9-da286f0ea969", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "98acbf97-ec55-474c-b5db-cae2aaed7e14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "98acbf97-ec55-474c-b5db-cae2aaed7e14:indexpattern-datasource-layer-a8599c32-418f-45e0-a013-1d0ef2a030c4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c2817d33-dceb-4442-b496-2fef04b7784a:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c2817d33-dceb-4442-b496-2fef04b7784a:indexpattern-datasource-layer-bd766933-cdfd-4c87-ab55-3e994a2fe44e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "533112ad-9176-45ae-b7e2-f17a052f06b8:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "533112ad-9176-45ae-b7e2-f17a052f06b8:indexpattern-datasource-layer-96da828c-adec-4f42-9d21-8e483f024d23", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c4b23adc-cfc7-45d5-8330-28788f0d2cf1:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c4b23adc-cfc7-45d5-8330-28788f0d2cf1:indexpattern-datasource-layer-f1c7368e-804d-4324-97e9-f12e0639e9d5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a5dca630-9e4d-4782-aeb0-eec9fb3a7fe5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a5dca630-9e4d-4782-aeb0-eec9fb3a7fe5:indexpattern-datasource-layer-4917b550-af61-4625-af61-c9274e27047a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b8ea0d85-673c-4f28-9397-48baf5fd0cb1:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b8ea0d85-673c-4f28-9397-48baf5fd0cb1:indexpattern-datasource-layer-d691e22d-4da1-4052-99e9-19980d1ad140", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json new file mode 100644 index 00000000000..90fbcb7e4c7 --- /dev/null +++ b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json @@ -0,0 +1,748 @@ +{ + "attributes": { + "description": "Trend Micro Vision One Alert Events Overview.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c66b406f-8e28-4d47-9fc4-39b968af345d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c66b406f-8e28-4d47-9fc4-39b968af345d": { + "columnOrder": [ + "f8fe0e4c-a495-4e43-9d53-c1d67a1af7d6", + "e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea" + ], + "columns": { + "e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "f8fe0e4c-a495-4e43-9d53-c1d67a1af7d6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "log.level" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "f8fe0e4c-a495-4e43-9d53-c1d67a1af7d6" + ], + "layerId": "c66b406f-8e28-4d47-9fc4-39b968af345d", + "layerType": "data", + "legendDisplay": "default", + "metric": "e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "04cd99db-4dd5-4eca-ab0a-f922068c9a25", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "04cd99db-4dd5-4eca-ab0a-f922068c9a25", + "title": "Distribution of Alert by Severity [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-93eb5209-5e6d-4079-a4a1-2bfab8dd99df", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "93eb5209-5e6d-4079-a4a1-2bfab8dd99df": { + "columnOrder": [ + "58ad7a12-5367-4cb6-8a1c-89b678df8266", + "c4ac9c4a-bc44-4309-9279-779185b07336" + ], + "columns": { + "58ad7a12-5367-4cb6-8a1c-89b678df8266": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "c4ac9c4a-bc44-4309-9279-779185b07336": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Score", + "operationType": "median", + "scale": "ratio", + "sourceField": "event.severity" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c4ac9c4a-bc44-4309-9279-779185b07336" + ], + "layerId": "93eb5209-5e6d-4079-a4a1-2bfab8dd99df", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "58ad7a12-5367-4cb6-8a1c-89b678df8266" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "db54892f-8ac3-49ed-9ec3-7cfe7648f646", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "db54892f-8ac3-49ed-9ec3-7cfe7648f646", + "title": "Trend of Alert Score Over Time [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ac7eae8e-47b7-494d-aa59-23badf3efe0f", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ac7eae8e-47b7-494d-aa59-23badf3efe0f": { + "columnOrder": [ + "1a94ba46-8da2-4c13-86ae-6f0217196e37", + "896c9e40-e894-44bd-95cf-8098f7a30f3d" + ], + "columns": { + "1a94ba46-8da2-4c13-86ae-6f0217196e37": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Investigation Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "896c9e40-e894-44bd-95cf-8098f7a30f3d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.alert.investigation_status" + }, + "896c9e40-e894-44bd-95cf-8098f7a30f3d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "1a94ba46-8da2-4c13-86ae-6f0217196e37" + ], + "layerId": "ac7eae8e-47b7-494d-aa59-23badf3efe0f", + "layerType": "data", + "legendDisplay": "default", + "metric": "896c9e40-e894-44bd-95cf-8098f7a30f3d", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "123f8240-4cc6-4003-83af-43553d428928", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "123f8240-4cc6-4003-83af-43553d428928", + "title": "Distribution of Alert by Investigation Status [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4d3824b7-1c3f-44cd-b84d-88552f0eff69", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4d3824b7-1c3f-44cd-b84d-88552f0eff69": { + "columnOrder": [ + "1ad9ba6d-9cb3-4330-801c-f956897bcafa", + "0b3248dd-237b-4f84-badb-d179a9e76f4f" + ], + "columns": { + "0b3248dd-237b-4f84-badb-d179a9e76f4f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "1ad9ba6d-9cb3-4330-801c-f956897bcafa": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Entity Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0b3248dd-237b-4f84-badb-d179a9e76f4f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.alert.impact_scope.entities.type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "1ad9ba6d-9cb3-4330-801c-f956897bcafa" + ], + "layerId": "4d3824b7-1c3f-44cd-b84d-88552f0eff69", + "layerType": "data", + "legendDisplay": "default", + "metric": "0b3248dd-237b-4f84-badb-d179a9e76f4f", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "dee1cbd0-6143-4245-ab3f-b8cd4022e67e", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "dee1cbd0-6143-4245-ab3f-b8cd4022e67e", + "title": "Distribution of Alert by Entity Type [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-464ea482-63a1-4427-8f9c-224e693d4ffc", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "464ea482-63a1-4427-8f9c-224e693d4ffc": { + "columnOrder": [ + "d3f7e999-2c6b-4b3f-bbca-72ec716b4285", + "6c73fc78-7633-468b-9018-96c35a90e619" + ], + "columns": { + "6c73fc78-7633-468b-9018-96c35a90e619": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d3f7e999-2c6b-4b3f-bbca-72ec716b4285": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Indicator Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "6c73fc78-7633-468b-9018-96c35a90e619", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.alert.indicators.type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "6c73fc78-7633-468b-9018-96c35a90e619" + ], + "layerId": "464ea482-63a1-4427-8f9c-224e693d4ffc", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "d3f7e999-2c6b-4b3f-bbca-72ec716b4285" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "9e5504f2-2732-40d5-a0c8-c885c93a8153", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "9e5504f2-2732-40d5-a0c8-c885c93a8153", + "title": "Distribution of Alert by Indicator Type [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-38c2ae2f-27fd-47dc-911f-4aa95f5545d1", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "38c2ae2f-27fd-47dc-911f-4aa95f5545d1": { + "columnOrder": [ + "56d4df89-ea70-4cac-a0f7-0d56f3f3f1aa", + "a78e27d3-f17e-4e38-8815-4cb90a1c006f" + ], + "columns": { + "56d4df89-ea70-4cac-a0f7-0d56f3f3f1aa": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Matched Rule", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a78e27d3-f17e-4e38-8815-4cb90a1c006f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.alert.matched_rule.name" + }, + "a78e27d3-f17e-4e38-8815-4cb90a1c006f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + }, + "visualization": { + "columns": [ + { + "columnId": "56d4df89-ea70-4cac-a0f7-0d56f3f3f1aa" + }, + { + "columnId": "a78e27d3-f17e-4e38-8815-4cb90a1c006f" + } + ], + "layerId": "38c2ae2f-27fd-47dc-911f-4aa95f5545d1", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "eabd35ae-1d20-403d-ab31-993d621aa11d", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "eabd35ae-1d20-403d-ab31-993d621aa11d", + "title": "Top 10 Matched Rule [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Trend Micro Vision One] Alert", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "04cd99db-4dd5-4eca-ab0a-f922068c9a25:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "04cd99db-4dd5-4eca-ab0a-f922068c9a25:indexpattern-datasource-layer-c66b406f-8e28-4d47-9fc4-39b968af345d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "db54892f-8ac3-49ed-9ec3-7cfe7648f646:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "db54892f-8ac3-49ed-9ec3-7cfe7648f646:indexpattern-datasource-layer-93eb5209-5e6d-4079-a4a1-2bfab8dd99df", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "123f8240-4cc6-4003-83af-43553d428928:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "123f8240-4cc6-4003-83af-43553d428928:indexpattern-datasource-layer-ac7eae8e-47b7-494d-aa59-23badf3efe0f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dee1cbd0-6143-4245-ab3f-b8cd4022e67e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dee1cbd0-6143-4245-ab3f-b8cd4022e67e:indexpattern-datasource-layer-4d3824b7-1c3f-44cd-b84d-88552f0eff69", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9e5504f2-2732-40d5-a0c8-c885c93a8153:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9e5504f2-2732-40d5-a0c8-c885c93a8153:indexpattern-datasource-layer-464ea482-63a1-4427-8f9c-224e693d4ffc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "eabd35ae-1d20-403d-ab31-993d621aa11d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "eabd35ae-1d20-403d-ab31-993d621aa11d:indexpattern-datasource-layer-38c2ae2f-27fd-47dc-911f-4aa95f5545d1", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json b/packages/trend_micro_vision_one/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json new file mode 100644 index 00000000000..cafd4cfb828 --- /dev/null +++ b/packages/trend_micro_vision_one/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json @@ -0,0 +1,42 @@ +{ + "attributes": { + "columns": [ + "source.user.name", + "source.user.roles", + "trend_micro_vision_one.audit.details" + ], + "description": "", + "grid": {}, + "hideChart": true, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.audit\"" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Audit Events Essential Details [Logs Trend Micro Vision One]" + }, + "coreMigrationVersion": "7.17.0", + "id": "trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/manifest.yml b/packages/trend_micro_vision_one/manifest.yml new file mode 100644 index 00000000000..f0d11696596 --- /dev/null +++ b/packages/trend_micro_vision_one/manifest.yml @@ -0,0 +1,78 @@ +format_version: 1.0.0 +name: trend_micro_vision_one +title: Trend Micro Vision One +version: '0.1.0' +license: basic +description: Collect logs from Trend Micro Vision One with Elastic Agent. +type: integration +categories: + - security +conditions: + kibana.version: ^8.4.0 +screenshots: + - src: /img/trend-micro-vision-one-alert-dashboard-screenshot.png + title: Trend Micro Vision One Dashboard Screenshot + size: 600x600 + type: image/png +icons: + - src: /img/trend-micro-vision-one-logo.svg + title: Trend Micro Vision One Logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: trend_micro_vision_one + title: Trend Micro Vision One + description: Collect logs from Trend Micro Vision One. + inputs: + - type: httpjson + title: Collect Trend Micro Vision One logs via API + description: Collecting Trend Micro Vision One logs via API. + vars: + - name: hostname + type: text + title: URL + description: Trend Micro Vision One domain name. + required: true + - name: api_token + type: password + title: API Token + description: API Token with API Access Level type. + required: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- +owner: + github: elastic/security-external-integrations