Trend Micro Vision One
Version | 1.25.1 |
---|---|
Compatible Kibana version(s) | 8.13.0 or higher |
Supported Serverless project types | Security |
Subscription level | Basic |
Level of support | Elastic |
Overview

The Trend Micro Vision One integration allows you to monitor Alert, Audit, and Detection activity. Trend Micro Vision One is Trend Micro's XDR platform: it provides detection and response across email, endpoints, servers, cloud workloads, and networks, either as a single self-operated Trend Micro Vision One platform or as the managed Trend Micro Vision One service.

Use the Trend Micro Vision One integration to collect and parse data from the Trend Micro Vision One REST APIs, then visualize that data in Kibana.
Data streams

The Trend Micro Vision One integration collects logs for three types of events: Alert, Audit, and Detection.

- Alert: Workbench alerts. See the Trend Micro Vision One API reference for details: https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/1v3.01workbench~1alerts/get
- Audit: Audit log entries that match the specified search criteria. See the Trend Micro Vision One API reference for details.
- Detection: Search results from the Detection data source. See the Trend Micro Vision One API reference for details: https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/1v3.01search~1detections/get
Requirements

You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.

This module has been tested against Trend Micro Vision One API version 3.0.

The authentication token generated by a user expires one year after it is generated, so plan for key rotation before that date.
Setup

To collect data from the Trend Micro Vision One APIs, the user must have an API key (authentication token). To create an API key, follow these steps:

- Log on to the Trend Micro Vision One console.
- Go to Administration → API Keys.
- Click Add API key and specify the settings of the new API key:
  - Name: A meaningful name that helps you identify the API key.
  - Role: The user role assigned to the key. API keys can use either predefined or custom user roles. Custom roles can be created under Administration → User Roles → Add Role. The role must have the API access permissions needed to fetch the relevant data. The following table lists the app permissions each data stream needs:

    Data stream | App | Permissions |
    ---|---|---|
    Alert | Workbench | View, filter, and search |
    Audit | Audit Logs | View, filter, and search; Export and Download |
    Detection | Search | View, filter, and search |

    Refer to Account Role Permissions for more details. Use a dedicated role that grants only these permissions: the key is a long-lived bearer credential (valid for up to a year by default) and should be stored and handled as a secret.
  - Expiration time: How long the API key remains valid. By default, authentication tokens expire one year after creation; a master administrator can delete and regenerate tokens at any time.
  - Status: Whether the API key is enabled.
  - Details: Extra information about the API key.
- Click Add.
- Copy the authentication token.

Refer to Obtain authentication tokens for more details on setting up an API key.
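The collection loop the integration performs against these APIs, written out as an added Python example (this is not code from the Elastic integration or from Trend Micro). It sends the API key as a bearer token, requests one time window per data stream, and follows `nextLink` pagination. Assumptions not stated on this page: the regional base URL `https://api.xdr.trendmicro.com`, the audit endpoint path `/v3.0/audit/logs`, the query parameter names `startDateTime`/`endDateTime`/`top`, and the `{"items": [...], "nextLink": "..."}` page shape; the alert and detection paths follow the API reference linked in the Data streams section. `FakeTransport` and the pages it serves are constructed so the example runs offline.

```python
"""Poll the Trend Micro Vision One v3 REST API with an API key (added example)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

BASE_URL = "https://api.xdr.trendmicro.com"  # assumption: use your region's API host

ENDPOINTS = {
    "alert": "/v3.0/workbench/alerts",
    "audit": "/v3.0/audit/logs",            # assumption: path not shown on this page
    "detection": "/v3.0/search/detections",
}


def build_request(token: str, url: str) -> urllib.request.Request:
    """The API key is a bearer credential: send it only in the Authorization
    header, never in the URL, so it does not end up in proxy or access logs."""
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )


def urllib_transport(req: urllib.request.Request) -> dict:
    """Real HTTP transport; the demo swaps in FakeTransport so nothing leaves the host."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_stream(token, stream, start, end, transport=urllib_transport, max_pages=100):
    """Collect every item of one data stream in [start, end], following nextLink
    until the server stops returning one. max_pages bounds a misbehaving server."""
    params = {
        "startDateTime": start.strftime("%Y-%m-%dT%H:%M:%SZ"),  # assumption: parameter names
        "endDateTime": end.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "top": 200,
    }
    url = f"{BASE_URL}{ENDPOINTS[stream]}?{urllib.parse.urlencode(params)}"
    items = []
    for _ in range(max_pages):
        page = transport(build_request(token, url))
        items.extend(page.get("items", []))
        url = page.get("nextLink")  # assumption: page shape
        if not url:
            return items
    raise RuntimeError(f"{stream}: pagination did not terminate after {max_pages} pages")


class FakeTransport:
    """Offline stand-in for the API: serves constructed pages in order and records
    every request so the auth header and paging behaviour can be checked."""

    def __init__(self, pages):
        self.pages = list(pages)
        self.requests = []

    def __call__(self, req):
        self.requests.append(req)
        return self.pages.pop(0)


def demo():
    # Constructed sample: two alert pages; the second carries no nextLink.
    pages = [
        {"items": [{"id": "WB-0001", "severity": "high"},
                   {"id": "WB-0002", "severity": "low"}],
         "nextLink": BASE_URL + ENDPOINTS["alert"] + "?skipToken=abc"},
        {"items": [{"id": "WB-0003", "severity": "critical"}]},
    ]
    fake = FakeTransport(pages)
    end = datetime(2024, 6, 12, tzinfo=timezone.utc)
    items = fetch_stream("EXAMPLE_TOKEN", "alert", end - timedelta(hours=1), end, transport=fake)
    return items, fake.requests


if __name__ == "__main__":
    alerts, reqs = demo()
    print(f"{len(alerts)} alerts collected over {len(reqs)} requests")
```

Replace `FakeTransport` with the default `urllib_transport` and a real key to run it against a tenant; keep the key out of the query string and out of logs, and record the last `endDateTime` you collected so the next run starts from there rather than re-fetching the window.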
Logs Reference
alert

This is the alert dataset.

Example

An example event for alert looks as following:
```json
{ "@timestamp": "2023-04-30T00:01:16.000Z", "agent": { "ephemeral_id": "332ba8f3-c3fa-4c28-a2db-d290177c13e5", "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "trend_micro_vision_one.alert", "namespace": "19452", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "email" ], "created": "2024-06-12T03:27:26.911Z", "dataset": "trend_micro_vision_one.alert", "id": "WB-9002-20200427-0002", "ingested": "2024-06-12T03:27:38Z", "kind": "alert", "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2023-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", "severity": 63, "type": [ "info" ] }, "input": { "type": "httpjson" }, "log": { "level": "critical" }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", "trend_micro_vision_one-alert" ], "trend_micro_vision_one": { "alert": { "alert_provider": "SAE", "created_date": "2020-04-30T00:01:15.000Z", "description": "A backdoor was possibly implanted after a user received a possible spear phishing email message.", "id": "WB-9002-20200427-0002", "impact_scope": { "account_count": 0, "desktop_count": 0, "email_address_count": 0, "entities": [ { "id": "5257b401-2fd7-469c-94fa-39a4f11eb925", "provenance": [ "Alert" ], "related_entities": [ "CODERED\\\\\user" ], "related_indicator_id": [ 1 ], "type": "host", "value": { "account_value": "user@email.com" } } ], "server_count": 0 }, "indicators": [ { "field": "request url", "filter_id": [ "f862df72-7f5e-4b2b-9f7f-9148e875f908" ], "id": 1, "provenance": [ "Alert" ], "related_entities": [ "user@example.com" ], "type": "url", "value": "http://www.example.com/ab001.zip" } ], "investigation_status": "New", "matched_rule": [ { "filter": [ { "date": "2019-08-02T04:00:01.000Z", "events": [ { "date": "2019-08-02T04:00:01.000Z", "type": "TELEMETRY_REGISTRY", "uuid": "fa9ff47c-e1b8-459e-a3d0-a5b104b854a5" } ], "id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e", "mitre_technique_id": [ "T1192" ], "name": "(T1192) Spearphishing Link" } ], "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b", "name": "Possible SpearPhishing Email" } ], "model": "Possible APT Attack", "schema_version": "1.0", "score": 63, "severity": "critical", "workbench_link": "https://THE_WORKBENCH_URL" } }, "url": { "original": "https://THE_WORKBENCH_URL", "scheme": "https" } }
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type. | keyword |
log.offset | Log offset. | long |
trend_micro_vision_one.alert.alert_provider | Alert provider. | keyword |
trend_micro_vision_one.alert.campaign | An object-ref to a campaign object. | keyword |
trend_micro_vision_one.alert.created_by | Created by. | keyword |
trend_micro_vision_one.alert.created_date | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) that indicates when the alert was created. | date |
trend_micro_vision_one.alert.description | Description of the detection model that triggered the alert. | keyword |
trend_micro_vision_one.alert.id | Workbench ID. | keyword |
trend_micro_vision_one.alert.impact_scope.account_count | Count of affected accounts. | long |
trend_micro_vision_one.alert.impact_scope.desktop_count | Count of affected desktops. | long |
trend_micro_vision_one.alert.impact_scope.email_address_count | Count of affected email addresses. | long |
trend_micro_vision_one.alert.impact_scope.entities.id | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.provenance | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.related_entities | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.related_indicator_id | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.type | | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.account_value | Account or emailAddress. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.guid | GUID. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.id | Impact scope entity id. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.ips | Set of IPs. | ip |
trend_micro_vision_one.alert.impact_scope.entities.value.name | Host name. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.related_entities | Related entities. | keyword |
trend_micro_vision_one.alert.impact_scope.entities.value.related_indicator_id | Related indicator ids. | long |
trend_micro_vision_one.alert.impact_scope.entities.value.type | Impact scope entity type. | keyword |
trend_micro_vision_one.alert.impact_scope.server_count | Count of affected servers. | long |
trend_micro_vision_one.alert.indicators.field | Detailed description of the indicator. | keyword |
trend_micro_vision_one.alert.indicators.fields | Detailed description of the indicator. | keyword |
trend_micro_vision_one.alert.indicators.filter_id | Related matched filter ids. | keyword |
trend_micro_vision_one.alert.indicators.first_seen_date | First seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date |
trend_micro_vision_one.alert.indicators.id | Indicator ID. | keyword |
trend_micro_vision_one.alert.indicators.last_seen_date | Last seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date |
trend_micro_vision_one.alert.indicators.matched_indicator.pattern_id | Matched indicator pattern ids. | keyword |
trend_micro_vision_one.alert.indicators.provenance | Provenance. | keyword |
trend_micro_vision_one.alert.indicators.related_entities | Related entities. | keyword |
trend_micro_vision_one.alert.indicators.type | Indicator type. | keyword |
trend_micro_vision_one.alert.indicators.value | Indicator value. | keyword |
trend_micro_vision_one.alert.industry | Industry. | keyword |
trend_micro_vision_one.alert.investigation_status | Workbench alert status. | keyword |
trend_micro_vision_one.alert.matched_indicator_count | Matched indicator pattern count. | long |
trend_micro_vision_one.alert.matched_indicators_pattern.id | Pattern ID. | keyword |
trend_micro_vision_one.alert.matched_indicators_pattern.matched_log | Pattern matched log. | keyword |
trend_micro_vision_one.alert.matched_indicators_pattern.pattern | STIX indicator pattern. | keyword |
trend_micro_vision_one.alert.matched_indicators_pattern.tags | Tags defined by STIX. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.date | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date |
trend_micro_vision_one.alert.matched_rule.filter.events.date | Matched event date. | date |
trend_micro_vision_one.alert.matched_rule.filter.events.type | Matched event type. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.events.uuid | Matched event uuid. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.id | Matched filter id. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.mitre_technique_id | MITRE technique id. | keyword |
trend_micro_vision_one.alert.matched_rule.filter.name | Filter name. | keyword |
trend_micro_vision_one.alert.matched_rule.id | Id of the rule that was triggered. | keyword |
trend_micro_vision_one.alert.matched_rule.name | Matched rule name. | keyword |
trend_micro_vision_one.alert.model | Name of the detection model that triggered the alert. | keyword |
trend_micro_vision_one.alert.region_and_country | Region/country. | keyword |
trend_micro_vision_one.alert.report_link | A reference URL which links to the detailed report analysis. For Trend Micro research reports, the link points to the Trend Micro blog. | keyword |
trend_micro_vision_one.alert.schema_version | The version of the JSON schema, not the version of the alert trigger content. | keyword |
trend_micro_vision_one.alert.score | Overall severity assigned to the alert based on the severity of the matched detection model and the impact scope. | long |
trend_micro_vision_one.alert.severity | Workbench alert severity. | keyword |
trend_micro_vision_one.alert.total_indicator_count | Total indicator pattern count. | long |
trend_micro_vision_one.alert.workbench_link | Workbench URL. | keyword |
audit

This is the audit dataset.

Example

An example event for audit looks as following:
```json
{ "@timestamp": "2022-02-24T07:29:48.000Z", "agent": { "ephemeral_id": "652abe8f-556a-4a24-9e9d-dc2990f84a38", "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "trend_micro_vision_one.audit", "namespace": "46929", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, "version": "8.13.0" }, "event": { "agent_id_status": "verified", "category": [ "authentication" ], "created": "2024-06-12T03:28:27.263Z", "dataset": "trend_micro_vision_one.audit", "ingested": "2024-06-12T03:28:39Z", "kind": "event", "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", "outcome": "failure", "type": [ "info" ] }, "input": { "type": "httpjson" }, "related": { "user": [ "Root Account" ] }, "source": { "user": { "name": "Root Account", "roles": [ "Master Administrator" ] } }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", "trend_micro_vision_one-audit" ], "trend_micro_vision_one": { "audit": { "access_type": "Console", "activity": "string", "category": "Logon and Logoff", "details": { "property1": "string", "property2": "string" }, "logged_role": "Master Administrator", "logged_user": "Root Account", "result": "Unsuccessful" } } }
```
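The example above is a failed console logon by the tenant's root account, which the integration turns into event.category authentication with event.outcome failure. Those two fields are what you monitor to catch someone brute-forcing or password-spraying the XDR console itself. The following Python is an added example, not the integration's ingest pipeline and not Trend Micro code: it takes raw audit entries shaped like the event.original string above, derives the same outcome and category, and then flags any account whose failed logons reach a threshold inside a sliding window. The sample entries are constructed, and the mapping of non-logon categories is left empty because the page does not document it.

```python
"""Flag bursts of failed Trend Micro Vision One console logons (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four failures for Root Account inside 90 seconds, then a
# success, plus one isolated failure for a second account.
SAMPLE_AUDIT = [
    {"accessType": "Console", "category": "Logon and Logoff", "loggedDateTime": "2022-02-24T07:29:48Z",
     "loggedUser": "Root Account", "loggedRole": "Master Administrator", "result": "Unsuccessful"},
    {"accessType": "Console", "category": "Logon and Logoff", "loggedDateTime": "2022-02-24T07:30:05Z",
     "loggedUser": "Root Account", "loggedRole": "Master Administrator", "result": "Unsuccessful"},
    {"accessType": "Console", "category": "Logon and Logoff", "loggedDateTime": "2022-02-24T07:30:40Z",
     "loggedUser": "Root Account", "loggedRole": "Master Administrator", "result": "Unsuccessful"},
    {"accessType": "Console", "category": "Logon and Logoff", "loggedDateTime": "2022-02-24T07:31:12Z",
     "loggedUser": "Root Account", "loggedRole": "Master Administrator", "result": "Unsuccessful"},
    {"accessType": "Console", "category": "Logon and Logoff", "loggedDateTime": "2022-02-24T07:31:30Z",
     "loggedUser": "Root Account", "loggedRole": "Master Administrator", "result": "Successful"},
    {"accessType": "Console", "category": "Logon and Logoff", "loggedDateTime": "2022-02-24T08:00:00Z",
     "loggedUser": "analyst", "loggedRole": "Operator", "result": "Unsuccessful"},
]

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # loggedDateTime is ISO 8601 in UTC


def normalize_audit(entry: dict) -> dict:
    """Map a raw audit entry to the ECS fields the example document shows.
    Only 'Logon and Logoff' is mapped to a category; the page documents no others."""
    outcome = {"Successful": "success", "Unsuccessful": "failure"}.get(entry.get("result"), "unknown")
    return {
        "@timestamp": datetime.strptime(entry["loggedDateTime"], TIME_FMT),
        "event.kind": "event",
        "event.category": ["authentication"] if entry.get("category") == "Logon and Logoff" else [],
        "event.outcome": outcome,
        "source.user.name": entry.get("loggedUser"),
        "source.user.roles": [entry["loggedRole"]] if entry.get("loggedRole") else [],
        "trend_micro_vision_one.audit.access_type": entry.get("accessType"),
    }


def failed_logon_bursts(entries, threshold=3, window=timedelta(minutes=5)):
    """Return one hit per account whose failed logons reach `threshold` within any
    `window`-long span. Reports the densest span found for that account."""
    failures = defaultdict(list)
    for doc in map(normalize_audit, entries):
        if "authentication" in doc["event.category"] and doc["event.outcome"] == "failure":
            failures[doc["source.user.name"]].append(doc["@timestamp"])

    hits = []
    for user, times in failures.items():
        times.sort()
        best, best_start, lo = 0, None, 0
        for hi, t in enumerate(times):          # two-pointer sliding window
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > best:
                best, best_start = hi - lo + 1, times[lo]
        if best >= threshold:
            hits.append({"user": user, "window_start": best_start.strftime(TIME_FMT), "failures": best})
    return hits


if __name__ == "__main__":
    for hit in failed_logon_bursts(SAMPLE_AUDIT):
        print(f"{hit['user']}: {hit['failures']} failed logons from {hit['window_start']}")
```

The same logic expressed as a Kibana threshold rule would group on source.user.name where event.dataset is trend_micro_vision_one.audit, event.category is authentication and event.outcome is failure; the Python form is useful for back-testing a threshold against exported audit logs before you commit to it, and for accounts such as the root account the threshold should be low.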
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type. | keyword |
log.offset | Log offset. | long |
trend_micro_vision_one.audit.access_type | Source of the activity. | keyword |
trend_micro_vision_one.audit.activity | The activity that was performed. | keyword |
trend_micro_vision_one.audit.category | Category. | keyword |
trend_micro_vision_one.audit.details | Object that contains a list of elements to be retrieved from the "details" field. | flattened |
trend_micro_vision_one.audit.logged_role | Role of the account. | keyword |
trend_micro_vision_one.audit.logged_user | The account that was used to perform the activity. | keyword |
trend_micro_vision_one.audit.result | Result. | keyword |
detection

This is the detection dataset.

Example

An example event for detection looks as following:
```json
{ "@timestamp": "2020-10-15T01:16:32.000Z", "agent": { "ephemeral_id": "b136ddab-1cc6-49c5-b9c2-4a4fcf650fe2", "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "trend_micro_vision_one.detection", "namespace": "99796", "type": "logs" }, "destination": { "domain": "Workgroup", "ip": [ "81.2.69.142" ], "port": 53 }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "d2a14a09-96fc-4f81-94ef-b0cd75ad71e7", "snapshot": false, "version": "8.13.0" }, "event": { "action": "clean", "agent_id_status": "verified", "category": [ "intrusion_detection" ], "created": "2024-06-12T03:29:29.064Z", "dataset": "trend_micro_vision_one.detection", "id": "100117", "ingested": "2024-06-12T03:29:41Z", "kind": "event", "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\\\Users\\\\\\\\\\user1\\\\\\\\\\Downloads\\\\\\\\\\Unconfirmed 145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\\\Program Files (x86)\\\\\\\\\\Microsoft\\\\\\\\\\Edge\\\\\\\\\\Application\\\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\\\Users\\\\\\\\\\user1\\\\\\\\\\Downloads\\\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\\\os\\\\\\\\\\system32\\\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\\\os\\\\\\\\\\System32\\\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\\\Program Files (x86)\\\\\\\\\\os\\\\\\\\\\Application\\\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", "severity": 50, "type": [ "info" ] }, "file": { "hash": { "md5": "761AEFF7E6B110970285B9C20C9E1DCA", "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" }, "name": [ "Unconfirmed 145081.crdownload" ], "path": "/etc/systemd/system/snap-xxxx-1246.xxxx", "size": 0 }, "host": { "hostname": "samplehost", "id": "1234-1234-1234", "ip": [ "81.2.69.142" ], "mac": [ "00-00-5E-00-53-23" ], "name": "abc-docker" }, "http": { "request": { "referrer": "http://www.example.com/" } }, "input": { "type": "httpjson" }, "network": { "direction": "outbound", "protocol": "http" }, "observer": { "hostname": "samplehost", "mac": [ "00-00-5E-00-53-23" ] }, "process": { "command_line": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", "name": "string", "pid": 0 }, "related": { "hash": [ "761AEFF7E6B110970285B9C20C9E1DCA", "00496B4D53CEFE031B9702B3385C9F4430999932", "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7", "3395856ce81f2b7382dee72602f798b642f14140" ], "hosts": [ "samplehost", "abc-docker" ], "ip": [ "81.2.69.142", "81.2.69.192" ] }, "source": { "ip": "81.2.69.192", "port": 58871 }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", "trend_micro_vision_one-detection" ], "threat": { "tactic": { "id": [ "TA0005" ] } }, "trend_micro_vision_one": { "detection": { "action": "Clean", "action_result": "Quarantined successfully", "behavior_category": "Grey-Detection", "block": "Web reputation", "client_flag": "dst", "component_version": [ "PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00" ], "compressed_file_size": 0, "destination": { "ip": [ "81.2.69.142" ], "ip_group": "Default", "port": 53 }, "detection": "Yes", "detection_source": "GLOBAL_INTELLIGENCE", "detection_type": "File", "device": { "direction": "outbound", "guid": "C5B09EDD-C725-907F-29D9-B8C30D18C48F", "host": "samplehost", "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "ip": [ "81.2.69.192" ], "mac": "00-00-5E-00-53-23", "process_name": "/snap/core/10126/usr/lib/snapd/snapd" }, "domain": { "name": "Workgroup" }, "end_time": "2021-09-30T17:40:04.000Z", "endpoint": { "guid": "1234-1234-1234", "hostname": "abc-docker", "ip": [ "81.2.69.142" ], "mac": "00-00-5E-00-53-23" }, "engine_type": "Virus Scan Engine (OS 2003, x64)", "engine_version": "12.500.1004", "event_id": "100117", "event_name": "INTEGRITY_MONITORING_EVENT", "event_time_dt": "2021-06-10T01:38:38.000Z", "file_hash": "3395856ce81f2b7382dee72602f798b642f14140", "file_name": [ "Unconfirmed 145081.crdownload" ], "file_operation": "Deleted", "file_path": "/etc/systemd/system", "file_path_name": "/etc/systemd/system/snap-xxxx-1246.xxxx", "file_size": 0, "first_action": "Clean", "first_action_result": "Unable to clean file", "full_path": "C:\\\\\Users\\\\\user1\\\\\Downloads\\\\\Unconfirmed 145081.crdownload", "hostname": "samplehost", "http_referer": "http://www.example.com/", "interested": { "host": "abc-docker", "ip": [ "81.2.69.192" ], "mac": "00-00-5E-00-53-23" }, "malware_name": "Eicar_test_1", "malware_type": "Virus/Malware", "mproduct": { "name": "Cloud One - Workload Security", "version": "Deep Security/20.0.222" }, "object": { "cmd": [ "C:\\\\\Program Files (x86)\\\\\Microsoft\\\\\Edge\\\\\Application\\\\\msedge.exe --profile-directory=Default" ], "file": { "hash": { "md5": "761AEFF7E6B110970285B9C20C9E1DCA", "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" }, "name": "Unconfirmed 142899.crdownload:SmartScreen", "path": "C:\\\\\Users\\\\\user1\\\\\Downloads\\\\\Unconfirmed 142899.crdownload:SmartScreen" }, "name": "CloudEndpointService.exe", "pid": 7660, "signer": [ "OS" ] }, "parent": { "cmd": "C:\\\\\os\\\\\system32\\\\\svchost.exe -k DcomLaunch -p", "file": { "hash": { "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" }, "path": "C:\\\\\os\\\\\System32\\\\\svchost.exe" } }, "peer": { "host": "samplehost", "ip": [ "81.2.69.192" ] }, "process": { "cmd": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", "file": { "hash": { "md5": "761AEFF7E6B110970285B9C20C9E1DCA", "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" }, "path": "C:\\\\\Program Files (x86)\\\\\os\\\\\Application\\\\\msedge.exe" }, "name": "string", "pid": 0, "signer": "OS Publisher" }, "product": { "code": "sao", "name": "Apex One", "version": "20.0.0.877" }, "protocol": "HTTP", "protocol_group": "HTTP", "related_apt": false, "request": "https://example.com", "request_client_application": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", "risk_level": 3, "rt": "2020-10-15T01:16:32.000Z", "rt_utc": "2020-10-15T01:16:32.000Z", "search_data_lake": "DDL", "security_analytics": { "engine": { "name": [ "T1090 (TA0005)" ], "version": "v6" } }, "severity_level": 50, "source": { "group": "Default", "ip": "81.2.69.192", "port": 58871 }, "sub_name": "Attack Discovery", "tactic_id": [ "TA0005" ], "tags": [ "XSAE.F2140", "XSAE.F3066" ], "threat_name": "Malicious_identified_CnC_querying_on_UDP_detected", "total_count": 1, "uuid": "1234-1234-1234" } }, "url": { "domain": "example.com", "original": "https://example.com", "scheme": "https" }, "user_agent": { "device": { "name": "iPhone" }, "name": "Mobile Safari", "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", "os": { "full": "iOS 12.1", "name": "iOS", "version": "12.1" }, "version": "12.0" } }
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type. | keyword |
log.offset | Log offset. | long |
trend_micro_vision_one.detection.action | Action taken by the detecting product. | keyword |
trend_micro_vision_one.detection.action_result | Result of the action taken by the detecting product. | keyword |
trend_micro_vision_one.detection.aggregated_count | Aggregated count. | long |
trend_micro_vision_one.detection.behavior_category | The matched policy category (policy section) in the BM patterns, which is always Grey-Detection here. | keyword |
trend_micro_vision_one.detection.block | Blocking reason. | keyword |
trend_micro_vision_one.detection.client_flag | 0: Unknown, 1: src, 2: dst. | keyword |
trend_micro_vision_one.detection.client_ip | Client IP. | ip |
trend_micro_vision_one.detection.component_version | Product component version. | keyword |
trend_micro_vision_one.detection.compressed_file_size | File size after compression. | long |
trend_micro_vision_one.detection.destination.ip | Destination IP address. | ip |
trend_micro_vision_one.detection.destination.ip_group | Destination IP address group. | keyword |
trend_micro_vision_one.detection.destination.port | Destination port. | long |
trend_micro_vision_one.detection.detection | Yes (tagged when the field appears and its value is 1). | keyword |
trend_micro_vision_one.detection.detection_source | Detection source used by Deep Discovery Inspector. | keyword |
trend_micro_vision_one.detection.detection_type | Product detection type. | keyword |
trend_micro_vision_one.detection.device.direction | 0: inbound, 1: outbound, 2: unknown (2 is assigned if the value cannot be parsed correctly). | keyword |
trend_micro_vision_one.detection.device.guid | Device GUID. | keyword |
trend_micro_vision_one.detection.device.host | Device host. | keyword |
trend_micro_vision_one.detection.device.id | Device identity. | keyword |
trend_micro_vision_one.detection.device.ip | Device IP list. | ip |
trend_micro_vision_one.detection.device.mac | MAC address. | keyword |
trend_micro_vision_one.detection.device.process_name | Process name on the device. | keyword |
trend_micro_vision_one.detection.domain.name | Domain name. | keyword |
trend_micro_vision_one.detection.end_time | End time. | date |
trend_micro_vision_one.detection.endpoint.guid | Endpoint GUID for identity. | keyword |
trend_micro_vision_one.detection.endpoint.hostname | Hostname of the endpoint on which the event was generated. | keyword |
trend_micro_vision_one.detection.endpoint.ip | Endpoint IP address list. | ip |
trend_micro_vision_one.detection.endpoint.mac | Endpoint MAC address. | keyword |
trend_micro_vision_one.detection.engine_type | Product scan engine type. | keyword |
trend_micro_vision_one.detection.engine_version | Product scan engine version. | keyword |
trend_micro_vision_one.detection.event_id | Event ID. | keyword |
trend_micro_vision_one.detection.event_name | Predefined event enumerator. | keyword |
trend_micro_vision_one.detection.event_time_dt | Detection time. | date |
trend_micro_vision_one.detection.file_hash | Hash value of the detected file. | keyword |
trend_micro_vision_one.detection.file_name | Name of the detected file. | keyword |
trend_micro_vision_one.detection.file_operation | Operation performed on the detected file. | keyword |
trend_micro_vision_one.detection.file_path | Full file path without the file name. | keyword |
trend_micro_vision_one.detection.file_path_name | Full file path. | keyword |
trend_micro_vision_one.detection.file_size | Size of the detected file. | long |
trend_micro_vision_one.detection.file_type | Type of the detected file. | keyword |
trend_micro_vision_one.detection.first_action | First action. | keyword |
trend_micro_vision_one.detection.first_action_result | First action result. | keyword |
trend_micro_vision_one.detection.full_path | File full path. | keyword |
trend_micro_vision_one.detection.hostname | Host name. | keyword |
trend_micro_vision_one.detection.http_referer | HTTP referer URL. | keyword |
trend_micro_vision_one.detection.interested.host | Highlighted indicator for incident response members. | keyword |
trend_micro_vision_one.detection.interested.ip | Highlighted indicator for incident response members. | ip |
trend_micro_vision_one.detection.interested.mac | Highlighted indicator for incident response members. | keyword |
trend_micro_vision_one.detection.malware_name | Malware name. | keyword |
trend_micro_vision_one.detection.malware_type | Malware type. | keyword |
trend_micro_vision_one.detection.mime_type | MIME type. | keyword |
trend_micro_vision_one.detection.mproduct.name | Product name. | keyword |
trend_micro_vision_one.detection.mproduct.version | Product version. | keyword |
trend_micro_vision_one.detection.object.cmd | The command line that a process detected by Attack Discovery uses to execute other processes. | keyword |
trend_micro_vision_one.detection.object.file.hash.md5 | File hash MD5 value. | keyword |
trend_micro_vision_one.detection.object.file.hash.sha1 | File hash SHA1 value. | keyword |
trend_micro_vision_one.detection.object.file.hash.sha256 | File hash SHA256 value. | keyword |
trend_micro_vision_one.detection.object.file.name | File name. | keyword |
trend_micro_vision_one.detection.object.file.path | File path. | keyword |
trend_micro_vision_one.detection.object.name | Detected object name. | keyword |
trend_micro_vision_one.detection.object.pid | Detected object PID. | long |
trend_micro_vision_one.detection.object.signer | Signer. | keyword |
trend_micro_vision_one.detection.os.name | Supported values: Linux, Windows, macOS, macOSX. | keyword |
trend_micro_vision_one.detection.parent.cmd | The command line of the parent process. | keyword |
trend_micro_vision_one.detection.parent.file.hash.sha1 | Parent file SHA1. | keyword |
trend_micro_vision_one.detection.parent.file.hash.sha256 | Parent file SHA256. | keyword |
trend_micro_vision_one.detection.parent.file.path | Parent file path. | keyword |
trend_micro_vision_one.detection.peer.host | Peer host name. | keyword |
trend_micro_vision_one.detection.peer.ip | Peer IP list. | ip |
trend_micro_vision_one.detection.policy.logkey | Policy logkey. | keyword |
trend_micro_vision_one.detection.policy.name | Policy name. | keyword |
trend_micro_vision_one.detection.policy.uuid | Policy UUID. | keyword |
trend_micro_vision_one.detection.principal_name | Principal name. | keyword |
trend_micro_vision_one.detection.process.cmd | The command line used to launch this process. | keyword |
trend_micro_vision_one.detection.process.file.hash.md5 | Process file hash MD5 value. | keyword |
trend_micro_vision_one.detection.process.file.hash.sha1 | Process file hash SHA1 value. | keyword |
trend_micro_vision_one.detection.process.file.hash.sha256 | Process file hash SHA256 value. | keyword |
trend_micro_vision_one.detection.process.file.path | The process file path. | keyword |
trend_micro_vision_one.detection.process.name | Process name. | keyword |
trend_micro_vision_one.detection.process.pid | Process PID. | long |
trend_micro_vision_one.detection.process.signer | Process signer. | keyword |
trend_micro_vision_one.detection.product.code | Product code name. | keyword |
trend_micro_vision_one.detection.product.name | Product name. | keyword |
trend_micro_vision_one.detection.product.version | Product version. | keyword |
trend_micro_vision_one.detection.profile | Profile. | keyword |
trend_micro_vision_one.detection.protocol | Protocol detected by Deep Discovery Inspector. | keyword |
trend_micro_vision_one.detection.protocol_group | Protocol group detected by Deep Discovery Inspector. | keyword |
trend_micro_vision_one.detection.related_apt | 0: False, 1: True. | boolean |
trend_micro_vision_one.detection.request | URL. | keyword |
trend_micro_vision_one.detection.request_base | Request base. | keyword |
trend_micro_vision_one.detection.request_client_application | Browser user agent. | keyword |
trend_micro_vision_one.detection.risk_level | SLF_CCCA_RISKLEVEL_UNKNOWN (0), SLF_CCCA_RISKLEVEL_LOW (1), SLF_CCCA_RISKLEVEL_MEDIUM (2), SLF_CCCA_RISKLEVEL_HIGH (3). | long |
trend_micro_vision_one.detection.rt | Detection time. | date |
trend_micro_vision_one.detection.rt_utc | Detection time in UTC. | date |
trend_micro_vision_one.detection.search_data_lake | Data lake name. | keyword |
trend_micro_vision_one.detection.security_analytics.engine.name | Security Analytics Engine. | keyword |
trend_micro_vision_one.detection.security_analytics.engine.version | Security Analytics Engine version. | keyword |
trend_micro_vision_one.detection.sender | Sender. | keyword |
trend_micro_vision_one.detection.severity_level | Severity score. | long |
trend_micro_vision_one.detection.source.group | Source IP address group. | keyword |
trend_micro_vision_one.detection.source.ip | Source IP address. | ip |
trend_micro_vision_one.detection.source.port | Source port. | long |
trend_micro_vision_one.detection.sub_name | Detection event subscription name. | keyword |
trend_micro_vision_one.detection.suid | SUID. | keyword |
trend_micro_vision_one.detection.tactic_id | Security Agent or product policy. | keyword |
trend_micro_vision_one.detection.tags | Detected by Security Analytics Engine filters. | keyword |
trend_micro_vision_one.detection.threat_name | Threat name. | keyword |
trend_micro_vision_one.detection.total_count | Total count. | long |
trend_micro_vision_one.detection.url_cat | URL category. | keyword |
trend_micro_vision_one.detection.user.domain | User domain. | keyword |
trend_micro_vision_one.detection.uuid | Log unique ID. | keyword |
Changelog
Version | Details | Kibana version(s) |
---|---|---|
1.25.1 | Bug fix (View pull request) | 8.13.0 or higher |
1.25.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.24.1 | Bug fix (View pull request) | 8.13.0 or higher |
1.24.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.23.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.22.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.21.1 | Bug fix (View pull request) | 8.13.0 or higher |
1.21.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.20.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.19.1 | Bug fix (View pull request) | 8.12.0 or higher |
1.19.0 | Enhancement (View pull request) | 8.12.0 or higher |
1.18.0 | Enhancement (View pull request) | 8.12.0 or higher |
1.17.0 | Enhancement (View pull request) | 8.12.0 or higher |
1.16.0 | Enhancement (View pull request) | 8.12.0 or higher |
1.15.1 | Enhancement (View pull request) | 8.7.1 or higher |
1.15.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.14.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.13.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.12.2 | Bug fix (View pull request) | 8.7.1 or higher |
1.12.1 | Bug fix (View pull request) | 8.7.1 or higher |
1.12.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.11.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.10.0 | Bug fix (View pull request) | 8.7.1 or higher |
1.9.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.8.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.7.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.6.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.5.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.4.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.3.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.2.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.1.0 | Enhancement (View pull request) | 8.4.0 or higher |
1.0.0 | Enhancement (View pull request) | 8.4.0 or higher |
0.3.1 | Enhancement (View pull request) | — |
0.3.0 | Enhancement (View pull request) | — |
0.2.2 | Bug fix (View pull request) | — |
0.2.1 | Enhancement (View pull request) | — |
0.2.0 | Enhancement (View pull request) | — |
0.1.0 | Enhancement (View pull request) | — |