Add format for Trend Micro Vision One

Trend Micro/trend-micro-vision-one/CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]

Trend Micro/trend-micro-vision-one/_meta/fields.yml

@@ -0,0 +1,29 @@
+trendmicro.vision_one.alert_id:
+  description: ''
+  name: trendmicro.vision_one.alert_id
+  type: keyword
+
+trendmicro.vision_one.case_id:
+  description: ''
+  name: trendmicro.vision_one.case_id
+  type: keyword
+
+trendmicro.vision_one.incident_id:
+  description: ''
+  name: trendmicro.vision_one.incident_id
+  type: keyword
+
+trendmicro.vision_one.investigation_status:
+  description: ''
+  name: trendmicro.vision_one.investigation_status
+  type: keyword
+
+trendmicro.vision_one.severity:
+  description: ''
+  name: trendmicro.vision_one.severity
+  type: keyword
+
+trendmicro.vision_one.status:
+  description: ''
+  name: trendmicro.vision_one.status
+  type: keyword

Trend Micro/trend-micro-vision-one/_meta/manifest.yml

@@ -0,0 +1,11 @@
+uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e
+automation_connector_uuid: 7aa5dd7c-d694-44dd-b605-66b7974dfb05
+automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6
+name: Trend Micro Vision One [BETA]
+slug: trend-micro-vision-one
+
+description: >-
+  Trend Micro Vision One is an extended detection and response (XDR) platform that enhances threat detection, investigation, and response across multiple security layers. It provides a centralized view for improved security posture and faster threat remediation.
+
+data_sources:
+  Process monitoring:

Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json

@@ -0,0 +1,10 @@
+[
+  {
+    "value": "{event.reason} on {host.ip}",
+    "conditions": [{ "field": "event.reason" }, { "field": "host.ip" }]
+  },
+  {
+    "value": "{event.reason}",
+    "conditions": [{ "field": "event.reason" }]
+  }
+]

Trend Micro/trend-micro-vision-one/ingest/parser.yml

@@ -0,0 +1,91 @@
+name: trend-micro-vision-one
+ignored_values: []
+pipeline:
+  - name: parsed_event
+    external:
+      name: json.parse-json
+      properties:
+        input_field: "{{original.message}}"
+        output_field: message
+
+  - name: set_ecs_fields
+
+stages:
+  set_ecs_fields:
+    actions:
+      - set:
+          event.kind: alert
+          event.category: ["intrusion_detection"]
+          event.type: ["info"]
+          observer.vendor: "TrendMicro"
+          observer.product: "Vision One"
+
+          event.reason: "{{parsed_event.message.model}}"
+
+      - set:
+          "@timestamp": "{{parsed_event.message.createdDateTime}}"
+
+          host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.name }}"
+          host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.ips }}"
+
+          user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'emailAddress') | first).entityValue }}"
+          container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityValue }}"
+          container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityId }}"
+
+          rule.name: "{{parsed_event.message.model}}"
+          rule.id: "{{parsed_event.message.model.modelId}}"
+
+          event.url: "{{parsed_event.message.model.workbenchLink}}"
+
+      - set:
+          user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}"
+
+      - set:
+          user.name: "{{final.user.id.split('\\\\') | last}}"
+          user.domain: "{{final.user.id.split('\\\\') | first}}"
+        filter: "{{final.user.id != null}}"
+
+      - set:
+          process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}"
+          process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}"
+          process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}"
+          process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}"
+          process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}"
+          process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}"
+          process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}"
+
+      - set:
+          registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[0] }}"
+          registry.key: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}"
+          registry.value: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value') | first).value }}"
+          registry.path: >
+            {%- set path = [] -%}
+            {%- for indicator in parsed_event.message.indicators -%}
+              {%- if indicator.type == 'registry_key' -%}{%- set path = path.append(indicator.value) -%}{% endif %}
+            {%- endfor -%}
+            {%- for indicator in parsed_event.message.indicators -%}
+              {%- if indicator.type == 'registry_value' -%}{%- set path = path.append(indicator.value) -%}{% endif %}
+            {%- endfor -%}
+            {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%}
+
+          registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value_data') | first).value }}"
+
+      - set:
+          registry.data.type: "REG_SZ"
+        filter: "{{final.registry.data.strings != null }}"
+
+      - set:
+          file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha1') | first).value }}"
+          file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha256') | first).value }}"
+          file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFilePath') | first).value or (parsed_event.message.indicators | selectattr('field', 'equalto', 'filePath') | first).value}}"
+          file.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'fileName') | first).value }}"
+
+          user.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'logonUser') | first).value }}"
+
+      - set:
+          trendmicro.vision_one.severity: "{{parsed_event.message.severity}}"
+          trendmicro.vision_one.incident_id: "{{parsed_event.message.incidentId}}"
+          trendmicro.vision_one.case_id: "{{parsed_event.message.caseId}}"
+          trendmicro.vision_one.alert_id: "{{parsed_event.message.id}}"
+          trendmicro.vision_one.status: "{{parsed_event.message.status}}"
+          trendmicro.vision_one.investigation_status: "{{parsed_event.message.investigationStatus}}"

Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json

@@ -0,0 +1,72 @@
+{
+  "input": {
+    "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}"
+  },
+  "expected": {
+    "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}",
+    "event": {
+      "category": [
+        "intrusion_detection"
+      ],
+      "kind": "alert",
+      "reason": "Internal Network Scanner",
+      "type": [
+        "info"
+      ]
+    },
+    "@timestamp": "2024-07-23T14:46:11Z",
+    "file": {
+      "directory": "C:\\Users\\doe.john\\Downloads",
+      "hash": {
+        "sha256": "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1"
+      },
+      "name": "Advanced_IP_Scanner_2.5.4594.1.exe",
+      "path": "C:\\Users\\doe.john\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe"
+    },
+    "host": {
+      "ip": [
+        "1.2.3.4"
+      ],
+      "name": "doe10"
+    },
+    "observer": {
+      "product": "Vision One",
+      "vendor": "TrendMicro"
+    },
+    "process": {
+      "command_line": "C:\\WINDOWS\\Explorer.EXE",
+      "executable": "C:\\Windows\\explorer.exe",
+      "hash": {
+        "sha256": "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631"
+      }
+    },
+    "related": {
+      "hash": [
+        "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631",
+        "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1"
+      ],
+      "ip": [
+        "1.2.3.4"
+      ],
+      "user": [
+        "doe"
+      ]
+    },
+    "rule": {
+      "name": "Internal Network Scanner"
+    },
+    "trendmicro": {
+      "vision_one": {
+        "alert_id": "WB-11111-22222222-00000",
+        "investigation_status": "New",
+        "severity": "low",
+        "status": "Open"
+      }
+    },
+    "user": {
+      "domain": "john",
+      "id": "john\\doe",
+      "name": "doe"
+    }
+  }
+}