# Trend Micro AV

## About
Trend Micro Inc. is an American-Japanese multinational cyber security software company with global headquarters in Tokyo, Japan and Irving, Texas, United States, with regional headquarters and R&D centers in Asia, Europe, and North America.
## Product Details
Vendor URL: Trend Micro Cloud SaaS Application Security Solutions
Product Type: Email
Product Tier: Tier I
Integration Method: JSON
Integration URL: Cloud App Security Online
Log Guide: Trend Micro Cloud App Security
## Parser Details
Log Format: JSON
Expected Normalization Rate: 80-100%
Data Label: TRENDMICRO_CLOUDAPPSECURITY
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field | UDM Event Type |
---|---|---|
vendor | metadata.vendor_name | All |
product | metadata.product_name | All |
GENERIC_EVENT, SCAN_FILE, SCAN_UNCATEGORIZED | metadata.product_event_type | All |
log_item_id | additional.log_item_id | If Available |
file_sha1 | target.file.sha1 | If Available |
file_sha256 | target.file.sha256 | If Available |
location, mail_message_file_name | target.file.full_path | If Available |
service | principal.application | If Available |
mail_message_subject | network.email.subject | If Available |
mail_message_id | network.email.mail_id | If Available |
mail_message_recipient | network.email.to | If Available |
mail_message_sender | network.email.from | If Available |
detection_time | extensions.vulns.vulnerabilities.scan_end_time | If Available |
mail_message_delivery_time | additional.mail_message_delivery_time | If Available |
mail_message_submit_time | extensions.vulns.vulnerabilities.scan_start_time | If Available |
src, shost, service | principal.hostname | If Available |
src, shost, service | principal.ip | If Available |
dst, dhost | target.hostname | If Available |
dst, dhost | target.ip | If Available |
risk_level | security_result.severity_detail | If Available |
triggered_policy_name | security_result.rule_name | If Available |
security_risk_name | security_result.threat_name | If Available |
securitycategory | security_result.category | If Available |
detected_by | security_result.rule_id | If Available |
scan_type | security_result.summary | If Available |
triggered_security_filter | security_result.description | If Available |
suser | principal.user.userid | If Available |
request | target.url | If Available |
LOW, MEDIUM, HIGH | security_result.severity | If Available |
observer | observer.hostname | If Available |
observer | observer.ip | If Available |
ALLOW, BLOCK, QUARANTINE | security_result.action | If Available |
## Product Event Types
Description | metadata.event_type |
---|---|
Default | GENERIC_EVENT |
Malware Scanning | SCAN_FILE |
Web Reputation | SCAN_UNCATEGORIZED |
## Log Sample

```json
{"log_item_id":"logid","service":"Exchange Online","event":"security_risk_scan","message":{"mail_message_file_name":"NOTE.pdf","detection_time":"2021-11-03T18:26:09.000Z","action_result":"success","mail_message_sender":"\"john1 doe\"\u003cjohn1.doe@company.com\u003e","mail_message_recipient":["\"John Doe\"\u003cjohn.doe@company.com\u003e"],"file_sha1":"sha1","scan_type":"Real-time scan","affected_user":"john.doe@company.com","action":"Pass","file_sha256":"sha256","risk_level":"","location":"john.doe@company.com\\Inbox","mail_message_submit_time":"2021-11-03T18:26:05.000Z","mail_message_subject":"FW: NOTE, subject","mail_message_delivery_time":"2021-11-03T18:26:04.000Z","security_risk_name":"Malware: Other protected file","detected_by":"Pattern-based scanning","triggered_policy_name":"Production Policy","triggered_security_filter":"Malware Scanning","mail_message_id":"\u003cid.hostname.prod.domain.com\u003e"}}
```
## Sample Parsing

```
metadata.event_timestamp = "2021-11-03T18:26:09Z"
metadata.event_type = "SCAN_FILE"
metadata.vendor_name = "Trend Micro"
metadata.product_name = "Cloud App Security"
metadata.product_event_type = "security_risk_scan"
metadata.ingested_timestamp = "2021-11-03T18:41:21.105434Z"
additional.log_item_id = "logid"
additional.mail_message_delivery_time = "2021-11-03T18:26:04.000Z"
principal.hostname = "Exchange Online"
principal.user.userid = "john.doe@company.com"
principal.application = "Exchange Online"
principal.asset.hostname = "exchange online"
target.file.sha256 = "sha256"
target.file.sha1 = "sha1"
target.file.full_path = "john.doe@company.com\Inbox\NOTE.pdf"
observer.hostname = "Trend Micro Cloud App Security"
security_result.threat_name = "Malware: Other protected file"
security_result.rule_name = "Production Policy"
security_result.summary = "Real-time scan"
security_result.description = "Malware Scanning"
security_result.rule_id = "Pattern-based scanning"
network.email.from = ""john1 doe"<john1.doe@company.com>"
network.email.to = ""john doe"<john.doe@company.com>"
network.email.mail_id = "id.hostname.prod.domain.com"
network.email.subject = "FW: NOTE, subject"
extensions.vulns.vulnerabilities.scan_start_time = "2021-11-03T18:26:05Z"
extensions.vulns.vulnerabilities.scan_end_time = "2021-11-03T18:26:09Z"
```
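As an added example (not the vendor's or the parser's own code), the Python below applies the UDM Fields and Product Event Types tables to an abridged copy of the Log Sample and reproduces the Sample Parsing output, including the GENERIC_EVENT fallback and the "If Available" handling of empty fields. The accepted `risk_level` spellings, the use of `affected_user` as the source of `principal.user.userid`, and the stripping of angle brackets from `mail_message_id` are assumptions inferred from the sample.

```python
import json
from datetime import datetime
# Constructed input: the page's Log Sample, abridged, with its escape sequences corrected
# (\u003c and \u003e are the JSON escapes for '<' and '>'). Not live telemetry.
SAMPLE_LOG = r'''{"log_item_id":"logid","service":"Exchange Online","event":"security_risk_scan",
"message":{"mail_message_file_name":"NOTE.pdf","detection_time":"2021-11-03T18:26:09.000Z",
"mail_message_sender":"\"john1 doe\"\u003cjohn1.doe@company.com\u003e","file_sha1":"sha1",
"mail_message_recipient":["\"John Doe\"\u003cjohn.doe@company.com\u003e"],"action":"Pass",
"scan_type":"Real-time scan","affected_user":"john.doe@company.com","risk_level":"",
"location":"john.doe@company.com\\Inbox","mail_message_submit_time":"2021-11-03T18:26:05.000Z",
"security_risk_name":"Malware: Other protected file","detected_by":"Pattern-based scanning",
"triggered_policy_name":"Production Policy","triggered_security_filter":"Malware Scanning",
"mail_message_id":"\u003cid.hostname.prod.domain.com\u003e"}}'''
# Product Event Types table; anything else falls back to GENERIC_EVENT.
EVENT_TYPES = {"Malware Scanning": "SCAN_FILE", "Web Reputation": "SCAN_UNCATEGORIZED"}
SEVERITIES = {"low": "LOW", "medium": "MEDIUM", "high": "HIGH"}  # assumed risk_level spellings
# Straight copies out of the "message" object (UDM Fields table); absent source -> field skipped.
COPY_FIELDS = {
    "file_sha1": "target.file.sha1", "file_sha256": "target.file.sha256",
    "mail_message_sender": "network.email.from", "mail_message_recipient": "network.email.to",
    "mail_message_subject": "network.email.subject", "scan_type": "security_result.summary",
    "security_risk_name": "security_result.threat_name", "detected_by": "security_result.rule_id",
    "triggered_policy_name": "security_result.rule_name", "triggered_security_filter": "security_result.description",
    "affected_user": "principal.user.userid",  # assumed source of the sample's userid
}
TIME_FIELDS = [("detection_time", "metadata.event_timestamp"),
               ("detection_time", "extensions.vulns.vulnerabilities.scan_end_time"),
               ("mail_message_submit_time", "extensions.vulns.vulnerabilities.scan_start_time")]

def to_udm_time(ts):
    """'2021-11-03T18:26:09.000Z' -> '2021-11-03T18:26:09Z', as the Sample Parsing shows."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").strftime("%Y-%m-%dT%H:%M:%SZ")

def normalize(raw):
    """Map one Cloud App Security JSON record onto the UDM fields documented above."""
    rec = json.loads(raw)
    m = rec.get("message", {})
    udm = {"metadata.vendor_name": "Trend Micro", "metadata.product_name": "Cloud App Security",
           "observer.hostname": "Trend Micro Cloud App Security",
           "metadata.product_event_type": rec.get("event"), "additional.log_item_id": rec.get("log_item_id"),
           "metadata.event_type": EVENT_TYPES.get(m.get("triggered_security_filter"), "GENERIC_EVENT"),
           "principal.application": rec.get("service"), "principal.hostname": rec.get("service"),
           "security_result.severity": SEVERITIES.get((m.get("risk_level") or "").lower())}
    udm.update({dst: m[src] for src, dst in COPY_FIELDS.items() if m.get(src)})
    udm.update({dst: to_udm_time(m[src]) for src, dst in TIME_FIELDS if m.get(src)})
    if m.get("location") and m.get("mail_message_file_name"):  # folder + name -> full_path
        udm["target.file.full_path"] = m["location"] + "\\" + m["mail_message_file_name"]
    if m.get("mail_message_id"):  # angle brackets are RFC 5322 framing, not part of the ID
        udm["network.email.mail_id"] = m["mail_message_id"].strip("<>")
    return {k: v for k, v in udm.items() if v}  # "If Available": drop empty values
```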
## Parser Alerting

This product currently does not have any Parser-based Alerting.

## Rules

Coming soon.