From efb084318aaa7804335caf2cf593128ebf0c7a15 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Wed, 4 Oct 2023 12:01:29 +0530
Subject: [PATCH 1/4] Fix Trendmicro detection API TMV1-Query header
---
 packages/trend_micro_vision_one/changelog.yml | 5 +++++
 .../data_stream/detection/agent/stream/httpjson.yml.hbs | 2 +-
 packages/trend_micro_vision_one/manifest.yml | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/packages/trend_micro_vision_one/changelog.yml b/packages/trend_micro_vision_one/changelog.yml
index 1cf7239592c..28813933381 100644
--- a/packages/trend_micro_vision_one/changelog.yml
+++ b/packages/trend_micro_vision_one/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.12.1
+ changes:
+ - description: Fix Detection API header
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1111
 - version: 1.12.0
 changes:
 - description: Update the package format_version to 3.0.0.
diff --git a/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs b/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs
index 3754cfb0b5f..f5dd81b295a 100644
--- a/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs
+++ b/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs
@@ -20,7 +20,7 @@ request.transforms:
 value: 'Bearer {{api_token}}'
 - set:
 target: header.TMV1-Query
- value: 'uuid'
+ value: 'uuid:*'
 - set:
 target: url.params.top
 value: '5000'
diff --git a/packages/trend_micro_vision_one/manifest.yml b/packages/trend_micro_vision_one/manifest.yml
index f20a102caec..90b208ee477 100644
--- a/packages/trend_micro_vision_one/manifest.yml
+++ b/packages/trend_micro_vision_one/manifest.yml
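Review bot: The new `value: 'uuid:*'` under `target: header.TMV1-Query` replaces the bare field name `uuid` with a wildcard filter expression, but nothing in the template records why, and the changelog entry in the same commit only says "Fix Detection API header". A maintainer reading the rendered stream config cannot tell whether `uuid:*` is the widest filter the Search API accepts or a stand-in meant to be narrowed later, so a comment above that `- set:` entry would help, e.g. `# TMV1-Query is the Search API filter; 'uuid:*' is used as the widest match so every detection is collected (confirm against the API docs).` The header value is also fixed in the template rather than exposed as a stream variable, which is reasonable for a collector but worth stating in that comment if it is deliberate. The enclosing `request.transforms` list starts before this hunk.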
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: trend_micro_vision_one
 title: Trend Micro Vision One
-version: "1.12.0"
+version: "1.12.1"
 description: Collect logs from Trend Micro Vision One with Elastic Agent.
 type: integration
 categories:
From 41df2cbce9ac3503c8d192a7d3719ab9cd9010e3 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Wed, 4 Oct 2023 12:08:39 +0530
Subject: [PATCH 2/4] update changelog
---
 packages/trend_micro_vision_one/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/trend_micro_vision_one/changelog.yml b/packages/trend_micro_vision_one/changelog.yml
index 28813933381..9640a7c9015 100644
--- a/packages/trend_micro_vision_one/changelog.yml
+++ b/packages/trend_micro_vision_one/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Fix Detection API header
 type: bugfix
- link: https://github.com/elastic/integrations/pull/1111
+ link: https://github.com/elastic/integrations/pull/8083
 - version: 1.12.0
 changes:
 - description: Update the package format_version to 3.0.0.
From b21d7d483af2a2fdf46e15040a42e5425e030d44 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Fri, 6 Oct 2023 12:01:24 +0530
Subject: [PATCH 3/4] update system tests
---
 .../_dev/deploy/docker/files/config.yml | 6 +++++-
 .../detection/agent/stream/httpjson.yml.hbs | 2 +-
 .../data_stream/detection/sample_event.json | 20 +++++++++----------
 .../trend_micro_vision_one/docs/README.md | 16 +++++++--------
 4 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml b/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml
index 8ac8d7f2f04..3ded79e040d 100644
--- a/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml
+++ b/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml
@@ -4,7 +4,7 @@ rules: responses: - status_code: 200 body: | - {"totalCount":100,"count":10,"items":[{"schemaVersion":"1.0","id":"WB-9002-20200427-0002","investigationStatus":"New","workbenchLink":"https://THE_WORKBENCH_URL","alertProvider":"SAE","model":"Possible APT Attack","score":63,"severity":"critical","impactScope":{"desktopCount":0,"serverCount":0,"accountCount":0,"emailAddressCount":0,"entities":[{"entityType":"host","entityValue":"user@email.com","entityId":"5257b401-2fd7-469c-94fa-39a4f11eb925","relatedEntities":["CODERED\\\\user"],"relatedIndicatorIds":[1],"provenance":["Alert"]}]},"createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2030-04-30T00:01:16Z","description":"A backdoor was possibly implanted after a user received a possible spear phishing email message.","indicators":[{"id":1,"type":"url","field":"request url","value":"http://www.example.com/ab001.zip","relatedEntities":["user@example.com"],"provenance":["Alert"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]}],"matchedRules":[{"id":"5f52d1f1-53e7-411a-b74f-745ee81fa30b","name":"Possible SpearPhishing Email","matchedFilters":[{"id":"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e","name":"(T1192) Spearphishing Link","matchedDateTime":"2019-08-02T04:00:01Z","mitreTechniqueIds":["T1192"],"matchedEvents":[{"uuid":"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5","matchedDateTime":"2019-08-02T04:00:01Z","type":"TELEMETRY_REGISTRY"}]}]}]}],"nextLink":"https://api.xdr.trendmicro.com/v3.0/workbench/alerts?skipToken=MTA=&orderBy=score%20desc"} + {"totalCount":100,"count":10,"items":[{"schemaVersion":"1.0","id":"WB-9002-20200427-0002","investigationStatus":"New","workbenchLink":"https://THE_WORKBENCH_URL","alertProvider":"SAE","model":"Possible APT 
Attack","score":63,"severity":"critical","impactScope":{"desktopCount":0,"serverCount":0,"accountCount":0,"emailAddressCount":0,"entities":[{"entityType":"host","entityValue":"user@email.com","entityId":"5257b401-2fd7-469c-94fa-39a4f11eb925","relatedEntities":["CODERED\\\\user"],"relatedIndicatorIds":[1],"provenance":["Alert"]}]},"createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2023-04-30T00:01:16Z","description":"A backdoor was possibly implanted after a user received a possible spear phishing email message.","indicators":[{"id":1,"type":"url","field":"request url","value":"http://www.example.com/ab001.zip","relatedEntities":["user@example.com"],"provenance":["Alert"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]}],"matchedRules":[{"id":"5f52d1f1-53e7-411a-b74f-745ee81fa30b","name":"Possible SpearPhishing Email","matchedFilters":[{"id":"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e","name":"(T1192) Spearphishing Link","matchedDateTime":"2019-08-02T04:00:01Z","mitreTechniqueIds":["T1192"],"matchedEvents":[{"uuid":"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5","matchedDateTime":"2019-08-02T04:00:01Z","type":"TELEMETRY_REGISTRY"}]}]}]}],"nextLink":"https://api.xdr.trendmicro.com/v3.0/workbench/alerts?skipToken=MTA=&orderBy=score%20desc"} - path: /v3.0/audit/logs methods: ['GET'] responses: @@ -13,6 +13,10 @@ rules: {"items":[{"loggedDateTime":"2022-02-24T07:29:48Z","loggedUser":"Root Account","loggedRole":"Master Administrator","accessType":"Console","category":"Logon and Logoff","activity":"string","result":"Unsuccessful","details":{"property1":"string","property2":"string"}}],"nextLink":"https://api.xdr.trendmicro.com/v3.0/audit/logs?skipToken=","labels":{"property1":"string","property2":"string"}} - path: /v3.0/search/detections methods: ['GET'] + request_headers: + TMV1-Query: "uuid:*" + Authorization: + - "Bearer xxxx" responses: - status_code: 200 body: | 
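Review bot: In the added `request_headers` block, `TMV1-Query` is written as a plain scalar (`"uuid:*"`) while `Authorization` is a one-item sequence (`- "Bearer xxxx"`), so the two expected headers use different shapes for the same kind of value. If the mock server decodes each header into a list of expected values, the scalar form may fail to load or never match, and the system test would then not be checking the very header this series fixes — confirm against the mock's config schema and use one shape, e.g. `TMV1-Query: ["uuid:*"]`. The literal `Bearer xxxx` match also ties this rule to whatever token the system-test config sends; a one-line comment naming that coupling would save the next maintainer a search. The rule's `responses` block continues past the end of this hunk.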
diff --git a/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs b/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs index f5dd81b295a..7026ef155e7 100644 --- a/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs +++ b/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs @@ -20,7 +20,7 @@ request.transforms: value: 'Bearer {{api_token}}' - set: target: header.TMV1-Query - value: 'uuid:*' + value: "uuid:*" - set: target: url.params.top value: '5000' diff --git a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json index 2666468c07f..c9bd1badd36 100644 --- a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json +++ b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2020-10-15T01:16:32.000Z", "agent": { - "ephemeral_id": "498db1fe-f272-4d31-8872-856b62ea3183", - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "ephemeral_id": "036acc9c-7c48-4333-9845-054f3093a5fc", + "id": "8d5d9aee-d289-458a-8e51-4f9b056c28ae", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.11.0" }, "data_stream": { "dataset": "trend_micro_vision_one.detection", @@ -23,9 +23,9 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", - "snapshot": false, - "version": "8.7.1" + "id": "8d5d9aee-d289-458a-8e51-4f9b056c28ae", + "snapshot": true, + "version": "8.11.0" }, "event": { "action": "clean", 
@@ -33,12 +33,12 @@ "category": [ "intrusion_detection" ], - "created": "2023-09-27T08:40:28.553Z", + "created": "2023-10-06T06:25:50.051Z", "dataset": "trend_micro_vision_one.detection", "id": "100117", - "ingested": "2023-09-27T08:40:32Z", + "ingested": "2023-10-06T06:25:53Z", "kind": "event", - "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", + "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 
145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex 
One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1111-2222-3333-4444\"}", "severity": 50, "type": [ "info" @@ -283,7 +283,7 @@ ], "threat_name": "Malicious_identified_CnC_querying_on_UDP_detected", "total_count": 1, - "uuid": "1234-1234-1234" + "uuid": "1111-2222-3333-4444" } }, "url": { diff --git a/packages/trend_micro_vision_one/docs/README.md b/packages/trend_micro_vision_one/docs/README.md index da35dc3049f..8217638ce6a 100644 --- a/packages/trend_micro_vision_one/docs/README.md +++ b/packages/trend_micro_vision_one/docs/README.md 
@@ -453,11 +453,11 @@ An example event for `detection` looks as following: { "@timestamp": "2020-10-15T01:16:32.000Z", "agent": { - "ephemeral_id": "498db1fe-f272-4d31-8872-856b62ea3183", - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "ephemeral_id": "18c8b620-5852-4eb1-b5fd-689a811905c9", + "id": "8594fa29-3c94-487c-8956-5154932435f9", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.11.0" }, "data_stream": { "dataset": "trend_micro_vision_one.detection", @@ -475,9 +475,9 @@ An example event for `detection` looks as following: "version": "8.10.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", - "snapshot": false, - "version": "8.7.1" + "id": "8594fa29-3c94-487c-8956-5154932435f9", + "snapshot": true, + "version": "8.11.0" }, "event": { "action": "clean", 
@@ -485,10 +485,10 @@ An example event for `detection` looks as following: "category": [ "intrusion_detection" ], - "created": "2023-09-27T08:40:28.553Z", + "created": "2023-10-06T06:19:20.041Z", "dataset": "trend_micro_vision_one.detection", "id": "100117", - "ingested": "2023-09-27T08:40:32Z", + "ingested": "2023-10-06T06:19:23Z", "kind": "event", "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", "severity": 50, From 2c2d10c558b7e767d071af16f7a98bc51f506963 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Fri, 6 Oct 2023 14:46:45 +0530 Subject: [PATCH 4/4] readme and format --- packages/trend_micro_vision_one/changelog.yml | 2 +- .../data_stream/detection/sample_event.json | 14 +++++++------- packages/trend_micro_vision_one/docs/README.md | 10 +++++----- packages/trend_micro_vision_one/validation.yml | 2 +- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/packages/trend_micro_vision_one/changelog.yml b/packages/trend_micro_vision_one/changelog.yml index 9640a7c9015..2985ac74d8e 100644 --- a/packages/trend_micro_vision_one/changelog.yml +++ b/packages/trend_micro_vision_one/changelog.yml @@ -3,7 +3,7 @@ changes: - description: Fix Detection API header type: bugfix - link: https://github.com/elastic/integrations/pull/8083 + link: https://github.com/elastic/integrations/pull/8083 - version: 1.12.0 changes: - description: Update the package format_version to 3.0.0. diff --git a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json index c9bd1badd36..16347deea2b 100644 --- a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json +++ b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json 
@@ -1,8 +1,8 @@ { "@timestamp": "2020-10-15T01:16:32.000Z", "agent": { - "ephemeral_id": "036acc9c-7c48-4333-9845-054f3093a5fc", - "id": "8d5d9aee-d289-458a-8e51-4f9b056c28ae", + "ephemeral_id": "041ba589-51ca-4422-a895-36a10f4568a8", + "id": "94a80c96-489d-4fc8-aeab-bdef580d21f8", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.11.0" @@ -23,7 +23,7 @@ "version": "8.10.0" }, "elastic_agent": { - "id": "8d5d9aee-d289-458a-8e51-4f9b056c28ae", + "id": "94a80c96-489d-4fc8-aeab-bdef580d21f8", "snapshot": true, "version": "8.11.0" }, 
@@ -33,12 +33,12 @@ "category": [ "intrusion_detection" ], - "created": "2023-10-06T06:25:50.051Z", + "created": "2023-10-06T09:10:41.685Z", "dataset": "trend_micro_vision_one.detection", "id": "100117", - "ingested": "2023-10-06T06:25:53Z", + "ingested": "2023-10-06T09:10:44Z", "kind": "event", - "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1111-2222-3333-4444\"}", + "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 
145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex 
One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", "severity": 50, "type": [ "info" @@ -283,7 +283,7 @@ ], "threat_name": "Malicious_identified_CnC_querying_on_UDP_detected", "total_count": 1, - "uuid": "1111-2222-3333-4444" + "uuid": "1234-1234-1234" } }, "url": { diff --git a/packages/trend_micro_vision_one/docs/README.md b/packages/trend_micro_vision_one/docs/README.md index 8217638ce6a..f406ce50a5a 100644 --- a/packages/trend_micro_vision_one/docs/README.md +++ b/packages/trend_micro_vision_one/docs/README.md @@ -453,8 +453,8 @@ An example event for `detection` looks as following: { "@timestamp": "2020-10-15T01:16:32.000Z", "agent": { - "ephemeral_id": "18c8b620-5852-4eb1-b5fd-689a811905c9", - "id": "8594fa29-3c94-487c-8956-5154932435f9", + "ephemeral_id": "041ba589-51ca-4422-a895-36a10f4568a8", + "id": "94a80c96-489d-4fc8-aeab-bdef580d21f8", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.11.0" 
@@ -475,7 +475,7 @@ An example event for `detection` looks as following:
 "version": "8.10.0"
 },
 "elastic_agent": {
- "id": "8594fa29-3c94-487c-8956-5154932435f9",
+ "id": "94a80c96-489d-4fc8-aeab-bdef580d21f8",
 "snapshot": true,
 "version": "8.11.0"
 },
@@ -485,10 +485,10 @@ An example event for `detection` looks as following:
 "category": [
 "intrusion_detection"
 ],
- "created": "2023-10-06T06:19:20.041Z",
+ "created": "2023-10-06T09:10:41.685Z",
 "dataset": "trend_micro_vision_one.detection",
 "id": "100117",
- "ingested": "2023-10-06T06:19:23Z",
+ "ingested": "2023-10-06T09:10:44Z",
 "kind": "event",
 "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}",
 "severity": 50,
diff --git a/packages/trend_micro_vision_one/validation.yml b/packages/trend_micro_vision_one/validation.yml
index 6cb775c44b6..da88d107c6d 100644
--- a/packages/trend_micro_vision_one/validation.yml
+++ b/packages/trend_micro_vision_one/validation.yml
@@ -1,3 +1,3 @@
 errors:
 exclude_checks:
- - SVR00001 # Saved query, but no filter.
+ - SVR00001 # Saved query, but no filter.