Trend Vision One

Page created for EA release

This documentation has been published for the Early Access (EA) release of the cloud service event source integration with Trend Vision One.

Trend Vision One is an extended detection and response (XDR) platform that correlates data from native sensors and third-party integrations to detect threats, provide clear insights, and provide remediation capabilities.

The Trend Vision One event source enables SIEM (InsightIDR) to ingest Workbench Alerts from the Trend Vision One platform with event collection through the cloud.

To set up Trend Vision One:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure Trend Vision One to send data to SIEM (InsightIDR).
  3. Configure SIEM (InsightIDR) to collect data from the event source.
  4. Test the configuration.

You can also:

Requirements

Before you start the configuration:

  • Create and record a Trend Vision One API key (as outlined in Configure Trend Vision One to send data to SIEM (InsightIDR)).
  • Identify your Trend Vision One region based on the portal URL (for more information, see Trend Vision One’s documentation on identifying your region):
    • Australia: api.au.xdr.trendmicro.com
    • Europe: api.eu.xdr.trendmicro.com
    • India: api.in.xdr.trendmicro.com
    • Japan: api.xdr.trendmicro.co.jp
    • Singapore: api.sg.xdr.trendmicro.com
    • United Arab Emirates: api.mea.xdr.trendmicro.com
    • United Kingdom: api.uk.xdr.trendmicro.com
    • United States: api.xdr.trendmicro.com
    • United States (for Government): api.usgov.xdr.trendmicro.com

Configure Trend Vision One to send data to SIEM (InsightIDR)

To allow SIEM (InsightIDR) to receive data from Trend Vision One, you must generate and record an API key.

To configure the Trend Vision One API:

  1. Log in to Trend Vision One: https://signin.v1.trendmicro.com/ 
  2. In the upper-right corner, click your organization name, then click API Keys.
  3. At the top of the page, click Add API Key.
  4. Provide a name for the key, select SIEM as the role, and set an expiration period (up to 15 years).
  5. Click Add to generate the key.
  6. Copy and securely save the API key. You won’t be able to retrieve it again after navigating away from the page.

Configure SIEM (InsightIDR) to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).

Task 1: Select Trend Vision One

  1. From the Command Platform main menu, go to Data Connectors > Data Collectors.
  2. Go to the Event Sources tab, then click Add Event Source.
  3. Do one of the following:
    • Search for Trend Vision One in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  4. Select the Trend Vision One event source tile.

Task 2: Set up your collection method

  1. Name the event source. This will become the name of the log that contains the event data in Log Search.
  2. Click Add a New Connection.
  3. In the Create a Cloud Connection screen, enter a name for the new connection.
  4. In the Region field, select the regional endpoint for your Trend Vision One instance, as determined in the Requirements section.
  5. In the API Key field, add a new credential:
    1. Name your credential.
    2. Describe your credential.
    3. Select the credential type.
    4. Enter the API Key that you obtained in the previous section, Configure Trend Vision One to send data to SIEM (InsightIDR).
    5. Specify the product access for this credential.
    6. Click Save Connection.
  6. Optionally, select the option to send unparsed data.
  7. Click Save.

Test the configuration

The event types that SIEM (InsightIDR) parses from this event source are:

  • Workbench Alerts

To test that event data is flowing into SIEM (InsightIDR):

  1. From the Data Collection Management page, open the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
  3. Wait approximately 7 minutes, then open Log Search.

Next, verify that log entries are appearing in Log Search:

  1. From the left menu, go to Log Search.
  2. In the Log Search filter panel, search for the event source you named in step 3 of Task 2: Set up your collection method. Trend Vision One logs should flow into these log sets:
    • Third party alerts
    • Unparsed data
  3. Select the log sets and the logs within them.
  4. Set the time range to Last 10 minutes and click Run.

The Results table displays all events that flowed into SIEM (InsightIDR) in the last 10 minutes. Pay attention to the keys and values that are displayed, which are helpful when you want to build a query and search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the log sets: third party alerts and unparsed data.

Here is a typical raw log entry that is created by the event source:

{
  "schemaVersion": "1.12",
  "id": "WB-9002-20220906-00022",
  "investigationStatus": "New",
  "status": "Open",
  "investigationResult": "No Findings",
  "workbenchLink": "",
  "alertProvider": "SAE",
  "modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8",
  "model": "Privilege Escalation via UAC Bypass",
  "modelType": "preset",
  "score": 64,
  "severity": "high",
  "firstInvestigatedDateTime": "2022-10-06T02:30:31Z",
  "createdDateTime": "2022-09-06T02:49:31Z",
  "updatedDateTime": "2022-09-06T02:49:48Z",
  "incidentId": "IC-1-20230706-00001",
  "caseId": "CL-1-20230706-00001",
  "ownerIds": [ "12345678-1234-1234-1234-123456789012" ],
  "impactScope": {
    "desktopCount": 1,
    "serverCount": 0,
    "accountCount": 1,
    "emailAddressCount": 1,
    "containerCount": 1,
    "cloudIdentityCount": 1,
    "entities": [
      {
        "entityType": "account",
        "entityValue": "shockwave\\sam",
        "entityId": "shockwave\\sam",
        "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ],
        "relatedIndicatorIds": [],
        "provenance": [ "Alert" ]
      },
      {
        "entityType": "host",
        "entityValue": { "guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", "name": "nimda", "ips": [ "10.10.58.51" ] },
        "entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
        "managementScopeGroupId": "deadbeef-292e-42ae-86be-d2fef483a248",
        "managementScopeInstanceId": "1babc299-52de-44f4-a1d2-8a224f391eee",
        "managementScopePartitionKey": "4c1850c0-8a2a-4637-9f88-6afbab54dd79",
        "relatedEntities": [ "shockwave\\sam" ],
        "relatedIndicatorIds": [ 1, 2, 3, 4, 5, 6, 7, 8 ],
        "provenance": [ "Alert" ]
      },
      {
        "entityType": "emailAddress",
        "entityValue": "support@pctutordetroit.com",
        "entityId": "SUPPORT@PCTUTORDETROIT.COM",
        "relatedEntities": [],
        "relatedIndicatorIds": [],
        "provenance": [ "Alert" ]
      },
      {
        "entityType": "container",
        "entityValue": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0",
        "entityId": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496",
        "relatedEntities": [],
        "relatedIndicatorIds": [],
        "provenance": [ "Alert" ]
      },
      {
        "entityType": "cloudIdentity",
        "entityValue": "arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung",
        "entityId": "arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung",
        "relatedEntities": [],
        "relatedIndicatorIds": [],
        "provenance": [ "Alert" ]
      }
    ]
  },
  "description": "A user bypassed User Account Control (UAC) to gain higher-level permissions.",
  "matchedRules": [
    {
      "id": "25d96e5d-cb69-4935-ae27-43cc0cdca1cc",
      "name": "(T1088) Bypass UAC via shell open registry",
      "matchedFilters": [
        {
          "id": "ac200e74-8309-463e-ad6b-a4c16a3a377f",
          "name": "Bypass UAC Via Shell Open Default Registry",
          "matchedDateTime": "2022-09-05T03:53:49.802Z",
          "mitreTechniqueIds": [ "T1112", "V9.T1112", "V9.T1548.002" ],
          "matchedEvents": [
            { "uuid": "a32599b7-c0c9-45ed-97bf-f2be7679fb00", "matchedDateTime": "2022-09-05T03:53:49.802Z", "type": "TELEMETRY_REGISTRY" }
          ]
        },
        {
          "id": "857b6396-da29-44a8-bc11-25298e646795",
          "name": "Bypass UAC Via Shell Open Registry",
          "matchedDateTime": "2022-09-05T03:53:49.802Z",
          "mitreTechniqueIds": [ "T1112", "T1088", "V9.T1112", "V9.T1548.002" ],
          "matchedEvents": [
            { "uuid": "4c456bbb-2dfc-40a5-b298-799a0ccefc01", "matchedDateTime": "2022-09-05T03:53:49.802Z", "type": "TELEMETRY_REGISTRY" }
          ]
        }
      ]
    }
  ],
  "indicators": [
    {
      "id": 1,
      "type": "command_line",
      "field": "processCmd",
      "value": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint",
      "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ],
      "filterIds": [ "ac200e74-8309-463e-ad6b-a4c16a3a377f" ],
      "provenance": [ "Alert" ]
    },
    {
      "id": 2,
      "type": "command_line",
      "field": "parentCmd",
      "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; ",
      "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ],
      "filterIds": [ "ac200e74-8309-463e-ad6b-a4c16a3a377f" ],
      "provenance": [ "Alert" ]
    },
    {
      "id": 3,
      "type": "command_line",
      "field": "processCmd",
      "value": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint",
      "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ],
      "filterIds": [ "857b6396-da29-44a8-bc11-25298e646795" ],
      "provenance": [ "Alert" ]
    },
    {
      "id": 4,
      "type": "command_line",
      "field": "parentCmd",
      "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; ",
      "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ],
      "filterIds": [ "857b6396-da29-44a8-bc11-25298e646795" ],
      "provenance": [ "Alert" ]
    },
    {
      "id": 5,
      "type": "registry_key",
      "field": "objectRegistryKeyHandle",
      "value": "hkcr\\ms-settings\\shell\\open\\command",
      "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ],
      "filterIds": [ "ac200e74-8309-463e-ad6b-a4c16a3a377f" ],
      "provenance": [ "Alert" ]
    },
    {
      "id": 6,
      "type": "registry_key",
      "field": "objectRegistryKeyHandle",
      "value": "hkcr\\ms-settings\\shell\\open\\command",
      "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ],
      "filterIds": [ "857b6396-da29-44a8-bc11-25298e646795" ],
      "provenance": [ "Alert" ]
    },
    {
      "id": 7,
      "type": "registry_value",
      "field": "objectRegistryValue",
      "value": "delegateexecute",
      "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ],
      "filterIds": [ "857b6396-da29-44a8-bc11-25298e646795" ],
      "provenance": [ "Alert" ]
    },
    {
      "id": 8,
      "type": "registry_value_data",
      "field": "objectRegistryData",
      "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x",
      "relatedEntities": [ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" ],
      "filterIds": [ "ac200e74-8309-463e-ad6b-a4c16a3a377f" ],
      "provenance": [ "Alert" ]
    }
  ]
}
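The keys and values in a Workbench Alert are what you search on in Log Search, so it helps to know which fields carry the triage-relevant data. The following is an added example, not code from Rapid7 or Trend Micro: a Python script that flattens one raw log line of the shape shown above into the alert id, severity, score, MITRE ATT&CK technique IDs, affected hosts and accounts, and indicators grouped by type. The embedded alert is a constructed, trimmed copy of the page's sample log (same keys, fewer entries); the treatment of the `V9.` prefix on technique IDs as a version tag to be stripped is an assumption.

```python
"""Added example: summarise a Trend Vision One Workbench Alert (the JSON shape in the
sample log above) into the keys an analyst queries in Log Search."""
import json
from collections import defaultdict

# Constructed sample: a trimmed copy of the page's sample alert (same keys, fewer entries).
SAMPLE_ALERT = json.dumps({
    "id": "WB-9002-20220906-00022",
    "investigationStatus": "New",
    "status": "Open",
    "model": "Privilege Escalation via UAC Bypass",
    "score": 64,
    "severity": "high",
    "impactScope": {
        "desktopCount": 1, "serverCount": 0, "accountCount": 1,
        "entities": [
            {"entityType": "account", "entityValue": "shockwave\\sam",
             "entityId": "shockwave\\sam"},
            {"entityType": "host",
             "entityValue": {"guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
                             "name": "nimda", "ips": ["10.10.58.51"]},
             "entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E"},
        ],
    },
    "matchedRules": [{
        "name": "(T1088) Bypass UAC via shell open registry",
        "matchedFilters": [
            {"id": "ac200e74-8309-463e-ad6b-a4c16a3a377f",
             "mitreTechniqueIds": ["T1112", "V9.T1112", "V9.T1548.002"]},
            {"id": "857b6396-da29-44a8-bc11-25298e646795",
             "mitreTechniqueIds": ["T1112", "T1088", "V9.T1112", "V9.T1548.002"]},
        ],
    }],
    "indicators": [
        {"id": 1, "type": "command_line", "field": "processCmd",
         "value": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint",
         "filterIds": ["ac200e74-8309-463e-ad6b-a4c16a3a377f"]},
        {"id": 5, "type": "registry_key", "field": "objectRegistryKeyHandle",
         "value": "hkcr\\ms-settings\\shell\\open\\command",
         "filterIds": ["ac200e74-8309-463e-ad6b-a4c16a3a377f"]},
        {"id": 7, "type": "registry_value", "field": "objectRegistryValue",
         "value": "delegateexecute",
         "filterIds": ["857b6396-da29-44a8-bc11-25298e646795"]},
    ],
})


def mitre_techniques(alert):
    """Unique ATT&CK technique IDs across every matched filter. The 'V9.' prefix is
    assumed to be an ATT&CK version tag and is stripped so both spellings collapse."""
    ids = set()
    for rule in alert.get("matchedRules", []):
        for flt in rule.get("matchedFilters", []):
            for tid in flt.get("mitreTechniqueIds", []):
                ids.add(tid[3:] if tid.startswith("V9.") else tid)
    return sorted(ids)


def entities_of(alert, entity_type):
    """Entities of one type from impactScope; note that host values are nested objects."""
    return [e for e in alert.get("impactScope", {}).get("entities", [])
            if e.get("entityType") == entity_type]


def indicators_by_type(alert):
    """Group indicator values by type (command_line, registry_key, ...), dropping
    duplicates that differ only in which filter raised them."""
    grouped = defaultdict(list)
    for ind in alert.get("indicators", []):
        if ind["value"] not in grouped[ind["type"]]:
            grouped[ind["type"]].append(ind["value"])
    return dict(grouped)


def triage_summary(raw_log):
    """Flatten one raw log line into the fields worth putting in a Log Search query."""
    alert = json.loads(raw_log)
    hosts = [{"name": h["entityValue"].get("name"), "guid": h["entityValue"].get("guid"),
              "ips": list(h["entityValue"].get("ips", []))}
             for h in entities_of(alert, "host")]
    return {
        "id": alert["id"],
        "severity": alert.get("severity"),
        "score": alert.get("score"),
        "model": alert.get("model"),
        # Open alerts nobody has started investigating are the ones to queue first.
        "open_and_new": alert.get("status") == "Open"
                        and alert.get("investigationStatus") == "New",
        "techniques": mitre_techniques(alert),
        "hosts": hosts,
        "accounts": [a["entityValue"] for a in entities_of(alert, "account")],
        "indicators": indicators_by_type(alert),
    }


if __name__ == "__main__":
    print(json.dumps(triage_summary(SAMPLE_ALERT), indent=2))
```

Run it against a line copied from the Raw Logs modal in place of `SAMPLE_ALERT`; the same functions work on the full sample above because they read only the `impactScope`, `matchedRules` and `indicators` keys and ignore the rest.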