Trend Micro AV¶
About¶
Trend Micro Inc. is an American-Japanese multinational cyber security software company with global headquarters in Tokyo, Japan and Irving, Texas, United States, with regional headquarters and R&D centers in Asia, Europe, and North America.
Product Details¶
Vendor URL: Trend Micro EDR
Product Type: EDR
Product Tier: Tier I
Integration Method: JSON, SYSLOG
Integration URL: Trend Micro Endpoint Sensor Integration and Policy Settings
Log Guide: Trend Micro EDR Log Sample and Mapping
Parser Details¶
Log Format: JSON + SYSLOG
Expected Normalization Rate: 90%
Data Label: TRENDMICRO_EDR
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
actiontaken | security_result.summary |
ccurl | target.url |
ccurl | network.http.referral_url |
Domain | principal.administrative_domain |
dst | target.application |
dst | target.ip |
dst | target.hostname |
dstemail | target.email |
dstip | target.ip |
dstuser | target.user.userid |
grayware | security_result.rule_name |
metadata.description | metadata.event_type |
observer | observer.ip |
observer | observer.hostname |
observer | principal.hostname |
policyRule | security_result.rule_name |
Process | principal.process.file.full_path |
productcode | security_result.rule_name |
reputationscore | security_result.description |
request | target.url |
result | security_result.summary |
result | metadata.product_event_type |
ScanMethod | security_result.description |
security_result_action | security_result.action |
src | principal.ip |
src | principal.hostname |
srcip | principal.ip |
suser | principal.user.userid |
targetfile | target.file.full_path |
Product Event Types¶
Event | UDM Event Classification |
---|---|
[result] == "User Signed In" | USER_LOGIN |
[result] =~ "EVT_URL_CONTENT_FILTERING|SLF_INCIDENT_EVT_CCCA" | NETWORK_HTTP |
[result] =~ "SLF_INCIDENT_EVT_GRAYWARE_FOUND_QUARANTINE_SUCCESS|SLF_INCIDENT_EVT_GRAYWARE_FOUND_CLEAN_SUCCESS|EVT_UNKNOWN" | SCAN_FILE |
Log Sample¶
<133>Jan 31 2023 20:41:30 abcdef.domain.trendmicro.com CEF:0|Trend Micro|Company Central|2019|123456|Pattern Update Status|3|rt=Jan 31 2023 15:09:50 GMT+00:00 shost=ABC12345 cs1Label=Operating_System cs1=Windows 10 cs2Label=Product/Endpoint_IP cs2=10.10.10.1 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=New Town cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1234567890 cs5Label=Pattern/Rule_Version cs5=1.12.123 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Company msg=Global C&C IP List CompanyCentralHost=Company Central as a Service deviceNtDomain=COMPANY dntdom=New Town\\
Sample Parsing¶
metadata.event_timestamp.seconds = 1675177790
metadata.event_timestamp.nanos = 0
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Trend Micro"
metadata.product_name = "Company Central"
metadata.product_event_type = "Pattern Update Status"
metadata.description = "Global"
additional.fields["Update_Agent"] = "0"
additional.fields["Product/Endpoint_IP"] = "10.10.10.1"
additional.fields["Pattern/Rule_Version"] = "1.12.123"
additional.fields["Domain"] = "New Town"
additional.fields["Operating_System"] = "Windows 10"
principal.hostname = "ABC12345"
principal.asset.hostname = "ABC12345"
observer.hostname = "abcdef.domain.trendmicro.com"
security_result.rule_name = "123456"
security_result.summary = "Pattern Update Status"
security_result.severity = "LOW"
Parser Alerting¶
This product currently does not have any Parser-based Alerting