Connect this data source on your own, using the Hunters platform.
TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Deep Security Logs | ✅ | | | | trendmicro_deep_security | CEF | S3 |
| Vision One XDR | ✅ | | | | trendmicro_vision_one_xdr | JSON | API |
Overview
Trend Micro Deep Security is a comprehensive security solution designed to protect physical, virtual, cloud, and container environments. It offers a robust set of features including anti-malware, intrusion detection and prevention, firewall, integrity monitoring, and log inspection. By leveraging a unified security platform, Deep Security helps organizations ensure compliance, prevent data breaches, and reduce the complexity of managing multiple security tools. Its advanced capabilities, such as automated deployment and seamless integration with leading cloud service providers like AWS, Azure, and Google Cloud, enable efficient and effective protection of workloads across diverse IT environments.
Supported data types
Deep Security Logs
Table name: trendmicro_deep_security
Trend Micro Deep Security logs provide detailed records of security-related events across protected environments, including physical, virtual, cloud, and container infrastructures. These logs capture crucial information such as detected threats, intrusion attempts, firewall activities, system changes, and compliance status, enabling comprehensive monitoring and analysis.
Send data to Hunters
Hunters ingests Trend Micro Deep Security logs from an intermediary AWS S3 bucket.
Follow this guide to forward the logs from Deep Security Manager to a syslog server in CEF format.
Once the forwarding is in place and the logs are being written to S3, follow the steps in this section to connect the bucket to Hunters.
Vision One XDR
Table name: trendmicro_vision_one_xdr
Trend Micro Vision One XDR logs provide comprehensive detection and response records across extended security environments, including endpoints, networks, email, servers, and cloud workloads. These logs capture workbench alerts with detailed investigation workflows, detection model triggers, threat scoring, impact assessments, and incident correlation, enabling unified threat detection, investigation tracking, and coordinated response across the entire attack surface.
Send data to Hunters
Hunters ingests Trend Micro Vision One XDR logs through an API integration.
Obtain authentication tokens
Generate an authentication token (API key) in the Trend Vision One™ console to access the APIs.
On the Trend Vision One™ console, go to Administration > API Keys.
Click Add API key.
Specify the settings of the new API key.
Tip: Apply the principle of least privilege when configuring API keys: assign a role with only the permissions the Hunters integration needs, and set an expiration date rather than relying on the default.
Name: A meaningful name that helps you identify the API key (example: Hunters_API_Key).
Role: The user role assigned to the key. API keys can use either predefined or custom user roles.
Expiration time: The time the API key remains valid. By default, authentication tokens expire one year after creation. A master administrator can delete and regenerate tokens at any time.
Status: Whether the API key is enabled.
Details: Extra information about the API key.
Click Add.
Proceed with the onboarding on the SSI page of the Hunters platform. You will also need to provide the API endpoint for your Vision One region; it must match the region in which your Vision One tenant is hosted, for example:
https://api.eu.xdr.trendmicro.com/
Expected format - Deep Security Logs
Logs are expected in CEF format.
<46>Mar 28 01:50:00 cipdsmwapaeuw01 CEF:0|Trend Micro|Deep Security Manager|20.0.864|710|Events Retrieved|3|suser=System target=a.b.com msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0
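The line above is a CEF event wrapped in an RFC 3164 syslog header. The following parser is an added example, not Hunters or Trend Micro code; it splits the syslog prefix, the seven pipe-delimited CEF header fields (honouring the `\|` and `\\` escapes) and the `key=value` extension (honouring `\=`, `\n`, `\r`), and maps the CEF severity to the bands defined in the CEF specification. The `SAMPLE` line is constructed to match the shape of the page's example; field names such as `device_product` and `signature_id` are this example's own choice, not Hunters column names.

```python
"""Parse syslog-wrapped CEF events as forwarded by Deep Security Manager.

Added example, not Hunters or Trend Micro code. SAMPLE is a constructed line
with the same shape as the one shown on the page.
"""
import re

SAMPLE = (
    "<46>Mar 28 01:50:00 cipdsmwapaeuw01 CEF:0|Trend Micro|Deep Security Manager|"
    "20.0.864|710|Events Retrieved|3|suser=System target=a.b.com "
    "msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0"
)

# Names for the seven CEF header fields (this example's naming, not Hunters').
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Optional RFC 3164 prefix: <PRI>, timestamp, hostname, then the CEF payload.
_SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"(?P<cef>CEF:.*)$", re.S)

# An extension key is a run of word chars followed by "=" at the start of the
# extension or after whitespace; an escaped "\=" inside a value never starts a key.
_EXT_KEY_RE = re.compile(r"(?:^|\s)([\w.]+)=")

_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def _split_header(body):
    """Split the seven pipe-delimited header fields; "\\|" is a literal pipe."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # \| or \\ inside a header field
            cur.append(body[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    return fields, body[i:]          # remainder is the extension


def _unescape_ext(value):
    return re.sub(r"\\([=\\nr])", lambda m: _EXT_ESCAPES[m.group(1)], value)


def _parse_extension(ext):
    """Values run from after '=' up to the next key; they may contain spaces."""
    keys = list(_EXT_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def cef_severity_label(sev):
    """CEF severity 0-10 mapped to the spec's bands."""
    n = int(sev)
    if n <= 3:
        return "Low"
    if n <= 6:
        return "Medium"
    if n <= 8:
        return "High"
    return "Very-High"


def parse_deep_security_cef(line):
    """Return a dict with syslog metadata, CEF header fields and extension."""
    m = _SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a CEF line")
    header, ext = _split_header(m.group("cef")[len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, header))
    event["severity_label"] = cef_severity_label(event["severity"])
    if m.group("pri") is not None:
        # PRI = facility * 8 + severity (RFC 3164)
        event["syslog_facility"], event["syslog_severity"] = divmod(int(m.group("pri")), 8)
        event["syslog_timestamp"], event["syslog_host"] = m.group("ts"), m.group("host")
    event["extension"] = _parse_extension(ext)
    return event


if __name__ == "__main__":
    import json
    print(json.dumps(parse_deep_security_cef(SAMPLE), indent=2))
```

Run it against a few lines pulled from the S3 bucket before onboarding: a line that raises `ValueError` here (fewer than seven header fields, or no `CEF:` marker) usually means the syslog forwarder is truncating or wrapping messages, which is worth fixing at the source rather than in the parser.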
Expected format - Vision One XDR
Logs are expected in JSON format.
{"schemaVersion": "1.21", "id": "WB-12345-20240115-00001", "investigationStatus": "In Progress", "status": "New", "investigationResult": "Benign", "workbenchLink": "https://portal.xdr.trendmicro.com/workbench/alerts/WB-12345-20240115-00001", "alertProvider": "SAE", "modelId": "aaaaaaaa-1111-2222-3333-aaaaaaaaaaaa", "model": "Suspicious Script Activity", "modelType": "preset", "score": 45, "severity": "medium", "createdDateTime": "2024-01-15T10:30:00Z", "updatedDateTime": "2024-01-15T11:00:00Z", "firstInvestigatedDateTime": "2024-01-15T10:45:00Z", "ownerIds": ["analyst1", "analyst2"], "incidentId": "IC-12345-20240115-00001", "impactScope": {"desktopCount": 1, "serverCount": 0, "accountCount": 1, "emailAddressCount": 0, "containerCount": 0, "cloudIdentityCount": 0, "cloudWorkloadCount": 0}, "description": "Detected suspicious script activity on endpoint.", "matchedRules": [], "indicators": []}
{"schemaVersion": "1.21", "id": "WB-12345-20240115-00002", "investigationStatus": "Closed", "status": "Resolved", "investigationResult": "False Positive", "workbenchLink": "https://portal.xdr.trendmicro.com/workbench/alerts/WB-12345-20240115-00002", "alertProvider": "SAE", "modelId": "bbbbbbbb-2222-3333-4444-bbbbbbbbbbbb", "model": "Network Anomaly Detected", "modelType": "custom", "score": 30, "severity": "low", "createdDateTime": "2024-01-15T09:15:00Z", "updatedDateTime": "2024-01-15T10:30:00Z", "ownerIds": [], "incidentId": "IC-12345-20240115-00002", "impactScope": {"desktopCount": 0, "serverCount": 1, "accountCount": 2, "emailAddressCount": 1, "containerCount": 0, "cloudIdentityCount": 0, "cloudWorkloadCount": 0}, "description": "Network traffic pattern anomaly detected.", "matchedRules": [], "indicators": []}