Skip to content

Trend Micro AV

Trend Micro AV

About

Trend Micro Inc. is an American-Japanese multinational cyber security software company with global headquarters in Tokyo, Japan and Irving, Texas, United States, with regional headquarters and R&D centers in Asia, Europe, and North America.

Product Details

Vendor URL: Trend Micro EDR

Product Type: EDR

Product Tier: Tier I

Integration Method: JSON, SYSLOG

Integration URL: Trend Micro Endpoint Sensor Integration and Policy Settings

Log Guide: Trend Micro EDR Log Sample and Mapping

Parser Details

Log Format: JSON + SYSLOG

Expected Normalization Rate: 90%

Data Label: TRENDMICRO_EDR

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
actiontaken security_result.summary
ccurl target.url
ccurl network.http.referral_url
Domain principal.administrative_domain
dst target.application
dst target.ip
dst target.hostname
dstemail target.email
dstip target.ip
dstuser target.user.userid
grayware security_result.rule_name
metadata.description metadata.event_type
observer observer.ip
observer observer.hostname
observer principal.hostname
policyRule security_result.rule_name
Process principal.process.file.full_path
productcode security_result.rule_name
reputationscore security_result.description
request target.url
result security_result.summary
result metadata.product_event_type
ScanMethod security_result.description
security_result_action security_result.action
src principal.ip
src principal.hostname
srcip principal.ip
suser principal.user.userid
targetfile target.file.full_path

Product Event Types

Event UDM Event Classification
[result] == "User Signed In" USER_LOGIN
[result] =~ "EVT_URL_CONTENT_FILTERING|SLF_INCIDENT_EVT_CCCA" NETWORK_HTTP
[result] =~ "SLF_INCIDENT_EVT_GRAYWARE_FOUND_QUARANTINE_SUCCESS|SLF_INCIDENT_EVT_GRAYWARE_FOUND_CLEAN_SUCCESS|EVT_UNKNOWN" SCAN_FILE

Log Sample

<133>Jan 31 2023 20:41:30 abcdef.domain.trendmicro.com CEF:0|Trend Micro|Company Central|2019|123456|Pattern Update Status|3|rt=Jan 31 2023 15:09:50 GMT+00:00 shost=ABC12345 cs1Label=Operating_System cs1=Windows 10  cs2Label=Product/Endpoint_IP cs2=10.10.10.1 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=New Town cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=1234567890 cs5Label=Pattern/Rule_Version cs5=1.12.123 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Company msg=Global C&C IP List CompanyCentralHost=Company Central as a Service deviceNtDomain=COMPANY dntdom=New Town\\ 

Sample Parsing

metadata.event_timestamp.seconds = 1675177790
metadata.event_timestamp.nanos = 0
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Trend Micro"
metadata.product_name = "Company Central"
metadata.product_event_type = "Pattern Update Status"
metadata.description = "Global"
additional.fields["Update_Agent"] = "0"
additional.fields["Product/Endpoint_IP"] = "10.10.10.1"
additional.fields["Pattern/Rule_Version"] = "1.12.123"
additional.fields["Domain"] = "New Town"
additional.fields["Operating_System"] = "Windows 10"
principal.hostname = "ABC12345"
principal.asset.hostname = "ABC12345"
observer.hostname = "abcdef.domain.trendmicro.com"
security_result.rule_name = "123456"
security_result.summary = "Pattern Update Status"
security_result.severity = "LOW"

Parser Alerting

This product currently does not have any Parser-based Alerting