diff --git a/packages/trend_micro_vision_one/_dev/build/docs/README.md b/packages/trend_micro_vision_one/_dev/build/docs/README.md index be92f781209..d272fd2d97b 100644 --- a/packages/trend_micro_vision_one/_dev/build/docs/README.md +++ b/packages/trend_micro_vision_one/_dev/build/docs/README.md @@ -2,13 +2,13 @@ ## Overview -The [Trend Micro Vision One](https://www.trendmicro.com/en_in/business/products/detection-response.html) integration allows you to monitor Alert, Audit, Detection and Telemetry activity. Trend Micro Vision One refers to the ability to do detection and response across email, endpoints, servers, cloud workloads, and networks via a single Trend Micro Vision One platform or the managed Trend Micro Vision One service. +The [Trend Micro Vision One](https://www.trendmicro.com/en_in/business/products/detection-response.html) integration allows you to monitor Alert, Audit, Detection, Endpoint activity, Network activity, and Telemetry activity. Trend Micro Vision One refers to the ability to do detection and response across email, endpoints, servers, cloud workloads, and networks via a single Trend Micro Vision One platform or the managed Trend Micro Vision One service. Use the Trend Micro Vision One integration to collects and parses data from the REST APIs. Then visualize that data in Kibana. ## Data streams -The Trend Micro Vision One integration collects logs for four types of events: Alert, Audit, Detection and Telemetry. +The Trend Micro Vision One integration collects logs for four types of events: Alert, Audit, Detection, Endpoint activity, Network activity, and Telemetry. **Alert** Displays information about workbench alerts. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/~1v3.0~1workbench~1alerts/get). 
@@ -16,6 +16,10 @@ The Trend Micro Vision One integration collects logs for four types of events: A **Detection** Displays search results from the Detection Data source. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1detections/get). +**Endpoint activity** Displays search results from the Endpoint activity Data source. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3/#tag/Search/paths/~1v3.0~1search~1endpointActivities/get). + +**Network activity** Displays search results from the Network activity Data source. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3/#tag/Search/paths/~1v3.0~1search~1networkActivities/get). + **Telemetry** Displays telemetry events from the Datalake Pipeline API. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3/#tag/Datalake-Pipeline). 
@@ -39,12 +43,14 @@ This module has been tested against `Trend Micro Vision One API version 3.0`. - **Name**: A meaningful name that can help you identify the API key. - **Role**: The user role assigned to the key. API keys can use either predefined or custom user roles. Custom roles can be created by navigating to **Administration -> User Roles -> Add Role**. The role must have appropriate API access permission to fetch relevant data. The following table outlines the access permissions to apps and features needed to fetch relevant data from Trend Vision API. - | Datastream | Section | Permissions | - |--------------|--------------------------------------------------------------|----------------------------------------------------| - | Alert | Platform Capabilities > XDR Threat Investigation > Workbench | `View, filter, and search`. | - | Audit | Settings > Administration > Audit Logs | `View, filter, and search`, `Export and Download`. | - | Detection | Platform Capabilities > XDR Threat Investigation > Search | `View, filter, and search`. | - | Telemetry | Platform Capabilities > XDR Threat Investigation > Search | `View, filter, and search`. | + | Datastream | Section | Permissions | + |-------------------|--------------------------------------------------------------|--------------------------------------------------------------| + | Alert | Platform Capabilities > XDR Threat Investigation > Workbench | `View, filter, and search`. | + | Audit | Settings > Administration > Audit Logs | `View, filter, and search`, `Export and Download`. | + | Detection | Platform Capabilities > XDR Threat Investigation > Search | `View, filter, and search`. | + | Endpoint activity | Agentic SIEM and XDR > XDR Data Explorer | `View queries and Watchlist, and filter and search queries`. | + | Network activity | Agentic SIEM and XDR > XDR Data Explorer | `View queries and Watchlist, and filter and search queries`. 
| + | Telemetry | Platform Capabilities > XDR Threat Investigation > Search | `View, filter, and search`. | Refer to [Account Role Permissions](https://automation.trendmicro.com/xdr/Guides/Authentication) for more details. @@ -93,6 +99,26 @@ This is the `detection` dataset. {{fields "detection"}} +### endpoint activity + +This is the `endpoint activity` dataset. + +#### Example + +{{event "endpoint_activity"}} + +{{fields "endpoint_activity"}} + +### network activity + +This is the `network activity` dataset. + +#### Example + +{{event "network_activity"}} + +{{fields "network_activity"}} + ### telemetry This is the `telemetry` dataset. diff --git a/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml b/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml index 9535222c507..13d7e437602 100644 --- a/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml +++ b/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml 
@@ -432,3 +432,511 @@ rules: "winEventId": 100 } `}} + - path: /v3.0/search/endpointActivities + methods: ['GET'] + query_params: + top: "2" + skipToken: Zec2b123 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "items": [ + { + "dpt": 443, + "dst": "81.2.69.142", + "endpointGuid": "72436165-b5a5-471a-9389-0bdc3647bc33", + "endpointHostName": "workstation-pc01", + "endpointIp": [ + "1.128.0.0" + ], + "eventId": "1", + "eventSubId": 2, + "objectIntegrityLevel": 8192, + "objectTrueType": 7, + "objectSubTrueType": 7002, + "winEventId": 4624, + "eventTime": 1699876543211, + "eventTimeDT": "2023-11-13T11:55:43.210000+00:00", + "hostName": "workstation-pc01", + "logonUser": [ + "john.doe@example.com" + ], + "objectCmd": "C:\\Windows\\System32\\cmd.exe /c whoami", + "objectFileHashSha1": "A1B2C3D4E5F6789012345678901234567890ABCD", + "objectFilePath": "C:\\Windows\\System32\\cmd.exe", + "objectHostName": "api.example.com", + "objectIp": "81.2.69.144", + "objectIps": [ + "81.2.69.144", + "175.16.199.0" + ], + "objectPort": 8080, + "objectRegistryData": "C:\\Program Files\\MyApp\\startup.exe", + "objectRegistryKeyHandle": "hklm\\software\\microsoft\\windows\\currentversion\\run", + "objectRegistryValue": "MyAppStartup", + "objectSigner": [ + "Microsoft Windows" + ], + "objectSignerValid": [ + true + ], + "objectUser": "DOMAIN\\john.doe", + "os": "Windows 10", + "parentCmd": "C:\\Windows\\explorer.exe", + "parentFileHashSha1": "B2C3D4E5F67890123456789012345678901ABCDE", + "parentFilePath": "C:\\Windows\\explorer.exe", + "processCmd": "C:\\Windows\\System32\\cmd.exe /c whoami", + "processFileHashSha1": "C3D4E5F678901234567890123456789012ABCDEF", + "processFilePath": "C:\\Windows\\System32\\cmd.exe", + "request": "https://api.example.com/v1/auth", + "searchDL": "EDR", + "spt": 49152, + "src": "1.128.0.0", + "srcFileHashSha1": "D4E5F6789012345678901234567890123ABCDEFG", + "srcFilePath": 
"C:\\Users\\john.doe\\Downloads\\installer.exe", + "tags": [ + "MITRE.T1059.001", + "XSAE.F1001" + ], + "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890" + }, + { + "dpt": 22, + "dst": "175.16.199.0", + "endpointGuid": "83547276-c6b6-582b-a49a-1cde4758cd44", + "endpointHostName": "server-db02", + "endpointIp": [ + "81.2.69.192" + ], + "eventId": "3", + "eventSubId": 201, + "objectIntegrityLevel": 16384, + "objectTrueType": 19, + "objectSubTrueType": 19002, + "winEventId": 5156, + "eventTime": 1699877654421, + "eventTimeDT": "2023-11-13T12:14:32.321000+00:00", + "hostName": "server-db02", + "logonUser": [ + "admin@example.com" + ], + "objectCmd": "C:\\Program Files\\OpenSSH\\sshd.exe -D", + "objectFileHashSha1": "E5F67890123456789012345678901234ABCDEFGH", + "objectFilePath": "C:\\Program Files\\OpenSSH\\sshd.exe", + "objectHostName": "ssh.example.com", + "objectIp": "175.16.199.0", + "objectIps": [ + "175.16.199.0" + ], + "objectPort": 22, + "objectRegistryData": "C:\\Program Files\\OpenSSH\\sshd.exe", + "objectRegistryKeyHandle": "hklm\\system\\currentcontrolset\\services\\sshd", + "objectRegistryValue": "ImagePath", + "objectSigner": [ + "OpenBSD Project" + ], + "objectSignerValid": [ + true + ], + "objectUser": "NT AUTHORITY\\SYSTEM", + "os": "Windows Server 2019", + "parentCmd": "C:\\Windows\\System32\\services.exe", + "parentFileHashSha1": "F67890123456789012345678901234ABCDEFGHI", + "parentFilePath": "C:\\Windows\\System32\\services.exe", + "processCmd": "C:\\Program Files\\OpenSSH\\sshd.exe -D", + "processFileHashSha1": "67890123456789012345678901234ABCDEFGHIJ", + "processFilePath": "C:\\Program Files\\OpenSSH\\sshd.exe", + "request": "https://ssh.example.com/session", + "searchDL": "XDR", + "spt": 51234, + "src": "81.2.69.192", + "srcFileHashSha1": "7890123456789012345678901234ABCDEFGHIJK", + "srcFilePath": "C:\\Windows\\Temp\\session.tmp", + "tags": [ + "MITRE.T1021.004" + ], + "uuid": "b2c3d4e5-f678-9012-bcde-f23456789012" + } + ], + "progressRate": 0 + } + 
`}} + - path: /v3.0/search/endpointActivities + methods: ['GET'] + query_params: + top: "2" + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "items": [ + { + "dpt": 442, + "dst": "81.2.69.142", + "endpointGuid": "72436165-b5a5-471a-9389-0bdc3647bc33", + "endpointHostName": "workstation-pc01", + "endpointIp": [ + "1.128.0.0" + ], + "eventId": "29", + "eventSubId": 2, + "objectIntegrityLevel": 8192, + "objectTrueType": 7, + "objectSubTrueType": 7002, + "winEventId": 4624, + "eventTime": 1699876543210, + "eventTimeDT": "2023-11-13T10:15:43.210000+00:00", + "hostName": "workstation-pc01", + "logonUser": [ + "john.doe@example.com" + ], + "objectCmd": "C:\\Windows\\System32\\cmd.exe /c whoami", + "objectFileHashSha1": "A1B2C3D4E5F6789012345678901234567890ABCD", + "objectFilePath": "C:\\Windows\\System32\\cmd.exe", + "objectHostName": "api.example.com", + "objectIp": "81.2.69.144", + "objectIps": [ + "81.2.69.144", + "175.16.199.0" + ], + "objectPort": 8080, + "objectRegistryData": "C:\\Program Files\\MyApp\\startup.exe", + "objectRegistryKeyHandle": "hklm\\software\\microsoft\\windows\\currentversion\\run", + "objectRegistryValue": "MyAppStartup", + "objectSigner": [ + "Microsoft Windows" + ], + "objectSignerValid": [ + true + ], + "objectUser": "DOMAIN\\john.doe", + "os": "Windows 10", + "parentCmd": "C:\\Windows\\explorer.exe", + "parentFileHashSha1": "B2C3D4E5F67890123456789012345678901ABCDE", + "parentFilePath": "C:\\Windows\\explorer.exe", + "processCmd": "C:\\Windows\\System32\\cmd.exe /c whoami", + "processFileHashSha1": "C3D4E5F678901234567890123456789012ABCDEF", + "processFilePath": "C:\\Windows\\System32\\cmd.exe", + "request": "https://api.example.com/v1/auth", + "searchDL": "EDR", + "spt": 49152, + "src": "1.128.0.0", + "srcFileHashSha1": "D4E5F6789012345678901234567890123ABCDEFG", + "srcFilePath": "C:\\Users\\john.doe\\Downloads\\installer.exe", + "tags": [ + "MITRE.T1059.001", + 
"XSAE.F1001" + ], + "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890" + }, + { + "dpt": 23, + "dst": "175.16.199.0", + "endpointGuid": "83547276-c6b6-582b-a49a-1cde4758cd44", + "endpointHostName": "server-db02", + "endpointIp": [ + "81.2.69.192" + ], + "eventId": "30", + "eventSubId": 201, + "objectIntegrityLevel": 16384, + "objectTrueType": 19, + "objectSubTrueType": 19002, + "winEventId": 5156, + "eventTime": 1699877654321, + "eventTimeDT": "2023-11-13T12:14:14.321000+00:00", + "hostName": "server-db02", + "logonUser": [ + "admin@example.com" + ], + "objectCmd": "C:\\Program Files\\OpenSSH\\sshd.exe -D", + "objectFileHashSha1": "E5F67890123456789012345678901234ABCDEFGH", + "objectFilePath": "C:\\Program Files\\OpenSSH\\sshd.exe", + "objectHostName": "ssh.example.com", + "objectIp": "175.16.199.0", + "objectIps": [ + "175.16.199.0" + ], + "objectPort": 22, + "objectRegistryData": "C:\\Program Files\\OpenSSH\\sshd.exe", + "objectRegistryKeyHandle": "hklm\\system\\currentcontrolset\\services\\sshd", + "objectRegistryValue": "ImagePath", + "objectSigner": [ + "OpenBSD Project" + ], + "objectSignerValid": [ + true + ], + "objectUser": "NT AUTHORITY\\SYSTEM", + "os": "Windows Server 2019", + "parentCmd": "C:\\Windows\\System32\\services.exe", + "parentFileHashSha1": "F67890123456789012345678901234ABCDEFGHI", + "parentFilePath": "C:\\Windows\\System32\\services.exe", + "processCmd": "C:\\Program Files\\OpenSSH\\sshd.exe -D", + "processFileHashSha1": "67890123456789012345678901234ABCDEFGHIJ", + "processFilePath": "C:\\Program Files\\OpenSSH\\sshd.exe", + "request": "https://ssh.example.com/session", + "searchDL": "XDR", + "spt": 51234, + "src": "81.2.69.192", + "srcFileHashSha1": "7890123456789012345678901234ABCDEFGHIJK", + "srcFilePath": "C:\\Windows\\Temp\\session.tmp", + "tags": [ + "MITRE.T1021.004" + ], + "uuid": "b2c3d4e5-f678-9012-bcde-f23456789012" + } + ], + "progressRate": 0, + "nextLink": 
"http://svc-trend_micro_vision_one:8080/v3.0/search/endpointActivities?top=2&skipToken=Zec2b123" + } + `}} + - path: /v3.0/search/networkActivities + methods: ['GET'] + query_params: + top: "2" + skipToken: Zec2b123 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "items": [ + { + "endpointHostName": "workstation-pc01", + "customerId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "osName": "Windows 10", + "dst": "81.2.69.142", + "endpointGuid": "72436165-b5a5-471a-9389-0bdc3647bc33", + "principalName": "john.doe@example.com", + "request": "https://portal.example.com/dashboard", + "act": 1, + "src": "1.128.0.0", + "serverTls": "TLS 1.3", + "eventTime": 1699876543, + "serverProtocol": "HTTP/2", + "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", + "rt": 1699876545, + "tenantGuid": "b2c3d4e5-f678-9012-bcde-f23456789012", + "eventName": "SWG_ACTIVITY_LOG", + "application": "Microsoft 365", + "ruleName": "Corporate_Access_Policy", + "clientIp": "175.16.199.0", + "requestBase": "portal.example.com", + "score": 95, + "userDomain": "example.com", + "suid": "John Doe", + "duration": 45, + "eventSubName": "SharePoint file download", + "fileHash": "a1b2c3d4e5f6789012345678901234567890abcd", + "fileHashSha256": "ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93", + "fileName": "quarterly_report.xlsx", + "fileSize": 245678, + "fileType": "Microsoft Excel", + "malName": "", + "mimeType": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", + "sender": "Corporate Gateway", + "detectionType": 10, + "profile": "standard", + "userDepartment": "Finance", + "requestMethod": "GET", + "pname": "2200", + "pver": "2.1", + "deviceGUID": "c3d4e5f6-7890-1234-cdef-345678901234", + "requestMimeType": "application/json", + "ruleType": "access", + "ruleUuid": "d4e5f678-9012-3456-def0-456789012345", + "objectId": 
"e5f67890-1234-5678-ef01-567890123456", + "spt": 49152, + "policyUuid": "f6789012-3456-7890-f012-678901234567", + "dpt": 443, + "companyName": "Acme Corporation", + "start": 1699876500 + }, + { + "endpointHostName": "laptop-sales03", + "customerId": "b2c3d4e5-f678-9012-bcde-f23456789012", + "osName": "Windows 11", + "dst": "175.16.199.0", + "endpointGuid": "83547276-c6b6-582b-a49a-1cde4758cd44", + "principalName": "sarah.smith@example.com", + "request": "https://drive.example.com/files/contract.pdf", + "act": 4, + "src": "81.2.69.144", + "serverTls": "TLS 1.2", + "eventTime": 1699877654, + "serverProtocol": "HTTP/1.1", + "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0", + "rt": 1699877656, + "tenantGuid": "c3d4e5f6-7890-1234-cdef-345678901234", + "eventName": "SWG_ACTIVITY_LOG", + "application": "Google Drive", + "ruleName": "DLP_Sensitive_Files", + "clientIp": "81.2.69.192", + "requestBase": "drive.example.com", + "score": 45, + "userDomain": "example.com", + "suid": "Sarah Smith", + "duration": 120, + "eventSubName": "Cloud storage upload blocked", + "fileHash": "b2c3d4e5f67890123456789012345678901abcde", + "fileHashSha256": "cd3456789012345678901234567890abcdef123456789012345678901234abcd", + "fileName": "contract_confidential.pdf", + "fileSize": 1567890, + "fileType": "Adobe PDF", + "malName": "", + "mimeType": "application/pdf", + "sender": "Remote VPN Gateway", + "detectionType": 30, + "profile": "dlp_strict", + "userDepartment": "Sales", + "requestMethod": "POST", + "pname": "2200", + "pver": "2.1", + "deviceGUID": "d4e5f678-9012-3456-def0-456789012345", + "requestMimeType": "multipart/form-data", + "ruleType": "dlp", + "ruleUuid": "e5f67890-1234-5678-ef01-567890123456", + "objectId": "f6789012-3456-7890-f012-678901234567", + "spt": 51234, + "policyUuid": "01234567-89ab-cdef-0123-456789abcdef", + "dpt": 443, + "companyName": "Acme Corporation", + "start": 1699877600 + } + ], + "progressRate": 0 + } + `}} + - 
path: /v3.0/search/networkActivities + methods: ['GET'] + query_params: + top: "2" + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + body: | + {{ minify_json ` + { + "items": [ + { + "endpointHostName": "desktop-hr04", + "customerId": "d4e5f678-9012-3456-def2-456789012345", + "osName": "macOS Sonoma", + "dst": "1.128.0.0", + "endpointGuid": "a5769498-e8d8-7a4d-c6bc-3ef06970ef66", + "principalName": "emma.jones@example.com", + "request": "https://malicious-site.example.net/download.exe", + "act": 2, + "src": "81.2.69.142", + "serverTls": "TLS 1.2", + "eventTime": 1699879876, + "serverProtocol": "HTTP/1.1", + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15", + "rt": 1699879878, + "tenantGuid": "e5f67890-1234-5678-ef01-567890123456", + "eventName": "SWG_ACTIVITY_LOG", + "application": "Unknown", + "ruleName": "Malware_Block_Policy", + "clientIp": "175.16.199.0", + "requestBase": "malicious-site.example.net", + "score": 5, + "userDomain": "example.com", + "suid": "Emma Jones", + "duration": 8, + "eventSubName": "Malware download blocked", + "fileHash": "c3d4e5f678901234567890123456789012abcdef", + "fileHashSha256": "de456789012345678901234567890abcdef0123456789012345678901234bcde", + "fileName": "invoice_update.exe", + "fileSize": 4567890, + "fileType": "Windows Executable", + "malName": "Trojan.GenericKD.46584712", + "mimeType": "application/x-msdownload", + "sender": "Corporate Gateway", + "detectionType": 60, + "profile": "threat_protection", + "userDepartment": "HR", + "requestMethod": "GET", + "pname": "2200", + "pver": "2.1", + "deviceGUID": "f6789012-3456-7890-f012-678901234567", + "requestMimeType": "application/octet-stream", + "ruleType": "threat", + "ruleUuid": "01234567-89ab-cdef-0123-456789abcdef", + "objectId": "12345678-9abc-def0-1234-56789abcdef0", + "spt": 53456, + "policyUuid": "23456789-abcd-ef01-2345-6789abcdef01", + "dpt": 80, + 
"companyName": "Acme Corporation", + "start": 1699879870 + }, + { + "endpointHostName": "server-web01", + "customerId": "c3d4e5f6-7890-1234-cdef-345678901234", + "osName": "Windows Server 2022", + "dst": "81.2.69.144", + "endpointGuid": "94658387-d7c7-693c-b5ab-2def5869de55", + "principalName": "admin@example.com", + "request": "https://api.example.com/v2/users", + "act": 1, + "src": "81.2.69.192", + "serverTls": "TLS 1.3", + "eventTime": 1699878765, + "serverProtocol": "HTTP/2", + "userAgent": "curl/8.4.0", + "rt": 1699878766, + "tenantGuid": "d4e5f678-9012-3456-def0-456789012345", + "eventName": "SWG_ACTIVITY_LOG", + "application": "Custom API", + "ruleName": "API_Gateway_Access", + "clientIp": "1.128.0.0", + "requestBase": "api.example.com", + "score": 100, + "userDomain": "example.com", + "suid": "API Service Account", + "duration": 15, + "eventSubName": "API request allowed", + "fileHash": "", + "fileHashSha256": "", + "fileName": "", + "fileSize": 0, + "fileType": "", + "malName": "", + "mimeType": "application/json", + "sender": "Internal Gateway", + "detectionType": 0, + "profile": "api_default", + "userDepartment": "IT", + "requestMethod": "GET", + "pname": "2200", + "pver": "2.1", + "deviceGUID": "e5f67890-1234-5678-ef01-567890123456", + "requestMimeType": "application/json", + "ruleType": "access", + "ruleUuid": "f6789012-3456-7890-f012-678901234567", + "objectId": "01234567-89ab-cdef-0123-456789abcdef", + "spt": 52345, + "policyUuid": "12345678-9abc-def0-1234-56789abcdef0", + "dpt": 8443, + "companyName": "Acme Corporation", + "start": 1699878760 + } + ], + "progressRate": 0, + "nextLink": "http://svc-trend_micro_vision_one:8080/v3.0/search/networkActivities?top=2&skipToken=Zec2b123" + } + `}} diff --git a/packages/trend_micro_vision_one/changelog.yml b/packages/trend_micro_vision_one/changelog.yml index 87fd482625a..196e9eb2224 100644 --- a/packages/trend_micro_vision_one/changelog.yml +++ b/packages/trend_micro_vision_one/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: 2.6.0 + changes: + - description: Add support for Network Activity and Endpoint Activity Dataset. + type: enhancement + link: https://github.com/elastic/integrations/pull/16354 - version: "2.5.0" changes: - description: No error for unparsable `trend_micro_vision_one.detection.request` URI. diff --git a/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml index bcc3baa8419..7f89bfa9f34 100644 --- a/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ b/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml @@ -9,6 +9,12 @@ processors: target_field: event.original ignore_missing: true if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null - set: field: event.kind value: alert diff --git a/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 3d8d4ad36e4..e8f45de3ff5 100644 --- a/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -9,6 +9,12 @@ processors: target_field: event.original ignore_missing: true if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null - set: field: event.kind value: event 
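Review bot: The new `remove` of `message` in the alert pipeline is gated only on `event.original` being non-null, not on `message` having been the source of it, so a document that arrives with both fields already populated (a re-ingested event, or a forwarder that set `event.original` itself) skips the preceding `rename` because of its `ctx.event?.original == null` guard and then has its raw `message` discarded unparsed. This is the usual integration boilerplate and probably intended, but it silently drops payload, so the processor should say so; for example `description: The message field is dropped once event.original holds the raw event; if both arrive populated, event.original is treated as authoritative.` The audit and detection pipeline hunks in this diff add the identical block and the same applies there. The `processors` list continues outside each hunk on both sides.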
diff --git a/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml index 4f3ee5a49bb..4240e3987dd 100644 --- a/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml +++ b/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml @@ -9,6 +9,12 @@ processors: target_field: event.original ignore_missing: true if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null - set: field: event.kind value: event diff --git a/packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/pipeline/test-common-config.yml b/packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/pipeline/test-endpoint-activity.log b/packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/pipeline/test-endpoint-activity.log new file mode 100644 index 00000000000..7cd5d555297 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/pipeline/test-endpoint-activity.log 
@@ -0,0 +1,5 @@ +{"dpt": 443, "dst": "81.2.69.142", "endpointGuid": "72436165-b5a5-471a-9389-0bdc3647bc33", "endpointHostName": "workstation-pc01", "endpointIp": ["1.128.0.0"], "eventId": "1", "eventSubId": 2, "objectIntegrityLevel": 8192, "objectTrueType": 7, "objectSubTrueType": 7002, "winEventId": 4624, "eventTime": 1699876543210, "eventTimeDT": "2023-11-13T10:15:43.210000+00:00", "hostName": "workstation-pc01", "logonUser": ["john.doe@example.com"], "objectCmd": "C:\\Windows\\System32\\cmd.exe /c whoami", "objectFileHashSha1": "A1B2C3D4E5F6789012345678901234567890ABCD", "objectFilePath": "C:\\Windows\\System32\\cmd.exe", "objectHostName": "api.example.com", "objectIp": "81.2.69.144", "objectIps": ["81.2.69.144", "175.16.199.0"], "objectPort": 8080, "objectRegistryData": "C:\\Program Files\\MyApp\\startup.exe", "objectRegistryKeyHandle": "hklm\\software\\microsoft\\windows\\currentversion\\run", "objectRegistryValue": "MyAppStartup", "objectSigner": ["Microsoft Windows"], "objectSignerValid": [true], "objectUser": "DOMAIN\\john.doe", "os": "Windows 10", "parentCmd": "C:\\Windows\\explorer.exe", "parentFileHashSha1": "B2C3D4E5F67890123456789012345678901ABCDE", "parentFilePath": "C:\\Windows\\explorer.exe", "processCmd": "C:\\Windows\\System32\\cmd.exe /c whoami", "processFileHashSha1": "C3D4E5F678901234567890123456789012ABCDEF", "processFilePath": "C:\\Windows\\System32\\cmd.exe", "request": "https://api.example.com/v1/auth", "searchDL": "EDR", "spt": 49152, "src": "1.128.0.0", "srcFileHashSha1": "D4E5F6789012345678901234567890123ABCDEFG", "srcFilePath": "C:\\Users\\john.doe\\Downloads\\installer.exe", "tags": ["MITRE.T1059.001", "XSAE.F1001"], "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"} +{"dpt": 22, "dst": "175.16.199.0", "endpointGuid": "83547276-c6b6-582b-a49a-1cde4758cd44", "endpointHostName": "server-db02", "endpointIp": ["81.2.69.192"], "eventId": "3", "eventSubId": 201, "objectIntegrityLevel": 16384, "objectTrueType": 19, "objectSubTrueType": 19002, 
"winEventId": 5156, "eventTime": 1699877654321, "eventTimeDT": "2023-11-13T10:34:14.321000+00:00", "hostName": "server-db02", "logonUser": ["admin@example.com"], "objectCmd": "C:\\Program Files\\OpenSSH\\sshd.exe -D", "objectFileHashSha1": "E5F67890123456789012345678901234ABCDEFGH", "objectFilePath": "C:\\Program Files\\OpenSSH\\sshd.exe", "objectHostName": "ssh.example.com", "objectIp": "175.16.199.0", "objectIps": ["175.16.199.0"], "objectPort": 22, "objectRegistryData": "C:\\Program Files\\OpenSSH\\sshd.exe", "objectRegistryKeyHandle": "hklm\\system\\currentcontrolset\\services\\sshd", "objectRegistryValue": "ImagePath", "objectSigner": ["OpenBSD Project"], "objectSignerValid": [true], "objectUser": "NT AUTHORITY\\SYSTEM", "os": "Windows Server 2019", "parentCmd": "C:\\Windows\\System32\\services.exe", "parentFileHashSha1": "F67890123456789012345678901234ABCDEFGHI", "parentFilePath": "C:\\Windows\\System32\\services.exe", "processCmd": "C:\\Program Files\\OpenSSH\\sshd.exe -D", "processFileHashSha1": "67890123456789012345678901234ABCDEFGHIJ", "processFilePath": "C:\\Program Files\\OpenSSH\\sshd.exe", "request": "https://ssh.example.com/session", "searchDL": "XDR", "spt": 51234, "src": "81.2.69.192", "srcFileHashSha1": "7890123456789012345678901234ABCDEFGHIJK", "srcFilePath": "C:\\Windows\\Temp\\session.tmp", "tags": ["MITRE.T1021.004"], "uuid": "b2c3d4e5-f678-9012-bcde-f23456789012"} +{"dpt": 80, "dst": "81.2.69.144", "endpointGuid": "94658387-d7c7-693c-b5ab-2def5869de55", "endpointHostName": "laptop-sales03", "endpointIp": ["81.2.69.142"], "eventId": "7", "eventSubId": 602, "objectIntegrityLevel": 8192, "objectTrueType": 4000, "objectSubTrueType": 4003, "winEventId": 4663, "eventTime": 1699878765432, "eventTimeDT": "2023-11-13T10:52:45.432000+00:00", "hostName": "laptop-sales03", "logonUser": ["sarah.smith@example.com"], "objectCmd": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe --new-window https://portal.example.com", "objectFileHashSha1": 
"890123456789012345678901234ABCDEFGHIJKL", "objectFilePath": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "objectHostName": "portal.example.com", "objectIp": "81.2.69.144", "objectIps": ["81.2.69.144", "81.2.69.142"], "objectPort": 443, "objectRegistryData": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "objectRegistryKeyHandle": "hkcu\\software\\google\\chrome\\blbeacon", "objectRegistryValue": "version", "objectSigner": ["Google LLC"], "objectSignerValid": [true], "objectUser": "CORP\\sarah.smith", "os": "Windows 11", "parentCmd": "C:\\Windows\\explorer.exe", "parentFileHashSha1": "90123456789012345678901234ABCDEFGHIJKLM", "parentFilePath": "C:\\Windows\\explorer.exe", "processCmd": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe --new-window https://portal.example.com", "processFileHashSha1": "0123456789012345678901234ABCDEFGHIJKLMN", "processFilePath": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "request": "https://portal.example.com/dashboard", "searchDL": "SDL", "spt": 52345, "src": "81.2.69.142", "srcFileHashSha1": "123456789012345678901234ABCDEFGHIJKLMNO", "srcFilePath": "C:\\Users\\sarah.smith\\AppData\\Local\\Temp\\download.tmp", "tags": ["MITRE.T1071.001", "XSAE.F2003"], "uuid": "c3d4e5f6-7890-1234-cdef-345678901234"} +{"dpt": 3389, "dst": "1.128.0.0", "endpointGuid": "a5769498-e8d8-7a4d-c6bc-3ef06970ef66", "endpointHostName": "terminal-srv01", "endpointIp": ["175.16.199.0"], "eventId": "6", "eventSubId": 501, "objectIntegrityLevel": 12288, "objectTrueType": 7, "objectSubTrueType": 7005, "winEventId": 4720, "eventTime": 1699879876543, "eventTimeDT": "2023-11-13T11:11:16.543000+00:00", "hostName": "terminal-srv01", "logonUser": ["mike.wilson@example.com"], "objectCmd": "C:\\Windows\\System32\\mstsc.exe /v:remote.example.com", "objectFileHashSha1": "23456789012345678901234ABCDEFGHIJKLMNOP", "objectFilePath": "C:\\Windows\\System32\\mstsc.exe", "objectHostName": "remote.example.com", "objectIp": 
"1.128.0.0", "objectIps": ["1.128.0.0", "81.2.69.192"], "objectPort": 3389, "objectRegistryData": "C:\\Windows\\System32\\mstsc.exe", "objectRegistryKeyHandle": "hkcu\\software\\microsoft\\terminal server client\\servers", "objectRegistryValue": "UsernameHint", "objectSigner": ["Microsoft Corporation"], "objectSignerValid": [true], "objectUser": "DOMAIN\\mike.wilson", "os": "Windows Server 2022", "parentCmd": "C:\\Windows\\System32\\userinit.exe", "parentFileHashSha1": "3456789012345678901234ABCDEFGHIJKLMNOPQ", "parentFilePath": "C:\\Windows\\System32\\userinit.exe", "processCmd": "C:\\Windows\\System32\\mstsc.exe /v:remote.example.com", "processFileHashSha1": "456789012345678901234ABCDEFGHIJKLMNOPQR", "processFilePath": "C:\\Windows\\System32\\mstsc.exe", "request": "https://remote.example.com/rdweb", "searchDL": "EDR", "spt": 53456, "src": "175.16.199.0", "srcFileHashSha1": "56789012345678901234ABCDEFGHIJKLMNOPQRS", "srcFilePath": "C:\\Users\\mike.wilson\\Documents\\rdp_config.rdp", "tags": ["MITRE.T1021.001", "MITRE.T1078"], "uuid": "d4e5f678-9012-3456-def0-456789012345"} +{"dpt": 53, "dst": "81.2.69.192", "endpointGuid": "b687a5a9-f9e9-8b5e-d7cd-4f017a81f077", "endpointHostName": "desktop-hr04", "endpointIp": ["81.2.69.144"], "eventId": "4", "eventSubId": 301, "objectIntegrityLevel": 4096, "objectTrueType": 18, "objectSubTrueType": 28000, "winEventId": 5857, "eventTime": 1699880987654, "eventTimeDT": "2023-11-13T11:29:47.654000+00:00", "hostName": "desktop-hr04", "logonUser": ["emma.jones@example.com"], "objectCmd": "C:\\Windows\\System32\\nslookup.exe mail.example.com", "objectFileHashSha1": "6789012345678901234ABCDEFGHIJKLMNOPQRST", "objectFilePath": "C:\\Windows\\System32\\nslookup.exe", "objectHostName": "dns.example.com", "objectIp": "81.2.69.192", "objectIps": ["81.2.69.192"], "objectPort": 53, "objectRegistryData": "8.8.8.8,8.8.4.4", "objectRegistryKeyHandle": "hklm\\system\\currentcontrolset\\services\\tcpip\\parameters", "objectRegistryValue": 
"NameServer", "objectSigner": ["Microsoft Windows"], "objectSignerValid": [true], "objectUser": "CORP\\emma.jones", "os": "Windows 10", "parentCmd": "C:\\Windows\\System32\\cmd.exe", "parentFileHashSha1": "789012345678901234ABCDEFGHIJKLMNOPQRSTU", "parentFilePath": "C:\\Windows\\System32\\cmd.exe", "processCmd": "C:\\Windows\\System32\\nslookup.exe mail.example.com", "processFileHashSha1": "89012345678901234ABCDEFGHIJKLMNOPQRSTUV", "processFilePath": "C:\\Windows\\System32\\nslookup.exe", "request": "https://dns.example.com/lookup", "searchDL": "XDR", "spt": 54567, "src": "81.2.69.144", "srcFileHashSha1": "9012345678901234ABCDEFGHIJKLMNOPQRSTUVW", "srcFilePath": "C:\\Users\\emma.jones\\Scripts\\dns_check.bat", "tags": ["MITRE.T1071.004", "XSAE.F3002"], "uuid": "e5f67890-1234-5678-ef01-567890123456"} diff --git a/packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/pipeline/test-endpoint-activity.log-expected.json b/packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/pipeline/test-endpoint-activity.log-expected.json new file mode 100644 index 00000000000..2064df845ec --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/pipeline/test-endpoint-activity.log-expected.json 
@@ -0,0 +1,869 @@ +{ + "expected": [ + { + "@timestamp": "2023-11-13T10:15:43.210Z", + "destination": { + "address": "81.2.69.142", + "port": 443 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "code": "4624", + "id": "1", + "kind": "event", + "original": "{\"dpt\": 443, \"dst\": \"81.2.69.142\", \"endpointGuid\": \"72436165-b5a5-471a-9389-0bdc3647bc33\", \"endpointHostName\": \"workstation-pc01\", \"endpointIp\": [\"1.128.0.0\"], \"eventId\": \"1\", \"eventSubId\": 2, \"objectIntegrityLevel\": 8192, \"objectTrueType\": 7, \"objectSubTrueType\": 7002, \"winEventId\": 4624, \"eventTime\": 1699876543210, \"eventTimeDT\": \"2023-11-13T10:15:43.210000+00:00\", \"hostName\": \"workstation-pc01\", \"logonUser\": [\"john.doe@example.com\"], \"objectCmd\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c whoami\", \"objectFileHashSha1\": \"A1B2C3D4E5F6789012345678901234567890ABCD\", \"objectFilePath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"objectHostName\": \"api.example.com\", \"objectIp\": \"81.2.69.144\", \"objectIps\": [\"81.2.69.144\", \"175.16.199.0\"], \"objectPort\": 8080, \"objectRegistryData\": \"C:\\\\Program Files\\\\MyApp\\\\startup.exe\", \"objectRegistryKeyHandle\": \"hklm\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\", \"objectRegistryValue\": \"MyAppStartup\", \"objectSigner\": [\"Microsoft Windows\"], \"objectSignerValid\": [true], \"objectUser\": \"DOMAIN\\\\john.doe\", \"os\": \"Windows 10\", \"parentCmd\": \"C:\\\\Windows\\\\explorer.exe\", \"parentFileHashSha1\": \"B2C3D4E5F67890123456789012345678901ABCDE\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"processCmd\": \"C:\\\\Windows\\\\System32\\\\cmd.exe /c whoami\", \"processFileHashSha1\": \"C3D4E5F678901234567890123456789012ABCDEF\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"request\": \"https://api.example.com/v1/auth\", \"searchDL\": \"EDR\", \"spt\": 49152, \"src\": \"1.128.0.0\", \"srcFileHashSha1\": 
\"D4E5F6789012345678901234567890123ABCDEFG\", \"srcFilePath\": \"C:\\\\Users\\\\john.doe\\\\Downloads\\\\installer.exe\", \"tags\": [\"MITRE.T1059.001\", \"XSAE.F1001\"], \"uuid\": \"a1b2c3d4-e5f6-7890-abcd-ef1234567890\"}" + }, + "file": { + "hash": { + "sha1": "A1B2C3D4E5F6789012345678901234567890ABCD" + }, + "path": "C:\\Windows\\System32\\cmd.exe" + }, + "host": { + "hostname": "workstation-pc01", + "ip": [ + "1.128.0.0" + ], + "name": "workstation-pc01", + "os": { + "name": "Windows 10" + } + }, + "process": { + "command_line": "C:\\Windows\\System32\\cmd.exe /c whoami", + "executable": "C:\\Windows\\System32\\cmd.exe", + "hash": { + "sha1": "C3D4E5F678901234567890123456789012ABCDEF" + }, + "parent": { + "command_line": "C:\\Windows\\explorer.exe", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha1": "B2C3D4E5F67890123456789012345678901ABCDE" + } + } + }, + "registry": { + "path": "hklm\\software\\microsoft\\windows\\currentversion\\run", + "value": "MyAppStartup" + }, + "related": { + "hash": [ + "A1B2C3D4E5F6789012345678901234567890ABCD", + "C3D4E5F678901234567890123456789012ABCDEF", + "B2C3D4E5F67890123456789012345678901ABCDE", + "D4E5F6789012345678901234567890123ABCDEFG" + ], + "hosts": [ + "workstation-pc01", + "api.example.com" + ], + "ip": [ + "1.128.0.0", + "81.2.69.144", + "175.16.199.0", + "81.2.69.142" + ], + "user": [ + "john.doe@example.com", + "DOMAIN\\john.doe" + ] + }, + "source": { + "ip": "1.128.0.0", + "port": 49152 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "endpoint_activity": { + "destination": { + "address": "81.2.69.142", + "port": 443 + }, + "endpoint": { + "guid": "72436165-b5a5-471a-9389-0bdc3647bc33", + "host_name": "workstation-pc01", + "ip": [ + "1.128.0.0" + ] + }, + "event": { + "id": "1", + "sub_id": 2, + "time": "2023-11-13T11:55:43.210Z", + "time_dt": "2023-11-13T10:15:43.210Z" + }, + "host_name": "workstation-pc01", + "logon_user": [ + "john.doe@example.com" + ], 
+ "object": { + "cmd": "C:\\Windows\\System32\\cmd.exe /c whoami", + "file": { + "hash_sha1": "A1B2C3D4E5F6789012345678901234567890ABCD", + "path": "C:\\Windows\\System32\\cmd.exe" + }, + "host_name": "api.example.com", + "integrity_level": 8192, + "ip": "81.2.69.144", + "ips": [ + "81.2.69.144", + "175.16.199.0" + ], + "port": 8080, + "registry": { + "data": "C:\\Program Files\\MyApp\\startup.exe", + "key_handle": "hklm\\software\\microsoft\\windows\\currentversion\\run", + "value": "MyAppStartup" + }, + "signer": [ + "Microsoft Windows" + ], + "signer_valid": [ + true + ], + "sub_true_type": 7002, + "true_type": 7, + "user": "DOMAIN\\john.doe" + }, + "os": "Windows 10", + "parent": { + "cmd": "C:\\Windows\\explorer.exe", + "file": { + "hash_sha1": "B2C3D4E5F67890123456789012345678901ABCDE", + "path": "C:\\Windows\\explorer.exe" + } + }, + "process": { + "cmd": "C:\\Windows\\System32\\cmd.exe /c whoami", + "file": { + "hash_sha1": "C3D4E5F678901234567890123456789012ABCDEF", + "path": "C:\\Windows\\System32\\cmd.exe" + } + }, + "request": "https://api.example.com/v1/auth", + "search_dl": "EDR", + "source": { + "ip": "1.128.0.0", + "port": 49152 + }, + "source_file": { + "hash_sha1": "D4E5F6789012345678901234567890123ABCDEFG", + "path": "C:\\Users\\john.doe\\Downloads\\installer.exe" + }, + "tags": [ + "MITRE.T1059.001", + "XSAE.F1001" + ], + "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "win_event_id": 4624 + } + }, + "url": { + "original": "https://api.example.com/v1/auth" + }, + "user": { + "name": [ + "john.doe@example.com" + ], + "target": { + "name": "DOMAIN\\john.doe" + } + } + }, + { + "@timestamp": "2023-11-13T10:34:14.321Z", + "destination": { + "address": "175.16.199.0", + "port": 22 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "code": "5156", + "id": "3", + "kind": "event", + "original": "{\"dpt\": 22, \"dst\": \"175.16.199.0\", \"endpointGuid\": \"83547276-c6b6-582b-a49a-1cde4758cd44\", \"endpointHostName\": \"server-db02\", 
\"endpointIp\": [\"81.2.69.192\"], \"eventId\": \"3\", \"eventSubId\": 201, \"objectIntegrityLevel\": 16384, \"objectTrueType\": 19, \"objectSubTrueType\": 19002, \"winEventId\": 5156, \"eventTime\": 1699877654321, \"eventTimeDT\": \"2023-11-13T10:34:14.321000+00:00\", \"hostName\": \"server-db02\", \"logonUser\": [\"admin@example.com\"], \"objectCmd\": \"C:\\\\Program Files\\\\OpenSSH\\\\sshd.exe -D\", \"objectFileHashSha1\": \"E5F67890123456789012345678901234ABCDEFGH\", \"objectFilePath\": \"C:\\\\Program Files\\\\OpenSSH\\\\sshd.exe\", \"objectHostName\": \"ssh.example.com\", \"objectIp\": \"175.16.199.0\", \"objectIps\": [\"175.16.199.0\"], \"objectPort\": 22, \"objectRegistryData\": \"C:\\\\Program Files\\\\OpenSSH\\\\sshd.exe\", \"objectRegistryKeyHandle\": \"hklm\\\\system\\\\currentcontrolset\\\\services\\\\sshd\", \"objectRegistryValue\": \"ImagePath\", \"objectSigner\": [\"OpenBSD Project\"], \"objectSignerValid\": [true], \"objectUser\": \"NT AUTHORITY\\\\SYSTEM\", \"os\": \"Windows Server 2019\", \"parentCmd\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"parentFileHashSha1\": \"F67890123456789012345678901234ABCDEFGHI\", \"parentFilePath\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"processCmd\": \"C:\\\\Program Files\\\\OpenSSH\\\\sshd.exe -D\", \"processFileHashSha1\": \"67890123456789012345678901234ABCDEFGHIJ\", \"processFilePath\": \"C:\\\\Program Files\\\\OpenSSH\\\\sshd.exe\", \"request\": \"https://ssh.example.com/session\", \"searchDL\": \"XDR\", \"spt\": 51234, \"src\": \"81.2.69.192\", \"srcFileHashSha1\": \"7890123456789012345678901234ABCDEFGHIJK\", \"srcFilePath\": \"C:\\\\Windows\\\\Temp\\\\session.tmp\", \"tags\": [\"MITRE.T1021.004\"], \"uuid\": \"b2c3d4e5-f678-9012-bcde-f23456789012\"}" + }, + "file": { + "hash": { + "sha1": "E5F67890123456789012345678901234ABCDEFGH" + }, + "path": "C:\\Program Files\\OpenSSH\\sshd.exe" + }, + "host": { + "hostname": "server-db02", + "ip": [ + "81.2.69.192" + ], + "name": "server-db02", + "os": 
{ + "name": "Windows Server 2019" + } + }, + "process": { + "command_line": "C:\\Program Files\\OpenSSH\\sshd.exe -D", + "executable": "C:\\Program Files\\OpenSSH\\sshd.exe", + "hash": { + "sha1": "67890123456789012345678901234ABCDEFGHIJ" + }, + "parent": { + "command_line": "C:\\Windows\\System32\\services.exe", + "executable": "C:\\Windows\\System32\\services.exe", + "hash": { + "sha1": "F67890123456789012345678901234ABCDEFGHI" + } + } + }, + "registry": { + "path": "hklm\\system\\currentcontrolset\\services\\sshd", + "value": "ImagePath" + }, + "related": { + "hash": [ + "E5F67890123456789012345678901234ABCDEFGH", + "67890123456789012345678901234ABCDEFGHIJ", + "F67890123456789012345678901234ABCDEFGHI", + "7890123456789012345678901234ABCDEFGHIJK" + ], + "hosts": [ + "server-db02", + "ssh.example.com" + ], + "ip": [ + "81.2.69.192", + "175.16.199.0" + ], + "user": [ + "admin@example.com", + "NT AUTHORITY\\SYSTEM" + ] + }, + "source": { + "ip": "81.2.69.192", + "port": 51234 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "endpoint_activity": { + "destination": { + "address": "175.16.199.0", + "port": 22 + }, + "endpoint": { + "guid": "83547276-c6b6-582b-a49a-1cde4758cd44", + "host_name": "server-db02", + "ip": [ + "81.2.69.192" + ] + }, + "event": { + "id": "3", + "sub_id": 201, + "time": "2023-11-13T12:14:14.321Z", + "time_dt": "2023-11-13T10:34:14.321Z" + }, + "host_name": "server-db02", + "logon_user": [ + "admin@example.com" + ], + "object": { + "cmd": "C:\\Program Files\\OpenSSH\\sshd.exe -D", + "file": { + "hash_sha1": "E5F67890123456789012345678901234ABCDEFGH", + "path": "C:\\Program Files\\OpenSSH\\sshd.exe" + }, + "host_name": "ssh.example.com", + "integrity_level": 16384, + "ip": "175.16.199.0", + "ips": [ + "175.16.199.0" + ], + "port": 22, + "registry": { + "data": "C:\\Program Files\\OpenSSH\\sshd.exe", + "key_handle": "hklm\\system\\currentcontrolset\\services\\sshd", + "value": "ImagePath" + }, + "signer": 
[ + "OpenBSD Project" + ], + "signer_valid": [ + true + ], + "sub_true_type": 19002, + "true_type": 19, + "user": "NT AUTHORITY\\SYSTEM" + }, + "os": "Windows Server 2019", + "parent": { + "cmd": "C:\\Windows\\System32\\services.exe", + "file": { + "hash_sha1": "F67890123456789012345678901234ABCDEFGHI", + "path": "C:\\Windows\\System32\\services.exe" + } + }, + "process": { + "cmd": "C:\\Program Files\\OpenSSH\\sshd.exe -D", + "file": { + "hash_sha1": "67890123456789012345678901234ABCDEFGHIJ", + "path": "C:\\Program Files\\OpenSSH\\sshd.exe" + } + }, + "request": "https://ssh.example.com/session", + "search_dl": "XDR", + "source": { + "ip": "81.2.69.192", + "port": 51234 + }, + "source_file": { + "hash_sha1": "7890123456789012345678901234ABCDEFGHIJK", + "path": "C:\\Windows\\Temp\\session.tmp" + }, + "tags": [ + "MITRE.T1021.004" + ], + "uuid": "b2c3d4e5-f678-9012-bcde-f23456789012", + "win_event_id": 5156 + } + }, + "url": { + "original": "https://ssh.example.com/session" + }, + "user": { + "name": [ + "admin@example.com" + ], + "target": { + "name": "NT AUTHORITY\\SYSTEM" + } + } + }, + { + "@timestamp": "2023-11-13T10:52:45.432Z", + "destination": { + "address": "81.2.69.144", + "port": 80 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "code": "4663", + "id": "7", + "kind": "event", + "original": "{\"dpt\": 80, \"dst\": \"81.2.69.144\", \"endpointGuid\": \"94658387-d7c7-693c-b5ab-2def5869de55\", \"endpointHostName\": \"laptop-sales03\", \"endpointIp\": [\"81.2.69.142\"], \"eventId\": \"7\", \"eventSubId\": 602, \"objectIntegrityLevel\": 8192, \"objectTrueType\": 4000, \"objectSubTrueType\": 4003, \"winEventId\": 4663, \"eventTime\": 1699878765432, \"eventTimeDT\": \"2023-11-13T10:52:45.432000+00:00\", \"hostName\": \"laptop-sales03\", \"logonUser\": [\"sarah.smith@example.com\"], \"objectCmd\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe --new-window https://portal.example.com\", \"objectFileHashSha1\": 
\"890123456789012345678901234ABCDEFGHIJKL\", \"objectFilePath\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"objectHostName\": \"portal.example.com\", \"objectIp\": \"81.2.69.144\", \"objectIps\": [\"81.2.69.144\", \"81.2.69.142\"], \"objectPort\": 443, \"objectRegistryData\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"objectRegistryKeyHandle\": \"hkcu\\\\software\\\\google\\\\chrome\\\\blbeacon\", \"objectRegistryValue\": \"version\", \"objectSigner\": [\"Google LLC\"], \"objectSignerValid\": [true], \"objectUser\": \"CORP\\\\sarah.smith\", \"os\": \"Windows 11\", \"parentCmd\": \"C:\\\\Windows\\\\explorer.exe\", \"parentFileHashSha1\": \"90123456789012345678901234ABCDEFGHIJKLM\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"processCmd\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe --new-window https://portal.example.com\", \"processFileHashSha1\": \"0123456789012345678901234ABCDEFGHIJKLMN\", \"processFilePath\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"request\": \"https://portal.example.com/dashboard\", \"searchDL\": \"SDL\", \"spt\": 52345, \"src\": \"81.2.69.142\", \"srcFileHashSha1\": \"123456789012345678901234ABCDEFGHIJKLMNO\", \"srcFilePath\": \"C:\\\\Users\\\\sarah.smith\\\\AppData\\\\Local\\\\Temp\\\\download.tmp\", \"tags\": [\"MITRE.T1071.001\", \"XSAE.F2003\"], \"uuid\": \"c3d4e5f6-7890-1234-cdef-345678901234\"}" + }, + "file": { + "hash": { + "sha1": "890123456789012345678901234ABCDEFGHIJKL" + }, + "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" + }, + "host": { + "hostname": "laptop-sales03", + "ip": [ + "81.2.69.142" + ], + "name": "laptop-sales03", + "os": { + "name": "Windows 11" + } + }, + "process": { + "command_line": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe --new-window https://portal.example.com", + "executable": "C:\\Program 
Files\\Google\\Chrome\\Application\\chrome.exe", + "hash": { + "sha1": "0123456789012345678901234ABCDEFGHIJKLMN" + }, + "parent": { + "command_line": "C:\\Windows\\explorer.exe", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha1": "90123456789012345678901234ABCDEFGHIJKLM" + } + } + }, + "registry": { + "path": "hkcu\\software\\google\\chrome\\blbeacon", + "value": "version" + }, + "related": { + "hash": [ + "890123456789012345678901234ABCDEFGHIJKL", + "0123456789012345678901234ABCDEFGHIJKLMN", + "90123456789012345678901234ABCDEFGHIJKLM", + "123456789012345678901234ABCDEFGHIJKLMNO" + ], + "hosts": [ + "laptop-sales03", + "portal.example.com" + ], + "ip": [ + "81.2.69.142", + "81.2.69.144" + ], + "user": [ + "sarah.smith@example.com", + "CORP\\sarah.smith" + ] + }, + "source": { + "ip": "81.2.69.142", + "port": 52345 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "endpoint_activity": { + "destination": { + "address": "81.2.69.144", + "port": 80 + }, + "endpoint": { + "guid": "94658387-d7c7-693c-b5ab-2def5869de55", + "host_name": "laptop-sales03", + "ip": [ + "81.2.69.142" + ] + }, + "event": { + "id": "7", + "sub_id": 602, + "time": "2023-11-13T12:32:45.432Z", + "time_dt": "2023-11-13T10:52:45.432Z" + }, + "host_name": "laptop-sales03", + "logon_user": [ + "sarah.smith@example.com" + ], + "object": { + "cmd": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe --new-window https://portal.example.com", + "file": { + "hash_sha1": "890123456789012345678901234ABCDEFGHIJKL", + "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" + }, + "host_name": "portal.example.com", + "integrity_level": 8192, + "ip": "81.2.69.144", + "ips": [ + "81.2.69.144", + "81.2.69.142" + ], + "port": 443, + "registry": { + "data": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "key_handle": "hkcu\\software\\google\\chrome\\blbeacon", + "value": "version" + }, + "signer": [ + "Google LLC" + ], + 
"signer_valid": [ + true + ], + "sub_true_type": 4003, + "true_type": 4000, + "user": "CORP\\sarah.smith" + }, + "os": "Windows 11", + "parent": { + "cmd": "C:\\Windows\\explorer.exe", + "file": { + "hash_sha1": "90123456789012345678901234ABCDEFGHIJKLM", + "path": "C:\\Windows\\explorer.exe" + } + }, + "process": { + "cmd": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe --new-window https://portal.example.com", + "file": { + "hash_sha1": "0123456789012345678901234ABCDEFGHIJKLMN", + "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" + } + }, + "request": "https://portal.example.com/dashboard", + "search_dl": "SDL", + "source": { + "ip": "81.2.69.142", + "port": 52345 + }, + "source_file": { + "hash_sha1": "123456789012345678901234ABCDEFGHIJKLMNO", + "path": "C:\\Users\\sarah.smith\\AppData\\Local\\Temp\\download.tmp" + }, + "tags": [ + "MITRE.T1071.001", + "XSAE.F2003" + ], + "uuid": "c3d4e5f6-7890-1234-cdef-345678901234", + "win_event_id": 4663 + } + }, + "url": { + "original": "https://portal.example.com/dashboard" + }, + "user": { + "name": [ + "sarah.smith@example.com" + ], + "target": { + "name": "CORP\\sarah.smith" + } + } + }, + { + "@timestamp": "2023-11-13T11:11:16.543Z", + "destination": { + "address": "1.128.0.0", + "port": 3389 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "code": "4720", + "id": "6", + "kind": "event", + "original": "{\"dpt\": 3389, \"dst\": \"1.128.0.0\", \"endpointGuid\": \"a5769498-e8d8-7a4d-c6bc-3ef06970ef66\", \"endpointHostName\": \"terminal-srv01\", \"endpointIp\": [\"175.16.199.0\"], \"eventId\": \"6\", \"eventSubId\": 501, \"objectIntegrityLevel\": 12288, \"objectTrueType\": 7, \"objectSubTrueType\": 7005, \"winEventId\": 4720, \"eventTime\": 1699879876543, \"eventTimeDT\": \"2023-11-13T11:11:16.543000+00:00\", \"hostName\": \"terminal-srv01\", \"logonUser\": [\"mike.wilson@example.com\"], \"objectCmd\": \"C:\\\\Windows\\\\System32\\\\mstsc.exe /v:remote.example.com\", 
\"objectFileHashSha1\": \"23456789012345678901234ABCDEFGHIJKLMNOP\", \"objectFilePath\": \"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"objectHostName\": \"remote.example.com\", \"objectIp\": \"1.128.0.0\", \"objectIps\": [\"1.128.0.0\", \"81.2.69.192\"], \"objectPort\": 3389, \"objectRegistryData\": \"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"objectRegistryKeyHandle\": \"hkcu\\\\software\\\\microsoft\\\\terminal server client\\\\servers\", \"objectRegistryValue\": \"UsernameHint\", \"objectSigner\": [\"Microsoft Corporation\"], \"objectSignerValid\": [true], \"objectUser\": \"DOMAIN\\\\mike.wilson\", \"os\": \"Windows Server 2022\", \"parentCmd\": \"C:\\\\Windows\\\\System32\\\\userinit.exe\", \"parentFileHashSha1\": \"3456789012345678901234ABCDEFGHIJKLMNOPQ\", \"parentFilePath\": \"C:\\\\Windows\\\\System32\\\\userinit.exe\", \"processCmd\": \"C:\\\\Windows\\\\System32\\\\mstsc.exe /v:remote.example.com\", \"processFileHashSha1\": \"456789012345678901234ABCDEFGHIJKLMNOPQR\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"request\": \"https://remote.example.com/rdweb\", \"searchDL\": \"EDR\", \"spt\": 53456, \"src\": \"175.16.199.0\", \"srcFileHashSha1\": \"56789012345678901234ABCDEFGHIJKLMNOPQRS\", \"srcFilePath\": \"C:\\\\Users\\\\mike.wilson\\\\Documents\\\\rdp_config.rdp\", \"tags\": [\"MITRE.T1021.001\", \"MITRE.T1078\"], \"uuid\": \"d4e5f678-9012-3456-def0-456789012345\"}" + }, + "file": { + "hash": { + "sha1": "23456789012345678901234ABCDEFGHIJKLMNOP" + }, + "path": "C:\\Windows\\System32\\mstsc.exe" + }, + "host": { + "hostname": "terminal-srv01", + "ip": [ + "175.16.199.0" + ], + "name": "terminal-srv01", + "os": { + "name": "Windows Server 2022" + } + }, + "process": { + "command_line": "C:\\Windows\\System32\\mstsc.exe /v:remote.example.com", + "executable": "C:\\Windows\\System32\\mstsc.exe", + "hash": { + "sha1": "456789012345678901234ABCDEFGHIJKLMNOPQR" + }, + "parent": { + "command_line": "C:\\Windows\\System32\\userinit.exe", + 
"executable": "C:\\Windows\\System32\\userinit.exe", + "hash": { + "sha1": "3456789012345678901234ABCDEFGHIJKLMNOPQ" + } + } + }, + "registry": { + "path": "hkcu\\software\\microsoft\\terminal server client\\servers", + "value": "UsernameHint" + }, + "related": { + "hash": [ + "23456789012345678901234ABCDEFGHIJKLMNOP", + "456789012345678901234ABCDEFGHIJKLMNOPQR", + "3456789012345678901234ABCDEFGHIJKLMNOPQ", + "56789012345678901234ABCDEFGHIJKLMNOPQRS" + ], + "hosts": [ + "terminal-srv01", + "remote.example.com" + ], + "ip": [ + "175.16.199.0", + "1.128.0.0", + "81.2.69.192" + ], + "user": [ + "mike.wilson@example.com", + "DOMAIN\\mike.wilson" + ] + }, + "source": { + "ip": "175.16.199.0", + "port": 53456 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "endpoint_activity": { + "destination": { + "address": "1.128.0.0", + "port": 3389 + }, + "endpoint": { + "guid": "a5769498-e8d8-7a4d-c6bc-3ef06970ef66", + "host_name": "terminal-srv01", + "ip": [ + "175.16.199.0" + ] + }, + "event": { + "id": "6", + "sub_id": 501, + "time": "2023-11-13T12:51:16.543Z", + "time_dt": "2023-11-13T11:11:16.543Z" + }, + "host_name": "terminal-srv01", + "logon_user": [ + "mike.wilson@example.com" + ], + "object": { + "cmd": "C:\\Windows\\System32\\mstsc.exe /v:remote.example.com", + "file": { + "hash_sha1": "23456789012345678901234ABCDEFGHIJKLMNOP", + "path": "C:\\Windows\\System32\\mstsc.exe" + }, + "host_name": "remote.example.com", + "integrity_level": 12288, + "ip": "1.128.0.0", + "ips": [ + "1.128.0.0", + "81.2.69.192" + ], + "port": 3389, + "registry": { + "data": "C:\\Windows\\System32\\mstsc.exe", + "key_handle": "hkcu\\software\\microsoft\\terminal server client\\servers", + "value": "UsernameHint" + }, + "signer": [ + "Microsoft Corporation" + ], + "signer_valid": [ + true + ], + "sub_true_type": 7005, + "true_type": 7, + "user": "DOMAIN\\mike.wilson" + }, + "os": "Windows Server 2022", + "parent": { + "cmd": 
"C:\\Windows\\System32\\userinit.exe", + "file": { + "hash_sha1": "3456789012345678901234ABCDEFGHIJKLMNOPQ", + "path": "C:\\Windows\\System32\\userinit.exe" + } + }, + "process": { + "cmd": "C:\\Windows\\System32\\mstsc.exe /v:remote.example.com", + "file": { + "hash_sha1": "456789012345678901234ABCDEFGHIJKLMNOPQR", + "path": "C:\\Windows\\System32\\mstsc.exe" + } + }, + "request": "https://remote.example.com/rdweb", + "search_dl": "EDR", + "source": { + "ip": "175.16.199.0", + "port": 53456 + }, + "source_file": { + "hash_sha1": "56789012345678901234ABCDEFGHIJKLMNOPQRS", + "path": "C:\\Users\\mike.wilson\\Documents\\rdp_config.rdp" + }, + "tags": [ + "MITRE.T1021.001", + "MITRE.T1078" + ], + "uuid": "d4e5f678-9012-3456-def0-456789012345", + "win_event_id": 4720 + } + }, + "url": { + "original": "https://remote.example.com/rdweb" + }, + "user": { + "name": [ + "mike.wilson@example.com" + ], + "target": { + "name": "DOMAIN\\mike.wilson" + } + } + }, + { + "@timestamp": "2023-11-13T11:29:47.654Z", + "destination": { + "address": "81.2.69.192", + "port": 53 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "code": "5857", + "id": "4", + "kind": "event", + "original": "{\"dpt\": 53, \"dst\": \"81.2.69.192\", \"endpointGuid\": \"b687a5a9-f9e9-8b5e-d7cd-4f017a81f077\", \"endpointHostName\": \"desktop-hr04\", \"endpointIp\": [\"81.2.69.144\"], \"eventId\": \"4\", \"eventSubId\": 301, \"objectIntegrityLevel\": 4096, \"objectTrueType\": 18, \"objectSubTrueType\": 28000, \"winEventId\": 5857, \"eventTime\": 1699880987654, \"eventTimeDT\": \"2023-11-13T11:29:47.654000+00:00\", \"hostName\": \"desktop-hr04\", \"logonUser\": [\"emma.jones@example.com\"], \"objectCmd\": \"C:\\\\Windows\\\\System32\\\\nslookup.exe mail.example.com\", \"objectFileHashSha1\": \"6789012345678901234ABCDEFGHIJKLMNOPQRST\", \"objectFilePath\": \"C:\\\\Windows\\\\System32\\\\nslookup.exe\", \"objectHostName\": \"dns.example.com\", \"objectIp\": \"81.2.69.192\", \"objectIps\": [\"81.2.69.192\"], 
\"objectPort\": 53, \"objectRegistryData\": \"8.8.8.8,8.8.4.4\", \"objectRegistryKeyHandle\": \"hklm\\\\system\\\\currentcontrolset\\\\services\\\\tcpip\\\\parameters\", \"objectRegistryValue\": \"NameServer\", \"objectSigner\": [\"Microsoft Windows\"], \"objectSignerValid\": [true], \"objectUser\": \"CORP\\\\emma.jones\", \"os\": \"Windows 10\", \"parentCmd\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"parentFileHashSha1\": \"789012345678901234ABCDEFGHIJKLMNOPQRSTU\", \"parentFilePath\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"processCmd\": \"C:\\\\Windows\\\\System32\\\\nslookup.exe mail.example.com\", \"processFileHashSha1\": \"89012345678901234ABCDEFGHIJKLMNOPQRSTUV\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\nslookup.exe\", \"request\": \"https://dns.example.com/lookup\", \"searchDL\": \"XDR\", \"spt\": 54567, \"src\": \"81.2.69.144\", \"srcFileHashSha1\": \"9012345678901234ABCDEFGHIJKLMNOPQRSTUVW\", \"srcFilePath\": \"C:\\\\Users\\\\emma.jones\\\\Scripts\\\\dns_check.bat\", \"tags\": [\"MITRE.T1071.004\", \"XSAE.F3002\"], \"uuid\": \"e5f67890-1234-5678-ef01-567890123456\"}" + }, + "file": { + "hash": { + "sha1": "6789012345678901234ABCDEFGHIJKLMNOPQRST" + }, + "path": "C:\\Windows\\System32\\nslookup.exe" + }, + "host": { + "hostname": "desktop-hr04", + "ip": [ + "81.2.69.144" + ], + "name": "desktop-hr04", + "os": { + "name": "Windows 10" + } + }, + "process": { + "command_line": "C:\\Windows\\System32\\nslookup.exe mail.example.com", + "executable": "C:\\Windows\\System32\\nslookup.exe", + "hash": { + "sha1": "89012345678901234ABCDEFGHIJKLMNOPQRSTUV" + }, + "parent": { + "command_line": "C:\\Windows\\System32\\cmd.exe", + "executable": "C:\\Windows\\System32\\cmd.exe", + "hash": { + "sha1": "789012345678901234ABCDEFGHIJKLMNOPQRSTU" + } + } + }, + "registry": { + "path": "hklm\\system\\currentcontrolset\\services\\tcpip\\parameters", + "value": "NameServer" + }, + "related": { + "hash": [ + "6789012345678901234ABCDEFGHIJKLMNOPQRST", + 
"89012345678901234ABCDEFGHIJKLMNOPQRSTUV", + "789012345678901234ABCDEFGHIJKLMNOPQRSTU", + "9012345678901234ABCDEFGHIJKLMNOPQRSTUVW" + ], + "hosts": [ + "desktop-hr04", + "dns.example.com" + ], + "ip": [ + "81.2.69.144", + "81.2.69.192" + ], + "user": [ + "emma.jones@example.com", + "CORP\\emma.jones" + ] + }, + "source": { + "ip": "81.2.69.144", + "port": 54567 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "endpoint_activity": { + "destination": { + "address": "81.2.69.192", + "port": 53 + }, + "endpoint": { + "guid": "b687a5a9-f9e9-8b5e-d7cd-4f017a81f077", + "host_name": "desktop-hr04", + "ip": [ + "81.2.69.144" + ] + }, + "event": { + "id": "4", + "sub_id": 301, + "time": "2023-11-13T13:09:47.654Z", + "time_dt": "2023-11-13T11:29:47.654Z" + }, + "host_name": "desktop-hr04", + "logon_user": [ + "emma.jones@example.com" + ], + "object": { + "cmd": "C:\\Windows\\System32\\nslookup.exe mail.example.com", + "file": { + "hash_sha1": "6789012345678901234ABCDEFGHIJKLMNOPQRST", + "path": "C:\\Windows\\System32\\nslookup.exe" + }, + "host_name": "dns.example.com", + "integrity_level": 4096, + "ip": "81.2.69.192", + "ips": [ + "81.2.69.192" + ], + "port": 53, + "registry": { + "data": "8.8.8.8,8.8.4.4", + "key_handle": "hklm\\system\\currentcontrolset\\services\\tcpip\\parameters", + "value": "NameServer" + }, + "signer": [ + "Microsoft Windows" + ], + "signer_valid": [ + true + ], + "sub_true_type": 28000, + "true_type": 18, + "user": "CORP\\emma.jones" + }, + "os": "Windows 10", + "parent": { + "cmd": "C:\\Windows\\System32\\cmd.exe", + "file": { + "hash_sha1": "789012345678901234ABCDEFGHIJKLMNOPQRSTU", + "path": "C:\\Windows\\System32\\cmd.exe" + } + }, + "process": { + "cmd": "C:\\Windows\\System32\\nslookup.exe mail.example.com", + "file": { + "hash_sha1": "89012345678901234ABCDEFGHIJKLMNOPQRSTUV", + "path": "C:\\Windows\\System32\\nslookup.exe" + } + }, + "request": "https://dns.example.com/lookup", + "search_dl": "XDR", + 
"source": {
+ "ip": "81.2.69.144",
+ "port": 54567
+ },
+ "source_file": {
+ "hash_sha1": "9012345678901234ABCDEFGHIJKLMNOPQRSTUVW",
+ "path": "C:\\Users\\emma.jones\\Scripts\\dns_check.bat"
+ },
+ "tags": [
+ "MITRE.T1071.004",
+ "XSAE.F3002"
+ ],
+ "uuid": "e5f67890-1234-5678-ef01-567890123456",
+ "win_event_id": 5857
+ }
+ },
+ "url": {
+ "original": "https://dns.example.com/lookup"
+ },
+ "user": {
+ "name": [
+ "emma.jones@example.com"
+ ],
+ "target": {
+ "name": "CORP\\emma.jones"
+ }
+ }
+ }
+ ]
+}
diff --git a/packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/system/test-default-config.yml b/packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..81c3d6c163d
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/endpoint_activity/_dev/test/system/test-default-config.yml
@@ -0,0 +1,12 @@
+input: cel
+service: trend_micro_vision_one
+vars:
+ hostname: http://{{Hostname}}:{{Port}}
+ api_token: xxxx
+data_stream:
+ vars:
+ batch_size: 2
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
+assert:
+ hit_count: 4
diff --git a/packages/trend_micro_vision_one/data_stream/endpoint_activity/agent/stream/cel.yml.hbs b/packages/trend_micro_vision_one/data_stream/endpoint_activity/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..2daa920e1ae
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/endpoint_activity/agent/stream/cel.yml.hbs
@@ -0,0 +1,145 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{hostname}} +state: + api_token: {{api_token}} + initial_interval: {{initial_interval}} + batch_size: {{batch_size}} +redact: + fields: + - api_token +program: |- + ( + state.?want_more.orValue(false) ? + state + : + state.with({ + "start_time": state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339)), + "end_time": now.format(time_layout.RFC3339), + }) + ).as(state, + // use next.link if available, otherwise build initial request + ( + state.?next.link.hasValue() ? + state.next.link + : + state.url.trim_right("/") + "/v3.0/search/endpointActivities?" + { + "top": [string(state.batch_size)], + "startDateTime": [string(state.start_time)], + "endDateTime": [string(state.end_time)], + }.format_query() + ).as(request_url, + request( + "GET", + request_url + ).with( + { + "Header": { + "Authorization": ["Bearer " + state.api_token], + "Content-Type": ["application/json;charset=utf-8"], + "TMV1-Query": ["*"], + }, + } + ).do_request().as(resp, + resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, + { + "events": has(body.items) && size(body.items) > 0 ? + body.items.map(item, + { + "message": item.encode_json(), + } + ) + : + [], + // next.link will not be available in last paginated call + "next": {?"link": body.?nextLink}, + "want_more": body.?nextLink.hasValue(), + "api_token": state.api_token, + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, + "cursor": { + ?"last_timestamp": (has(body.items) && size(body.items) > 0) ? + (has(state.?cursor.last_timestamp) ? 
+ optional.of( + max([ + state.cursor.last_timestamp.parse_time("2006-01-02T15:04:05"), + timestamp(int(timestamp(0)+duration(string(int(body.items[0].eventTime))+"ms"))) + ]).format("2006-01-02T15:04:05") + ) + : + optional.of(timestamp(int(timestamp(0)+duration(string(int(body.items[0].eventTime))+"ms"))).format("2006-01-02T15:04:05")) + ) + : + state.?cursor.last_timestamp + } + } + ) + : + resp.StatusCode == 429 ? + { + "events": [], + "rate_limited": debug("rate_limit_exceeded", bytes(resp.Body).decode_json().?fail[0].message.orValue("missing message")), + "want_more": false, + "next": state.?next, + "api_token": state.api_token, + "initial_interval": state.initial_interval, + "batch_size": state.batch_size, + "cursor": state.?cursor, + } + : + { + "events": [ + { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + request_url + ": " + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + ], + "want_more": false, + "next": state.?next, + "api_token": state.api_token, + "initial_interval": state.initial_interval, + "batch_size": state.batch_size, + "cursor": state.?cursor, + } + ) + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/trend_micro_vision_one/data_stream/endpoint_activity/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/endpoint_activity/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..2faed8777b1 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/endpoint_activity/elasticsearch/ingest_pipeline/default.yml 
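Review bot: The `cursor` block inside `program` stores `last_timestamp` with the layout `2006-01-02T15:04:05` (no zone, no fraction) while the initial `start_time` is built with `time_layout.RFC3339`, so `startDateTime` is sent in two different formats depending on whether a cursor exists, and the `timestamp(int(timestamp(0)+duration(...)))` round-trip truncates `eventTime` to whole seconds before it is stored. The new cursor is also derived only from `body.items[0].eventTime`, which is correct only if the API returns the newest item first; if pages are oldest-first the cursor advances one page-start per run and later runs re-request already-seen events (I cannot confirm the sort order from this diff). Because `startDateTime` is the cursor itself, every run re-fetches at least the boundary event, and de-duplication then rests entirely on the ingest pipeline's `fingerprint` of `eventTime`+`eventId` in the next file of this diff; in the sample data `eventId` takes values like 1, 3, 4, 6 and 7, which looks like a type code rather than a per-event id, so `uuid` may be the safer fingerprint input. The rewrite below keeps one layout (RFC3339) for both storing and parsing the cursor and takes the maximum over every item in the page rather than the first.
```yaml
                // … unchanged: events, next, want_more, api_token, batch_size, initial_interval …
                "cursor": {
                  ?"last_timestamp": (has(body.items) && size(body.items) > 0) ?
                    optional.of(
                      // newest event in the page regardless of the API's sort order, never moving backwards
                      max(
                        body.items.map(item, timestamp(0) + duration(string(int(item.eventTime)) + "ms")) +
                        (has(state.?cursor.last_timestamp) ? [state.cursor.last_timestamp.parse_time(time_layout.RFC3339)] : [])
                      ).format(time_layout.RFC3339)
                    )
                  :
                    state.?cursor.last_timestamp
                }
```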
@@ -0,0 +1,684 @@ +--- +description: Pipeline for processing endpoint activity logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - terminate: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + description: error message set and no data to process. + - set: + field: event.kind + tag: set_event_kind + value: event + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, + as they can collide with ECS fields. 
+ - json: + field: event.original + tag: json_event_original + target_field: json + - fingerprint: + fields: + - json.eventTime + - json.eventId + tag: fingerprint_endpoint_activity + target_field: _id + ignore_missing: true + - rename: + field: json.dst + tag: rename_dst + target_field: trend_micro_vision_one.endpoint_activity.destination.address + ignore_missing: true + - rename: + field: json.endpointGuid + tag: rename_endpoint_guid + target_field: trend_micro_vision_one.endpoint_activity.endpoint.guid + ignore_missing: true + - rename: + field: json.endpointHostName + tag: rename_endpoint_host_name + target_field: trend_micro_vision_one.endpoint_activity.endpoint.host_name + ignore_missing: true + - rename: + field: json.eventId + tag: rename_event_id + target_field: trend_micro_vision_one.endpoint_activity.event.id + ignore_missing: true + - rename: + field: json.hostName + tag: rename_host_name + target_field: trend_micro_vision_one.endpoint_activity.host_name + ignore_missing: true + - rename: + field: json.logonUser + tag: rename_logon_user + target_field: trend_micro_vision_one.endpoint_activity.logon_user + ignore_missing: true + - rename: + field: json.objectCmd + tag: rename_object_cmd + target_field: trend_micro_vision_one.endpoint_activity.object.cmd + ignore_missing: true + - rename: + field: json.objectFileHashSha1 + tag: rename_object_file_hash_sha1 + target_field: trend_micro_vision_one.endpoint_activity.object.file.hash_sha1 + ignore_missing: true + - rename: + field: json.objectFilePath + tag: rename_object_file_path + target_field: trend_micro_vision_one.endpoint_activity.object.file.path + ignore_missing: true + - rename: + field: json.objectHostName + tag: rename_object_host_name + target_field: trend_micro_vision_one.endpoint_activity.object.host_name + ignore_missing: true + - rename: + field: json.objectRegistryData + tag: rename_object_registry_data + target_field: trend_micro_vision_one.endpoint_activity.object.registry.data + 
ignore_missing: true + - rename: + field: json.objectRegistryKeyHandle + tag: rename_object_registry_key_handle + target_field: trend_micro_vision_one.endpoint_activity.object.registry.key_handle + ignore_missing: true + - rename: + field: json.objectRegistryValue + tag: rename_object_registry_value + target_field: trend_micro_vision_one.endpoint_activity.object.registry.value + ignore_missing: true + - rename: + field: json.objectSigner + tag: rename_object_signer + target_field: trend_micro_vision_one.endpoint_activity.object.signer + ignore_missing: true + - rename: + field: json.objectUser + tag: rename_object_user + target_field: trend_micro_vision_one.endpoint_activity.object.user + ignore_missing: true + - rename: + field: json.os + tag: rename_os + target_field: trend_micro_vision_one.endpoint_activity.os + ignore_missing: true + - rename: + field: json.parentCmd + tag: rename_parent_cmd + target_field: trend_micro_vision_one.endpoint_activity.parent.cmd + ignore_missing: true + - rename: + field: json.parentFileHashSha1 + tag: rename_parent_file_hash_sha1 + target_field: trend_micro_vision_one.endpoint_activity.parent.file.hash_sha1 + ignore_missing: true + - rename: + field: json.parentFilePath + tag: rename_parent_file_path + target_field: trend_micro_vision_one.endpoint_activity.parent.file.path + ignore_missing: true + - rename: + field: json.processCmd + tag: rename_process_cmd + target_field: trend_micro_vision_one.endpoint_activity.process.cmd + ignore_missing: true + - rename: + field: json.processFileHashSha1 + tag: rename_process_file_hash_sha1 + target_field: trend_micro_vision_one.endpoint_activity.process.file.hash_sha1 + ignore_missing: true + - rename: + field: json.processFilePath + tag: rename_process_file_path + target_field: trend_micro_vision_one.endpoint_activity.process.file.path + ignore_missing: true + - rename: + field: json.request + tag: rename_request + target_field: trend_micro_vision_one.endpoint_activity.request + 
ignore_missing: true + - rename: + field: json.searchDL + tag: rename_search_dl + target_field: trend_micro_vision_one.endpoint_activity.search_dl + ignore_missing: true + - rename: + field: json.srcFileHashSha1 + tag: rename_src_file_hash_sha1 + target_field: trend_micro_vision_one.endpoint_activity.source_file.hash_sha1 + ignore_missing: true + - rename: + field: json.srcFilePath + tag: rename_src_file_path + target_field: trend_micro_vision_one.endpoint_activity.source_file.path + ignore_missing: true + - rename: + field: json.tags + tag: rename_tags + target_field: trend_micro_vision_one.endpoint_activity.tags + ignore_missing: true + - rename: + field: json.uuid + tag: rename_uuid + target_field: trend_micro_vision_one.endpoint_activity.uuid + ignore_missing: true + - rename: + field: json.winEventId + tag: rename_win_event_id + target_field: trend_micro_vision_one.endpoint_activity.win_event_id + ignore_missing: true + - convert: + field: json.dpt + tag: convert_dpt + target_field: trend_micro_vision_one.endpoint_activity.destination.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.eventSubId + tag: convert_event_sub_id + target_field: trend_micro_vision_one.endpoint_activity.event.sub_id + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.objectIntegrityLevel + tag: convert_object_integrity_level + target_field: trend_micro_vision_one.endpoint_activity.object.integrity_level + type: long + ignore_missing: true + 
on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.objectPort + tag: convert_object_port + target_field: trend_micro_vision_one.endpoint_activity.object.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.objectSubTrueType + tag: convert_object_sub_true_type + target_field: trend_micro_vision_one.endpoint_activity.object.sub_true_type + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.objectTrueType + tag: convert_object_true_type + target_field: trend_micro_vision_one.endpoint_activity.object.true_type + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.spt + tag: convert_spt + target_field: trend_micro_vision_one.endpoint_activity.source.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - 
foreach: + field: json.objectSignerValid + tag: foreach_objectSignerValid + if: ctx.json?.objectSignerValid instanceof List + processor: + convert: + field: _ingest._value + tag: convert_objectSignerValid + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.objectSignerValid + tag: rename_objectSignerValid + target_field: trend_micro_vision_one.endpoint_activity.object.signer_valid + ignore_missing: true + - foreach: + field: json.endpointIp + tag: foreach_endpointIp + if: ctx.json?.endpointIp instanceof List + processor: + convert: + field: _ingest._value + tag: convert_endpoint_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.endpointIp + tag: rename_endpointIp + target_field: trend_micro_vision_one.endpoint_activity.endpoint.ip + ignore_missing: true + - convert: + field: json.objectIp + tag: convert_object_ip + target_field: trend_micro_vision_one.endpoint_activity.object.ip + type: ip + ignore_missing: true + if: ctx.json?.objectIp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.objectIps + tag: foreach_objectIps + if: ctx.json?.objectIps instanceof List + processor: + convert: + field: _ingest._value + tag: 
convert_object_ips + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.objectIps + tag: rename_objectIps + target_field: trend_micro_vision_one.endpoint_activity.object.ips + ignore_missing: true + - convert: + field: json.src + tag: convert_src + target_field: trend_micro_vision_one.endpoint_activity.source.ip + type: ip + ignore_missing: true + if: ctx.json?.src != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.eventTime + tag: date_event_time + target_field: trend_micro_vision_one.endpoint_activity.event.time + formats: + - UNIX_MS + - UNIX + if: ctx.json?.eventTime != null && ctx.json.eventTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.eventTimeDT + tag: date_event_time_dt + target_field: trend_micro_vision_one.endpoint_activity.event.time_dt + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss[.SSSSSS][.SSS]XXX + if: ctx.json?.eventTimeDT != null && ctx.json.eventTimeDT != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.address + tag: 
set_destination_address + copy_from: trend_micro_vision_one.endpoint_activity.destination.address + ignore_empty_value: true + - set: + field: destination.port + tag: set_destination_port + copy_from: trend_micro_vision_one.endpoint_activity.destination.port + ignore_empty_value: true + - set: + field: host.hostname + tag: set_host_hostname + copy_from: trend_micro_vision_one.endpoint_activity.endpoint.host_name + ignore_empty_value: true + - foreach: + field: trend_micro_vision_one.endpoint_activity.endpoint.ip + tag: foreach_endpoint_activity_endpoint_ip + if: ctx.trend_micro_vision_one?.endpoint_activity?.endpoint?.ip instanceof List + processor: + append: + field: host.ip + tag: append_host_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - set: + field: event.id + tag: set_event_id + copy_from: trend_micro_vision_one.endpoint_activity.event.id + ignore_empty_value: true + - set: + field: '@timestamp' + tag: set_timestamp + copy_from: trend_micro_vision_one.endpoint_activity.event.time_dt + ignore_empty_value: true + - set: + field: host.name + tag: set_host_name + copy_from: trend_micro_vision_one.endpoint_activity.host_name + ignore_empty_value: true + - foreach: + field: trend_micro_vision_one.endpoint_activity.logon_user + tag: foreach_logon_user + if: ctx.trend_micro_vision_one?.endpoint_activity?.logon_user instanceof List + processor: + append: + field: user.name + tag: append_user_name + value: '{{{_ingest._value}}}' + allow_duplicates: false + - set: + field: process.command_line + tag: set_process_command_line + copy_from: trend_micro_vision_one.endpoint_activity.process.cmd + ignore_empty_value: true + - set: + field: file.hash.sha1 + tag: set_file_hash_sha1 + copy_from: trend_micro_vision_one.endpoint_activity.object.file.hash_sha1 + ignore_empty_value: true + - set: + field: file.path + tag: set_file_path + copy_from: trend_micro_vision_one.endpoint_activity.object.file.path + ignore_empty_value: true + - set: + field: registry.path + 
tag: set_registry_path + copy_from: trend_micro_vision_one.endpoint_activity.object.registry.key_handle + ignore_empty_value: true + - set: + field: registry.value + tag: set_registry_value + copy_from: trend_micro_vision_one.endpoint_activity.object.registry.value + ignore_empty_value: true + - set: + field: user.target.name + tag: set_user_target_name + copy_from: trend_micro_vision_one.endpoint_activity.object.user + ignore_empty_value: true + - set: + field: host.os.name + tag: set_host_os_name + copy_from: trend_micro_vision_one.endpoint_activity.os + ignore_empty_value: true + - set: + field: process.parent.command_line + tag: set_process_parent_command_line + copy_from: trend_micro_vision_one.endpoint_activity.parent.cmd + ignore_empty_value: true + - set: + field: process.parent.hash.sha1 + tag: set_process_parent_hash_sha1 + copy_from: trend_micro_vision_one.endpoint_activity.parent.file.hash_sha1 + ignore_empty_value: true + - set: + field: process.parent.executable + tag: set_process_parent_executable + copy_from: trend_micro_vision_one.endpoint_activity.parent.file.path + ignore_empty_value: true + - set: + field: process.hash.sha1 + tag: set_process_hash_sha1 + copy_from: trend_micro_vision_one.endpoint_activity.process.file.hash_sha1 + ignore_empty_value: true + - set: + field: process.executable + tag: set_process_executable + copy_from: trend_micro_vision_one.endpoint_activity.process.file.path + ignore_empty_value: true + - set: + field: url.original + tag: set_url_original + copy_from: trend_micro_vision_one.endpoint_activity.request + ignore_empty_value: true + - set: + field: source.ip + tag: set_source_ip + copy_from: trend_micro_vision_one.endpoint_activity.source.ip + ignore_empty_value: true + - set: + field: source.port + tag: set_source_port + copy_from: trend_micro_vision_one.endpoint_activity.source.port + ignore_empty_value: true + - convert: + field: trend_micro_vision_one.endpoint_activity.win_event_id + tag: convert_event_code + 
target_field: event.code + type: string + ignore_missing: true + - foreach: + field: host.ip + tag: foreach_host_ip + if: ctx.host?.ip instanceof List + processor: + append: + field: related.ip + tag: append_related_ip_from_host_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: trend_micro_vision_one.endpoint_activity.object.ips + tag: foreach_endpoint_acitivity_objectIps + if: ctx.trend_micro_vision_one?.endpoint_activity?.object?.ips instanceof List + processor: + append: + field: related.ip + tag: append_related_ip_from_object_ips + value: '{{{_ingest._value}}}' + allow_duplicates: false + - append: + field: related.ip + tag: append_related_ip_source + value: '{{{trend_micro_vision_one.endpoint_activity.source.ip}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.endpoint_activity?.source?.ip != null + - append: + field: related.ip + tag: append_related_ip_destination + value: '{{{trend_micro_vision_one.endpoint_activity.destination.address}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.endpoint_activity?.destination?.address != null + - append: + field: related.ip + tag: append_related_ip_object + value: '{{{trend_micro_vision_one.endpoint_activity.object.ip}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.endpoint_activity?.object?.ip != null + - foreach: + field: trend_micro_vision_one.endpoint_activity.logon_user + tag: foreach_endpoint_activity_logon_user + if: ctx.trend_micro_vision_one?.endpoint_activity?.logon_user instanceof List + processor: + append: + field: related.user + tag: append_related_user + value: '{{{_ingest._value}}}' + allow_duplicates: false + - append: + field: related.user + tag: append_related_user_object + value: '{{{trend_micro_vision_one.endpoint_activity.object.user}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.endpoint_activity?.object?.user != null + - append: + field: related.hash + tag: append_related_hash_object_file + value: 
'{{{trend_micro_vision_one.endpoint_activity.object.file.hash_sha1}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.endpoint_activity?.object?.file?.hash_sha1 != null + - append: + field: related.hash + tag: append_related_hash_process_file + value: '{{{trend_micro_vision_one.endpoint_activity.process.file.hash_sha1}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.endpoint_activity?.process?.file?.hash_sha1 != null + - append: + field: related.hash + tag: append_related_hash_parent_file + value: '{{{trend_micro_vision_one.endpoint_activity.parent.file.hash_sha1}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.endpoint_activity?.parent?.file?.hash_sha1 != null + - append: + field: related.hash + tag: append_related_hash_source_file + value: '{{{trend_micro_vision_one.endpoint_activity.source_file.hash_sha1}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.endpoint_activity?.source_file?.hash_sha1 != null + - append: + field: related.hosts + tag: append_related_hosts_host_name + value: '{{{trend_micro_vision_one.endpoint_activity.host_name}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.endpoint_activity?.host_name != null + - append: + field: related.hosts + tag: append_related_hosts_endpoint + value: '{{{trend_micro_vision_one.endpoint_activity.endpoint.host_name}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.endpoint_activity?.endpoint?.host_name != null + - append: + field: related.hosts + tag: append_related_hosts_object + value: '{{{trend_micro_vision_one.endpoint_activity.object.host_name}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.endpoint_activity?.object?.host_name != null + - remove: + field: + - trend_micro_vision_one.endpoint_activity.destination.address + - trend_micro_vision_one.endpoint_activity.destination.port + - trend_micro_vision_one.endpoint_activity.endpoint.host_name + - trend_micro_vision_one.endpoint_activity.endpoint.ip + - 
trend_micro_vision_one.endpoint_activity.event.id + - trend_micro_vision_one.endpoint_activity.event.time_dt + - trend_micro_vision_one.endpoint_activity.host_name + - trend_micro_vision_one.endpoint_activity.logon_user + - trend_micro_vision_one.endpoint_activity.object.file.hash_sha1 + - trend_micro_vision_one.endpoint_activity.object.file.path + - trend_micro_vision_one.endpoint_activity.object.registry.key_handle + - trend_micro_vision_one.endpoint_activity.object.registry.value + - trend_micro_vision_one.endpoint_activity.object.user + - trend_micro_vision_one.endpoint_activity.os + - trend_micro_vision_one.endpoint_activity.parent.cmd + - trend_micro_vision_one.endpoint_activity.parent.file.hash_sha1 + - trend_micro_vision_one.endpoint_activity.parent.file.path + - trend_micro_vision_one.endpoint_activity.process.cmd + - trend_micro_vision_one.endpoint_activity.process.file.hash_sha1 + - trend_micro_vision_one.endpoint_activity.process.file.path + - trend_micro_vision_one.endpoint_activity.request + - trend_micro_vision_one.endpoint_activity.source.ip + - trend_micro_vision_one.endpoint_activity.source.port + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + - remove: + field: json + tag: remove_json + ignore_missing: true + - script: + tag: script_to_drop_null_values + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. 
+ source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/trend_micro_vision_one/data_stream/endpoint_activity/fields/base-fields.yml b/packages/trend_micro_vision_one/data_stream/endpoint_activity/fields/base-fields.yml new file mode 100644 index 00000000000..a88f5e8e58f --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/endpoint_activity/fields/base-fields.yml 
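Review bot: The `fingerprint` processor derives `_id` from `json.eventTime` plus `json.eventId`, but `eventId` is the event type code rather than a record identifier (the field definition in this change calls it "Event ID for data field mapping", and the sample event has `"eventId":"29"` next to `"winEventId":4624`), so two endpoint events of the same type logged in the same millisecond collide on `_id` and the second is rejected as a duplicate at index time. The record's own unique key is `uuid` ("Log unique identity" in the field definitions), so the fingerprint should be built from it: `fields:` / `  - json.uuid`, keeping `ignore_missing: true` so records without a `uuid` still index. This matters more than usual here because the collector keeps its cursor at one-second precision and re-fetches at least the last second on every run, relying on `_id` to de-duplicate that overlap.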
@@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + type: constant_keyword + external: ecs + value: trend_micro_vision_one +- name: event.dataset + type: constant_keyword + external: ecs + value: trend_micro_vision_one.endpoint_activity +- name: '@timestamp' + external: ecs diff --git a/packages/trend_micro_vision_one/data_stream/endpoint_activity/fields/beats.yml b/packages/trend_micro_vision_one/data_stream/endpoint_activity/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/endpoint_activity/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/trend_micro_vision_one/data_stream/endpoint_activity/fields/fields.yml b/packages/trend_micro_vision_one/data_stream/endpoint_activity/fields/fields.yml new file mode 100644 index 00000000000..a83c084095e --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/endpoint_activity/fields/fields.yml 
@@ -0,0 +1,171 @@ +- name: trend_micro_vision_one + type: group + fields: + - name: endpoint_activity + type: group + fields: + - name: destination + type: group + fields: + - name: address + type: keyword + description: Destination IP address. + - name: port + type: long + description: Destination port. + - name: endpoint + type: group + fields: + - name: guid + type: keyword + description: Endpoint GUID for identity. + - name: host_name + type: keyword + description: Hostname of the endpoint on which the event was generated. + - name: ip + type: ip + description: Endpoint IP address list. + - name: event + type: group + fields: + - name: id + type: keyword + description: Event ID for data field mapping. + - name: sub_id + type: long + description: Event sub ID for data field mapping. + - name: time + type: date + description: Log collect time utc format. + - name: time_dt + type: date + description: Log collect time. + - name: host_name + type: keyword + description: Hostname of the endpoint on which the event was generated. + - name: logon_user + type: keyword + description: Logon user name. + - name: object + type: group + fields: + - name: cmd + type: keyword + description: Command line entry of target process. + - name: file + type: group + fields: + - name: hash_sha1 + type: keyword + description: The SHA1 hash of target process image or target file. + - name: path + type: keyword + description: File path location of target process image or target file. + - name: host_name + type: keyword + description: Server name where Internet event was detected. + - name: integrity_level + type: long + description: Object integrity level for data field mapping. + - name: ip + type: ip + description: IP address of internet event. + - name: ips + type: ip + description: IP address list of internet event. + - name: port + type: long + description: The port number used by internet event. 
+ - name: registry + type: group + fields: + - name: data + type: keyword + description: The registry value data. + - name: key_handle + type: keyword + description: The registry key. + - name: value + type: keyword + description: Registry value name. + - name: signer + type: keyword + description: Certificate signer of object process or file. + - name: signer_valid + type: boolean + description: Validity of certificate signer. + - name: sub_true_type + type: long + description: Object sub true type for data field mapping. + - name: true_type + type: long + description: Object true type for data field mapping. + - name: user + type: keyword + description: The owner name of target process / The logon user name. + - name: os + type: keyword + description: Operating system. + - name: parent + type: group + fields: + - name: cmd + type: keyword + description: The command line that parent process. + - name: file + type: group + fields: + - name: hash_sha1 + type: keyword + description: The SHA1 hash of parent process. + - name: path + type: keyword + description: The file path location of parent process. + - name: process + type: group + fields: + - name: cmd + type: keyword + description: The command line used to launch this process. + - name: file + type: group + fields: + - name: hash_sha1 + type: keyword + description: The process file sha1. + - name: path + type: keyword + description: The process file path. + - name: request + type: keyword + description: Request URL (normally detected by Web Reputation Services). + - name: search_dl + type: keyword + description: Search data lake. + - name: source + type: group + fields: + - name: ip + type: ip + description: Source IP address. + - name: port + type: long + description: Source port. + - name: source_file + type: group + fields: + - name: hash_sha1 + type: keyword + description: Source file sha1. + - name: path + type: keyword + description: Source file path. 
+ - name: tags + type: keyword + description: Detected by Security Analytics Engine filters. + - name: uuid + type: keyword + description: Log unique identity. + - name: win_event_id + type: long + description: Windows event ID for data field mapping. diff --git a/packages/trend_micro_vision_one/data_stream/endpoint_activity/manifest.yml b/packages/trend_micro_vision_one/data_stream/endpoint_activity/manifest.yml new file mode 100644 index 00000000000..73a61940cf1 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/endpoint_activity/manifest.yml 
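Review bot: `destination.address` is declared `keyword` although its description says "Destination IP address", and the pipeline appends the same value to `related.ip`, an `ip`-typed field; a value that is not a parseable address (for example a hostname) is then rejected by the mapper at index time, outside the reach of the pipeline's `on_failure` handlers. The source side already models this as `source.ip` of type `ip`, converted with a failure handler, so the destination should match: `- name: ip` / `type: ip` / `description: Destination IP address.` under `destination`, with the pipeline converting `json.dst` the way it converts `json.src`. Whether `dst` ever carries non-IP values is not visible in this change, so treat this as hardening rather than an observed failure.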
@@ -0,0 +1,81 @@ +title: Collect endpoint activity logs from Trend Micro Vision One. +type: logs +streams: + - input: cel + enabled: false + title: Endpoint Activity + description: Collect endpoint activity logs from Trend Micro Vision One. + template_path: cel.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 24h + description: How far back to pull the Endpoint Activity logs from Trend Micro Vision One API. Supported units for this parameter are h/m/s. + - name: interval + type: text + title: Interval + description: Duration between requests to the Trend Micro Vision One API. Supported units for this parameter are h/m/s. + default: 24h + multi: false + required: true + show_user: true + - name: batch_size + type: integer + title: Batch Size + description: Batch size for the response of the Trend Micro Vision One API. The maximum supported page size value is 1000. + default: 1000 + multi: false + required: true + show_user: false + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: enable_request_tracer + type: bool + title: Enable request tracing + default: false + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details. 
+ - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - trend_micro_vision_one-endpoint_activity + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve trend_micro_vision_one.endpoint_activity fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/trend_micro_vision_one/data_stream/endpoint_activity/sample_event.json b/packages/trend_micro_vision_one/data_stream/endpoint_activity/sample_event.json new file mode 100644 index 00000000000..0e1dde25636 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/endpoint_activity/sample_event.json 
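Review bot: The `interval` default of `24h` polls the Endpoint Activity search once a day, and since the collector closes each query window at the time of the run, an event can wait up to a day before it reaches the index; for endpoint telemetry meant to drive detections that is a long delay. If the API's rate limits permit it, a shorter default such as `default: 5m` would serve the data stream's purpose better; otherwise the description should state why daily polling was chosen so operators do not take it for a safe default. `initial_interval: 24h` is the backfill depth on first start, a separate concern, and can stay as is.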
@@ -0,0 +1,201 @@ +{ + "@timestamp": "2023-11-13T10:15:43.210Z", + "agent": { + "ephemeral_id": "e3104ef5-8982-48d9-a9ec-3f6c451df799", + "id": "fca8de1b-d200-49c4-9272-7088e4a986bb", + "name": "elastic-agent-21907", + "type": "filebeat", + "version": "8.19.7" + }, + "data_stream": { + "dataset": "trend_micro_vision_one.endpoint_activity", + "namespace": "48188", + "type": "logs" + }, + "destination": { + "address": "81.2.69.142", + "port": 442 + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "fca8de1b-d200-49c4-9272-7088e4a986bb", + "snapshot": true, + "version": "8.19.7" + }, + "event": { + "agent_id_status": "verified", + "code": "4624", + "dataset": "trend_micro_vision_one.endpoint_activity", + "id": "29", + "ingested": "2025-12-02T12:31:41Z", + "kind": "event", + "original": "{\"dpt\":442,\"dst\":\"81.2.69.142\",\"endpointGuid\":\"72436165-b5a5-471a-9389-0bdc3647bc33\",\"endpointHostName\":\"workstation-pc01\",\"endpointIp\":[\"1.128.0.0\"],\"eventId\":\"29\",\"eventSubId\":2,\"eventTime\":1699876543210,\"eventTimeDT\":\"2023-11-13T10:15:43.210000+00:00\",\"hostName\":\"workstation-pc01\",\"logonUser\":[\"john.doe@example.com\"],\"objectCmd\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c whoami\",\"objectFileHashSha1\":\"A1B2C3D4E5F6789012345678901234567890ABCD\",\"objectFilePath\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"objectHostName\":\"api.example.com\",\"objectIntegrityLevel\":8192,\"objectIp\":\"81.2.69.144\",\"objectIps\":[\"81.2.69.144\",\"175.16.199.0\"],\"objectPort\":8080,\"objectRegistryData\":\"C:\\\\Program Files\\\\MyApp\\\\startup.exe\",\"objectRegistryKeyHandle\":\"hklm\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\",\"objectRegistryValue\":\"MyAppStartup\",\"objectSigner\":[\"Microsoft Windows\"],\"objectSignerValid\":[true],\"objectSubTrueType\":7002,\"objectTrueType\":7,\"objectUser\":\"DOMAIN\\\\john.doe\",\"os\":\"Windows 
10\",\"parentCmd\":\"C:\\\\Windows\\\\explorer.exe\",\"parentFileHashSha1\":\"B2C3D4E5F67890123456789012345678901ABCDE\",\"parentFilePath\":\"C:\\\\Windows\\\\explorer.exe\",\"processCmd\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c whoami\",\"processFileHashSha1\":\"C3D4E5F678901234567890123456789012ABCDEF\",\"processFilePath\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"request\":\"https://api.example.com/v1/auth\",\"searchDL\":\"EDR\",\"spt\":49152,\"src\":\"1.128.0.0\",\"srcFileHashSha1\":\"D4E5F6789012345678901234567890123ABCDEFG\",\"srcFilePath\":\"C:\\\\Users\\\\john.doe\\\\Downloads\\\\installer.exe\",\"tags\":[\"MITRE.T1059.001\",\"XSAE.F1001\"],\"uuid\":\"a1b2c3d4-e5f6-7890-abcd-ef1234567890\",\"winEventId\":4624}" + }, + "file": { + "hash": { + "sha1": "A1B2C3D4E5F6789012345678901234567890ABCD" + }, + "path": "C:\\Windows\\System32\\cmd.exe" + }, + "host": { + "hostname": "workstation-pc01", + "ip": [ + "1.128.0.0" + ], + "name": "workstation-pc01", + "os": { + "name": "Windows 10" + } + }, + "input": { + "type": "cel" + }, + "process": { + "command_line": "C:\\Windows\\System32\\cmd.exe /c whoami", + "executable": "C:\\Windows\\System32\\cmd.exe", + "hash": { + "sha1": "C3D4E5F678901234567890123456789012ABCDEF" + }, + "parent": { + "command_line": "C:\\Windows\\explorer.exe", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha1": "B2C3D4E5F67890123456789012345678901ABCDE" + } + } + }, + "registry": { + "path": "hklm\\software\\microsoft\\windows\\currentversion\\run", + "value": "MyAppStartup" + }, + "related": { + "hash": [ + "A1B2C3D4E5F6789012345678901234567890ABCD", + "C3D4E5F678901234567890123456789012ABCDEF", + "B2C3D4E5F67890123456789012345678901ABCDE", + "D4E5F6789012345678901234567890123ABCDEFG" + ], + "hosts": [ + "workstation-pc01", + "api.example.com" + ], + "ip": [ + "1.128.0.0", + "81.2.69.144", + "175.16.199.0", + "81.2.69.142" + ], + "user": [ + "john.doe@example.com", + "DOMAIN\\john.doe" + ] + }, + "source": { + "ip": 
"1.128.0.0", + "port": 49152 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "trend_micro_vision_one-endpoint_activity" + ], + "trend_micro_vision_one": { + "endpoint_activity": { + "destination": { + "address": "81.2.69.142", + "port": 442 + }, + "endpoint": { + "guid": "72436165-b5a5-471a-9389-0bdc3647bc33", + "host_name": "workstation-pc01", + "ip": [ + "1.128.0.0" + ] + }, + "event": { + "id": "29", + "sub_id": 2, + "time": "2023-11-13T11:55:43.210Z", + "time_dt": "2023-11-13T10:15:43.210Z" + }, + "host_name": "workstation-pc01", + "logon_user": [ + "john.doe@example.com" + ], + "object": { + "cmd": "C:\\Windows\\System32\\cmd.exe /c whoami", + "file": { + "hash_sha1": "A1B2C3D4E5F6789012345678901234567890ABCD", + "path": "C:\\Windows\\System32\\cmd.exe" + }, + "host_name": "api.example.com", + "integrity_level": 8192, + "ip": "81.2.69.144", + "ips": [ + "81.2.69.144", + "175.16.199.0" + ], + "port": 8080, + "registry": { + "data": "C:\\Program Files\\MyApp\\startup.exe", + "key_handle": "hklm\\software\\microsoft\\windows\\currentversion\\run", + "value": "MyAppStartup" + }, + "signer": [ + "Microsoft Windows" + ], + "signer_valid": [ + true + ], + "sub_true_type": 7002, + "true_type": 7, + "user": "DOMAIN\\john.doe" + }, + "os": "Windows 10", + "parent": { + "cmd": "C:\\Windows\\explorer.exe", + "file": { + "hash_sha1": "B2C3D4E5F67890123456789012345678901ABCDE", + "path": "C:\\Windows\\explorer.exe" + } + }, + "process": { + "cmd": "C:\\Windows\\System32\\cmd.exe /c whoami", + "file": { + "hash_sha1": "C3D4E5F678901234567890123456789012ABCDEF", + "path": "C:\\Windows\\System32\\cmd.exe" + } + }, + "request": "https://api.example.com/v1/auth", + "search_dl": "EDR", + "source": { + "ip": "1.128.0.0", + "port": 49152 + }, + "source_file": { + "hash_sha1": "D4E5F6789012345678901234567890123ABCDEFG", + "path": "C:\\Users\\john.doe\\Downloads\\installer.exe" + }, + "tags": [ + "MITRE.T1059.001", + "XSAE.F1001" + 
], + "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "win_event_id": 4624 + } + }, + "url": { + "original": "https://api.example.com/v1/auth" + }, + "user": { + "name": [ + "john.doe@example.com" + ], + "target": { + "name": "DOMAIN\\john.doe" + } + } +} diff --git a/packages/trend_micro_vision_one/data_stream/network_activity/_dev/test/pipeline/test-common-config.yml b/packages/trend_micro_vision_one/data_stream/network_activity/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..53b076d7cfe --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/network_activity/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,8 @@ +fields: + tags: + - preserve_original_event + - preserve_duplicate_custom_fields +numeric_keyword_fields: + - trend_micro_vision_one.telemetry.event_id + - trend_micro_vision_one.telemetry.event_sub_id + - trend_micro_vision_one.telemetry.event_source_type diff --git a/packages/trend_micro_vision_one/data_stream/network_activity/_dev/test/pipeline/test-network-activity.log b/packages/trend_micro_vision_one/data_stream/network_activity/_dev/test/pipeline/test-network-activity.log new file mode 100644 index 00000000000..509ae373194 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/network_activity/_dev/test/pipeline/test-network-activity.log 
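Review bot: The `numeric_keyword_fields` stanza in the new network_activity `test-common-config.yml` lists `trend_micro_vision_one.telemetry.event_id`, `trend_micro_vision_one.telemetry.event_sub_id` and `trend_micro_vision_one.telemetry.event_source_type`, which are telemetry-stream paths that never occur in network_activity documents, so the entries look copied from the telemetry data stream and are inert here. Either drop the three lines and keep only the `fields.tags` block, or point the list at fields of this stream that are numeric in the input but keyword-mapped; judging from the expected output, `pname` and `pver` are already strings in the fixtures, so no entry appears necessary. A stale list is worse than none because a later reader will assume it was curated and skip checking type mismatches for this stream.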
@@ -0,0 +1,5 @@ +{"endpointHostName": "workstation-pc01", "customerId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "osName": "Windows 10", "dst": "81.2.69.142", "endpointGuid": "72436165-b5a5-471a-9389-0bdc3647bc33", "principalName": "john.doe@example.com", "request": "https://portal.example.com/dashboard", "act": 1, "src": "1.128.0.0", "serverTls": "TLS 1.3", "eventTime": 1699876543, "serverProtocol": "HTTP/2", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", "rt": 1699876545, "tenantGuid": "b2c3d4e5-f678-9012-bcde-f23456789012", "eventName": "SWG_ACTIVITY_LOG", "application": "Microsoft 365", "ruleName": "Corporate_Access_Policy", "clientIp": "175.16.199.0", "requestBase": "portal.example.com", "score": 95, "userDomain": "example.com", "suid": "John Doe", "duration": 45, "eventSubName": "SharePoint file download", "fileHash": "a1b2c3d4e5f6789012345678901234567890abcd", "fileHashSha256": "ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93", "fileName": "quarterly_report.xlsx", "fileSize": 245678, "fileType": "Microsoft Excel", "malName": "", "mimeType": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "sender": "Corporate Gateway", "detectionType": 10, "profile": "standard", "userDepartment": "Finance", "requestMethod": "GET", "pname": "2200", "pver": "2.1", "deviceGUID": "c3d4e5f6-7890-1234-cdef-345678901234", "requestMimeType": "application/json", "ruleType": "access", "ruleUuid": "d4e5f678-9012-3456-def0-456789012345", "objectId": "e5f67890-1234-5678-ef01-567890123456", "spt": 49152, "policyUuid": "f6789012-3456-7890-f012-678901234567", "dpt": 443, "companyName": "Acme Corporation", "start": 1699876500} +{"endpointHostName": "laptop-sales03", "customerId": "b2c3d4e5-f678-9012-bcde-f23456789012", "osName": "Windows 11", "dst": "175.16.199.0", "endpointGuid": "83547276-c6b6-582b-a49a-1cde4758cd44", "principalName": "sarah.smith@example.com", "request": 
"https://drive.example.com/files/contract.pdf", "act": 4, "src": "81.2.69.144", "serverTls": "TLS 1.2", "eventTime": 1699877654, "serverProtocol": "HTTP/1.1", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0", "rt": 1699877656, "tenantGuid": "c3d4e5f6-7890-1234-cdef-345678901234", "eventName": "SWG_ACTIVITY_LOG", "application": "Google Drive", "ruleName": "DLP_Sensitive_Files", "clientIp": "81.2.69.192", "requestBase": "drive.example.com", "score": 45, "userDomain": "example.com", "suid": "Sarah Smith", "duration": 120, "eventSubName": "Cloud storage upload blocked", "fileHash": "b2c3d4e5f67890123456789012345678901abcde", "fileHashSha256": "cd3456789012345678901234567890abcdef123456789012345678901234abcd", "fileName": "contract_confidential.pdf", "fileSize": 1567890, "fileType": "Adobe PDF", "malName": "", "mimeType": "application/pdf", "sender": "Remote VPN Gateway", "detectionType": 30, "profile": "dlp_strict", "userDepartment": "Sales", "requestMethod": "POST", "pname": "2200", "pver": "2.1", "deviceGUID": "d4e5f678-9012-3456-def0-456789012345", "requestMimeType": "multipart/form-data", "ruleType": "dlp", "ruleUuid": "e5f67890-1234-5678-ef01-567890123456", "objectId": "f6789012-3456-7890-f012-678901234567", "spt": 51234, "policyUuid": "01234567-89ab-cdef-0123-456789abcdef", "dpt": 443, "companyName": "Acme Corporation", "start": 1699877600} +{"endpointHostName": "server-web01", "customerId": "c3d4e5f6-7890-1234-cdef-345678901234", "osName": "Windows Server 2022", "dst": "81.2.69.144", "endpointGuid": "94658387-d7c7-693c-b5ab-2def5869de55", "principalName": "admin@example.com", "request": "https://api.example.com/v2/users", "act": 1, "src": "81.2.69.192", "serverTls": "TLS 1.3", "eventTime": 1699878765, "serverProtocol": "HTTP/2", "userAgent": "curl/8.4.0", "rt": 1699878766, "tenantGuid": "d4e5f678-9012-3456-def0-456789012345", "eventName": "SWG_ACTIVITY_LOG", "application": "Custom API", "ruleName": 
"API_Gateway_Access", "clientIp": "1.128.0.0", "requestBase": "api.example.com", "score": 100, "userDomain": "example.com", "suid": "API Service Account", "duration": 15, "eventSubName": "API request allowed", "fileHash": "", "fileHashSha256": "", "fileName": "", "fileSize": 0, "fileType": "", "malName": "", "mimeType": "application/json", "sender": "Internal Gateway", "detectionType": 0, "profile": "api_default", "userDepartment": "IT", "requestMethod": "GET", "pname": "2200", "pver": "2.1", "deviceGUID": "e5f67890-1234-5678-ef01-567890123456", "requestMimeType": "application/json", "ruleType": "access", "ruleUuid": "f6789012-3456-7890-f012-678901234567", "objectId": "01234567-89ab-cdef-0123-456789abcdef", "spt": 52345, "policyUuid": "12345678-9abc-def0-1234-56789abcdef0", "dpt": 8443, "companyName": "Acme Corporation", "start": 1699878760} +{"endpointHostName": "desktop-hr04", "customerId": "d4e5f678-9012-3456-def0-456789012345", "osName": "macOS Sonoma", "dst": "1.128.0.0", "endpointGuid": "a5769498-e8d8-7a4d-c6bc-3ef06970ef66", "principalName": "emma.jones@example.com", "request": "https://malicious-site.example.net/download.exe", "act": 2, "src": "81.2.69.142", "serverTls": "TLS 1.2", "eventTime": 1699879876, "serverProtocol": "HTTP/1.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15", "rt": 1699879878, "tenantGuid": "e5f67890-1234-5678-ef01-567890123456", "eventName": "SWG_ACTIVITY_LOG", "application": "Unknown", "ruleName": "Malware_Block_Policy", "clientIp": "175.16.199.0", "requestBase": "malicious-site.example.net", "score": 5, "userDomain": "example.com", "suid": "Emma Jones", "duration": 8, "eventSubName": "Malware download blocked", "fileHash": "c3d4e5f678901234567890123456789012abcdef", "fileHashSha256": "de456789012345678901234567890abcdef0123456789012345678901234bcde", "fileName": "invoice_update.exe", "fileSize": 4567890, "fileType": "Windows Executable", "malName": 
"Trojan.GenericKD.46584712", "mimeType": "application/x-msdownload", "sender": "Corporate Gateway", "detectionType": 60, "profile": "threat_protection", "userDepartment": "HR", "requestMethod": "GET", "pname": "2200", "pver": "2.1", "deviceGUID": "f6789012-3456-7890-f012-678901234567", "requestMimeType": "application/octet-stream", "ruleType": "threat", "ruleUuid": "01234567-89ab-cdef-0123-456789abcdef", "objectId": "12345678-9abc-def0-1234-56789abcdef0", "spt": 53456, "policyUuid": "23456789-abcd-ef01-2345-6789abcdef01", "dpt": 80, "companyName": "Acme Corporation", "start": 1699879870} +{"endpointHostName": "laptop-dev05", "customerId": "e5f67890-1234-5678-ef01-567890123456", "osName": "Ubuntu 22.04", "dst": "81.2.69.192", "endpointGuid": "b687a5a9-f9e9-8b5e-d7cd-4f017a81f077", "principalName": "mike.wilson@example.com", "request": "https://github.example.com/repos/internal-tools", "act": 1, "src": "175.16.199.0", "serverTls": "TLS 1.3", "eventTime": 1699880987, "serverProtocol": "HTTP/2", "userAgent": "git/2.42.0", "rt": 1699880990, "tenantGuid": "f6789012-3456-7890-f012-678901234567", "eventName": "SWG_ACTIVITY_LOG", "application": "GitHub Enterprise", "ruleName": "Developer_Tools_Access", "clientIp": "81.2.69.144", "requestBase": "github.example.com", "score": 92, "userDomain": "example.com", "suid": "Mike Wilson", "duration": 250, "eventSubName": "Git repository clone", "fileHash": "d4e5f6789012345678901234567890123abcdef0", "fileHashSha256": "ef56789012345678901234567890abcdef01234567890123456789012345cdef", "fileName": "internal-tools.git", "fileSize": 89012345, "fileType": "Git Repository", "malName": "", "mimeType": "application/x-git", "sender": "Developer VPN", "detectionType": 0, "profile": "developer", "userDepartment": "Engineering", "requestMethod": "GET", "pname": "2200", "pver": "2.1", "deviceGUID": "01234567-89ab-cdef-0123-456789abcdef", "requestMimeType": "application/x-git-upload-pack-request", "ruleType": "access", "ruleUuid": 
"12345678-9abc-def0-1234-56789abcdef0", "objectId": "23456789-abcd-ef01-2345-6789abcdef01", "spt": 54567, "policyUuid": "34567890-bcde-f012-3456-789abcdef012", "dpt": 443, "companyName": "Acme Corporation", "start": 1699880900} diff --git a/packages/trend_micro_vision_one/data_stream/network_activity/_dev/test/pipeline/test-network-activity.log-expected.json b/packages/trend_micro_vision_one/data_stream/network_activity/_dev/test/pipeline/test-network-activity.log-expected.json new file mode 100644 index 00000000000..d07628e0de8 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/network_activity/_dev/test/pipeline/test-network-activity.log-expected.json 
@@ -0,0 +1,888 @@ +{ + "expected": [ + { + "@timestamp": "2023-11-13T11:55:43.000Z", + "client": { + "ip": "175.16.199.0" + }, + "destination": { + "ip": "81.2.69.142", + "port": 443 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "duration": 45000000, + "kind": "event", + "original": "{\"endpointHostName\": \"workstation-pc01\", \"customerId\": \"a1b2c3d4-e5f6-7890-abcd-ef1234567890\", \"osName\": \"Windows 10\", \"dst\": \"81.2.69.142\", \"endpointGuid\": \"72436165-b5a5-471a-9389-0bdc3647bc33\", \"principalName\": \"john.doe@example.com\", \"request\": \"https://portal.example.com/dashboard\", \"act\": 1, \"src\": \"1.128.0.0\", \"serverTls\": \"TLS 1.3\", \"eventTime\": 1699876543, \"serverProtocol\": \"HTTP/2\", \"userAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\", \"rt\": 1699876545, \"tenantGuid\": \"b2c3d4e5-f678-9012-bcde-f23456789012\", \"eventName\": \"SWG_ACTIVITY_LOG\", \"application\": \"Microsoft 365\", \"ruleName\": \"Corporate_Access_Policy\", \"clientIp\": \"175.16.199.0\", \"requestBase\": \"portal.example.com\", \"score\": 95, \"userDomain\": \"example.com\", \"suid\": \"John Doe\", \"duration\": 45, \"eventSubName\": \"SharePoint file download\", \"fileHash\": \"a1b2c3d4e5f6789012345678901234567890abcd\", \"fileHashSha256\": \"ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93\", \"fileName\": \"quarterly_report.xlsx\", \"fileSize\": 245678, \"fileType\": \"Microsoft Excel\", \"malName\": \"\", \"mimeType\": \"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\", \"sender\": \"Corporate Gateway\", \"detectionType\": 10, \"profile\": \"standard\", \"userDepartment\": \"Finance\", \"requestMethod\": \"GET\", \"pname\": \"2200\", \"pver\": \"2.1\", \"deviceGUID\": \"c3d4e5f6-7890-1234-cdef-345678901234\", \"requestMimeType\": \"application/json\", \"ruleType\": \"access\", \"ruleUuid\": \"d4e5f678-9012-3456-def0-456789012345\", 
\"objectId\": \"e5f67890-1234-5678-ef01-567890123456\", \"spt\": 49152, \"policyUuid\": \"f6789012-3456-7890-f012-678901234567\", \"dpt\": 443, \"companyName\": \"Acme Corporation\", \"start\": 1699876500}", + "start": 1699876500 + }, + "file": { + "hash": { + "sha1": "a1b2c3d4e5f6789012345678901234567890abcd", + "sha256": "ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93" + }, + "mime_type": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", + "name": "quarterly_report.xlsx", + "size": 245678, + "type": "Microsoft Excel" + }, + "host": { + "hostname": "workstation-pc01", + "os": { + "name": "Windows 10" + } + }, + "http": { + "request": { + "method": "GET", + "mime_type": "application/json" + } + }, + "network": { + "protocol": "HTTP/2" + }, + "organization": { + "name": "Acme Corporation" + }, + "related": { + "hash": [ + "a1b2c3d4e5f6789012345678901234567890abcd", + "ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93" + ], + "hosts": [ + "workstation-pc01", + "portal.example.com" + ], + "ip": [ + "1.128.0.0", + "81.2.69.142", + "175.16.199.0" + ], + "user": [ + "John Doe", + "john.doe@example.com" + ] + }, + "rule": { + "category": "access", + "name": "Corporate_Access_Policy", + "uuid": "d4e5f678-9012-3456-def0-456789012345" + }, + "source": { + "ip": "1.128.0.0", + "port": 49152 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "version": "TLS 1.3" + }, + "trend_micro_vision_one": { + "network_activity": { + "act": 1, + "application": "Microsoft 365", + "client": { + "ip": "175.16.199.0" + }, + "company_name": "Acme Corporation", + "customer": { + "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890" + }, + "destination": { + "ip": "81.2.69.142", + "port": 443 + }, + "detection": { + "type": 10 + }, + "device": { + "guid": "c3d4e5f6-7890-1234-cdef-345678901234" + }, + "duration": 45, + "endpoint": { + "guid": "72436165-b5a5-471a-9389-0bdc3647bc33", + "host_name": 
"workstation-pc01" + }, + "event": { + "name": "SWG_ACTIVITY_LOG", + "sub_name": "SharePoint file download", + "time": "2023-11-13T11:55:43.000Z" + }, + "file": { + "hash_sha1": "a1b2c3d4e5f6789012345678901234567890abcd", + "hash_sha256": "ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93", + "mime_type": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", + "name": "quarterly_report.xlsx", + "size": 245678, + "type": "Microsoft Excel" + }, + "object": { + "id": "e5f67890-1234-5678-ef01-567890123456" + }, + "os": { + "name": "Windows 10" + }, + "pname": "2200", + "policy": { + "uuid": "f6789012-3456-7890-f012-678901234567" + }, + "profile": "standard", + "pver": "2.1", + "request": { + "base": "portal.example.com", + "method": "GET", + "mime_type": "application/json", + "url": "https://portal.example.com/dashboard" + }, + "rt": 1699876545, + "rule": { + "name": "Corporate_Access_Policy", + "type": "access", + "uuid": "d4e5f678-9012-3456-def0-456789012345" + }, + "score": 95, + "sender": "Corporate Gateway", + "server": { + "protocol": "HTTP/2", + "tls": "TLS 1.3" + }, + "source": { + "ip": "1.128.0.0", + "port": 49152 + }, + "start": 1699876500, + "tenant": { + "guid": "b2c3d4e5-f678-9012-bcde-f23456789012" + }, + "user": { + "department": "Finance", + "domain": "example.com", + "id": "John Doe", + "principal_name": "john.doe@example.com" + }, + "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" + } + }, + "url": { + "original": "https://portal.example.com/dashboard" + }, + "user": { + "domain": "example.com", + "email": "john.doe@example.com", + "name": "John Doe" + }, + "user_agent": { + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" + } + }, + { + "@timestamp": "2023-11-13T12:14:14.000Z", + "client": { + "ip": "81.2.69.192" + }, + "destination": { + "ip": "175.16.199.0", + 
"port": 443 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "duration": 120000000, + "kind": "event", + "original": "{\"endpointHostName\": \"laptop-sales03\", \"customerId\": \"b2c3d4e5-f678-9012-bcde-f23456789012\", \"osName\": \"Windows 11\", \"dst\": \"175.16.199.0\", \"endpointGuid\": \"83547276-c6b6-582b-a49a-1cde4758cd44\", \"principalName\": \"sarah.smith@example.com\", \"request\": \"https://drive.example.com/files/contract.pdf\", \"act\": 4, \"src\": \"81.2.69.144\", \"serverTls\": \"TLS 1.2\", \"eventTime\": 1699877654, \"serverProtocol\": \"HTTP/1.1\", \"userAgent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0\", \"rt\": 1699877656, \"tenantGuid\": \"c3d4e5f6-7890-1234-cdef-345678901234\", \"eventName\": \"SWG_ACTIVITY_LOG\", \"application\": \"Google Drive\", \"ruleName\": \"DLP_Sensitive_Files\", \"clientIp\": \"81.2.69.192\", \"requestBase\": \"drive.example.com\", \"score\": 45, \"userDomain\": \"example.com\", \"suid\": \"Sarah Smith\", \"duration\": 120, \"eventSubName\": \"Cloud storage upload blocked\", \"fileHash\": \"b2c3d4e5f67890123456789012345678901abcde\", \"fileHashSha256\": \"cd3456789012345678901234567890abcdef123456789012345678901234abcd\", \"fileName\": \"contract_confidential.pdf\", \"fileSize\": 1567890, \"fileType\": \"Adobe PDF\", \"malName\": \"\", \"mimeType\": \"application/pdf\", \"sender\": \"Remote VPN Gateway\", \"detectionType\": 30, \"profile\": \"dlp_strict\", \"userDepartment\": \"Sales\", \"requestMethod\": \"POST\", \"pname\": \"2200\", \"pver\": \"2.1\", \"deviceGUID\": \"d4e5f678-9012-3456-def0-456789012345\", \"requestMimeType\": \"multipart/form-data\", \"ruleType\": \"dlp\", \"ruleUuid\": \"e5f67890-1234-5678-ef01-567890123456\", \"objectId\": \"f6789012-3456-7890-f012-678901234567\", \"spt\": 51234, \"policyUuid\": \"01234567-89ab-cdef-0123-456789abcdef\", \"dpt\": 443, \"companyName\": \"Acme Corporation\", \"start\": 1699877600}", + "start": 1699877600 + }, + 
"file": { + "hash": { + "sha1": "b2c3d4e5f67890123456789012345678901abcde", + "sha256": "cd3456789012345678901234567890abcdef123456789012345678901234abcd" + }, + "mime_type": "application/pdf", + "name": "contract_confidential.pdf", + "size": 1567890, + "type": "Adobe PDF" + }, + "host": { + "hostname": "laptop-sales03", + "os": { + "name": "Windows 11" + } + }, + "http": { + "request": { + "method": "POST", + "mime_type": "multipart/form-data" + } + }, + "network": { + "protocol": "HTTP/1.1" + }, + "organization": { + "name": "Acme Corporation" + }, + "related": { + "hash": [ + "b2c3d4e5f67890123456789012345678901abcde", + "cd3456789012345678901234567890abcdef123456789012345678901234abcd" + ], + "hosts": [ + "laptop-sales03", + "drive.example.com" + ], + "ip": [ + "81.2.69.144", + "175.16.199.0", + "81.2.69.192" + ], + "user": [ + "Sarah Smith", + "sarah.smith@example.com" + ] + }, + "rule": { + "category": "dlp", + "name": "DLP_Sensitive_Files", + "uuid": "e5f67890-1234-5678-ef01-567890123456" + }, + "source": { + "ip": "81.2.69.144", + "port": 51234 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "version": "TLS 1.2" + }, + "trend_micro_vision_one": { + "network_activity": { + "act": 4, + "application": "Google Drive", + "client": { + "ip": "81.2.69.192" + }, + "company_name": "Acme Corporation", + "customer": { + "id": "b2c3d4e5-f678-9012-bcde-f23456789012" + }, + "destination": { + "ip": "175.16.199.0", + "port": 443 + }, + "detection": { + "type": 30 + }, + "device": { + "guid": "d4e5f678-9012-3456-def0-456789012345" + }, + "duration": 120, + "endpoint": { + "guid": "83547276-c6b6-582b-a49a-1cde4758cd44", + "host_name": "laptop-sales03" + }, + "event": { + "name": "SWG_ACTIVITY_LOG", + "sub_name": "Cloud storage upload blocked", + "time": "2023-11-13T12:14:14.000Z" + }, + "file": { + "hash_sha1": "b2c3d4e5f67890123456789012345678901abcde", + "hash_sha256": 
"cd3456789012345678901234567890abcdef123456789012345678901234abcd", + "mime_type": "application/pdf", + "name": "contract_confidential.pdf", + "size": 1567890, + "type": "Adobe PDF" + }, + "object": { + "id": "f6789012-3456-7890-f012-678901234567" + }, + "os": { + "name": "Windows 11" + }, + "pname": "2200", + "policy": { + "uuid": "01234567-89ab-cdef-0123-456789abcdef" + }, + "profile": "dlp_strict", + "pver": "2.1", + "request": { + "base": "drive.example.com", + "method": "POST", + "mime_type": "multipart/form-data", + "url": "https://drive.example.com/files/contract.pdf" + }, + "rt": 1699877656, + "rule": { + "name": "DLP_Sensitive_Files", + "type": "dlp", + "uuid": "e5f67890-1234-5678-ef01-567890123456" + }, + "score": 45, + "sender": "Remote VPN Gateway", + "server": { + "protocol": "HTTP/1.1", + "tls": "TLS 1.2" + }, + "source": { + "ip": "81.2.69.144", + "port": 51234 + }, + "start": 1699877600, + "tenant": { + "guid": "c3d4e5f6-7890-1234-cdef-345678901234" + }, + "user": { + "department": "Sales", + "domain": "example.com", + "id": "Sarah Smith", + "principal_name": "sarah.smith@example.com" + }, + "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0" + } + }, + "url": { + "original": "https://drive.example.com/files/contract.pdf" + }, + "user": { + "domain": "example.com", + "email": "sarah.smith@example.com", + "name": "Sarah Smith" + }, + "user_agent": { + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0" + } + }, + { + "@timestamp": "2023-11-13T12:32:45.000Z", + "client": { + "ip": "1.128.0.0" + }, + "destination": { + "ip": "81.2.69.144", + "port": 8443 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "duration": 15000000, + "kind": "event", + "original": "{\"endpointHostName\": \"server-web01\", \"customerId\": \"c3d4e5f6-7890-1234-cdef-345678901234\", \"osName\": \"Windows Server 2022\", \"dst\": \"81.2.69.144\", \"endpointGuid\": 
\"94658387-d7c7-693c-b5ab-2def5869de55\", \"principalName\": \"admin@example.com\", \"request\": \"https://api.example.com/v2/users\", \"act\": 1, \"src\": \"81.2.69.192\", \"serverTls\": \"TLS 1.3\", \"eventTime\": 1699878765, \"serverProtocol\": \"HTTP/2\", \"userAgent\": \"curl/8.4.0\", \"rt\": 1699878766, \"tenantGuid\": \"d4e5f678-9012-3456-def0-456789012345\", \"eventName\": \"SWG_ACTIVITY_LOG\", \"application\": \"Custom API\", \"ruleName\": \"API_Gateway_Access\", \"clientIp\": \"1.128.0.0\", \"requestBase\": \"api.example.com\", \"score\": 100, \"userDomain\": \"example.com\", \"suid\": \"API Service Account\", \"duration\": 15, \"eventSubName\": \"API request allowed\", \"fileHash\": \"\", \"fileHashSha256\": \"\", \"fileName\": \"\", \"fileSize\": 0, \"fileType\": \"\", \"malName\": \"\", \"mimeType\": \"application/json\", \"sender\": \"Internal Gateway\", \"detectionType\": 0, \"profile\": \"api_default\", \"userDepartment\": \"IT\", \"requestMethod\": \"GET\", \"pname\": \"2200\", \"pver\": \"2.1\", \"deviceGUID\": \"e5f67890-1234-5678-ef01-567890123456\", \"requestMimeType\": \"application/json\", \"ruleType\": \"access\", \"ruleUuid\": \"f6789012-3456-7890-f012-678901234567\", \"objectId\": \"01234567-89ab-cdef-0123-456789abcdef\", \"spt\": 52345, \"policyUuid\": \"12345678-9abc-def0-1234-56789abcdef0\", \"dpt\": 8443, \"companyName\": \"Acme Corporation\", \"start\": 1699878760}", + "start": 1699878760 + }, + "file": { + "mime_type": "application/json", + "size": 0 + }, + "host": { + "hostname": "server-web01", + "os": { + "name": "Windows Server 2022" + } + }, + "http": { + "request": { + "method": "GET", + "mime_type": "application/json" + } + }, + "network": { + "protocol": "HTTP/2" + }, + "organization": { + "name": "Acme Corporation" + }, + "related": { + "hosts": [ + "server-web01", + "api.example.com" + ], + "ip": [ + "81.2.69.192", + "81.2.69.144", + "1.128.0.0" + ], + "user": [ + "API Service Account", + "admin@example.com" + ] + }, + 
"rule": { + "category": "access", + "name": "API_Gateway_Access", + "uuid": "f6789012-3456-7890-f012-678901234567" + }, + "source": { + "ip": "81.2.69.192", + "port": 52345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "version": "TLS 1.3" + }, + "trend_micro_vision_one": { + "network_activity": { + "act": 1, + "application": "Custom API", + "client": { + "ip": "1.128.0.0" + }, + "company_name": "Acme Corporation", + "customer": { + "id": "c3d4e5f6-7890-1234-cdef-345678901234" + }, + "destination": { + "ip": "81.2.69.144", + "port": 8443 + }, + "detection": { + "type": 0 + }, + "device": { + "guid": "e5f67890-1234-5678-ef01-567890123456" + }, + "duration": 15, + "endpoint": { + "guid": "94658387-d7c7-693c-b5ab-2def5869de55", + "host_name": "server-web01" + }, + "event": { + "name": "SWG_ACTIVITY_LOG", + "sub_name": "API request allowed", + "time": "2023-11-13T12:32:45.000Z" + }, + "file": { + "mime_type": "application/json", + "size": 0 + }, + "object": { + "id": "01234567-89ab-cdef-0123-456789abcdef" + }, + "os": { + "name": "Windows Server 2022" + }, + "pname": "2200", + "policy": { + "uuid": "12345678-9abc-def0-1234-56789abcdef0" + }, + "profile": "api_default", + "pver": "2.1", + "request": { + "base": "api.example.com", + "method": "GET", + "mime_type": "application/json", + "url": "https://api.example.com/v2/users" + }, + "rt": 1699878766, + "rule": { + "name": "API_Gateway_Access", + "type": "access", + "uuid": "f6789012-3456-7890-f012-678901234567" + }, + "score": 100, + "sender": "Internal Gateway", + "server": { + "protocol": "HTTP/2", + "tls": "TLS 1.3" + }, + "source": { + "ip": "81.2.69.192", + "port": 52345 + }, + "start": 1699878760, + "tenant": { + "guid": "d4e5f678-9012-3456-def0-456789012345" + }, + "user": { + "department": "IT", + "domain": "example.com", + "id": "API Service Account", + "principal_name": "admin@example.com" + }, + "user_agent": "curl/8.4.0" + } + }, + "url": { + "original": 
"https://api.example.com/v2/users" + }, + "user": { + "domain": "example.com", + "email": "admin@example.com", + "name": "API Service Account" + }, + "user_agent": { + "original": "curl/8.4.0" + } + }, + { + "@timestamp": "2023-11-13T12:51:16.000Z", + "client": { + "ip": "175.16.199.0" + }, + "destination": { + "ip": "1.128.0.0", + "port": 80 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "duration": 8000000, + "kind": "event", + "original": "{\"endpointHostName\": \"desktop-hr04\", \"customerId\": \"d4e5f678-9012-3456-def0-456789012345\", \"osName\": \"macOS Sonoma\", \"dst\": \"1.128.0.0\", \"endpointGuid\": \"a5769498-e8d8-7a4d-c6bc-3ef06970ef66\", \"principalName\": \"emma.jones@example.com\", \"request\": \"https://malicious-site.example.net/download.exe\", \"act\": 2, \"src\": \"81.2.69.142\", \"serverTls\": \"TLS 1.2\", \"eventTime\": 1699879876, \"serverProtocol\": \"HTTP/1.1\", \"userAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15\", \"rt\": 1699879878, \"tenantGuid\": \"e5f67890-1234-5678-ef01-567890123456\", \"eventName\": \"SWG_ACTIVITY_LOG\", \"application\": \"Unknown\", \"ruleName\": \"Malware_Block_Policy\", \"clientIp\": \"175.16.199.0\", \"requestBase\": \"malicious-site.example.net\", \"score\": 5, \"userDomain\": \"example.com\", \"suid\": \"Emma Jones\", \"duration\": 8, \"eventSubName\": \"Malware download blocked\", \"fileHash\": \"c3d4e5f678901234567890123456789012abcdef\", \"fileHashSha256\": \"de456789012345678901234567890abcdef0123456789012345678901234bcde\", \"fileName\": \"invoice_update.exe\", \"fileSize\": 4567890, \"fileType\": \"Windows Executable\", \"malName\": \"Trojan.GenericKD.46584712\", \"mimeType\": \"application/x-msdownload\", \"sender\": \"Corporate Gateway\", \"detectionType\": 60, \"profile\": \"threat_protection\", \"userDepartment\": \"HR\", \"requestMethod\": \"GET\", \"pname\": \"2200\", \"pver\": \"2.1\", \"deviceGUID\": 
\"f6789012-3456-7890-f012-678901234567\", \"requestMimeType\": \"application/octet-stream\", \"ruleType\": \"threat\", \"ruleUuid\": \"01234567-89ab-cdef-0123-456789abcdef\", \"objectId\": \"12345678-9abc-def0-1234-56789abcdef0\", \"spt\": 53456, \"policyUuid\": \"23456789-abcd-ef01-2345-6789abcdef01\", \"dpt\": 80, \"companyName\": \"Acme Corporation\", \"start\": 1699879870}", + "start": 1699879870 + }, + "file": { + "hash": { + "sha1": "c3d4e5f678901234567890123456789012abcdef", + "sha256": "de456789012345678901234567890abcdef0123456789012345678901234bcde" + }, + "mime_type": "application/x-msdownload", + "name": "invoice_update.exe", + "size": 4567890, + "type": "Windows Executable" + }, + "host": { + "hostname": "desktop-hr04", + "os": { + "name": "macOS Sonoma" + } + }, + "http": { + "request": { + "method": "GET", + "mime_type": "application/octet-stream" + } + }, + "network": { + "protocol": "HTTP/1.1" + }, + "organization": { + "name": "Acme Corporation" + }, + "related": { + "hash": [ + "c3d4e5f678901234567890123456789012abcdef", + "de456789012345678901234567890abcdef0123456789012345678901234bcde" + ], + "hosts": [ + "desktop-hr04", + "malicious-site.example.net" + ], + "ip": [ + "81.2.69.142", + "1.128.0.0", + "175.16.199.0" + ], + "user": [ + "Emma Jones", + "emma.jones@example.com" + ] + }, + "rule": { + "category": "threat", + "name": "Malware_Block_Policy", + "uuid": "01234567-89ab-cdef-0123-456789abcdef" + }, + "source": { + "ip": "81.2.69.142", + "port": 53456 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "version": "TLS 1.2" + }, + "trend_micro_vision_one": { + "network_activity": { + "act": 2, + "application": "Unknown", + "client": { + "ip": "175.16.199.0" + }, + "company_name": "Acme Corporation", + "customer": { + "id": "d4e5f678-9012-3456-def0-456789012345" + }, + "destination": { + "ip": "1.128.0.0", + "port": 80 + }, + "detection": { + "type": 60 + }, + "device": { + "guid": 
"f6789012-3456-7890-f012-678901234567" + }, + "duration": 8, + "endpoint": { + "guid": "a5769498-e8d8-7a4d-c6bc-3ef06970ef66", + "host_name": "desktop-hr04" + }, + "event": { + "name": "SWG_ACTIVITY_LOG", + "sub_name": "Malware download blocked", + "time": "2023-11-13T12:51:16.000Z" + }, + "file": { + "hash_sha1": "c3d4e5f678901234567890123456789012abcdef", + "hash_sha256": "de456789012345678901234567890abcdef0123456789012345678901234bcde", + "mime_type": "application/x-msdownload", + "name": "invoice_update.exe", + "size": 4567890, + "type": "Windows Executable" + }, + "malware": { + "name": "Trojan.GenericKD.46584712" + }, + "object": { + "id": "12345678-9abc-def0-1234-56789abcdef0" + }, + "os": { + "name": "macOS Sonoma" + }, + "pname": "2200", + "policy": { + "uuid": "23456789-abcd-ef01-2345-6789abcdef01" + }, + "profile": "threat_protection", + "pver": "2.1", + "request": { + "base": "malicious-site.example.net", + "method": "GET", + "mime_type": "application/octet-stream", + "url": "https://malicious-site.example.net/download.exe" + }, + "rt": 1699879878, + "rule": { + "name": "Malware_Block_Policy", + "type": "threat", + "uuid": "01234567-89ab-cdef-0123-456789abcdef" + }, + "score": 5, + "sender": "Corporate Gateway", + "server": { + "protocol": "HTTP/1.1", + "tls": "TLS 1.2" + }, + "source": { + "ip": "81.2.69.142", + "port": 53456 + }, + "start": 1699879870, + "tenant": { + "guid": "e5f67890-1234-5678-ef01-567890123456" + }, + "user": { + "department": "HR", + "domain": "example.com", + "id": "Emma Jones", + "principal_name": "emma.jones@example.com" + }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15" + } + }, + "url": { + "original": "https://malicious-site.example.net/download.exe" + }, + "user": { + "domain": "example.com", + "email": "emma.jones@example.com", + "name": "Emma Jones" + }, + "user_agent": { + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_1) 
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15" + } + }, + { + "@timestamp": "2023-11-13T13:09:47.000Z", + "client": { + "ip": "81.2.69.144" + }, + "destination": { + "ip": "81.2.69.192", + "port": 443 + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "duration": 250000000, + "kind": "event", + "original": "{\"endpointHostName\": \"laptop-dev05\", \"customerId\": \"e5f67890-1234-5678-ef01-567890123456\", \"osName\": \"Ubuntu 22.04\", \"dst\": \"81.2.69.192\", \"endpointGuid\": \"b687a5a9-f9e9-8b5e-d7cd-4f017a81f077\", \"principalName\": \"mike.wilson@example.com\", \"request\": \"https://github.example.com/repos/internal-tools\", \"act\": 1, \"src\": \"175.16.199.0\", \"serverTls\": \"TLS 1.3\", \"eventTime\": 1699880987, \"serverProtocol\": \"HTTP/2\", \"userAgent\": \"git/2.42.0\", \"rt\": 1699880990, \"tenantGuid\": \"f6789012-3456-7890-f012-678901234567\", \"eventName\": \"SWG_ACTIVITY_LOG\", \"application\": \"GitHub Enterprise\", \"ruleName\": \"Developer_Tools_Access\", \"clientIp\": \"81.2.69.144\", \"requestBase\": \"github.example.com\", \"score\": 92, \"userDomain\": \"example.com\", \"suid\": \"Mike Wilson\", \"duration\": 250, \"eventSubName\": \"Git repository clone\", \"fileHash\": \"d4e5f6789012345678901234567890123abcdef0\", \"fileHashSha256\": \"ef56789012345678901234567890abcdef01234567890123456789012345cdef\", \"fileName\": \"internal-tools.git\", \"fileSize\": 89012345, \"fileType\": \"Git Repository\", \"malName\": \"\", \"mimeType\": \"application/x-git\", \"sender\": \"Developer VPN\", \"detectionType\": 0, \"profile\": \"developer\", \"userDepartment\": \"Engineering\", \"requestMethod\": \"GET\", \"pname\": \"2200\", \"pver\": \"2.1\", \"deviceGUID\": \"01234567-89ab-cdef-0123-456789abcdef\", \"requestMimeType\": \"application/x-git-upload-pack-request\", \"ruleType\": \"access\", \"ruleUuid\": \"12345678-9abc-def0-1234-56789abcdef0\", \"objectId\": \"23456789-abcd-ef01-2345-6789abcdef01\", \"spt\": 54567, 
\"policyUuid\": \"34567890-bcde-f012-3456-789abcdef012\", \"dpt\": 443, \"companyName\": \"Acme Corporation\", \"start\": 1699880900}", + "start": 1699880900 + }, + "file": { + "hash": { + "sha1": "d4e5f6789012345678901234567890123abcdef0", + "sha256": "ef56789012345678901234567890abcdef01234567890123456789012345cdef" + }, + "mime_type": "application/x-git", + "name": "internal-tools.git", + "size": 89012345, + "type": "Git Repository" + }, + "host": { + "hostname": "laptop-dev05", + "os": { + "name": "Ubuntu 22.04" + } + }, + "http": { + "request": { + "method": "GET", + "mime_type": "application/x-git-upload-pack-request" + } + }, + "network": { + "protocol": "HTTP/2" + }, + "organization": { + "name": "Acme Corporation" + }, + "related": { + "hash": [ + "d4e5f6789012345678901234567890123abcdef0", + "ef56789012345678901234567890abcdef01234567890123456789012345cdef" + ], + "hosts": [ + "laptop-dev05", + "github.example.com" + ], + "ip": [ + "175.16.199.0", + "81.2.69.192", + "81.2.69.144" + ], + "user": [ + "Mike Wilson", + "mike.wilson@example.com" + ] + }, + "rule": { + "category": "access", + "name": "Developer_Tools_Access", + "uuid": "12345678-9abc-def0-1234-56789abcdef0" + }, + "source": { + "ip": "175.16.199.0", + "port": 54567 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "version": "TLS 1.3" + }, + "trend_micro_vision_one": { + "network_activity": { + "act": 1, + "application": "GitHub Enterprise", + "client": { + "ip": "81.2.69.144" + }, + "company_name": "Acme Corporation", + "customer": { + "id": "e5f67890-1234-5678-ef01-567890123456" + }, + "destination": { + "ip": "81.2.69.192", + "port": 443 + }, + "detection": { + "type": 0 + }, + "device": { + "guid": "01234567-89ab-cdef-0123-456789abcdef" + }, + "duration": 250, + "endpoint": { + "guid": "b687a5a9-f9e9-8b5e-d7cd-4f017a81f077", + "host_name": "laptop-dev05" + }, + "event": { + "name": "SWG_ACTIVITY_LOG", + "sub_name": "Git repository clone", + 
"time": "2023-11-13T13:09:47.000Z" + }, + "file": { + "hash_sha1": "d4e5f6789012345678901234567890123abcdef0", + "hash_sha256": "ef56789012345678901234567890abcdef01234567890123456789012345cdef", + "mime_type": "application/x-git", + "name": "internal-tools.git", + "size": 89012345, + "type": "Git Repository" + }, + "object": { + "id": "23456789-abcd-ef01-2345-6789abcdef01" + }, + "os": { + "name": "Ubuntu 22.04" + }, + "pname": "2200", + "policy": { + "uuid": "34567890-bcde-f012-3456-789abcdef012" + }, + "profile": "developer", + "pver": "2.1", + "request": { + "base": "github.example.com", + "method": "GET", + "mime_type": "application/x-git-upload-pack-request", + "url": "https://github.example.com/repos/internal-tools" + }, + "rt": 1699880990, + "rule": { + "name": "Developer_Tools_Access", + "type": "access", + "uuid": "12345678-9abc-def0-1234-56789abcdef0" + }, + "score": 92, + "sender": "Developer VPN", + "server": { + "protocol": "HTTP/2", + "tls": "TLS 1.3" + }, + "source": { + "ip": "175.16.199.0", + "port": 54567 + }, + "start": 1699880900, + "tenant": { + "guid": "f6789012-3456-7890-f012-678901234567" + }, + "user": { + "department": "Engineering", + "domain": "example.com", + "id": "Mike Wilson", + "principal_name": "mike.wilson@example.com" + }, + "user_agent": "git/2.42.0" + } + }, + "url": { + "original": "https://github.example.com/repos/internal-tools" + }, + "user": { + "domain": "example.com", + "email": "mike.wilson@example.com", + "name": "Mike Wilson" + }, + "user_agent": { + "original": "git/2.42.0" + } + } + ] +} diff --git a/packages/trend_micro_vision_one/data_stream/network_activity/_dev/test/system/test-default-config.yml b/packages/trend_micro_vision_one/data_stream/network_activity/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..81c3d6c163d --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/network_activity/_dev/test/system/test-default-config.yml 
@@ -0,0 +1,12 @@
+input: cel
+service: trend_micro_vision_one
+vars:
+  hostname: http://{{Hostname}}:{{Port}}
+  api_token: xxxx
+data_stream:
+  vars:
+    batch_size: 2
+    preserve_original_event: true
+    preserve_duplicate_custom_fields: true
+assert:
+  hit_count: 4
diff --git a/packages/trend_micro_vision_one/data_stream/network_activity/agent/stream/cel.yml.hbs b/packages/trend_micro_vision_one/data_stream/network_activity/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..bcf62b697cb
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/network_activity/agent/stream/cel.yml.hbs
@@ -0,0 +1,145 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{hostname}} +state: + api_token: {{api_token}} + initial_interval: {{initial_interval}} + batch_size: {{batch_size}} +redact: + fields: + - api_token +program: |- + ( + state.?want_more.orValue(false) ? + state + : + state.with({ + "start_time": state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339)), + "end_time": now.format(time_layout.RFC3339), + }) + ).as(state, + // use next.link if available, otherwise build initial request + ( + state.?next.link.hasValue() ? + state.next.link + : + state.url.trim_right("/") + "/v3.0/search/networkActivities?" + { + "top": [string(state.batch_size)], + "startDateTime": [string(state.start_time)], + "endDateTime": [string(state.end_time)], + }.format_query() + ).as(request_url, + request( + "GET", + request_url + ).with( + { + "Header": { + "Authorization": ["Bearer " + state.api_token], + "Content-Type": ["application/json;charset=utf-8"], + "TMV1-Query": ["*"], + }, + } + ).do_request().as(resp, + resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, + { + "events": has(body.items) && size(body.items) > 0 ? + body.items.map(item, + { + "message": item.encode_json(), + } + ) + : + [], + // next.link will not be available in last paginated call + "next": {?"link": body.?nextLink}, + "want_more": body.?nextLink.hasValue(), + "api_token": state.api_token, + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, + "cursor": { + ?"last_timestamp": (has(body.items) && size(body.items) > 0) ? + (has(state.?cursor.last_timestamp) ? 
+ optional.of( + max([ + state.cursor.last_timestamp.parse_time("2006-01-02T15:04:05"), + timestamp(int(timestamp(0)+duration(string(int(body.items[0].eventTime))+"ms"))) + ]).format("2006-01-02T15:04:05") + ) + : + optional.of(timestamp(int(timestamp(0)+duration(string(int(body.items[0].eventTime))+"ms"))).format("2006-01-02T15:04:05")) + ) + : + state.?cursor.last_timestamp + } + } + ) + : + resp.StatusCode == 429 ? + { + "events": [], + "rate_limited": debug("rate_limit_exceeded", bytes(resp.Body).decode_json().?fail[0].message.orValue("missing message")), + "want_more": false, + "next": state.?next, + "api_token": state.api_token, + "initial_interval": state.initial_interval, + "batch_size": state.batch_size, + "cursor": state.?cursor, + } + : + { + "events": [ + { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + request_url + ": " + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + ], + "want_more": false, + "next": state.?next, + "api_token": state.api_token, + "initial_interval": state.initial_interval, + "batch_size": state.batch_size, + "cursor": state.?cursor, + } + ) + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/trend_micro_vision_one/data_stream/network_activity/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/network_activity/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..1d53730dda4 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/network_activity/elasticsearch/ingest_pipeline/default.yml 
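Review bot: The cursor update in the 200 branch treats `eventTime` as milliseconds (`duration(string(int(body.items[0].eventTime))+"ms")`), but the sample events added in this commit carry second-resolution values (`"eventTime": 1699879876` is rendered as `2023-11-13T12:51:16.000Z` in the expected output) and the ingest pipeline lists `UNIX` first among its date formats; if the API does return seconds, `last_timestamp` lands on a 1970 date on the first poll, `max()` keeps it there, and every later `startDateTime` is sent from that point, so the window never advances as intended. Worth confirming the unit against the API and, if it is seconds, using `timestamp(int(body.items[0].eventTime))` in both arms of the conditional. Separately, `last_timestamp` is formatted with `"2006-01-02T15:04:05"` (no zone designator) while the initial `start_time` uses `time_layout.RFC3339`, so the `startDateTime` value changes shape after the first successful page; formatting and parsing the cursor with `time_layout.RFC3339` keeps both paths consistent. The cursor is also advanced from `body.items[0]` only, which presumes the first item is the newest; if the API does not guarantee ordering, the maximum across `body.items` is the safer choice.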
@@ -0,0 +1,659 @@ +--- +description: Pipeline for processing network activity logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - terminate: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + description: error message set and no data to process. + - set: + field: event.kind + tag: set_event_kind + value: event + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, + as they can collide with ECS fields. 
+ - json: + field: event.original + tag: json_event_original + target_field: json + - fingerprint: + fields: + - json.eventTime + - json.eventId + tag: fingerprint_network_activity + target_field: _id + ignore_missing: true + - rename: + field: json.application + tag: rename_application + target_field: trend_micro_vision_one.network_activity.application + ignore_missing: true + - rename: + field: json.companyName + tag: rename_company_name + target_field: trend_micro_vision_one.network_activity.company_name + ignore_missing: true + - rename: + field: json.customerId + tag: rename_customer_id + target_field: trend_micro_vision_one.network_activity.customer.id + ignore_missing: true + - rename: + field: json.deviceGUID + tag: rename_device_guid + target_field: trend_micro_vision_one.network_activity.device.guid + ignore_missing: true + - rename: + field: json.endpointGuid + tag: rename_endpoint_guid + target_field: trend_micro_vision_one.network_activity.endpoint.guid + ignore_missing: true + - rename: + field: json.endpointHostName + tag: rename_endpoint_host_name + target_field: trend_micro_vision_one.network_activity.endpoint.host_name + ignore_missing: true + - rename: + field: json.eventName + tag: rename_event_name + target_field: trend_micro_vision_one.network_activity.event.name + ignore_missing: true + - rename: + field: json.eventSubName + tag: rename_event_sub_name + target_field: trend_micro_vision_one.network_activity.event.sub_name + ignore_missing: true + - rename: + field: json.fileHash + tag: rename_file_hash + target_field: trend_micro_vision_one.network_activity.file.hash_sha1 + ignore_missing: true + - rename: + field: json.fileHashSha256 + tag: rename_file_hash_sha256 + target_field: trend_micro_vision_one.network_activity.file.hash_sha256 + ignore_missing: true + - rename: + field: json.fileName + tag: rename_file_name + target_field: trend_micro_vision_one.network_activity.file.name + ignore_missing: true + - rename: + field: json.fileType + 
tag: rename_file_type + target_field: trend_micro_vision_one.network_activity.file.type + ignore_missing: true + - rename: + field: json.malName + tag: rename_mal_name + target_field: trend_micro_vision_one.network_activity.malware.name + ignore_missing: true + - rename: + field: json.mimeType + tag: rename_mime_type + target_field: trend_micro_vision_one.network_activity.file.mime_type + ignore_missing: true + - rename: + field: json.objectId + tag: rename_object_id + target_field: trend_micro_vision_one.network_activity.object.id + ignore_missing: true + - rename: + field: json.osName + tag: rename_os_name + target_field: trend_micro_vision_one.network_activity.os.name + ignore_missing: true + - rename: + field: json.pname + tag: rename_pname + target_field: trend_micro_vision_one.network_activity.pname + ignore_missing: true + - rename: + field: json.policyUuid + tag: rename_policy_uuid + target_field: trend_micro_vision_one.network_activity.policy.uuid + ignore_missing: true + - rename: + field: json.profile + tag: rename_profile + target_field: trend_micro_vision_one.network_activity.profile + ignore_missing: true + - rename: + field: json.pver + tag: rename_pver + target_field: trend_micro_vision_one.network_activity.pver + ignore_missing: true + - rename: + field: json.principalName + tag: rename_principal_name + target_field: trend_micro_vision_one.network_activity.user.principal_name + ignore_missing: true + - rename: + field: json.request + tag: rename_request + target_field: trend_micro_vision_one.network_activity.request.url + ignore_missing: true + - rename: + field: json.requestBase + tag: rename_request_base + target_field: trend_micro_vision_one.network_activity.request.base + ignore_missing: true + - rename: + field: json.requestMethod + tag: rename_request_method + target_field: trend_micro_vision_one.network_activity.request.method + ignore_missing: true + - rename: + field: json.requestMimeType + tag: rename_request_mime_type + target_field: 
trend_micro_vision_one.network_activity.request.mime_type + ignore_missing: true + - rename: + field: json.ruleName + tag: rename_rule_name + target_field: trend_micro_vision_one.network_activity.rule.name + ignore_missing: true + - rename: + field: json.ruleType + tag: rename_rule_type + target_field: trend_micro_vision_one.network_activity.rule.type + ignore_missing: true + - rename: + field: json.ruleUuid + tag: rename_rule_uuid + target_field: trend_micro_vision_one.network_activity.rule.uuid + ignore_missing: true + - rename: + field: json.sender + tag: rename_sender + target_field: trend_micro_vision_one.network_activity.sender + ignore_missing: true + - rename: + field: json.serverProtocol + tag: rename_server_protocol + target_field: trend_micro_vision_one.network_activity.server.protocol + ignore_missing: true + - rename: + field: json.serverTls + tag: rename_server_tls + target_field: trend_micro_vision_one.network_activity.server.tls + ignore_missing: true + - rename: + field: json.suid + tag: rename_suid + target_field: trend_micro_vision_one.network_activity.user.id + ignore_missing: true + - rename: + field: json.tenantGuid + tag: rename_tenant_guid + target_field: trend_micro_vision_one.network_activity.tenant.guid + ignore_missing: true + - rename: + field: json.userAgent + tag: rename_user_agent + target_field: trend_micro_vision_one.network_activity.user_agent + ignore_missing: true + - rename: + field: json.userDepartment + tag: rename_user_department + target_field: trend_micro_vision_one.network_activity.user.department + ignore_missing: true + - rename: + field: json.userDomain + tag: rename_user_domain + target_field: trend_micro_vision_one.network_activity.user.domain + ignore_missing: true + - convert: + field: json.act + tag: convert_act + target_field: trend_micro_vision_one.network_activity.act + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} 
with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.detectionType + tag: convert_detection_type + target_field: trend_micro_vision_one.network_activity.detection.type + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.dpt + tag: convert_dpt + target_field: trend_micro_vision_one.network_activity.destination.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.duration + tag: convert_duration + target_field: trend_micro_vision_one.network_activity.duration + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.fileSize + tag: convert_file_size + target_field: trend_micro_vision_one.network_activity.file.size + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.rt + tag: convert_rt + target_field: trend_micro_vision_one.network_activity.rt + type: long + ignore_missing: true + on_failure: 
+ - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.score + tag: convert_score + target_field: trend_micro_vision_one.network_activity.score + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.spt + tag: convert_spt + target_field: trend_micro_vision_one.network_activity.source.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.start + tag: convert_start + target_field: trend_micro_vision_one.network_activity.start + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.clientIp + tag: convert_client_ip + target_field: trend_micro_vision_one.network_activity.client.ip + type: ip + ignore_missing: true + if: ctx.json?.clientIp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.dst + tag: convert_dst + target_field: 
trend_micro_vision_one.network_activity.destination.ip + type: ip + ignore_missing: true + if: ctx.json?.dst != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.src + tag: convert_src + target_field: trend_micro_vision_one.network_activity.source.ip + type: ip + ignore_missing: true + if: ctx.json?.src != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.eventTime + tag: date_event_time + target_field: trend_micro_vision_one.network_activity.event.time + formats: + - UNIX + - UNIX_MS + if: ctx.json?.eventTime != null && ctx.json.eventTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_timestamp + copy_from: trend_micro_vision_one.network_activity.event.time + ignore_empty_value: true + - set: + field: client.ip + tag: set_client_ip + copy_from: trend_micro_vision_one.network_activity.client.ip + ignore_empty_value: true + - set: + field: destination.ip + tag: set_destination_ip + copy_from: trend_micro_vision_one.network_activity.destination.ip + ignore_empty_value: true + - set: + field: destination.port + tag: set_destination_port + copy_from: trend_micro_vision_one.network_activity.destination.port + ignore_empty_value: true + - set: + field: event.duration + tag: set_event_duration + copy_from: trend_micro_vision_one.network_activity.duration 
+ ignore_empty_value: true + - script: + description: Convert duration from milliseconds to nanoseconds. + tag: script_duration_ms_to_ns + lang: painless + if: ctx.trend_micro_vision_one?.network_activity?.duration instanceof Number + source: >- + ctx.event.duration = ctx.trend_micro_vision_one.network_activity.duration * 1000000; + - set: + field: event.start + tag: set_event_start + copy_from: trend_micro_vision_one.network_activity.start + ignore_empty_value: true + - set: + field: file.hash.sha1 + tag: set_file_hash_sha1 + copy_from: trend_micro_vision_one.network_activity.file.hash_sha1 + ignore_empty_value: true + - set: + field: file.hash.sha256 + tag: set_file_hash_sha256 + copy_from: trend_micro_vision_one.network_activity.file.hash_sha256 + ignore_empty_value: true + - set: + field: file.mime_type + tag: set_file_mime_type + copy_from: trend_micro_vision_one.network_activity.file.mime_type + ignore_empty_value: true + - set: + field: file.name + tag: set_file_name + copy_from: trend_micro_vision_one.network_activity.file.name + ignore_empty_value: true + - set: + field: file.size + tag: set_file_size + copy_from: trend_micro_vision_one.network_activity.file.size + ignore_empty_value: true + - set: + field: file.type + tag: set_file_type + copy_from: trend_micro_vision_one.network_activity.file.type + ignore_empty_value: true + - set: + field: host.hostname + tag: set_host_hostname + copy_from: trend_micro_vision_one.network_activity.endpoint.host_name + ignore_empty_value: true + - set: + field: host.os.name + tag: set_host_os_name + copy_from: trend_micro_vision_one.network_activity.os.name + ignore_empty_value: true + - set: + field: http.request.method + tag: set_http_request_method + copy_from: trend_micro_vision_one.network_activity.request.method + ignore_empty_value: true + - set: + field: http.request.mime_type + tag: set_http_request_mime_type + copy_from: trend_micro_vision_one.network_activity.request.mime_type + ignore_empty_value: true + - 
set: + field: network.protocol + tag: set_network_protocol + copy_from: trend_micro_vision_one.network_activity.server.protocol + ignore_empty_value: true + - set: + field: organization.name + tag: set_organization_name + copy_from: trend_micro_vision_one.network_activity.company_name + ignore_empty_value: true + - set: + field: rule.category + tag: set_rule_category + copy_from: trend_micro_vision_one.network_activity.rule.type + ignore_empty_value: true + - set: + field: rule.name + tag: set_rule_name + copy_from: trend_micro_vision_one.network_activity.rule.name + ignore_empty_value: true + - set: + field: rule.uuid + tag: set_rule_uuid + copy_from: trend_micro_vision_one.network_activity.rule.uuid + ignore_empty_value: true + - set: + field: source.ip + tag: set_source_ip + copy_from: trend_micro_vision_one.network_activity.source.ip + ignore_empty_value: true + - set: + field: source.port + tag: set_source_port + copy_from: trend_micro_vision_one.network_activity.source.port + ignore_empty_value: true + - set: + field: tls.version + tag: set_tls_version + copy_from: trend_micro_vision_one.network_activity.server.tls + ignore_empty_value: true + - set: + field: url.original + tag: set_url_original + copy_from: trend_micro_vision_one.network_activity.request.url + ignore_empty_value: true + - set: + field: user.domain + tag: set_user_domain + copy_from: trend_micro_vision_one.network_activity.user.domain + ignore_empty_value: true + - set: + field: user.email + tag: set_user_email + copy_from: trend_micro_vision_one.network_activity.user.principal_name + ignore_empty_value: true + - set: + field: user.name + tag: set_user_name + copy_from: trend_micro_vision_one.network_activity.user.id + ignore_empty_value: true + - set: + field: user_agent.original + tag: set_user_agent_original + copy_from: trend_micro_vision_one.network_activity.user_agent + ignore_empty_value: true + - append: + field: related.ip + tag: append_related_ip_source + value: 
'{{{trend_micro_vision_one.network_activity.source.ip}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.network_activity?.source?.ip != null + - append: + field: related.ip + tag: append_related_ip_destination + value: '{{{trend_micro_vision_one.network_activity.destination.ip}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.network_activity?.destination?.ip != null + - append: + field: related.ip + tag: append_related_ip_client + value: '{{{trend_micro_vision_one.network_activity.client.ip}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.network_activity?.client?.ip != null + - append: + field: related.user + tag: append_related_user_id + value: '{{{trend_micro_vision_one.network_activity.user.id}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.network_activity?.user?.id != null + - append: + field: related.user + tag: append_related_user_principal_name + value: '{{{trend_micro_vision_one.network_activity.user.principal_name}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.network_activity?.user?.principal_name != null + - append: + field: related.hash + tag: append_related_hash_sha1 + value: '{{{trend_micro_vision_one.network_activity.file.hash_sha1}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.network_activity?.file?.hash_sha1 != null + - append: + field: related.hash + tag: append_related_hash_sha256 + value: '{{{trend_micro_vision_one.network_activity.file.hash_sha256}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.network_activity?.file?.hash_sha256 != null + - append: + field: related.hosts + tag: append_related_hosts_endpoint + value: '{{{trend_micro_vision_one.network_activity.endpoint.host_name}}}' + allow_duplicates: false + if: ctx.trend_micro_vision_one?.network_activity?.endpoint?.host_name != null + - append: + field: related.hosts + tag: append_related_hosts_request_base + value: '{{{trend_micro_vision_one.network_activity.request.base}}}' + 
allow_duplicates: false + if: ctx.trend_micro_vision_one?.network_activity?.request?.base != null + - remove: + field: + - trend_micro_vision_one.network_activity.client.ip + - trend_micro_vision_one.network_activity.company_name + - trend_micro_vision_one.network_activity.destination.ip + - trend_micro_vision_one.network_activity.destination.port + - trend_micro_vision_one.network_activity.endpoint.host_name + - trend_micro_vision_one.network_activity.event.time + - trend_micro_vision_one.network_activity.file.hash_sha1 + - trend_micro_vision_one.network_activity.file.hash_sha256 + - trend_micro_vision_one.network_activity.file.mime_type + - trend_micro_vision_one.network_activity.file.name + - trend_micro_vision_one.network_activity.file.size + - trend_micro_vision_one.network_activity.file.type + - trend_micro_vision_one.network_activity.os.name + - trend_micro_vision_one.network_activity.request.method + - trend_micro_vision_one.network_activity.request.mime_type + - trend_micro_vision_one.network_activity.request.url + - trend_micro_vision_one.network_activity.rule.name + - trend_micro_vision_one.network_activity.rule.type + - trend_micro_vision_one.network_activity.rule.uuid + - trend_micro_vision_one.network_activity.server.protocol + - trend_micro_vision_one.network_activity.server.tls + - trend_micro_vision_one.network_activity.source.ip + - trend_micro_vision_one.network_activity.source.port + - trend_micro_vision_one.network_activity.start + - trend_micro_vision_one.network_activity.user.domain + - trend_micro_vision_one.network_activity.user.id + - trend_micro_vision_one.network_activity.user.principal_name + - trend_micro_vision_one.network_activity.user_agent + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + - remove: + field: json + tag: remove_json + ignore_missing: true + - script: + tag: script_to_drop_null_values + lang: painless + description: This 
script processor iterates over the whole document to remove fields with null values. + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/trend_micro_vision_one/data_stream/network_activity/fields/base-fields.yml b/packages/trend_micro_vision_one/data_stream/network_activity/fields/base-fields.yml new file mode 100644 index 00000000000..f01ef35149c --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/network_activity/fields/base-fields.yml 
@@ -0,0 +1,16 @@
+- name: data_stream.type
+ external: ecs
+- name: data_stream.dataset
+ external: ecs
+- name: data_stream.namespace
+ external: ecs
+- name: event.module
+ type: constant_keyword
+ external: ecs
+ value: trend_micro_vision_one
+- name: event.dataset
+ type: constant_keyword
+ external: ecs
+ value: trend_micro_vision_one.network_activity
+- name: '@timestamp'
+ external: ecs
diff --git a/packages/trend_micro_vision_one/data_stream/network_activity/fields/beats.yml b/packages/trend_micro_vision_one/data_stream/network_activity/fields/beats.yml
new file mode 100644
index 00000000000..4084f1dc7f5
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/network_activity/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
diff --git a/packages/trend_micro_vision_one/data_stream/network_activity/fields/fields.yml b/packages/trend_micro_vision_one/data_stream/network_activity/fields/fields.yml
new file mode 100644
index 00000000000..4bfd83f23a6
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/network_activity/fields/fields.yml
@@ -0,0 +1,207 @@ +- name: trend_micro_vision_one + type: group + fields: + - name: network_activity + type: group + fields: + - name: act + type: long + description: Action taken for the violation. + - name: application + type: keyword + description: Name of the requested application. + - name: client + type: group + fields: + - name: ip + type: ip + description: Internal IP address of source endpoint. + - name: company_name + type: keyword + description: Company name. + - name: customer + type: group + fields: + - name: id + type: keyword + description: Company ID. + - name: destination + type: group + fields: + - name: ip + type: ip + description: Destination IP address. + - name: port + type: long + description: Destination port of private application server. + - name: detection + type: group + fields: + - name: type + type: long + description: Scan type. + - name: device + type: group + fields: + - name: guid + type: keyword + description: GUID of the agent which reported this detection. + - name: duration + type: long + description: Scan complete time, in milliseconds. + - name: endpoint + type: group + fields: + - name: guid + type: keyword + description: GUID of the agent which reported the detection. + - name: host_name + type: keyword + description: Endpoint hostname. + - name: event + type: group + fields: + - name: name + type: keyword + description: Event type name. + - name: sub_name + type: keyword + description: Event type subname. + - name: time + type: date + description: Event generation time on the agent side. + - name: file + type: group + fields: + - name: hash_sha1 + type: keyword + description: The SHA-1 of the file which violated the policy. + - name: hash_sha256 + type: keyword + description: The SHA-256 of the file which violated the policy. + - name: mime_type + type: keyword + description: The MIME type/content type of the response body. + - name: name + type: keyword + description: File name of the file which violated the policy. 
+ - name: size + type: long + description: Size of the file which violated the policy. + - name: type + type: keyword + description: File type of the file which violated the policy. + - name: malware + type: group + fields: + - name: name + type: keyword + description: Name of the malware detected. + - name: object + type: group + fields: + - name: id + type: keyword + description: UUID of private access application. + - name: os + type: group + fields: + - name: name + type: keyword + description: Endpoint device operating system. + - name: pname + type: keyword + description: Internal product ID (Deprecated use productCode). + - name: policy + type: group + fields: + - name: uuid + type: keyword + description: UUID of the triggered Private Access or Risk Control rule. + - name: profile + type: keyword + description: Name of the Threat Protection template or Data Loss Prevention profile triggered. + - name: pver + type: keyword + description: Product version. + - name: request + type: group + fields: + - name: base + type: keyword + description: Domain of the requested URL. + - name: method + type: keyword + description: HTTP/HTTPS request method. + - name: mime_type + type: keyword + description: Requested content type. + - name: url + type: keyword + description: The requested destination URL the user is accessing. + - name: rt + type: long + description: Report received time. + - name: rule + type: group + fields: + - name: name + type: keyword + description: Name of the rule that triggered the event. + - name: type + type: keyword + description: Type of rule which triggered. + - name: uuid + type: keyword + description: UUID of the triggered rule. + - name: score + type: long + description: Web Reputation Services URL rating. + - name: sender + type: keyword + description: Roaming users or gateway where the web traffic passed. + - name: server + type: group + fields: + - name: protocol + type: keyword + description: HTTP protocol version of destination server. 
+ - name: tls + type: keyword + description: Server TLS/SSL version. + - name: source + type: group + fields: + - name: ip + type: ip + description: Source IP address that is connecting to the Internet Access gateway. + - name: port + type: long + description: Source virtual port assigned to endpoint Secure Access Module. + - name: start + type: long + description: Secure Access Module session start time. + - name: tenant + type: group + fields: + - name: guid + type: keyword + description: Tenant GUID of the Internet Access Gateway. + - name: user + type: group + fields: + - name: department + type: keyword + description: User department. + - name: domain + type: keyword + description: Domain of the username. + - name: id + type: keyword + description: User name or IP address. + - name: principal_name + type: keyword + description: User principal name used to log on to Trend Micro Web Security admin portal. + - name: user_agent + type: keyword + description: Name of the web browser app user connects from. diff --git a/packages/trend_micro_vision_one/data_stream/network_activity/manifest.yml b/packages/trend_micro_vision_one/data_stream/network_activity/manifest.yml new file mode 100644 index 00000000000..2582ae1d159 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/network_activity/manifest.yml 
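Review bot: `duration` is documented here as milliseconds and `start`/`rt` are epoch timestamps, yet all three are typed `long`, and the sample event added in this commit shows `event.duration: 45` and `event.start: 1699876500` — the raw millisecond count and epoch-seconds value apparently copied unchanged into ECS fields that expect nanoseconds and a date. The pipeline that performs the copy is outside this hunk, so this is inferred from the sample; if it holds, `event.start` will be mis-read under the default date format (a bare integer is taken as epoch milliseconds) and `event.duration` will be off by a factor of 10^6. `event.time` is already declared `date` in this file and appears as an ISO string in the sample, so `start` and `rt` deserve the same treatment: `- name: start` / `type: date` / `description: Secure Access Module session start time.` with a matching date conversion in the pipeline, plus a multiplication to nanoseconds before `event.duration` is set.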
@@ -0,0 +1,81 @@
+title: Collect network activity logs from Trend Micro Vision One.
+type: logs
+streams:
+ - input: cel
+ enabled: false
+ title: Network Activity
+ description: Collect network activity logs from Trend Micro Vision One.
+ template_path: cel.yml.hbs
+ vars:
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ description: How far back to pull the Network Activity logs from Trend Micro Vision One API. Supported units for this parameter are h/m/s.
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the Trend Micro Vision One API. Supported units for this parameter are h/m/s.
+ default: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: batch_size
+ type: integer
+ title: Batch Size
+ description: Batch size for the response of the Trend Micro Vision One API. The maximum supported page size value is 1000.
+ default: 1000
+ multi: false
+ required: true
+ show_user: false
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 30s
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ default: false
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - trend_micro_vision_one-network_activity
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: false
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve trend_micro_vision_one.network_activity fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/trend_micro_vision_one/data_stream/network_activity/sample_event.json b/packages/trend_micro_vision_one/data_stream/network_activity/sample_event.json
new file mode 100644
index 00000000000..52a1507204a
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/network_activity/sample_event.json
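Review bot: `preserve_duplicate_custom_fields` is declared without a `default`, while its sibling `preserve_original_event` carries `default: false`; the pipeline only tests for the `preserve_duplicate_custom_fields` tag, so an unset value is harmless, but the two flags should be declared alike — add `default: false` after its `multi: false`. Separately, `interval` defaults to `24h`, so newly generated network-activity records are fetched only once a day; if that value was copied from a batch-oriented stream rather than chosen for this one, a shorter default (matching the other activity streams, which are not visible here) would make the data usable for detection much sooner.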
@@ -0,0 +1,204 @@ +{ + "@timestamp": "2023-11-13T11:55:43.000Z", + "agent": { + "ephemeral_id": "76c92ca8-86e3-4b6e-983a-07da450d1d19", + "id": "e91d68b9-ae62-485d-85b7-813f8a96d54c", + "name": "elastic-agent-66717", + "type": "filebeat", + "version": "8.19.7" + }, + "client": { + "ip": "175.16.199.0" + }, + "data_stream": { + "dataset": "trend_micro_vision_one.network_activity", + "namespace": "83537", + "type": "logs" + }, + "destination": { + "ip": "81.2.69.142", + "port": 443 + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "e91d68b9-ae62-485d-85b7-813f8a96d54c", + "snapshot": true, + "version": "8.19.7" + }, + "event": { + "agent_id_status": "verified", + "dataset": "trend_micro_vision_one.network_activity", + "duration": 45, + "ingested": "2025-12-02T12:45:21Z", + "kind": "event", + "original": "{\"act\":1,\"application\":\"Microsoft 365\",\"clientIp\":\"175.16.199.0\",\"companyName\":\"Acme Corporation\",\"customerId\":\"a1b2c3d4-e5f6-7890-abcd-ef1234567890\",\"detectionType\":10,\"deviceGUID\":\"c3d4e5f6-7890-1234-cdef-345678901234\",\"dpt\":443,\"dst\":\"81.2.69.142\",\"duration\":45,\"endpointGuid\":\"72436165-b5a5-471a-9389-0bdc3647bc33\",\"endpointHostName\":\"workstation-pc01\",\"eventName\":\"SWG_ACTIVITY_LOG\",\"eventSubName\":\"SharePoint file download\",\"eventTime\":1699876543,\"fileHash\":\"a1b2c3d4e5f6789012345678901234567890abcd\",\"fileHashSha256\":\"ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93\",\"fileName\":\"quarterly_report.xlsx\",\"fileSize\":245678,\"fileType\":\"Microsoft Excel\",\"malName\":\"\",\"mimeType\":\"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\",\"objectId\":\"e5f67890-1234-5678-ef01-567890123456\",\"osName\":\"Windows 
10\",\"pname\":\"2200\",\"policyUuid\":\"f6789012-3456-7890-f012-678901234567\",\"principalName\":\"john.doe@example.com\",\"profile\":\"standard\",\"pver\":\"2.1\",\"request\":\"https://portal.example.com/dashboard\",\"requestBase\":\"portal.example.com\",\"requestMethod\":\"GET\",\"requestMimeType\":\"application/json\",\"rt\":1699876545,\"ruleName\":\"Corporate_Access_Policy\",\"ruleType\":\"access\",\"ruleUuid\":\"d4e5f678-9012-3456-def0-456789012345\",\"score\":95,\"sender\":\"Corporate Gateway\",\"serverProtocol\":\"HTTP/2\",\"serverTls\":\"TLS 1.3\",\"spt\":49152,\"src\":\"1.128.0.0\",\"start\":1699876500,\"suid\":\"John Doe\",\"tenantGuid\":\"b2c3d4e5-f678-9012-bcde-f23456789012\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\",\"userDepartment\":\"Finance\",\"userDomain\":\"example.com\"}", + "start": 1699876500 + }, + "file": { + "hash": { + "sha1": "a1b2c3d4e5f6789012345678901234567890abcd", + "sha256": "ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93" + }, + "mime_type": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", + "name": "quarterly_report.xlsx", + "size": 245678, + "type": "Microsoft Excel" + }, + "host": { + "hostname": "workstation-pc01", + "os": { + "name": "Windows 10" + } + }, + "http": { + "request": { + "method": "GET", + "mime_type": "application/json" + } + }, + "input": { + "type": "cel" + }, + "network": { + "protocol": "HTTP/2" + }, + "organization": { + "name": "Acme Corporation" + }, + "related": { + "hash": [ + "a1b2c3d4e5f6789012345678901234567890abcd", + "ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93" + ], + "hosts": [ + "workstation-pc01", + "portal.example.com" + ], + "ip": [ + "1.128.0.0", + "81.2.69.142", + "175.16.199.0" + ], + "user": [ + "John Doe", + "john.doe@example.com" + ] + }, + "rule": { + "category": "access", + "name": "Corporate_Access_Policy", + "uuid": 
"d4e5f678-9012-3456-def0-456789012345" + }, + "source": { + "ip": "1.128.0.0", + "port": 49152 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "trend_micro_vision_one-network_activity" + ], + "tls": { + "version": "TLS 1.3" + }, + "trend_micro_vision_one": { + "network_activity": { + "act": 1, + "application": "Microsoft 365", + "client": { + "ip": "175.16.199.0" + }, + "company_name": "Acme Corporation", + "customer": { + "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890" + }, + "destination": { + "ip": "81.2.69.142", + "port": 443 + }, + "detection": { + "type": 10 + }, + "device": { + "guid": "c3d4e5f6-7890-1234-cdef-345678901234" + }, + "duration": 45, + "endpoint": { + "guid": "72436165-b5a5-471a-9389-0bdc3647bc33", + "host_name": "workstation-pc01" + }, + "event": { + "name": "SWG_ACTIVITY_LOG", + "sub_name": "SharePoint file download", + "time": "2023-11-13T11:55:43.000Z" + }, + "file": { + "hash_sha1": "a1b2c3d4e5f6789012345678901234567890abcd", + "hash_sha256": "ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93", + "mime_type": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", + "name": "quarterly_report.xlsx", + "size": 245678, + "type": "Microsoft Excel" + }, + "object": { + "id": "e5f67890-1234-5678-ef01-567890123456" + }, + "os": { + "name": "Windows 10" + }, + "pname": "2200", + "policy": { + "uuid": "f6789012-3456-7890-f012-678901234567" + }, + "profile": "standard", + "pver": "2.1", + "request": { + "base": "portal.example.com", + "method": "GET", + "mime_type": "application/json", + "url": "https://portal.example.com/dashboard" + }, + "rt": 1699876545, + "rule": { + "name": "Corporate_Access_Policy", + "type": "access", + "uuid": "d4e5f678-9012-3456-def0-456789012345" + }, + "score": 95, + "sender": "Corporate Gateway", + "server": { + "protocol": "HTTP/2", + "tls": "TLS 1.3" + }, + "source": { + "ip": "1.128.0.0", + "port": 49152 + }, + "start": 1699876500, + 
"tenant": { + "guid": "b2c3d4e5-f678-9012-bcde-f23456789012" + }, + "user": { + "department": "Finance", + "domain": "example.com", + "id": "John Doe", + "principal_name": "john.doe@example.com" + }, + "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" + } + }, + "url": { + "original": "https://portal.example.com/dashboard" + }, + "user": { + "domain": "example.com", + "email": "john.doe@example.com", + "name": "John Doe" + }, + "user_agent": { + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" + } +} diff --git a/packages/trend_micro_vision_one/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml index 500c09d28bf..d923d0e60f0 100644 --- a/packages/trend_micro_vision_one/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml +++ b/packages/trend_micro_vision_one/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml @@ -34,6 +34,12 @@ processors: target_field: event.original ignore_missing: true if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null - remove: tag: remove_message field: message diff --git a/packages/trend_micro_vision_one/docs/README.md b/packages/trend_micro_vision_one/docs/README.md index d601f1b8970..4ca392c4fbd 100644 --- a/packages/trend_micro_vision_one/docs/README.md +++ b/packages/trend_micro_vision_one/docs/README.md 
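Review bot: The added `remove` carries `tag: remove_message`, the same tag as the pre-existing `remove` of `message` directly below it, so the two cannot be told apart in `on_failure` error messages and the second is redundant whenever `event.original` is set. The remaining options of the older processor lie outside this hunk; if it lacks `ignore_missing: true`, it will now fail for every document that had `event.original`, because the new processor has already removed `message`. Keep one of the two: either drop the older processor, or drop the new block and add `ignore_missing: true` and `if: ctx.event?.original != null` to the existing one.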
@@ -2,13 +2,13 @@ ## Overview -The [Trend Micro Vision One](https://www.trendmicro.com/en_in/business/products/detection-response.html) integration allows you to monitor Alert, Audit, Detection and Telemetry activity. Trend Micro Vision One refers to the ability to do detection and response across email, endpoints, servers, cloud workloads, and networks via a single Trend Micro Vision One platform or the managed Trend Micro Vision One service. +The [Trend Micro Vision One](https://www.trendmicro.com/en_in/business/products/detection-response.html) integration allows you to monitor Alert, Audit, Detection, Endpoint activity, Network activity, and Telemetry activity. Trend Micro Vision One refers to the ability to do detection and response across email, endpoints, servers, cloud workloads, and networks via a single Trend Micro Vision One platform or the managed Trend Micro Vision One service. Use the Trend Micro Vision One integration to collects and parses data from the REST APIs. Then visualize that data in Kibana. ## Data streams -The Trend Micro Vision One integration collects logs for four types of events: Alert, Audit, Detection and Telemetry. +The Trend Micro Vision One integration collects logs for four types of events: Alert, Audit, Detection, Endpoint activity, Network activity, and Telemetry. **Alert** Displays information about workbench alerts. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/~1v3.0~1workbench~1alerts/get). 
@@ -16,6 +16,10 @@ The Trend Micro Vision One integration collects logs for four types of events: A **Detection** Displays search results from the Detection Data source. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1detections/get). +**Endpoint activity** Displays search results from the Endpoint activity Data source. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3/#tag/Search/paths/~1v3.0~1search~1endpointActivities/get). + +**Network activity** Displays search results from the Network activity Data source. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3/#tag/Search/paths/~1v3.0~1search~1networkActivities/get). + **Telemetry** Displays telemetry events from the Datalake Pipeline API. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3/#tag/Datalake-Pipeline). 
@@ -39,12 +43,14 @@ This module has been tested against `Trend Micro Vision One API version 3.0`. - **Name**: A meaningful name that can help you identify the API key. - **Role**: The user role assigned to the key. API keys can use either predefined or custom user roles. Custom roles can be created by navigating to **Administration -> User Roles -> Add Role**. The role must have appropriate API access permission to fetch relevant data. The following table outlines the access permissions to apps and features needed to fetch relevant data from Trend Vision API. - | Datastream | Section | Permissions | - |--------------|--------------------------------------------------------------|----------------------------------------------------| - | Alert | Platform Capabilities > XDR Threat Investigation > Workbench | `View, filter, and search`. | - | Audit | Settings > Administration > Audit Logs | `View, filter, and search`, `Export and Download`. | - | Detection | Platform Capabilities > XDR Threat Investigation > Search | `View, filter, and search`. | - | Telemetry | Platform Capabilities > XDR Threat Investigation > Search | `View, filter, and search`. | + | Datastream | Section | Permissions | + |-------------------|--------------------------------------------------------------|--------------------------------------------------------------| + | Alert | Platform Capabilities > XDR Threat Investigation > Workbench | `View, filter, and search`. | + | Audit | Settings > Administration > Audit Logs | `View, filter, and search`, `Export and Download`. | + | Detection | Platform Capabilities > XDR Threat Investigation > Search | `View, filter, and search`. | + | Endpoint activity | Agentic SIEM and XDR > XDR Data Explorer | `View queries and Watchlist, and filter and search queries`. | + | Network activity | Agentic SIEM and XDR > XDR Data Explorer | `View queries and Watchlist, and filter and search queries`. 
| + | Telemetry | Platform Capabilities > XDR Threat Investigation > Search | `View, filter, and search`. | Refer to [Account Role Permissions](https://automation.trendmicro.com/xdr/Guides/Authentication) for more details. 
@@ -843,6 +849,553 @@ An example event for `detection` looks as following: | trend_micro_vision_one.detection.uuid | Log unique id. | keyword | +### endpoint activity + +This is the `endpoint activity` dataset. + +#### Example + +An example event for `endpoint_activity` looks as following: + +```json +{ + "@timestamp": "2023-11-13T10:15:43.210Z", + "agent": { + "ephemeral_id": "e3104ef5-8982-48d9-a9ec-3f6c451df799", + "id": "fca8de1b-d200-49c4-9272-7088e4a986bb", + "name": "elastic-agent-21907", + "type": "filebeat", + "version": "8.19.7" + }, + "data_stream": { + "dataset": "trend_micro_vision_one.endpoint_activity", + "namespace": "48188", + "type": "logs" + }, + "destination": { + "address": "81.2.69.142", + "port": 442 + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "fca8de1b-d200-49c4-9272-7088e4a986bb", + "snapshot": true, + "version": "8.19.7" + }, + "event": { + "agent_id_status": "verified", + "code": "4624", + "dataset": "trend_micro_vision_one.endpoint_activity", + "id": "29", + "ingested": "2025-12-02T12:31:41Z", + "kind": "event", + "original": "{\"dpt\":442,\"dst\":\"81.2.69.142\",\"endpointGuid\":\"72436165-b5a5-471a-9389-0bdc3647bc33\",\"endpointHostName\":\"workstation-pc01\",\"endpointIp\":[\"1.128.0.0\"],\"eventId\":\"29\",\"eventSubId\":2,\"eventTime\":1699876543210,\"eventTimeDT\":\"2023-11-13T10:15:43.210000+00:00\",\"hostName\":\"workstation-pc01\",\"logonUser\":[\"john.doe@example.com\"],\"objectCmd\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c whoami\",\"objectFileHashSha1\":\"A1B2C3D4E5F6789012345678901234567890ABCD\",\"objectFilePath\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"objectHostName\":\"api.example.com\",\"objectIntegrityLevel\":8192,\"objectIp\":\"81.2.69.144\",\"objectIps\":[\"81.2.69.144\",\"175.16.199.0\"],\"objectPort\":8080,\"objectRegistryData\":\"C:\\\\Program 
Files\\\\MyApp\\\\startup.exe\",\"objectRegistryKeyHandle\":\"hklm\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\",\"objectRegistryValue\":\"MyAppStartup\",\"objectSigner\":[\"Microsoft Windows\"],\"objectSignerValid\":[true],\"objectSubTrueType\":7002,\"objectTrueType\":7,\"objectUser\":\"DOMAIN\\\\john.doe\",\"os\":\"Windows 10\",\"parentCmd\":\"C:\\\\Windows\\\\explorer.exe\",\"parentFileHashSha1\":\"B2C3D4E5F67890123456789012345678901ABCDE\",\"parentFilePath\":\"C:\\\\Windows\\\\explorer.exe\",\"processCmd\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c whoami\",\"processFileHashSha1\":\"C3D4E5F678901234567890123456789012ABCDEF\",\"processFilePath\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"request\":\"https://api.example.com/v1/auth\",\"searchDL\":\"EDR\",\"spt\":49152,\"src\":\"1.128.0.0\",\"srcFileHashSha1\":\"D4E5F6789012345678901234567890123ABCDEFG\",\"srcFilePath\":\"C:\\\\Users\\\\john.doe\\\\Downloads\\\\installer.exe\",\"tags\":[\"MITRE.T1059.001\",\"XSAE.F1001\"],\"uuid\":\"a1b2c3d4-e5f6-7890-abcd-ef1234567890\",\"winEventId\":4624}" + }, + "file": { + "hash": { + "sha1": "A1B2C3D4E5F6789012345678901234567890ABCD" + }, + "path": "C:\\Windows\\System32\\cmd.exe" + }, + "host": { + "hostname": "workstation-pc01", + "ip": [ + "1.128.0.0" + ], + "name": "workstation-pc01", + "os": { + "name": "Windows 10" + } + }, + "input": { + "type": "cel" + }, + "process": { + "command_line": "C:\\Windows\\System32\\cmd.exe /c whoami", + "executable": "C:\\Windows\\System32\\cmd.exe", + "hash": { + "sha1": "C3D4E5F678901234567890123456789012ABCDEF" + }, + "parent": { + "command_line": "C:\\Windows\\explorer.exe", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha1": "B2C3D4E5F67890123456789012345678901ABCDE" + } + } + }, + "registry": { + "path": "hklm\\software\\microsoft\\windows\\currentversion\\run", + "value": "MyAppStartup" + }, + "related": { + "hash": [ + "A1B2C3D4E5F6789012345678901234567890ABCD", + 
"C3D4E5F678901234567890123456789012ABCDEF",
+ "B2C3D4E5F67890123456789012345678901ABCDE",
+ "D4E5F6789012345678901234567890123ABCDEFG"
+ ],
+ "hosts": [
+ "workstation-pc01",
+ "api.example.com"
+ ],
+ "ip": [
+ "1.128.0.0",
+ "81.2.69.144",
+ "175.16.199.0",
+ "81.2.69.142"
+ ],
+ "user": [
+ "john.doe@example.com",
+ "DOMAIN\\john.doe"
+ ]
+ },
+ "source": {
+ "ip": "1.128.0.0",
+ "port": 49152
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields",
+ "forwarded",
+ "trend_micro_vision_one-endpoint_activity"
+ ],
+ "trend_micro_vision_one": {
+ "endpoint_activity": {
+ "destination": {
+ "address": "81.2.69.142",
+ "port": 442
+ },
+ "endpoint": {
+ "guid": "72436165-b5a5-471a-9389-0bdc3647bc33",
+ "host_name": "workstation-pc01",
+ "ip": [
+ "1.128.0.0"
+ ]
+ },
+ "event": {
+ "id": "29",
+ "sub_id": 2,
+ "time": "2023-11-13T11:55:43.210Z",
+ "time_dt": "2023-11-13T10:15:43.210Z"
+ },
+ "host_name": "workstation-pc01",
+ "logon_user": [
+ "john.doe@example.com"
+ ],
+ "object": {
+ "cmd": "C:\\Windows\\System32\\cmd.exe /c whoami",
+ "file": {
+ "hash_sha1": "A1B2C3D4E5F6789012345678901234567890ABCD",
+ "path": "C:\\Windows\\System32\\cmd.exe"
+ },
+ "host_name": "api.example.com",
+ "integrity_level": 8192,
+ "ip": "81.2.69.144",
+ "ips": [
+ "81.2.69.144",
+ "175.16.199.0"
+ ],
+ "port": 8080,
+ "registry": {
+ "data": "C:\\Program Files\\MyApp\\startup.exe",
+ "key_handle": "hklm\\software\\microsoft\\windows\\currentversion\\run",
+ "value": "MyAppStartup"
+ },
+ "signer": [
+ "Microsoft Windows"
+ ],
+ "signer_valid": [
+ true
+ ],
+ "sub_true_type": 7002,
+ "true_type": 7,
+ "user": "DOMAIN\\john.doe"
+ },
+ "os": "Windows 10",
+ "parent": {
+ "cmd": "C:\\Windows\\explorer.exe",
+ "file": {
+ "hash_sha1": "B2C3D4E5F67890123456789012345678901ABCDE",
+ "path": "C:\\Windows\\explorer.exe"
+ }
+ },
+ "process": {
+ "cmd": "C:\\Windows\\System32\\cmd.exe /c whoami",
+ "file": {
+ "hash_sha1": 
"C3D4E5F678901234567890123456789012ABCDEF",
+ "path": "C:\\Windows\\System32\\cmd.exe"
+ }
+ },
+ "request": "https://api.example.com/v1/auth",
+ "search_dl": "EDR",
+ "source": {
+ "ip": "1.128.0.0",
+ "port": 49152
+ },
+ "source_file": {
+ "hash_sha1": "D4E5F6789012345678901234567890123ABCDEFG",
+ "path": "C:\\Users\\john.doe\\Downloads\\installer.exe"
+ },
+ "tags": [
+ "MITRE.T1059.001",
+ "XSAE.F1001"
+ ],
+ "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
+ "win_event_id": 4624
+ }
+ },
+ "url": {
+ "original": "https://api.example.com/v1/auth"
+ },
+ "user": {
+ "name": [
+ "john.doe@example.com"
+ ],
+ "target": {
+ "name": "DOMAIN\\john.doe"
+ }
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. 
Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
+| input.type | Type of filebeat input. | keyword |
+| log.offset | Log offset. | long |
+| trend_micro_vision_one.endpoint_activity.destination.address | Destination IP address. | keyword |
+| trend_micro_vision_one.endpoint_activity.destination.port | Destination port. | long |
+| trend_micro_vision_one.endpoint_activity.endpoint.guid | Endpoint GUID for identity. | keyword |
+| trend_micro_vision_one.endpoint_activity.endpoint.host_name | Hostname of the endpoint on which the event was generated. | keyword |
+| trend_micro_vision_one.endpoint_activity.endpoint.ip | Endpoint IP address list. | ip |
+| trend_micro_vision_one.endpoint_activity.event.id | Event ID for data field mapping. | keyword |
+| trend_micro_vision_one.endpoint_activity.event.sub_id | Event sub ID for data field mapping. | long |
+| trend_micro_vision_one.endpoint_activity.event.time | Log collect time utc format. | date |
+| trend_micro_vision_one.endpoint_activity.event.time_dt | Log collect time. 
| date |
+| trend_micro_vision_one.endpoint_activity.host_name | Hostname of the endpoint on which the event was generated. | keyword |
+| trend_micro_vision_one.endpoint_activity.logon_user | Logon user name. | keyword |
+| trend_micro_vision_one.endpoint_activity.object.cmd | Command line entry of target process. | keyword |
+| trend_micro_vision_one.endpoint_activity.object.file.hash_sha1 | The SHA1 hash of target process image or target file. | keyword |
+| trend_micro_vision_one.endpoint_activity.object.file.path | File path location of target process image or target file. | keyword |
+| trend_micro_vision_one.endpoint_activity.object.host_name | Server name where Internet event was detected. | keyword |
+| trend_micro_vision_one.endpoint_activity.object.integrity_level | Object integrity level for data field mapping. | long |
+| trend_micro_vision_one.endpoint_activity.object.ip | IP address of internet event. | ip |
+| trend_micro_vision_one.endpoint_activity.object.ips | IP address list of internet event. | ip |
+| trend_micro_vision_one.endpoint_activity.object.port | The port number used by internet event. | long |
+| trend_micro_vision_one.endpoint_activity.object.registry.data | The registry value data. | keyword |
+| trend_micro_vision_one.endpoint_activity.object.registry.key_handle | The registry key. | keyword |
+| trend_micro_vision_one.endpoint_activity.object.registry.value | Registry value name. | keyword |
+| trend_micro_vision_one.endpoint_activity.object.signer | Certificate signer of object process or file. | keyword |
+| trend_micro_vision_one.endpoint_activity.object.signer_valid | Validity of certificate signer. | boolean |
+| trend_micro_vision_one.endpoint_activity.object.sub_true_type | Object sub true type for data field mapping. | long |
+| trend_micro_vision_one.endpoint_activity.object.true_type | Object true type for data field mapping. 
| long |
+| trend_micro_vision_one.endpoint_activity.object.user | The owner name of target process / The logon user name. | keyword |
+| trend_micro_vision_one.endpoint_activity.os | Operating system. | keyword |
+| trend_micro_vision_one.endpoint_activity.parent.cmd | The command line that parent process. | keyword |
+| trend_micro_vision_one.endpoint_activity.parent.file.hash_sha1 | The SHA1 hash of parent process. | keyword |
+| trend_micro_vision_one.endpoint_activity.parent.file.path | The file path location of parent process. | keyword |
+| trend_micro_vision_one.endpoint_activity.process.cmd | The command line used to launch this process. | keyword |
+| trend_micro_vision_one.endpoint_activity.process.file.hash_sha1 | The process file sha1. | keyword |
+| trend_micro_vision_one.endpoint_activity.process.file.path | The process file path. | keyword |
+| trend_micro_vision_one.endpoint_activity.request | Request URL (normally detected by Web Reputation Services). | keyword |
+| trend_micro_vision_one.endpoint_activity.search_dl | Search data lake. | keyword |
+| trend_micro_vision_one.endpoint_activity.source.ip | Source IP address. | ip |
+| trend_micro_vision_one.endpoint_activity.source.port | Source port. | long |
+| trend_micro_vision_one.endpoint_activity.source_file.hash_sha1 | Source file sha1. | keyword |
+| trend_micro_vision_one.endpoint_activity.source_file.path | Source file path. | keyword |
+| trend_micro_vision_one.endpoint_activity.tags | Detected by Security Analytics Engine filters. | keyword |
+| trend_micro_vision_one.endpoint_activity.uuid | Log unique identity. | keyword |
+| trend_micro_vision_one.endpoint_activity.win_event_id | Windows event ID for data field mapping. | long |
+
+
+### network activity
+
+This is the `network activity` dataset.
+
+#### Example
+
+An example event for `network_activity` looks as following:
+
+```json
+{
+ "@timestamp": "2023-11-13T11:55:43.000Z",
+ "agent": {
+ "ephemeral_id": "76c92ca8-86e3-4b6e-983a-07da450d1d19",
+ "id": "e91d68b9-ae62-485d-85b7-813f8a96d54c",
+ "name": "elastic-agent-66717",
+ "type": "filebeat",
+ "version": "8.19.7"
+ },
+ "client": {
+ "ip": "175.16.199.0"
+ },
+ "data_stream": {
+ "dataset": "trend_micro_vision_one.network_activity",
+ "namespace": "83537",
+ "type": "logs"
+ },
+ "destination": {
+ "ip": "81.2.69.142",
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "elastic_agent": {
+ "id": "e91d68b9-ae62-485d-85b7-813f8a96d54c",
+ "snapshot": true,
+ "version": "8.19.7"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "trend_micro_vision_one.network_activity",
+ "duration": 45,
+ "ingested": "2025-12-02T12:45:21Z",
+ "kind": "event",
+ "original": "{\"act\":1,\"application\":\"Microsoft 365\",\"clientIp\":\"175.16.199.0\",\"companyName\":\"Acme Corporation\",\"customerId\":\"a1b2c3d4-e5f6-7890-abcd-ef1234567890\",\"detectionType\":10,\"deviceGUID\":\"c3d4e5f6-7890-1234-cdef-345678901234\",\"dpt\":443,\"dst\":\"81.2.69.142\",\"duration\":45,\"endpointGuid\":\"72436165-b5a5-471a-9389-0bdc3647bc33\",\"endpointHostName\":\"workstation-pc01\",\"eventName\":\"SWG_ACTIVITY_LOG\",\"eventSubName\":\"SharePoint file download\",\"eventTime\":1699876543,\"fileHash\":\"a1b2c3d4e5f6789012345678901234567890abcd\",\"fileHashSha256\":\"ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93\",\"fileName\":\"quarterly_report.xlsx\",\"fileSize\":245678,\"fileType\":\"Microsoft Excel\",\"malName\":\"\",\"mimeType\":\"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\",\"objectId\":\"e5f67890-1234-5678-ef01-567890123456\",\"osName\":\"Windows 
10\",\"pname\":\"2200\",\"policyUuid\":\"f6789012-3456-7890-f012-678901234567\",\"principalName\":\"john.doe@example.com\",\"profile\":\"standard\",\"pver\":\"2.1\",\"request\":\"https://portal.example.com/dashboard\",\"requestBase\":\"portal.example.com\",\"requestMethod\":\"GET\",\"requestMimeType\":\"application/json\",\"rt\":1699876545,\"ruleName\":\"Corporate_Access_Policy\",\"ruleType\":\"access\",\"ruleUuid\":\"d4e5f678-9012-3456-def0-456789012345\",\"score\":95,\"sender\":\"Corporate Gateway\",\"serverProtocol\":\"HTTP/2\",\"serverTls\":\"TLS 1.3\",\"spt\":49152,\"src\":\"1.128.0.0\",\"start\":1699876500,\"suid\":\"John Doe\",\"tenantGuid\":\"b2c3d4e5-f678-9012-bcde-f23456789012\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\",\"userDepartment\":\"Finance\",\"userDomain\":\"example.com\"}",
+ "start": 1699876500
+ },
+ "file": {
+ "hash": {
+ "sha1": "a1b2c3d4e5f6789012345678901234567890abcd",
+ "sha256": "ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93"
+ },
+ "mime_type": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+ "name": "quarterly_report.xlsx",
+ "size": 245678,
+ "type": "Microsoft Excel"
+ },
+ "host": {
+ "hostname": "workstation-pc01",
+ "os": {
+ "name": "Windows 10"
+ }
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "mime_type": "application/json"
+ }
+ },
+ "input": {
+ "type": "cel"
+ },
+ "network": {
+ "protocol": "HTTP/2"
+ },
+ "organization": {
+ "name": "Acme Corporation"
+ },
+ "related": {
+ "hash": [
+ "a1b2c3d4e5f6789012345678901234567890abcd",
+ "ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93"
+ ],
+ "hosts": [
+ "workstation-pc01",
+ "portal.example.com"
+ ],
+ "ip": [
+ "1.128.0.0",
+ "81.2.69.142",
+ "175.16.199.0"
+ ],
+ "user": [
+ "John Doe",
+ "john.doe@example.com"
+ ]
+ },
+ "rule": {
+ "category": "access",
+ "name": "Corporate_Access_Policy",
+ "uuid": 
"d4e5f678-9012-3456-def0-456789012345"
+ },
+ "source": {
+ "ip": "1.128.0.0",
+ "port": 49152
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields",
+ "forwarded",
+ "trend_micro_vision_one-network_activity"
+ ],
+ "tls": {
+ "version": "TLS 1.3"
+ },
+ "trend_micro_vision_one": {
+ "network_activity": {
+ "act": 1,
+ "application": "Microsoft 365",
+ "client": {
+ "ip": "175.16.199.0"
+ },
+ "company_name": "Acme Corporation",
+ "customer": {
+ "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
+ },
+ "destination": {
+ "ip": "81.2.69.142",
+ "port": 443
+ },
+ "detection": {
+ "type": 10
+ },
+ "device": {
+ "guid": "c3d4e5f6-7890-1234-cdef-345678901234"
+ },
+ "duration": 45,
+ "endpoint": {
+ "guid": "72436165-b5a5-471a-9389-0bdc3647bc33",
+ "host_name": "workstation-pc01"
+ },
+ "event": {
+ "name": "SWG_ACTIVITY_LOG",
+ "sub_name": "SharePoint file download",
+ "time": "2023-11-13T11:55:43.000Z"
+ },
+ "file": {
+ "hash_sha1": "a1b2c3d4e5f6789012345678901234567890abcd",
+ "hash_sha256": "ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93",
+ "mime_type": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+ "name": "quarterly_report.xlsx",
+ "size": 245678,
+ "type": "Microsoft Excel"
+ },
+ "object": {
+ "id": "e5f67890-1234-5678-ef01-567890123456"
+ },
+ "os": {
+ "name": "Windows 10"
+ },
+ "pname": "2200",
+ "policy": {
+ "uuid": "f6789012-3456-7890-f012-678901234567"
+ },
+ "profile": "standard",
+ "pver": "2.1",
+ "request": {
+ "base": "portal.example.com",
+ "method": "GET",
+ "mime_type": "application/json",
+ "url": "https://portal.example.com/dashboard"
+ },
+ "rt": 1699876545,
+ "rule": {
+ "name": "Corporate_Access_Policy",
+ "type": "access",
+ "uuid": "d4e5f678-9012-3456-def0-456789012345"
+ },
+ "score": 95,
+ "sender": "Corporate Gateway",
+ "server": {
+ "protocol": "HTTP/2",
+ "tls": "TLS 1.3"
+ },
+ "source": {
+ "ip": "1.128.0.0",
+ "port": 49152
+ },
+ "start": 1699876500,
+ 
"tenant": {
+ "guid": "b2c3d4e5-f678-9012-bcde-f23456789012"
+ },
+ "user": {
+ "department": "Finance",
+ "domain": "example.com",
+ "id": "John Doe",
+ "principal_name": "john.doe@example.com"
+ },
+ "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
+ }
+ },
+ "url": {
+ "original": "https://portal.example.com/dashboard"
+ },
+ "user": {
+ "domain": "example.com",
+ "email": "john.doe@example.com",
+ "name": "John Doe"
+ },
+ "user_agent": {
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. 
Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
+| input.type | Type of filebeat input. | keyword |
+| log.offset | Log offset. | long |
+| trend_micro_vision_one.network_activity.act | Action taken for the violation. | long |
+| trend_micro_vision_one.network_activity.application | Name of the requested application. | keyword |
+| trend_micro_vision_one.network_activity.client.ip | Internal IP address of source endpoint. | ip |
+| trend_micro_vision_one.network_activity.company_name | Company name. | keyword |
+| trend_micro_vision_one.network_activity.customer.id | Company ID. | keyword |
+| trend_micro_vision_one.network_activity.destination.ip | Destination IP address. | ip |
+| trend_micro_vision_one.network_activity.destination.port | Destination port of private application server. | long |
+| trend_micro_vision_one.network_activity.detection.type | Scan type. | long |
+| trend_micro_vision_one.network_activity.device.guid | GUID of the agent which reported this detection. 
| keyword |
+| trend_micro_vision_one.network_activity.duration | Scan complete time, in milliseconds. | long |
+| trend_micro_vision_one.network_activity.endpoint.guid | GUID of the agent which reported the detection. | keyword |
+| trend_micro_vision_one.network_activity.endpoint.host_name | Endpoint hostname. | keyword |
+| trend_micro_vision_one.network_activity.event.name | Event type name. | keyword |
+| trend_micro_vision_one.network_activity.event.sub_name | Event type subname. | keyword |
+| trend_micro_vision_one.network_activity.event.time | Event generation time on the agent side. | date |
+| trend_micro_vision_one.network_activity.file.hash_sha1 | The SHA-1 of the file which violated the policy. | keyword |
+| trend_micro_vision_one.network_activity.file.hash_sha256 | The SHA-256 of the file which violated the policy. | keyword |
+| trend_micro_vision_one.network_activity.file.mime_type | The MIME type/content type of the response body. | keyword |
+| trend_micro_vision_one.network_activity.file.name | File name of the file which violated the policy. | keyword |
+| trend_micro_vision_one.network_activity.file.size | Size of the file which violated the policy. | long |
+| trend_micro_vision_one.network_activity.file.type | File type of the file which violated the policy. | keyword |
+| trend_micro_vision_one.network_activity.malware.name | Name of the malware detected. | keyword |
+| trend_micro_vision_one.network_activity.object.id | UUID of private access application. | keyword |
+| trend_micro_vision_one.network_activity.os.name | Endpoint device operating system. | keyword |
+| trend_micro_vision_one.network_activity.pname | Internal product ID (Deprecated use productCode). | keyword |
+| trend_micro_vision_one.network_activity.policy.uuid | UUID of the triggered Private Access or Risk Control rule. | keyword |
+| trend_micro_vision_one.network_activity.profile | Name of the Threat Protection template or Data Loss Prevention profile triggered. 
| keyword |
+| trend_micro_vision_one.network_activity.pver | Product version. | keyword |
+| trend_micro_vision_one.network_activity.request.base | Domain of the requested URL. | keyword |
+| trend_micro_vision_one.network_activity.request.method | HTTP/HTTPS request method. | keyword |
+| trend_micro_vision_one.network_activity.request.mime_type | Requested content type. | keyword |
+| trend_micro_vision_one.network_activity.request.url | The requested destination URL the user is accessing. | keyword |
+| trend_micro_vision_one.network_activity.rt | Report received time. | long |
+| trend_micro_vision_one.network_activity.rule.name | Name of the rule that triggered the event. | keyword |
+| trend_micro_vision_one.network_activity.rule.type | Type of rule which triggered. | keyword |
+| trend_micro_vision_one.network_activity.rule.uuid | UUID of the triggered rule. | keyword |
+| trend_micro_vision_one.network_activity.score | Web Reputation Services URL rating. | long |
+| trend_micro_vision_one.network_activity.sender | Roaming users or gateway where the web traffic passed. | keyword |
+| trend_micro_vision_one.network_activity.server.protocol | HTTP protocol version of destination server. | keyword |
+| trend_micro_vision_one.network_activity.server.tls | Server TLS/SSL version. | keyword |
+| trend_micro_vision_one.network_activity.source.ip | Source IP address that is connecting to the Internet Access gateway. | ip |
+| trend_micro_vision_one.network_activity.source.port | Source virtual port assigned to endpoint Secure Access Module. | long |
+| trend_micro_vision_one.network_activity.start | Secure Access Module session start time. | long |
+| trend_micro_vision_one.network_activity.tenant.guid | Tenant GUID of the Internet Access Gateway. | keyword |
+| trend_micro_vision_one.network_activity.user.department | User department. | keyword |
+| trend_micro_vision_one.network_activity.user.domain | Domain of the username. 
| keyword |
+| trend_micro_vision_one.network_activity.user.id | User name or IP address. | keyword |
+| trend_micro_vision_one.network_activity.user.principal_name | User principal name used to log on to Trend Micro Web Security admin portal. | keyword |
+| trend_micro_vision_one.network_activity.user_agent | Name of the web browser app user connects from. | keyword |
+
+
 ### telemetry This is the `telemetry` dataset.
diff --git a/packages/trend_micro_vision_one/img/trend-micro-vision-one-endpoint-activity-dashboard-screenshot.png b/packages/trend_micro_vision_one/img/trend-micro-vision-one-endpoint-activity-dashboard-screenshot.png
new file mode 100644
index 00000000000..8fef789495b
Binary files /dev/null and b/packages/trend_micro_vision_one/img/trend-micro-vision-one-endpoint-activity-dashboard-screenshot.png differ
diff --git a/packages/trend_micro_vision_one/img/trend-micro-vision-one-network-activity-dashboard-screenshot.png b/packages/trend_micro_vision_one/img/trend-micro-vision-one-network-activity-dashboard-screenshot.png
new file mode 100644
index 00000000000..049dc35b02b
Binary files /dev/null and b/packages/trend_micro_vision_one/img/trend-micro-vision-one-network-activity-dashboard-screenshot.png differ
diff --git a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json
index bba9295fca9..d45773631bd 100644
--- a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json
+++ b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json
@@ -34,7 +34,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "9fa43e27-f7bd-4f0f-b7d2-08955609a472": { "columnOrder": [ 
@@ -49,7 +49,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "d8a8e1d7-1241-4a70-85e3-382db7b4fa21": { "customLabel": true, @@ -85,15 +85,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "d8a8e1d7-1241-4a70-85e3-382db7b4fa21" - ], "layerId": "9fa43e27-f7bd-4f0f-b7d2-08955609a472", "layerType": "data", "legendDisplay": "default", - "metric": "bda61ee5-a14d-4864-ba26-d3e0394c63ad", + "legendSize": "auto", + "metrics": [ + "bda61ee5-a14d-4864-ba26-d3e0394c63ad" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "d8a8e1d7-1241-4a70-85e3-382db7b4fa21" + ] } ], "shape": "pie" @@ -104,7 +107,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -116,7 +120,7 @@ "panelIndex": "e3b9ed00-b61a-4e71-9144-d92505d7eaf9", "title": "Distribution of Audit by Result [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -135,7 +139,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a5dfde98-4b93-4c4c-93c1-70043ff2502f": { "columnOrder": [ @@ -150,7 +154,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "3dae7a26-68d9-484c-8d34-c19f2b279979": { "customLabel": true, 
@@ -186,15 +190,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "3dae7a26-68d9-484c-8d34-c19f2b279979" - ], "layerId": "a5dfde98-4b93-4c4c-93c1-70043ff2502f", "layerType": "data", "legendDisplay": "default", - "metric": "1447642a-b455-4a1e-a425-568a15593cc3", + "legendSize": "auto", + "metrics": [ + "1447642a-b455-4a1e-a425-568a15593cc3" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "3dae7a26-68d9-484c-8d34-c19f2b279979" + ] } ], "shape": "pie" @@ -205,7 +212,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -217,7 +225,7 @@ "panelIndex": "984d6a97-d668-4f4f-8750-679983971d4c", "title": "Distribution of Audit by Access Type [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -236,7 +244,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "897f370a-3c32-469f-bfc2-74613384ef81": { "columnOrder": [ @@ -251,7 +259,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "fcd42d60-5fd5-4eda-98b3-fec2247b30ff": { "customLabel": true, @@ -315,6 +323,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -337,7 +346,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -349,7 +359,7 @@ "panelIndex": "c04c566d-1863-49ab-9bc1-74ad66d40666", "title": "Distribution of Audit by Category [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { 
@@ -372,11 +382,9 @@ "title": "[Logs Trend Micro Vision One] Audit", "version": 1 }, - "coreMigrationVersion": "7.17.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-12-05T10:45:20.793Z", "id": "trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89", - "migrationVersion": { - "dashboard": "7.17.0" - }, "references": [ { "id": "logs-*", @@ -412,7 +420,13 @@ "id": "trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89", "name": "85e7772a-687e-4f8e-8808-f6bdc6f9a538:panel_85e7772a-687e-4f8e-8808-f6bdc6f9a538", "type": "search" + }, + { + "id": "trend_micro_vision_one-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0" } \ No newline at end of file diff --git a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-16edcded-6b80-45b9-a6fd-aa0caa5fab50.json b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-16edcded-6b80-45b9-a6fd-aa0caa5fab50.json index 256a5bd0f32..83150786017 100644 --- a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-16edcded-6b80-45b9-a6fd-aa0caa5fab50.json +++ b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-16edcded-6b80-45b9-a6fd-aa0caa5fab50.json @@ -490,9 +490,8 @@ "version": 1 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-04-17T09:45:34.401Z", + "created_at": "2025-12-05T10:45:20.793Z", "id": "trend_micro_vision_one-16edcded-6b80-45b9-a6fd-aa0caa5fab50", - "managed": false, "references": [ { "id": "logs-*", 
@@ -513,8 +512,13 @@ "id": "logs-*", "name": "13e065ac-20ff-435c-a18e-479896b5c294:cfb0c71e-aaef-4009-9fcc-c0adea2d72f7", "type": "index-pattern" + }, + { + "id": "trend_micro_vision_one-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], "type": "dashboard", - "typeMigrationVersion": "8.9.0" -} + "typeMigrationVersion": "10.2.0" +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-6b1783a3-767a-4379-99fd-b721081cd601.json b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-6b1783a3-767a-4379-99fd-b721081cd601.json new file mode 100644 index 00000000000..5b5b342c9e3 --- /dev/null +++ b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-6b1783a3-767a-4379-99fd-b721081cd601.json 
@@ -0,0 +1,1421 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "0bf47af2-1ad6-4bf1-8b8e-1c0f0c4ae4d9": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "event.code", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Event Code" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "bae2976e-2575-4e34-b2cb-cfc01c4164ce": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "host.ip", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Host IP" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "Trend Micro Vision One Endpoint Activity Events Overview.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_4f1e05c4-8709-42ec-bc4f-85c6dcb94ac1_dashboard", + "id": "4f1e05c4-8709-42ec-bc4f-85c6dcb94ac1", + "label": "Alert", + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_179e9f84-1264-4269-8d9e-2dd23ff4f960_dashboard", + "id": "179e9f84-1264-4269-8d9e-2dd23ff4f960", + "label": "Audit", + "order": 1, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_97764c20-52be-490a-8884-7b1086b7a4ce_dashboard", + "id": 
"97764c20-52be-490a-8884-7b1086b7a4ce", + "label": "Detection", + "order": 2, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_2b21f308-ffc3-445e-809a-af2916c43744_dashboard", + "id": "2b21f308-ffc3-445e-809a-af2916c43744", + "label": "Endpoint Activity", + "order": 3, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_cd06dae8-9017-4be1-a263-2d0495f6f385_dashboard", + "id": "cd06dae8-9017-4be1-a263-2d0495f6f385", + "label": "Network Activity", + "order": 4, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_45b385a0-2c14-409a-8733-36e5f1c2a5b6_dashboard", + "id": "45b385a0-2c14-409a-8733-36e5f1c2a5b6", + "label": "Telemetry", + "order": 5, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 10, + "i": "5c746a21-9743-4dbd-8c5a-e44cb2870506", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "5c746a21-9743-4dbd-8c5a-e44cb2870506", + "title": "Navigation", + "type": "links" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c1c5fed7-21e3-4097-9531-4283f4c74629", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e38040a6-ee24-4054-8fbe-85a49c61ef9c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c1c5fed7-21e3-4097-9531-4283f4c74629": { + "columnOrder": [ + "4ba7f084-1617-449a-90f3-297a7dbeaaf3", + "92f95073-4e82-4b74-ab43-e777e081c87e" + ], + "columns": { + "4ba7f084-1617-449a-90f3-297a7dbeaaf3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "92f95073-4e82-4b74-ab43-e777e081c87e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": 
"terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.name" + }, + "92f95073-4e82-4b74-ab43-e777e081c87e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e38040a6-ee24-4054-8fbe-85a49c61ef9c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.endpoint_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.endpoint_activity" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "c1c5fed7-21e3-4097-9531-4283f4c74629", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "92f95073-4e82-4b74-ab43-e777e081c87e" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "4ba7f084-1617-449a-90f3-297a7dbeaaf3" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + 
"field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.endpoint_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.endpoint_activity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 22, + "i": "458a97d3-693a-48c9-b5bd-1a70ff3b2aa4", + "w": 21, + "x": 8, + "y": 18 + }, + "panelIndex": "458a97d3-693a-48c9-b5bd-1a70ff3b2aa4", + "title": "Event by Host Name", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Overview**\n\nThis dashboard provides a comprehensive view of endpoint activity from Trend Micro Vision One. It highlights the top source and destination addresses to pinpoint high-activity or potentially suspicious network interactions. Time-based event trends help identify spikes or anomalies across the environment. The dashboard also breaks down events by host OS, user accounts, and individual host machines to surface abnormal behavior patterns. 
Together, these insights support faster investigations, enhanced visibility, and proactive threat detection across all endpoints.\n\n**[Navigation](/app/integrations/detail/trend_micro_vision_one/overview)**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 30, + "i": "1ea337a4-22d9-491f-b2db-6736bb6ee2ad", + "w": 8, + "x": 0, + "y": 10 + }, + "panelIndex": "1ea337a4-22d9-491f-b2db-6736bb6ee2ad", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5d92caab-59db-46fd-a0ec-013530489e6e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "68c3a27e-63d2-4ee5-b3c8-bf3c7368c95a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5d92caab-59db-46fd-a0ec-013530489e6e": { + "columnOrder": [ + "b7d6550f-c4f5-46f9-b732-69e38cddb4da", + "421f7408-d063-486a-bade-752cb8b2d19d" + ], + "columns": { + "421f7408-d063-486a-bade-752cb8b2d19d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "b7d6550f-c4f5-46f9-b732-69e38cddb4da": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host OS Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "421f7408-d063-486a-bade-752cb8b2d19d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.os.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + 
} + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "68c3a27e-63d2-4ee5-b3c8-bf3c7368c95a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.endpoint_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.endpoint_activity" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "5d92caab-59db-46fd-a0ec-013530489e6e", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "421f7408-d063-486a-bade-752cb8b2d19d" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "b7d6550f-c4f5-46f9-b732-69e38cddb4da" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.endpoint_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.endpoint_activity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": 
false + }, + "gridData": { + "h": 22, + "i": "7a7b1a74-c2f3-44f3-9369-0022a9ce9f23", + "w": 19, + "x": 29, + "y": 18 + }, + "panelIndex": "7a7b1a74-c2f3-44f3-9369-0022a9ce9f23", + "title": "Event by Host OS", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1832adb9-df51-43e5-b91c-b1f994f96437", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b5db55f6-3f59-46a0-98b2-7e7bce35c738", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1832adb9-df51-43e5-b91c-b1f994f96437": { + "columnOrder": [ + "b8383b77-de83-4d1e-a9a4-5203caff2f79", + "bc6ce709-5e5c-4db8-bc62-beecd34be77f" + ], + "columns": { + "b8383b77-de83-4d1e-a9a4-5203caff2f79": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "bc6ce709-5e5c-4db8-bc62-beecd34be77f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "b5db55f6-3f59-46a0-98b2-7e7bce35c738", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.endpoint_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.endpoint_activity" + } 
+ } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "bc6ce709-5e5c-4db8-bc62-beecd34be77f" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "1832adb9-df51-43e5-b91c-b1f994f96437", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "b8383b77-de83-4d1e-a9a4-5203caff2f79" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.endpoint_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.endpoint_activity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "dba69287-170d-4c66-9f94-44495bbe977a", + "w": 40, + "x": 8, + "y": 0 + }, + "panelIndex": "dba69287-170d-4c66-9f94-44495bbe977a", + "title": "Event over Time", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-cc1cb6e4-12a0-4b2a-9104-fe173a78e33c", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "2ffcd506-8b22-43ed-a98a-e216075879a2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "cc1cb6e4-12a0-4b2a-9104-fe173a78e33c": { + "columnOrder": [ + "bdf08e62-8a36-4cfb-a03e-66c48587b9e7", + "7f0159c9-dea0-4143-a985-626f07e2394b" + ], + "columns": { + "7f0159c9-dea0-4143-a985-626f07e2394b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "bdf08e62-8a36-4cfb-a03e-66c48587b9e7": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7f0159c9-dea0-4143-a985-626f07e2394b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "2ffcd506-8b22-43ed-a98a-e216075879a2", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.endpoint_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.endpoint_activity" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "bdf08e62-8a36-4cfb-a03e-66c48587b9e7", + "isMetric": 
false, + "isTransposed": false + }, + { + "columnId": "7f0159c9-dea0-4143-a985-626f07e2394b", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "cc1cb6e4-12a0-4b2a-9104-fe173a78e33c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.endpoint_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.endpoint_activity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "ffaa8942-9892-4cf9-96a1-ca71e4adb342", + "w": 24, + "x": 0, + "y": 40 + }, + "panelIndex": "ffaa8942-9892-4cf9-96a1-ca71e4adb342", + "title": "Top Source IPs", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d5ddd5c3-e2a7-4e0f-bd29-ec3ff5945c33", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2ff4dc66-5a47-468a-82ae-7b41c1363146", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d5ddd5c3-e2a7-4e0f-bd29-ec3ff5945c33": { + "columnOrder": [ + "951bfaf0-19da-4729-bd31-f08a485ecb8f", + "b2ffa001-3f02-4f02-8763-45d0a5c71d05" + ], + "columns": { + "951bfaf0-19da-4729-bd31-f08a485ecb8f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Destination Address", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + 
"missingBucket": false, + "orderBy": { + "columnId": "b2ffa001-3f02-4f02-8763-45d0a5c71d05", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.address" + }, + "b2ffa001-3f02-4f02-8763-45d0a5c71d05": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "2ff4dc66-5a47-468a-82ae-7b41c1363146", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.endpoint_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.endpoint_activity" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "951bfaf0-19da-4729-bd31-f08a485ecb8f" + }, + { + "columnId": "b2ffa001-3f02-4f02-8763-45d0a5c71d05" + } + ], + "layerId": "d5ddd5c3-e2a7-4e0f-bd29-ec3ff5945c33", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.endpoint_activity" + }, + "type": "phrase" + }, + "query": { + 
"match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.endpoint_activity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "58368ca0-24f2-46f9-bd97-3361a8427763", + "w": 24, + "x": 24, + "y": 40 + }, + "panelIndex": "58368ca0-24f2-46f9-bd97-3361a8427763", + "title": "Top Destination Addresses", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8b2d819f-bee1-46cb-bc6b-2f8e546eed7f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c8005436-7a02-4f96-a6c7-8b75ac561a2b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8b2d819f-bee1-46cb-bc6b-2f8e546eed7f": { + "columnOrder": [ + "56a961d9-6c0f-4a7e-b4cf-1d4d81508fd7", + "588c15ff-e150-437f-b669-539be5fa3017" + ], + "columns": { + "56a961d9-6c0f-4a7e-b4cf-1d4d81508fd7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "588c15ff-e150-437f-b669-539be5fa3017", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 12 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "588c15ff-e150-437f-b669-539be5fa3017": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": 
{} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "c8005436-7a02-4f96-a6c7-8b75ac561a2b", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.endpoint_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.endpoint_activity" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "588c15ff-e150-437f-b669-539be5fa3017" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "8b2d819f-bee1-46cb-bc6b-2f8e546eed7f", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "56a961d9-6c0f-4a7e-b4cf-1d4d81508fd7" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.endpoint_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.endpoint_activity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + 
"syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "204bc91f-ca72-46c9-8756-84ddb4e94d8a", + "w": 24, + "x": 0, + "y": 56 + }, + "panelIndex": "204bc91f-ca72-46c9-8756-84ddb4e94d8a", + "title": "Event by User Name", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Trend Micro Vision One] Endpoint Activity", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-12-05T09:57:31.043Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "trend_micro_vision_one-6b1783a3-767a-4379-99fd-b721081cd601", + "references": [ + { + "id": "trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47", + "name": "5c746a21-9743-4dbd-8c5a-e44cb2870506:link_4f1e05c4-8709-42ec-bc4f-85c6dcb94ac1_dashboard", + "type": "dashboard" + }, + { + "id": "trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89", + "name": "5c746a21-9743-4dbd-8c5a-e44cb2870506:link_179e9f84-1264-4269-8d9e-2dd23ff4f960_dashboard", + "type": "dashboard" + }, + { + "id": "trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47", + "name": "5c746a21-9743-4dbd-8c5a-e44cb2870506:link_97764c20-52be-490a-8884-7b1086b7a4ce_dashboard", + "type": "dashboard" + }, + { + "id": "trend_micro_vision_one-6b1783a3-767a-4379-99fd-b721081cd601", + "name": "5c746a21-9743-4dbd-8c5a-e44cb2870506:link_2b21f308-ffc3-445e-809a-af2916c43744_dashboard", + "type": "dashboard" + }, + { + "id": "trend_micro_vision_one-f4f72f6b-e196-4c08-aa4c-cda69db25ee4", + "name": "5c746a21-9743-4dbd-8c5a-e44cb2870506:link_cd06dae8-9017-4be1-a263-2d0495f6f385_dashboard", + "type": "dashboard" + }, + { + "id": "trend_micro_vision_one-16edcded-6b80-45b9-a6fd-aa0caa5fab50", + "name": "5c746a21-9743-4dbd-8c5a-e44cb2870506:link_45b385a0-2c14-409a-8733-36e5f1c2a5b6_dashboard", + "type": "dashboard" + }, + { + "id": "logs-*", + "name": "458a97d3-693a-48c9-b5bd-1a70ff3b2aa4:indexpattern-datasource-layer-c1c5fed7-21e3-4097-9531-4283f4c74629", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "458a97d3-693a-48c9-b5bd-1a70ff3b2aa4:e38040a6-ee24-4054-8fbe-85a49c61ef9c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7a7b1a74-c2f3-44f3-9369-0022a9ce9f23:indexpattern-datasource-layer-5d92caab-59db-46fd-a0ec-013530489e6e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7a7b1a74-c2f3-44f3-9369-0022a9ce9f23:68c3a27e-63d2-4ee5-b3c8-bf3c7368c95a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dba69287-170d-4c66-9f94-44495bbe977a:indexpattern-datasource-layer-1832adb9-df51-43e5-b91c-b1f994f96437", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dba69287-170d-4c66-9f94-44495bbe977a:b5db55f6-3f59-46a0-98b2-7e7bce35c738", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ffaa8942-9892-4cf9-96a1-ca71e4adb342:indexpattern-datasource-layer-cc1cb6e4-12a0-4b2a-9104-fe173a78e33c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ffaa8942-9892-4cf9-96a1-ca71e4adb342:2ffcd506-8b22-43ed-a98a-e216075879a2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58368ca0-24f2-46f9-bd97-3361a8427763:indexpattern-datasource-layer-d5ddd5c3-e2a7-4e0f-bd29-ec3ff5945c33", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58368ca0-24f2-46f9-bd97-3361a8427763:2ff4dc66-5a47-468a-82ae-7b41c1363146", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "204bc91f-ca72-46c9-8756-84ddb4e94d8a:indexpattern-datasource-layer-8b2d819f-bee1-46cb-bc6b-2f8e546eed7f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "204bc91f-ca72-46c9-8756-84ddb4e94d8a:c8005436-7a02-4f96-a6c7-8b75ac561a2b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_bae2976e-2575-4e34-b2cb-cfc01c4164ce:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_0bf47af2-1ad6-4bf1-8b8e-1c0f0c4ae4d9:optionsListDataView", + "type": "index-pattern" + } + ], + 
"type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json index db3e979cc2a..7a74bb5916e 100644 --- a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json +++ b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json @@ -34,7 +34,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "ab62783e-8f90-4ed1-aaa2-0986490650ff": { "columnOrder": [ @@ -49,7 +49,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "78014197-8878-4d6a-9820-cbc319572497": { "customLabel": true, @@ -113,6 +113,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -135,7 +136,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -147,7 +149,7 @@ "panelIndex": "d62e0e2a-b417-4ab6-a0b2-b7d2b6b3d037", "title": "Distribution of Detection by Blocking Reason [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -166,7 +168,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "29f50e0d-fac2-443c-825c-8eb0c3a714d0": { "columnOrder": [ @@ -200,7 +202,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} 
@@ -245,6 +247,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -267,7 +270,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -279,7 +283,7 @@ "panelIndex": "52f01658-a95d-4f43-8e53-0a2a5acbb875", "title": "Distribution of Detection by Behavior Category [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -298,7 +302,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "49c72f74-21be-4805-9818-62b060da841d": { "columnOrder": [ @@ -332,7 +336,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -349,15 +353,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "05971311-2b03-416e-b137-6570c146adf1" - ], "layerId": "49c72f74-21be-4805-9818-62b060da841d", "layerType": "data", "legendDisplay": "default", - "metric": "a2bbe427-42ce-4604-b8fe-4b5bd3e198d7", + "legendSize": "auto", + "metrics": [ + "a2bbe427-42ce-4604-b8fe-4b5bd3e198d7" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "05971311-2b03-416e-b137-6570c146adf1" + ] } ], "shape": "pie" @@ -368,7 +375,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -380,7 +388,7 @@ "panelIndex": "58a6256c-8b28-43db-86c2-3359cef9ab44", "title": "Distribution of Detection by Device Direction [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { 
@@ -399,7 +407,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f691f89d-3522-4220-a870-93486224b466": { "columnOrder": [ @@ -433,7 +441,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -450,15 +458,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "b1c380a4-c9bd-4033-a33d-90d729de1655" - ], "layerId": "f691f89d-3522-4220-a870-93486224b466", "layerType": "data", "legendDisplay": "default", - "metric": "c85cf4bc-ee58-47d4-b395-0020646923c4", + "legendSize": "auto", + "metrics": [ + "c85cf4bc-ee58-47d4-b395-0020646923c4" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "b1c380a4-c9bd-4033-a33d-90d729de1655" + ] } ], "shape": "pie" @@ -469,7 +480,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -481,7 +493,7 @@ "panelIndex": "6f265958-b714-4af3-8479-6a71792ab6e8", "title": "Distribution of Detection by Protocol [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -500,7 +512,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "d550744a-88fb-4110-aa6e-7b2c2fa25385": { "columnOrder": [ @@ -515,7 +527,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "d1db4ae9-f392-4d84-9266-708f312a417d": { "customLabel": true, @@ -557,7 +569,9 @@ } ], "layerId": "d550744a-88fb-4110-aa6e-7b2c2fa25385", - "layerType": "data" + "layerType": "data", + "rowHeight": "custom", + "rowHeightLines": 1 } }, "title": "", 
@@ -565,7 +579,8 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -577,7 +592,7 @@ "panelIndex": "a57572f8-12d9-4d75-a3b7-e592f588881f", "title": "Top 10 Action by Detect Product [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -596,7 +611,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "72a2f6df-02ac-4dbc-9852-39e3ba8afa83": { "columnOrder": [ @@ -611,7 +626,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "d963d750-55ea-467b-b420-2ee6f6a40f66": { "customLabel": true, @@ -652,7 +667,9 @@ } ], "layerId": "72a2f6df-02ac-4dbc-9852-39e3ba8afa83", - "layerType": "data" + "layerType": "data", + "rowHeight": "custom", + "rowHeightLines": 1 } }, "title": "", @@ -660,7 +677,8 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -672,7 +690,7 @@ "panelIndex": "30d672ab-9361-421c-be5f-213d76fbe2dd", "title": "Top 10 Action Result by Detect Product [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -691,7 +709,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "50f136e8-fe91-4269-bd9b-650c0392557d": { "columnOrder": [ @@ -706,7 +724,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "e9b0baae-bc82-4535-b30b-9e3d1087bcea": { "customLabel": true, @@ -750,7 +768,9 @@ } ], "layerId": "50f136e8-fe91-4269-bd9b-650c0392557d", - "layerType": "data" + "layerType": "data", + "rowHeight": "custom", + "rowHeightLines": 1 } }, "title": "", 
@@ -758,7 +778,8 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -770,7 +791,7 @@ "panelIndex": "b7a95a71-0b0a-4377-81eb-9d493e103d14", "title": "Top 10 Detail Tags [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -789,7 +810,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "e73c0595-8dfa-4b9d-9af9-da286f0ea969": { "columnOrder": [ @@ -823,7 +844,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -846,7 +867,9 @@ } ], "layerId": "e73c0595-8dfa-4b9d-9af9-da286f0ea969", - "layerType": "data" + "layerType": "data", + "rowHeight": "custom", + "rowHeightLines": 1 } }, "title": "", @@ -854,7 +877,8 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -866,7 +890,7 @@ "panelIndex": "0207e0e7-7809-46f9-b26f-0888a3d96d98", "title": "Top 10 Threat Name [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -885,7 +909,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a8599c32-418f-45e0-a013-1d0ef2a030c4": { "columnOrder": [ @@ -900,7 +924,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "e864022d-8287-42ad-9ab5-4637769a9c71": { "customLabel": true, @@ -964,6 +988,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -986,7 +1011,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, 
@@ -998,7 +1024,7 @@ "panelIndex": "98acbf97-ec55-474c-b5db-cae2aaed7e14", "title": "Distribution of Detection by Detection Source [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -1017,7 +1043,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "bd766933-cdfd-4c87-ab55-3e994a2fe44e": { "columnOrder": [ @@ -1032,7 +1058,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "7e6beac1-f7da-41db-91a7-31d58a221a61": { "customLabel": true, @@ -1068,15 +1094,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "7e6beac1-f7da-41db-91a7-31d58a221a61" - ], "layerId": "bd766933-cdfd-4c87-ab55-3e994a2fe44e", "layerType": "data", "legendDisplay": "default", - "metric": "4ca7bc27-a9fa-476f-912b-522ed2a46ff3", + "legendSize": "auto", + "metrics": [ + "4ca7bc27-a9fa-476f-912b-522ed2a46ff3" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "7e6beac1-f7da-41db-91a7-31d58a221a61" + ] } ], "shape": "pie" @@ -1087,7 +1116,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -1099,7 +1129,7 @@ "panelIndex": "c2817d33-dceb-4442-b496-2fef04b7784a", "title": "Distribution of Detection by OS Name [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -1118,7 +1148,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "96da828c-adec-4f42-9d21-8e483f024d23": { "columnOrder": [ @@ -1133,7 +1163,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "b46706ba-b1dc-45db-af7a-53c85ff142c8": { "customLabel": true, 
@@ -1175,7 +1205,9 @@ } ], "layerId": "96da828c-adec-4f42-9d21-8e483f024d23", - "layerType": "data" + "layerType": "data", + "rowHeight": "custom", + "rowHeightLines": 1 } }, "title": "", @@ -1183,7 +1215,8 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -1195,7 +1228,7 @@ "panelIndex": "533112ad-9176-45ae-b7e2-f17a052f06b8", "title": "Top 10 Policy Name [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -1214,7 +1247,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f1c7368e-804d-4324-97e9-f12e0639e9d5": { "columnOrder": [ @@ -1248,7 +1281,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -1293,6 +1326,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -1315,7 +1349,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -1327,7 +1362,7 @@ "panelIndex": "c4b23adc-cfc7-45d5-8330-28788f0d2cf1", "title": "Distribution of Detection by File Type [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -1346,7 +1381,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4917b550-af61-4625-af61-c9274e27047a": { "columnOrder": [ @@ -1361,7 +1396,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "ca6ec33b-2725-4194-b64c-69c605dd34a2": { "customLabel": true, 
@@ -1425,6 +1460,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -1447,7 +1483,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -1459,7 +1496,7 @@ "panelIndex": "a5dca630-9e4d-4782-aeb0-eec9fb3a7fe5", "title": "Distribution of Detection by Profile Name [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -1478,7 +1515,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "d691e22d-4da1-4052-99e9-19980d1ad140": { "columnOrder": [ @@ -1512,7 +1549,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -1535,7 +1572,9 @@ } ], "layerId": "d691e22d-4da1-4052-99e9-19980d1ad140", - "layerType": "data" + "layerType": "data", + "rowHeight": "custom", + "rowHeightLines": 1 } }, "title": "", @@ -1543,7 +1582,8 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -1555,18 +1595,16 @@ "panelIndex": "b8ea0d85-673c-4f28-9397-48baf5fd0cb1", "title": "Top 10 Sender Name [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" } ], "timeRestore": false, "title": "[Logs Trend Micro Vision One] Detection", "version": 1 }, - "coreMigrationVersion": "7.17.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-12-05T10:45:20.793Z", "id": "trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47", - "migrationVersion": { - "dashboard": "7.17.0" - }, "references": [ { "id": "logs-*", 
@@ -1707,7 +1745,13 @@ "id": "logs-*", "name": "b8ea0d85-673c-4f28-9397-48baf5fd0cb1:indexpattern-datasource-layer-d691e22d-4da1-4052-99e9-19980d1ad140", "type": "index-pattern" + }, + { + "id": "trend_micro_vision_one-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0" } \ No newline at end of file diff --git a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json index 90fbcb7e4c7..38e70dfb398 100644 --- a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json +++ b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json @@ -34,7 +34,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c66b406f-8e28-4d47-9fc4-39b968af345d": { "columnOrder": [ @@ -49,7 +49,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "f8fe0e4c-a495-4e43-9d53-c1d67a1af7d6": { "customLabel": true, @@ -85,15 +85,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "f8fe0e4c-a495-4e43-9d53-c1d67a1af7d6" - ], "layerId": "c66b406f-8e28-4d47-9fc4-39b968af345d", "layerType": "data", "legendDisplay": "default", - "metric": "e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea", + "legendSize": "auto", + "metrics": [ + "e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "f8fe0e4c-a495-4e43-9d53-c1d67a1af7d6" + ] } ], "shape": "pie" 
@@ -104,7 +107,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -116,7 +120,7 @@ "panelIndex": "04cd99db-4dd5-4eca-ab0a-f922068c9a25", "title": "Distribution of Alert by Severity [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -135,7 +139,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "93eb5209-5e6d-4079-a4a1-2bfab8dd99df": { "columnOrder": [ @@ -149,6 +153,7 @@ "label": "@timestamp", "operationType": "date_histogram", "params": { + "includeEmptyRows": true, "interval": "auto" }, "scale": "interval", @@ -206,6 +211,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "line", @@ -228,7 +234,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -240,7 +247,7 @@ "panelIndex": "db54892f-8ac3-49ed-9ec3-7cfe7648f646", "title": "Trend of Alert Score Over Time [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -259,7 +266,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "ac7eae8e-47b7-494d-aa59-23badf3efe0f": { "columnOrder": [ @@ -293,7 +300,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} 
@@ -310,15 +317,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "1a94ba46-8da2-4c13-86ae-6f0217196e37" - ], "layerId": "ac7eae8e-47b7-494d-aa59-23badf3efe0f", "layerType": "data", "legendDisplay": "default", - "metric": "896c9e40-e894-44bd-95cf-8098f7a30f3d", + "legendSize": "auto", + "metrics": [ + "896c9e40-e894-44bd-95cf-8098f7a30f3d" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "1a94ba46-8da2-4c13-86ae-6f0217196e37" + ] } ], "shape": "pie" @@ -329,7 +339,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -341,7 +352,7 @@ "panelIndex": "123f8240-4cc6-4003-83af-43553d428928", "title": "Distribution of Alert by Investigation Status [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -360,7 +371,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4d3824b7-1c3f-44cd-b84d-88552f0eff69": { "columnOrder": [ @@ -375,7 +386,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "1ad9ba6d-9cb3-4330-801c-f956897bcafa": { "customLabel": true, @@ -411,15 +422,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "1ad9ba6d-9cb3-4330-801c-f956897bcafa" - ], "layerId": "4d3824b7-1c3f-44cd-b84d-88552f0eff69", "layerType": "data", "legendDisplay": "default", - "metric": "0b3248dd-237b-4f84-badb-d179a9e76f4f", + "legendSize": "auto", + "metrics": [ + "0b3248dd-237b-4f84-badb-d179a9e76f4f" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "1ad9ba6d-9cb3-4330-801c-f956897bcafa" + ] } ], "shape": "pie" 
@@ -430,7 +444,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -442,7 +457,7 @@ "panelIndex": "dee1cbd0-6143-4245-ab3f-b8cd4022e67e", "title": "Distribution of Alert by Entity Type [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -461,7 +476,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "464ea482-63a1-4427-8f9c-224e693d4ffc": { "columnOrder": [ @@ -476,7 +491,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "d3f7e999-2c6b-4b3f-bbca-72ec716b4285": { "customLabel": true, @@ -540,6 +555,7 @@ ], "legend": { "isVisible": true, + "legendSize": "auto", "position": "right" }, "preferredSeriesType": "bar_stacked", @@ -562,7 +578,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -574,7 +591,7 @@ "panelIndex": "9e5504f2-2732-40d5-a0c8-c885c93a8153", "title": "Distribution of Alert by Indicator Type [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" }, { "embeddableConfig": { @@ -593,7 +610,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "38c2ae2f-27fd-47dc-911f-4aa95f5545d1": { "columnOrder": [ @@ -627,7 +644,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -650,7 +667,9 @@ } ], "layerId": "38c2ae2f-27fd-47dc-911f-4aa95f5545d1", - "layerType": "data" + "layerType": "data", + "rowHeight": "custom", + "rowHeightLines": 1 } }, "title": "", 
@@ -658,7 +677,8 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, "gridData": { "h": 15, @@ -670,18 +690,16 @@ "panelIndex": "eabd35ae-1d20-403d-ab31-993d621aa11d", "title": "Top 10 Matched Rule [Logs Trend Micro Vision One]", "type": "lens", - "version": "7.17.0" + "version": "8.9.0" } ], "timeRestore": false, "title": "[Logs Trend Micro Vision One] Alert", "version": 1 }, - "coreMigrationVersion": "7.17.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-12-05T10:45:20.793Z", "id": "trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47", - "migrationVersion": { - "dashboard": "7.17.0" - }, "references": [ { "id": "logs-*", @@ -742,7 +760,13 @@ "id": "logs-*", "name": "eabd35ae-1d20-403d-ab31-993d621aa11d:indexpattern-datasource-layer-38c2ae2f-27fd-47dc-911f-4aa95f5545d1", "type": "index-pattern" + }, + { + "id": "trend_micro_vision_one-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0" } \ No newline at end of file diff --git a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-f4f72f6b-e196-4c08-aa4c-cda69db25ee4.json b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-f4f72f6b-e196-4c08-aa4c-cda69db25ee4.json new file mode 100644 index 00000000000..7d8a775115d --- /dev/null +++ b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-f4f72f6b-e196-4c08-aa4c-cda69db25ee4.json 
@@ -0,0 +1,1634 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "6db3170c-635b-4984-a93e-1848195bdf37": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "rule.name", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Rule Name" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "abbffc1c-6518-48f4-b415-06c869fc468e": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "client.ip", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Client IP" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "Trend Micro Vision One Network Activity Events Overview.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0303f65b-34a1-4ce6-a9bc-2f0c8fb97830", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5d7a9b6d-5820-4af9-a51e-aab3412cc3e6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0303f65b-34a1-4ce6-a9bc-2f0c8fb97830": { + "columnOrder": [ + "1ccf03db-8d12-4728-95c4-442015bf3398", + "9c769110-5623-4a55-8a61-39b20a0d2371" + ], + "columns": { + "1ccf03db-8d12-4728-95c4-442015bf3398": 
{ + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9c769110-5623-4a55-8a61-39b20a0d2371", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "9c769110-5623-4a55-8a61-39b20a0d2371": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "5d7a9b6d-5820-4af9-a51e-aab3412cc3e6", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "1ccf03db-8d12-4728-95c4-442015bf3398", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "9c769110-5623-4a55-8a61-39b20a0d2371", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "0303f65b-34a1-4ce6-a9bc-2f0c8fb97830", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + 
"store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "fcd5d587-acdd-4e7f-8e05-5d469742893b", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "fcd5d587-acdd-4e7f-8e05-5d469742893b", + "title": "Top Source IPs", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-22ec96cd-8791-4cb5-b9e8-16fafe95257c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "92d6f0f2-3a58-47ca-8289-80f87320007c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "22ec96cd-8791-4cb5-b9e8-16fafe95257c": { + "columnOrder": [ + "dc4b7212-b323-42d4-80be-e36735efb8f2", + "f06c7305-af5d-4ebc-b8f4-9d9717b0199f" + ], + "columns": { + "dc4b7212-b323-42d4-80be-e36735efb8f2": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f06c7305-af5d-4ebc-b8f4-9d9717b0199f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.ip" + }, + "f06c7305-af5d-4ebc-b8f4-9d9717b0199f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + 
"operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "92d6f0f2-3a58-47ca-8289-80f87320007c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "dc4b7212-b323-42d4-80be-e36735efb8f2", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "f06c7305-af5d-4ebc-b8f4-9d9717b0199f", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "22ec96cd-8791-4cb5-b9e8-16fafe95257c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "e497d3ff-051b-4858-96a9-1a66de9154a5", + "w": 24, + "x": 24, + "y": 45 + }, + 
"panelIndex": "e497d3ff-051b-4858-96a9-1a66de9154a5", + "title": "Top Destination IPs", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_21e6b7ab-dacb-44b5-b0ad-d42e62b1b365_dashboard", + "id": "21e6b7ab-dacb-44b5-b0ad-d42e62b1b365", + "label": "Alert", + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_78bcc20d-1174-4834-8c47-b8278d305539_dashboard", + "id": "78bcc20d-1174-4834-8c47-b8278d305539", + "label": "Audit", + "order": 1, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_375a26d6-89e6-4d0e-b67e-1aa67e349e2c_dashboard", + "id": "375a26d6-89e6-4d0e-b67e-1aa67e349e2c", + "label": "Detection", + "order": 2, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_a42f2c39-1d30-4ad6-8771-78364da9feec_dashboard", + "id": "a42f2c39-1d30-4ad6-8771-78364da9feec", + "label": "Endpoint Activity", + "order": 3, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_7f65ceff-556b-43c1-92e8-b1e5888b2559_dashboard", + "id": "7f65ceff-556b-43c1-92e8-b1e5888b2559", + "label": "Network Activity", + "order": 4, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_304309e9-2b4f-42bf-bc8d-ee26a1e80cf2_dashboard", + "id": "304309e9-2b4f-42bf-bc8d-ee26a1e80cf2", + "label": "Telemetry", + "order": 5, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 10, + "i": "13582bb8-c083-4b1e-a2cd-c87885798d0a", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "13582bb8-c083-4b1e-a2cd-c87885798d0a", + "title": "Navigation", + "type": "links" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Overview**\n\nThis dashboard offers 
a unified view of network-focused endpoint events, helping security teams quickly identify abnormal or high-volume activity. It highlights the top source and destination IPs to uncover suspicious connections or potential attack origins. Event trends over time reveal spikes, anomalies, and evolving patterns. Additional breakdowns by host OS, user name, and hostname provide context on which systems or identities are most impacted. The Top Rule Category chart further surfaces dominant detection types, enabling faster triage and prioritization. Together, these insights strengthen visibility and support proactive threat investigation.\n\n**[Navigation](/app/integrations/detail/trend_micro_vision_one/overview)**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 35, + "i": "7f665dfa-c3a9-4442-9dfb-044066be719b", + "w": 8, + "x": 0, + "y": 10 + }, + "panelIndex": "7f665dfa-c3a9-4442-9dfb-044066be719b", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-321bd29b-3729-4b30-af0a-a2f76132699e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "51509644-797e-476b-b341-7601190e2321", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "321bd29b-3729-4b30-af0a-a2f76132699e": { + "columnOrder": [ + "4068f893-4a27-4f35-a02f-08b1717c5c6a", + "b1bb86fc-d75a-4b91-851b-2bfbb0156fda" + ], + "columns": { + "4068f893-4a27-4f35-a02f-08b1717c5c6a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host OS Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b1bb86fc-d75a-4b91-851b-2bfbb0156fda", + "type": "column" + }, + 
"orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.os.name" + }, + "b1bb86fc-d75a-4b91-851b-2bfbb0156fda": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "51509644-797e-476b-b341-7601190e2321", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "321bd29b-3729-4b30-af0a-a2f76132699e", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "b1bb86fc-d75a-4b91-851b-2bfbb0156fda" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "4068f893-4a27-4f35-a02f-08b1717c5c6a" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + 
"store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "3b7b0341-fc7b-4c98-9514-3de770b8cdf8", + "w": 21, + "x": 8, + "y": 15 + }, + "panelIndex": "3b7b0341-fc7b-4c98-9514-3de770b8cdf8", + "title": "Event by Host OS", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-afe86258-03e0-4505-90ea-fdc6b8cd8f55", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "84560e1c-542a-45d5-9bc7-b18b9f1ab29b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "afe86258-03e0-4505-90ea-fdc6b8cd8f55": { + "columnOrder": [ + "1b02f12f-89ea-470c-bcf1-ec3242b855fc", + "b2d6a0ff-94eb-4ecb-b118-dce0729529de" + ], + "columns": { + "1b02f12f-89ea-470c-bcf1-ec3242b855fc": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Rule Category", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b2d6a0ff-94eb-4ecb-b118-dce0729529de", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "rule.category" + }, + "b2d6a0ff-94eb-4ecb-b118-dce0729529de": { + "customLabel": true, + "dataType": "number", + "isBucketed": 
false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "84560e1c-542a-45d5-9bc7-b18b9f1ab29b", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "afe86258-03e0-4505-90ea-fdc6b8cd8f55", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "b2d6a0ff-94eb-4ecb-b118-dce0729529de" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "1b02f12f-89ea-470c-bcf1-ec3242b855fc" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, 
+ "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "edd6a78e-474e-4274-9a41-0f52246fba59", + "w": 17, + "x": 31, + "y": 0 + }, + "panelIndex": "edd6a78e-474e-4274-9a41-0f52246fba59", + "title": "Event by Rule Category", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-36a0295c-900e-4650-8c42-07008af2547c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8c5e7720-71b4-477b-b661-a06977277c6c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "36a0295c-900e-4650-8c42-07008af2547c": { + "columnOrder": [ + "57edc899-49ff-4dcb-9058-f77077bf1fca", + "da85576f-8198-4ea0-a0fa-5919e7fe40ef" + ], + "columns": { + "57edc899-49ff-4dcb-9058-f77077bf1fca": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Hostname", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "da85576f-8198-4ea0-a0fa-5919e7fe40ef", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.hostname" + }, + "da85576f-8198-4ea0-a0fa-5919e7fe40ef": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + 
"layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "8c5e7720-71b4-477b-b661-a06977277c6c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "36a0295c-900e-4650-8c42-07008af2547c", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "da85576f-8198-4ea0-a0fa-5919e7fe40ef" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "57edc899-49ff-4dcb-9058-f77077bf1fca" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": 
"23d73f40-4aae-4623-bb54-877173021e7c", + "w": 19, + "x": 29, + "y": 15 + }, + "panelIndex": "23d73f40-4aae-4623-bb54-877173021e7c", + "title": "Event by Hostname", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-263dc422-d120-48dd-b4f7-e7997a05ead8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "eed678ef-3677-49c3-966e-22883d57a223", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "263dc422-d120-48dd-b4f7-e7997a05ead8": { + "columnOrder": [ + "a53e2226-3ebd-46e7-b763-274bb12802e7", + "04726475-52ff-4d4e-9e13-2846942f0e7a" + ], + "columns": { + "04726475-52ff-4d4e-9e13-2846942f0e7a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "a53e2226-3ebd-46e7-b763-274bb12802e7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "04726475-52ff-4d4e-9e13-2846942f0e7a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "eed678ef-3677-49c3-966e-22883d57a223", + "key": "data_stream.dataset", + "negate": false, + "params": { + 
"query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "04726475-52ff-4d4e-9e13-2846942f0e7a" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "263dc422-d120-48dd-b4f7-e7997a05ead8", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "a53e2226-3ebd-46e7-b763-274bb12802e7" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "a7db8434-a364-40b5-9397-685b5bba6871", + "w": 23, + "x": 8, + "y": 0 + }, + "panelIndex": "a7db8434-a364-40b5-9397-685b5bba6871", + "title": "Event by User Name", + "type": "lens" 
+ }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0837dd3e-81b1-4cab-a64f-6ccd9401f3ac", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "91860acb-3acd-4b51-a8d6-29086b55cdd3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0837dd3e-81b1-4cab-a64f-6ccd9401f3ac": { + "columnOrder": [ + "98231ac8-5afe-4f1c-8b28-30116faf7c0f", + "f044d0eb-7249-4846-8489-2d850f11da1f" + ], + "columns": { + "98231ac8-5afe-4f1c-8b28-30116faf7c0f": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "f044d0eb-7249-4846-8489-2d850f11da1f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "91860acb-3acd-4b51-a8d6-29086b55cdd3", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "f044d0eb-7249-4846-8489-2d850f11da1f" + ], + "colorMapping": { + 
"assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "0837dd3e-81b1-4cab-a64f-6ccd9401f3ac", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "98231ac8-5afe-4f1c-8b28-30116faf7c0f" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trend_micro_vision_one.network_activity" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trend_micro_vision_one.network_activity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "48b39532-1c91-489a-996d-d19b08d5dba9", + "w": 40, + "x": 8, + "y": 29 + }, + "panelIndex": "48b39532-1c91-489a-996d-d19b08d5dba9", + "title": "Event over Time", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Trend Micro Vision One] Network Activity", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-12-05T10:51:51.587Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "trend_micro_vision_one-f4f72f6b-e196-4c08-aa4c-cda69db25ee4", + "references": [ + { + "id": "logs-*", + "name": 
"fcd5d587-acdd-4e7f-8e05-5d469742893b:indexpattern-datasource-layer-0303f65b-34a1-4ce6-a9bc-2f0c8fb97830", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fcd5d587-acdd-4e7f-8e05-5d469742893b:5d7a9b6d-5820-4af9-a51e-aab3412cc3e6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e497d3ff-051b-4858-96a9-1a66de9154a5:indexpattern-datasource-layer-22ec96cd-8791-4cb5-b9e8-16fafe95257c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e497d3ff-051b-4858-96a9-1a66de9154a5:92d6f0f2-3a58-47ca-8289-80f87320007c", + "type": "index-pattern" + }, + { + "id": "trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47", + "name": "13582bb8-c083-4b1e-a2cd-c87885798d0a:link_21e6b7ab-dacb-44b5-b0ad-d42e62b1b365_dashboard", + "type": "dashboard" + }, + { + "id": "trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89", + "name": "13582bb8-c083-4b1e-a2cd-c87885798d0a:link_78bcc20d-1174-4834-8c47-b8278d305539_dashboard", + "type": "dashboard" + }, + { + "id": "trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47", + "name": "13582bb8-c083-4b1e-a2cd-c87885798d0a:link_375a26d6-89e6-4d0e-b67e-1aa67e349e2c_dashboard", + "type": "dashboard" + }, + { + "id": "trend_micro_vision_one-6b1783a3-767a-4379-99fd-b721081cd601", + "name": "13582bb8-c083-4b1e-a2cd-c87885798d0a:link_a42f2c39-1d30-4ad6-8771-78364da9feec_dashboard", + "type": "dashboard" + }, + { + "id": "trend_micro_vision_one-f4f72f6b-e196-4c08-aa4c-cda69db25ee4", + "name": "13582bb8-c083-4b1e-a2cd-c87885798d0a:link_7f65ceff-556b-43c1-92e8-b1e5888b2559_dashboard", + "type": "dashboard" + }, + { + "id": "trend_micro_vision_one-16edcded-6b80-45b9-a6fd-aa0caa5fab50", + "name": "13582bb8-c083-4b1e-a2cd-c87885798d0a:link_304309e9-2b4f-42bf-bc8d-ee26a1e80cf2_dashboard", + "type": "dashboard" + }, + { + "id": "logs-*", + "name": "3b7b0341-fc7b-4c98-9514-3de770b8cdf8:indexpattern-datasource-layer-321bd29b-3729-4b30-af0a-a2f76132699e", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "3b7b0341-fc7b-4c98-9514-3de770b8cdf8:51509644-797e-476b-b341-7601190e2321", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "edd6a78e-474e-4274-9a41-0f52246fba59:indexpattern-datasource-layer-afe86258-03e0-4505-90ea-fdc6b8cd8f55", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "edd6a78e-474e-4274-9a41-0f52246fba59:84560e1c-542a-45d5-9bc7-b18b9f1ab29b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "23d73f40-4aae-4623-bb54-877173021e7c:indexpattern-datasource-layer-36a0295c-900e-4650-8c42-07008af2547c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "23d73f40-4aae-4623-bb54-877173021e7c:8c5e7720-71b4-477b-b661-a06977277c6c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a7db8434-a364-40b5-9397-685b5bba6871:indexpattern-datasource-layer-263dc422-d120-48dd-b4f7-e7997a05ead8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a7db8434-a364-40b5-9397-685b5bba6871:eed678ef-3677-49c3-966e-22883d57a223", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "48b39532-1c91-489a-996d-d19b08d5dba9:indexpattern-datasource-layer-0837dd3e-81b1-4cab-a64f-6ccd9401f3ac", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "48b39532-1c91-489a-996d-d19b08d5dba9:91860acb-3acd-4b51-a8d6-29086b55cdd3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_6db3170c-635b-4984-a93e-1848195bdf37:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_abbffc1c-6518-48f4-b415-06c869fc468e:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file 
diff --git a/packages/trend_micro_vision_one/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json b/packages/trend_micro_vision_one/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json
index cafd4cfb828..ef87f73e081 100644
--- a/packages/trend_micro_vision_one/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json
+++ b/packages/trend_micro_vision_one/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json
@@ -26,17 +26,21 @@
 ],
 "title": "Audit Events Essential Details [Logs Trend Micro Vision One]"
 },
- "coreMigrationVersion": "7.17.0",
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-12-05T10:45:20.793Z",
 "id": "trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89",
- "migrationVersion": {
- "search": "7.9.3"
- },
 "references": [
 {
 "id": "logs-*",
 "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
 "type": "index-pattern"
+ },
+ {
+ "id": "trend_micro_vision_one-security-solution-default",
+ "name": "tag-ref-security-solution-default",
+ "type": "tag"
 }
 ],
- "type": "search"
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
 }
\ No newline at end of file
diff --git a/packages/trend_micro_vision_one/kibana/tag/trend_micro_vision_one-security-solution-default.json b/packages/trend_micro_vision_one/kibana/tag/trend_micro_vision_one-security-solution-default.json
new file mode 100644
index 00000000000..0272c74c8a1
--- /dev/null
+++ b/packages/trend_micro_vision_one/kibana/tag/trend_micro_vision_one-security-solution-default.json
@@ -0,0 +1,13 @@
+{
+ "attributes": {
+ "color": "#54B399",
+ "description": "Tag defined in package-spec",
+ "name": "Security Solution"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-12-05T09:27:53.399Z",
+ "id": "trend_micro_vision_one-security-solution-default",
+ "references": [],
+ "type": "tag",
+ "typeMigrationVersion": "8.0.0"
+}
\ No newline at end of file
diff --git a/packages/trend_micro_vision_one/manifest.yml b/packages/trend_micro_vision_one/manifest.yml
index a72132c4771..7a61c99708a 100644
--- a/packages/trend_micro_vision_one/manifest.yml
+++ b/packages/trend_micro_vision_one/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.3"
+format_version: "3.3.2"
 name: trend_micro_vision_one
 title: Trend Micro Vision One
-version: "2.5.0"
+version: "2.6.0"
 description: Collect logs from Trend Micro Vision One with Elastic Agent.
 type: integration
 categories:
@@ -11,12 +11,20 @@ categories:
 - siem
 conditions:
 kibana:
- version: "^8.15.0 || ^9.0.0"
+ version: "^8.18.0 || ^9.0.0"
 screenshots:
 - src: /img/trend-micro-vision-one-alert-dashboard-screenshot.png
 title: Trend Micro Vision One Alert Dashboard Screenshot
 size: 600x600
 type: image/png
+ - src: /img/trend-micro-vision-one-endpoint-activity-dashboard-screenshot.png
 title: Trend Micro Vision One Endpoint Activity Dashboard Screenshot
 size: 1280x1323
 type: image/png
+ - src: /img/trend-micro-vision-one-network-activity-dashboard-screenshot.png
 title: Trend Micro Vision One Network Activity Dashboard Screenshot
 size: 1280x1323
 type: image/png
 - src: /img/trend-micro-vision-one-telemetry-dashboard-screenshot.png
 title: Trend Micro Vision One Telemetry Dashboard Screenshot
 size: 1280x1323
@@ -32,8 +40,8 @@ policy_templates:
 description: Collect logs from Trend Micro Vision One.
 inputs:
 - type: httpjson
- title: Collect Trend Micro Vision One logs via API
- description: Collecting Trend Micro Vision One logs via API.
+ title: Collect Trend Micro Vision One alert, audit, and detection logs via API
+ description: Collecting Trend Micro Vision One alert, audit, and detection logs via API.
 vars:
 - name: hostname
 type: text
@@ -83,8 +91,8 @@ policy_templates:
 # sxSmbIUfc2SGJGCJD4I=
 # -----END CERTIFICATE-----
 - type: cel
- title: Collect Trend Micro Vision One data via the Datalake Pipeline API
- description: Collecting Trend Micro Vision One data via the Datalake Pipeline API.
+ title: Collect Trend Micro Vision One endpoint and network activity logs via API, along with telemetry data through the Datalake Pipeline API
+ description: Collecting Trend Micro Vision One endpoint and network activity logs via API, along with telemetry data through the Datalake Pipeline API.
 vars:
 - name: hostname
 type: text
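Review bot: The new `title` on the `cel` input is a 21-word sentence, which is unusually long for a policy-template input label that Fleet renders as a heading; the parallel `httpjson` input in the earlier hunk of this file keeps its title to one short clause. A shorter title that just names the data streams, e.g. `title: Collect Trend Micro Vision One endpoint activity, network activity, and telemetry logs via API`, would read better in the UI, and the "through the Datalake Pipeline API" detail fits naturally in `description`, which already repeats it. The `policy_templates` entry this input belongs to starts outside the hunk, so I cannot tell from here whether other inputs follow the same naming pattern.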