From b6864d4407b6cc838aaa175ef8283e67a3880d74 Mon Sep 17 00:00:00 2001 
From: vinit-elastic Date: Fri, 5 Aug 2022 19:00:39 +0530 Subject: [PATCH 1/6] Initial Release for the Trend Micro Vision One Package --- .github/CODEOWNERS | 1 + .../_dev/build/build.yml | 3 + .../_dev/build/docs/README.md | 68 + .../_dev/deploy/docker/docker-compose.yml | 15 + .../_dev/deploy/docker/files/config.yml | 19 + packages/trend_micro_vision_one/changelog.yml | 6 + .../_dev/test/pipeline/test-common-config.yml | 4 + .../test/pipeline/test-pipeline-alert.log | 4 + .../test-pipeline-alert.log-expected.json | 612 ++++++ .../_dev/test/system/test-default-config.yml | 9 + .../alert/agent/stream/ httpjson.yml.hbs | 54 + .../elasticsearch/ingest_pipeline/default.yml | 563 ++++++ .../data_stream/alert/fields/agent.yml | 204 ++ .../data_stream/alert/fields/base-fields.yml | 20 + .../data_stream/alert/fields/ecs.yml | 34 + .../data_stream/alert/fields/fields.yml | 183 ++ .../data_stream/alert/manifest.yml | 57 + .../data_stream/alert/sample_event.json | 133 ++ .../_dev/test/pipeline/test-common-config.yml | 4 + .../test/pipeline/test-pipeline-audit.log | 2 + .../test-pipeline-audit.log-expected.json | 95 + .../_dev/test/system/test-default-config.yml | 9 + .../audit/agent/stream/ httpjson.yml.hbs | 57 + .../elasticsearch/ingest_pipeline/default.yml | 172 ++ .../data_stream/audit/fields/agent.yml | 204 ++ .../data_stream/audit/fields/base-fields.yml | 20 + .../data_stream/audit/fields/ecs.yml | 20 + .../data_stream/audit/fields/fields.yml | 24 + .../data_stream/audit/manifest.yml | 57 + .../data_stream/audit/sample_event.json | 72 + .../_dev/test/pipeline/test-common-config.yml | 4 + .../test/pipeline/test-pipeline-detection.log | 2 + .../test-pipeline-detection.log-expected.json | 419 ++++ .../_dev/test/system/test-default-config.yml | 9 + .../detection/agent/stream/httpjson.yml.hbs | 57 + .../elasticsearch/ingest_pipeline/default.yml | 977 ++++++++++ .../data_stream/detection/fields/agent.yml | 204 ++ .../detection/fields/base-fields.yml | 20 + 
.../data_stream/detection/fields/ecs.yml | 92 + .../data_stream/detection/fields/fields.yml | 405 ++++ .../data_stream/detection/manifest.yml | 57 + .../data_stream/detection/sample_event.json | 305 +++ .../trend_micro_vision_one/docs/README.md | 965 ++++++++++ ...-vision-one-alert-dashboard-screenshot.png | Bin 0 -> 47472 bytes ...nd-micro-vision-one-api-token-generate.png | Bin 0 -> 21111 bytes .../img/trend-micro-vision-one-console.png | Bin 0 -> 25056 bytes .../img/trend-micro-vision-one-logo.svg | 389 ++++ ...-02296130-0c1b-11ed-8d26-77f06c571b89.json | 418 ++++ ...-795c2840-0cda-11ed-ac7d-35d42be2de47.json | 1713 +++++++++++++++++ ...-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json | 748 +++++++ ...-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json | 42 + packages/trend_micro_vision_one/manifest.yml | 78 + 52 files changed, 9629 insertions(+) create mode 100644 packages/trend_micro_vision_one/_dev/build/build.yml create mode 100644 packages/trend_micro_vision_one/_dev/build/docs/README.md create mode 100644 packages/trend_micro_vision_one/_dev/deploy/docker/docker-compose.yml create mode 100644 packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml create mode 100644 packages/trend_micro_vision_one/changelog.yml create mode 100644 packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml create mode 100644 packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log create mode 100644 packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json create mode 100644 packages/trend_micro_vision_one/data_stream/alert/_dev/test/system/test-default-config.yml create mode 100644 packages/trend_micro_vision_one/data_stream/alert/agent/stream/ httpjson.yml.hbs create mode 100644 packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml create mode 100644 packages/trend_micro_vision_one/data_stream/alert/fields/agent.yml create 
mode 100644 packages/trend_micro_vision_one/data_stream/alert/fields/base-fields.yml create mode 100644 packages/trend_micro_vision_one/data_stream/alert/fields/ecs.yml create mode 100644 packages/trend_micro_vision_one/data_stream/alert/fields/fields.yml create mode 100644 packages/trend_micro_vision_one/data_stream/alert/manifest.yml create mode 100644 packages/trend_micro_vision_one/data_stream/alert/sample_event.json create mode 100644 packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-common-config.yml create mode 100644 packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log create mode 100644 packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log-expected.json create mode 100644 packages/trend_micro_vision_one/data_stream/audit/_dev/test/system/test-default-config.yml create mode 100644 packages/trend_micro_vision_one/data_stream/audit/agent/stream/ httpjson.yml.hbs create mode 100644 packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml create mode 100644 packages/trend_micro_vision_one/data_stream/audit/fields/agent.yml create mode 100644 packages/trend_micro_vision_one/data_stream/audit/fields/base-fields.yml create mode 100644 packages/trend_micro_vision_one/data_stream/audit/fields/ecs.yml create mode 100644 packages/trend_micro_vision_one/data_stream/audit/fields/fields.yml create mode 100644 packages/trend_micro_vision_one/data_stream/audit/manifest.yml create mode 100644 packages/trend_micro_vision_one/data_stream/audit/sample_event.json create mode 100644 packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-common-config.yml create mode 100644 packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log create mode 100644 packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log-expected.json create mode 
100644 packages/trend_micro_vision_one/data_stream/detection/_dev/test/system/test-default-config.yml create mode 100644 packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs create mode 100644 packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml create mode 100644 packages/trend_micro_vision_one/data_stream/detection/fields/agent.yml create mode 100644 packages/trend_micro_vision_one/data_stream/detection/fields/base-fields.yml create mode 100644 packages/trend_micro_vision_one/data_stream/detection/fields/ecs.yml create mode 100644 packages/trend_micro_vision_one/data_stream/detection/fields/fields.yml create mode 100644 packages/trend_micro_vision_one/data_stream/detection/manifest.yml create mode 100644 packages/trend_micro_vision_one/data_stream/detection/sample_event.json create mode 100644 packages/trend_micro_vision_one/docs/README.md create mode 100644 packages/trend_micro_vision_one/img/trend-micro-vision-one-alert-dashboard-screenshot.png create mode 100644 packages/trend_micro_vision_one/img/trend-micro-vision-one-api-token-generate.png create mode 100644 packages/trend_micro_vision_one/img/trend-micro-vision-one-console.png create mode 100644 packages/trend_micro_vision_one/img/trend-micro-vision-one-logo.svg create mode 100644 packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json create mode 100644 packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json create mode 100644 packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json create mode 100644 packages/trend_micro_vision_one/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json create mode 100644 packages/trend_micro_vision_one/manifest.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index ea772efe4bc..b568977c389 100644 
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -168,6 +168,7 @@
 /packages/ti_threatq @elastic/security-external-integrations
 /packages/tomcat @elastic/security-external-integrations
 /packages/traefik @elastic/obs-service-integrations
+/packages/trend_micro_vision_one @elastic/security-external-integrations
 /packages/udp @elastic/security-external-integrations
 /packages/vsphere @elastic/obs-service-integrations
 /packages/websphere_application_server @elastic/obs-service-integrations
diff --git a/packages/trend_micro_vision_one/_dev/build/build.yml b/packages/trend_micro_vision_one/_dev/build/build.yml
new file mode 100644
index 00000000000..2254d90483c
--- /dev/null
+++ b/packages/trend_micro_vision_one/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@v8.4.0-rc1
diff --git a/packages/trend_micro_vision_one/_dev/build/docs/README.md b/packages/trend_micro_vision_one/_dev/build/docs/README.md
new file mode 100644
index 00000000000..07963a90bbd
--- /dev/null
+++ b/packages/trend_micro_vision_one/_dev/build/docs/README.md
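Review bot: `reference: git@v8.4.0-rc1` in build.yml pins the ECS field definitions to a release-candidate tag, while the expected pipeline output in this same patch stamps events with `ecs.version` `8.4.0`; the generated field definitions and the version the pipeline reports should come from the same ECS release. Once the 8.4.0 GA tag exists the line should read `reference: git@v8.4.0` and the fields be regenerated; until then a short YAML comment above it stating why an RC tag is used would help the next maintainer. Pre-release tags may also be dropped upstream, which would break `elastic-package build` for anyone rebuilding this package later.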
@@ -0,0 +1,68 @@
+# Trend Micro Vision One
+
+## Overview
+
+The [Trend Micro Vision One](https://www.trendmicro.com/en_in/business/products/detection-response.html) integration allows you to monitor Alert, Audit, and Detection activity. Trend Micro Vision One refers to the ability to do detection and response across email, endpoints, servers, cloud workloads, and networks via a single Trend Micro Vision One platform or the managed Trend Micro Vision One service.
+
+Use the Trend Micro Vision One integration to collects and parses data from the REST APIs. Then visualize that data in Kibana.
+
+## Data streams
+
+The Trend Micro Vision One integration collects three types of data streams: Alert, Audit, and Detection.
+
+**Alert** Displays information about workbench alerts. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/~1v3.0~1workbench~1alerts/get).
+
+**Audit** Displays log entries that match the specified search criteria. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Audit-Logs).
+
+**Detection** Displays search results from the Detection Data source. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1detections/get).
+
+## Requirements
+
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your hardware.
+
+This module has been tested against `Trend Micro Vision One API version 3.0`.
+
+**Note:** The authentication token generated by a user expires one year after being generated.
+
+## Setup
+
+### To collect data from Trend Micro Vision One APIs, the user must have API Token. To create an API token follow the below steps:
+
+1. Log on to the Trend Micro Vision One console.
+2. Go to **Administration -> User Accounts**.
+![Trend Micro Vision One console](../img/trend-micro-vision-one-console.png)
+3. Click on the account name having appropriate API access permission to generate an API token.
+![Trend Micro Vision One generate API token ](../img/trend-micro-vision-one-api-token-generate.png)
+4. Copy the Authentication token.
+
+## Logs Reference
+
+### alert
+
+This is the `alert` dataset.
+
+#### Example
+
+{{event "alert"}}
+
+{{fields "alert"}}
+
+### audit
+
+This is the `audit` dataset.
+
+#### Example
+
+{{event "audit"}}
+
+{{fields "audit"}}
+
+### detection
+
+This is the `detection` dataset.
+
+#### Example
+
+{{event "detection"}}
+
+{{fields "detection"}}
diff --git a/packages/trend_micro_vision_one/_dev/deploy/docker/docker-compose.yml b/packages/trend_micro_vision_one/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..e9cc8f5a37a
--- /dev/null
+++ b/packages/trend_micro_vision_one/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,15 @@
+version: '2.3'
+services:
+  trend_micro_vision_one:
+    image: docker.elastic.co/observability/stream:v0.7.0
+    hostname: trend_micro_vision_one
+    ports:
+      - 8080
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: '8080'
+    command:
+      - http-server
+      - --addr=:8080
+      - --config=/files/config.yml
diff --git a/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml b/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml
new file mode 100644
index 00000000000..6570e38b9e2
--- /dev/null
+++ b/packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml
@@ -0,0 +1,19 @@
+rules:
+  - path: /v3.0/workbench/alerts
+    methods: ['GET']
+    responses:
+      - status_code: 200
+        body: |
+          {"totalCount":100,"count":10,"items":[{"schemaVersion":"1.0","id":"WB-9002-20200427-0002","investigationStatus":"New","workbenchLink":"https://THE_WORKBENCH_URL","alertProvider":"SAE","model":"Possible APT Attack","score":63,"severity":"critical","impactScope":{"desktopCount":0,"serverCount":0,"accountCount":0,"emailAddressCount":0,"entities":[{"entityType":"host","entityValue":"user@email.com","entityId":"5257b401-2fd7-469c-94fa-39a4f11eb925","relatedEntities":["CODERED\\\\user"],"relatedIndicatorIds":[1],"provenance":["Alert"]}]},"createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2030-04-30T00:01:16Z","description":"A backdoor was possibly implanted after a user received a possible spear phishing email message.","indicators":[{"id":1,"type":"url","field":"request url","value":"http://www.example.com/ab001.zip","relatedEntities":["user@example.com"],"provenance":["Alert"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]}],"matchedRules":[{"id":"5f52d1f1-53e7-411a-b74f-745ee81fa30b","name":"Possible SpearPhishing Email","matchedFilters":[{"id":"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e","name":"(T1192) Spearphishing Link","matchedDateTime":"2019-08-02T04:00:01Z","mitreTechniqueIds":["T1192"],"matchedEvents":[{"uuid":"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5","matchedDateTime":"2019-08-02T04:00:01Z","type":"TELEMETRY_REGISTRY"}]}]}]}],"nextLink":"https://api.xdr.trendmicro.com/v3.0/workbench/alerts?skipToken=MTA=&orderBy=score%20desc"}
+  - path: /v3.0/audit/logs
+    methods: ['GET']
+    responses:
+      - status_code: 200
+        body: |
+          {"items":[{"loggedDateTime":"2022-02-24T07:29:48Z","loggedUser":"Root Account","loggedRole":"Master Administrator","accessType":"Console","category":"Logon and Logoff","activity":"string","result":"Unsuccessful","details":{"property1":"string","property2":"string"}}],"nextLink":"https://api.xdr.trendmicro.com/v3.0/audit/logs?skipToken=","labels":{"property1":"string","property2":"string"}}
+  - path: /v3.0/search/detections
+    methods: ['GET']
+    responses:
+      - status_code: 200
+        body: |
+          {"nextLink":"https://api.xdr.trendmicro.com/v3.0/endpointActivities?...&skipToken=ewogICJvdXRlcl9zbGl...","progressRate":30,"items":[{"act":"Clean","actResult":"Quarantined successfully","app":"HTTP","appGroup":"HTTP","aptRelated":"0","behaviorCat":"Grey-Detection","blocking":"Web reputation","cat":50,"cccaDetection":"Yes","cccaDetectionSource":"GLOBAL_INTELLIGENCE","cccaRiskLevel":3,"clientFlag":"dst","cnt":"1","component":["PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00"],"compressedFileSize":"0","detectionType":"File","deviceDirection":"outbound","deviceGUID":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","deviceProcessName":"/snap/core/10126/usr/lib/snapd/snapd","deviceMacAddress":"00-00-5E-00-53-23","dhost":"samplehost","domainName":"Workgroup","dpt":53,"dst":["81.2.69.142"],"dstGroup":"Default","end":"2021-09-30T09:40:04-08:00","endpointGUID":"1234-1234-1234","endpointHostName":"abc-docker","endpointIp":["81.2.69.142"],"endpointMacAddress":"00-00-5E-00-53-23","engType":"Virus Scan Engine (OS 2003, x64)","engVer":"12.500.1004","eventId":"100117","eventName":"INTEGRITY_MONITORING_EVENT","eventSubName":"Attack Discovery","eventTime":1602724592000,"eventTimeDT":"2021-06-10T01:38:38+00:00","fileHash":"3395856ce81f2b7382dee72602f798b642f14140","fileName":["Unconfirmed 145081.crdownload"],"fileOperation":"Deleted","filePath":"/etc/systemd/system","filePathName":"/etc/systemd/system/snap-xxxx-1246.xxxx","fileSize":"0","firstAct":"Clean","firstActResult":"Unable to clean file","fullPath":"C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 145081.crdownload","hostName":"samplehost","httpReferer":"http://www.example.com/","interestedHost":"abc-docker","interestedIp":["81.2.69.192"],"interestedMacAddress":"00-00-5E-00-53-23","malName":"Eicar_test_1","malType":"Virus/Malware","mDevice":["81.2.69.192"],"mDeviceGUID":"C5B09EDD-C725-907F-29D9-B8C30D18C48F","mitreMapping":["T1090 (TA0005)"],"mitreVersion":"v6","mpname":"Cloud One - Workload Security","mpver":"Deep Security/20.0.222","objectCmd":["C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe --profile-directory=Default"],"objectFileHashMd5":"761AEFF7E6B110970285B9C20C9E1DCA","objectFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","objectFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","objectFileName":"Unconfirmed 142899.crdownload:SmartScreen","objectFilePath":"C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 142899.crdownload:SmartScreen","objectName":"CloudEndpointService.exe","objectPid":7660,"objectSigner":["OS"],"parentCmd":"C:\\\\os\\\\system32\\\\svchost.exe -k DcomLaunch -p","parentFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","parentFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","parentFilePath":"C:\\\\os\\\\System32\\\\svchost.exe","peerHost":"samplehost","peerIp":["81.2.69.192"],"pname":"Apex One","processCmd":"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca","processFileHashMd5":"761AEFF7E6B110970285B9C20C9E1DCA","processFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","processFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","processFilePath":"C:\\\\Program Files (x86)\\\\os\\\\Application\\\\msedge.exe","processName":"string","processPid":0,"processSigner":"OS Publisher","productCode":"sao","pver":"20.0.0.877","request":"https://example.com","requestClientApplication":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1","rt":"2020-10-15T01:16:32.000Z","rt_utc":"2020-10-15T01:16:32.000Z","searchDL":"DDL","spt":58871,"src":"81.2.69.192","srcGroup":"Default","tacticId":["TA0005"],"tags":["XSAE.F2140","XSAE.F3066"],"threatName":"Malicious_identified_CnC_querying_on_UDP_detected","uuid":"1234-1234-1234"}]}
diff --git a/packages/trend_micro_vision_one/changelog.yml b/packages/trend_micro_vision_one/changelog.yml
new file mode 100644
index 00000000000..ecc6089249c
--- /dev/null
+++ b/packages/trend_micro_vision_one/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: '0.1.0'
+  changes:
+    - description: Initial Release.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link
diff --git a/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..be41bb0d476
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,4 @@
+fields:
+  tags:
+    - preserve_original_event
+    - preserve_duplicate_custom_fields
diff --git a/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log
new file mode 100644
index 00000000000..18719bf581c
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log
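Review bot: Every mock response in config.yml carries a `nextLink` pointing at the real `https://api.xdr.trendmicro.com` host (the audit one with an empty `skipToken=`), so if the agent stream templates paginate by following `nextLink`, the system test would leave the stream mock after the first page or keep requesting the same page; the templates are not in this view, so this needs confirming against them. Returning a link to the mock itself or an empty value, e.g. `"nextLink":""` in the audit body, keeps the system test self-contained and offline. Separately, the diffstat lists the alert and audit stream templates as `agent/stream/ httpjson.yml.hbs` with a leading space in the file name, unlike the detection one; that looks accidental and is worth checking before the system tests that rely on this mock are run.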
@@ -0,0 +1,4 @@
+{"schemaVersion":"1.0","id":"WB-9002-20200427-0002","investigationStatus":"In Progress","workbenchLink":"https://THE_WORKBENCH_URL","alertProvider":"SAE","model":"Possible APT Attack","description":"Suspicious email followed by a possible backdoor implantation","score":63,"severity":"critical","createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2030-04-30T00:01:16Z","impactScope":{"desktopCount":10,"serverCount":0,"accountCount":1,"emailAddressCount":0,"entities":[{"entityType":"emailAddress","entityValue":"loki@jaguartm.onmicrosoft.com","entityId":"loki@jaguartm.onmicrosoft.com","relatedEntities":["CODERED\\\\loki"],"relatedIndicatorIds":[1]}]},"indicators":[{"id":1,"type":"url","field":"url","value":"http://www.DVftYKDtEi.com/ds7002.zip","relatedEntities":["loki@jaguartm.onmicrosoft.com"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]},{"id":2,"type":"url","field":"url","value":"http://www.DVftYKDtEi.com/ds7555.zip","relatedEntities":["loki@jaguartm.onmicrosoft.com"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]}],"matchedRules":[{"id":"5f52d1f1-53e7-411a-b74f-745ee81fa30b","name":"Possible SpearPhishing Email","matchedFilters":[{"id":"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e","name":"(T1192) Spearphishing Link","matchedDateTime":"2019-08-02T04:00:01Z","mitreTechniqueIds":["T1192"],"matchedEvents":[{"uuid":"123abc-123abc-123abc","matchedDateTime":"2019-08-02T04:00:01Z"}]}]}]}
+{"schemaVersion":"1.1","id":"WB-9002-20200427-0002","investigationStatus":"In Progress","workbenchLink":"https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002","alertProvider":"TI","model":"Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole","campaign":"Soula","industry":null,"regionAndCountry":"eastern-asia/Korea (the Republic of)","createdBy":"Trend Micro Research","totalIndicatorCount":6,"matchedIndicatorCount":2,"reportLink":"https://THE_WORKBENCH_URL","score":63,"severity":"critical","createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2030-04-30T00:01:16Z","impactScope":{"desktopCount":10,"serverCount":0,"accountCount":1,"emailAddressCount":0,"entities":[{"entityType":"host","entityValue":{"name":"CODERED\\\\bonus-PC","ips":["89.160.20.128","89.160.20.112"],"guid":"5257b401-2fd7-469c-94fa-39a4f11eb925"},"entityId":"5257b401-2fd7-469c-94fa-39a4f11eb925","relatedEntities":["4257b401-2fd7-469c-94fa-39a4f11eb925"],"relatedIndicatorIds":[1]}]},"indicators":[{"id":1,"type":"url","fields":[["objectField-ip","objectField-ip"]],"value":"http://www.DVftYKDtEi.com/ds7002.zip","relatedEntities":["5257b401-2fd7-469c-94fa-39a4f11eb925","5257b401-2fd7-469c-94fa-39a4f11eb925"],"matchedIndicatorPatternIds":["74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d"],"firstSeenDateTimes":["2020-04-30T00:01:15Z","2020-04-30T00:01:15Z"],"lastSeenDateTimes":["2019-06-14T18:25:55Z","2019-06-14T18:25:55Z"]}],"matchedIndicatorPatterns":[{"id":"74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d","pattern":"[network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'oauth20.xyz']","tags":["STIX2.malicious-activity"],"matchedLogs":["Lengthy log string"]}]}
+{"schemaVersion":"1.11","id":"WB-123-123-00001","investigationStatus":"New","workbenchLink":"https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002","alertProvider":"SAE","model":"Credential Dumping via Mimikatz","score":64,"severity":"high","createdDateTime":"2022-07-08T07:16:08Z","updatedDateTime":"2022-07-15T12:46:13Z","impactScope":{"desktopCount":1,"serverCount":0,"accountCount":1,"emailAddressCount":0,"entities":[{"entityType":"account","entityValue":"desktop-example\\dummy","entityId":"desktop-example\\dummy","relatedEntities":["ABC-123-ABC-123-ABC-123"],"relatedIndicatorIds":[]},{"entityType":"host","entityValue":{"guid":"ABC-123-123-ABC","name":"desktop-EXAMPLE","ips":["81.2.69.192"]},"entityId":"ABC-123-123-ABC","relatedEntities":["desktop-example\\dummy"],"relatedIndicatorIds":[1,2,3,4,5,6,7,8,9,10,11,12]}]},"description":"A user obtained account logon information that can be used to access remote systems via Mimikatz.","matchedRules":[{"id":"123123-456456-789789","name":"Potential Credential Dumping via Mimikatz","matchedFilters":[{"id":"123-456-789","name":"Possible Credential Dumping via Mimikatz","matchedDateTime":"2022-07-08T07:06:35.113Z","mitreTechniqueIds":["V9.T1123.001","V9.T1124.002","V9.T1125"],"matchedEvents":[{"uuid":"123-456-789","matchedDateTime":"2022-07-08T07:06:35.113Z"},{"uuid":"abcd-abcd-abcd","matchedDateTime":"2022-07-08T07:14:06.159Z"}]},{"id":"abcd-abcd-1234-1234","name":"Possible Credential Dumping via Mimikatz","matchedDateTime":"2022-07-08T07:14:06.159Z","mitreTechniqueIds":["V9.T1123.001","V9.T1124.002","V9.T1125"],"matchedEvents":[{"uuid":"1234-1234-1234","matchedDateTime":"2022-07-08T07:06:35.113Z"},{"uuid":"abcd-abcd-abcd","matchedDateTime":"2022-07-08T07:14:06.159Z"}]}]}],"indicators":[{"id":1,"type":"command_line","field":"objectCmd","value":"\"example\" ","relatedEntities":["ABC-ABC-123-123"],"filterIds":["ABC-ABC-123-123"]},{"id":2,"type":"command_line","field":"processCmd","value":"example","relatedEntities":["ABC-ABC-ABC"],"filterIds":["abc-abc-abc-123-123"]},{"id":3,"type":"command_line","field":"objectCmd","value":"\"example","relatedEntities":["ABC-ABC-ABC"],"filterIds":["abcd-abcd-abcd"]},{"id":4,"type":"command_line","field":"processCmd","value":"example","relatedEntities":["ABCD-ABCD-ABCD"],"filterIds":["abcd-123-abcd-123"]},{"id":5,"type":"file_sha1","field":"objectFileHashSha1","value":"H1E2L3L4O5","relatedEntities":["ABCDE1ABCDE2"],"filterIds":["abcd-1234-abcd-1234"]},{"id":6,"type":"file_sha1","field":"objectFileHashSha1","value":"H1E2L3L4O5","relatedEntities":["ABCDE-12345-ABCDE-12345"],"filterIds":["abcd-1234-abcd-1234"]},{"id":7,"type":"fullpath","field":"objectFilePath","value":"example","relatedEntities":["ABCDE-12345-ABCDE-12345"],"filterIds":["abcde-12345-abcde-12345"]},{"id":8,"type":"fullpath","field":"processFilePath","value":"example","relatedEntities":["ABCDE-12345-ABCDE-12345"],"filterIds":["abcde-1234-abcde-1234"]},{"id":9,"type":"fullpath","field":"objectFilePath","value":"example","relatedEntities":["ABCDE-12345-ABCDE-12345"],"filterIds":["abcd-1234-abcd-1234"]},{"id":10,"type":"fullpath","field":"processFilePath","value":"example","relatedEntities":["ABCDE-1234-ABCDE-1234"],"filterIds":["abcde-1234-abcd-1234"]}]}
+{"schemaVersion":"1.0","id":"WB-9002-20200427-0002","investigationStatus":"New","workbenchLink":"https://THE_WORKBENCH_URL","alertProvider":"SAE","model":"Possible APT Attack","score":63,"severity":"critical","impactScope":{"desktopCount":0,"serverCount":0,"accountCount":0,"emailAddressCount":0,"entities":[{"entityType":"host","entityValue":"loki@jaguartm.onmicrosoft.com","entityId":"5257b401-2fd7-469c-94fa-39a4f11eb925","relatedEntities":["CODERED\\\\loki"],"relatedIndicatorIds":[1],"provenance":["Alert"]}]},"createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2030-04-30T00:01:16Z","description":"A backdoor was possibly implanted after a user received a possible spear phishing email message.","indicators":[{"id":1,"type":"url","field":"request url","value":"http://www.DVftYKDtEi.com/ds7002.zip","relatedEntities":["loki@jaguartm.onmicrosoft.com"],"provenance":["Alert"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]}],"matchedRules":[{"id":"5f52d1f1-53e7-411a-b74f-745ee81fa30b","name":"Possible SpearPhishing Email","matchedFilters":[{"id":"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e","name":"(T1192) Spearphishing Link","matchedDateTime":"2019-08-02T04:00:01Z","mitreTechniqueIds":["T1192"],"matchedEvents":[{"uuid":"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5","matchedDateTime":"2019-08-02T04:00:01Z","type":"TELEMETRY_REGISTRY"}]}]}]}
diff --git a/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json
new file mode 100644
index 00000000000..dc09cd74fb9
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log-expected.json
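Review bot: The fixture records in test-pipeline-alert.log carry values that look like real identities rather than documentation placeholders: `loki@jaguartm.onmicrosoft.com` (a tenant-style mailbox in records 1 and 4), `portal-int.visionone.trendmicro.com` (an internal-looking portal host in records 2 and 3) and the `http://www.DVftYKDtEi.com/ds7002.zip` indicator URLs. Pipeline test fixtures ship with the package and are rendered into the public sample event, so these should use reserved example values the way the stream mock in `_dev/deploy/docker/files/config.yml` already does (`user@example.com`, `www.example.com`), e.g. `"entityValue":"user@example.com"` and `"value":"http://www.example.com/ds7002.zip"`. The expected-output file in this same patch embeds the identical strings in `event.original` and the parsed fields, so it has to be regenerated after the fixture is changed.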
@@ -0,0 +1,612 @@ +{ + "expected": [ + { + "@timestamp": "2030-04-30T00:01:16.000Z", + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "email" + ], + "id": "WB-9002-20200427-0002", + "kind": "alert", + "original": "{\"schemaVersion\":\"1.0\",\"id\":\"WB-9002-20200427-0002\",\"investigationStatus\":\"In Progress\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\",\"alertProvider\":\"SAE\",\"model\":\"Possible APT Attack\",\"description\":\"Suspicious email followed by a possible backdoor implantation\",\"score\":63,\"severity\":\"critical\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"impactScope\":{\"desktopCount\":10,\"serverCount\":0,\"accountCount\":1,\"emailAddressCount\":0,\"entities\":[{\"entityType\":\"emailAddress\",\"entityValue\":\"loki@jaguartm.onmicrosoft.com\",\"entityId\":\"loki@jaguartm.onmicrosoft.com\",\"relatedEntities\":[\"CODERED\\\\\\\\loki\"],\"relatedIndicatorIds\":[1]}]},\"indicators\":[{\"id\":1,\"type\":\"url\",\"field\":\"url\",\"value\":\"http://www.DVftYKDtEi.com/ds7002.zip\",\"relatedEntities\":[\"loki@jaguartm.onmicrosoft.com\"],\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"]},{\"id\":2,\"type\":\"url\",\"field\":\"url\",\"value\":\"http://www.DVftYKDtEi.com/ds7555.zip\",\"relatedEntities\":[\"loki@jaguartm.onmicrosoft.com\"],\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"]}],\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"name\":\"Possible SpearPhishing Email\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"name\":\"(T1192) Spearphishing Link\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"mitreTechniqueIds\":[\"T1192\"],\"matchedEvents\":[{\"uuid\":\"123abc-123abc-123abc\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\"}]}]}]}", + "severity": 63, + "type": [ + "info" + ] + }, + "log": { + "level": "critical" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + 
"trend_micro_vision_one": { + "alert": { + "alert_provider": "SAE", + "created_date": "2020-04-30T00:01:15.000Z", + "description": "Suspicious email followed by a possible backdoor implantation", + "id": "WB-9002-20200427-0002", + "impact_scope": { + "account_count": 1, + "desktop_count": 10, + "email_address_count": 0, + "entities": [ + { + "id": "loki@jaguartm.onmicrosoft.com", + "related_entities": [ + "CODERED\\\\loki" + ], + "related_indicator_id": [ + 1 + ], + "type": "emailAddress", + "value": { + "account_value": "loki@jaguartm.onmicrosoft.com" + } + } + ], + "server_count": 0 + }, + "indicators": [ + { + "field": "url", + "filter_id": [ + "f862df72-7f5e-4b2b-9f7f-9148e875f908" + ], + "id": 1, + "related_entities": [ + "loki@jaguartm.onmicrosoft.com" + ], + "type": "url", + "value": "http://www.DVftYKDtEi.com/ds7002.zip" + }, + { + "field": "url", + "filter_id": [ + "f862df72-7f5e-4b2b-9f7f-9148e875f908" + ], + "id": 2, + "related_entities": [ + "loki@jaguartm.onmicrosoft.com" + ], + "type": "url", + "value": "http://www.DVftYKDtEi.com/ds7555.zip" + } + ], + "investigation_status": "In Progress", + "matched_rule": [ + { + "filter": [ + { + "date": "2019-08-02T04:00:01.000Z", + "events": [ + { + "date": "2019-08-02T04:00:01.000Z", + "uuid": "123abc-123abc-123abc" + } + ], + "id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e", + "mitre_technique_id": [ + "T1192" + ], + "name": "(T1192) Spearphishing Link" + } + ], + "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b", + "name": "Possible SpearPhishing Email" + } + ], + "model": "Possible APT Attack", + "schema_version": "1.0", + "score": 63, + "severity": "critical", + "workbench_link": "https://THE_WORKBENCH_URL" + } + }, + "url": { + "original": "https://THE_WORKBENCH_URL", + "scheme": "https" + } + }, + { + "@timestamp": "2030-04-30T00:01:16.000Z", + "ecs": { + "version": "8.4.0" + }, + "event": { + "id": "WB-9002-20200427-0002", + "kind": "alert", + "original": 
"{\"schemaVersion\":\"1.1\",\"id\":\"WB-9002-20200427-0002\",\"investigationStatus\":\"In Progress\",\"workbenchLink\":\"https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002\",\"alertProvider\":\"TI\",\"model\":\"Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole\",\"campaign\":\"Soula\",\"industry\":null,\"regionAndCountry\":\"eastern-asia/Korea (the Republic of)\",\"createdBy\":\"Trend Micro Research\",\"totalIndicatorCount\":6,\"matchedIndicatorCount\":2,\"reportLink\":\"https://THE_WORKBENCH_URL\",\"score\":63,\"severity\":\"critical\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"impactScope\":{\"desktopCount\":10,\"serverCount\":0,\"accountCount\":1,\"emailAddressCount\":0,\"entities\":[{\"entityType\":\"host\",\"entityValue\":{\"name\":\"CODERED\\\\\\\\bonus-PC\",\"ips\":[\"89.160.20.128\",\"89.160.20.112\"],\"guid\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\"},\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"relatedEntities\":[\"4257b401-2fd7-469c-94fa-39a4f11eb925\"],\"relatedIndicatorIds\":[1]}]},\"indicators\":[{\"id\":1,\"type\":\"url\",\"fields\":[[\"objectField-ip\",\"objectField-ip\"]],\"value\":\"http://www.DVftYKDtEi.com/ds7002.zip\",\"relatedEntities\":[\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"5257b401-2fd7-469c-94fa-39a4f11eb925\"],\"matchedIndicatorPatternIds\":[\"74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d\"],\"firstSeenDateTimes\":[\"2020-04-30T00:01:15Z\",\"2020-04-30T00:01:15Z\"],\"lastSeenDateTimes\":[\"2019-06-14T18:25:55Z\",\"2019-06-14T18:25:55Z\"]}],\"matchedIndicatorPatterns\":[{\"id\":\"74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d\",\"pattern\":\"[network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'oauth20.xyz']\",\"tags\":[\"STIX2.malicious-activity\"],\"matchedLogs\":[\"Lengthy log string\"]}]}", + "severity": 63 + }, + "log": { + "level": "critical" + }, + "related": { 
+ "ip": [ + "89.160.20.128", + "89.160.20.112" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "alert": { + "alert_provider": "TI", + "campaign": "Soula", + "created_by": "Trend Micro Research", + "created_date": "2020-04-30T00:01:15.000Z", + "id": "WB-9002-20200427-0002", + "impact_scope": { + "account_count": 1, + "desktop_count": 10, + "email_address_count": 0, + "entities": [ + { + "id": "5257b401-2fd7-469c-94fa-39a4f11eb925", + "related_entities": [ + "4257b401-2fd7-469c-94fa-39a4f11eb925" + ], + "related_indicator_id": [ + 1 + ], + "type": "host", + "value": { + "guid": "5257b401-2fd7-469c-94fa-39a4f11eb925", + "ips": [ + "89.160.20.128", + "89.160.20.112" + ], + "name": "CODERED\\\\bonus-PC" + } + } + ], + "server_count": 0 + }, + "indicators": [ + { + "fields": [ + [ + "objectField-ip", + "objectField-ip" + ] + ], + "first_seen_date": [ + "2020-04-30T00:01:15.000Z", + "2020-04-30T00:01:15.000Z" + ], + "id": 1, + "last_seen_date": [ + "2019-06-14T18:25:55.000Z", + "2019-06-14T18:25:55.000Z" + ], + "matched_indicator": { + "pattern_id": [ + "74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d" + ] + }, + "related_entities": [ + "5257b401-2fd7-469c-94fa-39a4f11eb925", + "5257b401-2fd7-469c-94fa-39a4f11eb925" + ], + "type": "url", + "value": "http://www.DVftYKDtEi.com/ds7002.zip" + } + ], + "investigation_status": "In Progress", + "matched_indicator_count": 2, + "matched_indicators_pattern": [ + { + "id": "74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d", + "matched_log": [ + "Lengthy log string" + ], + "pattern": "[network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'oauth20.xyz']", + "tags": [ + "STIX2.malicious-activity" + ] + } + ], + "model": "Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole", + "region_and_country": "eastern-asia/Korea (the Republic of)", + "report_link": "https://THE_WORKBENCH_URL", + "schema_version": 
"1.1", + "score": 63, + "severity": "critical", + "total_indicator_count": 6, + "workbench_link": "https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002" + } + }, + "url": { + "domain": "portal-int.visionone.trendmicro.com", + "extension": "html", + "fragment": "/workbench?workbenchId=WB-9002-20200427-0002", + "original": "https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002", + "path": "/index.html", + "scheme": "https" + } + }, + { + "@timestamp": "2022-07-15T12:46:13.000Z", + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "host", + "authentication" + ], + "id": "WB-123-123-00001", + "kind": "alert", + "original": "{\"schemaVersion\":\"1.11\",\"id\":\"WB-123-123-00001\",\"investigationStatus\":\"New\",\"workbenchLink\":\"https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002\",\"alertProvider\":\"SAE\",\"model\":\"Credential Dumping via Mimikatz\",\"score\":64,\"severity\":\"high\",\"createdDateTime\":\"2022-07-08T07:16:08Z\",\"updatedDateTime\":\"2022-07-15T12:46:13Z\",\"impactScope\":{\"desktopCount\":1,\"serverCount\":0,\"accountCount\":1,\"emailAddressCount\":0,\"entities\":[{\"entityType\":\"account\",\"entityValue\":\"desktop-example\\\\dummy\",\"entityId\":\"desktop-example\\\\dummy\",\"relatedEntities\":[\"ABC-123-ABC-123-ABC-123\"],\"relatedIndicatorIds\":[]},{\"entityType\":\"host\",\"entityValue\":{\"guid\":\"ABC-123-123-ABC\",\"name\":\"desktop-EXAMPLE\",\"ips\":[\"81.2.69.192\"]},\"entityId\":\"ABC-123-123-ABC\",\"relatedEntities\":[\"desktop-example\\\\dummy\"],\"relatedIndicatorIds\":[1,2,3,4,5,6,7,8,9,10,11,12]}]},\"description\":\"A user obtained account logon information that can be used to access remote systems via Mimikatz.\",\"matchedRules\":[{\"id\":\"123123-456456-789789\",\"name\":\"Potential Credential Dumping via 
Mimikatz\",\"matchedFilters\":[{\"id\":\"123-456-789\",\"name\":\"Possible Credential Dumping via Mimikatz\",\"matchedDateTime\":\"2022-07-08T07:06:35.113Z\",\"mitreTechniqueIds\":[\"V9.T1123.001\",\"V9.T1124.002\",\"V9.T1125\"],\"matchedEvents\":[{\"uuid\":\"123-456-789\",\"matchedDateTime\":\"2022-07-08T07:06:35.113Z\"},{\"uuid\":\"abcd-abcd-abcd\",\"matchedDateTime\":\"2022-07-08T07:14:06.159Z\"}]},{\"id\":\"abcd-abcd-1234-1234\",\"name\":\"Possible Credential Dumping via Mimikatz\",\"matchedDateTime\":\"2022-07-08T07:14:06.159Z\",\"mitreTechniqueIds\":[\"V9.T1123.001\",\"V9.T1124.002\",\"V9.T1125\"],\"matchedEvents\":[{\"uuid\":\"1234-1234-1234\",\"matchedDateTime\":\"2022-07-08T07:06:35.113Z\"},{\"uuid\":\"abcd-abcd-abcd\",\"matchedDateTime\":\"2022-07-08T07:14:06.159Z\"}]}]}],\"indicators\":[{\"id\":1,\"type\":\"command_line\",\"field\":\"objectCmd\",\"value\":\"\\\"example\\\" \",\"relatedEntities\":[\"ABC-ABC-123-123\"],\"filterIds\":[\"ABC-ABC-123-123\"]},{\"id\":2,\"type\":\"command_line\",\"field\":\"processCmd\",\"value\":\"example\",\"relatedEntities\":[\"ABC-ABC-ABC\"],\"filterIds\":[\"abc-abc-abc-123-123\"]},{\"id\":3,\"type\":\"command_line\",\"field\":\"objectCmd\",\"value\":\"\\\"example\",\"relatedEntities\":[\"ABC-ABC-ABC\"],\"filterIds\":[\"abcd-abcd-abcd\"]},{\"id\":4,\"type\":\"command_line\",\"field\":\"processCmd\",\"value\":\"example\",\"relatedEntities\":[\"ABCD-ABCD-ABCD\"],\"filterIds\":[\"abcd-123-abcd-123\"]},{\"id\":5,\"type\":\"file_sha1\",\"field\":\"objectFileHashSha1\",\"value\":\"H1E2L3L4O5\",\"relatedEntities\":[\"ABCDE1ABCDE2\"],\"filterIds\":[\"abcd-1234-abcd-1234\"]},{\"id\":6,\"type\":\"file_sha1\",\"field\":\"objectFileHashSha1\",\"value\":\"H1E2L3L4O5\",\"relatedEntities\":[\"ABCDE-12345-ABCDE-12345\"],\"filterIds\":[\"abcd-1234-abcd-1234\"]},{\"id\":7,\"type\":\"fullpath\",\"field\":\"objectFilePath\",\"value\":\"example\",\"relatedEntities\":[\"ABCDE-12345-ABCDE-12345\"],\"filterIds\":[\"abcde-12345-abcde-12345\"]},{\"id
\":8,\"type\":\"fullpath\",\"field\":\"processFilePath\",\"value\":\"example\",\"relatedEntities\":[\"ABCDE-12345-ABCDE-12345\"],\"filterIds\":[\"abcde-1234-abcde-1234\"]},{\"id\":9,\"type\":\"fullpath\",\"field\":\"objectFilePath\",\"value\":\"example\",\"relatedEntities\":[\"ABCDE-12345-ABCDE-12345\"],\"filterIds\":[\"abcd-1234-abcd-1234\"]},{\"id\":10,\"type\":\"fullpath\",\"field\":\"processFilePath\",\"value\":\"example\",\"relatedEntities\":[\"ABCDE-1234-ABCDE-1234\"],\"filterIds\":[\"abcde-1234-abcd-1234\"]}]}", + "severity": 64, + "type": [ + "info" + ] + }, + "log": { + "level": "high" + }, + "related": { + "ip": [ + "81.2.69.192" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "alert": { + "alert_provider": "SAE", + "created_date": "2022-07-08T07:16:08.000Z", + "description": "A user obtained account logon information that can be used to access remote systems via Mimikatz.", + "id": "WB-123-123-00001", + "impact_scope": { + "account_count": 1, + "desktop_count": 1, + "email_address_count": 0, + "entities": [ + { + "id": "desktop-example\\dummy", + "related_entities": [ + "ABC-123-ABC-123-ABC-123" + ], + "type": "account", + "value": { + "account_value": "desktop-example\\dummy" + } + }, + { + "id": "ABC-123-123-ABC", + "related_entities": [ + "desktop-example\\dummy" + ], + "related_indicator_id": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12 + ], + "type": "host", + "value": { + "guid": "ABC-123-123-ABC", + "ips": [ + "81.2.69.192" + ], + "name": "desktop-EXAMPLE" + } + } + ], + "server_count": 0 + }, + "indicators": [ + { + "field": "objectCmd", + "filter_id": [ + "ABC-ABC-123-123" + ], + "id": 1, + "related_entities": [ + "ABC-ABC-123-123" + ], + "type": "command_line", + "value": "\"example\" " + }, + { + "field": "processCmd", + "filter_id": [ + "abc-abc-abc-123-123" + ], + "id": 2, + "related_entities": [ + "ABC-ABC-ABC" + ], + "type": "command_line", + 
"value": "example" + }, + { + "field": "objectCmd", + "filter_id": [ + "abcd-abcd-abcd" + ], + "id": 3, + "related_entities": [ + "ABC-ABC-ABC" + ], + "type": "command_line", + "value": "\"example" + }, + { + "field": "processCmd", + "filter_id": [ + "abcd-123-abcd-123" + ], + "id": 4, + "related_entities": [ + "ABCD-ABCD-ABCD" + ], + "type": "command_line", + "value": "example" + }, + { + "field": "objectFileHashSha1", + "filter_id": [ + "abcd-1234-abcd-1234" + ], + "id": 5, + "related_entities": [ + "ABCDE1ABCDE2" + ], + "type": "file_sha1", + "value": "H1E2L3L4O5" + }, + { + "field": "objectFileHashSha1", + "filter_id": [ + "abcd-1234-abcd-1234" + ], + "id": 6, + "related_entities": [ + "ABCDE-12345-ABCDE-12345" + ], + "type": "file_sha1", + "value": "H1E2L3L4O5" + }, + { + "field": "objectFilePath", + "filter_id": [ + "abcde-12345-abcde-12345" + ], + "id": 7, + "related_entities": [ + "ABCDE-12345-ABCDE-12345" + ], + "type": "fullpath", + "value": "example" + }, + { + "field": "processFilePath", + "filter_id": [ + "abcde-1234-abcde-1234" + ], + "id": 8, + "related_entities": [ + "ABCDE-12345-ABCDE-12345" + ], + "type": "fullpath", + "value": "example" + }, + { + "field": "objectFilePath", + "filter_id": [ + "abcd-1234-abcd-1234" + ], + "id": 9, + "related_entities": [ + "ABCDE-12345-ABCDE-12345" + ], + "type": "fullpath", + "value": "example" + }, + { + "field": "processFilePath", + "filter_id": [ + "abcde-1234-abcd-1234" + ], + "id": 10, + "related_entities": [ + "ABCDE-1234-ABCDE-1234" + ], + "type": "fullpath", + "value": "example" + } + ], + "investigation_status": "New", + "matched_rule": [ + { + "filter": [ + { + "date": "2022-07-08T07:06:35.113Z", + "events": [ + { + "date": "2022-07-08T07:06:35.113Z", + "uuid": "123-456-789" + }, + { + "date": "2022-07-08T07:14:06.159Z", + "uuid": "abcd-abcd-abcd" + } + ], + "id": "123-456-789", + "mitre_technique_id": [ + "V9.T1123.001", + "V9.T1124.002", + "V9.T1125" + ], + "name": "Possible Credential Dumping via 
Mimikatz" + }, + { + "date": "2022-07-08T07:14:06.159Z", + "events": [ + { + "date": "2022-07-08T07:06:35.113Z", + "uuid": "1234-1234-1234" + }, + { + "date": "2022-07-08T07:14:06.159Z", + "uuid": "abcd-abcd-abcd" + } + ], + "id": "abcd-abcd-1234-1234", + "mitre_technique_id": [ + "V9.T1123.001", + "V9.T1124.002", + "V9.T1125" + ], + "name": "Possible Credential Dumping via Mimikatz" + } + ], + "id": "123123-456456-789789", + "name": "Potential Credential Dumping via Mimikatz" + } + ], + "model": "Credential Dumping via Mimikatz", + "schema_version": "1.11", + "score": 64, + "severity": "high", + "workbench_link": "https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002" + } + }, + "url": { + "domain": "portal-int.visionone.trendmicro.com", + "extension": "html", + "fragment": "/workbench?workbenchId=WB-9002-20200427-0002", + "original": "https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002", + "path": "/index.html", + "scheme": "https" + } + }, + { + "@timestamp": "2030-04-30T00:01:16.000Z", + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "email" + ], + "id": "WB-9002-20200427-0002", + "kind": "alert", + "original": "{\"schemaVersion\":\"1.0\",\"id\":\"WB-9002-20200427-0002\",\"investigationStatus\":\"New\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\",\"alertProvider\":\"SAE\",\"model\":\"Possible APT Attack\",\"score\":63,\"severity\":\"critical\",\"impactScope\":{\"desktopCount\":0,\"serverCount\":0,\"accountCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityType\":\"host\",\"entityValue\":\"loki@jaguartm.onmicrosoft.com\",\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"relatedEntities\":[\"CODERED\\\\\\\\loki\"],\"relatedIndicatorIds\":[1],\"provenance\":[\"Alert\"]}]},\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"description\":\"A backdoor was possibly implanted after a user received a 
possible spear phishing email message.\",\"indicators\":[{\"id\":1,\"type\":\"url\",\"field\":\"request url\",\"value\":\"http://www.DVftYKDtEi.com/ds7002.zip\",\"relatedEntities\":[\"loki@jaguartm.onmicrosoft.com\"],\"provenance\":[\"Alert\"],\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"]}],\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"name\":\"Possible SpearPhishing Email\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"name\":\"(T1192) Spearphishing Link\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"mitreTechniqueIds\":[\"T1192\"],\"matchedEvents\":[{\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\"}]}]}]}", + "severity": 63, + "type": [ + "info" + ] + }, + "log": { + "level": "critical" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "alert": { + "alert_provider": "SAE", + "created_date": "2020-04-30T00:01:15.000Z", + "description": "A backdoor was possibly implanted after a user received a possible spear phishing email message.", + "id": "WB-9002-20200427-0002", + "impact_scope": { + "account_count": 0, + "desktop_count": 0, + "email_address_count": 0, + "entities": [ + { + "id": "5257b401-2fd7-469c-94fa-39a4f11eb925", + "provenance": [ + "Alert" + ], + "related_entities": [ + "CODERED\\\\loki" + ], + "related_indicator_id": [ + 1 + ], + "type": "host", + "value": { + "account_value": "loki@jaguartm.onmicrosoft.com" + } + } + ], + "server_count": 0 + }, + "indicators": [ + { + "field": "request url", + "filter_id": [ + "f862df72-7f5e-4b2b-9f7f-9148e875f908" + ], + "id": 1, + "provenance": [ + "Alert" + ], + "related_entities": [ + "loki@jaguartm.onmicrosoft.com" + ], + "type": "url", + "value": "http://www.DVftYKDtEi.com/ds7002.zip" + } + ], + "investigation_status": "New", + "matched_rule": [ + { + "filter": [ + { + "date": "2019-08-02T04:00:01.000Z", + 
"events": [ + { + "date": "2019-08-02T04:00:01.000Z", + "type": "TELEMETRY_REGISTRY", + "uuid": "fa9ff47c-e1b8-459e-a3d0-a5b104b854a5" + } + ], + "id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e", + "mitre_technique_id": [ + "T1192" + ], + "name": "(T1192) Spearphishing Link" + } + ], + "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b", + "name": "Possible SpearPhishing Email" + } + ], + "model": "Possible APT Attack", + "schema_version": "1.0", + "score": 63, + "severity": "critical", + "workbench_link": "https://THE_WORKBENCH_URL" + } + }, + "url": { + "original": "https://THE_WORKBENCH_URL", + "scheme": "https" + } + } + ] +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/data_stream/alert/_dev/test/system/test-default-config.yml b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..c6104a7bd86 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/_dev/test/system/test-default-config.yml @@ -0,0 +1,9 @@ +input: httpjson +service: trend_micro_vision_one +vars: + hostname: http://{{Hostname}}:{{Port}} + api_token: xxxx +data_stream: + vars: + preserve_original_event: true + preserve_duplicate_custom_fields: true diff --git a/packages/trend_micro_vision_one/data_stream/alert/agent/stream/ httpjson.yml.hbs b/packages/trend_micro_vision_one/data_stream/alert/agent/stream/ httpjson.yml.hbs new file mode 100644 index 00000000000..2e3d045596d --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/agent/stream/ httpjson.yml.hbs 
@@ -0,0 +1,54 @@
+config_version: 2
+interval: {{interval}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: GET
+request.url: {{hostname}}/v3.0/workbench/alerts
+request.transforms:
+ - set:
+ target: header.Authorization
+ value: 'Bearer {{api_token}}'
+ - set:
+ target: url.params.startDateTime
+ value: '[[formatDate (parseDate .cursor.last_update_at)]]'
+ default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
+ - set:
+ target: url.params.endDateTime
+ value: '[[formatDate (now)]]'
+ - set:
+ target: url.params.orderBy
+ value: 'updatedDateTime asc'
+ - set:
+ target: url.params.dateTimeTarget
+ value: 'createdDateTime'
+response.pagination:
+ - set:
+ target: url.value
+ value: '[[if index .last_response.body "nextLink"]][[replaceAll " " "%20" .last_response.body.nextLink]][[else]][[.last_response.terminate_pagination]][[end]]'
+ fail_on_template_error: true
+cursor:
+ last_update_at:
+ value: '[[.last_response.url.params.Get "endDateTime"]]'
+response.split:
+ target: body.items
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..0163fb0e600
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
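Review bot: The stream template added by this hunk lives at a path with a leading space, `agent/stream/ httpjson.yml.hbs` (see the `+++` header immediately before the hunk); unless the data stream manifest's `template_path` deliberately names the file with that space, the agent will not locate the template, so it should be renamed to `httpjson.yml.hbs`. A second point: `request.transforms` attaches `Bearer {{api_token}}` to every request, and `response.pagination` sets `url.value` to the server-supplied `nextLink` verbatim, so the token is also sent to whatever host that link names; either document that `nextLink` is trusted to stay on `{{hostname}}` or guard against a cross-host link, e.g. with a comment such as `# nextLink is followed as returned by the API; the Authorization transform is re-applied to it`. Finally, `url.params.dateTimeTarget` is `createdDateTime` while `orderBy` is `updatedDateTime asc`: if the API windows on the target field, alerts whose status changes after their creation window has passed are not re-fetched, which may be intentional but should be stated in the stream description.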
@@ -0,0 +1,563 @@
+---
+description: Pipeline for processing Trend Micro Vision One Alert logs.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.4.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - set:
+ field: event.kind
+ value: alert
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - script:
+ description: Set the value of event.category and event.type.
+ lang: painless
+ source: >
+ def eventCategory = new HashSet();
+ def eventType = new HashSet();
+ if(ctx.json?.description != null && ctx.json?.description != ''){
+ def description = ctx.json.description.toLowerCase();
+ if(description.contains('logon')){
+ eventCategory.add('authentication');
+ eventCategory.add('host');
+ eventType.add('info');
+ }
+ else if(description.contains('email')){
+ eventCategory.add('email');
+ eventType.add('info');
+ }
+ else if(description.contains('network')){
+ eventCategory.add('network');
+ eventType.add('info');
+ }
+ else{
+ eventCategory.add('malware');
+ eventType.add('info');
+ }
+ }
+ if(!eventCategory.isEmpty()){
+ ctx.event.category = eventCategory;
+ }
+ if(!eventType.isEmpty()){
+ ctx.event.type = eventType;
+ }
+ - fingerprint:
+ fields:
+ - json.updatedDateTime
+ - json.createdDateTime
+ - json.id
+ target_field: _id
+ ignore_missing: true
+ - date:
+ field: json.updatedDateTime
+ if: ctx.json?.updatedDateTime != null && ctx.json?.updatedDateTime != ''
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.id
+ target_field: trend_micro_vision_one.alert.id
+ ignore_missing: true
+ - set:
+ field: event.id
+ copy_from: trend_micro_vision_one.alert.id
+ ignore_failure: true
+ - convert:
+ field: json.score
+ target_field: trend_micro_vision_one.alert.score
+ if: ctx.json?.score != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.severity
+ copy_from: trend_micro_vision_one.alert.score
+ ignore_failure: true
+ - rename:
+ field: json.severity
+ target_field: trend_micro_vision_one.alert.severity
+ ignore_missing: true
+ - set:
+ field: log.level
+ copy_from: trend_micro_vision_one.alert.severity
+ ignore_failure: true
+ - lowercase:
+ field: log.level
+ ignore_missing: true
+ - rename:
+ field: json.schemaVersion
+ target_field: trend_micro_vision_one.alert.schema_version
+ ignore_missing: true
+ - rename:
+ field: json.investigationStatus
+ target_field: trend_micro_vision_one.alert.investigation_status
+ ignore_missing: true
+ - rename:
+ field: json.workbenchLink
+ target_field: trend_micro_vision_one.alert.workbench_link
+ ignore_missing: true
+ - uri_parts:
+ field: trend_micro_vision_one.alert.workbench_link
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.alertProvider
+ target_field: trend_micro_vision_one.alert.alert_provider
+ ignore_missing: true
+ - rename:
+ field: json.model
+ target_field: trend_micro_vision_one.alert.model
+ ignore_missing: true
+ - convert:
+ field: json.impactScope.desktopCount
+ target_field: trend_micro_vision_one.alert.impact_scope.desktop_count
+ if: ctx.json?.impactScope?.desktopCount != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.impactScope.serverCount
+ target_field: trend_micro_vision_one.alert.impact_scope.server_count
+ if: ctx.json?.impactScope?.serverCount != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.impactScope.accountCount
+ target_field: trend_micro_vision_one.alert.impact_scope.account_count
+ if: ctx.json?.impactScope?.accountCount != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.impactScope.emailAddressCount
+ target_field: trend_micro_vision_one.alert.impact_scope.email_address_count
+ if: ctx.json?.impactScope?.emailAddressCount != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.impactScope.entities
+ processor:
+ foreach:
+ field: _ingest._value.entityValue.ips
+ processor:
+ append:
+ field: related.ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ description: Mapped value object field of impactScope.
+ lang: painless
+ source:
+ def impactscope_entities = ctx.json.impactScope.entities;
+
+ for (entitiy_object in impactscope_entities){
+ if(!(entitiy_object.entityValue instanceof HashMap))
+ {
+ def entityValue = entitiy_object.entityValue;
+ entitiy_object.value = new HashMap();
+ entitiy_object.value.account_value = entityValue;
+ entitiy_object.remove("entityValue");
+ }
+ }
+ - foreach:
+ field: json.impactScope.entities
+ processor:
+ rename:
+ field: _ingest._value.entityValue
+ target_field: _ingest._value.value
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.impactScope.entities
+ processor:
+ convert:
+ field: _ingest._value.entityValue.ips
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.impactScope.entities
+ processor:
+ rename:
+ field: _ingest._value.entityType
+ target_field: _ingest._value.type
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.impactScope.entities
+ processor:
+ rename:
+ field: _ingest._value.entityId
+ target_field: _ingest._value.id
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.impactScope.entities
+ processor:
+ rename:
+ field: _ingest._value.relatedEntities
+ target_field: _ingest._value.related_entities
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.impactScope.entities
+ processor:
+ convert:
+ field: _ingest._value.relatedIndicatorIds
+ target_field: _ingest._value.related_indicator_id
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.impactScope.entities
+ processor:
+ remove:
+ field: _ingest._value.relatedIndicatorIds
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.impactScope.entities
+ target_field: trend_micro_vision_one.alert.impact_scope.entities
+ ignore_missing: true
+ - date:
+ field: json.createdDateTime
+ target_field: trend_micro_vision_one.alert.created_date
+ if: ctx.json?.createdDateTime != null && ctx.json?.createdDateTime != ''
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.description
+ target_field: trend_micro_vision_one.alert.description
+ ignore_missing: true
+ - foreach:
+ field: json.indicators
+ processor:
+ rename:
+ field: _ingest._value.relatedEntities
+ target_field: _ingest._value.related_entities
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.indicators
+ processor:
+ rename:
+ field: _ingest._value.matchedIndicatorPatternIds
+ target_field: _ingest._value.matched_indicator.pattern_id
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.indicators
+ processor:
+ foreach:
+ field: _ingest._value.firstSeenDateTimes
+ processor:
+ date:
+ field: _ingest._value
+ target_field: _ingest._value
+ formats:
+ - ISO8601
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.indicators
+ processor:
+ rename:
+ field: _ingest._value.firstSeenDateTimes
+ target_field: _ingest._value.first_seen_date
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.indicators
+ processor:
+ rename:
+ field: _ingest._value.filterIds
+ target_field: _ingest._value.filter_id
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.indicators
+ processor:
+ foreach:
+ field: _ingest._value.lastSeenDateTimes
+ processor:
+ date:
+ field: _ingest._value
+ target_field: _ingest._value
+ formats:
+ - ISO8601
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.indicators
+ processor:
+ rename:
+ field: _ingest._value.lastSeenDateTimes
+ target_field: _ingest._value.last_seen_date
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.indicators
+ target_field: trend_micro_vision_one.alert.indicators
+ ignore_missing: true
+ - foreach:
+ field: json.matchedIndicatorPatterns
+ processor:
+ rename:
+ field: _ingest._value.matchedLogs
+ target_field: _ingest._value.matched_log
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.matchedIndicatorPatterns
+ target_field: trend_micro_vision_one.alert.matched_indicators_pattern
+ ignore_missing: true
+ - foreach:
+ field: json.matchedRules
+ processor:
+ foreach:
+ field: _ingest._value.matchedFilters
+ processor:
+ date:
+ field: _ingest._value.matchedDateTime
+ target_field: _ingest._value.date
+ formats:
+ - ISO8601
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.matchedRules
+ processor:
+ foreach:
+ field: _ingest._value.matchedFilters
+ processor:
+ remove:
+ field: _ingest._value.matchedDateTime
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.matchedRules
+ processor:
+ foreach:
+ field: _ingest._value.matchedFilters
+ processor:
+ rename:
+ field: _ingest._value.mitreTechniqueIds
+ target_field: _ingest._value.mitre_technique_id
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.matchedRules
+ processor:
+ foreach:
+ field: _ingest._value.matchedFilters
+ processor:
+ foreach:
+ field: _ingest._value.matchedEvents
+ processor:
+ date:
+ field: _ingest._value.matchedDateTime
+ target_field: _ingest._value.date
+ formats:
+ - ISO8601
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.matchedRules
+ processor:
+ foreach:
+ field: _ingest._value.matchedFilters
+ processor:
+ foreach:
+ field: _ingest._value.matchedEvents
+ processor:
+ remove:
+ field: _ingest._value.matchedDateTime
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.matchedRules
+ processor:
+ foreach:
+ field: _ingest._value.matchedFilters
+ processor:
+ rename:
+ field: _ingest._value.matchedEvents
+ target_field: _ingest._value.events
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: json.matchedRules
+ processor:
+ rename:
+ field: _ingest._value.matchedFilters
+ target_field: _ingest._value.filter
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.matchedRules
+ target_field: trend_micro_vision_one.alert.matched_rule
+ ignore_missing: true
+ - rename:
+ field: json.campaign
+ target_field: trend_micro_vision_one.alert.campaign
+ ignore_missing: true
+ - rename:
+ field: json.industry
+ target_field: trend_micro_vision_one.alert.industry
+ ignore_missing: true
+ - rename:
+ field: json.regionAndCountry
+ target_field: trend_micro_vision_one.alert.region_and_country
+ ignore_missing: true
+ - rename:
+ field: json.createdBy
+ target_field: trend_micro_vision_one.alert.created_by
+ ignore_missing: true
+ - convert:
+ field: json.totalIndicatorCount
+ target_field: trend_micro_vision_one.alert.total_indicator_count
+ if: ctx.json?.totalIndicatorCount != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.matchedIndicatorCount
+ target_field: trend_micro_vision_one.alert.matched_indicator_count
+ if: ctx.json?.matchedIndicatorCount != ''
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.reportLink
+ target_field: trend_micro_vision_one.alert.report_link
+ ignore_missing: true
+ - remove:
+ field: json
+ ignore_missing: true
+ - remove:
+ field:
+ - trend_micro_vision_one.alert.id
+ - trend_micro_vision_one.alert.score
+ - trend_micro_vision_one.alert.severity
+ if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: +- append: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/trend_micro_vision_one/data_stream/alert/fields/agent.yml b/packages/trend_micro_vision_one/data_stream/alert/fields/agent.yml new file mode 100644 index 00000000000..e313ec82874 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/fields/agent.yml 
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/trend_micro_vision_one/data_stream/alert/fields/base-fields.yml b/packages/trend_micro_vision_one/data_stream/alert/fields/base-fields.yml
new file mode 100644
index 00000000000..75af598bf0a
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/alert/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: trend_micro_vision_one.alert
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: trend_micro_vision_one
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/trend_micro_vision_one/data_stream/alert/fields/ecs.yml b/packages/trend_micro_vision_one/data_stream/alert/fields/ecs.yml
new file mode 100644
index 00000000000..f4275f1ecc4
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/alert/fields/ecs.yml
@@ -0,0 +1,34 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.id
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.severity
+- external: ecs
+ name: event.type
+- external: ecs
+ name: log.level
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: tags
+- external: ecs
+ name: url.domain
+- external: ecs
+ name: url.extension
+- external: ecs
+ name: url.fragment
+- external: ecs
+ name: url.original
+- external: ecs
+ name: url.path
+- external: ecs
+ name: url.scheme
diff --git a/packages/trend_micro_vision_one/data_stream/alert/fields/fields.yml b/packages/trend_micro_vision_one/data_stream/alert/fields/fields.yml
new file mode 100644
index 00000000000..114d9dc0e32
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/alert/fields/fields.yml
@@ -0,0 +1,183 @@ +- name: trend_micro_vision_one.alert + type: group + fields: + - name: alert_provider + type: keyword + description: Alert provider. + - name: campaign + type: keyword + description: An object-ref to a campaign object. + - name: created_by + type: keyword + description: Created by. + - name: created_date + type: date + description: Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) that indicates the created date time of the alert. + - name: description + type: keyword + description: Description of the detection model that triggered the alert. + - name: id + type: keyword + description: Workbench ID. + - name: impact_scope + type: group + fields: + - name: account_count + type: long + description: Count of affected account. + - name: desktop_count + type: long + description: Count of affected desktop. + - name: email_address_count + type: long + description: Count of affected email address. + - name: entities + type: group + fields: + - name: value + type: group + fields: + - name: account_value + type: keyword + description: Account or emailAddress. + - name: guid + type: keyword + description: GUID. + - name: id + type: keyword + description: Impact scope entity id. + - name: ips + type: ip + description: Set of IPs. + - name: name + type: keyword + description: Host name. + - name: type + type: keyword + description: Impact scope entity type. + - name: related_entities + type: keyword + description: Related entities. + - name: related_indicator_id + type: long + description: Related indicator ids. + - name: server_count + type: long + description: Count of affected server. + - name: indicators + type: group + fields: + - name: field + type: keyword + description: Detailed description of the indicator. + - name: filter_id + type: keyword + description: Related matched filter ids. + - name: first_seen_date + type: date + description: First seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). 
+ - name: id + type: keyword + description: Indicator ID. + - name: last_seen_date + type: date + description: Last seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). + - name: matched_indicator + type: group + fields: + - name: pattern_id + type: keyword + description: Matched indicator pattern ids. + - name: provenance + type: keyword + description: Provenance. + - name: related_entities + type: keyword + description: Related entities. + - name: type + type: keyword + description: Indicator type. + - name: value + type: keyword + description: Indicator value. + - name: industry + type: keyword + description: Industry. + - name: investigation_status + type: keyword + description: Workbench alert status. + - name: matched_indicator_count + type: long + description: Matched indicator pattern count. + - name: matched_indicators_pattern + type: group + fields: + - name: id + type: keyword + description: Pattern ID. + - name: matched_log + type: keyword + description: Pattern matched log. + - name: pattern + type: keyword + description: STIX indicator will be a pattern. + - name: tags + type: keyword + description: Tags defined by STIX. + - name: matched_rule + type: group + fields: + - name: filter + type: group + fields: + - name: date + type: date + description: Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). + - name: events + type: group + fields: + - name: date + type: date + description: Matched event date. + - name: event_uuid + type: keyword + description: Matched event uuid. + - name: id + type: keyword + description: Matched filter id. + - name: mitre_technique_id + type: keyword + description: Mitre technique id. + - name: name + type: keyword + description: Filter name. + - name: id + type: keyword + description: The rules are triggered. + - name: name + type: keyword + description: Matched rule name. 
+ - name: model + type: keyword + description: Name of the detection model that triggered the alert. + - name: region_and_country + type: keyword + description: region/country. + - name: report_link + type: keyword + description: A refrerence url which links to the report details analysis. For TrendMico research report, the link would link to trend blog. + - name: schema_version + type: keyword + description: The version of the JSON schema, not the version of alert trigger content. + - name: score + type: long + description: Overall severity assigned to the alert based on the severity of the matched detection model and the impact scope. + - name: severity + type: keyword + description: Workbench alert severity. + - name: total_indicator_count + type: long + description: Total indicator pattern count. + - name: workbench_link + type: keyword + description: Workbench URL. diff --git a/packages/trend_micro_vision_one/data_stream/alert/manifest.yml b/packages/trend_micro_vision_one/data_stream/alert/manifest.yml new file mode 100644 index 00000000000..e6afb172c11 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/alert/manifest.yml 
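Review bot: `matched_rule.filter.events` declares `event_uuid`, but the alert the pipeline actually produces keeps the key `uuid` inside each `events` item (the sample event in this patch shows `"uuid": "fa9ff47c-..."` there), and the visible part of the alert pipeline only renames `matchedEvents` to `events` without touching its members, so that value is left unmapped by this file. Either declare it here as `- name: uuid` / `type: keyword` / `description: Matched event uuid.`, or add a `rename` of `_ingest._value.uuid` to `_ingest._value.event_uuid` inside the `matchedEvents` foreach in the alert pipeline and regenerate the sample event. Two description typos in the same hunk: `refrerence url` should read `reference URL` and `TrendMico` should read `Trend Micro`.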
@@ -0,0 +1,57 @@
+title: Collect Alert logs from Trend Micro Vision One.
+type: logs
+streams:
+ - input: httpjson
+ title: Alert logs
+ description: Collect alert logs from Trend Micro Vision One.
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the alert from Trend Micro Vision One.
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the Trend Micro Vision One API.
+ default: 5m
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - trend_micro_vision_one_alert
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: true
+ title: Preserve duplicate custom fields
+ description: Preserve trend_micro_vision_one.alert fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/trend_micro_vision_one/data_stream/alert/sample_event.json b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json
new file mode 100644
index 00000000000..6f8a6a15479
--- /dev/null
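Review bot: `initial_interval` and `interval` are free-form `text` vars whose descriptions do not say what syntax is accepted; the audit stream template in this patch feeds `initial_interval` straight into `parseDuration`, and the alert template presumably does the same, so a value such as `1d` or `24 hours` is only rejected at runtime by the agent. Suggest `description: How far back to pull alerts from Trend Micro Vision One, as a duration string such as 24h or 30m.` and `description: Duration between requests to the Trend Micro Vision One API, for example 5m.` so the policy editor shows the expected form next to the default.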
+++ b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json 
@@ -0,0 +1,133 @@ +{ + "@timestamp": "2030-04-30T00:01:16.000Z", + "agent": { + "ephemeral_id": "2c4b19a6-8652-4d61-8fb4-b6e544c17d09", + "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.0" + }, + "data_stream": { + "dataset": "trend_micro_vision_one.alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "snapshot": true, + "version": "8.4.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "email" + ], + "created": "2022-08-05T08:53:29.385Z", + "dataset": "trend_micro_vision_one.alert", + "id": "WB-9002-20200427-0002", + "ingested": "2022-08-05T08:53:35Z", + "kind": "alert", + "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request 
url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", + "severity": 63, + "type": [ + "info" + ] + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "critical" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "trend_micro_vision_one_alert" + ], + "trend_micro_vision_one": { + "alert": { + "alert_provider": "SAE", + "created_date": "2020-04-30T00:01:15.000Z", + "description": "A backdoor was possibly implanted after a user received a possible spear phishing email message.", + "id": "WB-9002-20200427-0002", + "impact_scope": { + "account_count": 0, + "desktop_count": 0, + "email_address_count": 0, + "entities": [ + { + "id": "5257b401-2fd7-469c-94fa-39a4f11eb925", + "provenance": [ + "Alert" + ], + "related_entities": [ + "CODERED\\\\user" + ], + "related_indicator_id": [ + 1 + ], + "type": "host", + "value": { + "account_value": "user@email.com" + } + } + ], + "server_count": 0 + }, + "indicators": [ + { + "field": "request url", + "filter_id": [ + "f862df72-7f5e-4b2b-9f7f-9148e875f908" + ], + "id": 1, + "provenance": [ + "Alert" + ], + "related_entities": [ + "user@example.com" + ], + 
"type": "url", + "value": "http://www.example.com/ab001.zip" + } + ], + "investigation_status": "New", + "matched_rule": [ + { + "filter": [ + { + "date": "2019-08-02T04:00:01.000Z", + "events": [ + { + "date": "2019-08-02T04:00:01.000Z", + "type": "TELEMETRY_REGISTRY", + "uuid": "fa9ff47c-e1b8-459e-a3d0-a5b104b854a5" + } + ], + "id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e", + "mitre_technique_id": [ + "T1192" + ], + "name": "(T1192) Spearphishing Link" + } + ], + "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b", + "name": "Possible SpearPhishing Email" + } + ], + "model": "Possible APT Attack", + "schema_version": "1.0", + "score": 63, + "severity": "critical", + "workbench_link": "https://THE_WORKBENCH_URL" + } + }, + "url": { + "original": "https://THE_WORKBENCH_URL", + "scheme": "https" + } +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-common-config.yml b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..be41bb0d476 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,4 @@ +fields: + tags: + - preserve_original_event + - preserve_duplicate_custom_fields diff --git a/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log new file mode 100644 index 00000000000..94c45e77f44 --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log 
@@ -0,0 +1,2 @@
+{"loggedDateTime":"2022-02-24T07:29:48Z","loggedUser":"Root Account","loggedRole":"Master Administrator","accessType":"Console","category":"Logon and Logoff","activity":"string","result":"Unsuccessful","details":{"property1":"string","property2":"string"}}
+{"loggedDateTime":"2022-07-16 04:30:04","loggedUser":"Root Account","loggedRole":"Master Administrator","category":"Product Connector","activity":"Unregister product","accessType":"API","result":"Successful","details":{"product":"pdd"}}
diff --git a/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log-expected.json b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log-expected.json
new file mode 100644
index 00000000000..5285eb342c4
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/pipeline/test-pipeline-audit.log-expected.json
@@ -0,0 +1,95 @@ +{ + "expected": [ + { + "@timestamp": "2022-02-24T07:29:48.000Z", + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "original": "{\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedUser\":\"Root Account\",\"loggedRole\":\"Master Administrator\",\"accessType\":\"Console\",\"category\":\"Logon and Logoff\",\"activity\":\"string\",\"result\":\"Unsuccessful\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"}}", + "outcome": "failure", + "type": [ + "info" + ] + }, + "related": { + "user": [ + "Root Account" + ] + }, + "source": { + "user": { + "name": "Root Account", + "roles": "Master Administrator" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "audit": { + "access_type": "Console", + "activity": "string", + "category": "Logon and Logoff", + "details": { + "property1": "string", + "property2": "string" + }, + "logged_role": "Master Administrator", + "logged_user": "Root Account", + "result": "Unsuccessful" + } + } + }, + { + "@timestamp": "2022-07-16T04:30:04.000Z", + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "authentication" + ], + "kind": "event", + "original": "{\"loggedDateTime\":\"2022-07-16 04:30:04\",\"loggedUser\":\"Root Account\",\"loggedRole\":\"Master Administrator\",\"category\":\"Product Connector\",\"activity\":\"Unregister product\",\"accessType\":\"API\",\"result\":\"Successful\",\"details\":{\"product\":\"pdd\"}}", + "outcome": "success", + "type": [ + "info" + ] + }, + "related": { + "user": [ + "Root Account" + ] + }, + "source": { + "user": { + "name": "Root Account", + "roles": "Master Administrator" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "audit": { + "access_type": "API", + "activity": "Unregister product", + "category": "Product Connector", + "details": { + "product": 
"pdd"
+ },
+ "logged_role": "Master Administrator",
+ "logged_user": "Root Account",
+ "result": "Successful"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/trend_micro_vision_one/data_stream/audit/_dev/test/system/test-default-config.yml b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..c6104a7bd86
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/audit/_dev/test/system/test-default-config.yml
@@ -0,0 +1,9 @@
+input: httpjson
+service: trend_micro_vision_one
+vars:
+ hostname: http://{{Hostname}}:{{Port}}
+ api_token: xxxx
+data_stream:
+ vars:
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
diff --git a/packages/trend_micro_vision_one/data_stream/audit/agent/stream/ httpjson.yml.hbs b/packages/trend_micro_vision_one/data_stream/audit/agent/stream/ httpjson.yml.hbs
new file mode 100644
index 00000000000..ea5d7b361ef
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/audit/agent/stream/ httpjson.yml.hbs
@@ -0,0 +1,57 @@
+config_version: 2
+interval: {{interval}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: GET
+request.url: {{hostname}}/v3.0/audit/logs
+request.transforms:
+ - set:
+ target: header.Authorization
+ value: 'Bearer {{api_token}}'
+ - set:
+ target: url.params.top
+ value: '200'
+ - set:
+ target: url.params.startDateTime
+ value: '[[formatDate (parseDate .cursor.last_update_at)]]'
+ default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
+ - set:
+ target: url.params.endDateTime
+ value: '[[formatDate (now)]]'
+ - set:
+ target: url.params.orderBy
+ value: 'loggedDateTime asc'
+ - set:
+ target: url.params.labels
+ value: 'all'
+response.pagination:
+ - set:
+ target: url.value
+ value: '[[if index .last_response.body "nextLink"]][[replaceAll " " "%20" .last_response.body.nextLink]][[else]][[.last_response.terminate_pagination]][[end]]'
+ fail_on_template_error: true
+cursor:
+ last_update_at:
+ value: '[[.last_response.url.params.Get "endDateTime"]]'
+response.split:
+ target: body.items
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..524ae7e49bb
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
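Review bot: this template is added at `data_stream/audit/agent/stream/ httpjson.yml.hbs`, with a leading space in the file name (visible in the `diff --git` and `+++` headers just above this hunk), while stream manifests reference it as `template_path: httpjson.yml.hbs` (the alert manifest in this patch does, and the audit manifest presumably matches), so the package build will not find the template; rename the file to `httpjson.yml.hbs` and check the other data streams' `agent/stream` directories for the same slip. Separately, `response.pagination` takes `nextLink` from the response body and uses it verbatim as the next request URL, and as far as I can tell `request.transforms` also run for pagination requests, so the `Authorization: Bearer` header follows whatever host that link names; if the API is only expected to return links on `{{hostname}}`, a one-line comment stating that assumption next to the pagination block (`# nextLink is trusted to stay on {{hostname}}; re-check if the API ever returns absolute links`) would make the trust boundary explicit for the next maintainer.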
@@ -0,0 +1,172 @@
+---
+description: Pipeline for processing Trend Micro Vision One Audit logs.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.4.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - set:
+ field: event.kind
+ value: event
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - script:
+ description: Set the value of event.category and event.type.
+ lang: painless
+ source: >
+ def eventCategory = new HashSet();
+ def eventType = new HashSet();
+ if(ctx.json?.category != null && ctx.json?.category != ''){
+ def category = ctx.json.category.toLowerCase();
+ def activity = ctx.json.activity.toLowerCase();
+ if(category == 'logon and logoff' || category == 'saml single sign-on') {
+ eventCategory.add('authentication');
+ if(activity == 'log on' || activity == 'enable single sign-on'){
+ eventType.add('start');
+ }
+ if(activity == 'log off' || activity == 'disable single sign-on'){
+ eventType.add('end');
+ }
+ else{
+ eventType.add('info');
+ }
+ }
+ if(category == 'account management' || category == 'product connector' || category == 'Notifications' || category == 'detection model management' || category == 'workbench' || category == 'response management' || category == 'search' || category == 'managed xdr' || category == 'third-party integration' || category == 'service gateway inventory' || category == 'endpoint inventory' || category == 'endpoint security policies' || category == 'zero trust secure access' || category == 'sandbox analysis' || category == 'oat' || category == 'security playbooks'){
+ eventCategory.add('authentication');
+ eventType.add('info');
+ }
+ if(category == 'network inventory'){
+ eventCategory.add('network');
+ eventType.add('info');
+ }
+ if(category == 'threat intelligence'){
+ eventCategory.add('threat');
+ eventType.add('indicator');
+ }
+ if(activity.contains('email')){
+ eventCategory.add('email');
+ }
+ if(activity.contains('file')){
+ eventCategory.add('file');
+ }
+ if(activity.contains('threat')){
+ eventCategory.add('threat');
+ }
+ }
+ if(!eventCategory.isEmpty()){
+ ctx.event.category = eventCategory;
+ }
+ if(!eventType.isEmpty()){
+ ctx.event.type = eventType;
+ }
+ - fingerprint:
+ fields:
+ - json.loggedDateTime
+ - json.loggedUser
+ - json.loggedRole
+ - json.category
+ - json.activity
+ - json.details
+ target_field: _id
+ ignore_missing: true
+ - date:
+ field: json.loggedDateTime
+ if: ctx.json?.loggedDateTime != null && ctx.json?.loggedDateTime != ''
+ formats:
+ - ISO8601
+ - yyyy-MM-dd HH:mm:ss
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.loggedUser
+ target_field: trend_micro_vision_one.audit.logged_user
+ ignore_missing: true
+ - set:
+ field: source.user.name
+ copy_from: trend_micro_vision_one.audit.logged_user
+ ignore_failure: true
+ - rename:
+ field: json.loggedRole
+ target_field: trend_micro_vision_one.audit.logged_role
+ ignore_missing: true
+ - set:
+ field: source.user.roles
+ copy_from: trend_micro_vision_one.audit.logged_role
+ ignore_failure: true
+ - rename:
+ field: json.accessType
+ target_field: trend_micro_vision_one.audit.access_type
+ ignore_missing: true
+ - rename:
+ field: json.category
+ target_field: trend_micro_vision_one.audit.category
+ ignore_missing: true
+ - rename:
+ field: json.activity
+ target_field: trend_micro_vision_one.audit.activity
+ ignore_missing: true
+ - rename:
+ field: json.result
+ target_field: trend_micro_vision_one.audit.result
+ ignore_missing: true
+ - set:
+ field: event.outcome
+ value: 'success'
+ if: ctx.trend_micro_vision_one?.audit?.result == 'Successful'
+ - set:
+ field: event.outcome
+ value: 'failure'
+ if: ctx.trend_micro_vision_one?.audit?.result == 'Unsuccessful'
+ - rename:
+ field: json.details
+ target_field: trend_micro_vision_one.audit.details
+ ignore_missing: true
+ - remove:
+ field: json
+ ignore_missing: true
+ - append:
+ field: related.user
+ value: '{{{source.user.name}}}'
+ if: ctx.source?.user?.name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - remove:
+ field:
+ - trend_micro_vision_one.audit.logged_user
+ - trend_micro_vision_one.audit.logged_role
+ if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source:
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == '') {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+on_failure:
+- append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/trend_micro_vision_one/data_stream/audit/fields/agent.yml b/packages/trend_micro_vision_one/data_stream/audit/fields/agent.yml
new file mode 100644
index 00000000000..e313ec82874
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/audit/fields/agent.yml
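Review bot: In the event.category script, `category` is lower-cased before comparison but one branch tests `category == 'Notifications'`, which can never match; change it to `category == 'notifications'`. In the same script the `else{ eventType.add('info'); }` is attached only to the `log off` test, so a `log on` or `enable single sign-on` record gets both `start` and `info`; make the second test `else if(activity == 'log off' || activity == 'disable single sign-on'){` so exactly one type is assigned. `ctx.json.activity.toLowerCase()` is called with no null check while `category` is guarded, so a record that has a category but no activity throws and only leaves an `error.message` behind; use `def activity = ctx.json.activity != null ? ctx.json.activity.toLowerCase() : '';`. Mapping `account management`, `search`, `workbench` and the rest of that long list to `authentication` will also make authentication-focused detections noisy; ECS `iam` for account management and `configuration` for the product-settings categories would be closer, though the right split depends on what the vendor's categories actually cover.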
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/trend_micro_vision_one/data_stream/audit/fields/base-fields.yml b/packages/trend_micro_vision_one/data_stream/audit/fields/base-fields.yml
new file mode 100644
index 00000000000..8a5aa585b17
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/audit/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: trend_micro_vision_one.audit
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: trend_micro_vision_one
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/trend_micro_vision_one/data_stream/audit/fields/ecs.yml b/packages/trend_micro_vision_one/data_stream/audit/fields/ecs.yml
new file mode 100644
index 00000000000..951fd69cf1c
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/audit/fields/ecs.yml
@@ -0,0 +1,20 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.type
+- external: ecs
+ name: related.user
+- external: ecs
+ name: source.user.name
+- external: ecs
+ name: source.user.roles
+- external: ecs
+ name: tags
diff --git a/packages/trend_micro_vision_one/data_stream/audit/fields/fields.yml b/packages/trend_micro_vision_one/data_stream/audit/fields/fields.yml
new file mode 100644
index 00000000000..7b18021ce63
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/audit/fields/fields.yml
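Review bot: `event.outcome` is written by the audit pipeline (the two `set` processors keyed on `trend_micro_vision_one.audit.result`) and appears in the audit sample_event.json, yet it is not declared in this ecs.yml; `error.message`, which the date processor's `on_failure` and the pipeline-level `on_failure` append to, is missing as well. Add `- external: ecs` / `  name: event.outcome` and the same pair for `error.message` so the mapping and the package field checks cover every field the pipeline emits.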
@@ -0,0 +1,24 @@
+- name: trend_micro_vision_one.audit
+ type: group
+ fields:
+ - name: access_type
+ type: keyword
+ description: Source of the activity.
+ - name: activity
+ type: keyword
+ description: The activity that was performed.
+ - name: category
+ type: keyword
+ description: Category.
+ - name: details
+ type: flattened
+ description: Object that contains a list of elements to be retrieved from the "details" field.
+ - name: logged_role
+ type: keyword
+ description: Role of the account.
+ - name: logged_user
+ type: keyword
+ description: The account that was used to perform the activity.
+ - name: result
+ type: keyword
+ description: Result.
diff --git a/packages/trend_micro_vision_one/data_stream/audit/manifest.yml b/packages/trend_micro_vision_one/data_stream/audit/manifest.yml
new file mode 100644
index 00000000000..4f6fe7ad687
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/audit/manifest.yml
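Review bot: The descriptions for `category` ("Category.") and `result` ("Result.") only repeat the field name and will be rendered verbatim into the package README, so they tell an analyst nothing about the values to expect. The pipeline in this patch derives `event.category` from `category` and sets `event.outcome` only when `result` is `Successful` or `Unsuccessful`, so `description: Category of the audited activity as reported by Vision One (for example Logon and Logoff); used to derive event.category.` and `description: Result of the activity, Successful or Unsuccessful; mapped to event.outcome.` would document what the data stream actually does with them.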
@@ -0,0 +1,57 @@
+title: Collect Audit logs from Trend Micro Vision One.
+type: logs
+streams:
+ - input: httpjson
+ title: Audit logs
+ description: Collect audit logs from Trend Micro Vision One.
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the audit from Trend Micro Vision One.
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the Trend Micro Vision One API.
+ default: 5m
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - trend_micro_vision_one_audit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: true
+ title: Preserve duplicate custom fields
+ description: Preserve trend_micro_vision_one.audit fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/trend_micro_vision_one/data_stream/audit/sample_event.json b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json
new file mode 100644
index 00000000000..96508562793
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json @@ -0,0 +1,72 @@ +{ + "@timestamp": "2022-02-24T07:29:48.000Z", + "agent": { + "ephemeral_id": "680afd6e-4f98-4136-83fb-4216ea972672", + "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.0" + }, + "data_stream": { + "dataset": "trend_micro_vision_one.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "snapshot": true, + "version": "8.4.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "authentication" + ], + "created": "2022-08-05T08:55:09.322Z", + "dataset": "trend_micro_vision_one.audit", + "ingested": "2022-08-05T08:55:12Z", + "kind": "event", + "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", + "outcome": "failure", + "type": [ + "info" + ] + }, + "input": { + "type": "httpjson" + }, + "related": { + "user": [ + "Root Account" + ] + }, + "source": { + "user": { + "name": "Root Account", + "roles": "Master Administrator" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "trend_micro_vision_one_audit" + ], + "trend_micro_vision_one": { + "audit": { + "access_type": "Console", + "activity": "string", + "category": "Logon and Logoff", + "details": { + "property1": "string", + "property2": "string" + }, + "logged_role": "Master Administrator", + "logged_user": "Root Account", + "result": "Unsuccessful" + } + } +} \ No newline at end of file 
diff --git a/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-common-config.yml b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..be41bb0d476
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,4 @@
+fields:
+ tags:
+ - preserve_original_event
+ - preserve_duplicate_custom_fields
diff --git a/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log
new file mode 100644
index 00000000000..aa794d180c4
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log
@@ -0,0 +1,2 @@ +{"act":"Clean","actResult":"Quarantined successfully","app":"HTTP","appGroup":"HTTP","aptRelated":"0","behaviorCat":"Grey-Detection","blocking":"Web reputation","cat":50,"cccaDetection":"Yes","cccaDetectionSource":"GLOBAL_INTELLIGENCE","cccaRiskLevel":3,"clientFlag":"dst","cnt":"1","component":["PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00"],"compressedFileSize":"0","detectionType":"File","deviceDirection":"outbound","deviceGUID":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","deviceProcessName":"/snap/core/10126/usr/lib/snapd/snapd","deviceMacAddress":"00:11:22:33:44:55","dhost":"samplehost","domainName":"Workgroup","dpt":53,"dst":["81.2.69.142"],"dstGroup":"Default","end":"2021-09-30T09:40:04-08:00","endpointGUID":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","endpointHostName":"xxx-docker","endpointIp":["81.2.69.142"],"endpointMacAddress":"00:11:22:33:44:55","engType":"Virus Scan Engine (Windows XP/Server 2003, x64)","engVer":"12.500.1004","eventId":"100117","eventName":"INTEGRITY_MONITORING_EVENT","eventSubName":"Attack Discovery","eventTime":1602724592000,"eventTimeDT":"2021-06-10T01:38:38+00:00","fileHash":"3395856ce81f2b7382dee72602f798b642f14140","fileName":["Unconfirmed 145081.crdownload"],"fileOperation":"Deleted","filePath":"/etc/systemd/system","filePathName":"/etc/systemd/system/snap-xxxx-1246.xxxx","fileSize":"0","firstAct":"Clean","firstActResult":"Unable to clean file","fullPath":"C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 145081.crdownload","hostName":"samplehost","httpReferer":"http://xxx.xxxxxx.com/","interestedHost":"xxx-docker","interestedIp":["192.168.47.102"],"interestedMacAddress":"00:11:22:33:44","malName":"Eicar_test_1","malType":"Virus/Malware","mDevice":["81.2.69.192","67.43.156.0"],"mDeviceGUID":"C5B09EDD-C725-907F-29D9-B8C30D18C48F","mitreMapping":["T1090 (TA0005)"],"mitreVersion":"v6","mpname":"Cloud One - Workload Security","mpver":"Deep Security/20.0.222","objectCmd":["C:\\\\Program Files 
(x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe --profile-directory=Default"],"objectFileHashMd5":"761AEFF7E6B110970285B9C20C9E1DCA","objectFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","objectFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","objectFileName":"Unconfirmed 142899.crdownload:SmartScreen","objectFilePath":"C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 142899.crdownload:SmartScreen","objectName":"CloudEndpointService.exe","objectPid":7660,"objectSigner":["Microsoft Windows"],"parentCmd":"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k DcomLaunch -p","parentFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","parentFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","parentFilePath":"C:\\\\Windows\\\\System32\\\\svchost.exe","peerHost":"samplehost","peerIp":["81.2.69.144"],"pname":"Apex One","processCmd":"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca","processFileHashMd5":"761AEFF7E6B110970285B9C20C9E1DCA","processFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","processFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","processFilePath":"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe","processName":"string","processPid":0,"processSigner":"Microsoft Windows Publisher","productCode":"sao","pver":"20.0.0.877","request":"https://example.com","requestClientApplication":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0","rt":"2020-10-15T01:16:32.000Z","rt_utc":"2020-10-15T01:16:32.000Z","searchDL":"DDL","spt":58871,"src":["81.2.69.142"],"srcGroup":"Default","tacticId":["TA0005"],"tags":["XSAE.F2140","XSAE.F3066"],"threatName":"Malicious_identified_CnC_querying_on_UDP_detected","uuid":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"} 
+{"eventTimeDT":"2022-07-11T13:35:34+00:00","tags":null,"uuid":"1234abcd-1234abcd-1234abcd-1234abcd-1234abcd","searchDL":"DDL","eventTime":1657546534000,"productCode":"sig","eventName":"WEB_POLICY_VIOLATION","rt_utc":"2022-07-11T13:35:34Z","rt":"2022-07-11T13:35:34+0000","act":["Block"],"aggregatedCount":"1","detectionType":"Web Reputation Service","deviceGUID":"456xyz-456xyz-456xyz-456xyz-456xyz","dst":["81.2.69.142"],"endpointGUID":"789pqr-789pqr-789pqr-789pqr-789pqr","endpointHostName":"ABC01","fileSize":"0","fileType":"ASCII Text","osName":"10.15.6","pname":"Secure Web Gateway","policyName":"default","pver":"1.0","request":"http://example.com/","requestBase":"example.com","src":["81.2.69.142"],"suid":"user.name","urlCat":["Newly Observed Domain"],"userDomain":"example.com","profile":"Default threat protection profile","principalName":"user.name@example.com","policyUuid":"123123-abcd-123-abcd","sender":"Default cloud gateway","logKey":"123-123-123-abc-abc-abc","clientIp":["81.2.69.142"]} diff --git a/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log-expected.json b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log-expected.json new file mode 100644 index 00000000000..24f010a1e4a --- /dev/null +++ b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/pipeline/test-pipeline-detection.log-expected.json 
@@ -0,0 +1,419 @@ +{ + "expected": [ + { + "@timestamp": "2020-10-15T01:16:32.000Z", + "destination": { + "domain": "Workgroup", + "ip": [ + "81.2.69.142" + ], + "port": 53 + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "action": "clean", + "category": [ + "intrusion_detection" + ], + "id": "100117", + "kind": "event", + "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"deviceMacAddress\":\"00:11:22:33:44:55\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"endpointHostName\":\"xxx-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00:11:22:33:44:55\",\"engType\":\"Virus Scan Engine (Windows XP/Server 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://xxx.xxxxxx.com/\",\"interestedHost\":\"xxx-docker\",\"interestedIp\":[\"192.168.47.102\"],\"interestedMacAddress\":\"00:11:22:33:44\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mDevice\":[\"81.2.69.192\",\"67.43.156.0\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"Microsoft Windows\"],\"parentCmd\":\"C:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.144\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files 
(x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"Microsoft Windows Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":[\"81.2.69.142\"],\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"}", + "severity": 50, + "type": [ + "info" + ] + }, + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "name": [ + "Unconfirmed 145081.crdownload" + ], + "path": "/etc/systemd/system/snap-xxxx-1246.xxxx", + "size": 0 + }, + "host": { + "hostname": "samplehost", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "81.2.69.142" + ], + "mac": "00-11-22-33-44-55", + "name": "xxx-docker" + }, + "http": { + "request": { + "referrer": "http://xxx.xxxxxx.com/" + } + }, + "network": { + "direction": "outbound", + "protocol": "http" + }, + "observer": { + "hostname": "samplehost", + "mac": "00-11-22-33-44-55" + }, + "process": { + "command_line": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", + "name": "string", + "pid": 0 + }, + "related": { + "hash": [ + "761AEFF7E6B110970285B9C20C9E1DCA", + "00496B4D53CEFE031B9702B3385C9F4430999932", + "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7", + "3395856ce81f2b7382dee72602f798b642f14140" + ], + "hosts": [ + "samplehost", + "xxx-docker" + ], + "ip": [ + "81.2.69.142", + "81.2.69.192", + "67.43.156.0", + "192.168.47.102", + "81.2.69.144" + ] 
+ }, + "source": { + "ip": [ + "81.2.69.142" + ], + "port": 58871 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "tactic": { + "id": [ + "TA0005" + ] + } + }, + "trend_micro_vision_one": { + "detection": { + "action": "Clean", + "action_result": "Quarantined successfully", + "behavior_category": "Grey-Detection", + "block": "Web reputation", + "client_flag": "dst", + "component_version": [ + "PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00" + ], + "compressed_file_size": 0, + "destination": { + "ip": [ + "81.2.69.142" + ], + "ip_group": "Default", + "port": 53 + }, + "detection": "Yes", + "detection_source": "GLOBAL_INTELLIGENCE", + "detection_type": "File", + "device": { + "direction": "outbound", + "guid": "C5B09EDD-C725-907F-29D9-B8C30D18C48F", + "host": "samplehost", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "81.2.69.192", + "67.43.156.0" + ], + "mac": "00-11-22-33-44-55", + "process_name": "/snap/core/10126/usr/lib/snapd/snapd" + }, + "domain": { + "name": "Workgroup" + }, + "end_time": "2021-09-30T17:40:04.000Z", + "endpoint": { + "guid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "hostname": "xxx-docker", + "ip": [ + "81.2.69.142" + ], + "mac": "00-11-22-33-44-55" + }, + "engine_type": "Virus Scan Engine (Windows XP/Server 2003, x64)", + "engine_version": "12.500.1004", + "event_id": "100117", + "event_name": "INTEGRITY_MONITORING_EVENT", + "event_time_dt": "2021-06-10T01:38:38.000Z", + "file_hash": "3395856ce81f2b7382dee72602f798b642f14140", + "file_name": [ + "Unconfirmed 145081.crdownload" + ], + "file_operation": "Deleted", + "file_path": "/etc/systemd/system", + "file_path_name": "/etc/systemd/system/snap-xxxx-1246.xxxx", + "file_size": 0, + "first_action": "Clean", + "first_action_result": "Unable to clean file", + "full_path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 145081.crdownload", + "hostname": "samplehost", + "http_referer": "http://xxx.xxxxxx.com/", + 
"interested": { + "host": "xxx-docker", + "ip": [ + "192.168.47.102" + ], + "mac": "00-11-22-33-44" + }, + "malware_name": "Eicar_test_1", + "malware_type": "Virus/Malware", + "mproduct": { + "name": "Cloud One - Workload Security", + "version": "Deep Security/20.0.222" + }, + "object": { + "cmd": [ + "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe --profile-directory=Default" + ], + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "name": "Unconfirmed 142899.crdownload:SmartScreen", + "path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 142899.crdownload:SmartScreen" + }, + "name": "CloudEndpointService.exe", + "pid": 7660, + "signer": [ + "Microsoft Windows" + ] + }, + "parent": { + "cmd": "C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k DcomLaunch -p", + "file": { + "hash": { + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "path": "C:\\\\Windows\\\\System32\\\\svchost.exe" + } + }, + "peer": { + "host": "samplehost", + "ip": [ + "81.2.69.144" + ] + }, + "process": { + "cmd": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "path": "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe" + }, + "name": "string", + "pid": 0, + "signer": "Microsoft Windows Publisher" + }, + "product": { + "code": "sao", + "name": "Apex One", + "version": "20.0.0.877" + }, + "protocol": "HTTP", + "protocol_group": "HTTP", + "related_apt": false, + "request": "https://example.com", + "request_client_application": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) 
Gecko/20100101 Firefox/92.0", + "risk_level": 3, + "rt": "2020-10-15T01:16:32.000Z", + "rt_utc": "2020-10-15T01:16:32.000Z", + "search_data_lake": "DDL", + "security_analytics": { + "engine": { + "name": [ + "T1090 (TA0005)" + ], + "version": "v6" + } + }, + "severity_level": 50, + "source": { + "group": "Default", + "ip": [ + "81.2.69.142" + ], + "port": 58871 + }, + "sub_name": "Attack Discovery", + "tactic_id": [ + "TA0005" + ], + "tags": [ + "XSAE.F2140", + "XSAE.F3066" + ], + "threat_name": "Malicious_identified_CnC_querying_on_UDP_detected", + "total_count": 1, + "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + } + }, + "url": { + "domain": "example.com", + "original": "https://example.com", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "92.0." 
+ } + }, + { + "@timestamp": "2022-07-11T13:35:34.000Z", + "client": { + "ip": [ + "81.2.69.142" + ] + }, + "destination": { + "ip": [ + "81.2.69.142" + ] + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "action": [ + "block" + ], + "category": [ + "intrusion_detection" + ], + "kind": "event", + "original": "{\"eventTimeDT\":\"2022-07-11T13:35:34+00:00\",\"tags\":null,\"uuid\":\"1234abcd-1234abcd-1234abcd-1234abcd-1234abcd\",\"searchDL\":\"DDL\",\"eventTime\":1657546534000,\"productCode\":\"sig\",\"eventName\":\"WEB_POLICY_VIOLATION\",\"rt_utc\":\"2022-07-11T13:35:34Z\",\"rt\":\"2022-07-11T13:35:34+0000\",\"act\":[\"Block\"],\"aggregatedCount\":\"1\",\"detectionType\":\"Web Reputation Service\",\"deviceGUID\":\"456xyz-456xyz-456xyz-456xyz-456xyz\",\"dst\":[\"81.2.69.142\"],\"endpointGUID\":\"789pqr-789pqr-789pqr-789pqr-789pqr\",\"endpointHostName\":\"ABC01\",\"fileSize\":\"0\",\"fileType\":\"ASCII Text\",\"osName\":\"10.15.6\",\"pname\":\"Secure Web Gateway\",\"policyName\":\"default\",\"pver\":\"1.0\",\"request\":\"http://example.com/\",\"requestBase\":\"example.com\",\"src\":[\"81.2.69.142\"],\"suid\":\"user.name\",\"urlCat\":[\"Newly Observed Domain\"],\"userDomain\":\"example.com\",\"profile\":\"Default threat protection profile\",\"principalName\":\"user.name@example.com\",\"policyUuid\":\"123123-abcd-123-abcd\",\"sender\":\"Default cloud gateway\",\"logKey\":\"123-123-123-abc-abc-abc\",\"clientIp\":[\"81.2.69.142\"]}", + "type": [ + "info" + ] + }, + "file": { + "size": 0, + "type": "ASCII Text" + }, + "host": { + "id": "789pqr-789pqr-789pqr-789pqr-789pqr", + "name": "ABC01" + }, + "os": { + "name": "10.15.6" + }, + "related": { + "hosts": [ + "ABC01" + ], + "ip": [ + "81.2.69.142" + ] + }, + "source": { + "ip": [ + "81.2.69.142" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trend_micro_vision_one": { + "detection": { + "action": [ + "Block" + ], + "aggregated_count": 1, + "client_ip": [ + "81.2.69.142" 
+ ], + "destination": { + "ip": [ + "81.2.69.142" + ] + }, + "detection_type": "Web Reputation Service", + "device": { + "id": "456xyz-456xyz-456xyz-456xyz-456xyz" + }, + "endpoint": { + "guid": "789pqr-789pqr-789pqr-789pqr-789pqr", + "hostname": "ABC01" + }, + "event_name": "WEB_POLICY_VIOLATION", + "event_time_dt": "2022-07-11T13:35:34.000Z", + "file_size": 0, + "file_type": "ASCII Text", + "os": { + "name": "10.15.6" + }, + "policy": { + "logkey": "123-123-123-abc-abc-abc", + "name": "default", + "uuid": "123123-abcd-123-abcd" + }, + "principal_name": "user.name@example.com", + "product": { + "code": "sig", + "name": "Secure Web Gateway", + "version": "1.0" + }, + "profile": "Default threat protection profile", + "request": "http://example.com/", + "request_base": "example.com", + "rt": "2022-07-11T13:35:34.000Z", + "rt_utc": "2022-07-11T13:35:34.000Z", + "search_data_lake": "DDL", + "sender": "Default cloud gateway", + "source": { + "ip": [ + "81.2.69.142" + ] + }, + "suid": "user.name", + "url_cat": [ + "Newly Observed Domain" + ], + "user": { + "domain": "example.com" + }, + "uuid": "1234abcd-1234abcd-1234abcd-1234abcd-1234abcd" + } + }, + "url": { + "domain": "example.com", + "original": "http://example.com/", + "path": "/", + "scheme": "http" + }, + "user": { + "domain": "example.com" + } + } + ] +}
\ No newline at end of file
diff --git a/packages/trend_micro_vision_one/data_stream/detection/_dev/test/system/test-default-config.yml b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..c6104a7bd86
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/detection/_dev/test/system/test-default-config.yml
@@ -0,0 +1,9 @@
+input: httpjson
+service: trend_micro_vision_one
+vars:
+ hostname: http://{{Hostname}}:{{Port}}
+ api_token: xxxx
+data_stream:
+ vars:
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
diff --git a/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs b/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..5a44f63b54d
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,57 @@
+config_version: 2
+interval: {{interval}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: GET
+request.url: {{hostname}}/v3.0/search/detections
+request.transforms:
+ - set:
+ target: header.Authorization
+ value: 'Bearer {{api_token}}'
+ - set:
+ target: header.TMV1-Query
+ value: 'uuid'
+ - set:
+ target: url.params.top
+ value: '5000'
+ - set:
+ target: url.params.startDateTime
+ value: '[[formatDate (parseDate .cursor.last_update_at)]]'
+ default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
+ - set:
+ target: url.params.endDateTime
+ value: '[[formatDate (now)]]'
+ - set:
+ target: url.params.select
+ value: 'empty'
+response.pagination:
+ - set:
+ target: url.value
+ value: '[[if index .last_response.body "nextLink"]][[replaceAll " " "%20" .last_response.body.nextLink]][[else]][[.last_response.terminate_pagination]][[end]]'
+ fail_on_template_error: true
+cursor:
+ last_update_at:
+ value: '[[.last_response.url.params.Get "endDateTime"]]'
+response.split:
+ target: body.items
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
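Review bot: The pagination step assigns `url.value` straight from `.last_response.body.nextLink`, and as I read httpjson the `request.transforms` that set `header.Authorization: 'Bearer {{api_token}}'` are applied to every follow-up request too, so the token is resent to whatever host nextLink names; nothing in the template ties that URL back to `{{hostname}}`. For the trusted Vision One endpoint this is acceptable, but it is an assumption worth recording next to the pagination block, e.g. `# nextLink is trusted as returned by the API; the bearer token is resent to it`. Separately, `hostname` holds a full scheme://host:port base URL (the test config sets `http://{{Hostname}}:{{Port}}`), so a comment on `request.url` such as `# hostname is the full API base URL, including scheme` would avoid a misread as a bare host name.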
diff --git a/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..ccc5eb99561
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,977 @@
+---
+description: Pipeline for processing Trend Micro Vision One Alert logs.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.4.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.category
+ value: [intrusion_detection]
+ - set:
+ field: event.type
+ value: [info]
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - fingerprint:
+ fields:
+ - json.eventTime
+ - json.rt_utc
+ - json.uuid
+ target_field: _id
+ ignore_missing: true
+ - date:
+ field: json.eventTime
+ if: ctx.json?.eventTime != null && ctx.json?.eventTime != ''
+ formats:
+ - UNIX_MS
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.domainName
+ target_field: trend_micro_vision_one.detection.domain.name
+ ignore_missing: true
+ - set:
+ field: destination.domain
+ copy_from: trend_micro_vision_one.detection.domain.name
+ ignore_failure: true
+ - convert:
+ field: json.dst
+ target_field: trend_micro_vision_one.detection.destination.ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: destination.ip
+ copy_from: trend_micro_vision_one.detection.destination.ip
+ ignore_failure: true
+ - convert:
+ field: json.dpt
+ target_field: trend_micro_vision_one.detection.destination.port
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: destination.port
+ copy_from: trend_micro_vision_one.detection.destination.port
+ ignore_failure: true
+ - rename:
+ field: json.act
+ target_field: trend_micro_vision_one.detection.action
+ ignore_missing: true
+ - set:
+ field: event.action
+ copy_from: trend_micro_vision_one.detection.action
+ ignore_failure: true
+ - lowercase:
+ field: event.action
+ ignore_missing: true
+ - rename:
+ field: json.eventId
+ target_field: trend_micro_vision_one.detection.event_id
+ ignore_missing: true
+ - set:
+ field: event.id
+ copy_from: trend_micro_vision_one.detection.event_id
+ ignore_failure: true
+ - rename:
+ field: json.objectFileHashMd5
+ target_field: trend_micro_vision_one.detection.object.file.hash.md5
+ ignore_missing: true
+ - set:
+ field: file.hash.md5
+ copy_from: trend_micro_vision_one.detection.object.file.hash.md5
+ ignore_failure: true
+ - rename:
+ field: json.objectFileHashSha1
+ target_field: trend_micro_vision_one.detection.object.file.hash.sha1
+ ignore_missing: true
+ - set:
+ field: file.hash.sha1
+ copy_from: trend_micro_vision_one.detection.object.file.hash.sha1
+ ignore_failure: true
+ - rename:
+ field: json.objectFileHashSha256
+ target_field: trend_micro_vision_one.detection.object.file.hash.sha256
+ ignore_missing: true
+ - set:
+ field: file.hash.sha256
+ copy_from: trend_micro_vision_one.detection.object.file.hash.sha256
+ ignore_failure: true
+ - rename:
+ field: json.fileName
+ target_field: trend_micro_vision_one.detection.file_name
+ ignore_missing: true
+ - set:
+ field: file.name
+ copy_from: trend_micro_vision_one.detection.file_name
+ ignore_failure: true
+ - rename:
+ field: json.filePathName
+ target_field: trend_micro_vision_one.detection.file_path_name
+ ignore_missing: true
+ - set:
+ field: file.path
+ copy_from: trend_micro_vision_one.detection.file_path_name
+ ignore_failure: true
+ - convert:
+ field: json.fileSize
+ target_field: trend_micro_vision_one.detection.file_size
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: file.size
+ copy_from: trend_micro_vision_one.detection.file_size
+ ignore_failure: true
+ - rename:
+ field: json.hostName
+ target_field: trend_micro_vision_one.detection.hostname
+ ignore_missing: true
+ - set:
+ field: host.hostname
+ copy_from: trend_micro_vision_one.detection.hostname
+ ignore_failure: true
+ - rename:
+ field: json.endpointGUID
+ target_field: trend_micro_vision_one.detection.endpoint.guid
+ ignore_missing: true
+ - set:
+ field: host.id
+ copy_from: trend_micro_vision_one.detection.endpoint.guid
+ ignore_failure: true
+ - foreach:
+ field: json.endpointIp
+ processor:
+ append:
+ field: trend_micro_vision_one.detection.endpoint.ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: host.ip
+ copy_from: trend_micro_vision_one.detection.endpoint.ip
+ ignore_failure: true
+ - gsub:
+ field: json.endpointMacAddress
+ pattern: '[-:.]'
+ replacement: '-'
+ ignore_missing: true
+ - uppercase:
+ field: json.endpointMacAddress
+ ignore_missing: true
+ - rename:
+ field: json.endpointMacAddress
+ target_field: trend_micro_vision_one.detection.endpoint.mac
+ ignore_missing: true
+ - set:
+ field: host.mac
+ copy_from: trend_micro_vision_one.detection.endpoint.mac
+ ignore_failure: true
+ - rename:
+ field: json.endpointHostName
+ target_field: trend_micro_vision_one.detection.endpoint.hostname
+ ignore_missing: true
+ - set:
+ field: host.name
+ copy_from: trend_micro_vision_one.detection.endpoint.hostname
+ ignore_failure: true
+ - rename:
+ field: json.httpReferer
+ target_field: trend_micro_vision_one.detection.http_referer
+ ignore_missing: true
+ - set:
+ field: http.request.referrer
+ copy_from: trend_micro_vision_one.detection.http_referer
+ ignore_failure: true
+ - rename:
+ field: json.cat
+ target_field: trend_micro_vision_one.detection.severity_level
+ ignore_missing: true
+ - set:
+ field: event.severity
+ copy_from: trend_micro_vision_one.detection.severity_level
+ ignore_failure: true
+ - rename:
+ field: json.deviceDirection
+ target_field: trend_micro_vision_one.detection.device.direction
+ ignore_missing: true
+ - set:
+ field: network.direction
+ copy_from: trend_micro_vision_one.detection.device.direction
+ ignore_failure: true
+ - lowercase:
+ field: network.direction
+ ignore_missing: true
+ - rename:
+ field: json.app
+ target_field: trend_micro_vision_one.detection.protocol
+ ignore_missing: true
+ - set:
+ field: network.protocol
+ copy_from: trend_micro_vision_one.detection.protocol
+ ignore_failure: true
+ - lowercase:
+ field: network.protocol
+ ignore_missing: true
+ - rename:
+ field: json.dhost
+ target_field: trend_micro_vision_one.detection.device.host
+ ignore_missing: true
+ - set:
+ field: observer.hostname
+ copy_from: trend_micro_vision_one.detection.device.host
+ ignore_failure: true
+ - gsub:
+ field: json.deviceMacAddress
+ pattern: '[-:.]'
+ replacement: '-'
+ ignore_missing: true
+ - uppercase:
+ field: json.deviceMacAddress
+ ignore_missing: true
+ - rename:
+ field: json.deviceMacAddress
+ target_field: trend_micro_vision_one.detection.device.mac
+ ignore_missing: true
+ - set:
+ field: observer.mac
+ copy_from: trend_micro_vision_one.detection.device.mac
+ ignore_failure: true
+ - rename:
+ field: json.processCmd
+ target_field: trend_micro_vision_one.detection.process.cmd
+ ignore_missing: true
+ - set:
+ field: process.command_line
+ copy_from: trend_micro_vision_one.detection.process.cmd
+ ignore_failure: true
+ - rename:
+ field: json.processName
+ target_field: trend_micro_vision_one.detection.process.name
+ ignore_missing: true
+ - set:
+ field: process.name
+ copy_from: trend_micro_vision_one.detection.process.name
+ ignore_failure: true
+ - convert:
+ field: json.processPid
+ target_field: trend_micro_vision_one.detection.process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.pid
+ copy_from: trend_micro_vision_one.detection.process.pid
+ ignore_failure: true
+ - convert:
+ field: json.src
+ target_field: trend_micro_vision_one.detection.source.ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: source.ip
+ copy_from: trend_micro_vision_one.detection.source.ip
+ ignore_failure: true
+ - convert:
+ field: json.spt
+ target_field: trend_micro_vision_one.detection.source.port
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: source.port
+ copy_from: trend_micro_vision_one.detection.source.port
+ ignore_failure: true
+ - rename:
+ field: json.tacticId
+ target_field: trend_micro_vision_one.detection.tactic_id
+ ignore_missing: true
+ - set:
+ field: threat.tactic.id
+ copy_from: trend_micro_vision_one.detection.tactic_id
+ ignore_failure: true
+ - rename:
+ field: json.requestClientApplication
+ target_field: trend_micro_vision_one.detection.request_client_application
+ ignore_missing: true
+ - set:
+ field: url.request
+ copy_from: trend_micro_vision_one.detection.request_client_application
+ ignore_failure: true
+ - user_agent:
+ field: url.request
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.actResult
+ target_field: trend_micro_vision_one.detection.action_result
+ ignore_missing: true
+ - rename:
+ field: json.behaviorCat
+ target_field: trend_micro_vision_one.detection.behavior_category
+ ignore_missing: true
+ - rename:
+ field: json.blocking
+ target_field: trend_micro_vision_one.detection.block
+ ignore_missing: true
+ - rename:
+ field: json.clientFlag
+ target_field: trend_micro_vision_one.detection.client_flag
+ ignore_missing: true
+ - rename:
+ field: json.component
+ target_field: trend_micro_vision_one.detection.component_version
+ ignore_missing: true
+ - convert:
+ field: json.compressedFileSize
+ target_field: trend_micro_vision_one.detection.compressed_file_size
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.dstGroup
+ target_field: trend_micro_vision_one.detection.destination.ip_group
+ ignore_missing: true
+ - rename:
+ field: json.cccaDetection
+ target_field: trend_micro_vision_one.detection.detection
+ ignore_missing: true
+ - rename:
+ field: json.cccaDetectionSource
+ target_field: trend_micro_vision_one.detection.detection_source
+ ignore_missing: true
+ - rename:
+ field: json.detectionType
+ target_field: trend_micro_vision_one.detection.detection_type
+ ignore_missing: true
+ - convert:
+ field: json.cccaRiskLevel
+ target_field: trend_micro_vision_one.detection.risk_level
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.mDeviceGUID
+ target_field: trend_micro_vision_one.detection.device.guid
+ ignore_missing: true
+ - rename:
+ field: json.deviceGUID
+ target_field: trend_micro_vision_one.detection.device.id
+ ignore_missing: true
+ - convert:
+ field: json.mDevice
+ target_field: trend_micro_vision_one.detection.device.ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.deviceProcessName
+ target_field: trend_micro_vision_one.detection.device.process_name
+ ignore_missing: true
+ - date:
+ field: json.end
+ target_field: trend_micro_vision_one.detection.end_time
+ if: ctx.json?.end != null && ctx.json?.end != ''
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.engType
+ target_field: trend_micro_vision_one.detection.engine_type
+ ignore_missing: true
+ - rename:
+ field: json.engVer
+ target_field: trend_micro_vision_one.detection.engine_version
+ ignore_missing: true
+ - rename:
+ field: json.eventName
+ target_field: trend_micro_vision_one.detection.event_name
+ ignore_missing: true
+ - date:
+ field: json.eventTimeDT
+ target_field: trend_micro_vision_one.detection.event_time_dt
+ if: ctx.json?.eventTimeDT != null && ctx.json?.eventTimeDT != ''
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.fileHash
+ target_field: trend_micro_vision_one.detection.file_hash
+ ignore_missing: true
+ - rename:
+ field: json.fileOperation
+ target_field: trend_micro_vision_one.detection.file_operation
+ ignore_missing: true
+ - rename:
+ field: json.filePath
+ target_field: trend_micro_vision_one.detection.file_path
+ ignore_missing: true
+ - rename:
+ field: json.firstAct
+ target_field: trend_micro_vision_one.detection.first_action
+ ignore_missing: true
+ - rename:
+ field: json.firstActResult
+ target_field: trend_micro_vision_one.detection.first_action_result
+ ignore_missing: true
+ - rename:
+ field: json.fullPath
+ target_field: trend_micro_vision_one.detection.full_path
+ ignore_missing: true
+ - rename:
+ field: json.interestedHost
+ target_field: trend_micro_vision_one.detection.interested.host
+ ignore_missing: true
+ - convert:
+ field: json.interestedIp
+ target_field: trend_micro_vision_one.detection.interested.ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - gsub:
+ field: json.interestedMacAddress
+ pattern: '[-:.]'
+ replacement: '-'
+ ignore_missing: true
+ - uppercase:
+ field: json.interestedMacAddress
+ ignore_missing: true
+ - rename:
+ field: json.interestedMacAddress
+ target_field: trend_micro_vision_one.detection.interested.mac
+ ignore_missing: true
+ - rename:
+ field: json.malName
+ target_field: trend_micro_vision_one.detection.malware_name
+ ignore_missing: true
+ - rename:
+ field: json.malType
+ target_field: trend_micro_vision_one.detection.malware_type
+ ignore_missing: true
+ - rename:
+ field: json.objectCmd
+ target_field: trend_micro_vision_one.detection.object.cmd
+ ignore_missing: true
+ - rename:
+ field: json.objectFileName
+ target_field: trend_micro_vision_one.detection.object.file.name
+ ignore_missing: true
+ - rename:
+ field: json.objectFilePath
+ target_field: trend_micro_vision_one.detection.object.file.path
+ ignore_missing: true
+ - rename:
+ field: json.objectName
+ target_field: trend_micro_vision_one.detection.object.name
+ ignore_missing: true
+ - convert:
+ field: json.objectPid
+ target_field: trend_micro_vision_one.detection.object.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.objectSigner
+ target_field: trend_micro_vision_one.detection.object.signer
+ ignore_missing: true
+ - rename:
+ field: json.parentCmd
+ target_field: trend_micro_vision_one.detection.parent.cmd
+ ignore_missing: true
+ - rename:
+ field: json.parentFileHashSha1
+ target_field: trend_micro_vision_one.detection.parent.file.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: json.parentFileHashSha256
+ target_field: trend_micro_vision_one.detection.parent.file.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: json.parentFilePath
+ target_field: trend_micro_vision_one.detection.parent.file.path
+ ignore_missing: true
+ - rename:
+ field: json.peerHost
+ target_field: trend_micro_vision_one.detection.peer.host
+ ignore_missing: true
+ - convert:
+ field: json.peerIp
+ target_field: trend_micro_vision_one.detection.peer.ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.processFileHashMd5
+ target_field: trend_micro_vision_one.detection.process.file.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.processFileHashSha1
+ target_field: trend_micro_vision_one.detection.process.file.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: json.processFileHashSha256
+ target_field: trend_micro_vision_one.detection.process.file.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: json.processFilePath
+ target_field: trend_micro_vision_one.detection.process.file.path
+ ignore_missing: true
+ - rename:
+ field: json.processSigner
+ target_field: trend_micro_vision_one.detection.process.signer
+ ignore_missing: true
+ - rename:
+ field: json.request
+ target_field: trend_micro_vision_one.detection.request
+ ignore_missing: true
+ - uri_parts:
+ field: trend_micro_vision_one.detection.request
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.productCode
+ target_field: trend_micro_vision_one.detection.product.code
+ ignore_missing: true
+ - rename:
+ field: json.mpname
+ target_field: trend_micro_vision_one.detection.mproduct.name
+ ignore_missing: true
+ - rename:
+ field: json.pname
+ target_field: trend_micro_vision_one.detection.product.name
+ ignore_missing: true
+ - rename:
+ field: json.mpver
+ target_field: trend_micro_vision_one.detection.mproduct.version
+ ignore_missing: true
+ - rename:
+ field: json.pver
+ target_field: trend_micro_vision_one.detection.product.version
+ ignore_missing: true
+ - rename:
+ field: json.appGroup
+ target_field: trend_micro_vision_one.detection.protocol_group
+ ignore_missing: true
+ - set:
+ field: trend_micro_vision_one.detection.related_apt
+ value: false
+ if: ctx.json?.aptRelated == '0';
+ - set:
+ field: trend_micro_vision_one.detection.related_apt
+ value: true
+ if: ctx.json?.aptRelated == '1';
+ - date:
+ field: json.rt
+ target_field: trend_micro_vision_one.detection.rt
+ if: ctx.json?.rt != null && ctx.json?.rt != ''
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.rt_utc
+ target_field: trend_micro_vision_one.detection.rt_utc
+ if: ctx.json?.rt_utc != null && ctx.json?.rt_utc != ''
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.searchDL
+ target_field: trend_micro_vision_one.detection.search_data_lake
+ ignore_missing: true
+ - rename:
+ field: json.mitreMapping
+ target_field: trend_micro_vision_one.detection.security_analytics.engine.name
+ ignore_missing: true
+ - rename:
+ field: json.mitreVersion
+ target_field: trend_micro_vision_one.detection.security_analytics.engine.version
+ ignore_missing: true
+ - rename:
+ field: json.srcGroup
+ target_field: trend_micro_vision_one.detection.source.group
+ ignore_missing: true
+ - rename:
+ field: json.threatName
+ target_field: trend_micro_vision_one.detection.threat_name
+ ignore_missing: true
+ - rename:
+ field: json.eventSubName
+ target_field: trend_micro_vision_one.detection.sub_name
+ ignore_missing: true
+ - rename:
+ field: json.tags
+ target_field: trend_micro_vision_one.detection.tags
+ ignore_missing: true
+ - convert:
+ field: json.cnt
+ target_field: trend_micro_vision_one.detection.total_count
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.uuid
+ target_field: trend_micro_vision_one.detection.uuid
+ ignore_missing: true
+ - convert:
+ field: json.aggregatedCount
+ target_field: trend_micro_vision_one.detection.aggregated_count
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.fileType
+ target_field: trend_micro_vision_one.detection.file_type
+ ignore_missing: true
+ - set:
+ field: file.type
+ copy_from: trend_micro_vision_one.detection.file_type
+ ignore_failure: true
+ - rename:
+ field: json.fileType
+ target_field: trend_micro_vision_one.detection.file_type
+ ignore_missing: true
+ - set:
+ field: file.type
+ copy_from: trend_micro_vision_one.detection.file_type
+ ignore_failure: true
+ - rename:
+ field: json.osName
+ target_field: trend_micro_vision_one.detection.os.name
+ ignore_missing: true
+ - set:
+ field: os.name
+ copy_from: trend_micro_vision_one.detection.os.name
+ ignore_failure: true
+ - rename:
+ field: json.policyName
+ target_field: trend_micro_vision_one.detection.policy.name
+ ignore_missing: true
+ - rename:
+ field: json.requestBase
+ target_field: trend_micro_vision_one.detection.request_base
+ ignore_missing: true
+ - rename:
+ field: json.suid
+ target_field: trend_micro_vision_one.detection.suid
+ ignore_missing: true
+ - rename:
+ field: json.urlCat
+ target_field: trend_micro_vision_one.detection.url_cat
+ ignore_missing: true
+ - rename:
+ field: json.userDomain
+ target_field: trend_micro_vision_one.detection.user.domain
+ ignore_missing: true
+ - set:
+ field: user.domain
+ copy_from: trend_micro_vision_one.detection.user.domain
+ ignore_failure: true
+ - rename:
+ field: json.profile
+ target_field: trend_micro_vision_one.detection.profile
+ ignore_missing: true
+ - rename:
+ field: json.principalName
+ target_field: trend_micro_vision_one.detection.principal_name
+ ignore_missing: true
+ - rename:
+ field: json.policyUuid
+ target_field: trend_micro_vision_one.detection.policy.uuid
+ ignore_missing: true
+ - rename:
+ field: json.sender
+ target_field: trend_micro_vision_one.detection.sender
+ ignore_missing: true
+ - rename:
+ field: json.logKey
+ target_field: trend_micro_vision_one.detection.policy.logkey
+ ignore_missing: true
+ - rename:
+ field: json.mimeType
+ target_field: trend_micro_vision_one.detection.mime_type
+ ignore_missing: true
+ - convert:
+ field: json.clientIp
+ target_field: trend_micro_vision_one.detection.client_ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: client.ip
+ copy_from: trend_micro_vision_one.detection.client_ip
+ ignore_failure: true
+ - remove:
+ field: json
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{file.hash.md5}}}'
+ if: ctx.file?.hash?.md5 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hash
+ value: '{{{file.hash.sha1}}}'
+ if: ctx.file?.hash?.sha1 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hash
+ value: '{{{file.hash.sha256}}}'
+ if: ctx.file?.hash?.sha256 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hash
+ value: '{{{trend_micro_vision_one.detection.file_hash}}}'
+ if: ctx.trend_micro_vision_one?.detection?.file_hash != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hash
+ value: '{{{trend_micro_vision_one.detection.parent.file.hash.sha1}}}'
+ if: ctx.trend_micro_vision_one?.detection?.parent?.file?.hash?.sha1 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hash
+ value: '{{{trend_micro_vision_one.detection.parent.file.hash.sha256}}}'
+ if: ctx.trend_micro_vision_one?.detection?.parent?.file?.hash?.sha256 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hash
+ value: '{{{trend_micro_vision_one.detection.process.file.hash.md5}}}'
+ if: ctx.trend_micro_vision_one?.detection?.process?.file?.hash?.md5 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hash
+ value: '{{{trend_micro_vision_one.detection.process.file.hash.sha1}}}'
+ if: ctx.trend_micro_vision_one?.detection?.process?.file?.hash?.sha1 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hash
+ value: '{{{trend_micro_vision_one.detection.process.file.hash.sha256}}}'
+ if: ctx.trend_micro_vision_one?.detection?.process?.file?.hash?.sha256 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hosts
+ value: '{{{host.hostname}}}'
+ if: ctx.host?.hostname != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hosts
+ value: '{{{host.name}}}'
+ if: ctx.host?.name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hosts
+ value: '{{{observer.hostname}}}'
+ if: ctx.observer?.hostname != null
+ allow_duplicates: false
+ ignore_failure: true
+ - foreach:
+ field: destination.ip
+ processor:
+ append:
+ field: related.ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: source.ip
+ processor:
+ append:
+ field: related.ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: trend_micro_vision_one.detection.device.ip
+ processor:
+ append:
+ field: related.ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: trend_micro_vision_one.detection.interested.ip
+ processor:
+ append:
+ field: related.ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: trend_micro_vision_one.detection.peer.ip
+ processor:
+ append:
+ field: related.ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - foreach:
+ field: client.ip
+ processor:
+ append:
+ field: related.ip
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ ignore_missing: true
+ ignore_failure: true
+ - remove:
+ field:
+ - trend_micro_vision_one.detection.domain.name
+ - trend_micro_vision_one.detection.destination.ip
+ - trend_micro_vision_one.detection.destination.port
+ - trend_micro_vision_one.detection.action
+ - trend_micro_vision_one.detection.event_id
+ - trend_micro_vision_one.detection.object.file.hash.md5
+ - trend_micro_vision_one.detection.object.file.hash.sha1
+ - trend_micro_vision_one.detection.object.file.hash.sha256
+ - trend_micro_vision_one.detection.file_name
+ - trend_micro_vision_one.detection.file_path_name
+ - trend_micro_vision_one.detection.file_size
+ - trend_micro_vision_one.detection.hostname
+ - trend_micro_vision_one.detection.endpoint.guid
+ - trend_micro_vision_one.detection.endpoint.ip
+ - trend_micro_vision_one.detection.endpoint.mac
+ - trend_micro_vision_one.detection.endpoint.hostname
+ - trend_micro_vision_one.detection.http_referer
+ - trend_micro_vision_one.detection.severity_level
+ - trend_micro_vision_one.detection.device.direction
+ - trend_micro_vision_one.detection.protocol
+ - trend_micro_vision_one.detection.device.host
+ - trend_micro_vision_one.detection.device.mac
+ - trend_micro_vision_one.detection.process.cmd
+ - trend_micro_vision_one.detection.process.name
+ - trend_micro_vision_one.detection.process.pid
+ - trend_micro_vision_one.detection.source.ip
+ - trend_micro_vision_one.detection.source.port
+ - trend_micro_vision_one.detection.tactic_id
+ - trend_micro_vision_one.detection.request_client_application
+ - trend_micro_vision_one.detection.file_type
+ - trend_micro_vision_one.detection.os.name
+ - trend_micro_vision_one.detection.user.domain
+ - trend_micro_vision_one.detection.client_ip
+ if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source:
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == '') {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+on_failure:
+- append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/trend_micro_vision_one/data_stream/detection/fields/agent.yml b/packages/trend_micro_vision_one/data_stream/detection/fields/agent.yml
new file mode 100644
index 00000000000..e313ec82874
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/detection/fields/agent.yml
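Review bot: The `uri_parts` processor on `trend_micro_vision_one.detection.request` is the only field-reading step without `ignore_missing: true`, so any detection that carries no `request` value (endpoint events such as the INTEGRITY_MONITORING_EVENT sample) fails that step and gets a spurious `error.message` entry rather than being skipped; add `ignore_missing: true` under its `field:` line as every rename/convert here already does. The `set` of `url.request` from `request_client_application` followed by `user_agent: field: url.request` parks the user-agent string in a non-ECS field that, judging by the expected output above (no `url.request` survives once uri_parts has run), is overwritten when `request` is present and presumably left behind when it is not; pointing the user_agent processor at `trend_micro_vision_one.detection.request_client_application` directly removes the scratch field. The `json.fileType` rename and `file.type` set appear twice back to back near the end of the field mapping; the second pair is dead code. The header still reads `Pipeline for processing Trend Micro Vision One Alert logs.` although this is the detection data stream.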
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/trend_micro_vision_one/data_stream/detection/fields/base-fields.yml b/packages/trend_micro_vision_one/data_stream/detection/fields/base-fields.yml
new file mode 100644
index 00000000000..d144d282f15
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/detection/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: trend_micro_vision_one.detection
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: trend_micro_vision_one
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/trend_micro_vision_one/data_stream/detection/fields/ecs.yml b/packages/trend_micro_vision_one/data_stream/detection/fields/ecs.yml
new file mode 100644
index 00000000000..ff82058f954
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/detection/fields/ecs.yml
@@ -0,0 +1,92 @@
+- external: ecs
+ name: client.ip
+- external: ecs
+ name: destination.domain
+- external: ecs
+ name: destination.ip
+- external: ecs
+ name: destination.port
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.severity
+- external: ecs
+ name: event.type
+- external: ecs
+ name: file.hash.md5
+- external: ecs
+ name: file.hash.sha1
+- external: ecs
+ name: file.hash.sha256
+- external: ecs
+ name: file.name
+- external: ecs
+ name: file.path
+- external: ecs
+ name: file.size
+- external: ecs
+ name: file.type
+- external: ecs
+ name: http.request.referrer
+- external: ecs
+ name: network.direction
+- external: ecs
+ name: network.protocol
+- external: ecs
+ name: observer.hostname
+- external: ecs
+ name: observer.mac
+- external: ecs
+ name: os.name
+- external: ecs
+ name: process.command_line
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.pid
+- external: ecs
+ name: related.hash
+- external: ecs
+ name: related.hosts
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: source.port
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.tactic.id
+- external: ecs
+ name: url.domain
+- external: ecs
+ name: url.original
+- external: ecs
+ name: url.path
+- external: ecs
+ name: url.scheme
+- external: ecs
+ name: user.domain
+- external: ecs
+ name: user_agent.device.name
+- external: ecs
+ name: user_agent.name
+- external: ecs
+ name: user_agent.original
+- external: ecs
+ name: user_agent.os.full
+- external: ecs
+ name: user_agent.os.name
+- external: ecs
+ name: user_agent.os.version
+- external: ecs
+ name: user_agent.version
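Review bot: `os.name` is declared here as an external ECS field at the document root, but ECS defines the `os.*` field set only nested under `host`, `observer` and `user_agent`, so a root-level `os.name` is not a field ECS-aware consumers or dashboards will recognise. If the ingest pipeline (outside this hunk) copies `trend_micro_vision_one.detection.os.name` to `os.name`, the intended target is `host.os.name` and this entry should read `name: host.os.name`, with the pipeline adjusted to match. The sample event in this commit carries no `os` object at all, so the actual target cannot be confirmed from this page.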
diff --git a/packages/trend_micro_vision_one/data_stream/detection/fields/fields.yml b/packages/trend_micro_vision_one/data_stream/detection/fields/fields.yml
new file mode 100644
index 00000000000..d4d7aeba24d
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/detection/fields/fields.yml
@@ -0,0 +1,405 @@
+- name: trend_micro_vision_one.detection
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ description: Action by detect product.
+ - name: action_result
+ type: keyword
+ description: Action result by detect product.
+ - name: aggregated_count
+ type: long
+ description: Aggregated count.
+ - name: behavior_category
+ type: keyword
+ description: The matched policy category (policy section) in the BM patterns, which will always Grey-Detection here.
+ - name: block
+ type: keyword
+ description: blocking Reason.
+ - name: client_flag
+ type: keyword
+ description: 0:Unknown 1:src 2:dst.
+ - name: client_ip
+ type: ip
+ description: Client IP.
+ - name: component_version
+ type: keyword
+ description: Product component version.
+ - name: compressed_file_size
+ type: long
+ description: File size after compressed.
+ - name: destination
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: Destination IP address.
+ - name: ip_group
+ type: keyword
+ description: Destination IP address group.
+ - name: port
+ type: long
+ description: Destination port.
+ - name: detection
+ type: keyword
+ description: Yes (Tag it when it appears and the value is 1).
+ - name: detection_source
+ type: keyword
+ description: Detection source use by Deep Discovery Inspector.
+ - name: detection_type
+ type: keyword
+ description: Product detection type.
+ - name: device
+ type: group
+ fields:
+ - name: direction
+ type: keyword
+ description: '0: inbound 1: outbound 2: unknown (If cannot be parsed correctly, 2 is assigned).'
+ - name: guid
+ type: keyword
+ description: Device GUID.
+ - name: host
+ type: keyword
+ description: device host.
+ - name: id
+ type: keyword
+ description: Device identity.
+ - name: ip
+ type: ip
+ description: Devices ip list.
+ - name: mac
+ type: keyword
+ description: Mac address.
+ - name: process_name
+ type: keyword
+ description: Process name in device.
+ - name: domain
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: Domain name.
+ - name: end_time
+ type: date
+ description: End time.
+ - name: endpoint
+ type: group
+ fields:
+ - name: guid
+ type: keyword
+ description: endpoint GUID for identity.
+ - name: hostname
+ type: keyword
+ description: Hostname of the endpoint on which the event was generated.
+ - name: ip
+ type: ip
+ description: Endpoint IP address list.
+ - name: mac
+ type: keyword
+ description: Endpoint Mac address.
+ - name: engine_type
+ type: keyword
+ description: Product scan engine type.
+ - name: engine_version
+ type: keyword
+ description: Product scan engine version.
+ - name: event_id
+ type: keyword
+ description: Event ID.
+ - name: event_name
+ type: keyword
+ description: Predefined event enumerator.
+ - name: event_time_dt
+ type: date
+ description: Detect time.
+ - name: file_hash
+ type: keyword
+ description: Detect file hash value.
+ - name: file_name
+ type: keyword
+ description: Detect file name.
+ - name: file_operation
+ type: keyword
+ description: Operation for detect file.
+ - name: file_path
+ type: keyword
+ description: Full file path without file name.
+ - name: file_path_name
+ type: keyword
+ description: Full file path.
+ - name: file_size
+ type: long
+ description: Detect file size.
+ - name: file_type
+ type: keyword
+ description: Detect file type.
+ - name: first_action
+ type: keyword
+ description: First action.
+ - name: first_action_result
+ type: keyword
+ description: First action result.
+ - name: full_path
+ type: keyword
+ description: File full path.
+ - name: hostname
+ type: keyword
+ description: host name.
+ - name: http_referer
+ type: keyword
+ description: http referer url.
+ - name: interested
+ type: group
+ fields:
+ - name: host
+ type: keyword
+ description: Highlighted indicator for incident response members.
+ - name: ip
+ type: ip
+ description: Highlighted indicator for incident response members.
+ - name: mac
+ type: keyword
+ description: Highlighted indicator for incident response members.
+ - name: malware_name
+ type: keyword
+ description: Malware name.
+ - name: malware_type
+ type: keyword
+ description: Malware type.
+ - name: mime_type
+ type: keyword
+ description: Mime type.
+ - name: mproduct
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: Product name.
+ - name: version
+ type: keyword
+ description: Product Version.
+ - name: object
+ type: group
+ fields:
+ - name: cmd
+ type: keyword
+ description: The command line that a process detected by Attack Discovery uses to execute other processes.
+ - name: file
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: File Hash Md5 value.
+ - name: sha1
+ type: keyword
+ description: File Hash Sha1 value.
+ - name: sha256
+ type: keyword
+ description: File Hash Sha256 value.
+ - name: name
+ type: keyword
+ description: File name.
+ - name: path
+ type: keyword
+ description: File path.
+ - name: name
+ type: keyword
+ description: Detect object name.
+ - name: pid
+ type: long
+ description: Detect object Pid.
+ - name: signer
+ type: keyword
+ description: Signer.
+ - name: os
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'Supported values: Linux, Windows, macOS, macOSX.'
+ - name: parent
+ type: group
+ fields:
+ - name: cmd
+ type: keyword
+ description: The command line that parent process.
+ - name: file
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: sha1
+ type: keyword
+ description: Parent file sha1.
+ - name: sha256
+ type: keyword
+ description: Parent file sha256.
+ - name: path
+ type: keyword
+ description: Parent file path.
+ - name: peer
+ type: group
+ fields:
+ - name: host
+ type: keyword
+ description: Peer host name.
+ - name: ip
+ type: ip
+ description: Peer ip list.
+ - name: policy
+ type: group
+ fields:
+ - name: logkey
+ type: keyword
+ description: Policy logkey.
+ - name: name
+ type: keyword
+ description: Policy name.
+ - name: uuid
+ type: keyword
+ description: Policy uuid.
+ - name: principal_name
+ type: keyword
+ description: Principal name.
+ - name: process
+ type: group
+ fields:
+ - name: cmd
+ type: keyword
+ description: The command line used to launch this process.
+ - name: file
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: Process file hash MD5 value.
+ - name: sha1
+ type: keyword
+ description: Process file hash Sha1 value.
+ - name: sha256
+ type: keyword
+ description: Process file hash Sha256 value.
+ - name: path
+ type: keyword
+ description: The process file path.
+ - name: name
+ type: keyword
+ description: Process name.
+ - name: pid
+ type: long
+ description: Process Pid.
+ - name: signer
+ type: keyword
+ description: Process signer.
+ - name: product
+ type: group
+ fields:
+ - name: code
+ type: keyword
+ description: Product code name.
+ - name: name
+ type: keyword
+ description: product name.
+ - name: version
+ type: keyword
+ description: Product version.
+ - name: profile
+ type: keyword
+ description: Profile
+ - name: protocol
+ type: keyword
+ description: Protocol detect by Deep Discovery Inspector.
+ - name: protocol_group
+ type: keyword
+ description: Protocol group detect by Deep Discovery Inspector.
+ - name: related_apt
+ type: boolean
+ description: 0:False, 1:True.
+ - name: request
+ type: keyword
+ description: URL.
+ - name: request_base
+ type: keyword
+ description: Request base.
+ - name: request_client_application
+ type: keyword
+ description: Browser user agent.
+ - name: risk_level
+ type: long
+ description: SLF_CCCA_RISKLEVEL_UNKNOWN (0) SLF_CCCA_RISKLEVEL_LOW (1) SLF_CCCA_RISKLEVEL_MEDIUM (2) SLF_CCCA_RISKLEVEL_HIGH (3).
+ - name: rt
+ type: date
+ description: Detect time.
+ - name: rt_utc
+ type: date
+ description: Detect utc time.
+ - name: search_data_lake
+ type: keyword
+ description: Datalake name.
+ - name: security_analytics
+ type: group
+ fields:
+ - name: engine
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: Security Analytics Engine.
+ - name: version
+ type: keyword
+ description: Security Analytics Engine version.
+ - name: sender
+ type: keyword
+ description: Sender.
+ - name: severity_level
+ type: long
+ description: severity score.
+ - name: source
+ type: group
+ fields:
+ - name: group
+ type: keyword
+ description: Source IP address group.
+ - name: ip
+ type: ip
+ description: Source IP address.
+ - name: port
+ type: long
+ description: Source port.
+ - name: sub_name
+ type: keyword
+ description: Detect event subscribe name.
+ - name: suid
+ type: keyword
+ description: Suid.
+ - name: tactic_id
+ type: keyword
+ description: Security Agent or product policy.
+ - name: tags
+ type: keyword
+ description: Detected by Security Analytics Engine filters.
+ - name: threat_name
+ type: keyword
+ description: Threat name.
+ - name: total_count
+ type: long
+ description: total count.
+ - name: url_cat
+ type: keyword
+ description: URL cat.
+ - name: user
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: User domain.
+ - name: uuid
+ type: keyword
+ description: Log unique id.
diff --git a/packages/trend_micro_vision_one/data_stream/detection/manifest.yml b/packages/trend_micro_vision_one/data_stream/detection/manifest.yml
new file mode 100644
index 00000000000..754ec9f9368
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/detection/manifest.yml
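Review bot: Several descriptions document the raw API's numeric encodings rather than the values this data stream actually stores: `client_flag` says `0:Unknown 1:src 2:dst.`, `device.direction` says `0: inbound 1: outbound 2: unknown`, and `related_apt` (type boolean) says `0:False, 1:True.`, while the sample event in this commit stores `"client_flag": "dst"`, `"direction": "outbound"` and `"related_apt": false`, so an analyst writing a query from the field reference would filter on values that never occur. `tactic_id` is described as `Security Agent or product policy.` although the sample carries `["TA0005"]` and ecs.yml copies the field to `threat.tactic.id`; suggest `description: MITRE ATT&CK tactic IDs associated with the detection.` The remaining descriptions mix capitalisation and punctuation (`blocking Reason.`, `device host.`, `product name.`, `Profile` with no period), which is worth normalising since they are rendered verbatim into the exported field table in the README.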
@@ -0,0 +1,57 @@
+title: Collect Detection logs from Trend Micro Vision One.
+type: logs
+streams:
+ - input: httpjson
+ title: Detection logs
+ description: Collect detection logs from Trend Micro Vision One.
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the detection from Trend Micro Vision One.
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the Trend Micro Vision One API.
+ default: 5m
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - trend_micro_vision_one_detection
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: true
+ title: Preserve duplicate custom fields
+ description: Preserve trend_micro_vision_one.detection fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json
new file mode 100644
index 00000000000..42aa5a9c7ad
--- /dev/null
+++ b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json 
@@ -0,0 +1,305 @@ +{ + "@timestamp": "2020-10-15T01:16:32.000Z", + "agent": { + "ephemeral_id": "f9918934-0175-4439-873b-b3c8c80eeacc", + "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.0" + }, + "data_stream": { + "dataset": "trend_micro_vision_one.detection", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "domain": "Workgroup", + "ip": [ + "81.2.69.142" + ], + "port": 53 + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "snapshot": true, + "version": "8.4.0" + }, + "event": { + "action": "clean", + "agent_id_status": "verified", + "category": [ + "intrusion_detection" + ], + "created": "2022-08-05T08:56:54.217Z", + "dataset": "trend_micro_vision_one.detection", + "id": "100117", + "ingested": "2022-08-05T08:56:57Z", + "kind": "event", + "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, 
x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch 
-p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", + "severity": 50, + "type": [ + "info" + ] + }, + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "name": [ + "Unconfirmed 145081.crdownload" + ], + "path": "/etc/systemd/system/snap-xxxx-1246.xxxx", + "size": 0 + }, + "host": { + "hostname": "samplehost", + "id": "1234-1234-1234", + "ip": [ + "81.2.69.142" + ], + "mac": "00-00-5E-00-53-23", + "name": "abc-docker" + }, + "http": { + "request": { + "referrer": "http://www.example.com/" + } + }, + "input": { + 
"type": "httpjson" + }, + "network": { + "direction": "outbound", + "protocol": "http" + }, + "observer": { + "hostname": "samplehost", + "mac": "00-00-5E-00-53-23" + }, + "process": { + "command_line": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", + "name": "string", + "pid": 0 + }, + "related": { + "hash": [ + "761AEFF7E6B110970285B9C20C9E1DCA", + "00496B4D53CEFE031B9702B3385C9F4430999932", + "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7", + "3395856ce81f2b7382dee72602f798b642f14140" + ], + "hosts": [ + "samplehost", + "abc-docker" + ], + "ip": [ + "81.2.69.142", + "81.2.69.192" + ] + }, + "source": { + "ip": "81.2.69.192", + "port": 58871 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "trend_micro_vision_one_detection" + ], + "threat": { + "tactic": { + "id": [ + "TA0005" + ] + } + }, + "trend_micro_vision_one": { + "detection": { + "action": "Clean", + "action_result": "Quarantined successfully", + "behavior_category": "Grey-Detection", + "block": "Web reputation", + "client_flag": "dst", + "component_version": [ + "PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00" + ], + "compressed_file_size": 0, + "destination": { + "ip": [ + "81.2.69.142" + ], + "ip_group": "Default", + "port": 53 + }, + "detection": "Yes", + "detection_source": "GLOBAL_INTELLIGENCE", + "detection_type": "File", + "device": { + "direction": "outbound", + "guid": "C5B09EDD-C725-907F-29D9-B8C30D18C48F", + "host": "samplehost", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "81.2.69.192" + ], + "mac": "00-00-5E-00-53-23", + "process_name": "/snap/core/10126/usr/lib/snapd/snapd" + }, + "domain": { + "name": "Workgroup" + }, + "end_time": "2021-09-30T17:40:04.000Z", + "endpoint": { + "guid": "1234-1234-1234", + "hostname": "abc-docker", + "ip": [ + "81.2.69.142" + ], + "mac": "00-00-5E-00-53-23" + }, + "engine_type": "Virus Scan Engine (OS 2003, x64)", + "engine_version": "12.500.1004", + 
"event_id": "100117", + "event_name": "INTEGRITY_MONITORING_EVENT", + "event_time_dt": "2021-06-10T01:38:38.000Z", + "file_hash": "3395856ce81f2b7382dee72602f798b642f14140", + "file_name": [ + "Unconfirmed 145081.crdownload" + ], + "file_operation": "Deleted", + "file_path": "/etc/systemd/system", + "file_path_name": "/etc/systemd/system/snap-xxxx-1246.xxxx", + "file_size": 0, + "first_action": "Clean", + "first_action_result": "Unable to clean file", + "full_path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 145081.crdownload", + "hostname": "samplehost", + "http_referer": "http://www.example.com/", + "interested": { + "host": "abc-docker", + "ip": [ + "81.2.69.192" + ], + "mac": "00-00-5E-00-53-23" + }, + "malware_name": "Eicar_test_1", + "malware_type": "Virus/Malware", + "mproduct": { + "name": "Cloud One - Workload Security", + "version": "Deep Security/20.0.222" + }, + "object": { + "cmd": [ + "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe --profile-directory=Default" + ], + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "name": "Unconfirmed 142899.crdownload:SmartScreen", + "path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 142899.crdownload:SmartScreen" + }, + "name": "CloudEndpointService.exe", + "pid": 7660, + "signer": [ + "OS" + ] + }, + "parent": { + "cmd": "C:\\\\os\\\\system32\\\\svchost.exe -k DcomLaunch -p", + "file": { + "hash": { + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "path": "C:\\\\os\\\\System32\\\\svchost.exe" + } + }, + "peer": { + "host": "samplehost", + "ip": [ + "81.2.69.192" + ] + }, + "process": { + "cmd": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + 
"sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "path": "C:\\\\Program Files (x86)\\\\os\\\\Application\\\\msedge.exe" + }, + "name": "string", + "pid": 0, + "signer": "OS Publisher" + }, + "product": { + "code": "sao", + "name": "Apex One", + "version": "20.0.0.877" + }, + "protocol": "HTTP", + "protocol_group": "HTTP", + "related_apt": false, + "request": "https://example.com", + "request_client_application": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", + "risk_level": 3, + "rt": "2020-10-15T01:16:32.000Z", + "rt_utc": "2020-10-15T01:16:32.000Z", + "search_data_lake": "DDL", + "security_analytics": { + "engine": { + "name": [ + "T1090 (TA0005)" + ], + "version": "v6" + } + }, + "severity_level": 50, + "source": { + "group": "Default", + "ip": "81.2.69.192", + "port": 58871 + }, + "sub_name": "Attack Discovery", + "tactic_id": [ + "TA0005" + ], + "tags": [ + "XSAE.F2140", + "XSAE.F3066" + ], + "threat_name": "Malicious_identified_CnC_querying_on_UDP_detected", + "total_count": 1, + "uuid": "1234-1234-1234" + } + }, + "url": { + "domain": "example.com", + "original": "https://example.com", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Mobile Safari", + "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", + "os": { + "full": "iOS 12.1", + "name": "iOS", + "version": "12.1" + }, + "version": "12.0" + } +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/docs/README.md b/packages/trend_micro_vision_one/docs/README.md new file mode 100644 index 00000000000..8e11170eae8 --- /dev/null +++ b/packages/trend_micro_vision_one/docs/README.md 
@@ -0,0 +1,965 @@
+# Trend Micro Vision One
+
+## Overview
+
+The [Trend Micro Vision One](https://www.trendmicro.com/en_in/business/products/detection-response.html) integration allows you to monitor Alert, Audit, and Detection activity. Trend Micro Vision One refers to the ability to do detection and response across email, endpoints, servers, cloud workloads, and networks via a single Trend Micro Vision One platform or the managed Trend Micro Vision One service.
+
+Use the Trend Micro Vision One integration to collects and parses data from the REST APIs. Then visualize that data in Kibana.
+
+## Data streams
+
+The Trend Micro Vision One integration collects three types of data streams: Alert, Audit, and Detection.
+
+**Alert** Displays information about workbench alerts. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/~1v3.0~1workbench~1alerts/get).
+
+**Audit** Displays log entries that match the specified search criteria. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Audit-Logs).
+
+**Detection** Displays search results from the Detection Data source. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1detections/get).
+
+## Requirements
+
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your hardware.
+
+This module has been tested against `Trend Micro Vision One API version 3.0`.
+
+**Note:** The authentication token generated by a user expires one year after being generated.
+
+## Setup
+
+### To collect data from Trend Micro Vision One APIs, the user must have API Token. To create an API token follow the below steps:
+
+1. Log on to the Trend Micro Vision One console.
+2. Go to **Administration -> User Accounts**.
+![Trend Micro Vision One console](../img/trend-micro-vision-one-console.png)
+3. Click on the account name having appropriate API access permission to generate an API token.
+![Trend Micro Vision One generate API token ](../img/trend-micro-vision-one-api-token-generate.png)
+4. Copy the Authentication token.
+
+## Logs Reference
+
+### alert
+
+This is the `alert` dataset.
+
+#### Example
+
+An example event for `alert` looks as following:
+
+```json
+{
+ "@timestamp": "2030-04-30T00:01:16.000Z",
+ "agent": {
+ "ephemeral_id": "2c4b19a6-8652-4d61-8fb4-b6e544c17d09",
+ "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.4.0"
+ },
+ "data_stream": {
+ "dataset": "trend_micro_vision_one.alert",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.4.0"
+ },
+ "elastic_agent": {
+ "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575",
+ "snapshot": true,
+ "version": "8.4.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "email"
+ ],
+ "created": "2022-08-05T08:53:29.385Z",
+ "dataset": "trend_micro_vision_one.alert",
+ "id": "WB-9002-20200427-0002",
+ "ingested": "2022-08-05T08:53:35Z",
+ "kind": "alert",
+ "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request 
url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", + "severity": 63, + "type": [ + "info" + ] + }, + "input": { + "type": "httpjson" + }, + "log": { + "level": "critical" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "trend_micro_vision_one_alert" + ], + "trend_micro_vision_one": { + "alert": { + "alert_provider": "SAE", + "created_date": "2020-04-30T00:01:15.000Z", + "description": "A backdoor was possibly implanted after a user received a possible spear phishing email message.", + "id": "WB-9002-20200427-0002", + "impact_scope": { + "account_count": 0, + "desktop_count": 0, + "email_address_count": 0, + "entities": [ + { + "id": "5257b401-2fd7-469c-94fa-39a4f11eb925", + "provenance": [ + "Alert" + ], + "related_entities": [ + "CODERED\\\\user" + ], + "related_indicator_id": [ + 1 + ], + "type": "host", + "value": { + "account_value": "user@email.com" + } + } + ], + "server_count": 0 + }, + "indicators": [ + { + "field": "request url", + "filter_id": [ + "f862df72-7f5e-4b2b-9f7f-9148e875f908" + ], + "id": 1, + "provenance": [ + "Alert" + ], + "related_entities": [ + "user@example.com" + ], + 
"type": "url", + "value": "http://www.example.com/ab001.zip" + } + ], + "investigation_status": "New", + "matched_rule": [ + { + "filter": [ + { + "date": "2019-08-02T04:00:01.000Z", + "events": [ + { + "date": "2019-08-02T04:00:01.000Z", + "type": "TELEMETRY_REGISTRY", + "uuid": "fa9ff47c-e1b8-459e-a3d0-a5b104b854a5" + } + ], + "id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e", + "mitre_technique_id": [ + "T1192" + ], + "name": "(T1192) Spearphishing Link" + } + ], + "id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b", + "name": "Possible SpearPhishing Email" + } + ], + "model": "Possible APT Attack", + "schema_version": "1.0", + "score": 63, + "severity": "critical", + "workbench_link": "https://THE_WORKBENCH_URL" + } + }, + "url": { + "original": "https://THE_WORKBENCH_URL", + "scheme": "https" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. 
| keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Log offset | long | +| related.ip | All of the IPs seen on your event. | ip | +| tags | List of keywords used to tag each event. | keyword | +| trend_micro_vision_one.alert.alert_provider | Alert provider. | keyword | +| trend_micro_vision_one.alert.campaign | An object-ref to a campaign object. | keyword | +| trend_micro_vision_one.alert.created_by | Created by. | keyword | +| trend_micro_vision_one.alert.created_date | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC) that indicates the created date time of the alert. | date | +| trend_micro_vision_one.alert.description | Description of the detection model that triggered the alert. | keyword | +| trend_micro_vision_one.alert.id | Workbench ID. | keyword | +| trend_micro_vision_one.alert.impact_scope.account_count | Count of affected account. | long | +| trend_micro_vision_one.alert.impact_scope.desktop_count | Count of affected desktop. | long | +| trend_micro_vision_one.alert.impact_scope.email_address_count | Count of affected email address. | long | +| trend_micro_vision_one.alert.impact_scope.entities.value.account_value | Account or emailAddress. | keyword | +| trend_micro_vision_one.alert.impact_scope.entities.value.guid | GUID. | keyword | +| trend_micro_vision_one.alert.impact_scope.entities.value.id | Impact scope entity id. | keyword | +| trend_micro_vision_one.alert.impact_scope.entities.value.ips | Set of IPs. | ip | +| trend_micro_vision_one.alert.impact_scope.entities.value.name | Host name. | keyword | +| trend_micro_vision_one.alert.impact_scope.entities.value.related_entities | Related entities. | keyword | +| trend_micro_vision_one.alert.impact_scope.entities.value.related_indicator_id | Related indicator ids. 
| long | +| trend_micro_vision_one.alert.impact_scope.entities.value.type | Impact scope entity type. | keyword | +| trend_micro_vision_one.alert.impact_scope.server_count | Count of affected server. | long | +| trend_micro_vision_one.alert.indicators.field | Detailed description of the indicator. | keyword | +| trend_micro_vision_one.alert.indicators.filter_id | Related matched filter ids. | keyword | +| trend_micro_vision_one.alert.indicators.first_seen_date | First seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date | +| trend_micro_vision_one.alert.indicators.id | Indicator ID. | keyword | +| trend_micro_vision_one.alert.indicators.last_seen_date | Last seen date times from related entities, datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date | +| trend_micro_vision_one.alert.indicators.matched_indicator.pattern_id | Matched indicator pattern ids. | keyword | +| trend_micro_vision_one.alert.indicators.provenance | Provenance. | keyword | +| trend_micro_vision_one.alert.indicators.related_entities | Related entities. | keyword | +| trend_micro_vision_one.alert.indicators.type | Indicator type. | keyword | +| trend_micro_vision_one.alert.indicators.value | Indicator value. | keyword | +| trend_micro_vision_one.alert.industry | Industry. | keyword | +| trend_micro_vision_one.alert.investigation_status | Workbench alert status. | keyword | +| trend_micro_vision_one.alert.matched_indicator_count | Matched indicator pattern count. | long | +| trend_micro_vision_one.alert.matched_indicators_pattern.id | Pattern ID. | keyword | +| trend_micro_vision_one.alert.matched_indicators_pattern.matched_log | Pattern matched log. | keyword | +| trend_micro_vision_one.alert.matched_indicators_pattern.pattern | STIX indicator will be a pattern. | keyword | +| trend_micro_vision_one.alert.matched_indicators_pattern.tags | Tags defined by STIX. 
| keyword | +| trend_micro_vision_one.alert.matched_rule.filter.date | Datetime in ISO 8601 format (yyyy-MM-ddThh:mm:ssZ in UTC). | date | +| trend_micro_vision_one.alert.matched_rule.filter.events.date | Matched event date. | date | +| trend_micro_vision_one.alert.matched_rule.filter.events.event_uuid | Matched event uuid. | keyword | +| trend_micro_vision_one.alert.matched_rule.filter.id | Matched filter id. | keyword | +| trend_micro_vision_one.alert.matched_rule.filter.mitre_technique_id | Mitre technique id. | keyword | +| trend_micro_vision_one.alert.matched_rule.filter.name | Filter name. | keyword | +| trend_micro_vision_one.alert.matched_rule.id | The rules are triggered. | keyword | +| trend_micro_vision_one.alert.matched_rule.name | Matched rule name. | keyword | +| trend_micro_vision_one.alert.model | Name of the detection model that triggered the alert. | keyword | +| trend_micro_vision_one.alert.region_and_country | region/country. | keyword | +| trend_micro_vision_one.alert.report_link | A refrerence url which links to the report details analysis. For TrendMico research report, the link would link to trend blog. | keyword | +| trend_micro_vision_one.alert.schema_version | The version of the JSON schema, not the version of alert trigger content. | keyword | +| trend_micro_vision_one.alert.score | Overall severity assigned to the alert based on the severity of the matched detection model and the impact scope. | long | +| trend_micro_vision_one.alert.severity | Workbench alert severity. | keyword | +| trend_micro_vision_one.alert.total_indicator_count | Total indicator pattern count. | long | +| trend_micro_vision_one.alert.workbench_link | Workbench URL. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | + + +### audit + +This is the `audit` dataset. 
+
+#### Example
+
+An example event for `audit` looks as following:
+
+```json
+{
+ "@timestamp": "2022-02-24T07:29:48.000Z",
+ "agent": {
+ "ephemeral_id": "680afd6e-4f98-4136-83fb-4216ea972672",
+ "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.4.0"
+ },
+ "data_stream": {
+ "dataset": "trend_micro_vision_one.audit",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.4.0"
+ },
+ "elastic_agent": {
+ "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575",
+ "snapshot": true,
+ "version": "8.4.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "authentication"
+ ],
+ "created": "2022-08-05T08:55:09.322Z",
+ "dataset": "trend_micro_vision_one.audit",
+ "ingested": "2022-08-05T08:55:12Z",
+ "kind": "event",
+ "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}",
+ "outcome": "failure",
+ "type": [
+ "info"
+ ]
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "user": [
+ "Root Account"
+ ]
+ },
+ "source": {
+ "user": {
+ "name": "Root Account",
+ "roles": "Master Administrator"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields",
+ "forwarded",
+ "trend_micro_vision_one_audit"
+ ],
+ "trend_micro_vision_one": {
+ "audit": {
+ "access_type": "Console",
+ "activity": "string",
+ "category": "Logon and Logoff",
+ "details": {
+ "property1": "string",
+ "property2": "string"
+ },
+ "logged_role": "Master Administrator",
+ "logged_user": "Root Account",
+ "result": "Unsuccessful"
+ }
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset. | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module. | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.user.name | Short name or login of the user. | keyword |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
+| source.user.roles | Array of user roles at the time of the event. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| trend_micro_vision_one.audit.access_type | Source of the activity. | keyword |
+| trend_micro_vision_one.audit.activity | The activity that was performed. | keyword |
+| trend_micro_vision_one.audit.category | Category. | keyword |
+| trend_micro_vision_one.audit.details | Object that contains a list of elements to be retrieved from the "details" field. | flattened |
+| trend_micro_vision_one.audit.logged_role | Role of the account. | keyword |
+| trend_micro_vision_one.audit.logged_user | The account that was used to perform the activity. | keyword |
+| trend_micro_vision_one.audit.result | Result. | keyword |
+
+
+### detection
+
+This is the `detection` dataset.
+ +#### Example + +An example event for `detection` looks as following: + +```json +{ + "@timestamp": "2020-10-15T01:16:32.000Z", + "agent": { + "ephemeral_id": "f9918934-0175-4439-873b-b3c8c80eeacc", + "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.0" + }, + "data_stream": { + "dataset": "trend_micro_vision_one.detection", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "domain": "Workgroup", + "ip": [ + "81.2.69.142" + ], + "port": 53 + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "snapshot": true, + "version": "8.4.0" + }, + "event": { + "action": "clean", + "agent_id_status": "verified", + "category": [ + "intrusion_detection" + ], + "created": "2022-08-05T08:56:54.217Z", + "dataset": "trend_micro_vision_one.detection", + "id": "100117", + "ingested": "2022-08-05T08:56:57Z", + "kind": "event", + "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, 
x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch 
-p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", + "severity": 50, + "type": [ + "info" + ] + }, + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "name": [ + "Unconfirmed 145081.crdownload" + ], + "path": "/etc/systemd/system/snap-xxxx-1246.xxxx", + "size": 0 + }, + "host": { + "hostname": "samplehost", + "id": "1234-1234-1234", + "ip": [ + "81.2.69.142" + ], + "mac": "00-00-5E-00-53-23", + "name": "abc-docker" + }, + "http": { + "request": { + "referrer": "http://www.example.com/" + } + }, + "input": { + 
"type": "httpjson" + }, + "network": { + "direction": "outbound", + "protocol": "http" + }, + "observer": { + "hostname": "samplehost", + "mac": "00-00-5E-00-53-23" + }, + "process": { + "command_line": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", + "name": "string", + "pid": 0 + }, + "related": { + "hash": [ + "761AEFF7E6B110970285B9C20C9E1DCA", + "00496B4D53CEFE031B9702B3385C9F4430999932", + "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7", + "3395856ce81f2b7382dee72602f798b642f14140" + ], + "hosts": [ + "samplehost", + "abc-docker" + ], + "ip": [ + "81.2.69.142", + "81.2.69.192" + ] + }, + "source": { + "ip": "81.2.69.192", + "port": 58871 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "trend_micro_vision_one_detection" + ], + "threat": { + "tactic": { + "id": [ + "TA0005" + ] + } + }, + "trend_micro_vision_one": { + "detection": { + "action": "Clean", + "action_result": "Quarantined successfully", + "behavior_category": "Grey-Detection", + "block": "Web reputation", + "client_flag": "dst", + "component_version": [ + "PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00" + ], + "compressed_file_size": 0, + "destination": { + "ip": [ + "81.2.69.142" + ], + "ip_group": "Default", + "port": 53 + }, + "detection": "Yes", + "detection_source": "GLOBAL_INTELLIGENCE", + "detection_type": "File", + "device": { + "direction": "outbound", + "guid": "C5B09EDD-C725-907F-29D9-B8C30D18C48F", + "host": "samplehost", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "81.2.69.192" + ], + "mac": "00-00-5E-00-53-23", + "process_name": "/snap/core/10126/usr/lib/snapd/snapd" + }, + "domain": { + "name": "Workgroup" + }, + "end_time": "2021-09-30T17:40:04.000Z", + "endpoint": { + "guid": "1234-1234-1234", + "hostname": "abc-docker", + "ip": [ + "81.2.69.142" + ], + "mac": "00-00-5E-00-53-23" + }, + "engine_type": "Virus Scan Engine (OS 2003, x64)", + "engine_version": "12.500.1004", + 
"event_id": "100117", + "event_name": "INTEGRITY_MONITORING_EVENT", + "event_time_dt": "2021-06-10T01:38:38.000Z", + "file_hash": "3395856ce81f2b7382dee72602f798b642f14140", + "file_name": [ + "Unconfirmed 145081.crdownload" + ], + "file_operation": "Deleted", + "file_path": "/etc/systemd/system", + "file_path_name": "/etc/systemd/system/snap-xxxx-1246.xxxx", + "file_size": 0, + "first_action": "Clean", + "first_action_result": "Unable to clean file", + "full_path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 145081.crdownload", + "hostname": "samplehost", + "http_referer": "http://www.example.com/", + "interested": { + "host": "abc-docker", + "ip": [ + "81.2.69.192" + ], + "mac": "00-00-5E-00-53-23" + }, + "malware_name": "Eicar_test_1", + "malware_type": "Virus/Malware", + "mproduct": { + "name": "Cloud One - Workload Security", + "version": "Deep Security/20.0.222" + }, + "object": { + "cmd": [ + "C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe --profile-directory=Default" + ], + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "name": "Unconfirmed 142899.crdownload:SmartScreen", + "path": "C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 142899.crdownload:SmartScreen" + }, + "name": "CloudEndpointService.exe", + "pid": 7660, + "signer": [ + "OS" + ] + }, + "parent": { + "cmd": "C:\\\\os\\\\system32\\\\svchost.exe -k DcomLaunch -p", + "file": { + "hash": { + "sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "path": "C:\\\\os\\\\System32\\\\svchost.exe" + } + }, + "peer": { + "host": "samplehost", + "ip": [ + "81.2.69.192" + ] + }, + "process": { + "cmd": "-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca", + "file": { + "hash": { + "md5": "761AEFF7E6B110970285B9C20C9E1DCA", + 
"sha1": "00496B4D53CEFE031B9702B3385C9F4430999932", + "sha256": "7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7" + }, + "path": "C:\\\\Program Files (x86)\\\\os\\\\Application\\\\msedge.exe" + }, + "name": "string", + "pid": 0, + "signer": "OS Publisher" + }, + "product": { + "code": "sao", + "name": "Apex One", + "version": "20.0.0.877" + }, + "protocol": "HTTP", + "protocol_group": "HTTP", + "related_apt": false, + "request": "https://example.com", + "request_client_application": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", + "risk_level": 3, + "rt": "2020-10-15T01:16:32.000Z", + "rt_utc": "2020-10-15T01:16:32.000Z", + "search_data_lake": "DDL", + "security_analytics": { + "engine": { + "name": [ + "T1090 (TA0005)" + ], + "version": "v6" + } + }, + "severity_level": 50, + "source": { + "group": "Default", + "ip": "81.2.69.192", + "port": 58871 + }, + "sub_name": "Attack Discovery", + "tactic_id": [ + "TA0005" + ], + "tags": [ + "XSAE.F2140", + "XSAE.F3066" + ], + "threat_name": "Malicious_identified_CnC_querying_on_UDP_detected", + "total_count": 1, + "uuid": "1234-1234-1234" + } + }, + "url": { + "domain": "example.com", + "original": "https://example.com", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Mobile Safari", + "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", + "os": { + "full": "iOS 12.1", + "name": "iOS", + "version": "12.1" + }, + "version": "12.0" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| os.name | Operating system name, without the version. | keyword | +| os.name.text | Multi-field of `os.name`. | match_only_text | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| trend_micro_vision_one.detection.action | Action by detect product. | keyword | +| trend_micro_vision_one.detection.action_result | Action result by detect product. | keyword | +| trend_micro_vision_one.detection.aggregated_count | Aggregated count. | long | +| trend_micro_vision_one.detection.behavior_category | The matched policy category (policy section) in the BM patterns, which will always Grey-Detection here. | keyword | +| trend_micro_vision_one.detection.block | blocking Reason. | keyword | +| trend_micro_vision_one.detection.client_flag | 0:Unknown 1:src 2:dst. | keyword | +| trend_micro_vision_one.detection.client_ip | Client IP. | ip | +| trend_micro_vision_one.detection.component_version | Product component version. | keyword | +| trend_micro_vision_one.detection.compressed_file_size | File size after compressed. | long | +| trend_micro_vision_one.detection.destination.ip | Destination IP address. | ip | +| trend_micro_vision_one.detection.destination.ip_group | Destination IP address group. | keyword | +| trend_micro_vision_one.detection.destination.port | Destination port. | long | +| trend_micro_vision_one.detection.detection | Yes (Tag it when it appears and the value is 1). | keyword | +| trend_micro_vision_one.detection.detection_source | Detection source use by Deep Discovery Inspector. 
| keyword | +| trend_micro_vision_one.detection.detection_type | Product detection type. | keyword | +| trend_micro_vision_one.detection.device.direction | 0: inbound 1: outbound 2: unknown (If cannot be parsed correctly, 2 is assigned). | keyword | +| trend_micro_vision_one.detection.device.guid | Device GUID. | keyword | +| trend_micro_vision_one.detection.device.host | device host. | keyword | +| trend_micro_vision_one.detection.device.id | Device identity. | keyword | +| trend_micro_vision_one.detection.device.ip | Devices ip list. | ip | +| trend_micro_vision_one.detection.device.mac | Mac address. | keyword | +| trend_micro_vision_one.detection.device.process_name | Process name in device. | keyword | +| trend_micro_vision_one.detection.domain.name | Domain name. | keyword | +| trend_micro_vision_one.detection.end_time | End time. | date | +| trend_micro_vision_one.detection.endpoint.guid | endpoint GUID for identity. | keyword | +| trend_micro_vision_one.detection.endpoint.hostname | Hostname of the endpoint on which the event was generated. | keyword | +| trend_micro_vision_one.detection.endpoint.ip | Endpoint IP address list. | ip | +| trend_micro_vision_one.detection.endpoint.mac | Endpoint Mac address. | keyword | +| trend_micro_vision_one.detection.engine_type | Product scan engine type. | keyword | +| trend_micro_vision_one.detection.engine_version | Product scan engine version. | keyword | +| trend_micro_vision_one.detection.event_id | Event ID. | keyword | +| trend_micro_vision_one.detection.event_name | Predefined event enumerator. | keyword | +| trend_micro_vision_one.detection.event_time_dt | Detect time. | date | +| trend_micro_vision_one.detection.file_hash | Detect file hash value. | keyword | +| trend_micro_vision_one.detection.file_name | Detect file name. | keyword | +| trend_micro_vision_one.detection.file_operation | Operation for detect file. | keyword | +| trend_micro_vision_one.detection.file_path | Full file path without file name. 
| keyword | +| trend_micro_vision_one.detection.file_path_name | Full file path. | keyword | +| trend_micro_vision_one.detection.file_size | Detect file size. | long | +| trend_micro_vision_one.detection.file_type | Detect file type. | keyword | +| trend_micro_vision_one.detection.first_action | First action. | keyword | +| trend_micro_vision_one.detection.first_action_result | First action result. | keyword | +| trend_micro_vision_one.detection.full_path | File full path. | keyword | +| trend_micro_vision_one.detection.hostname | host name. | keyword | +| trend_micro_vision_one.detection.http_referer | http referer url. | keyword | +| trend_micro_vision_one.detection.interested.host | Highlighted indicator for incident response members. | keyword | +| trend_micro_vision_one.detection.interested.ip | Highlighted indicator for incident response members. | ip | +| trend_micro_vision_one.detection.interested.mac | Highlighted indicator for incident response members. | keyword | +| trend_micro_vision_one.detection.malware_name | Malware name. | keyword | +| trend_micro_vision_one.detection.malware_type | Malware type. | keyword | +| trend_micro_vision_one.detection.mime_type | Mime type. | keyword | +| trend_micro_vision_one.detection.mproduct.name | Product name. | keyword | +| trend_micro_vision_one.detection.mproduct.version | Product Version. | keyword | +| trend_micro_vision_one.detection.object.cmd | The command line that a process detected by Attack Discovery uses to execute other processes. | keyword | +| trend_micro_vision_one.detection.object.file.hash.md5 | File Hash Md5 value. | keyword | +| trend_micro_vision_one.detection.object.file.hash.sha1 | File Hash Sha1 value. | keyword | +| trend_micro_vision_one.detection.object.file.hash.sha256 | File Hash Sha256 value. | keyword | +| trend_micro_vision_one.detection.object.file.name | File name. | keyword | +| trend_micro_vision_one.detection.object.file.path | File path. 
| keyword | +| trend_micro_vision_one.detection.object.name | Detect object name. | keyword | +| trend_micro_vision_one.detection.object.pid | Detect object Pid. | long | +| trend_micro_vision_one.detection.object.signer | Signer. | keyword | +| trend_micro_vision_one.detection.os.name | Supported values: Linux, Windows, macOS, macOSX. | keyword | +| trend_micro_vision_one.detection.parent.cmd | The command line that parent process. | keyword | +| trend_micro_vision_one.detection.parent.file.hash.sha1 | Parent file sha1. | keyword | +| trend_micro_vision_one.detection.parent.file.hash.sha256 | Parent file sha256. | keyword | +| trend_micro_vision_one.detection.parent.file.path | Parent file path. | keyword | +| trend_micro_vision_one.detection.peer.host | Peer host name. | keyword | +| trend_micro_vision_one.detection.peer.ip | Peer ip list. | ip | +| trend_micro_vision_one.detection.policy.logkey | Policy logkey. | keyword | +| trend_micro_vision_one.detection.policy.name | Policy name. | keyword | +| trend_micro_vision_one.detection.policy.uuid | Policy uuid. | keyword | +| trend_micro_vision_one.detection.principal_name | Principal name. | keyword | +| trend_micro_vision_one.detection.process.cmd | The command line used to launch this process. | keyword | +| trend_micro_vision_one.detection.process.file.hash.md5 | Process file hash MD5 value. | keyword | +| trend_micro_vision_one.detection.process.file.hash.sha1 | Process file hash Sha1 value. | keyword | +| trend_micro_vision_one.detection.process.file.hash.sha256 | Process file hash Sha256 value. | keyword | +| trend_micro_vision_one.detection.process.file.path | The process file path. | keyword | +| trend_micro_vision_one.detection.process.name | Process name. | keyword | +| trend_micro_vision_one.detection.process.pid | Process Pid. | long | +| trend_micro_vision_one.detection.process.signer | Process signer. | keyword | +| trend_micro_vision_one.detection.product.code | Product code name. 
| keyword | +| trend_micro_vision_one.detection.product.name | product name. | keyword | +| trend_micro_vision_one.detection.product.version | Product version. | keyword | +| trend_micro_vision_one.detection.profile | Profile | keyword | +| trend_micro_vision_one.detection.protocol | Protocol detect by Deep Discovery Inspector. | keyword | +| trend_micro_vision_one.detection.protocol_group | Protocol group detect by Deep Discovery Inspector. | keyword | +| trend_micro_vision_one.detection.related_apt | 0:False, 1:True. | boolean | +| trend_micro_vision_one.detection.request | URL. | keyword | +| trend_micro_vision_one.detection.request_base | Request base. | keyword | +| trend_micro_vision_one.detection.request_client_application | Browser user agent. | keyword | +| trend_micro_vision_one.detection.risk_level | SLF_CCCA_RISKLEVEL_UNKNOWN (0) SLF_CCCA_RISKLEVEL_LOW (1) SLF_CCCA_RISKLEVEL_MEDIUM (2) SLF_CCCA_RISKLEVEL_HIGH (3). | long | +| trend_micro_vision_one.detection.rt | Detect time. | date | +| trend_micro_vision_one.detection.rt_utc | Detect utc time. | date | +| trend_micro_vision_one.detection.search_data_lake | Datalake name. | keyword | +| trend_micro_vision_one.detection.security_analytics.engine.name | Security Analytics Engine. | keyword | +| trend_micro_vision_one.detection.security_analytics.engine.version | Security Analytics Engine version. | keyword | +| trend_micro_vision_one.detection.sender | Sender. | keyword | +| trend_micro_vision_one.detection.severity_level | severity score. | long | +| trend_micro_vision_one.detection.source.group | Source IP address group. | keyword | +| trend_micro_vision_one.detection.source.ip | Source IP address. | ip | +| trend_micro_vision_one.detection.source.port | Source port. | long | +| trend_micro_vision_one.detection.sub_name | Detect event subscribe name. | keyword | +| trend_micro_vision_one.detection.suid | Suid. | keyword | +| trend_micro_vision_one.detection.tactic_id | Security Agent or product policy. 
| keyword | +| trend_micro_vision_one.detection.tags | Detected by Security Analytics Engine filters. | keyword | +| trend_micro_vision_one.detection.threat_name | Threat name. | keyword | +| trend_micro_vision_one.detection.total_count | total count. | long | +| trend_micro_vision_one.detection.url_cat | URL cat. | keyword | +| trend_micro_vision_one.detection.user.domain | User domain. | keyword | +| trend_micro_vision_one.detection.uuid | Log unique id. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. 
| match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + 
diff --git a/packages/trend_micro_vision_one/img/trend-micro-vision-one-alert-dashboard-screenshot.png b/packages/trend_micro_vision_one/img/trend-micro-vision-one-alert-dashboard-screenshot.png new file mode 100644 index 0000000000000000000000000000000000000000..63b9e5bb62eabba483ee1d28dc80e39f146f79fe GIT binary patch literal 47472 zcmY&N) zk02n(A*4Vesvh4@JK>T^mOV)y)%@1!m6c7Akg})#)ueEA*^Qy-i_cc2|Jlgg@Ly_)cs*S^UF25EgmUJe`Zoixn*g zA17)LVhYfQb}l(|PN+Z5%Za+YPiijSl{{Xr>^SxYl&v-gI-f5(xS z*9DL+OOIR#tAtGeruaElwW5f}No5ldf*6JmME}25%YjbrwCDAM+>YgsLF$1BHXu9^ zAQE32|A;_3U2}MHAsy1P#Dg->iyhr5f0@WeMw{_g9@zxkBcyi&0@TpD^F5b70=gf5)M?s207|LrXZj?Yz zln<=eR@OR`eQJkQ7ojpi%hSbwlPXw`?zciiuCL}IZ%?}lslQsESnTGyPU1{s?>R6u z1C`WGsIab{T-#H)XnZ(9C=V| z2=w7DzOyk$olaK6CGq@L86&AZxZ%@l<&~NXRgDEp$yvE(HW8 zz+;2cGb4}M6u}r9q-2A5u^-6wv0|05mw+GV6)BgRAAUYB!*32SkZeh4-JLSuT%)n& zK-dXVKlVIiO{hj_&>?Gsq3b7M#V#8q-@yzjRt*Hmk>`cENI79`CtFST_?X{uj0=rv z)vXkC)t;X7Z+e)W&>Mz%`iYjXo!qwWpx|t;Og>gpQ-~NbY!6Bj= zFFELPOXRMF*20~dUkh1~-6uTTRsP;^ne#sZdneMUtsh3FgfDkw!E;*W-nVao;wonph~>jS+U*73^7d$Ja*$WE7Nd%XK6~BdVD0#QZep;r=ubU|TI>L5^KJ zcxxa>YV{S3{ZUj4!MnXpcb3KX_HN6!B!qTmL@0=%XCp|@$mqSD!)|NiOOP*lI&l6~ zS~okk$L69pbZQf@8UFESZO);^tsHNqj{xmZ(!5%I)$ejWLuQ$3(VP0z>V7jns$=Pla zFL0uPAgzZZmOlbStf!Z4b6nIFh$5P{6br4UBzo;ikNM@l$z=co4WNOcuyE>_D^D#Je1oJ|2Oqo$Q;6sjKWk5SKmFTa379sI>MA+Sn@~?^)(;Rr z{pSFgk`a=vhcI`H%KMEs+=N|6{PAVx@Wsm{Zp~E}jRw~2DQ{zuKy1KaYPOu~tK6%j zG7-C=a@%h+K!f-=c0l83wbCo(uYkm^)svFW>&LA+V6Yre3h%553y<-&ehl?_8}ofug70z* z?x$2O@zCJqC43UhLMb;ByWC!!19g%oQSb9Z5Z+~``Nj{zh(3N_!YLe!D&Nwv9-8*{ z%M@sLv4}%^O3l`cpi;WtTH>rO{s^lHkb-w4o|R1-vRu+s#?;kd54Kz5fKoZ1q6r3p zo=Cn~J{QrSy$GPHk}yauz9yrCy!p;7UQXOI3$#AN3M0UZaHmYVqw-A=hu~nNE!@Wr zHw=x$kWy)dM zr`vEYoxAAU*DOJ2*fJBuc`Fq0s!$i|2>`tiUz7(!tX})GQkA;n^R3ppq+WJ*Ekovr zR@Jff7e3yV>9w_i433%TqC_bdx2AgW=;7>YYhnz?qZx=AuB}?dKh02D7=oDp?b@}- z0H{E3^4CB<5SMOY*9xIS zkOY}fvx&75CJop~4_xJAk_x1Osq>w%0ywO{0-~h$D`WKeGX}-pc!l`1oG-hDgeHo6 zH+=GNx*g0BC%@Af(%Ns;KQxP|Q+0S2g+GuEZ)VasJqDEw8q%@xZLwRAsLR&wV~gfQ 
z5%SpZ#G;|s>qC|o>lp))*)=~dQlcIwnq%viM}6)sg_ZM3+KBGbLKV#GAFq4cDVRlT z&B{^j!y^s1_?Y9xrNC_EhUJQ4YYhpJj+SjBr8?MG`>Y`N0rQp-~a(K>J_N zZ(2*KK~@ue`JE((VqXG89}kEHkK%M(-=yCW(cfaL`SENvk8*EAb4 zw71)tsDwFRj_)~4zmXDm6OvldUA!Vg%H|TP+xhX(xgMY6^_(SjT!R^Px~OUTVgkDo z2=mAjD1YS<&Ed}eH#U}&TC>=awQls_W~tep8LPLavJJTveVy>XvE~p351<;T74W%g zt?)S2grhc>>)>RGl9i=kw(`jNp|G(S@soLvHRqc_D=8K=kd;~QQc4vCXjVZT-4>Hp zokyQfuEEBt(|9$!<>q3_zQDxDz8Et}Seni>80DHp#z-j!8h6Er8s_Fw2hY1We4Jy? zv;}gB(=V-+Z+8h09F~(wHOCwH9?U!5nz$05M(hkUJGF2d=kXQinR(Ze;2o7Bvq{OP z+M3J~#@_W$ua@7mq>9#Ru7b33Sdn>Fa|`2!S42#z_a302`U81Ar5L) z6Xoa=LRGD6-#Um>+bB_X#1=O8QEE}EAM7q5T3Qi&Tl`3NDj*LJM~GKv>_RFoHPA$y z$_YfssBOXqjT;G`LxCPKiA12WYzZHaCrD`!ZB6HASQV$v-fohFmLwzx>VPcDZ3yQ? zidz#Blp5kcl4y;nx&9cF8%g-7u={D-%M-;z zJzQgznO$i3hSX#KIQ7^`GlXcQq6R)|*z_Y;ny!*}c6PSR@3@TuWCSv_|DuN$NT^*_ zXUl@<>@!x`U2FWDYKrWsB@@Yw0fB5s-R$x_qovcIpvZ6+S@HaRa;y~Aj0z4X4oLAe z5siw!Zel=9kim9BGZqjiS-b<(C=FuQvI2?As2a{veHAW_#LYascN;**0B4af6_hYW zR=Wf^!*JH} zK`EZ?5%C@F{6WdVqx^r(4=r?>AG8h~6rbct&Db7@Xgmr~jc z((BNmUsT(7b%Z%&94yPj$+e}h^b}i@q$iqPXt+;zQ(?J+4SxNEzMC8_?yhy>lr6{A ze-Z*eN7_FBm;ESwnqs^!{$$z&Sf%P$%h}CaGVcFS60&|1p&lg@Y+qMKTqVL38GghZ z(S5U^#t8;K$k55uA}FOS7w|4}tx1%FV^?qafk7SF6V+FYIUYd2rmEY6x99 zC#OZRBB-uGD-8FJ+d?F}H!zyTBWA460_oe~K9+R0(2uBxk$om1D|zM-hv-TaY+yVA z3GLdRjfml-gEo|yyq-zS>GDkK?K=G7gP5F$5i~Fsub)*^F|C+3mRINsY5^%UjTKhM)m`<}|q{ypGDvd9RCdo$t5WmTiwsOgv(`|^+o8{w0Cs6+awH$90|#H);; zPtgNuEC)E5_4o61BxC3c@(4fLa&|9{p9lNARbf`|GWKt?!Oc#mI0*ckFR!(9UU8Vt zPGnWDRs1p*PflJQj^8LCoBrc8ej$a!WR`ZHq$BlUPL7*>~2ND=l#Rd~NC5jdxAUvrmIGa)e zB+fk=ciI|bAs~bj)V(Q)V#8hY4YI^SU{WDQnBT|F@Kx#M!|s<^UU$MuQUPkX8=Nn? 
zod~`Sgm8QTh2&l>xzC&e0!5u$tRxm#;IH1q6G6sc|BVHR+e}AClW#$`e1Ark!CfWz zAq+nFe_JIllygBx*HFDl?7q0ZW{blY z!VxgEDbVQy8QoQLuo%f9hLP;yfiZw0%ST-@Qtw)8OQqn6Jec4<^Ei~SbC?M6pKU>@ z^$;?)&La@#FS#X5M`F!&-Si(;@`6ZHaro}~;()9JtC02(Z#Nm_z ziUKMV7qVt6v}Xhs9H9{OYrllpsmr)(qL;<_DYM3ybg2Og84maJ6&z&XZ4T)-YQqvY z8ptA;oszo>%EOPeDYYItmeuex$32sedzu(y&5#P_eJBP;YrxSyB0NUVZ@{fIzo|Wx z=pebqD?-bTeVx`Emx?e!gNJw87yI%(!?M(|qz{ zSo}#OQl+vX;=yyhH^}BmI^_AZE#&z21j|-RFnKZ-|3p_G>oFa;{< zUJNrI^3(i=5mv?)(gPHgZhBZ&jTIK+hy$smij)9MiEe2Q8=tWQ-Wt{l#%h9q7A=bAFjIyrG#!^iir}|h%M!&r()OOm#n6^Q29&V_ZKZ! zZO@m5q^C4wXC=&&EFs zNkOQ@W54Fs8Lo*@*RgC`U(_o~McBSv^&XI7T~d9AGaB6}&TZrGOtIOb$}^b7XH#pI zU9rKwyaN?jR0gD(Wk2EAH7{0tz;2*+)nr=6;|QB@o zR(uB!+-f>wEq-zrw7F?E^{9-52k2wcMX*{ftSQXGGusw2<@g;Ah;Pj#;5ywP29I#C zt027^Jr2{|%*;yU>n)XunizZPrb^N#&+CTGL?}b#>4X9xLEeoj`6&4-LO+vf@~COD z49>eRkRa^n5oe_J{(D`xbR(i#6nRScpAf(#E04VfRY9ThxN~RE{W%Hk&kD&euczk& zq5%_SBeF=KxWw?4tlsY`rn;TH;rR)c#2q_sCW(%7F?3X4`bs#zLrB45&>zoMjvG06 zU`LWlNO;4Umlqk6r<9bbqkxQ+mc(H=W?@ZmmlRHb zfoC(_Y}PX7;bfg449cm#f2!S>Xgv5cZ371&+;^I}o;#+tQU%H+#D^#7LQqRo_XI*^ z%YY*kccd2lH6rU3?`W+9Mnj;EW5Z480@CEui@xB`v&l*?Ay|w zkG{$;p1@XWLz-$x*n1-}eQz5t5^D2qOJG(B@Vb1FqB3vN+%xG-JT#=%2YEMza4e-- zinyGlrDcg^ZxD1-mm+8Snh-hET3W zn2$)56XR5bIFtfW5pE&F<+SsM<(T^S8Ax!-AYVd$K`zMc6# z%cvJuZdqbMd{15)Xs%xNB)?xH#^aW*XJuq(!_eVFe@gB}b0-#mTZ{hxRTsS!&jQH>9(1wq@4 z9y@nCEiPMB?=KtgB>XS^Kb1Jar$RntHeAIw9kmVZJ#z{SM*gDa+Blf=VLgU54d>_+z$E`Nq>1vP5 zSFKm7R-am&4vf+mtTX?xO(XPx{#G2Q2N!4boKi#X`Ka=E{c&Yq_Y&ZJnS;g;Xw?j) zI8Gxa6X#44nO1hV&~rC3aUq`Mzd?THQ=VFFL&vfOB@t+HvIuaF?lP{eM@E_dHGIf_ zNoXozQLEmbX@KG5itW0`PPP&1n4w+qcHf!DvZtty@Yoe2GpHBQgz(~%j+bMnncO)> za*?JAOp$&h%)AhM*Wbd2RbEDI(Z;sTZa0{VoNpl~;FuyGeM zy5iL3ea9BBApK49f?hvXs!4r+e)^~E+rd=*1?|1d7gk=u&;XgATR2PD&`7Q^T1!CiTZr{Rbj7l@; z67P}!qQ)7NGwmq4;~Ixx&aJSI2BJ=u<=gQ{Hr^Tf>vJ(s1ir^|zu((;!AdAyO+i2O zaZ0CUF^ZrYFU?~NZJHo>Kdgn8o^FS2d_Znr!IQon4msXW{8ZGyoC2ZMw-VcY4J=g= zU9F~ET3(H;@p-CXq5r~vyAH?7rV^x+33gXNV?xyxRrnz7N$cCZ1gy9bhw$CAC6hdC zUVL;5Nys!2U3?6OVEdcrRhH`*06rBLES^^B(|kr30#_v6^*|p 
zOLNTKB!v$ZG7Qz|dLb?Ah1Jyz3|^{2+M}lC&(lmV&cn)BgS9Jx8J0sMvj-R$HvG>^ zL;HFPoYQW|VVJ!SaEdgxZY}I3}LJ`ZE?mXBxO(Zf()3^dPQ~& z`4iI8c_`GoBW?lHzOV9>3yu)p_vfK3zL@%+&kUdN43rHOY99cdcAdi z44M2eem(S#+qs^1Wb$B;C_Fsx#ArTzeZ{1U=8lR6D9NG7-UQJI9oO3js*)}l&HOYzuDwPQb!V9De^9V)3k$J_d+zDOv z$8GknLkv^%yrPZ?qkR(ViEXXoyq#@ znX?A_m%f^;w#Qp`qoj;LVh>g4T?8m>1wE|A9{4{)g)-^&k$8J4HVJh2Yy)|XnNUf6 z@xJppB8c0;OOSeSB?`PG2tBdO=XgL*wdI|y!KgYPYGAuuti?HteM65XUZnRq#p;Gw z%NR^j5Q3|}<23n4tXdQ5s1mC2my$H1H=e!a4%6!yjZ&j}+n@rDIkj&&p8)?GOhbdo zraIH+X)Eigz&&Ysd(2;1;)gYNeOd@Ht@?fVc!&zs2m^vjJ!zVqe+OLM&x@+{h}u+< z8H{4GE<2-p&P&s{A$qKikNJgZ#FIO>73Nd^wRle>P#_N2v{{Rzji{M921K!+(`^S3 zk%iEQ?Kk-RWiWlGv^LJTPvrr!{DFlRAMDo$`aKmie|xcv(a(58&85SO*d%FD1+U8# zwvI}^_vgHG-ku!}{_J`caB(-?)O|ugeSH-Yv)An>qWM0sJWY5%2)_Nd5Jexv(NZdw z7gk~*WH#rKR4(bTrnaR@W24Jtm?;;W`F16t_8PiAF@MOF37V?MaE2n0Kz4B}lF)!aa*#dxKw7thHD_E|O&p!C z!c$4ryaavPB$F=>oWUcwj6LN?Eot)UZ#WG7+#aFiijKwkeFXjP3`mS95ameeYrm zCh;XvY@jVKVpCP?drGP?@FTn9^IA^8yYX@V_3f9UMX<9Q&j?jUg7H4eOWYux|R_D~W7wLk3a}4a& z7t@&K9kH2c?HHYTF$BVoabu|hvQ2Q(+iq0}U1vkKwQ3o$)MiDg(>EWgSUCO`b2{;r zs?q^B#V0>pWS~_(-}MYu_Cn1MjoP!Gau2c*Z@LK0WGQEISwVfpeqTCE0sPEKT;T*O_Ugbw|`#l4VvfHnEdIeh&*m<>Qqa&1Zz;py*Tch}- zgdjEy2^nkH5YZ4l+U*E{Q61G-vsWiTDkjKhZsaUzxT+MiTqUfboBDM`mXA$}BxIQw zu{f|rGmN~2mJk*0k7A707}Wy`q&EM+z>ZF$QraCa;ymH!{@X{+XkhvtKX3&3Z%#MF zQ2EYQ7+KEeh!A~-`MF6^TMe&B9%(ptz^>`nRslmTI%A+DVk}U=){Dp#N&f4n@s?{v zb#(H3K2M*mA;rJ|x|Q2hwc034_^#=yI$;0w7T>JArg*+Tw*AsJ0FJx#* zt858SKs5(Lr04qvsu>5)C(5rYd)wogaXCZihc;NZxth3Oo@qI0wD@hU8ZgXT!F>56 zE+J!O=aH%u3Jyp}ge_!`T7dcew>(L)IZt9ocPZx|-=U^Vm<%s6T?E6*Y*&+g+2X|K zCWuYK#X{A0KcTtNRU&$9L>s3g3;lGP?)kcq$uM{ZILH};ggfRbg9QJ(0zidwm1FQ< z;$ABjLLvT#vyfz|)TyZLFa<6|A~-e7qqD6!xa6+91nqzgTE9qv^B`4#2&6RP5UMhS zt`7c)I~9^7zTA&LIY(B6#+NTo*l>Q?6hgu67|au8@YTL$Ji+ZF6t+x_Vk+xDTf2xJ zU^${P!1l(;&b}ORG>?3Ev8aRV*pVHYC{)h`FWl3)A|kS=5&ID@WnXaTLUg&Agl<=F z{&W(3W!pdBnsTDEIij)88tTy}Yum5OuXV|_fa~|*$zdZ;&?L@-E1~K#z472g$|5 z8r3}rJ!a>wn0B2n|LYV9OalWEw5mB!y+ocv%m@yWrO(Hxx5MR1iU%nCCGPE 
z3j}m%hf{yUF2ZwRD$1F#4C}iVb{#lHF&5S9w3(ODxO@oy^~ObK6q1|d(1@oriCy@+ z_AU40BqQZv7Ar&}yr%&E5l}Ho6$ShO9XP;d*-E$yCT&^wcB^l)zxSIl9Gw&v%ALIM zx_B|Vwuz1A2)Gc_^TeZT7H7#!rI! zUV8^+Rm&T27$hT@4yvUs5|uGqk8Zl}3=^<{0qmDeuf%dDD_BQesM};WjG6%1ZNp}B z6pxFV)8Ri;=Z-_u%Y^>#H{u&!AbOf%P~}^|a^iI;LG=K&6b_;+(&-Q4eA3_>jQLObif!j|Fy(hNz$=^RjT$)6sqNPJkE5bHqeUQ8 z%WgT;;qPI=CTE1UH&Ljp-mVdE6M<0D`?>*iiv@!afOQn(x)<6{fnCCx@Noj9)=Al_ z=q#l{m(D=3SP^9(V?CJ?6 zt{n7iBk=l;Zcs`--Bg!jG_Cfy)I0WK>=-gh9_E9^n|V}Bir>?dki_v*K7lO-q6X&E z=jSnsut|$^Rs*p#rV=~UuN)>cMS)H4nTAQX_?VS)ztJ;Y@u^&1t?Yly?S^YNpWuJR zV^JL0QT0SjDux_uT+W=ol0-S~yVgy+b+?071Yq#Ahvryd=1Q%{)V%)!%sTGFc?MJPc9>>t<1 z??6d50Ir*AgBk`{@v9c**W3CIJ+ZKy9^(i~kL^9ogIh#)&3`o~y-pFop1^EJLYQ{H z>LTfYY;DnLOm*FI=AwgLZY17(JK?2^h~KDn#$>bWZ1G%(6d0&9S3MloXkSgU_V`>{A-kZ9fo=hdkkH0WYCRJUsw5++? zOV&2MATk^K^;*`ZtEL=tWHHO_L@M>0GzRxNp^DvMGE9o8Cgw|F78Hz&TCX?fW1uTE zq7l*j*$kEfRLCf7?nD$m-pedvRvMH-G9!-1_XbQlLHu!3Y}Uh14NIfTGeFDV_qeB~Y@7RV}c&^)9q=P-*H|ciMf1yMACYyU`z!-UdcpS~=r9?H-S+ z-~=mDjdE4W8MEbIQEX#h)h)i|46Z^ht6i-cqY7aR#K1LTo zPyWvz#X%HmXL*3;P%xZ)q5_?l4$y*zCq=ccS->l%9Xg>(QE+Xvdg>eT3KmX8{q&6%Y#xVa!ec{gO;MmB3z11vL~Uo@Z-wTNnTjbe>ecP;)WVv zZHVOT>6Rh;1Jrjor`gDljY3y|aylmNP|6kixnJ#4q}tGbki`A_L^JK$Q15=$%MBB= z@($#^^9$UL0#tP3tFW#mK7IUq;CXN03vGR`Q_zBYG8jJ24w<{bAr+ zEmE7Km)F}y3YC>nEYf6=MU`7RS-w}G>)sM5uAn@y)x~}9GBBN~Je@E@*xE-ZMgHm% zywwip_bOetx>_TqAd;D#XT_Qe?~cNrfb8raC%Vh^g>ZBnc~ z#;?G+nvEFqpyL{@1`zPxMzEocSX#8I^LC|RR-W8((c~TqA9|!!uP}(kxq%%&x{%!( z!3lGwwAfN4qa`U!tHr)dRGOJ?mJ5~!zkD%&v>ER_T}3@UbI)^EP<}0|tV8^*Uo&X2 z5NN|jk)I!AIUY5lmAz<_!#$)vqt$+3^qRObjE46xp*)vw8cp4}Yz2j9i% z1Zz&`+3@u}KMsDnGFDw>!9bA_>vz%V<4&_07vz6a3sg5&WTX!c;PNjJg^9Xy7 zhfe>gM#X#SJLT@;^Mk~rtFI+aIte%`VAt@sF%9iGQE(7IP~Y^C#t<~&#fCw{kn7FX z<0b8+j7t4AxDP|8ge^{Fw^`gVP%Red8U2h2P;M>F}STtlsr=fI{qe_gRjV-A2mO)S1TfL;A5BPN)xfU#^V zXYFf;zkev!Y;Xdp`6hMi>X0_o1(VSpegIa8XV8L-%^k_7GHwNF<(3RX3sWVBX< zNx0DBLum9PtTdCAN|JY`Q>=|ex;0fjJ&WEd46C0~TaF7I>=3sXSfD&LcKuHZ9B;Oi z={WMcGv&^wFFSUy2!xju!!189Rt<1_vwnfmJF%vOSN}F$@aqS*w18Gq{ETUbxdP(D 
zxpaPs+QDimteuK>c4H`|jX%zR{*CTOORpTe1U#y`lZT@dy3h!UVSiaOT#@2A2?qFiDlRW4qVi2SyDxCIF(I(L~EQz@T*p#p>mj66V;4 zjf8=&SX%Q?ed)Fc+YZyFe{-LayO(NX*E4ZJShe$XjoiiIgE(YP6R!vyrlmt3`i^JB z;g5cU6~n|O_s6PIlsqf~G`&%?f5JVLzY_$f<5)`*s|nhdJZDMyW0lt_X#1H=z7FeC z-=)<_Hb{7)E@HDKbnkC8m4@r<<@@QK(TqZK z;^v`{NKv+H<)L;dYi6)Jnq+#L}c4e z92d+dadvzxU*WE}yPNDhoI8tC%X|wwLeufH5)~1Hernb?ee^*J-dOg}C z;#SK7g_YOW%nwFX$8ce+TVO~PE2!D}Y&Nm`UFD!MHDe`KPIRA%1vWk{T5Q3WwXn^j zGi1VcvASRiWwl0@(u!iy$~zdF&c%Ex)){yv*P$o~U!y6ZMPo$35IYUk&wm{G74I-<;PgI* z3%<`5VlP+CRY2}}ShS7Z_00))NG2&Om4brq1aqJR`xh=|r8$#A!8e=`TfX5q6kx`1 z4=2hT9n4>%QVZUK5!|`a`l(yMxED^UlIcW}61^BE*yWV}hq52$tQa1~Sc4e)7g;oY z;fwdecr_BUsy;xB-}w?XNXyJR$XI78iQxQCqpf_jY%rZh<5WuQrt^cFfxkPy?6>;l zkhMJT&*T*8sWEF73Go1G*yB)N{?zzBq*xWq$OG zjM)YxS^+S^Sp%So@a}eM)+MI99KeKfiV}u zrW*2IDXRVoyqTr^nHGF^DgebuICNNqb*hFV*8~*u#2HzT@1M0T#WvgIMNJMzU38=v z!L;rJnX+QRFsr&3Irbg9;#$IGvt9+tH=c=K;X~1>ar?%Q%W4+(`$*{B_JdM_#*Qqhy zAVoaUR*zfu4I$K)mE2Gi0nISzH!#t@o` z*YvQ{$!?gah1lv;W=l8Uk*_UB{aZrM#4WsHw=N&f6; z-cXfRkQ%AfRyw_kMcfmHHz=H5Oy4g4Dkld3W z?I|$a*>P{&ndYn4{gEcx>d+AD7gnUVTqaRgLN*x zOO}V;zpqk^A@ViAQ40$(P1!FGT|M_DunDC#!3|wGrOIX@PMh)_>}<%UD)l zsF#f>dRM5B>J0F)H4EV}<#7hD$e3QE3jsSQaud`7GFQlUSr)fm9Hjf^Al>kHl}30( zl|t^P*XFv99JD-cfk-Dm#Ik!*_{9FNM8lq)MbJ7Hs{*3cRfQ4QPjfv#v_I z)`Cfuj6tLBKPPp%o&0GIhBJiBnY;=9z^NmAw*D&2_=+Xulr5m`q#{pT4Qh6eb^Xp^ zY`>;X=W>nC#O`@3HVVEel;rp}RqQzV>R<3~R zY`Ce$2YLBL;je@~jLX;6!l>!k0kn~iC1i(ULI=awp9{Qa*t+5#2KXc%^mgv|v&B(f z+nfC&>F2d9c6AXPXER`-C7alKfg)<|x}0e1?er1)etDTCjSb)S3GE}@9d16I>=UKn z3J@6T)d-W{e%ZmBE>^M?k)CgTs+lL(Oim1t4Tc`_kMt-evGw(4b=)I1_bf?9i6jLZ z8o}4AP@d+dSY3or(Pxz#uFJOYS4u{K2`kg-ihf3H{al|9Nlk-VEJD7{oG-5H;ISKM z{~R?!)F)uRAmOy4A7fFPU+PQz%>yfQBVCIxTxin;>!ce@FY^Hr(#lpYL69H2`F6xd z3ZYciWl`PY51%C`=11p%SuRO;a7|nec$qUHRV`IZXRA#uaKKNc8d__fTLRbAsO0p# z9M^OVdT*-0=5jZ403*bVM7>j9>ruU^zk@CUKZE1)sGaw+H;7TuB%x6=pKoFCwCgkd zkXq`Yv)kQ|lXM8+mK?BSRZ1!#=%;NG%;EGGk)-J9y)LSpHW*G8w(< 
z0JAk^<@UrUkN~r2l$DjM4R!OpFfjdeUaF!|ay&z+0oKixt?~9+-R^qoI>$?*@V5H=}`9LSXbd@CqXQcqNf0SPA!Pe*RxR@HD&Z(Ia-*hG_4_ywb==L`b(_8 z_!u8z`?2vw27^L-V;E!GvRdtk0!_WM{u~s->0EXNRZU@krP3N(hOhAWY(DB3<2n|R zQ1*cqZOkYgfj^xoeJ%@2dnX9zJCSN-SGF48 z{{u$fSoM|SL`Z7L6m!J^O5JJF4~3ARA3ybB^nl$ z{gm}5t$+gM$Fl|-lEsWoedR7za;g3$O#RDm%cMI!d%M*LgK3E(18xrscT6(Df1xhA zhH6HKifvihz9$c%fRhE*j(J>SCp~n~oF37~`6*J1;)DnmXgIJT;@fvd!ILxLS_`vZ z0~rijOKZhDWc*7J3#wGnv>o#?U4aLmp$Ij#@PfgKCfb8n(-C_S(;c!d302(AQQ(wO zx5D&^`jW^IX;m3tM}yW{{1tfTjH(`@MBc-yqm+vxomyc93i7|~z>x+oK9dW>p)he? zv~u(D1qk_^&`1s=0t@;BxOAkv_pD1`WS4P#n7p~9DZlcs4)4kn9#^>}u&p@-w4H4` z=o5F}=X@vi(>%8J)nNUE%TW)JUWFPjR*r-po|kf2HM>)VgTfK7O)HIS@VM!Kp-AfW zcIFs`_4(MA>e@Glr*xa96=}Pit54)$yx8ZaH(U^&?giuTcx8$_hnRP*d|PeLffsuA z$uVW-j{vDK(XpEES=Eb(kiE_iymayXwnQtwl$*VlBl*Y_tphq5d&e=5j7 zYaM$IcI?wfmP6I?gougra^;rJAM?vU zWn+>f$GRawYG*dtgsbwON3C#wWSohlz`R!EZp8dz3JdFTU6Jvby5ygW=9L}W%1BD4 zoY0C_R4*k=)u>X(h$)@A8|Fp5$X-=*Ub?{&E4eBhf&5E@wc4L@Xy2s0nqV+})T!z| zm7;pNl+SQ}s<4I}dihWh{@Kw!)60|-?D=$2Z-|A<`iEb`D*OA}0o-aM-DhNiDc@Z#1qDC$)moK_e zX*S^grZOlu+0yjK?0&DkkR|+n67>1B1-OHd&hc~zJv@B^-iU4@!I*3>r!fJh3w3-gF3@0+nk(?-HL7HgElm!O4hY?6w}+iL-y!mj9y#=(G2$B@6S~ISm5~Z5$I0#Vo(cTzt}_GDB8t z=g5hXgt0N*t+$BZ>E(YfDZ>QRQ`*m4w_`F$L6oOPrO|Cczs!0(DiSd(m4@oSWD{am zHV%2zkwOvNP2|r${yo&9nuF(er{A;DCvLWts+A1dgRBpYi6i^Fy#>uU#gXou472>e zWrk<_@%_`o2#eefq}gnAk6b1GfXKONDo>eE0j@vodI-3=P!T5SOwT&NN4&W6-C4s= z*S_x|{^yf@1W<4dKT4o$Hjm06PiItg*tjZ zcU4VKpAT@dbG$L~IuE(RW}dEo!~3{CP(jC~l57XM`+XVoqSoaS(Zfov-H1Nr_^6b5 zT}V~cJIAZp%X~**ItMcZX2b@q-tR?h5&ii5iHPZf`q%*q-K>CtZ!)3WJUn6p9_z!n zJKJHfj}_qC&{Or-`U3x1mtJcPRY#(JS{%s!-X~ZEv&a(YU##M=m5jdKZi36E9MGIU zZ|my#>f6Zss{xsuS<7s!aj2Cb7Dk;_aO-4y;QN`YAm?}d1~O6fVdmVzM*NIRMIbM` z+r+SixAjd-sUw=D2(_DRllJq7tv%SYo#uJEEa$T=epRZ{q|} zq!k^$Ebt2$aJ_{+-jmnJnayTn_d+WK(fx1FTd&@Ff6ndQUGR2M!s{9UJyy+qzS)FI zP1dBI9<+TWP9nCG2=e3lp;G&<&Sd*vokO~I%SDA-xf$dQe7s9qXrx|4Pa(o+e`(E! 
z$Ein#2j(b6I77e9jy;mqPnq%F5jbyvc^3P?s$HLI;{obie=x`%W!oOo)7gPW#F)4D zzdvRb20ISfaXTFL%318Mf4EBf{~wcsD*Iy(VonihPlcsFl!UvhoRgAg?lWHuD2SIB zwd-3(+P&f7$;q4u9slV5Vgz?;MoV?$`lp zo&2i0NdljDytaM{49Uqt^>-azL|pHblY?1Z`F;z5H?-ON-SJ~X!6<4ajH)N`u;llt z<9>we^}pbTHAz@&B<1Dn2-vQt-?%TGjiZ}QK7`=+6!@08?Urm{4de=IM9v@Rlqcz; ziz2AAqU>ZxO)hFCLTyPzy-++zp>&iz33UAn6yD#clLNmf%<71~uU)9qZc| z?in;TE1m1ki*34uvg?a<`j)Y`>Eq4)k}6PjY{HNb``cpgrLA0K`PGV>5g2qCCoDf5 z)qiSm&7OCnzugbix>UPdx4Ae!hOGUi5$7mOCaOSH`&zO0@9M9#4L?TBe&#a?)A0is z3b6GC-8^Kv8RrK)J8vk8wTURyv0cYbg!HZ3@HkQ!ILNR<^w^|AzX(>8ds}r5DpaBX z=M`x6yU0`>SZc#bl`z+pxW>{ZRDFG&R-qSJ4qQjzQ&DN=sDYGInnQ|z42~zuozX1y zb<70f3m(@Zf?b$?8+UBG(`QWMCG}t&BZGRCmzJdQKVR;W)Y_FAlI)$ZK>ASM|9iaM z`a}YGP4v@12-1!>TlWXy3Gpuru%1~kheZ$HB@l`dA@#v-ms&bM7Tl19Mt=%{mb6N2 zsmpVoChuViZ6)I#QHs%6deX6w3;WLVDR=pD*ddG;GEK^o1wNMFP1qDD1rjF(Gz~i3 z|Ce~rEV^{#X5`#iacFL2aDztg)s~vu`l1F*T^y(y+XO)7%mQCFz4+EoD*s*@79!uF zTvCJ0Bg=g#BX}vaK&unLhu0I9mz1_~eu1!HYz3%^nKuJUE}c9ULvS->Rr7Zmd^+8r zC(*AsD@g-&;5iMIRu~y%qMew!mToJ7q?9%78#aSihBd{v@XhR2j>dS$m14<~=wXd( zCPb&h7N&W_p63mlHoGEi7K#F=2r4xk&pBENOKWU^?mfSy)c#ka$@L*JI5a7UP%<}z z@N7CcmuddT+L2V?G(n4Po@-g$OY1rJUkmnbSE@Mn0RFcY4fG}#xgEn)g+aQ`X1*zUna5f#Q#LpcMeOoF z$5kT+>K`mZzSQQxe0ZHu1+sAmvv7A=?vEUjH~&IYk4SOVtgtQ`E|GooHW^zp-KaC9dW_$z>*mVxFt0}Q?+vXS}@ zo6!Km*y}`TCTl{4HTKh8VR-f~;T+SQZ{)#?Tavse{|*bXyV5q@im_z;_zNo!%H|VCKYBER(-o z4n(XLh_%_E+LsGb$w@n0k~*p-7G1Kj367eSg@V=cGsKdx9xpmh(xB zv+oP;^F!sdGl=Qg04J|1APqboLl*Bm@tCvFM!zr^RT~OmR80)RR&?InGWC7+Ct$^v zPSK)Zq|xmRsm8$`FY7V&a`D#r@C|AuREy4;)=lBY%w(rM2( z|ICCoWH#A5{t+FiX@aXRl%I_C-3TtDu8Q|_5p`iFh>)U*DstBs>hyucvdhcNe~;_i zRJdMkQEw0_mr%$QSm!qMMkN#WBS|fzE42-9AnQsa$JUTzs90FvaokBFG+1y##Mx}H zfn_k2UWgiF>E~Vmu*M3hARt0z{g=#Z;(HcJ*LY5?EE9wnR`ThEjKXnZ2H-$+dX7mf88{(ihpX$0Ii(k$``f}2@zVGU>-AO91 zIrdB{m?XLY0*LkqvU?=SX5tv4h{of^VI3ek_><82D{K}_T5eqHiv zz!+Sz_;rA8DP>< z&7S>};TB;VGFBrA>#Ptw(LSELjxxZm) zPWf;1_ANG}4pg#XZ4Wp$eu3ckCb5L{IQkV=mrYT^<$FqH$ql(wRb+F8PPN(Pa?@(_ zUoU*_zfqR_aIHr0)rsc{p=SH8K6*_xEjoQH&LJqeW7-AxO*KsfKFwIZt&awoy$zh% 
zo~MB181*=sUysV% z9*l?+Aw;k#3ejD(9&DOk&;RjqFvY8pZ8pO!CA3>L3BY8MGNa&nIyfIkMUjY+1RjQ1 z)M>FIC6rw531dZ#77cr7+T5~DX^sEh5!GjslD-m(Vtad`*R-*2Iu?3NNkFXZd!{-o z=iulynpcNkXGa5YMKUz0m3z6TOa;w2Nq2AA0_y&m=^RZJ|ze+6!mthGT4r4P(A(k5Tn zA8VMGP$HIUf<`I>A-QoRu9^f~J|=MIyJ|C`bM@+rGguEM5gVHaCht7lULBNxmU^JQ zY@OuOH3+RZQ|k+kU$RKj<*Ucd)N z9$~no7VQN9X5$L@5>vN73}&XvVX?|5%qWbq#1E{N%eA!qL0yFApSscoScD#ah-aHxz+8-2xFZC^jizexB271qKSIZKGXB zw(0wk0qcRkV@5#n$-D<==tz|C(%@6|zp6~eZ#bGB`GuH*sELQo8Cy*0!aPsBqGQAV?FQlK3nmgj5|4IX3B~>N^MZ;yYt6 z7z+0B8tPnslK||`BG9vq?kNc*^hw{mMrlJO6Hf(2CIjcJ;iK|A)_PrBwjs=RoaY>Hsj+?ap7>mvNhm=lg%u9&izA9Y!@SH8l_<_=t%_K&`4w9dlmBa#>=E&(V}dDIo9@QwmeA z`$FW3arm7lx@G30`>a{Ifa~mnY&Y2=mgFYLMo)1T^7}{#V>?;n|Bh^8Y})in)M#{n zd~2~U1`pN{@dd)>*PAsjlwa;0?Shs6kwqJg3IK3EJk3Tz$`_X68=;^&JvLD<*M7cn zatpW8h2pp@P+Bq<#b5e#vf$-mP2pmcl)pXX;Q2p#bnv}*WxUu3LlSG6;G^;9oY`WX z7>-mdr5*=Jzc6J-pA`c1^6kM1D>BvRaFaGopjcvk%ZA~rF9$*3y;1(!GJZGr z{9t9{|6J*bKX7m>wM$`7qu2O~o1Q13V5P)uRQTsY_*2Bs8IpL_vj9Huey28Is4tbQ zBUqp{6{~ut*>WnCiB;{Q?I+*nZx4aA;Z)HR9OU{qAJqRo#J)eFnSlS3&*# z9oW>|n6QL`KDP}t7d4N~IexDDMhpq?+A+aKT6IdmKa24G`-|?;XLh{ARIR{X5(-^R zdqAO`K%8m~_Lbr+`R@t^hRw>t=An>|8p_{VF3wS;erIc;S~UwsO2Cuhh_BSKC8A57 z3V~DwnlnCvD1~FtjhV2eSYc+Eb?!@0Pk*khrfuzLbj!bVDOzEG&T1a_D7_5;am>2q z5C!nsb}mLn_Fq9SmkM*_eaP@Q>zSv=kp%<&4c*AzsQ6iDq>%!9GemY7u;=Ql6dtIU zcH`hNG_>7&+uNFF4Bp?K8R0UR5Y4&y_#z@?0mz=7aDX>O;3T`ix6u2C>13d3LN)x; zdZ-r4iGn&TF*=Fk?ZJdV?!5jOpq7g4CyI8pX>YY*uIWr=+7s*coW%VX!!uNdCo+0D~X

Zi$tb`z+v<5^IUp8YbNC~R z5va8w(1ZA7IOZ@440(jN3pdBmWg#9KOM(~7IJik=VG1VLC+aH727(TUOwy#?o#;`v zSJU(_=4w<1K>3J^Nw>@ZVCvI*Evp3;{&pLnc31Xb7l5+ghfBle+DABBL005c$|>IU zg_}5}xfUYC#0St|^bN$YY|s*Fsz!xAG$4S>vfmr00}bl>?9)&L%0qwX1I}LtsrrOH z;4=?@!Z{z{nDK4oITH(jCWKyb_Iv%p#4C!w4z$Dl%V+GYunA3PRL@n&42ZjC)G-;k z{~d}pJ9CV)|3_c-WvdN34sPWbGRoyMiH7a@j}|YXL~vUIlddGNfd%nG<_`$DxWP3t$wk8LN z3zyz)7m1fq;UXL6*Uio1Zl9e5)LPCr(D53;p3nIiOL+UU&=S|(wlwgzZb<@-X+k}% zHqn`)G$MsN;mUvFhnNH+xhYlgesQDcAqV1sz=fWJ#q+Vq!Gv~p%bgap&TX17*A!XC z<_1*)_vYaMaCVEFu8|n&RFar43B*a`C*d;;LnUz*9XPinu2Y)MHL$V@)uJ%f!FIr` z%gPwkX)GLz7}r#m|9fO-NknB2hud?ukvAT%pVxLVK8l(T^tu$#YUIKcW9 zsEl5JA{z~(R>IC-Jj4apY#y!40UTHw_N%)IZmv`K$72nnuiw4!A5tH};I-wzkldot zl`|Ugj$+w|UE&$u_&q_s=Kfv3<5}Me04jmAae{uiM#_Wrro8JU#Z_Z}qDO`VZ*Q2x zPPsnIkBSbIw|&ril*7`J4S;Pxp(++&aDB9GB0uoEV7CKLtL$A(#lKu~CyV~$yOQxzNZxF2w0e=EMEM8~n& z=muil z_%|$42pZjyF^>Sm4EmPFan$ohaI~Mhm(H6G_9}_{UIGv^<_8F}!(K1Uo`N3Gd9k4P zTB|Kt(ZO#hmKy|mP$D*3y}4WC_V@fvafZ!NRZ96<^D6*Al z`<%?+`bMY&Mz()gu27Om;mMFlyqATxQcN`F=6>71L^53`X#F`}|D?jmt4dNxE@IW+ zw@M|%+L++gBXkj<8tGg|e_KgEZdxTa+~C&M)%fQ$s|+-y)`ZG|_y3@LoyYS4u_?;> z3uZkUPH;nE))}TSICV9h5PcZz@*&aU%>TZnbUe|zifX-t&tNMNFda?34tyfT<2vZHwlw#>@$?!1o(i z$3*&@1Pd;4f+jJ66x2GN#Qp2<5_i%S3;XcocD7)kg*#5flEY`0!Bn@xfai6Fo}U<> zOQSe{QGnt5Z}ALtL2ae49u%>S5B)Kg+Lq=rdAZ!oJj+oJ(v|0 zLm-sD<-S6ao#51m;A|FQBh&Et{x{Q=5+5QUWJ)VgvBL;HgLzKW{Lt0DZ|pE&-sa2Yl;d0i~Od@~6>LbIIAiXZr#N*Z!MGnEz? 
z1<^cUsA$vZQp0r2A6y=mM|cqR`=0ViF3NH73u!ql?7q22eo4;rj^%GI^%^v7M0d ziQT9{9rPU>5<~}s4C4>G&qD<|F0O$XsS+5t!Zn^r9mMcBe8BTaPrvJ8aAW^oOynR; zo;!B<7tFd)Q$~3j4BT?>m-QIqx9_{T;;0IxKdTr5+NeRPL~I%aMFiLWd%QiQg78se zGh<;^Ii+9*2Jq-xUIWB^T$*GJXTI(Z>r#YjC!x}p@`u$r$%G!M6XE5l95y6=2|V*) z9E6~a8kz8JcBT-*tWyeZpQ!sCC6(KkvPSgrcNE$%aTcVaHd}kQo&ks}!#|)$r{aF= zR1w`-HkISFl$5FUsH&-0R|M8rRs}vz#`$%vsxOuuv@HuOs z!NFnv_c{!yoes9qk=f9(9OOn86j@JVeax50ohsxL+#2-4*1d0|)XhHmSK%bOz8k;C zDhLs!fPP5*8~=%(@4t$Ra`T6gtnzVn^z|m`a63y|18#D*=Et`+CqP`E0R=rVEMd>n zHF3hpx7#?;4x+X1|J;RFF|tgLVm0j+*T=%4n!dk@=op8iKyj4S{GeU;0w|=IvJCHE zf8YOnj@myv14>Hi9*vGwekypg5WLOO*W=cbXkM>di{oS=#4&3(wzk_5L6hT?qRSy| zMWHHNOQDG{q_AEr-+Y}JaKYOI()ls%75tK|iPRr(!&ioctgKhfKM^^D#w4Jb+zXoQ zE0gSxgCnLAyeK+Bso)I(QVQxeSznG#cAh2>=r#U1NIna@7WTyXyNQZrRo9vP_8-3> zH8x1iG3IllE5GL3CF+dtC+v%d+F@I?_S9=?!vvMEXD8Y{mBVhj9v2kp^4h8W2J#*S zNP)u|_o~&t)GzG!g2dHu5>3Nl5KYY0qjb?g82CUDDh2DdmJn3lqd z1egef8b{QFS6Xf=ogK76v8SWeO_liVe)a(lxT*A zBD$8o1@?ST%`mzQ(}hvFgG$d9Pk9t)|A!S9ti6kc6UK2=s5u#(8jr~i#RFE*aVzhu;wfzMOeq6@pDQV_GRQkJPB`t`H60&5clRE62z z@+sj{SRcHdXrX=uuu-D4K19c(na8QYmI+MwKtthaGo$E=b{`VDo@7xRqx5k;fFarO zhHP*5+N)oHplabF2q3@tbXt#SDLx8h)yObaWFGWM$OLK+MwPiSnVO#DQKm<^xmJCyuShnbGSgZu5ppL+rbYm@ zKDs!yR4?k;U_D{Ovom_`KD2g-f?!f7AA~@y>k;qm=?fq(hVht-H)UuGhH;klXs_+V zzEa*2RaYtfSpiSGiMltpir4X_;C<4+?vgvN7|WKnYcqK9AtHpbKRaF&$4GB zqg=d$izXAr@vM4us|rU1i}uthvoE*^p|P~DTBGyEoynr(MnI#RF39iD;>d^A5`sJC zd*f}fJ@0``KEgabk^ZI$KE@SWIIW7T03wRGHp9bihNUCjC)yEW)=d)Hzpnfv)Zn>p z-H*#!((*Z>s~@b_ea5K!_WKkvm1%1JR9AIrSSFS#W{TC78@`d{S4!;v^#V*GM~R^j zqckbAQkB4U2p!-h-}++XQpw?DuvAi!SJ%L)lHA@*Li5}j&3obyX0hPs9wyC z+|=i`*edSB#<8Cb7wQMYb8s@~-F{T|FEL99h@_|fi_AViuHYssAM&g~>`U5(oj4{( z{jQ+oVcMj#T4D_o(=_RrqcEEgROvn zJ-#Su{F|pC6WuIR?Up*2?f+SuXU9#6iq06_-R%etDmVcNtEl=P>zvID&Y;yTmzvgM z>63pFDYQd4QndL)Eo@*lY7SBe=p+uyYD)4rFS`7CMt|ECf$S9imcmHk$A_bl{j=)D z033L+WAk4}3c*zDlgJ0r{gih@NNm`%o?^Gwo=TTRZ}3DMAcl|M0?<9)B>^dpu8^4;K4~l@g))1D74@k1bgMhtjqN8ZE+dlUH|)Idw^1 zBKkcr)!#u~ZR*ul*Z#(ev`7JFYFd_}Q$~3KKd+CfA>Nh~5M>D%2(VS8_|vr!K_w$e 
zOy@0oV5-xy+Hs>{V*qSlpmjoH_~ym>$Ys(F1{yXe77sU-!L~mgN0`V(5T-;7bT~Gy zVW{O%21a6r8>?}V%^Pvpo-sa5)LoNFA_scK09E#a-1sBst;yC_1Tm1y~%CJWF6 z>O8@`5fmJkPoZasgej8Ok;uC1Lx|jr=p@$6Fm}^R0GC0`%9OgemrV6m8@1tDw2Yee zrEQD;shaG6s?W4;2`g88q1HXn?Msk=FMe7z?^(XnK9Vs#R&5SkMwtIP4etJH)6eU` z-y}3T*e?WZpqlxRiFUoVeyD1A5l$~;6XM=@;O}sg48~C`6J$W#Z#-)Z0>jwwLV=}N zOk#3II3a=7V*%=^RIq8MXUd{aeHZcXR+6>vt1t9FeS-T~gC`5EK@Dzzg4+OIe%NCg z>cHdLc1AQEt7s-*;2F8URNd_iX;!ftt3p(QE=4aKQ>SUEpi2fwlV=1ax;ZaE}y^KRRVK@5Z)p z8B&))M{DK|LxE|^mAF2x^5ssU4_d)%B52>OnMeYee*D0Y}D75_CS@&Uk_dUMDP4+aobAh~S)tdhXT^xtAPzh>{d6hhGf$vIjL{zU@6)0L=ZrTr>=n_en{9|# z)B92|0f^dHh_1jKgdY6=1o!NLWsf&5QS+kPq4A{ylK7`;^i+E3Myc~S*TUo6r~PGI=ui2P z2%L){?JtG!{#%PK6Y7y2!}9xDLkR2*)f6=8HoqDp96AhbXU${4O~k_CYp}4W zu>%w;tLAB@f1q5YRqh4+_7c?woE|{ebo~*)tUDuURBF!{Uvc?{V$$~k19O0A>-IeC zs>k=%+?Hdy&}1Ud15Ezq(o7kyl4mcTP)M=jOrXtT8V6?0tx^M-Rr)XDIm*%z3PVdv z@3x*Vd#Pp3CsvMppj2wIa!@=Kx#us?XBz6z`oeHojih@$(Fj;wz)oW8j%hMPdRs?c zCza~3|41}zq=myr*?%R6U>yYx_6HR5Vy+a)cVeYgw_H=QQl=d*C=vqa3zYLrkC86=xr% zVVfvw@j93W@e?`RmzIJUBgFxEHYN-5SsBpn zA@JIuc`Zw6h1Gy(U7!emSlqv~Cy*qobeh_)E+M!HmVE*F6`$Afe!P5oL{KxXrXHjm zYnC1I=$c^J%NIi%6cE_^{PE80!ke$13I4n6kzP}i;I+1zcXk}{O18C^5?9(^&L;2a zW=pI^)W}*+yPjeR$8INMlx&M_a$w>HQ4kALXy-sMQE}~$?+|&E)Q%(_UP5fG;~O{Y zW@G6jhkbRvq+${W8zZq_%%O3_91^2nn)08OClpKt%09x3K`uP*P;V|E&K=8|i!-y@F9ZZvi1#+8nCR0Ln6kMvp|O}wF^NlxkMB(&Gjl} zZOWJOwlElWP{Nf^+<~+?;w)xO{JpG9pL@bs~Q4$Nk`(6y|ce~P3g*KLXUnJ=h85O1rV%+#zq;mMth z+BOhyr8Zt14{WLdi9zJ9vwIjQexuRdG{@svh0g)BuuV{5B8e_@=M|C+$8mTmrN^YornQa1{J=ZnDB4L5ScQt(?>jFlAMLYjnxwE8 ziAqt}f&^D%M~IVj{qkf6G|1o#QFBjM=JcONq64PSWUe#=sdD zc7@nj!?I^9ll^FFF|eHAH>X0>Wg)Cp!ekP7gJM?4mzE(Eh_e6UM4RXRH{>{gwy1?$ zPnT8d7g`*h$R--Nly17H#%)tmX#f7{Ny!oR_(%GBaf>ceL+!~DpJm)7O-msan*OJE z>{s;39lk%}z-DI6l^l!rOn)Yip)%b{ar+QMtcTT3muAlJuzCot<&KfrbbsK}Iv+Rz zZtz+38mn+i;GRQ8Ky~v9#Q$?Y^x^qRS;GEAC8fK)je^gZ0Rsy8M%bg}HVc>%?laK0 zC(4K}kY8aKO4V2OlvN_?F;D!oLWo|5 z3`H_R4u`p1NeH9PUvv(mnFg0mztTXE6hF(4%YW8mTYX>Bxe}HvBR)_+ptPFzvtWk5 
z`wudf%^C+l8-oe=%)UMj>Frw(V8wS%qbnBd|10vx#5_@q9{j_Lo++X23$|m1AK6C} zu52MMyB|LS8j?hFE-;8^G(k{C1YL?m`Brto?keqzg``rfr>(Y$E++t~Q&*k0nQ{YXOjj z&mF7}z5+9_6IMib_M?-B8v*IZ916M43k z`0+CPq{cmA5K+LG4p5h_R1O?xpx@G6cdhoRNsL9@=?a@_`#r6HhhxI5qv|2SwRZ>= z#P!9oeE(=F3l<+O{&>*^6qhgB zQKj0IEiz!~Nh^(`%B7BY=XanhsL-e=AGwz}CJij+w9LLpenCTb*B$)MBT(Mx;&x0J zycsx%wJ6r~C55#q(T4&e*+04@m?`(l_`+BUm|8=RF?x7l-ZOR?T8t>ilf~8VhK^5P zmXc?)Ne*1mqz4taZSIc}H=_Yp3B?Af;cp}nQmH^kZem(mCpid>tBfo3{KC^!->(Tq zFzILk&8xJ=nQo!qWN5oi`^5hc^aN1V*%8PU$8g7R5g;3x z-;a)YX_t+v>rqfmsynWG>I=H{&ef^tRJ12fyKk2=MVS;uylZ#brnL8c`O2`_^-QtB zWQnw*&|mk%sS+*Ei`dYS2|NTq-%HPKbxcSiW7RHBPJYsX*ZsD81nvhWgaP3UdFXeA zWUCjo@J;aT15F5xsEYH0&-&bQuU{c`_cnHp&50OxPBx9~Kir=44R$gXcTvy!k8m6_3Rs+*rZTou6MK;fq_w8gx(IfO zM7oM}y49`<>9}@rNY`MpEJ(!78~)nG|QWhc>yuIiKr0OK(H=f24uKK=X#P7ukEV5 zLt;gRnJOPvsC=E6hozmq11-Av#G*fD0}lT8FHJ);bzu5ZxRaU;@VMAL(y=W$kyGE#31jXCHF}4?*a?;H9ppGMrQ|PQR4bS5`q{j_F+26TK;EYw+66b!*v+N4g{bwH9wm=5zkaP!TzP zAc$c%fZHH3(E9N%Q0!b;vFEXV$qn5^{qJxiDW=7GpnN=<_P~W-$Yl}R;!CwAfz#v0 z^PkGd{rXL4b!pxA={Z(1B9tT3>`gIe9Bbz?5sR#2X{;^Eo`0u1V5(QBzb;?8^B)U?zR95mGR z_xgv1N2)_LMHLm$A!2cH@dpll%(a|CyW{c9JONcShiq23hO_s#IFU@p<^TqK2nt=qxHxn0;QROs zCGQElq#fKK43lXVJ>HHnihp<)R}rU32r05gw*!Q5Vk;K&8t~&E1n9w>9Kwk|ev1ca z2%R~cnc6dyAX;Q8^B14k0p3XfkYZ)2a{G2BOY;c*h*{Z2!Il+lT*6_d8nj*!L_Yg| zCPV9EA_)@{eB;&#+^ysT`@!wJojo)(Xw z&4n#>TB4K18>uM{YQB9hesq-Qo0SL!+geX^auhlz)|}k4B0>~J73GqKuYmT=I9p4S z$f1~=90JjV5*rt!)C)<+dD!*KCvm;qU_RW1O1R~K)nUzUKB zj#$+JsEzUY3QbPMa0mOMQEQi*-p6FG<)YeNc#=ZWoYP>5_7&3gqp)vf3!5VG8kJXr zh;u?oFF9ZI`T1RL&b~Z&Uf?(sO`S?o)DIOYd=VxcM<{1j7HeEj+AoMxrGnb;qFHd3 zN=X*|g2D-rqyaLgiZoS1_9wxO^lcR5CcXwZ6xYiA!c6htEux_yBjM>WJs9uv5^KJo zT)h-Q?~D?_hY$ne;Go5fhA(HmiN<`3S)%+R+;8H)i*cjB6q>H+U`>&NVbUSok4qW$ z?sHYI<9a>r+VlR5SfXhd+#>3MsUe9mH`t{4BYns@XQJ_hZ< zQMI zB}DnPx@-o#qTqLWB_l}1)MeA`39KeWT=jLif)$2zCZ_j*VcXsf3ziuTJqu>ljY|@` zA@_eI42tTMM7S@O1~?c-^99=uhwCg9$>5^j`LYWOL}ZoXR3?%R|AoP4MYWCI@xiRg zh{W1TNX8G_v?JSh3gh93=S&L1B5zb75|~$m6^S3vrW7?f@JM6JkY#aXsZz4`M`(PE 
zx9GUyw+}!m%NJ9;GYZ*v7*z>6EA@F#=a~<++j3{3OF|lV%#To!*tt9aAoa&M^ZNo0&QeKEXFWZI)AjpXE@AvDlYbN8UspApvU87+mzaiOal!LQ9CKPYa zqE~&?9D*Fz>Pk{n;aiA2!Ht-ZzS<71l;MjbL|dmCQ2bx$gP$&ZU%Wd=WakbO;xM1y z8Ut~H-n#oEM#5tSuKGzOB;IXz1JF{|*}0aVlhy6nIr(5Rml80&^G9}6F?OFmI9*;h zRae)dn?4xX4iQgyeUQ|)!%im%la*j`O8@b`_eH5;Rt-Jd^u;`ic;M^`1R=*EBCf6O z#5Xm$`fMo+-hIei4{nA%UBCXt%C(u&aiBE$RbL=xC_)M31B}~qb8?0$WOnc0`?7Iz zA{NfYiIR~eK0RKnQz{ppoa7t2IHlUjmT9JW#W+b};2&2=U%x1*Sg75bI{Ps$%6}1g z0=b*>_#EfcvI+4dSv(dDKRXM?Wv>x!bUjew%aL<%CT46SN1qCJM2k`@(b*G#Mro>c zd}SB(wmgeScKvEe?@2JbQ3^umN=1z?#soB+BwuzVj1oxSEjX`zsPg)*AZ)KK&d!pq z$7O^QG7Fyx8jzVw%7w#K*P<$*Y!>k2_a8rg2kq}i%~3RE4KJUE!A1JZGL0^@bdyx5 z$NAbITp9L+mi-+*6+ofLPc(BPkBpEaCiS^P_xNiMO8@JCM|v@`?M*sF8gNW};VvCM z!HSGs-I6%kR_b#AWph2<-XC}J#unOLO@w*+tVTz|iouS|z7*r-3`nCVbrN|;d-%oR z^Y?XkEM=D97qMWRbKpBEdVcP}tH=|Xhtc2^Yk$Osw8#T-C+xjGk;GvpJ1zY+-x+#g zZsgCEn2ZV(rfDiPFIsjHp^z%{0a}q8HN}U#q17Ed(b^w_F=6)|Y@NZ3nJ+GP^Txd9 z?6OUEfCnOwzx-$)KM#ucCFt{Q!&_Bn_lxrYYWr_-w-#7<2`S(qicd*t$Lqcf`kfE6 zBOZ-zt{)?xw;CE*D0UoeCY-hsuW5R&{=m_`-JRiSNSU;0*A^aW2gJ5sSmDQniuuK; z=d^OdAbIu)e%7D_={w-h3v2P~OeWdu=Du^)(7djQ^|2DsrbbfmR5;~)}xNqpZ9eJc4ZmzR2;hwg@hAYQVXR^FZ z@Ji8XwjTKN%!q+4Kp>sdSHw=dsPNHIX)$1U(y?zlT*O@HCVbKub7FMeW;igfYXW>- z7@<;epUx3aH4lMnAI>heLop+)jlO{e;kYs0f;L2^f^#ay05=e;#+t7c^Yv%X1Tr33 z)O5=l`nvKDO<23ArFv;8S8=7vaEsHm1Yt=EbfWHmWgSPdW4Rtm>b(Beb*y&+t(j-k zk1lTVmGTpE+PvPW8Vn<2rHp&{V`}_=46=x2G;2oQp5PulT4JSAUKkmb=~BaQQp~~~ z9QHl@B#p3?Y4T$a&-|{)7@}M@Q&{#f#g(fqm8oD2IqC(lDm#poFH88VH$5EEHe{8n zejAC&U=A+)B993viB#h|*wP6HlE)L9yO^EG+EqLWJe$s^KxK2t#j9Z{qqK9e;KLe& z{l*1p2d27LWf;Dpv@8qxkrD5m(aXx{Yu~jylT+t66noN{?-aTVy6U=WCs{kbOqFiF z{kF_s?!+>vq!@8UM`cdidDOHnnN!RkG%I*+c(gK}O4ttR9hMYCotzGtx@ji? zW!%GElH%ZgPpkjy1#rN4c3wy|U$*NlJ$O$A%X&n5j64=-eU8Y^4ur-{D4vn_DZ@U! 
zJp3WX3#g?6RRttTm0T@l9hy4s^E$^w${$XY8kb!T;&(6RW-y7ip>R`F+ex zYG=XxiG3(FhxK;aPiUD;FD85=XoF+9i&nR_1-Pk+*i_DfI=yG-8b-=qQ^Z09M#U9R zIfL9ur?7g)l-};H&S^zIJKD_Z&9;lWJxx8{wWE40lUA?3sg_~L9TvuJoek-(nBl)+mnx8>0DEbel*Mzg-rcd86nfg z?R4~d%i$|J)=fCuMcOgKdbKgj71O?{DH;=hCA?5C9&8$iEGucwMJD=~>Jt=B>d*QI znA~rZu?@G?ErAEuP5oM@fA}&DJK>oAUv+O87ghAOjVcZ@guoC3(kf)x%jT9U@P>R`fy)9sm|gU zD^`wMx}E58^UP*sF*+MnQvgx`zkeg-KQAgU2E#yXiFQ9~;nTAQAhwhupYW0LJWA(v zy|TyUYNPrd<~wyNAdKr|V({?GVPiac4Jy!I8W4HMViPz2ls%paoSxd*4aJlN?1bm7 zZ5RT^6=Z^~2-#cSz26Jd{pQ!q4lKOELC3Q12K8itjR+ry4oWspzqRA9w4)~TSdbj< zkq@vx0>8C`I&jO<7BcquIU`OP^LbWq?XhWLA6_gL2E4>&<0`GV&#T_dfGOR7-{Uq- zTfm@dQliYNwAVjx1=!L5ax|R`&VF_--?F?y5p=(+5h}Lb8ef`&QwlE+3v|A`bgztm zM6ZDku8>E{;Cl~+P~RP*7Y=!!e|vt5%D5-(Jnj6~Hjc{9&VFitqnXLvng2`P3bI~Y zUXHD*`V6sk-Yvqz6LS|r-h7g{_-4^$Y$4EwPIs}8G`=EkWQOs#bqd!!t+b#gq&zA7@eXZ>7;Drp z{gK+P_3#o75kX*jmZGsGl!U#q(;(Fx_e)D;F`P8&k2mVTOZr8KI>atpMv3F`)aTt1 zgc-wyeQbwuE>(n*8vzR^B<8UQ1DgwiU7G$`rOK|NM9Q)CtZS1Z?2MU<0^#y1cblBS zPOex~`nz#%W3NGkf+JM#$AOGU#BT}G7mKZ5-deC*5y*YZTwumCdH%wg+|5&zkMqgf z_sv2);Ocb(X9H}u2|)*CnR&bylYOrivqPSrqES-vqRo3-tigfQk>bS%Z|mTsjb5RWR>>}pPJ zf3fd!uFPG(&)7uo)xVEzaNWtJeZw~iI^9q9;l$ip*sv-2bfx&OX@#&H`R&zvUp#wp zqXt-$^-dJUfUNK77<+_hlen4lnE`7Ol)<27vu)v~ za(L!?OBl365{$dG?1SA>wU)T3{w{Qk5ZC|0YyIH&)$R>WqwB70ZTJgV}H2QAQ#AQ{wQ5`~zsk0bJxWUBVULjy~Ev}5T6_QThDzGb8MdKxcQ&xOY zq0?5>9(YeFfB0if8|)WgVI1Aeo-)E1D(lSMOTxVe%iryct~T{2#8j1?+aV~s*v!)x z(BmJl=i?zY>cTju>e<@AE3kVFp)&gQa&gu1zC(tJFP#Jeb}5>T-0>=tjxR3MKy|nKINYp_L7y=J(ri^G^!Xa z=hnZ=o~Vl+(bgoVelBllklkJ!r&EdJN|5%x(3M1r-}YJx`JEoxwDkFoynEN)KQ=ao zC@CQcc}IP7aS&AkLYubU#?{w+gmzAm`SGKa*~%kh7xXm^(hN>dOB*jee5MRKOOF7G z8atH=+WLu#Qq02LuE!MO?g{}V6Ssv2@iQ|5KW1k+3>t=mWSXH*>lI=TMV`;d+fPQ~ zW-x4E(2HFzvE7INTz*HKZDHS}()x!H`o5w3h2zxmnE&QgsVu+V{pd{Na6n60%m|dj zyq))1uPUWF|3MGe$7bq;ki%42o63&)biA^SvqHzq+&C_CUWjb@;tO!PGcCTE&-_fC z%4>bY=e3T=1#2U`3XgQ_5dxt)#dujmJxkf(vtcYwS(~G-D$d)Zf9f0t2$z@Y)A6!@ zsIOQ0s`GC+ajzUfUxzdbh-W%;7U-nnVd5MkAl@61eqP#d`#Gzf&z;h*(<6utmI$&V 
zo9$O^UnOl!$?rozBaQDW=ksy+3Wd-9EqfoXRJVsHh(tUsAva_q8dj~uWXQ#vX2X0$X?0e@Q156=*WQrICsGj5qFk0piQbH-pt`yW zkX9*-K|wC2&7vM&UWRLBm!()BJ!*_)r-aH_mpAm-G7?U#JM~T;IN$#rqVvCexqewg z-|V#~B66`GQe4*Tb5x6TzxgMQl4fQneoh%$NaNt>p!ehBUQz=ipcN@SR|%fMrfpm zmiwJKzy!mT9w-q>+;}fvLEmj;fUL!w;cF*3Ov^ioE@k-vl|s5Z*;Wlj!_VY?A6_nR zTqbB!TL4vEovDLQ9DVs$VVeS5^mg*J9-+0I!Hw{IyD=vzGMhEFLmDzHDe*C%-Q>jV zIjh5-o{d`M%;osG(dVS$KVc1e(f|u2IF$!go2WGu+6QvnyOK{_pSD6B`xt-u&iwWD z%@Q7uFb~VEeYD-l0|JegD1{V!>X)I5F=<_J8`x`#i6gA>At-B%P}&D5FJgZMGroi3 zFlXfIsusX{jpN&Y|58luc=XSEY*vmWT#x4eS4-lf{kpFpUtd?|#>WpbbV3b76vgR4 zPA|O0>Aty55+%ncf!|_O;ulUVDQ|rMn!XE6l=$cdz8OME$j$`wRmli_&x;zSY)P;p zt0i7^)>OO}T+AO4k|CX5jE%b4U>|63T{(*X`DR*7*`-^q1S4NSG1$s?*aDCv(lk&e`)L zD{Q^QL0;e@p0o{}c^zIr9;T-p290XC0Bh1TI6W0perdu9H+#hcIQAr)!Ae{ z-R7Szl87&&*8!fS)VkV`gx*yTVaVYPy3jn0AY~AMqfIt+@`Or$jYH6yBmH?M6ps5xP(cIbH9q>Oel^V$VDHL#7fG>=D z83;2r4xic~Xc3s2;sc1~o97D)WZ}}1wBa9BKChnmMSNlv9x>|(c+SW7cCOVsNkP7l zU*RG)TuJeTvhLKl&NI{-FoWs*;#-sC7X&uXo`%}lJ42K%i@4;lCOj--P8$`JqlU9` za!DMl0(8I)=C-968#`-cgCMl%)ZbD%3|uaWD0WGbUvk2k4(H|( zXOTKgei_fMJ~cH(w@MT-pP7{^^m9fK&#W&){E z)`rW7hK!Bj{@q*Z0kK`M^s+n;356g9d93F5JKTw*aJ^!@-*dpwC5D0NqxX1<>404Y z=^o`oA38nznnqzVr3XXy-HZZ%>~)Kuq}_IOVl>`AHS;QCP7-4^5@VMVq2f5%4TaCz z+kcnnLtC^&rRclQodiNqNlMDDv8{_aHF$BaT^-t zaKC&RwzdXoUgE4N(EjHy;#K(R6Tna3*N)caMMI}Y${=-g!-qvYzBmr`y$eJhho}9g z$4XQrhaP%tQLYIb<1sG%E9RDAa_57mll+l7-w|ZT42we+wGg5Gm0c2%8AleAmYtqN zWYU!QBD^m;k%XnIT-J(6vhgo`U8W=2L(@-px;KRyBFr{N7=z2ShLHFrV$eEycoh)p z(?^I25uDmMixt3qmIPMTvmKz~e<_GHk~OeLaP=kNk2-4_)I6A3uZZ~P5Pom0xFvPP z(iVP+6-XfNohMNy(F~g*_TQ+7p_cyt9BOR-g>2BB0+E=dR#~ugh`uVshSD|h(Grr&nc^ck0Cucx>X2cpIFZi#2}!To7a0A~d^L+Jmf^E^D;*D6mxjq^@W=?$nJMIzX$=s7%S5vjlPmlt8>4ETH4gi@wskG~V z808`snx;@ngHkgmTp0ZF!Qa!7yy1AX)AZV+sSdWc5VHA;Y|bA;s>fvc(c|MS9irz{ zP1*`INL;-{?Z}75p(q(H27<^iWydHbM}RG8RHx% zTV%b^b2j-mZ)l&f`1QQd;e6}sYU&L$;2+@rbPv^Wvj$=pThfl!8!f;uOE+nLp#YYe zHr=sC%Z;fCFc||`v2y8e3subtDjC0k1Si8sfqFtWVL;dn6~f z7E&?YN)LIHw(cTK(XAf}MgDCzvzLxiPCdF+;1a+8(=@(+#wA?ovNSze1P3fF=jU^@ 
zE(Jz|yf1y>L}{sge0)5jqXYVKjVwMf;ZvYKIdgqPm4lsw0}+|dFG0y#aEy$x9ejFv z23$VAv_uh#DxlFX;*sqQ14$`X4M=&h{hyq{rF zA2H5#go9{lr?#n*wDo(|0010jFBo1v3DQv6o}U+HXXm6NJ)|eXwY0F%O6DWrWqigS zYo_2^njqcNW9R4$*?WOul(ZN&k-`J_95|9pTI8||0k;Q@J|tl z_vEt9@S~cn3Dehm^M7M2P8W`errt^P>~A6c?$nP)f2@753aGmm3s_4isd7&&6#uN0VG>XYdS${XJ4J5ApHnwiEe^1wc17IRzS^e74wh~|g0nW2NhK{;E;*wm)7^wEJV1NXi|la4i1jt=<&Y`=7g}mF*KW~ z(dsEdc@@)TD0KwV=BM78e2@WIj5HIGMv+@$GCT3+Bd#hFA@Wj4ETv?+vC)ZZ~_RR8)}z8&IKSBx}OU zP1?}2W&aGf>(ifL^e|HL{H|}O@nD9)?_woy?rx3dI$gO8fg^^$*Yr37j1SW3;nn60 z;Fwjr@FOFy+UObzH!NLiwK0kyP_f#i2OwsAg4DGB0Mjn!BCFX(^r8*U#-x; zC!DSen%+PcM2T%s4)bx}DO&Loo`*_e)9e{@)QJX`+IA>y#~D-bWeN%Y2wN!^3Vj(> zw|A2PPB%|Rygci1c%AhsCVVb%N`;WqpkMHMx$od(a4{O@3{SxEpuHp@I8j9dE1t&V z5y+~+7ZhVCrNe}-Et2F8Smq8Kk(Y>D8Ms7Lj~=(xwp+1F$rKG_d!Nn?7}UFITKTJK z;j&SV%9E|Iqt-r0IAF3#zZA|EfIh7q75fN=I zIjiH-E-qPNH56he>N2Ir&M5SG!6S6?*4(FM`5o z-Tn%8B5D4dy${xAqDYhtU&_qQB2K3*8DUI3+&=jC?@2e^%#S7ZK`7-nslQR8a%;(YHX8`z9a%?;uR5~eRVGzqLcr2O%E~vqW%ZwEgbuGR;8waL2R$pvPsK(cG^(bdPLMmCA^O zq)W66c1K-C@vCLJieB+wQ%oW)^oTlRo`wh24b`VgV%H%|U zv1t?z#CIx`QgMSd&5TG$!0c520lJxqI#Nb!pe6Y6wT4)6U=v;R$_Zh~8I3CDud9d~gC!iW73a@i< zoY?CRFI;;v>VK5AF~cGClb^=cMYoc39CuEsxZ5Gw9!^~`{K0;ezPrI}+A~ayyr@$D zFZXv}4w8?Vz=ntyGa7D`CwV@AIWr%rAOY+&;K3rqVg#T@0H9gh?{1pn{ui<;fPu#u z9aHPg0eFS@pYRHRT8YFDPlX)Qbb-nreawOb>^u0vuUtSXX+QY^q_F{MBRATnB!EsI z3-JLNt!`KS&?{`hiY3~IbW!hPDqzfT7{Ihbdt>teSKisb_l7Vw}{ula5+i6!ekPHS^4U}mK(29 zOatzwT?>EiV#t;*4@W&z#r@lBz{pSE{#!GIARz3q4Sa%vN&04i&*DV`7xP zXQ7ySrf-NDc{FvaD^?Ayptbv?AsSKAT)IY#$5&L?JP z)_Q!b@Q=J63^bMHQ#sCfuDx@(vCckLSs`iF=x&h zVSTkH(D!iRSYAh0&hQ6`zfFsWmWP94m5^VESN<(eDKHTDT>d+dc6N3)eFh8+5@T7# zZy?7Tf(nERz69)I8)lrUB%36#0$}c(fn;T1_b_CgPD3YD7Fuz#wbH%1O5@VHCqN;D zJV>wnY}wbRKqOvGqE>=tA_&hO5r_S9_?$hx8OA7y7NX=_61+Dc?)6E$Q~XC5m+3Xc zCRLNarClM83t8zqLl5Jo)O*c4ia6I?w2v=!%{Bo1&<~Pw>Jdxny8w@R*pPg<`d_g` zv)5;|YyJu{FZ@l@tdU}p2ag_+?kmbj>db)i<)hF|A^Dp}$lud8RDi*fNhc3Oi3Oio z1oa0Tsd_9{8R5oqK5CIJ(|#Pi2-6VFI-0W^WC3!6Qp z9t*~(+{b$B?)rdD+VK)l+&U&C@iHma+by^T>Ae}k5JDl9!BqC3*Z;vM+@aHixjk7k 
z|I+c&d%}yK>%GP?3HUmkDjkmpF~6RDhnay`-JM>9u&0{Hw$@LG{;6 z;PgWBWZn)9=vsp*Pqu}XIpRV-#frUXJyW@NmB7-@@a;r_CcV2N!#vZ-NKw|X0VkKV zpNjV7jP(s1;-ZsbZ#5bHOjghLIg?xtR$PX`*~9_WP=sN=S=))0Gwm|*3}jKS0o{6zmrm}L>XVMmTKXb6JK2}=8VnwM%zQ; zjP)>{?J{ouzWr`_*iSmI#S^p(3$&CW%6CMk(5WkDY1eWA@R~BFdw) zneP6j_#asUQf{x};KY_%d??nZvBpmy)-DMjyoAG#^>w}Vsc&rjH4Vr) z`J!|`^a6x_5)@)XR5tZ+y4-aYZ#fVW6?R5bKBFfNh-rpbNxoFQ4VeAu<88cnkGOw1N=Ho%#ODKJqk+*xiak^`1Q^}P)njtwD5?m3!P(fRad^#}$jk2B>9p7o`e}Wn4+_M?-`%GQD-z@Li6(=G`8JYKdDdDw{ zQ0(2gT4v)jvO9iVOE(>zv;kLFeD6XQG6jD1<;*U;@9kkbPFR6!%*Tm6J7jK`)aRlp z*{CV$p39txtuaTQ5VsPgvZP1(F8KjBcp-(U5sD9YG zHzve8ZtT9oTZ?$2ju4~R@R}fUz{V&mbMKtgAx_-rb}LmAxoDr|42}-Y6p8>?vC#IK z=34GJu6?2KjJ#W3KJShf;qH*k)IL>;N1@S#ru-`=M9*vi6?$$Uf{`VxLE{*_8&XRs(?(#aZ$7ijJ&@QPLhERZxQ1Qw(@8_x(gJ&sg zj3vO}5GDo85*gMu`pXI3@3P-2QK z;95;R_hNi}v@=?oP+fFe2s`jhi)x=DP>h}sg*B!$Mua9+AP$m2maVdfGKT8PHkAs+ z0L856U?_v3EGY@_kEnM*B|pjnTM%X20>m#MD6B*kz-l&OZJ_C{@$pe*p>^PN;F+Jr z>kL4#l>epmQ$L1S1=f&XJBy@*(lh?eZDs?cvg^%(3Eel0>=#p+oSG`vPdR zgNV2q)0==ruqjm_Rgi%`Tf)v9x6ZR_lixa7QIK~w zZE%|k9fB6_HBJxmfOMv%|Q=ju`hZbOxqz z9iEuz9wm{et#8)3u4?#mZF_%7i7IA>Avt~-lLXfuVBYQzYKA9h6kLNin!tJ*TJCud z!-Q^J1I1eT%OUh^rV==gdvS*$EefB(R=?Us!cmfAHE$5XFM{q@k77Z)zY-L0w{Ke& zeobyalTG$k=pcKGKO9}WrsVKc-I=ogBJs6;3cTI#jQ;j)XSRlInIbgJ+u4ee+$?aL zrsMjs26)ApGWB}Nd)ws31`L*CXFLn;z?u~E2N zn*xQ1mVr$l{yD=2lnCx)#U=#io+ZLdH6)%~wOOu_8(nOuQ{PaYHhET(v9P#IHC5#e zc#Hcy^CtOS!$%-rjE|xlDryAL!ogqRNLR`$c5J=mXbRb=ySKN2Z60^dMc>$; z#xoy3riX0~Yu&aNI2&d&74HbWdYw?c7l`v37#q088Y@OGYqv$XiGciZo8z``D1YN^ zZXo+daXuwL&scI#H?CzTHq>{dm%{jV^$;__`F;cZywKX(PeYjM^lc1WEIRqt7?`4d zgm#&5gY<+E{c7_d@rZvnkrT^MjKHL)kZhYzp(#!VRdLD1Yxny>p`HJ>DRIK-4sTfp zlWQiE|Kj<6mNo>|7;Y9ulJ1IV*>+%;QU?N}ty|!hPkTtpoXwPCH=pbGY-@t{lI$iV zTL-2CNu2q80YQ($ilFPG=b~f>5{Z4Y zY}!Zp%GoWG&My>x-tvB!Rk-HF)LUpwMmrp(#Bj5?0T%di2i&sSS7!MeZcqJ^a}Z!X zd?ok9hl#{6&W%Dm-kaHDvEmaJt#`(sV2*kJWYNu+GQHDOQBx77153voK*R_eMj<#c zB~oyFw6wdnf`=?L-sB=WePPVE->C5dOFyYVgY{tajm#7yRa;%tI$z4hc2mAM5oK9o 
zvXI%d)7sf1hZmtbIacw#UF7=qs~59#A3F64rJOQMuY8&}qiJF%IiEEKb+B!2jXcE* z?bX#?`|~s-e*r~(dwZObo-|hHL|A2y(rXjp#8NS@9JlD5Ofu%IYCU00T$p4jV%xut zc-%@;`jPA3z;5!7K0DeGLbDM|Noy@*jPx?pxW^at0c%Y9EDOEUrtUr2d+lFwGv6mp zvn`BF4U_^)n(g`m;}=JbHgwyH$8Yjxi?Q0xnNM?S{dAl2%z|FOt|FgSoGP4Xkr__9 znN3YhgN{_^>}I~%c{XCvd7PP6dpy#n^|ejlB9mtmaeaMt)ma{A(pIF=oBAWh)E6C0 zZeEqKLPeBPEU4R3h=IRw+$0aF@WUl{=Kw-!=mUI6gT}hV^CK~YS#up&f?Q1~@L1dR zzGf;XA75T!h&9EF>wKse%GMf2@Oy3ENRDG)*1X4%cM{LF9QQInX~yPes}=@*45p_E}OKf8}F5dkzsm-0z>$Im6~04qmyBC7VB^IFtryp&GD3!d)z0! zrh|c7%VMYJr!@WAtIK3aJt5|6Ya^(R?nVdyE5Rg%Imb9dxqgQ}DNwl{10yxi2@bLa zo9H9d^~YDD;$MT}(5-A-sHQFmqX#V66-qs_NyeL+1|-97_F69{<|j~LH{bqJR6iDR zzkJlsW!jxv>Oa@v`N(&wyL|_QD=r$!(JmIZ>rTcaszpi2SJ&*fCsMto$Y8@GG#=Fx zb#CeB_f*^afIeqbYRaDbG~Chd3tp?YOSSInQhV_qdV;R1v^;zRXtL_>C&@nA@edOk z4PEhLa}LpslB6=r(XAB|6LsP(=e0zYmipfku@9Mxq{+2$#0L7y8>%CXGlB(OmfD_~ z2sYn)d)A+jL(D!nF0jmGW`TiAhLqeN>Z%6s0YjhJG0^fW*w#J&Hp&P|8i2&frKo(q z%=Hl>kmAhg^RU3prQF-z-~Y8u%<&sIcU)|J)Cf89AxhkX+jvnKHQ^o-Cf;>#$$_B_ zB8r$X2>S&J)$y0ljQm=KrQ|g$>=;6w1d_g5rS2}Rti&k@8K2;4$Klw!dDzg7{C#^x zL6-u?`>hl8X0A($X=G1wPyUImxBftFs7`m1p(N!BCRVDxMQ^I3;XYebT&o9hi*^> zAoPq3<7?pmj1n;IDnX3xfJc7zf+lqOkSQ4r41jPc36OG2ZwsV=g~>I$^zbo9{fOV% zCx>*eS+kCYlKZ!;Iy-(9pKsgjd-U={jRX&KxGfkT<48~=w4h-KJ}Nbc7J%<{z(0pZsQuCL zrRHaHL6^1tpRLK6?_f=>qFi)1PS!Fg-NMyr7dhMkZA7%*oZ&)}gXK#Wqgx?G&*YsC*|| z28#hCAO_?Gsw?OY*j@KdLsPavfG)sTK~ob+S#dY7>bKGFbvP3k;EQvQPoF+Lq5dcw zhbnyh%UyUGde3rtdb+wE5l2cXmN-E5 zYM2}u3!iS}Fk%seROmTyu$1G^Q2^~EApdH%GQ9(?YT6QCu3tq#{0M|X?@QEYwStU5(XXvqB;|hMY*oKw`b!gCzv~iy7gGmK`Ne2eb9o?BF(`% zw6N#BbhI*`*1Dg7&_Q1I~ZeOdjqG*S#-#a30a6NO#=Mt6qN*(mF;;uFC$fpPA>aJ+^W-mKZ zggLkK8a#-Ce|`NmN}9>0m%J3`arW;Md5uSBX~Cooz>Q@GOF)8evm{%0*!CnNXqN~vYW;s-zT zW6_nVSeEeHC0J=e*%|M=-y-}W?RH6WErJtwiFaa3ZYJNpzewRzt?#oCb-ujEMRh}~ TDa=$K0Y61qHJK_YcqQo`TdUmXsuwpm*deaOR?|Fux6+Q-arFl#9fEPu_+>>4^*XN4pL1Px? 
zvAMxU*FGKWZPAFhtPeO2i8!y0H{FPHU2U`z)KX9w-Ei64+v~CY;om(l@DOEgZoXA= z32|CJD`MA;x&DcVt!wG7n3i}i4-bz(Oxw|Z`_a0Su)OHbxP;Ov#HyXGf~lli)q^u5 zNc3objh>#q@^B-w)iAen#>~W|q&<8VK}_@cf7FG`s$7|)44z3#P*6}1N9E?`zI^#| z)MH_Bk)4fA#C?BztMbS#y!k$gqhfp1kE5c&y5B}-n=#gDv@J%6oLw`kZ-F{+YG*30 zz1ePs(0BT0qRi02qNDHEA`stC1I3%`Gi& zi!R4c9v&XTU$HZG6^FZXLpyDby@X!R0!FzQ^04&0 zAsIj=nncJw?TP$sDZIuZyGc^^00ng9RYgm>~Y`BEuufyH7>?>GE2o$CL zR8>`#oSY0J*IOZ6>MyPd*q%+zWC(dsFgA2BFqDmh&fMBw8Ov6E>k}CnIp{nUv%9-H zRv(zFwb);53$x(~dW@bns&zAF$#rUdrgPrPq4WT*i{VoUqr6KwI$(@HV9li*Msn5; zDM}4px@XkKw|{{CWwKFNvB5S{K|T`j-YCw^!PPaIEyQc;PvFYH^O z@c-gToYPQ%HFJKrBZAq?Vo6j^4fUZ7Y6uQxbr*bQV#3VE784P1Qzr;PwtP=)b=KF{ zch1=1FzOd3;`>`p!dx=U#m;RIJ*Fd4TlHyv0^_W-`8Z^cAm7|lzeP|JcpDiRt!3y= zx|O=j7p#|wo+CV1PZE2W)HyG)v9e-KtM1yl8yw0R5)$HU9#(e-&PTdCmgawBfdoN# z6`ymLS5_X4*7>oA`wg5CN7V;heagqm{>*Ef{?k;P$Dm;@+hVA8k<|!H_4%A}FMRSr zx2=JsSQlyj7ygbGYvpjrvguSs#bw3&h$r8YG7-}9K9?pJR?{hpgEXy~# z73D?hctuxgiI0D=2|3%214~nU8xPi=FBYrjP%lGGR@yFhBrG(VnprWs;?zrcky^N6 zaatI&Io}w<2=nNBK^(vJi*h#u504|2iq%jd$Hi!P;Xv`(vl;D!F70!Eb`F^VR(LdS z>xA{zsUG_7yPa`F9lpejE*MPEJdzbbVo?}1wS&<*jUXh5XduadGnW4gVgG;h))b5u zBg(fmJ>6_ZY% zKK+X9omG+B-llW;;LOZSPEO9^qD8=%Ps7w2&+Xf;5Rf)DHmY=f%-H2{)pEmCsHmv; z$viE|NUD%yt$4j#9kb((RVsA98LQvEG+DJ*^_KK z37c7IXlQUn2)pgxCfsqYfR`a%hmPf>q`bLrA}Q(JGdID%*b>1F*8nLNei#iB5fSMy zelJ3k^|E5Q8eiOt!27A5-staqQy3K-X`IUX!qiJMGtVq73)RzM*^TjMz{1kvez$)I zMn~aW4tF)|=g*%yoKmPNokxiZ#hUE87)whI%FXYTmM2dR8#giv2%T``D zPbefSRcFP=$15>U*a@nLPKUCns1~5hU7jQ=M96-5qD*=Aq{TqV6K!pI6m?)yUfz2V z%4`okuZ{KfW#J_&eogl9E|aU&)Q0lN^E-EvI-P~7D~CKrYtOwBLi*e3GCHpkNLpK4 zn;su5eG1yzL!F&ZIWJF6O*zMsOO$A`$H+12GllTI9V^o3dd3@-NSaF#|H!x}LyJ1F ze#Wk?rDc76J&W;rwv(_N3Nlw}7w?}VX8~*0t(R@4X^tRXwDg@=Y2HkaRw8al%;_J) zTjuI&e2h&@q{VNg)>=pR%-IXZh&LPGdRcWTu--W~E+(ejX@yp!5*HD^^LZVuI`xVN zeK}wZMg_y!`&3*UVeT=L7%ogL&qQJ)7&AY3Ik0~1rwqr$g|!`5h7jL}@O!#4iw261 zkIyv!w|z|9*Xogxk=L(Jhf2ddqBApUb&G#}=h`>x{$Ib|_sq3wH0-%nKxV}V$G-T5 zi)0agPCH&NMuvv9F$Mu+v_Vql<_kZ5JaTk&gn0{7)rX19Z)0mKcVfQ+X6r(qBnlT7 
zm#W^^``lL8r49~{o#ujqf_vTsgdH1mJu)&fD(noG&QkGPU0bRkFBlkG$=XBrUgfCL zfk&%rV)BNkDFUYZ%QF|5L!})!E~Lh%rluw&yzIJz8nNPEqF_b79XuFuD6Lztyh6PA zR{tTX!&2+=GUwr0GDLrPd88)((e!nf%J9iaLkIhHH2Dc6>v8vnJI6)5xb~jj-phV< zC8ecH_G}13IemS$96=g-@AY7Ckar^gj(qQp^86ef)$^A~c*KOKaRK>uk3GCOv2&)l zSm0TyOyfHIjds*oG`#tN5Ho_XK7dnh?81xBve^^2K6Mxq`JOy+75O-9Q>;lF^uze} zPlxc}89c8O&k2yMyEetq<88bdK_~tR@J+dWIAc+$k=c`*X^G$nvzCt$p^oce?R)RJtUrw*EuerJTW!1-5ZhUvOv|=O@id}bB%h^vNI=L$hK4#f>yBtYSda8Xna7#&3i0xi`J(0>Fa`$nd$t<9HpN{17LI~3hKg$G%CNRz zB0z>Opk}1y<&Hw}|5zL-tr=OKo}T_L>VQ}cb(-WukO-2}*Vjk&8t1Ecf?)1p~gQs1T)1$;cpc;j*{4PfSdlk4{%Mee&dqz5T}Yw6S0eI%Dfo z&m49e#_Ct6m#=;!$fs|CftL3OP^C1=p|t$drx%F@T_$WSEE@4|N!!FTd%SB#n!`CD zTxz5%mkzk^tQxGNkvpuR(*AGX{`&Rn5}}_x*))uen4*C)YK9@?+1BC!iY`spU*hTG z$B&sv^l%v%8JnA$-by?bjOm`+fH)Y#?Pve8DrL;3*emLWPtC91u?-uKgzLV5CQ~ov}fa3h?rluw-x?s5^zc+7I zm5Y*#AQJ85tQf3k!A=9)rIGv0t52tUMi28lxOaIkihKyLN1a zbdn@9A6Aq?GTo=L9Y8dXQ@bbv>*19F3nOl^-RXqp(7UKK{8}`PlCpBnGaQ7jw}n(N zft7vj`G z;){}H=)4gq46C8g49g`T&=}d1t=eLk3)tNp-VbFf*`&6rYHyB#jI*=ATs(0{ON%T& zRcurg@uW(!QjpYmce;jpdI3zHR$*>#+qrJG6;A6bGj{4991IO5(v{m=T59!frFNw# zF{|MS##l6mu{G-3K=|@0uo#%N;?GlO+ap7CVwA7s>H(}9cSb|Za*oyRj5W-?GI9#Z zvZkw@2N-lO{?g#mseb~ty$hZx)(j}G1B!wqT0CCIQiuNeds!n7kwDcm2opc#_@22s zOH>hq!eEW5g+)eDQLjGN^==#lkL4d?m#g-72x5)iClSvJFHArG>s9}Mg0%i)F2OfW ztKQDeuGfrrr0@B2Kwv|IgBJPfrKP0;0UD0ZTdE1lTiVjnm0Q^HKN0E)oncA+n1IzV z(!LfG6JzGrKE)l?iu%>n^(1R{F-B4;B~HCb`$6p(K7OV}Hi6O9QCM6_&wU)E->X*E z(!wJ4!-q@tg+ogmj~;A!MXjv~Ey zF>tuJ)ONZE$C9I+u9M)2!2Fd?Z3lccD54MINXrCdV;`cZd?&}y^ z`7!mJ+7|^Nu{}m8sdL6vG;Z5!Z+*8)b{EsxQBJXNBgJ0J2|;?PPWdp8NZ-_$#p`=n zr2~nkd192mZN#djrRC%aoVfOI>BQHsU;FsnFRK~RQBlm)EUpe~SII;V!>Ng2J z;*GjWMWz4J+uK{s)s||ji6t`&C;rh_Sa1tW)bkrIH-gSa2^0BVK7X1P(kOH28}o5~ z3n!;uxOoSMok{Y!*jMh&hYbrGV$ui_bw~P3{g`#AG`&81^UCI?Ls;mE>p6hGv1Wz> z7Qk{yjK$ycex*BNrRuVSLXEHOP*750dm!>HX$u6%FoY;7?x^rzIDPNm@gI?2U2jOO z;2aK8r1Du`u-+Qj41n7A7xBd7e}n*&Q^(;Rv~VA#sHo`N>`bfPZ>T2HT_NVUNL6pm z#>Q6au%JE>u;R3z+b+7ccW~Akd3WLFfnC5DFeW0@@)*pXmLyRJ@KayDeCh207_ZMY 
zVV}`cW5&xE@_@IvX5%xGNrjwY0mypLr@24J?)pRsrL=Rb1nJ(Odj_*%1DJ%^T7U#-SAzpXOqf zkIsk!Dxtud@lp{4zI`jzrzQQR=hrV1Qc{41MqF2(NuEMH>65!=Q&Lg@Y5YM-db!x| z-@jj)Mvzl5C*a3g8vGIl1um^*CE6c22(J`FNKii((%^rCtgM$X*gZVh8^SD=10j`V zdCXX~2`$~`;UVm3=BO0rKR$Z<`bvSy;VmjG3^#Y(nFzw~ zaS%^ZvrWN+hM*hy`T6yMG+Qp^N4uFv(x|C&Z&xeb><8Zoqn1`FMGfqCDc z``$uQock_th*6r1$hVi%)ayVrDL=1XaDagI#Vyu(GD7=cR)tats9Px?>|ax9zm@R6 zo=Sfx=Ix!5%IbatnkP^qI#@&%(>rTbK*zW`)|*jp=z+^PC&4q5TDnmgWHy1>cB zr2wSZuU~+A60edXNZ9*ULqM7h4L*4T^c6$R@Wc4M6UevIRsXGd^e^z^-nH!+w#Axo z`y~>Bd~&d6mX?u)AZ}i04YHe+rW4pY{LBbKjtZ-FFuw1d_ry|F<}~ zGUt(ZW0^{Vn^?@MNxm3s-)f~q4c`>d`5-`0ic5ddU=1_lr364(xV3|KV7ZgLm0!Zw zqLFDdwI#V&OP;e;LW_9%Ly-yehC;HPU<_2cW##4N13H}10=BP3E!)mtytsF82q6+~ zv_i79v@}pjR|&kUbglt=D)BesVtr>dj&0{@wyL8eU%j=N94~|+$ZUgSD@s5zIO=;F zQer>cxi$=Ol!BtSC-AFMPwpB@pGl#X{Ii%U1Q3CnJyN*Ozt#DXi%_?(jMc-xCJwhE zWMNvt5;F30iE1Uo^MW*U=Je@kIU^Yvd_thfSyVFY92_ckCZp8THyat_^!M;yI>%a? zo72-4j6r3I?da?4OIMzQtOg%tWMGJlimLPGCAoRgcw;Csa^FC3qcZd|T{H)*IdQ1r zVvi4MsQZ5Z{@vf-(ml!IBatvl_K=^-uzVYcgySSgWTfH4bm=T`L{Y$^R>ePR(C5k~ zKLh1xMn;=nc9AA~YL}p}aEmon-&XNd?3$CXd!_b=WsSJ|KGT*vH=i-$gY@w3!_3>E zB^n9}KoX{wmgK*$1^X@~UjO7I9Lsl&I|K(3mSCPu=|K@o}RsxYdx2tXa?x z2XVTT&eG}YGgc%;S55YN?)qXS@ncEJdS=IQXLkpOO&~zGb`sSQ&xh9%;|72JTy3>< z4{>W%r!jjd!ovehvT7h^X|TNd4TeXSAw)V+4~9q`(wNtDRUjZLGIG_WoIPBoY+!0F zy<*@Za_u6~66QEyK;hn7Sbf0gUO6;kl?N4iLBVVBcvaSdT>;$Zp7mqcV`;~256}a1 zsQN(#uvu5HUIjW^Z|HT+Na^Ml4x)cthOY_!LXhQe0kt>Ju}{!3C`Z zm|ezDo(vd+xyJj|3GqDh>w89LIeKZPGYS6P-rnx1*v$X(g@G1Wn!nNr5XZ`HZU>O2 z>Rv+rs5llD_Uk=d_ZAAV0qvrDtZvlPfDGm~s0D03=jE+K=%!Q`M!w-1J>@~e=ui3IMUKOn6bq887LiW2wq2HOmG2>%nV`k=u9g;MmVPPN$IG3aSCDuCQ z4&VFi?(K1)%eHHY<;{#i?7SH5KUzz5o{*fJ9Qz>D=TPm+0W}R| zSplRJJ{}&(>Xyd&@TqsLZR?O>^YZg!gq>F*wLw}u8r-TVY`S_QsG+vDc4)tK=vplf z5|)eIDpx(O*dW~a8UrH;vR7)qwUyPQgbtuDE%iY-xL5#R7k9Kjg|ge6$ATsVRAftA zTZT{L%)J9oSATB`Pe$xA%IF6VAxwwFg9F}r~e zaX=eUU=IBm0JWG*lVR?Nl@rhyzZZ#y!mZ(l)$2Gg6^AKq{u2rBU({UxvHH35WP^JK zL6ns}{}fyi$6TH6^H^C1`8d&sDA71eYx(bg2 zV9wm<$|ah*2dZ>9FP*)7{`Jm|bLoPx%q%SMM97N91&$T% 
z?Cbz;E`XQ`yqFFr6Ezi{7bH4i>OiNba3dg}flSb?eIEHXXN2$lcP~Iq8giWUJUeGV z>RoXvgOV~m-9KMhA^F$N+SHnb`qtioVQw*?$o%|JAHCz`y0vQxdI&8bZ;NNkbf3-Cm?ZJg;a%o=^e&^-)Vz< zoS^K@Z#BgCt^o;z(s6x48dl1U8#kKW@_;D%8y#t4nA^8NN=jO2F+f2>qiy5aWs(k3 zgG54<#}{PT>i0KU#!s5;M)~S>5f)q#z*f=8PB@gpeFeUgj{Iq1AH;jYEB@bKxM~hT zV6}PHhN2BBo8ksOX4Xy+@>cmOot~*n6OO0%kJnr1b(iu+eWHqi5_{9fk307F_a$f? zfnR?oMMvcOs!k8Pp8zabjq&Xao2OOg^MWElQUJz)Qo@_lds)RPBEl9O)u^A6oUFTK z_O8{?OTxcz0a!oOd$}Y_kQ*L9j_)vDcR2u$g4@`4e?aiv->$>(>kG0BENO#uurY-n zU}CAKJJ{F+`!qE-*JV<_N(Oky6`@awHG_$gmL?njXjz!X7X`)9d+EeSNlx*t%0E!G zO_R=tps38xe@RLL5@DC@6?fHv#T>a`KfcSJX!GF?Y?( zz5oL#D=!}&8X6(X5IeQtP^z9D8xcXsHDG)jC<6ilf*d-%#~NB%=}OF*TBYCD$~tHC zacj%N{}8X$)K|kAj>UNrJTK|Q*||9l&2vJul)&GY&JDXU+*TxyZ_(; zKs#5x+Y~G;EWpFmfB*h-Chw8a;PrJEH-4%L*Bu*}Lcnr@Xlo^FU@+0ravt9$7b`3( z3Sq`8>Exz@L~7S@xy1ScMrrke%&*QQA6?<9){oJB-Zn}12?%WOnjpC(>`1L5&NoBp zL!<)TobPN1i z4PjB4_1aiQgh|o$=KpAHYy|bL?rASs>{PhlZ_va>;zSR(pRVA3?VMRXP3iyLj28o3 z>ZUmzk+mSKksy&EpQIC>55MQUs1s~oWBpOryy>4i64B;DLgq&wA)C@QTNlBSN8-a2 zBz1{U<~ukd;3;&g5C-x^$Vw;v)aP0lEZ6A$+F|@^V?z&A{d|j8S~kU08j>ubO-ju9 zt2dX0<5~@u1kDV>IkX*02Vk-Qotir1okf0Oz8o9oN-q0{=kjv?IkR3}{bGD;>ZE5i zkzP!B+7J-Q4;$=g-=JtAu7dCo(s}TOzdD?@jA|cMPZfBWf~fwan;k6FBiv0Fhw(%rlxcLv?vS@4-X6oz|-2R zd#aF3QhLZ5{R>Y11B2s<38*V+)c>6aB=$~J0+83OhJJp2Yh*KKb*!>`elNoaoZaZ-+Mh^7GoaA|jy-_mByB}n~)YEuGi$tUw zmS@6k^5muPpJz6v-lR>)$q9DTP*YP=QleWN#{DKz7{Ov^$lX1IBJr1ifE5|eFWe4g z9jv^l*0AP@S6R*aTz`B}ZbF2|k6$WKA_3%*`HJw4j>qZB8j6ZFzn`Q5=&v01XY&;Zyu6czO`Ixw#V*NDps~I9EUr$jAr~t-R|cQl*-%4Azttr|ux5 zG4NghRO!Q(^HsZXplT};+i6b5PStU|M22+}!2D%e{=twpD(TA?-mljXjTWQ$EvIEm$cy`qIWE2!OBKwhVKtPR5&DX z|Gx?5XDgWCOyAlq-iWBE5LYRn2(J}M;QcRo&HfSh{DXt-QCN6*lETerLWOyGRKiYK zX=(Gj8*^T4raYSLJ%yDA=25K$hY28Lg8B%vFklQ%ffD(~&++o!e$6#aeoqfxfzuCYJ#qc0Prsn-{e+p_2Y!84jV`Fd!oj&$HEUh>dm|;h4idPF*Ro=Ew znHn2A0f`K7rF{x~QB?K!X$eOfCm}M^eS*rEUQ*f}=$l0rA`AzxnV`E>>AdrKQT0(e z5!l%3&11+m@6R`Q_T&lB@ra3u%><~R#z#Jv0UuGt@75)*T&HdLow1qb|MIUv(F&f;gCo1UJ%YL~#fNr%&J@)OHFk9BH=I 
z6dW)hxM)z++&X}ZD5!)7M;*vWf+r9o=V1A^e#{wEeEtB%WF^ejBB}h`ic`hGf@N;z z*vfXWMi}uQ07@ol%X#_Nj2!^TYJ9H=3A`i+;DlikbqND_+@icWw+^O>h=?l%^9H@A z8le)6kG~$TA&$ycO{=VoV|%mp$FV6&OL6(~F#jTX<#ye3+%vDJ8@_$}_T$I9V-!8V zxXAFSP9to5YY*&*KU#EO3IyPvJOREr5V?$vjlF`1s6jm1dk1u%U*8ba{?`Qm+1ek2 zOF~X=dYi&a{PAD4KjhLFx%Sr92ghtNIXO8oVf$LKrrhtxP(VGv^8%?BUX<~(zgbT1 zFA*X|_ZL;%JOQu`l4L>Yds!7G67chRUI=cUpmQv+_Wx%LQ17+}5l6t28!qKeG9W`x zQu?82y&}b89c#^{N?x@V(-Y+NJ*FNvK>Bhjv9vMSw(t^V82jV*!}x z?Cc!HrYWa(&Xl?B71Zfn{{)&c$6$v=p^B1HKR``aSJxPxEN+0m^BS>JYt&(T+Mr;o zsbL!$8eY4Phb`Nxt=&m;1ksbs(Z1h zXKrBH^*xPWU9cK767E}gSWkh`^buGzWi&KNkRvct7*QvjI?xcT z?9_oQq0%da@Cn+W-d9q9U3sG(p0$IMy6fw|I@UK!IwZr1H`8eRB><)kSZLd{fHi?D z;;md#-}vw0yL1GvLix!0CDJ>|pUN~SF+WjPk8IReT?cJFtB?m!x7jmo6&1k8J!PYE z;!qVd>eGI*6D-fl${K$Rz?eBSN0qgjx!3r%Ays+FStpj+^{WwmFH6jtj6$#a zqIDzpCowa6Hi0|)#Jaeu$p9855*{Zjy)h+@tDB!^WrNZIfGz-kzq%Z!w)m>VsE*{Vkxw*MP z>``P6?ds|>dyCEttRI7yMy%jYc&>+C6&R? zz#0bFzM`VS*VosKR|W-3C{Y38bM_suU_p=;4}ux!9FlduYi@%zB~6*dv~2vU6rkNv zwSIinY5ilj#qj~N?D1pWe03Ekrjr!@hPt}fW8|hnp)z?dO`q!RugeIywf7~f=!z5_ zXgIH;Nmc6H1!1IcXMoc&O$jM~?SrC)7XWvsHI$T;{QRll&<{g{|3|#r&Z-FYdIkpv z*QFYkquUM7de=aH5x*djU~OiWmYK-`(U!YO$Pch({HgGI9nLK6U?*YreWtav4MzNn zP=D}naaD^)o9k+m7p#;<17ie`y5JpQ<}L6`#m16#OZuW-q|X3o=Z<(QkpSxz48Xl$ z^1B@*#p>u&TwE;6P-FO%%?E&aU5#o#U;yQs?QJK{%XCn;G49tt3F65B{7gt1@6z_uF7~ z0C$b!(qL<>jPg;4m-iKo&$&$GC$!4UhWMj;FpV|nMj&0!${WnsxioGNQfewG^`;`Ta_RQbEf8SX~fL7001++z&fj!d= z8m4Q<)q@(zV3*AXRLW+&&1?I?TJ{cT)|6TUR)Lq}f@(&UU%nWEZ6<9hcN<4OQNg)A z2+)2)hmZDoHuqJsLOW%5j~^50`te(r&pTJX866yG+9FI}hQU*5$Y#k70no>Mn3=H? 
zjF7dV3NOr4qpDbU#?@-L8Yaym+a~S+HV%_~byf8Y;VC_t@7++-2VWr!tOuI%&6_t| z5iP+SnG#SjOG;wd-lFI*VQJbkbcR+KGNzR@a?aQ+KU5LgTQSd&LF35_FC= zddLgW*r62aQ8KY%=XQ}~C6h)!vJ<5PXf#?>P>{kG)m!e%Lh?=}S1w6o|1fcWgh-5H z{?dG94JiZp_<=s*+%=s_aj*+@o`_i-apRc3zZiV3;)Ie>07j1O-1So|jc5nP1{prX%v$4WnAd zYIoYyvirJTajb~j;45s)jlo=dC`Cb`Pf3xUM$*b`${+yuEf{7t5&PES9oQM#*nl6M z-O>JiF@z{k3osq67GVvP-)6CY*#e){g^vVDea^|TDgFRqtC|jIQ&(5bvlP~WFS-xI z)zW0pkZB!R8k#Wv0RixI*psOZR!A+k7_i`^cI8x6n{$tzi4NQK zm82z%kyBAqEAAH&03*49fx&#wHSjZGX|xwvf#>^WVm}C`zu>K(())a8SVVkKdB5a0 zGfKfA>(#e_p7Xj2)B+Dr{@qic^uGEa@(0WWj|@@aAi{b7ufCW+rW}ivAyr)D&Rr%F zyhe{OR{GA)nLKo+T(BJ}F zs2ZwXo`FS^pxDA=}(I6|G8oP6^cHyC+@57s+rT$k_0 zORHB&2%kWfIsYo9h{OWlCue3t;R`Nco|hof0dW$+ZPaaBD-4wqP+Y00em=cNnZ5vX zN4&^Iw})SXFh|R*WImb#R{xOoLBId7^7@?F86#)J72zC{f)SvNVhaCKwH6#($S zzyR1*van_-yV+mK&!0a(_7Ov7XOxQu>qN5B?EcQ$^E;jkKYM$nP*}5q!otF&r1}Y) z$H%b!5ueYlg@eU2Liry#HuJaw{vNWI7lJcbv#HC`jGN% zr`n*P0y>&jPhev*%F@BX0Sdaz9u`>*FhL&f?*KVxe0z4o#djKN5?E7qcI(h6Gpa-X zDIkD=b{6_==I8gJ)#{jRKfdzZ+>onnV=I6lz(@nRa0_~{;FF^jy!h+jx8|(@%?6%( zp(gz(@f1IMCUac-)QZ!f$B~NFt|nYSF0%PXfGVk=uHF>Z z_s7Sb&SQ{+ogW^)R&PyJf8pZAIXgk1@&79Qs%@c$aCb+4*lY@AG281(Re8c3+NiHy zTmbiebAi&bjPUG97Z(@z^#mG1=y?c|s@364dlc0IK#RO^qt^1>M}7n&@KQ#^H&*ZB$D_xFtBuBab!eS zSAE3FG*U7;>VyLa-kd?Mkd^X>W5;v)7cbSgxHv$2rpzyW_>cWahPi5GfLm6DEx97# zW`Z7xeL1l`lAdm*=Q4f{H9C9xB{0&U8_)NZW46G>_>39T#(=%0Dt?`S_g&v(A3&hF?ZLPKvJaP?R$F{5HF9r#6p@Qf59?>svhKh zs1%drVt{i6l{-*)^(-av*^^)|yH>GeaI132k~hjLOpcXoZgCMEADpU^$;-!=DQ9 zK%!q;)PPn4z!Luc{si7*u$oK--4IV#AW*-evP&KBMZwz z?#;@bh~<_Ac|47{x5*n{7!S8R5;Y4vFGdcUInwOJ;U^c33pA%}3cD|F6bscf&a8+( z$&dDTI*CxL&vV}b0%OAvGp4;C?6WJ!lXc{OFrT^69Vt%c#AomX<8X*=UpL${q_&IU z{baZj?VG&v+@lvGv>d|I`e>uSqr@`WKwCagi)!0jES9>os4b<|_Qba@LEF^mC+&_B zndRJ@ex21}`IF$@A&Gu3%aQs!fm`UiySqs-&O~gcO8IgRD(~F`*WU-^olnWTToe!D zqWuUeD_c9iuxFp`^OdqJ=sB7R{6$YjTQYDYh>88`vS|G5ez}5T8jq0Z!Xdtv+Nr2V zmv2y29~g;^6>Dqn72cS?BClrRMKo4&Fr)JVL(QW6Xi129dE#0s@ zii7iQ819i*uHbF84f%v;kM0tW$YWvHSGzP)R4m)P4*Oqh6(Gh)R 
z539XaB~vZ%rukBMp+5bnq>yD>-}5*hn#2~f_1Q{S?pqsY%41+;f%ymbwpZo9yIZ?# zBvtlXUi)@WMtbSKigNb5h$#8*Vf#Hc?LCD@D{ zD;TzU^4^<4v&yU6jf`T4awaDGt74VcP6{5C9>TZbitPt~u`?~6n)5T&(EJuGv|1%| ze|9u@)rFQzZ1-)6zTZxVk&l#yVS9^Q+h7HAZ0ESE^jGaCIbAtVv4Jbism>4S4-Qo` z#CGR*OXsb#iYw8|`9_TbvqhEVArYe zC21qK13mQnEDtA-ZYq$c+DU}0CGTJxr#Gl+rDgr){rAtv$kVKyhPxVZM1xSB}KDiY1UB}OL zolN6;B#oQlWOtYB=*2Xyuw z`>#27)_dz3O)DGdwu9E{RSy&^4@iajZMd_zUa35Vx31-eFia_$roZy(m3JOhskF=- zT0F{Le*XYv^3=Jt=dcfMMk@nr!wjx)9>nC}&O%kHEW1mUx0UA}M*d7^=%G2svFt0Q zq8wCMKsuey1B=IhXir`jzx}{vg|i@lMPbg@_gArHQ+&ig928Vnz9bAGOH+F%lcs!k zqxKj7oG}M=NOT1cH(}A?(czBPJ=ahnxr0rW$w;xm-P)sI=v=VWde|--*0uP=R@CW87scNq#hE)H5`2SnpBM)VHxcoH%MO z6gKaMUyBb@?WX-qcimG%OKliLp;+!u+nV68K5Jl1TjoD6tYjXK7`2Ywa5N9};1S`D z*t*StCYWp8gsLb{^X67;Jll4Yh{())mgXR6DT`wAxT32kkeY2^n|cIHth%{dV=2X0)#0fK#$WjY~RC|Bcd zSQO(e9?{j!qYc$QvGD=M8`Q+*gNm@GyW<|b5^HUd#p9t%5(jlCu3{$~DCq?PL5zBo4>?jwVPq&$hH5Run+wG=urJc?~7% z!a{gxXWa@aR#$jl|4mjtMvcuJie6ky=~4ZL$8G{Fb{}Iy+N^i6dv5u0mPT9UXALyn z4jw^{c{&zere<(zRKW6#yUm7n#m(p-E5~=svk$jALO0?xT)ZO`qoDe`da^#0Ra1H!My|c26`D!u>nfxmX(I4&tp`tS!`1W zI2?2pzvDIluuHzIvYKp(Al+P;p7yC913TQ$CU7*9N;TR+aoKA4vg+C%84FO+d(XkU z{WoWl#-L!#%=9!ADf4rG?|(pRX|b6>^LCSI4?h)wu2y@bKut}Jdu3c}d-vgAZKF_p zpz>B(5X93P3tZ9zjU;Ga^{e~Y-{1e^hZR8nJJ;@@jM}0Jw~kSudb;Qz(>e5J{sqFI zgP&{*{kyL(Ji4;D*jZ2SQ)(*MXxvu(wBNhG0W5UIw?_)v7vKPQ4;U70ZP!LgZ`WIA zmaXFL36kJFQBneZw5#2c^Kvg8RXw3HIJ8r5-0HkiIn*x54CnFV!0ftKeE%-7X@6`E z%!9GOW%Aq4D*ZurhS{J-IOY%TbqWLkwQi=yHu4adhERfT4U||ht^4buEwxl0`GgtO6;*lCMHe# zT+YJOw7*LoIZ9n;ZHg<_VwSR~;vysUZU_kq_8Nd^T=jWQS()oYe?nTW2wCvsyDWl# z(`^$QBjlJf7cn1q+^9Vji)qv6(yDZiaXXmLZ6|`lYk$Gg1GBej{<3O$JVbu6uTVZ& z>2Tgi%(ip@I{v|yHxHOsJRY2+KyYgB{tQ1hJVRSQw0M@m-V(<fpuuDJ=1#ySN6Xq1TK~xSd;zP>X znX7J^GLG-15js>?*3FeU@G0gXhKm#%ed7eue}oq@vsUuPZe{a@EPX-iBP9!k$Ty)b z`7eBkBB;c|%Ug|>YRP?kq=J~OO-PuZtSVPsyZ|Z?^PMk7`Q0zhxI|=pEf6nH9KXmu zLS{-*NAcu-#B46sYeXYrX8Z(UqF*74&6;XDF7jh{3DbDfJ~^0!nM)ly$ z+r^+0-JnEys;hjNdSCKlXhK0FzQXh)H{Pi(<*(SDHFf;3S#Y>Ft*8Cg{3`gt{PibN 
zb@t;k5eagh;sA;Dd2R)4w1M~JjG~45Xu?;OVwtLAWA1QT=GLd5md?<%6?kL+WKZ-=HT%B}qg|FXg_S7jrsNPle4whn;YzEa(XrBrbW52Ht>kR_IgvRhx^G9d-5N`Q}fT*MRv!{pp@RnD305xKF1!+W@6TjW_+S zRbr)!a?x5Rv=+awQHhokAa~Mq;v`dK@2{_|`0u}+5%X;Sa2iof(}|Eny)jeZZiWlU z{kKIhTbN6OWC+0)lzuwQ{R#Tjg`m5ZmO{72i6l$J)ihfbjQMgq{fooH-L#1> zKR7a7TGWe_?&S9rQ;=pRY4Uc>;55gUoiyv>V z-w8Y#deYvP6g$9H!m+kNFx_FH+a3k_1D$WL3rg#M0j{%R@RTMu0$o~ z0SiY(#gHzOhu~e6mye5%9_N?K>;ZzM^iTi#Q{a%2I`6{((v?BWj*bR9+u-ltDUX=I z8b(Ld_+{uEf?WF0IYZ|$kAdAJ;6jeY))vFH^>sUGX*>)IGxM7ZAoY`xk~U7P9v-@H zcEi3rjfdjU8JyLgF|y(Won>mR(C+f5cTB7Y_?-ZMf4~w38-}?%;6NSZb&54QlDQ0) zKQ!8~(*Z#Ud-L+cKYX}M8yOSx@WBILA0No!@3+`urvw7#K-uKrurxCpcRmEJ4z>)i zDD3m@%SFK^1t9q*-HCs6^2`|yc6Jv@*oy$j9*}}BCgCDyNut7LV0RVJ$AQ2BZSfac z5w^HEZb5tkE!TfU%Hd%hFY%F@V(5vIWza|(1{%Tu_*o zDk#F5j~snpkMLU<8iEq&eGmmYIwRw;HAWPD9l7JV>=qjv8Tq@nw*igW%DxnYH4E_d zy~)bj(%gK5wm{Nrtmx}kCgml!JB_6jHK!jkbP6UxXN5y)3~BB|uKDj@ux9KxZ>}t2 zR=R<>n%UTe=LiSS)f0$MXka_lIoX7cw8787&6t`^a!W#U+|}a^xN2{3cB8>;TCQ?Q;(;_-n_h_8@RY_%*tTqLDlg>OARFE6jCh<{Tn7^i-0Wm#D4 z)~)O=f5h|BxQ)P$L*TD4_po61xwwpdv)Q?=zzwj1ZXN`Ib2{_kjxUJs$x2{|y`P5b z%I~U<@f9n>nx8ee5mR4Rcgo@;aZvLF2=1vKdY2GXdy?$MkM!X@yg!RkwCDQo7-_Pr zc(POBcv@N=Z!9Bx3`<6j4eOWwY!dd@u>Zhy>f=3JR(kV>KDZ~nD38~6rHCS-zfK#D znHU{H$5aY1_F}#CIWI$lILKPiiJCD7a!#oO?2NMbJ3kdbT52gSa*LR$lV!E$NP%#z z%dwfU&&cO%_H9AEB>p2mo!b;V6c?JUX}K<+2gj<$014vCbh2r^#VL6p|L4|^HiA0A zdzrA+N?RLvRHhdf4R5ewagbNnf9PX(f6|96^1r{X!Hv%1vs-PaNzY4F`Q7CwVQ}Bw z>FKlemaahN)f%;`*_sMl-&7W_8P|KzX=IeGTK4?V_Klw(?DFLeovg24L%Rf64zW%~ zMvRnYwo?Hh0xCYcO>y83&v6(AL;2EAWr=NHRJ(#9AW*-dMU3AedK{0VLe(kPW>sai z^x}dXpL6Gtt_-PRE*<=09VYpp>%*=>K!Co`#6wOpkC5fJ4@KiA z=eTVQtZJv~)pO8c&Un~PoFcsNw%mQYI^r^63z|wQl<@I=_w5Xyj~*fpB=Z+qrOp=f z?Yij9^AP5H8HiKM zFk9?|_KuFw4tc!Cl18rpV&+l3fYFsJXwN&q?D)w)-D{(#-gS-i`OZOSbSU05m@il2 z^YtJqQ7rVn%D6X8)4PMB<<0%p;y3%tJ~2Yf_%$r}9!=Ka7ZUy(j1Z#OyCX_|H-#bqa8E-$Q}Y00-=Z16!!21&{HYd7SjzV*K%22IkYk?8(hY zw$HL0MfjVqC0?CA;2hf|aG9$-7(BF=Ge#L->SN~S+}v#p%xHSC42z}u_B>^QoDFP3 zv1Bg)vg*grpE)IlPEP#b#)fS_?vlRp@fY?XXuDSj( 
z>ImA5OTq3NPo9tx!ko+gKU1Cl{>r^v|Nq_cJeCE& z(l1triHV5t0Gl0KB^f&&YcV{q?fjhR$I!qp3_5xcU#Vi3y6gGbwC##hdP{(ZGu_A+ zWz_@D>jCGYV%Zsz9tJPl|K{c!vzAR0&sEL?p4reS{TjGgZE4U)oBg2Dv7n~1Z%Rkb z%XH0u2A*ZV7OU_7fL@|@x;$FG?9VCWGPR)Q46rD>(MDW}2Ws?nfVaEh^9HzZ{Gs3d XjgcvY!L1y);e)}`)z4*}Q$iB}NjF@C literal 0 HcmV?d00001 
diff --git a/packages/trend_micro_vision_one/img/trend-micro-vision-one-console.png b/packages/trend_micro_vision_one/img/trend-micro-vision-one-console.png new file mode 100644 index 0000000000000000000000000000000000000000..901c0c133d301b44a7355358ff6091c3b5831268 GIT binary patch literal 25056 zcma&NV|ZQ9_ddLXHnxq%PGj4R?Z&o^#ZYgd8 z04X3NE~4g{bDHasf;s=Mr=p$upoQmvr6wel@*u}WGMFX;K1vV`N)c@k+ zh*6#&rZRj8wo^t;)ZuxVaUc??7mcKd2$~x{!l{YdvyHaq_6qx7x}n0Tf!K^XH4F#< zyZpy|9W)&JuHx{)O{DlwkQ@B46Q%?lbg+<2u}_$pc9_wl@4G-w^oEC3Ft{JZ2q?G! z0v4S@IzbB4z}5BEkg?woW!Nd85mp5JyK_FAB`36qy=EYFqBL;!Dq-BVnzaGm}5=&_-jH$Rk zM(SR}%U{(|)4+JlNy;PZIcFCeNf<~CPU^9cP&1ApjM0=u3X5s47EK5zNi(ytv9aUK z{zerY7uQvS{zSd?@FFKCr>d%Y@z(~qhb3m+-r@1L8l4yaMn1#(dLK)S8eMFBJPv#) zP1HYjyGEVyu`&C!O9cn+@j8XF`hx#T&zU>St0^%D{~aaNzMqPYn(yBAUWFz?6v9+9 zE54tH52qRX&>Tjb{h!3|fo8CLD_@#-WdqC#qm7|f0`7X*Yz|^E8?$`R58aDqJku9B zaBvU&+h4k;@29wYaJvZ*-xNBh+^n>{!Loyp<}!W}Gaiy* zTti)*(V)X~JdKfF;}2@2xPLbZK+~6*Z@6uO+tD^)>gGk1)>miUoln!^J->(YIOCMI z5=B?vf8m6Qotn%510WvJk9L1caJ7>mJHG^g;aX1B*!)jrt)<07gojb+$T_5V9Y04* zT_AvAC5`a$EpqOx2HlDDSVM9slT>*Uv2i+RJoxb+c1a8l3mWIyyS|D)_>T`uh9J6!Qh`RvN5kOXc$g1<1&@ z$gaptwKYmq%*@TB2DcObE2yn{#MszrnVDYoA=0w4V`o+5=#ji`$8(J~nrUVa=j$&w z(?Y74p+7%*+)T>V@NwbR*Mu3w=*hQDiaW|SUaI}x`Z!we8!Hw8AdrGqRz=P1Ghp{k zB_m>-o(4IGJUS*`RgN)qNJj{uP+w7)a3~R);DY6ejudJ<{?`}GNS}q2my2I*wj$v4 z-rfw)>AU2-YXS8vet@I-$QX)+jSc)%NveQ{hX4Zevrw}PRj^t-!+HZDJ>`cunLk== zzZY|sTA^1_)6v$~Qb7htk?eBqlpvHfEGovj@p1bOO_D|TGG;OY zD!uDi#Bz`U%lKu`d*scBpZ{dI!-b%x;AJEZOzBS}naUDi>O?*5dM7nd?V6&o z;;1_yV^=7KD}RA);N6YsNh^)B(2C$kZ;w;XH!7F*_3q_Z`0KxYPI?9g8$nPoO%5Rc z^R?ENmX^_E>gi0jVFSZi~ z)qkH~sV`1WH5YJPRNG5FYIalQkd?J&Ij6tjwgxQgR$6qNj`B4eo>c1C4HO@#GQS;+ zX3*xFj}q;ecVJ@B;j!#6p072-i5Z~J<@nhwKk$o%1XTa)!}#&p@4Va zsGmUK^Z~PB*Xs`yL7>mxJ=utLivz0>*ya|fM)dfk5U=p9ijHX)5Z|h`9@DUKm!up} zOH~7eGYo!=+%=Sl5+#xr=negZ2c+fYr>2>q)riMjGDmE_Qdksc!&h-zNl&rBR@-b7 ztO?_VjgF0>!$Lc^<{06Y&EnzVX=`eR8)?bNL@wLf|LJ$Am}JBruQBRhX|ikge|u)s 
zZE`(d^E#d@pP!#c`h=SgwpD>`_EZS)@UPupGjo>JK$n9?RYlwY5OT9-;HBXt(qSOFfe*Yn|C62fX)^s}J8in^|*`nxfxrDI^K zJBQo*(AeKk|LkWiQLN;S$vD^iLMHrl^-ewFxL$jfc+~RmC^47MC`vO=C8eQkLu> zP5?{8Nj9^Prd9&T<6Luop2J-Aj>c`I&`^PpTitPQbMZ;$?PmP<@82g(#7mCLmZlH` zWaXglnjVrgo_YZ-i03ASjmtfP`aFNP`w)ZBU~`M=w1vz|Bm~K3;@7!TI6wI7>aOlP zEju?meTmU}0h5@aOOpe|a{xRh`@>xw~J}7>w$C^^ND~DmGkBDx7CzO z48fd*-MhPXrgVbyFzfFk_nhY3^z6Io0iQNF0|6 zD$`iWFED{PxM%OWL?~-S|4i8NN81leIW`;S9!Um8j-dL^+`C_|$J3b&{XgCwEG9Cp z?iLLlmTHWiZ;v=yCR5u3hTead3so*I68+;k(fN4u31sJcas3gaNM`=_ zxILMPrM1ul(Yd|tQzApiD!-cLG+X@c2iMF~A(Qomf>TxEoaP4e^>*v97D_OWcRT$n zpMsG-pJ}8|oczu_>lWURwg&a@Qv#aoF1j{lQwB*JB_D@PqZQRj+D2$%r7=uZ9-zXm zy}i9Jk};^T&=fM}rlv6@LK`P{8?BLaRjLLC$iUs*9W%3TqyJ**FpN;E&B=bHjo|rJ zHKmWc{c5er$^E*IB&VWQry1xupEKaA$)##_XSd%&9P3&5IbV&#!+B-Bf!E8?6j^n^ zrI|v;Y6jc+K;in!{b|ZL+k)M4hu!?g_O$1C zc>WG|xf&fNJVejML$o+~qVzx=!>|+KuvOy--~IfRB#<&m_St=n)z=!22f6(5%Egz+*i{ds-~NwHn!Kg_nWd>s_)ni(E6Lq&}WUk z85KT%0y!+6h~3G~gqZ0{Q6y|7ZYjHTdvAScK+X-6u+zV~+e*i4wh7$Z+ITP`5dz}j zaIv7uxnk3Z!LI;K<=0`V{a?4rS6_W>O)X1GkAiW+ZTTCAy3S%RFIgngWujliW{yl? 
zm@)HteK)g9#?z~G+#IL#mVOcBjA<1qcLhvO@fSI5c)XbJ;>JoAE$_4AgR2>d4Djc$ zqDwI~^KT2~-X~9syw;{UOZJ5=FpRQf_(Ss*KlYQPN#>v>JEW4N$)NfU2XXd|Lfn!i zJASk^L%`+?th3GW$w_@(9Wo)<3Zh4vo~<+HBu3yF6pxF?I|E>CqUY%sU8Y)AgYeTGN=#nE=aou>SFv zi2ycbpN%iNg0UdhbZsBM9YyT4LQr>LF56gV;F%lm!0i`6E>^-piNlTT`X~|{vRPNx8Q+@8^rSZr>m#FXYeva>P zpUz*L*XBL;AY}T0%M~M3bSt;al{-#VPpVw44iQP9v^fQ%{~1x{d}d!r>@yCWsCP)Y zg6|X0$zA1=Q;BvvBF_OKt7}b{JWl$gLQtK=35CsGWb6~CzMGkOKDCMKQqYgRg86o4 zk|lLh5|EhH&{<)mRiXE2`dj)H&5K969#q=IR2)kAP2u|In0hb!%E=H>vS3n(SZ4G{ zV-pjZBt%3rd`*^~Tn$DrY=a9yNBEnOg{T=$gO@Bs3)hC2sl{1&&I^Un#^Rg zSoou@-{wjta~*%Sr#hSVJAMO%I9g4ko>US#IPR6PXuzx)nZxk}0))-TV(*C7J475}V)zoS?8W6Yx>~z1*WrnBfNqVJ~?^F_Ny-D6DS<1e-=@pQv^rrcAnl_I^Re9Fre$*G=wfc5X zFK~a#%V+wUL1Xrii1+;Zs)~k}iz=1+qinV|W7sW>WWjlNb5F?5x0g~T&C~DKP8~(1 zU)#kV>%~Luey->BotX^Uijbr3k2Ps=@qzR8cBy#cPN$tAFtCK|`6&?{6%_?+jwTkF zeUH7=7{2pdjW;}Eb;jMV(r&O7X$U#}Tlq0TiviJQx6Y+#SM{ft-H2as+Q(|*u{qDr zXYfy_Pjw#83Kbm`8h4PylPrWBo8G(g#VB{tc*JHXdV zQ~Xsjug1+h*y#jaI;RKCLSgmA0o2m8dp&Al=-bae8#uTjqk(_nT%5pfGFpuvn$^dberql(RPoEg(Fu0=ve`t-E4yn_J>Vljzpp?+>TpJLCT?OH8)K{L(WR>ODOL@5L!P#DjDv(s!JM^R{g<;He60EQ`!)Y2!Ejrz-Zq!}N`_iPL`O>38(m040suA{NZ+DTd>`i(PYiXR9`i1l6?^IP9c<`o zUEg=dn&S&`<52+Iu)>V$jXnAg|NG14W+bAQrAQ3g8D5BB05%oO3;~gs8jMm!xR3x% z)Kay5wdFs(vZ*K}46M}Eq@6~NAt(|*4@7bK)v|%q^i)bplz0hozh}hLr+o`HrdRgY zI}Dinu8qorzeuYdvMk6wwCItqISyNYyQ1CgrkUxu-XGR?6Jl^9*Dl)MPE`_oL>aKF z^;+w|-ZcTItyZ(Wez*UdsHo`k-AQ_8=F@(07x!d*6s(WMs81kmNKEoBLTUs^;pg*+ z){kC5@2-bf00P=M#+4P7INg{9x5@u?#}Be4Xzqy&6_>;(9~83Z z{SLc@at^`}PC+fwz1s-R7`asJWLT09`BrwHVTagpxl!jQ)wxj ze`yZJd?RLp#_c)1E}M$-HahH6r+4&t9oW~;LFShM9QB4T>t*tdZYk4O_iX(T4Q_5h z>XdC&r3(mw5D{~5)aesBMVpf#wQlhqu5<(3bQ1vJGeA*b29_L?|H6EMnHX7rkhxQ( zQTCy1o#$Ga0Nv_J?6`WZ!XJB7Y46;p6UGv6plkKH7uLwqlTJuQTdVOZPz*Q^-B!Jt zEf!lG1U%m1XE)kjlujN5@JKh}HQB2#Fq_S#ap+bs`C7mqHNOpe3A#jLNtglH^{vHm z=a&;ceKesx+eqGQA9%QkVXP)Yh$Mo(U>`9Yd~l!EPeY#kEF29}0stl2fcdgG>&K8w zhjYI12DHz1&_Kw^2UmJQgfv88jAW>U@(~>n0ej0KqUE?7dvp6yMHP(=CG6_mPid;+ 
zBs_QWwE_?>{2T%6O4v^h;s1O|lwd>IvD)?MEBLWJ7!89=7!etX$7(#lchP}?hgYrv zS_sggOEqY9HtP>VqKT5FNV+>&G;DDcDgPH5Vo;B#W9KPmB=3p{;39UNcfMHQBfL;HB(sLXL~PYY*iTFp3x=A+zk~wS`=ElcAszvsf$V#^ zqD%w>O|PoT_PO3_I~fZRwq>ZUH|u&Y!ml9mBIUdcY&!ASbmlS(To%l=I|;Kp@PQ)X zX`Vq*U9j|>#gQUWQweO}#$qKG?_3DdPPK>Jo@BkkdV5-|Z^q$%kj*Gt{}Ctu*AJ~3 zHHP@P-wi|-Aumrm%`DA<`v?>d>nPznPD`;N;l<`}^A^n@qI&+;qcY*a!wXf@T!sMp zc2uFOf}QF9p_WWcw||2GgvCXpB!h8dpUOW&kV+JkCmf_ zMZz?!Z<%5+^(cVl{#8&--!N?&L&j#}{_hB`s@o^3nP1B7nWpMl(6#M9(+VKwZCEs= zomI4zt$smHWW@a9a58QryHdz)Bn^P>1{vz=65!+0VMhnF--1F`Km9Pl9olka&pWr@ z4EyegDUq6%#z`0(8;iuyDd=gB{2A}LsUEm2iUAPo@sc(g1a9A-tF{riCAc+=XP2Wib;fQ%a(FoDW< znEC!4*7}1~uP8L!HO-|D$Te;U-+Z2g4w8I5`}+qQT6`8| zi{M8_`#iM?0`q07;L@J4Hl|3#Ji4NG+>3c+X=O8!wE>tfZAjCg0}7q5GGI` zh3M%|rd9vK25T{-U0+`Z+)ECE-w8$V=gs>BbB6^;%^{4Q4LQ`K7eu;*8w&Cr8`8fn zgw)`Pt48Vn0U-j`0=BO_QK1X1+Q96(mzP)2vsK2L7-yT*-w)qa}!c4pZXI zi&cdM(M0<`j3^#jWMFX6s!>NUfBN8N&-sb5`9c-btX7Ljuf?(5cUdI(bq5YVkk6&! zy(k_EUijT+PY&w)V%Z@cfC)f+he$XP`WMhr>j26$!=?JWDuMc+1N^IAnEx}T1i`n# zv%W2k%j{3@unglm4BfJ0g^MQ;T7=C&plBJ6frA?1Fr{p)nq!ec)24Z>fd@?c!IdW% zbYi2S{bzT7^lmzGH`y*b-ySNb9uFz?fTw|%mzRQKw)Pj30TNKt5%}O_ z+;Umg6VxeHiGK3%P}LsVDJo7PusG`w%zwOB^(tQc5m~$>-&pb{7{|O@gp&J&a^1W` z%qKW4@Syi{f9A%kucM>m@BfY@buf{+{^hmX?-wc4v&$ zJbur&c>+G*V;M^%K{%=rM$*&MQ`m=>Fz%yVDC;}<^UFMK4~NdDdndz~gz2L)Ew6;Y z&u$Vf7+*sL>Fu^q3tIA=f*nb8k9M*oFYCON4xtK+WJ@NO z%tAO^K5yL(B3WXWo^|cVPU?Y4GvmNVl1Ykf4ug*4JY_?qAh5QK@3|it5;*+4j2jji z5n&l2g8TPSMX^!IVJ`%^IPe> z^=hNdu+v(JT)I6mj3Xgf{uC1xjgd6@E+2aBqoU(Z@UL0dU4fu(Ga(X_EU*RP52aGKc`8rf zrS%{Wf#Tnv>gxEI7|iIwpj)Gx{mCLL@6jYm`(}dvn#pV~3v+X0+=U`3ltgJYJ-wW) zEPPmYzsE}>;IAcnG&UnTe5j((n`=6gK6e}&ek=i(eMj}(n@I}~ORWOR$yJ@ws3--z zEHuy)E5Jo|dSJ&<@1fGk<`sXpsBd5>K?7anLw~2KzZyUlBw@jiws2jMWih4Hsq&~3 zrf(ODS9?h9HJ9NU)R@;L4YhyJhbhhYsq!`hs%#Zyv8e&Q|G``2lHh_vCP`UYIY^f@ zecX%Rz{;vzi$M~Vf}g*mxR`>C?Pekq{KvqD$iUE0o=|{6iHaA0-tDbx^q?_kHWqy7 zq&b4+{lI`Ym|BI0Z_r@`z_>b86s@Jupqi@&%YYP>1@Q}Zv`o_6k*jfSOF_XVmxVF| z_V`Mp4H2@Gjt)McrlCPaN$K}|R0dp$`IrZI*Ie%?8u-}GFWWo6Y(-RIv~d}Fy54M} 
zi8bfbW$^wP)ikU==d;eC_n2N9rb5uG>V#=Rhh!vauMIeVco7p5lZqqs5(@~p-0WR# zc5tY1i8a#JU`h`U4{u+$$CO~r>(NtHXg)%<{s>K?F2w!0>sbEvPa5`}G?Gw*8@1v0 z1T4z`iv_6mc>3ke!(%4Jr8&p#gLr5|%k3kWPsmabji-!kg?)3a`>|Nz5a5$p8zG!M zJh)}%MY*@nX)+Xlf!b(s(L2yG5jBRNs`vINcN4YvUgq{-z%HiG@BA%&olN9()vt=P zOuICOH9azH>V)piC_RzIN43u9klQC#5taVno&`;=t;Dz8j%24vqL^K7mUQ(#f8270 zT_N&J&|iZw9mY;L0W>Ip9|+!1$V9xZLos;1g84=ngV8wMxBuke;NTE&m~!|$n1-F? zvpJDYS&J)DH3wknXeD*L5UFJ>aF9oUbs3bag@GqMG}McqxJ2d1xm8q5 z3@s_T*JIP~8I@waiw z43@=c4V5!eb;sDRt9&*Kf55M@uI_94_?~ks1$yM{5d$M*E}Mk{ zDaJ_R7b#Evyg}pgiV7RBo+HQHxqIbl%c<++#mR*E=W?MR&7yU~MIc((~h+6+L`3mMmspdRF8(6LsYz! zm4~gH+9T?xun2Bc1hkMJsxP_o#K<0CDa6mwqyL%j5Y$6wDZJROS0xNt)ML>Na%f&1 zG-e&IgBJPAPK1sQ7O%jkv9xr=x;+X-!uaGQ*bq`uQc}o#7Bz#Ov((ool2E3QX@(|jH$3rGO4YtXS9{39AU8VPBU&qh9UA79msbUbku`B|=M*8fGpI4sH%4ufrRSh)}}fHLUG zPkg>jiAEJ*tvQuKf2%E|`^-cao$>lw!91BUf?9QP&^=i~aWtpXs8*;7C!}>XGxJKP zs$KrAi2HTx8b4~5Y+}BCcq)CV;3%O*T3?qD8{|Vg&f24xNNQR+XuIYX*09LPTUo&G$6h}i@2vW;s-(GUfP_4&Q%Q_EH~`Gd_(lDCUIG1a5aJb70|C)lszftj zTq{iK*jhzNZlb+#aMNfx^RuBLg*0M!*EG$nQp3j2&reho5|~?DJaKIs8v)KY#vANx^JhwfmZhj)4J&O+Efgww(3LgaicO z0IqZM=0z~`$LDe0;c}pmC>`?i@N%o413z^BxGTfwu1FJy>HYAB*uhwly4v~jHicS{ z4l3|yI(Z+Y9m%QlSCpE!(I%O+)eJYj#c{@S`~)FXG`znS>{Te_@^YM?<_r3**mBaR zHjls&j}+=?YtyEWSL=)SRaDb`MsV8`wU7IiBO}Zd&?xA=Qt!a*ZL%okK*#|B#Q56M zRRShn`XDVY|Bbx|c>Rm6`pc2F#t^!jfwoB~><+swXYy&T0>@xcPk;=-yeiVF1~PE zzyg1NN+6_}K}Ao0s1gdU<-d_wyapP!2G#xLf}WS1xsW~ls4RHlK_wS<0RVphS~w&y z9tuDu4}?@Aghegj*#tv%n|D$6KvW1J7+e4af&>N@AOXYzw*$k0(V)j?BvG%Ze?)!t zib2xTPC06HNDMxZz<3>esA!=Q`yUgoU1P*QZ^pRTmt!as$b~fckAx$Mcv_o#SDry% z`8OIL1B1kZih^zpg3bd-t#mfCAkxXQN(t_bIMOCB9-3{JuhR|vtsJ2Sod^N*>AbTm z&#uR9ghrjoohtyBu=&^xf6W#NGg*!WrxyrRDC5e$BCt=BrEFf+4|*cWDosvGTC?{6 zFT?@_hx+9Uj zmo3qbJ;vO;`(jjqudy02g}`Rb=GR!_s}%-fd|=LaZr@A-zGV6+fwtJb3`V#B9fCGR z=2Hg9><$i7mTWp^#}_~cP`~w>KzU48FOMq~R$_iX}*s!Okb12K<1pe*=*y#p5z5?_)S8on$Fg=it z52r$I)dl<#%g9@qy5Pt~*k7kMp9pyT1U=7ffr3Qp!%4Qshn~sL06>T=u zfF2V*^P9U%HgsB+vx^HD_`LtNtpdBZjnEGeYsAojln`4G*C(T~-No6Vm)vRAHH%!2 
z#v2L04$0s!Fj2t~l-(fEqerMH1iA>F7%=xZduJ$=c5Gvr%y)Kc$s(u+VJLsc@ z0(?&*xHtf?=YrgnMwVEs>=O3;*UgWOD&=EpVL={4f(ijZ-?zM%kgsEd9W^Zs=s80K07nW@ZsH`%f*f(YzwZ#lN%rrP z>=)1ToI2@}bQt$DFQ>J)z`+(6NO>dxzw>?n zAhmAO9eY#517p|;C^2Am+-~_0lz4gE`Rl*tF7W3vSA5&IWqJNGkX0}}b@vA-bYzbA zO01Y#d(5O310cnWexoQ`)I%_~WZU_A$CzZgmg)0niEAZ>nK4~#7tc>GoupfzOx#xk zj{{`TvQx#(_eD+9;j0iL?RUtl8I4Mv`I^BLvt^lNs!yVY>w%y!sR#e-ew<-rc0bp% zmwDD7j2 zBdCc-aUI8i{IYod)pAwPj4@_M>}OGa03QIXI{0*c&Y>coGz(Sf@;j@Y-;r?e*BCfd zI=O&sn8yO1C#NsuX&)W+_)c5T;+xOs0&<`se$EVi6(Q|d;ovD2_QdZBHFLuw+<&op zkN})tLuNn$&DctmHF05(&a~5egVJruZ!nt%wNQb2 zRF18q2SSfJZbxqc)$Hz>t>5*a-*;`s38o~g&Dz@Um-uViX8m)ba%wDI*yrT(R%@?I z;{7dsQ-=F3+sMM)$1gMmSpEOS^rR=Gt$#*{T8%Tbes${g2pB$E*{2zt{=ZewgAh_9DaHL98#w>$6_;Q zu`qr>tN<_w(L;C1ztovMLI#&I-0Fw-?VoZ$zNWuNuFt1BT1|XDI^0{kPUgh(%%oU( z{&?+1J?x(e!Hm+Z>Lt6E^p#c-T#<|7N41g#7UU zQm2iSL4REf=zbhhcOLsaW?N{I{_1)BMEiru_JgmXkQ`+i0Q^ zCrfbex0si!XuHno_8z=em5Ho#S#5V9c#3M1Mr}spi;$n8?juFu7$4n36O9UxBi7d3 z8*@b~*{bGkKuCv(>mOKb7-<2AKUJvd%(RUs0R~qM^(%xw;>emq^V^j?>K|F?=}To2 zXoSMRFKDv`E$dTvs(kme+g4^TKlBff`R`qP!eJ$f78EU53d%2ER{l0A+KBmemdh

=oP(}qx*lB=9FtY~3S=(Zne8K75q*wV&LSeN`Us&tbKzAZ z;+eOwoHm?Tdkm=dHn+r4mz~PKn544Zhf%{Bf=XCp<|~|wyALqlYHK!}db$0idL2Ow zcX~*D;Cs1W0blz#da!Z4&N!^=fd926KIC4jk^>Naeq*jQz$e=ulF#@)a{hYNfR-4^ zQ^Z$Xa*Mmjm{NG?gH$fk4j^{w4x}$9_PQ8++=7_(9;X>JXNP&E(2L4GPIffS?R|ax z!{OLgEG)vK#qC^lN*XQ8n)az42vvN_Yj(%VP5ilA_y3f1T}Q6Zo8-M4e{Xk{P@%89 zgC>}NJ}~T(OX)4Jn!bm2d~G7^#z;z$Fq=BYy{kUU8(tlbdq3^V77~zZS*J(w$7B*7 zp70d`d7fUgh|DzbQ&d@mFEFmUaT4*(*ho*Sx}EM)?=P$p!BzSwoF`@Fp^JUuol2QL zb1m~YX?Nc<_FEsVFfVIbKD}3-BR1inR&k$*@}bq__xrA^pUgxucB(O&1Q8sbdif7tGL-7 z)apDdH~CqySq%#-R{%3JYvZY0f-$raW+H0QFgGO`+uF3RR1r_2-4>+|9%-Z@t0=#t z<~YR*6bYsNB%%If5x+?>xTugf*Zk+tbGuzQU*j}cgK}k^F3Ryj?@5D>KmE!yn53Fl zTVG9tE26ovR;x;`Q6cjS{+(WPIvp}O1y0S0_`Bm0S4q1*t(1P075@ceLzLg1;><^W z#QYZsEfX;4{hDrTCEcJRu1y;SSwnU!fwQXmQx?4dRtl^kJ>aC7m7lEDkorO)!aP4x z5j34jj3cMNKs$FiT$Fcg^-G~*a#=oeujoV@X)PoxHpeHb5njlcY-PB7rXv%d#=vH)al_ zPwFI$$&I+1eT+n9%n@Ql!GCY3K>! znwt!(FV78B(qq~tQB&uc*i|>W6$3_i0$BssEHM;ojwM6qSLp`4e!H6sklpUD1^eyD z`RAOzYI9KR{{HZ{tVbuDXUeI$OS(GK|8_Udvg3*PitU%xj~gg<5&bF@srKBUq*)P* z@Jg3Qng{)TB1dr+>#~!=GwJD5WEg!oBWak+zwjeR4-ezKn>|e0)HY@FHv7SXm=mOG zim9rW({J);NDYwpT6s1?{B!j)%wa`w-zLGk#;*TcRNkRc%m&XsRxh1Gp{TL8I;!2Y+|cKw6%VU!CJj`!N@ zWShv0yw9IHy>FOzsBX)~^Ze$O~!8^jG^~P~r%MW>n4Bj9lFv zelG{ye#3l5PBdGY}q`BEy3oj*T0BJNYFIQ z>TFSWPiLeSi_L%c*g5LAxCx8R9a%`X<#Uo@#9E)0G__J8ULjZUzdT^`dvRr5_^SU^ zv`fFU&}I=C28Eb_=bhDKZx8AK9&0;%3fi$De}2%-Cb8GTFO|w>kk&+W^%h~i3Uh!~ z(T?f5o!;8Uj6YAfoZIcSIG*}+wTSDn(!!l&gqSzVZQJYs#kwBG2CaG2HZfu#JU}pU zxz^zZwzhW8He&I;#{D1yuITsFIiG?2p#%zf4&(5QzvO(QlnvaO!Og5YfXi!6uAP37 zBz~;@5~dI1gF+IXISz}AOhh~OjTF0@&+WWunIMk1TZsvm_a}jYe!$&8?SR1#lgBEO zW&*y(_$t>c(bne<+3>?^$HPrr`1yfb%Vab9)|wkn`wycp$FgHPJAKwRzpGkmr&#|b zH+~C;b~E!z6=Yr4y&CUgoA<7KM8-kH2Lg5RfT*AU{`~`U)&%6*gO1hjQzk8!&LFe-GnY z3rEDd!Mg7(RW8&#TAoIAj70E^B(UhsJR3tPPrL_Xv^Zpy9^=N3;Za`!xu3$AcG8JK zVth|!Q!9HOp2n~=#mkm6WEe+ouXtDiiV77LFD+Sa&>($Xz7D>8_^Qy$H5FhnDs8!Z{aq>s7Ek3582pi`O19d0UR>td9n zmk-53yP-}(#cIv=N$xL;bfLZa2_p8;!%ig{%$}yiu>}x7i#-4o)YP!x>IwcA<^U^V 
z_CQ}(Ur(|kPXE8u(EzZrZ|HP?y1WTX`hOjSP@&P_L%U_+@cs*p_|PNH9E<~V2jJih zo8T{j|Fxd@`XHpBqzn=2U2RYSM5Xt$=VuWpM{0X5)OX!oBNQ+RAw&`fp*Aw2sucv8 zKwweH17z)WFgOxYo5MvmqZj@OTurH?n0ABhQHF6w4%S4k2@jP9=pczrC2Xk0EJZDp7$0e(a>R zrxOl41&QM?Jsf=9i4b2oWHfVHBTtouG}JRE3^CqVhdK4%R0>(Q_E?{cb=l+|O`w1c zMPWHU17WA_jMB)nDUiZILqWH0WJu^T@4LK&(u#@N4?M`T_(bayyiSa{Blun&X;fB|(sRBRWMqieN=QC3>WvJ+;V> zLncm>`jq_7F@?T?q}b7+)G2?7!)J$KSsb}feG5a1WXfjGEtDaKv>7ziNPqefmyIL! z@W9EEZ}Zt<3x&_PXIFTEJo0kWlJRR_{=!9SnbvCsGMiT6xTB?LjnrpN+6Utbx=H$4 zis$rsH!j4p8bq&CqQjqJBZOW*!k##C(<1XLz$nrT5gY$_2>jmJz)7Iwzmsr^8~EaOtcack1bB0%0BwcS9C7>D|1` z)+o8`PV9EI4Hs;`Y}~=b3)HRGab{-x^r0D-t~U}fr~g9;<=(-(ZNmIW{ zbY*4b7an(#fpt=|N`!n+bCsM`TzawA_=Q$)(c!WNyL@z~>{}WSq2WivO{ieuH|MF8 ztD-;HF3I=nFz%D!q#F~>^45QnPbZBA3bJ7)N7)i9KH7U#%0~X>(#Onpq{VD#Ol>|&N zU~-^24|+3s@6*s}ZM5aT6B|Kg;sqX4&pM@r`R(5mw*4Lmb4*U{a}AENtfiYp?+pg8 zBM&b4Thx17kyjiX)NeZ*K5b@Ll?s#6Rx@>CK~gQ`w0c!)ltY8LbZvjj^-rkm_)5a* zW_j-`Y3MBZ4q1OQ3Gv#Py(m@dv-7s~rJQZ(5(+exZoVe3XQ!zAew>t=v$o?GW*xpd zf2s0}p{Fe;x|ynfU0R|qX=HI$(a?E86Ii|BsFnJEg?(jIThY30XrV=lw@4|_2A2ZG zi?%dau_DEtV!_=Kq{Ur|TMNa5OK@l@Pzdhs?jD@Cd)~WuynF7w=j6v8$rx+w?CkZe zZ_V%9bIzPuj}(otChnm|!_vv*8hQ|nqCyDID;G|z;lxLxm%SP+HV@=+DTmm8Q57a^ zt(PQ?YlB0)FHTm678OkVSrk%FGNX5j@!_zIeiv_#D6tU7OQx6)1uBf;DaW4UWrX9; zY*P~WjctUbN(Q7p`Ji`xRAgOpYIiWKJeq9T`hxFIwMRkQVeA&Edu|-pI6l}{O5&!C4c zr)&&U0#zPuSv%+nX=Oa4&3h~IQEaz}7M|=o^=US-d+Aa9Xu`UhZP0UnXLidu`s2gJ zCPhtuPvn;@8BlL1(xA8pWpmkUn4bNf&(S`Mm^QfwH)~zL`z7rpqw&fPn&y`XE+IkW z>N!$D9%WAie#`a9i0af*FmkwSz*ru9eRsAe!WDY7cmLe(tl7~zwiiB+^8%A(j}8-p zQLgLwrJ6Zo0ps&$&eEzUgP|i}8v~nS^{|iH%5NLrLokRjB_s$O%j%+L70wjT=91Bb z+QrY*k!;FqR~Kx;l|08H?~?4+l07nlOgJz32oDGrek$Avhg+-^Z__5FyXNd$PuAST z;HQqy)*YZ2wrSz)bY;sotvDeM_Vh@BTRyFsWcd8LO^t$&8h(irj}k^m%J+ zj7g%re{~uCIhshzbqwO*UaLt-_jE(_I1eo!7?)RE6aAZ4_ETDEiz++y&eNNLKRK6y zxIr>c5)&+;=jV|=BTw+DY;1(f&DaoG>hE5)(;%AZ! 
zKproALwG4A2+-4M(@@O z5bKvWJ#C~+9a2SfU^UKtao&O*A-LW6B^qusiW*_j{W+ zT|{M3B$(etl}thYzw}zyRc)`MnNE5g$Fr2x z_N(p2TO0>dLh|~0Rqn|rxZyIL@*weku}A*oR)i{UAz{m$ee>oWjVOI+B>rv7NL09Q zog}lW_S2R=XrGCu8P_^g4^FuS3BY z<1e?zp%h-b7k%X>QknVr5h}P+^65Oq&Jwnb65mDy>5LP5()lW$Ta8pr=16K~!j*|N zF+Ois5c)BYbhQuy^y4%L_|UT{(GriOTXHJu_vCS)eDcKY*wA?l8dtY>3ayXR`>bnH zCj!n`vL78pCl%i%sGU0h`e{nh9{&l0{~ynK)@!m<$@y>CZVkHLi*tOsx4Q9p$cr9n zGp0!L-p1Vw;b*j_TT8kJ?TZ^_4bTWLh&bCC0|Kz;pGBlRz)? z6)MOamuIOuFKSwIpD7cjn5CQ@h`q00St3ipW?RgvU*Bi9BXS|B*HYZRg(o~UkjCcX znru_7_W-WSK$<=`GuOqM6+|x$J6V&`I2jp4{2Uk@SitRyO3W~B`oPVz<|em#e6)C6$u zUAJBDD!ncwY|@%$60myd{qdcN9OTFGaP|}NTsMr*kwz4m?WOX~J2JM9-bo3x7h%3n zUXZ}Wrf|HfRizfQ^r332-`q|t1=)G+`#)h)YUs=AHPs+3d)~c=y{Lrv6rlO_g(g= zu-2LPL*(*`<3*y8z2E#kK- z85`nVI`}d+uJbLJ#Q{vx#ekTmJ0Q+`ghp#!-;0$xIwwF^%$(_`vZ=h}Pq}-o`XNc^ z7nGk^IbW#TY>zG$%KM_J2@ZjTht_&uI^Jse`D+pqOXiOuw?m_B0HhHPnQ~-;DD&tWPkT&>JE?bt6(Z4WW?%j zoj>aUJG1>{lpM0S(!jNx>;IxZ$EGcuJ?^}6mDJ^l;i zjg|PdoTmQ>^oXQfMKXBWhzacC9z1!}zwci_SLdC*Yj7+QP{5#mEYQ-bcn?F*eO>YG z3Q=J6JPjE~g*L3w_O8zNxbn!|&f-CvL!ubYLNM%Eggl9KP#EST6Y2vE*YmU*{gC1m zOmgH)ObQSdPhtnDdZ|uq?Jy*dER3vT?fZ({!1qqoV zP7727zlU?wF*`sA#4j|#k)+WAJ;mhsyfF*h{oeMk>FOl_PpE5q2XAnKf2f^x*LtuE zQKx-;hyGs(lM{1#Sy9L_*76c1e7HpXppU44$YTpxq z3;^l{_k`sC`|u^G71T-#p00#l;uBz@KiDVg?}4IKML{ zorE+OXn}zj0|RvM7&yOg9uaUwA_2f*fdvydDq&H8UQv4F_*=%pe?O&DvC8E6P7^3EN6xS0I2UD+P77K{uU{BIucJ&G`&dmGTV=eA+5FkK+d8!5i z9mx5*f$jzJpm}eg>v)K^%hXw>uVScDq$r1McjOO0YT?^G6UqcZU=IHn=j>5WyTVka zr-nYfgTUcq1LwTptnYEAw#$FV%gLWkolMjE=+IE^0{SoUW(~6R$3+CyNfF)WBFOK1 zo9nLCt{X*4)$c`TmBi|pxcQsrC%zPkgIax9TJ=jUHq+Au(3miY51yk8E z7hP=FWV3pBZbo}MDFytjG=#=9l@^cn^rXM8L)LJ(Y(%G+FirJqn3E;y33wQ%G*qU7 z&1XNjo-I859DTrJUSBb6%8x`I$t$^%j6)Bl3xDUG-MoNpoUqUZjX+)ARkUfR8wtd( zrk{U8((`WiBzHg02mpAkk;@c;<=VyM3Ydf-`{G|8h#(ZW_dxDAKD)p}@&7qsUI0C>`kUZ=zkLiGk7G@-2JbGT#n(!7I5Jdsj0+gtX6q-Il$j+n zS_^@zb;9Vwc3rS*2r`|&`WX|qY^z;!Sl(I8M_X9YVII{W*4)xn_&%O1ZD!hQF;%Q3 zGx*fwTHtPHFKg#_X!fbed!FhC9D1vl9*Y~DXO>8Lg6X3jly|0vsPSYe<9ZppQ)8|u 
z^111tQX6*`omS8sb0j{oGNNagVI)MWZ+}*#Gx!;}dERt#_Se6LC zhOJ-{qSW@iT>IB&e+mOjd_31T6C)q%-V5S7_DdVPXE6{adv;Vk_5QvmgW8JcWr3Ss zn*H2Mw~}TT3u|`Yfo%j? z_8_<6?)E4Wsp<~vJ?xjE=b;iRtiHUWX_N*pIg1Jr#~3g>Plwl!ndRw{u5w!xp^7Vd z@Odf;V6dwGPm2htF9qW6>kmN-DSSyhpNl=um5-%?rxM|NsV%O5e#4pt`hsWnB;hRez1hGztlhWqMUFl+2ji!7(8?;-iw3I;@eHp02@fzByvFDMs=P zx|JSRdL}d4#F+TOt!gY?Q;>HWR>&&MNWa}ig`ia+becv$!3 zmXk~R$dq-VH``H(0#A>4S$DgdsD)Y+~Yw?p`7fYQ|~buTCPTJ^XoGRlSCS$6E~{uNLn!W@}^( z2xu&B5rPhAv8FIT?RsyG3nO74K1MTJi_K41(d+~K`7x-Ic%dU%%YG4}Nhnclodn8s^`rHum7slIk= z_m$i>AMf!2b4FzKv>{^_wVk)%@}hzjZ7p(bSCmnzeacIx{zMt#nO;&+&UZIf*U9>H zRYlpnNZqdL!67CFNVjOu0ycK+oo@i1fM7gmRU(^jw%z5< zT4YP;y>MLYS#^`Aea~G7o2u~YAXHE;l;E6#u7$=|R>Xb${=zSj90dAI-%9!O&zMOx zeIKQzYrSsKm`x;@{GuoF4|@R2Pn^4rGm6M%gDFw5o9fjI{TJ32r7{W>-^r#=Dps(u zwnKt(QB)tFal{4dx!fG-#=l`a8+jTK!tHk9N3NLWgjxL=AVYd!%wYuoUV7){O5T_B zyG*`nreQZZPs`&+N%r=RxeqCJ?OEiWQ{McFOcKS5nVK8fCZ^bHnq=0-;=IbsrYONI z1oo<`lDMgnDQ+M9{DKJ~*2TmW=|ztlAtF>edLLM3I0po+-^Q;zh0$pRsl;ZNjk7Hd zH-R-<@Ayi-Zg+6(?QNA$+=vO747gQKS}wmML~f?Y%6RJaCqHQWOqILo=}AyCJznDT zd&0FQ?4xkb$ndP**SOxgO9dggebGY@NaHi*&tNV(3eW+G{(T@B{o85#54`yM2KA3* z2POS$E9Xl2fVS=1yJw&Sf)wBXb+5li=&MYcORrnORq4JH-S|CD3eHD$kbk(`c3%vj z$-?aJ5rEpmwFLT-#QlD!SmZo^^)f!#F*KCPK)mVAh}kpj*+vgl6>MVV&8mVf2;{4d zh?%@H2eBzWEnh|c8!6tZPdmYlRnOG`(AwMpGRI`gXvtr$B+RM|RL~U^DME@^kIdwD zk2R_V(CdySa+#`2g{wS?jV78@w)=GBO{;u6(ta#0h35Ir(sjD|`jA7?T2^1d+VyC& zKT<8t3dc4cNc_{-2Ly(?irNruMGJXj@G^rGdqS`=NtUpYGN_fA)?1`GMRH>^|?FK^Qr9)x_yvDN&#|b26`zNCc=ex z`vRjH7r^SWXZhz1?cV{l|1U;Z4?s!$Ze7J;Yp^iRz$hw>qf-VJ@ut(UidckPixBka z)Z@rk4k#Mt-}+*dE$z8jzEAAy|3rdMCEx&Y1+!%1N{6#{zXy|qXY#TrE8=+2F@{r0 zJr*$S#sp8U43(4D%$BX1_vR_#eSI3+o*2RTLgBDqKt>I>0B@i4&sPs;+8T{=dvw;t^D}F;v0){MW@dl8L@&M%-rD-8#X6uD8+GE<|$3` zsFCb4g1~KJhSDQloslkUYW1wd;~XQb3vQQojV$$nHP(1^E7`(qw&SR1JRs&S^YNx1 z3MFFcs9EE`xgWXU4hR3%d__t|>Vyyzm*i0FV?*RC$|+M{&1g_ z7M>i+FbOkf_qIHrd>#*DwY0M^H+;p+v*M_k?;&*3pX$A!1|m855g}kjlHw3t@&>O< zUC4-z^6hbPknKe#KD1i9y>_bM(mHpJ@F{+7hFMT1h2OXAwI+4c8+}iS=|%A^gyMKt 
zVrtsZ3lGV+#ej?1JW!bdA&2=c`8=+hoBE<#4=GCTJ`oumd48$ ziZ)(Rhp^>Sx0|Jc26F*^{;lF0?^3x^fr(x9ra8my{e7qn+VPXXrjASQZEgqf3Lvy) z8FsF5b3<+^te}&x9=)7xdMi#1v;~O&*bfN3+h4I9*I~Oo+Pdg4B3@gpBr9e|`7G`2 zwoF{~OuF3(5_t`u$5wIbPp-1)zhV(x@e9iIxI{NV(RU7LuU>)2iHeUOZM1bNzE_<+ z9?$JX&Yri1Pe$!dus}s`8d$I1Aqn?ww?h;n?TU+7D0s~J;e?Ox`bm?+_tZwtBN)0n zGvJbUb;~s`r;mR(6}dgr_CkkNeQ@n<>;GiV^x)TT?2-;NH-x!lN(Q(!agH6@};xa5^`1Xz}+opgW$eSe=d0 z9|NS1b3p0)f!RJaxKT`HRZg#^zU7ggDh6bkWf7CI7S%YSpzhwaJmS!SAtm!>&^INQe z{>9x|=A6OKW}(p0*e%Csq_8=s!4ZlQWhO`6!~{*L#&@~bB3x{rRvN*f@o~bx*kui<>1dWtGw%Qt5(pGs{|X1G zEnt*cjKT>^n|B?pVr|oeJZ`Ti4ZIa!CX0ALaEW{C9i&==0PMDa%LUrgMkZUb_-q{) z4pL${t@VZ}^k_Puj-F-Z|8fXR=zYc~(y-K%yh><03ENizhxT(Y{|TkbT9lOhss%$; zT+l1(S6H{#!tfdJbt;@4v}7?P%{UEe1Z8P@>M=mA0@z%jtjD+GgkwXSs@;df6?Dm_ zY#Ll*o1ah7r75p!+SXPyfBurhlUGk2wWbG0E?;}o0+r_671=DaV*_`EF_!V_Nos;f zt+QFw&(}5`C)I9%0-G*j-dm1~?JqbaGX!bEh5}5oEhoxkj<%~uCCVWS+|Y|eJaW151Jku7$>NObp4)d_aZdN1iqtBy{e+xCLO?#j$Y zw+|`WV8$(vyHVUq=uKl!v9NwmPq$-@`tEtH6eU<($KiSv9aW+woGNl(>DtoZlX0QM z29E71FpcjYco0=hqU`#^RlFSz;_3L--m-T9!cBHEynn2EV*I_u`3n^7LnJWijR8QT z;=eRH|G9i2SzTZM8!v$9=UFHI-;L{mUw%o6Z5fK|yivat@GkLe`l3e!@+~rt_PTdB z0Fjnn2ExhxUO#Z+|JDE-S(U!8*XUlZ%fSQ=YCG(pvco)dN6xzHz+fV6T-4OmoJ}Vx zL}&oV%!eEdNdj_kL9u;Xb`S`|`R{)OI4t?Au~usrS65f_nD-${N(j1t^4rcNrKGUN z$ox>T1Wft?_dLMqjO?rE!!VVCXFFiv#xo?^-5Y{dr>Ca_3PC^!i}}`yach6ypuu%_ z-y7WkcsW^BYX{;S$>qDvd6*j;FIAYLJ~!w9b@Y%a#~yCL=ip}qLH+AjM(oZbWW)Kzp!W9weBq2woB_DJ + + + diff --git a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json new file mode 100644 index 00000000000..bba9295fca9 --- /dev/null +++ b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json 
@@ -0,0 +1,418 @@
+{
+ "attributes": {
+ "description": "Trend Micro Vision One Audit Events Overview.",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"trend_micro_vision_one.audit\""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-9fa43e27-f7bd-4f0f-b7d2-08955609a472",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "9fa43e27-f7bd-4f0f-b7d2-08955609a472": {
+ "columnOrder": [
+ "d8a8e1d7-1241-4a70-85e3-382db7b4fa21",
+ "bda61ee5-a14d-4864-ba26-d3e0394c63ad"
+ ],
+ "columns": {
+ "bda61ee5-a14d-4864-ba26-d3e0394c63ad": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "Records"
+ },
+ "d8a8e1d7-1241-4a70-85e3-382db7b4fa21": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Result",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "bda61ee5-a14d-4864-ba26-d3e0394c63ad",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "trend_micro_vision_one.audit.result"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"trend_micro_vision_one.audit\""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "groups": [
+ "d8a8e1d7-1241-4a70-85e3-382db7b4fa21"
+ ],
+ "layerId": "9fa43e27-f7bd-4f0f-b7d2-08955609a472",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "metric": "bda61ee5-a14d-4864-ba26-d3e0394c63ad",
+ "nestedLegend": false,
+ "numberDisplay": "percent"
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "e3b9ed00-b61a-4e71-9144-d92505d7eaf9",
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "e3b9ed00-b61a-4e71-9144-d92505d7eaf9",
+ "title": "Distribution of Audit by Result [Logs Trend Micro Vision One]",
+ "type": "lens",
+ "version": "7.17.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-a5dfde98-4b93-4c4c-93c1-70043ff2502f",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "a5dfde98-4b93-4c4c-93c1-70043ff2502f": {
+ "columnOrder": [
+ "3dae7a26-68d9-484c-8d34-c19f2b279979",
+ "1447642a-b455-4a1e-a425-568a15593cc3"
+ ],
+ "columns": {
+ "1447642a-b455-4a1e-a425-568a15593cc3": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "Records"
+ },
+ "3dae7a26-68d9-484c-8d34-c19f2b279979": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Access Type",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "1447642a-b455-4a1e-a425-568a15593cc3",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "trend_micro_vision_one.audit.access_type"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"trend_micro_vision_one.audit\""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "groups": [
+ "3dae7a26-68d9-484c-8d34-c19f2b279979"
+ ],
+ "layerId": "a5dfde98-4b93-4c4c-93c1-70043ff2502f",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "metric": "1447642a-b455-4a1e-a425-568a15593cc3",
+ "nestedLegend": false,
+ "numberDisplay": "percent"
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "984d6a97-d668-4f4f-8750-679983971d4c",
+ "w": 24,
+ "x": 24,
+ "y": 0
+ },
+ "panelIndex": "984d6a97-d668-4f4f-8750-679983971d4c",
+ "title": "Distribution of Audit by Access Type [Logs Trend Micro Vision One]",
+ "type": "lens",
+ "version": "7.17.0"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-897f370a-3c32-469f-bfc2-74613384ef81",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "datasourceStates": {
+ "indexpattern": {
+ "layers": {
+ "897f370a-3c32-469f-bfc2-74613384ef81": {
+ "columnOrder": [
+ "fcd42d60-5fd5-4eda-98b3-fec2247b30ff",
+ "9f43b7e2-6213-44d3-85e1-c001f901b2b9"
+ ],
+ "columns": {
+ "9f43b7e2-6213-44d3-85e1-c001f901b2b9": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "scale": "ratio",
+ "sourceField": "Records"
+ },
+ "fcd42d60-5fd5-4eda-98b3-fec2247b30ff": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Category",
+ "operationType": "terms",
+ "params": {
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9f43b7e2-6213-44d3-85e1-c001f901b2b9",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "trend_micro_vision_one.audit.category"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"trend_micro_vision_one.audit\""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "9f43b7e2-6213-44d3-85e1-c001f901b2b9"
+ ],
+ "layerId": "897f370a-3c32-469f-bfc2-74613384ef81",
+ "layerType": "data",
+ "position": "top",
+ "seriesType": "bar_stacked",
+ "showGridlines": false,
+ "xAccessor": "fcd42d60-5fd5-4eda-98b3-fec2247b30ff"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yRightExtent": {
+ "mode": "full"
+ }
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "c04c566d-1863-49ab-9bc1-74ad66d40666",
+ "w": 48,
+ "x": 0,
+ "y": 15
+ },
+ "panelIndex": "c04c566d-1863-49ab-9bc1-74ad66d40666",
+ "title": "Distribution of Audit by Category [Logs Trend Micro Vision One]",
+ "type": "lens",
+ "version": "7.17.0"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "85e7772a-687e-4f8e-8808-f6bdc6f9a538",
+ "w": 48,
+ "x": 0,
+ "y": 30
+ },
+ "panelIndex": "85e7772a-687e-4f8e-8808-f6bdc6f9a538",
+ "panelRefName": "panel_85e7772a-687e-4f8e-8808-f6bdc6f9a538",
+ "type": "search",
+ "version": "7.17.0"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs Trend Micro Vision One] Audit",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89",
+ "migrationVersion": {
+ "dashboard": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "e3b9ed00-b61a-4e71-9144-d92505d7eaf9:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e3b9ed00-b61a-4e71-9144-d92505d7eaf9:indexpattern-datasource-layer-9fa43e27-f7bd-4f0f-b7d2-08955609a472",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "984d6a97-d668-4f4f-8750-679983971d4c:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "984d6a97-d668-4f4f-8750-679983971d4c:indexpattern-datasource-layer-a5dfde98-4b93-4c4c-93c1-70043ff2502f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c04c566d-1863-49ab-9bc1-74ad66d40666:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c04c566d-1863-49ab-9bc1-74ad66d40666:indexpattern-datasource-layer-897f370a-3c32-469f-bfc2-74613384ef81",
+ "type": "index-pattern"
+ },
+ {
+ "id": "trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89",
+ "name": "85e7772a-687e-4f8e-8808-f6bdc6f9a538:panel_85e7772a-687e-4f8e-8808-f6bdc6f9a538",
+ "type": "search"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json
new file mode 100644
index 00000000000..db3e979cc2a
--- /dev/null
+++ b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47.json
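Review bot: The audit dashboard (trend_micro_vision_one-02296130-0c1b-11ed-8d26-77f06c571b89.json) is committed without a trailing newline, as the `\ No newline at end of file` marker shows, so the closing `}` will be touched by the next formatter run or edit; adding the newline keeps later diffs to real changes. The dataset scope `data_stream.dataset : \"trend_micro_vision_one.audit\"` is spelled out four times, once in the dashboard's searchSourceJSON and once more inside each of the three by-value Lens panels, so any future dataset rename has to be applied to every copy; if the per-panel copies are deliberate, so the panels stay scoped when lifted onto another dashboard, saying so in the description, e.g. `"description": "Trend Micro Vision One Audit Events Overview. Each panel is also scoped to data_stream.dataset trend_micro_vision_one.audit."`, makes the redundancy intentional rather than accidental. The fourth panel is a by-reference saved search (`trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89`, type `search` in the references array); the diffstat visible in this chunk is truncated before the kibana/ entries, so I could not confirm that object ships in the same commit, and an unresolved reference would surface as a missing-reference error when the package's assets are installed.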
@@ -0,0 +1,1713 @@ +{ + "attributes": { + "description": "Trend Micro Vision One Detection Events Overview.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ab62783e-8f90-4ed1-aaa2-0986490650ff", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ab62783e-8f90-4ed1-aaa2-0986490650ff": { + "columnOrder": [ + "78014197-8878-4d6a-9820-cbc319572497", + "4fbc0f3c-b645-4cfd-a340-3cda49fce133" + ], + "columns": { + "4fbc0f3c-b645-4cfd-a340-3cda49fce133": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "78014197-8878-4d6a-9820-cbc319572497": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Blocking Reason", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4fbc0f3c-b645-4cfd-a340-3cda49fce133", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.block" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + 
"x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "4fbc0f3c-b645-4cfd-a340-3cda49fce133" + ], + "layerId": "ab62783e-8f90-4ed1-aaa2-0986490650ff", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "78014197-8878-4d6a-9820-cbc319572497" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "d62e0e2a-b417-4ab6-a0b2-b7d2b6b3d037", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "d62e0e2a-b417-4ab6-a0b2-b7d2b6b3d037", + "title": "Distribution of Detection by Blocking Reason [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-29f50e0d-fac2-443c-825c-8eb0c3a714d0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "29f50e0d-fac2-443c-825c-8eb0c3a714d0": { + "columnOrder": [ + "48dd0201-3a46-47ea-b3fc-290d97ec6638", + "5a64df17-5e2d-4d42-b14a-adbb83d76b77" + ], + "columns": { + "48dd0201-3a46-47ea-b3fc-290d97ec6638": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Behavior Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "5a64df17-5e2d-4d42-b14a-adbb83d76b77", + "type": "column" + }, 
+ "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.behavior_category" + }, + "5a64df17-5e2d-4d42-b14a-adbb83d76b77": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "5a64df17-5e2d-4d42-b14a-adbb83d76b77" + ], + "layerId": "29f50e0d-fac2-443c-825c-8eb0c3a714d0", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "48dd0201-3a46-47ea-b3fc-290d97ec6638" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "52f01658-a95d-4f43-8e53-0a2a5acbb875", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "52f01658-a95d-4f43-8e53-0a2a5acbb875", + "title": "Distribution of Detection by Behavior Category [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-49c72f74-21be-4805-9818-62b060da841d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "49c72f74-21be-4805-9818-62b060da841d": { + "columnOrder": [ + "05971311-2b03-416e-b137-6570c146adf1", + "a2bbe427-42ce-4604-b8fe-4b5bd3e198d7" + ], + "columns": { + "05971311-2b03-416e-b137-6570c146adf1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Network Direction", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a2bbe427-42ce-4604-b8fe-4b5bd3e198d7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "network.direction" + }, + "a2bbe427-42ce-4604-b8fe-4b5bd3e198d7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "05971311-2b03-416e-b137-6570c146adf1" + ], + "layerId": "49c72f74-21be-4805-9818-62b060da841d", + "layerType": "data", + "legendDisplay": "default", + "metric": "a2bbe427-42ce-4604-b8fe-4b5bd3e198d7", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "58a6256c-8b28-43db-86c2-3359cef9ab44", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "58a6256c-8b28-43db-86c2-3359cef9ab44", + "title": "Distribution of Detection by Device 
Direction [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f691f89d-3522-4220-a870-93486224b466", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f691f89d-3522-4220-a870-93486224b466": { + "columnOrder": [ + "b1c380a4-c9bd-4033-a33d-90d729de1655", + "c85cf4bc-ee58-47d4-b395-0020646923c4" + ], + "columns": { + "b1c380a4-c9bd-4033-a33d-90d729de1655": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Protocol", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c85cf4bc-ee58-47d4-b395-0020646923c4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "network.protocol" + }, + "c85cf4bc-ee58-47d4-b395-0020646923c4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "b1c380a4-c9bd-4033-a33d-90d729de1655" + ], + "layerId": "f691f89d-3522-4220-a870-93486224b466", + "layerType": "data", + "legendDisplay": "default", + "metric": "c85cf4bc-ee58-47d4-b395-0020646923c4", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": 
"6f265958-b714-4af3-8479-6a71792ab6e8", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "6f265958-b714-4af3-8479-6a71792ab6e8", + "title": "Distribution of Detection by Protocol [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d550744a-88fb-4110-aa6e-7b2c2fa25385", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "d550744a-88fb-4110-aa6e-7b2c2fa25385": { + "columnOrder": [ + "d1db4ae9-f392-4d84-9266-708f312a417d", + "89ecd6cc-d6c0-40fd-b815-ba5dd95df82c" + ], + "columns": { + "89ecd6cc-d6c0-40fd-b815-ba5dd95df82c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d1db4ae9-f392-4d84-9266-708f312a417d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "89ecd6cc-d6c0-40fd-b815-ba5dd95df82c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "columns": [ + { + "columnId": "d1db4ae9-f392-4d84-9266-708f312a417d" + }, + { + "columnId": "89ecd6cc-d6c0-40fd-b815-ba5dd95df82c" + } + ], + "layerId": "d550744a-88fb-4110-aa6e-7b2c2fa25385", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + 
}, + "gridData": { + "h": 15, + "i": "a57572f8-12d9-4d75-a3b7-e592f588881f", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "a57572f8-12d9-4d75-a3b7-e592f588881f", + "title": "Top 10 Action by Detect Product [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-72a2f6df-02ac-4dbc-9852-39e3ba8afa83", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "72a2f6df-02ac-4dbc-9852-39e3ba8afa83": { + "columnOrder": [ + "d963d750-55ea-467b-b420-2ee6f6a40f66", + "d1b13123-1275-49e1-b407-7c58b6a689f3" + ], + "columns": { + "d1b13123-1275-49e1-b407-7c58b6a689f3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d963d750-55ea-467b-b420-2ee6f6a40f66": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Action Result", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d1b13123-1275-49e1-b407-7c58b6a689f3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.action_result" + } + } + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "columns": [ + { + "columnId": "d963d750-55ea-467b-b420-2ee6f6a40f66" + }, + { + "columnId": "d1b13123-1275-49e1-b407-7c58b6a689f3" + } + ], + "layerId": "72a2f6df-02ac-4dbc-9852-39e3ba8afa83", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + 
"enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "30d672ab-9361-421c-be5f-213d76fbe2dd", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "30d672ab-9361-421c-be5f-213d76fbe2dd", + "title": "Top 10 Action Result by Detect Product [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-50f136e8-fe91-4269-bd9b-650c0392557d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "50f136e8-fe91-4269-bd9b-650c0392557d": { + "columnOrder": [ + "e9b0baae-bc82-4535-b30b-9e3d1087bcea", + "72f117ec-bf7f-4b4a-8a46-1e62b9031e00" + ], + "columns": { + "72f117ec-bf7f-4b4a-8a46-1e62b9031e00": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "e9b0baae-bc82-4535-b30b-9e3d1087bcea": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Tags", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "72f117ec-bf7f-4b4a-8a46-1e62b9031e00", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.tags" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "columns": [ + { + "columnId": "e9b0baae-bc82-4535-b30b-9e3d1087bcea", + "isTransposed": false + }, + { + "columnId": "72f117ec-bf7f-4b4a-8a46-1e62b9031e00", + "isTransposed": false + } + ], + "layerId": 
"50f136e8-fe91-4269-bd9b-650c0392557d", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b7a95a71-0b0a-4377-81eb-9d493e103d14", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "b7a95a71-0b0a-4377-81eb-9d493e103d14", + "title": "Top 10 Detail Tags [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e73c0595-8dfa-4b9d-9af9-da286f0ea969", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "e73c0595-8dfa-4b9d-9af9-da286f0ea969": { + "columnOrder": [ + "02b9468e-18df-4668-af94-216037f15562", + "5b8c77cc-c8bf-406e-9dcc-65861d3fea18" + ], + "columns": { + "02b9468e-18df-4668-af94-216037f15562": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "5b8c77cc-c8bf-406e-9dcc-65861d3fea18", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.threat_name" + }, + "5b8c77cc-c8bf-406e-9dcc-65861d3fea18": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "columns": [ + { + "columnId": "02b9468e-18df-4668-af94-216037f15562" + }, + { + "columnId": 
"5b8c77cc-c8bf-406e-9dcc-65861d3fea18" + } + ], + "layerId": "e73c0595-8dfa-4b9d-9af9-da286f0ea969", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "0207e0e7-7809-46f9-b26f-0888a3d96d98", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "0207e0e7-7809-46f9-b26f-0888a3d96d98", + "title": "Top 10 Threat Name [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a8599c32-418f-45e0-a013-1d0ef2a030c4", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "a8599c32-418f-45e0-a013-1d0ef2a030c4": { + "columnOrder": [ + "e864022d-8287-42ad-9ab5-4637769a9c71", + "85a7d42c-1431-412c-8497-f9a74a39b1df" + ], + "columns": { + "85a7d42c-1431-412c-8497-f9a74a39b1df": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "e864022d-8287-42ad-9ab5-4637769a9c71": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Detection Source", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "85a7d42c-1431-412c-8497-f9a74a39b1df", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.detection_source" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + 
"axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "85a7d42c-1431-412c-8497-f9a74a39b1df" + ], + "layerId": "a8599c32-418f-45e0-a013-1d0ef2a030c4", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "e864022d-8287-42ad-9ab5-4637769a9c71" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "98acbf97-ec55-474c-b5db-cae2aaed7e14", + "w": 24, + "x": 0, + "y": 60 + }, + "panelIndex": "98acbf97-ec55-474c-b5db-cae2aaed7e14", + "title": "Distribution of Detection by Detection Source [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bd766933-cdfd-4c87-ab55-3e994a2fe44e", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "bd766933-cdfd-4c87-ab55-3e994a2fe44e": { + "columnOrder": [ + "7e6beac1-f7da-41db-91a7-31d58a221a61", + "4ca7bc27-a9fa-476f-912b-522ed2a46ff3" + ], + "columns": { + "4ca7bc27-a9fa-476f-912b-522ed2a46ff3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": 
"count", + "scale": "ratio", + "sourceField": "Records" + }, + "7e6beac1-f7da-41db-91a7-31d58a221a61": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4ca7bc27-a9fa-476f-912b-522ed2a46ff3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "os.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "7e6beac1-f7da-41db-91a7-31d58a221a61" + ], + "layerId": "bd766933-cdfd-4c87-ab55-3e994a2fe44e", + "layerType": "data", + "legendDisplay": "default", + "metric": "4ca7bc27-a9fa-476f-912b-522ed2a46ff3", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c2817d33-dceb-4442-b496-2fef04b7784a", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "c2817d33-dceb-4442-b496-2fef04b7784a", + "title": "Distribution of Detection by OS Name [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-96da828c-adec-4f42-9d21-8e483f024d23", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "96da828c-adec-4f42-9d21-8e483f024d23": { + "columnOrder": [ + "b46706ba-b1dc-45db-af7a-53c85ff142c8", + "5ec5dfed-9b61-4812-b6a1-b166a679630f" + ], + "columns": { + 
"5ec5dfed-9b61-4812-b6a1-b166a679630f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "b46706ba-b1dc-45db-af7a-53c85ff142c8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Policy Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "5ec5dfed-9b61-4812-b6a1-b166a679630f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.policy.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "columns": [ + { + "columnId": "b46706ba-b1dc-45db-af7a-53c85ff142c8" + }, + { + "columnId": "5ec5dfed-9b61-4812-b6a1-b166a679630f" + } + ], + "layerId": "96da828c-adec-4f42-9d21-8e483f024d23", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "533112ad-9176-45ae-b7e2-f17a052f06b8", + "w": 24, + "x": 0, + "y": 75 + }, + "panelIndex": "533112ad-9176-45ae-b7e2-f17a052f06b8", + "title": "Top 10 Policy Name [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f1c7368e-804d-4324-97e9-f12e0639e9d5", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f1c7368e-804d-4324-97e9-f12e0639e9d5": { + "columnOrder": [ + "0bc965a0-c84f-4dc9-bbcd-a4a52567e52a", + 
"26e37366-6baa-411b-aa4d-3e1ce4ca5e34" + ], + "columns": { + "0bc965a0-c84f-4dc9-bbcd-a4a52567e52a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "File Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "26e37366-6baa-411b-aa4d-3e1ce4ca5e34", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "file.type" + }, + "26e37366-6baa-411b-aa4d-3e1ce4ca5e34": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "26e37366-6baa-411b-aa4d-3e1ce4ca5e34" + ], + "layerId": "f1c7368e-804d-4324-97e9-f12e0639e9d5", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "0bc965a0-c84f-4dc9-bbcd-a4a52567e52a" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c4b23adc-cfc7-45d5-8330-28788f0d2cf1", + "w": 24, + "x": 24, + "y": 75 
+ }, + "panelIndex": "c4b23adc-cfc7-45d5-8330-28788f0d2cf1", + "title": "Distribution of Detection by File Type [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4917b550-af61-4625-af61-c9274e27047a", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4917b550-af61-4625-af61-c9274e27047a": { + "columnOrder": [ + "ca6ec33b-2725-4194-b64c-69c605dd34a2", + "a7c8cecb-f044-462f-aed8-549776b43392" + ], + "columns": { + "a7c8cecb-f044-462f-aed8-549776b43392": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "ca6ec33b-2725-4194-b64c-69c605dd34a2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Profile", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a7c8cecb-f044-462f-aed8-549776b43392", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.profile" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "a7c8cecb-f044-462f-aed8-549776b43392" + ], + "layerId": 
"4917b550-af61-4625-af61-c9274e27047a", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "ca6ec33b-2725-4194-b64c-69c605dd34a2" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a5dca630-9e4d-4782-aeb0-eec9fb3a7fe5", + "w": 24, + "x": 0, + "y": 90 + }, + "panelIndex": "a5dca630-9e4d-4782-aeb0-eec9fb3a7fe5", + "title": "Distribution of Detection by Profile Name [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d691e22d-4da1-4052-99e9-19980d1ad140", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "d691e22d-4da1-4052-99e9-19980d1ad140": { + "columnOrder": [ + "6b9911e7-dc62-4956-a3a1-8faf9e0b38d8", + "7ff5c2fd-ec85-4949-9ce7-899b284d7052" + ], + "columns": { + "6b9911e7-dc62-4956-a3a1-8faf9e0b38d8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sender", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "7ff5c2fd-ec85-4949-9ce7-899b284d7052", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.detection.sender" + }, + "7ff5c2fd-ec85-4949-9ce7-899b284d7052": { + "customLabel": true, + 
"dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.detection\"" + }, + "visualization": { + "columns": [ + { + "columnId": "6b9911e7-dc62-4956-a3a1-8faf9e0b38d8" + }, + { + "columnId": "7ff5c2fd-ec85-4949-9ce7-899b284d7052" + } + ], + "layerId": "d691e22d-4da1-4052-99e9-19980d1ad140", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b8ea0d85-673c-4f28-9397-48baf5fd0cb1", + "w": 24, + "x": 24, + "y": 90 + }, + "panelIndex": "b8ea0d85-673c-4f28-9397-48baf5fd0cb1", + "title": "Top 10 Sender Name [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Trend Micro Vision One] Detection", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "trend_micro_vision_one-795c2840-0cda-11ed-ac7d-35d42be2de47", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "d62e0e2a-b417-4ab6-a0b2-b7d2b6b3d037:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d62e0e2a-b417-4ab6-a0b2-b7d2b6b3d037:indexpattern-datasource-layer-ab62783e-8f90-4ed1-aaa2-0986490650ff", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "52f01658-a95d-4f43-8e53-0a2a5acbb875:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "52f01658-a95d-4f43-8e53-0a2a5acbb875:indexpattern-datasource-layer-29f50e0d-fac2-443c-825c-8eb0c3a714d0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"58a6256c-8b28-43db-86c2-3359cef9ab44:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58a6256c-8b28-43db-86c2-3359cef9ab44:indexpattern-datasource-layer-49c72f74-21be-4805-9818-62b060da841d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6f265958-b714-4af3-8479-6a71792ab6e8:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6f265958-b714-4af3-8479-6a71792ab6e8:indexpattern-datasource-layer-f691f89d-3522-4220-a870-93486224b466", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a57572f8-12d9-4d75-a3b7-e592f588881f:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a57572f8-12d9-4d75-a3b7-e592f588881f:indexpattern-datasource-layer-d550744a-88fb-4110-aa6e-7b2c2fa25385", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "30d672ab-9361-421c-be5f-213d76fbe2dd:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "30d672ab-9361-421c-be5f-213d76fbe2dd:indexpattern-datasource-layer-72a2f6df-02ac-4dbc-9852-39e3ba8afa83", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7a95a71-0b0a-4377-81eb-9d493e103d14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7a95a71-0b0a-4377-81eb-9d493e103d14:indexpattern-datasource-layer-50f136e8-fe91-4269-bd9b-650c0392557d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0207e0e7-7809-46f9-b26f-0888a3d96d98:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0207e0e7-7809-46f9-b26f-0888a3d96d98:indexpattern-datasource-layer-e73c0595-8dfa-4b9d-9af9-da286f0ea969", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "98acbf97-ec55-474c-b5db-cae2aaed7e14:indexpattern-datasource-current-indexpattern", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "98acbf97-ec55-474c-b5db-cae2aaed7e14:indexpattern-datasource-layer-a8599c32-418f-45e0-a013-1d0ef2a030c4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c2817d33-dceb-4442-b496-2fef04b7784a:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c2817d33-dceb-4442-b496-2fef04b7784a:indexpattern-datasource-layer-bd766933-cdfd-4c87-ab55-3e994a2fe44e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "533112ad-9176-45ae-b7e2-f17a052f06b8:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "533112ad-9176-45ae-b7e2-f17a052f06b8:indexpattern-datasource-layer-96da828c-adec-4f42-9d21-8e483f024d23", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c4b23adc-cfc7-45d5-8330-28788f0d2cf1:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c4b23adc-cfc7-45d5-8330-28788f0d2cf1:indexpattern-datasource-layer-f1c7368e-804d-4324-97e9-f12e0639e9d5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a5dca630-9e4d-4782-aeb0-eec9fb3a7fe5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a5dca630-9e4d-4782-aeb0-eec9fb3a7fe5:indexpattern-datasource-layer-4917b550-af61-4625-af61-c9274e27047a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b8ea0d85-673c-4f28-9397-48baf5fd0cb1:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b8ea0d85-673c-4f28-9397-48baf5fd0cb1:indexpattern-datasource-layer-d691e22d-4da1-4052-99e9-19980d1ad140", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json new file mode 100644 index 00000000000..90fbcb7e4c7 --- /dev/null +++ b/packages/trend_micro_vision_one/kibana/dashboard/trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47.json 
@@ -0,0 +1,748 @@ +{ + "attributes": { + "description": "Trend Micro Vision One Alert Events Overview.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c66b406f-8e28-4d47-9fc4-39b968af345d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c66b406f-8e28-4d47-9fc4-39b968af345d": { + "columnOrder": [ + "f8fe0e4c-a495-4e43-9d53-c1d67a1af7d6", + "e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea" + ], + "columns": { + "e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "f8fe0e4c-a495-4e43-9d53-c1d67a1af7d6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "log.level" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "f8fe0e4c-a495-4e43-9d53-c1d67a1af7d6" + ], + "layerId": "c66b406f-8e28-4d47-9fc4-39b968af345d", + "layerType": "data", + 
"legendDisplay": "default", + "metric": "e6f8a4fc-5fb0-4e3e-acdc-8f54b0d777ea", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "04cd99db-4dd5-4eca-ab0a-f922068c9a25", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "04cd99db-4dd5-4eca-ab0a-f922068c9a25", + "title": "Distribution of Alert by Severity [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-93eb5209-5e6d-4079-a4a1-2bfab8dd99df", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "93eb5209-5e6d-4079-a4a1-2bfab8dd99df": { + "columnOrder": [ + "58ad7a12-5367-4cb6-8a1c-89b678df8266", + "c4ac9c4a-bc44-4309-9279-779185b07336" + ], + "columns": { + "58ad7a12-5367-4cb6-8a1c-89b678df8266": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "c4ac9c4a-bc44-4309-9279-779185b07336": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Score", + "operationType": "median", + "scale": "ratio", + "sourceField": "event.severity" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + 
"labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c4ac9c4a-bc44-4309-9279-779185b07336" + ], + "layerId": "93eb5209-5e6d-4079-a4a1-2bfab8dd99df", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "58ad7a12-5367-4cb6-8a1c-89b678df8266" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "db54892f-8ac3-49ed-9ec3-7cfe7648f646", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "db54892f-8ac3-49ed-9ec3-7cfe7648f646", + "title": "Trend of Alert Score Over Time [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ac7eae8e-47b7-494d-aa59-23badf3efe0f", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ac7eae8e-47b7-494d-aa59-23badf3efe0f": { + "columnOrder": [ + "1a94ba46-8da2-4c13-86ae-6f0217196e37", + "896c9e40-e894-44bd-95cf-8098f7a30f3d" + ], + "columns": { + "1a94ba46-8da2-4c13-86ae-6f0217196e37": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Investigation Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "896c9e40-e894-44bd-95cf-8098f7a30f3d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + 
"scale": "ordinal", + "sourceField": "trend_micro_vision_one.alert.investigation_status" + }, + "896c9e40-e894-44bd-95cf-8098f7a30f3d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "1a94ba46-8da2-4c13-86ae-6f0217196e37" + ], + "layerId": "ac7eae8e-47b7-494d-aa59-23badf3efe0f", + "layerType": "data", + "legendDisplay": "default", + "metric": "896c9e40-e894-44bd-95cf-8098f7a30f3d", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "123f8240-4cc6-4003-83af-43553d428928", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "123f8240-4cc6-4003-83af-43553d428928", + "title": "Distribution of Alert by Investigation Status [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4d3824b7-1c3f-44cd-b84d-88552f0eff69", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4d3824b7-1c3f-44cd-b84d-88552f0eff69": { + "columnOrder": [ + "1ad9ba6d-9cb3-4330-801c-f956897bcafa", + "0b3248dd-237b-4f84-badb-d179a9e76f4f" + ], + "columns": { + "0b3248dd-237b-4f84-badb-d179a9e76f4f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + 
"scale": "ratio", + "sourceField": "Records" + }, + "1ad9ba6d-9cb3-4330-801c-f956897bcafa": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Entity Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0b3248dd-237b-4f84-badb-d179a9e76f4f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.alert.impact_scope.entities.type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "1ad9ba6d-9cb3-4330-801c-f956897bcafa" + ], + "layerId": "4d3824b7-1c3f-44cd-b84d-88552f0eff69", + "layerType": "data", + "legendDisplay": "default", + "metric": "0b3248dd-237b-4f84-badb-d179a9e76f4f", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "dee1cbd0-6143-4245-ab3f-b8cd4022e67e", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "dee1cbd0-6143-4245-ab3f-b8cd4022e67e", + "title": "Distribution of Alert by Entity Type [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-464ea482-63a1-4427-8f9c-224e693d4ffc", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "464ea482-63a1-4427-8f9c-224e693d4ffc": { + "columnOrder": [ + "d3f7e999-2c6b-4b3f-bbca-72ec716b4285", + 
"6c73fc78-7633-468b-9018-96c35a90e619" + ], + "columns": { + "6c73fc78-7633-468b-9018-96c35a90e619": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d3f7e999-2c6b-4b3f-bbca-72ec716b4285": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Indicator Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "6c73fc78-7633-468b-9018-96c35a90e619", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.alert.indicators.type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "6c73fc78-7633-468b-9018-96c35a90e619" + ], + "layerId": "464ea482-63a1-4427-8f9c-224e693d4ffc", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "d3f7e999-2c6b-4b3f-bbca-72ec716b4285" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": 
"9e5504f2-2732-40d5-a0c8-c885c93a8153", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "9e5504f2-2732-40d5-a0c8-c885c93a8153", + "title": "Distribution of Alert by Indicator Type [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-38c2ae2f-27fd-47dc-911f-4aa95f5545d1", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "38c2ae2f-27fd-47dc-911f-4aa95f5545d1": { + "columnOrder": [ + "56d4df89-ea70-4cac-a0f7-0d56f3f3f1aa", + "a78e27d3-f17e-4e38-8815-4cb90a1c006f" + ], + "columns": { + "56d4df89-ea70-4cac-a0f7-0d56f3f3f1aa": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Matched Rule", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a78e27d3-f17e-4e38-8815-4cb90a1c006f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trend_micro_vision_one.alert.matched_rule.name" + }, + "a78e27d3-f17e-4e38-8815-4cb90a1c006f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.alert\"" + }, + "visualization": { + "columns": [ + { + "columnId": "56d4df89-ea70-4cac-a0f7-0d56f3f3f1aa" + }, + { + "columnId": "a78e27d3-f17e-4e38-8815-4cb90a1c006f" + } + ], + "layerId": "38c2ae2f-27fd-47dc-911f-4aa95f5545d1", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + 
"enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "eabd35ae-1d20-403d-ab31-993d621aa11d", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "eabd35ae-1d20-403d-ab31-993d621aa11d", + "title": "Top 10 Matched Rule [Logs Trend Micro Vision One]", + "type": "lens", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Trend Micro Vision One] Alert", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "trend_micro_vision_one-dc4fba10-0ce5-11ed-ac7d-35d42be2de47", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "04cd99db-4dd5-4eca-ab0a-f922068c9a25:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "04cd99db-4dd5-4eca-ab0a-f922068c9a25:indexpattern-datasource-layer-c66b406f-8e28-4d47-9fc4-39b968af345d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "db54892f-8ac3-49ed-9ec3-7cfe7648f646:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "db54892f-8ac3-49ed-9ec3-7cfe7648f646:indexpattern-datasource-layer-93eb5209-5e6d-4079-a4a1-2bfab8dd99df", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "123f8240-4cc6-4003-83af-43553d428928:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "123f8240-4cc6-4003-83af-43553d428928:indexpattern-datasource-layer-ac7eae8e-47b7-494d-aa59-23badf3efe0f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dee1cbd0-6143-4245-ab3f-b8cd4022e67e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dee1cbd0-6143-4245-ab3f-b8cd4022e67e:indexpattern-datasource-layer-4d3824b7-1c3f-44cd-b84d-88552f0eff69", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9e5504f2-2732-40d5-a0c8-c885c93a8153:indexpattern-datasource-current-indexpattern", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9e5504f2-2732-40d5-a0c8-c885c93a8153:indexpattern-datasource-layer-464ea482-63a1-4427-8f9c-224e693d4ffc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "eabd35ae-1d20-403d-ab31-993d621aa11d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "eabd35ae-1d20-403d-ab31-993d621aa11d:indexpattern-datasource-layer-38c2ae2f-27fd-47dc-911f-4aa95f5545d1", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/trend_micro_vision_one/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json b/packages/trend_micro_vision_one/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json new file mode 100644 index 00000000000..cafd4cfb828 --- /dev/null +++ b/packages/trend_micro_vision_one/kibana/search/trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89.json @@ -0,0 +1,42 @@ +{ + "attributes": { + "columns": [ + "source.user.name", + "source.user.roles", + "trend_micro_vision_one.audit.details" + ], + "description": "", + "grid": {}, + "hideChart": true, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"trend_micro_vision_one.audit\"" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Audit Events Essential Details [Logs Trend Micro Vision One]" + }, + "coreMigrationVersion": "7.17.0", + "id": "trend_micro_vision_one-89e6e9b0-0c1d-11ed-8d26-77f06c571b89", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/packages/trend_micro_vision_one/manifest.yml b/packages/trend_micro_vision_one/manifest.yml new file mode 100644 index 00000000000..f0d11696596 --- /dev/null +++ b/packages/trend_micro_vision_one/manifest.yml 
@@ -0,0 +1,78 @@
+format_version: 1.0.0
+name: trend_micro_vision_one
+title: Trend Micro Vision One
+version: '0.1.0'
+license: basic
+description: Collect logs from Trend Micro Vision One with Elastic Agent.
+type: integration
+categories:
+ - security
+conditions:
+ kibana.version: ^8.4.0
+screenshots:
+ - src: /img/trend-micro-vision-one-alert-dashboard-screenshot.png
+ title: Trend Micro Vision One Dashboard Screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/trend-micro-vision-one-logo.svg
+ title: Trend Micro Vision One Logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: trend_micro_vision_one
+ title: Trend Micro Vision One
+ description: Collect logs from Trend Micro Vision One.
+ inputs:
+ - type: httpjson
+ title: Collect Trend Micro Vision One logs via API
+ description: Collecting Trend Micro Vision One logs via API.
+ vars:
+ - name: hostname
+ type: text
+ title: URL
+ description: Trend Micro Vision One domain name.
+ required: true
+ - name: api_token
+ type: password
+ title: API Token
+ description: API Token with API Access Level type.
+ required: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+owner:
+ github: elastic/security-external-integrations
From e7199d7e0ad7a72af9eb99e27f96e07d0b45ed82 Mon Sep 17 00:00:00 2001
From: vinit-elastic
Date: Fri, 5 Aug 2022 19:17:07 +0530
Subject: [PATCH 2/6] Update changelog file
---
 packages/trend_micro_vision_one/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/trend_micro_vision_one/changelog.yml b/packages/trend_micro_vision_one/changelog.yml
index ecc6089249c..a4f25398761 100644
--- a/packages/trend_micro_vision_one/changelog.yml
+++ b/packages/trend_micro_vision_one/changelog.yml
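Review bot: The `hostname` variable is titled `URL` but described as a domain name, and the manifest never says whether the user should enter a bare host or a full `https://` URL, which is the first question anyone configuring the input will have; align the two, e.g. `title: Hostname` with `description: Trend Micro Vision One API host name, without scheme or path.`, or state explicitly that a full URL is expected. The `proxy_url` description as rendered here reads `http[s]://:@:.`, which looks as if the user/password/host/port placeholders were lost somewhere between the committed text and this page — worth confirming the committed string, since it is what Fleet shows to users, and since that field may carry proxy credentials the description could also say they are handled as an ordinary `text` value rather than as a `password`. This hunk adds the whole file, so nothing of it lies outside the view.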
@@ -3,4 +3,4 @@ changes: - description: Initial Release. type: enhancement - link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link + link: https://github.com/elastic/integrations/pull/3963 From c4a63e0309cc9b62590d2c1c06dc46b87e20cb47 Mon Sep 17 00:00:00 2001 From: vinit-elastic Date: Thu, 18 Aug 2022 11:55:34 +0530 Subject: [PATCH 3/6] Changes as per review comments --- .../_dev/build/docs/README.md | 10 ++- .../elasticsearch/ingest_pipeline/default.yml | 66 +++++++------- .../data_stream/alert/sample_event.json | 10 +-- .../elasticsearch/ingest_pipeline/default.yml | 87 +++++++++---------- .../data_stream/audit/sample_event.json | 10 +-- .../elasticsearch/ingest_pipeline/default.yml | 10 +-- .../data_stream/detection/sample_event.json | 10 +-- .../trend_micro_vision_one/docs/README.md | 40 +++++---- 8 files changed, 127 insertions(+), 116 deletions(-) diff --git a/packages/trend_micro_vision_one/_dev/build/docs/README.md b/packages/trend_micro_vision_one/_dev/build/docs/README.md index 07963a90bbd..7b2c2a53eb6 100644 --- a/packages/trend_micro_vision_one/_dev/build/docs/README.md +++ b/packages/trend_micro_vision_one/_dev/build/docs/README.md @@ -8,7 +8,7 @@ Use the Trend Micro Vision One integration to collects and parses data from the ## Data streams -The Trend Micro Vision One integration collects three types of data streams: Alert, Audit, and Detection. +The Trend Micro Vision One integration collects logs for three types of events: Alert, Audit, and Detection. **Alert** Displays information about workbench alerts. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/~1v3.0~1workbench~1alerts/get). 
@@ -35,6 +35,14 @@ This module has been tested against `Trend Micro Vision One API version 3.0`. ![Trend Micro Vision One generate API token ](../img/trend-micro-vision-one-api-token-generate.png) 4. Copy the Authentication token. +### Enabling the integration in Elastic + +1. In Kibana go to **Management > Integrations**. +2. In the "Search for integrations" search bar, type **Trend Micro Vision One**. +3. Click on **Trend Micro Vision One** integration from the search results. +4. Click on **Add Trend Micro Vision One** button to add Trend Micro Vision One integration. +5. Enable the Integration to collect logs via API. + ## Logs Reference ### alert diff --git a/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml index 0163fb0e600..221d43cc163 100644 --- a/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ b/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml 
@@ -19,34 +19,31 @@ processors: description: Set the value of event.category and event.type. lang: painless source: > - def eventCategory = new HashSet(); - def eventType = new HashSet(); - if(ctx.json?.description != null && ctx.json?.description != ''){ - def description = ctx.json.description.toLowerCase(); - if(description.contains('logon')){ - eventCategory.add('authentication'); - eventCategory.add('host'); - eventType.add('info'); - } - else if(description.contains('email')){ - eventCategory.add('email'); - eventType.add('info'); - } - else if(description.contains('network')){ - eventCategory.add('network'); - eventType.add('info'); - } - else{ - eventCategory.add('malware'); - eventType.add('info'); - } - } - if(!eventCategory.isEmpty()){ - ctx.event.category = eventCategory; - } - if(!eventType.isEmpty()){ - ctx.event.type = eventType; - } + def eventCategory = new HashSet(); + def eventType = new HashSet(); + if (ctx.json?.description != null && ctx.json.description != '') { + def description = ctx.json.description.toLowerCase(); + if (description.contains('logon')) { + eventCategory.add('authentication'); + eventCategory.add('host'); + eventType.add('info'); + } else if (description.contains('email')) { + eventCategory.add('email'); + eventType.add('info'); + } else if (description.contains('network')) { + eventCategory.add('network'); + eventType.add('info'); + } else { + eventCategory.add('malware'); + eventType.add('info'); + } + } + if (!eventCategory.isEmpty()) { + ctx.event.category = eventCategory; + } + if (!eventType.isEmpty()) { + ctx.event.type = eventType; + } - fingerprint: fields: - json.updatedDateTime @@ -56,7 +53,7 @@ processors: ignore_missing: true - date: field: json.updatedDateTime - if: ctx.json?.updatedDateTime != null && ctx.json?.updatedDateTime != '' + if: ctx.json?.updatedDateTime != null && ctx.json.updatedDateTime != '' formats: - ISO8601 on_failure: 
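Review bot: The closing `else` of the description classifier still assigns `malware` to every alert whose description lacks 'logon', 'email' or 'network', so a workbench alert about, for example, credential access or lateral movement lands in `event.category: malware`; this hunk only re-indents that logic and keeps the catch-all. The alert object carries structured `model` and `matchedRules` fields (visible in the `original` string of sample_event.json further down this patch), so the classification could key on those instead, or the final `else` could be dropped so that `event.category` is simply left unset when nothing matches rather than being guessed. The `- script:` processor that owns this `source:` block begins above the hunk.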
@@ -180,12 +177,11 @@ processors: - script: description: Mapped value object field of impactScope. lang: painless - source: + if: ctx.json?.impactScope?.entities instanceof List + source: > def impactscope_entities = ctx.json.impactScope.entities; - - for (entitiy_object in impactscope_entities){ - if(!(entitiy_object.entityValue instanceof HashMap)) - { + for (entitiy_object in impactscope_entities) { + if (!(entitiy_object.entityValue instanceof HashMap)) { def entityValue = entitiy_object.entityValue; entitiy_object.value = new HashMap(); entitiy_object.value.account_value = entityValue; @@ -270,7 +266,7 @@ processors: - date: field: json.createdDateTime target_field: trend_micro_vision_one.alert.created_date - if: ctx.json?.createdDateTime != null && ctx.json?.createdDateTime != '' + if: ctx.json?.createdDateTime != null && ctx.json.createdDateTime != '' formats: - ISO8601 on_failure: diff --git a/packages/trend_micro_vision_one/data_stream/alert/sample_event.json b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json index 6f8a6a15479..6186a9c3a10 100644 --- a/packages/trend_micro_vision_one/data_stream/alert/sample_event.json +++ b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2030-04-30T00:01:16.000Z", "agent": { - "ephemeral_id": "2c4b19a6-8652-4d61-8fb4-b6e544c17d09", - "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "ephemeral_id": "07f7cfd9-f8ce-47b1-9f6c-9e6742647c84", + "id": "747c1d31-3641-496d-b07e-abac6231f881", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -16,7 +16,7 @@ "version": "8.4.0" }, "elastic_agent": { - "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "id": "747c1d31-3641-496d-b07e-abac6231f881", "snapshot": true, "version": "8.4.0" }, 
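Review bot: The new `if: ctx.json?.impactScope?.entities instanceof List` guard checks the list but not its elements, so a `null` or non-map entry would still throw at `entitiy_object.entityValue` and, unless an `on_failure` handler outside the hunk catches it, fail the whole document; add `if (!(entitiy_object instanceof Map)) { continue; }` as the first statement of the loop. The loop variable `entitiy_object` is also misspelled — `entity_object` would read better in the two lines the hunk touches. The loop body continues beyond the end of the hunk.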
@@ -25,10 +25,10 @@ "category": [ "email" ], - "created": "2022-08-05T08:53:29.385Z", + "created": "2022-08-17T12:12:17.444Z", "dataset": "trend_micro_vision_one.alert", "id": "WB-9002-20200427-0002", - "ingested": "2022-08-05T08:53:35Z", + "ingested": "2022-08-17T12:12:20Z", "kind": "alert", "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", "severity": 63, 
diff --git a/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 524ae7e49bb..23ab77223b2 100644
--- a/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -19,51 +19,50 @@ processors: description: Set the value of event.category and event.type. lang: painless source: > - def eventCategory = new HashSet(); - def eventType = new HashSet(); - if(ctx.json?.category != null && ctx.json?.category != ''){ - def category = ctx.json.category.toLowerCase(); - def activity = ctx.json.activity.toLowerCase(); - if(category == 'logon and logoff' || category == 'saml single sign-on') { - eventCategory.add('authentication'); - if(activity == 'log on' || activity == 'enable single sign-on'){ - eventType.add('start'); - } - if(activity == 'log off' || activity == 'disable single sign-on'){ - eventType.add('end'); - } - else{ - eventType.add('info'); - } - } - if(category == 'account management' || category == 'product connector' || category == 'Notifications' || category == 'detection model management' || category == 'workbench' || category == 'response management' || category == 'search' || category == 'managed xdr' || category == 'third-party integration' || category == 'service gateway inventory' || category == 'endpoint inventory' || category == 'endpoint security policies' || category == 'zero trust secure access' || category == 'sandbox analysis' || category == 'oat' || category == 'security playbooks'){ - eventCategory.add('authentication'); - eventType.add('info'); - } - if(category == 'network inventory'){ - eventCategory.add('network'); - eventType.add('info'); - } - if(category == 'threat intelligence'){ - eventCategory.add('threat'); - eventType.add('indicator'); - } - if(activity.contains('email')){ - eventCategory.add('email'); - } - if(activity.contains('file')){ - eventCategory.add('file'); - } - if(activity.contains('threat')){ - eventCategory.add('threat'); - } - } - if(!eventCategory.isEmpty()){ - ctx.event.category = eventCategory; + def eventCategory = new HashSet(); + def eventType = new HashSet(); + if (ctx.json?.category != null && ctx.json.category != '' && ctx.json?.activity != null && ctx.json.activity != 
'') { + def category = ctx.json.category.toLowerCase(); + def activity = ctx.json.activity.toLowerCase(); + if (['logon and logoff', 'saml single sign-on'].contains(category)) { + eventCategory.add('authentication'); + if (['log on', 'enable single sign-on'].contains(activity)) { + eventType.add('start'); } - if(!eventType.isEmpty()){ - ctx.event.type = eventType; + if (['log off', 'disable single sign-on'].contains(activity)) { + eventType.add('end'); + } else { + eventType.add('info'); } + } + if (['account management', 'product connector', 'Notifications', 'detection model management', 'workbench', 'response management', 'search', 'managed xdr', 'third-party integration', 'service gateway inventory', 'endpoint inventory', 'endpoint security policies', 'zero trust secure access', 'sandbox analysis', 'oat', 'security playbooks'].contains(category)) { + eventCategory.add('authentication'); + eventType.add('info'); + } + if (category == 'network inventory') { + eventCategory.add('network'); + eventType.add('info'); + } + if (category == 'threat intelligence') { + eventCategory.add('threat'); + eventType.add('indicator'); + } + if (activity.contains('email')) { + eventCategory.add('email'); + } + if (activity.contains('file')) { + eventCategory.add('file'); + } + if (activity.contains('threat')) { + eventCategory.add('threat'); + } + } + if (!eventCategory.isEmpty()) { + ctx.event.category = eventCategory; + } + if (!eventType.isEmpty()) { + ctx.event.type = eventType; + } - fingerprint: fields: - json.loggedDateTime @@ -76,7 +75,7 @@ processors: ignore_missing: true - date: field: json.loggedDateTime - if: ctx.json?.loggedDateTime != null && ctx.json?.loggedDateTime != '' + if: ctx.json?.loggedDateTime != null && ctx.json.loggedDateTime != '' formats: - ISO8601 - yyyy-MM-dd HH:mm:ss 
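Review bot: `'Notifications'` in the long category list keeps its capital N although `category` was lowercased a few lines earlier with `toLowerCase()`, so audit events in that category never receive `event.category`/`event.type`; change it to `'notifications'`. Separately, the same branch maps clearly non-authentication categories (account management, product connector, workbench, search, sandbox analysis, …) to `event.category: authentication`, which will skew any rule or dashboard that filters on that ECS category; `iam` for account management and `configuration` for the settings-style categories would be closer to ECS, or `event.category` could be left unset for the rest. Note too that an activity of `log on` gets both `start` and `info`, because the `log off` check is an independent `if` rather than an `else if` after the `log on` check. The `- script:` processor that owns this `source:` block begins above the hunk.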
diff --git a/packages/trend_micro_vision_one/data_stream/audit/sample_event.json b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json index 96508562793..6d6269dac65 100644 --- a/packages/trend_micro_vision_one/data_stream/audit/sample_event.json +++ b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2022-02-24T07:29:48.000Z", "agent": { - "ephemeral_id": "680afd6e-4f98-4136-83fb-4216ea972672", - "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "ephemeral_id": "e0fe40df-fdde-412e-ae51-0e21efdcccd2", + "id": "747c1d31-3641-496d-b07e-abac6231f881", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -16,7 +16,7 @@ "version": "8.4.0" }, "elastic_agent": { - "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "id": "747c1d31-3641-496d-b07e-abac6231f881", "snapshot": true, "version": "8.4.0" }, @@ -25,9 +25,9 @@ "category": [ "authentication" ], - "created": "2022-08-05T08:55:09.322Z", + "created": "2022-08-17T12:13:11.273Z", "dataset": "trend_micro_vision_one.audit", - "ingested": "2022-08-05T08:55:12Z", + "ingested": "2022-08-17T12:13:14Z", "kind": "event", "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", "outcome": "failure", diff --git a/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml index ccc5eb99561..865d316d325 100644 --- a/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml +++ b/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml 
@@ -30,7 +30,7 @@ processors: ignore_missing: true - date: field: json.eventTime - if: ctx.json?.eventTime != null && ctx.json?.eventTime != '' + if: ctx.json?.eventTime != null && ctx.json.eventTime != '' formats: - UNIX_MS on_failure: @@ -415,7 +415,7 @@ processors: - date: field: json.end target_field: trend_micro_vision_one.detection.end_time - if: ctx.json?.end != null && ctx.json?.end != '' + if: ctx.json?.end != null && ctx.json.end != '' formats: - ISO8601 on_failure: @@ -437,7 +437,7 @@ processors: - date: field: json.eventTimeDT target_field: trend_micro_vision_one.detection.event_time_dt - if: ctx.json?.eventTimeDT != null && ctx.json?.eventTimeDT != '' + if: ctx.json?.eventTimeDT != null && ctx.json.eventTimeDT != '' formats: - ISO8601 on_failure: @@ -624,7 +624,7 @@ processors: - date: field: json.rt target_field: trend_micro_vision_one.detection.rt - if: ctx.json?.rt != null && ctx.json?.rt != '' + if: ctx.json?.rt != null && ctx.json.rt != '' formats: - ISO8601 on_failure: @@ -634,7 +634,7 @@ processors: - date: field: json.rt_utc target_field: trend_micro_vision_one.detection.rt_utc - if: ctx.json?.rt_utc != null && ctx.json?.rt_utc != '' + if: ctx.json?.rt_utc != null && ctx.json.rt_utc != '' formats: - ISO8601 on_failure: diff --git a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json index 42aa5a9c7ad..03eb615be81 100644 --- a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json +++ b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2020-10-15T01:16:32.000Z", "agent": { - "ephemeral_id": "f9918934-0175-4439-873b-b3c8c80eeacc", - "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "ephemeral_id": "9c996984-005e-415a-a658-fb03bbe7c4b9", + "id": "747c1d31-3641-496d-b07e-abac6231f881", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" 
@@ -23,7 +23,7 @@ "version": "8.4.0" }, "elastic_agent": { - "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "id": "747c1d31-3641-496d-b07e-abac6231f881", "snapshot": true, "version": "8.4.0" }, 
@@ -33,10 +33,10 @@ "category": [ "intrusion_detection" ], - "created": "2022-08-05T08:56:54.217Z", + "created": "2022-08-17T12:14:05.439Z", "dataset": "trend_micro_vision_one.detection", "id": "100117", - "ingested": "2022-08-05T08:56:57Z", + "ingested": "2022-08-17T12:14:08Z", "kind": "event", "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", "severity": 50, diff --git a/packages/trend_micro_vision_one/docs/README.md b/packages/trend_micro_vision_one/docs/README.md index 8e11170eae8..39ad9a0114c 100644 --- a/packages/trend_micro_vision_one/docs/README.md +++ b/packages/trend_micro_vision_one/docs/README.md @@ -8,7 +8,7 @@ Use the Trend Micro Vision One integration to collects and parses data from the ## Data streams -The Trend Micro Vision One integration collects three types of data streams: Alert, Audit, and Detection. +The Trend Micro Vision One integration collects logs for three types of events: Alert, Audit, and Detection. **Alert** Displays information about workbench alerts. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/~1v3.0~1workbench~1alerts/get). 
@@ -35,6 +35,14 @@ This module has been tested against `Trend Micro Vision One API version 3.0`. ![Trend Micro Vision One generate API token ](../img/trend-micro-vision-one-api-token-generate.png) 4. Copy the Authentication token. +### Enabling the integration in Elastic + +1. In Kibana go to **Management > Integrations**. +2. In the "Search for integrations" search bar, type **Trend Micro Vision One**. +3. Click on **Trend Micro Vision One** integration from the search results. +4. Click on **Add Trend Micro Vision One** button to add Trend Micro Vision One integration. +5. Enable the Integration to collect logs via API. + ## Logs Reference ### alert @@ -49,8 +57,8 @@ An example event for `alert` looks as following: { "@timestamp": "2030-04-30T00:01:16.000Z", "agent": { - "ephemeral_id": "2c4b19a6-8652-4d61-8fb4-b6e544c17d09", - "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "ephemeral_id": "07f7cfd9-f8ce-47b1-9f6c-9e6742647c84", + "id": "747c1d31-3641-496d-b07e-abac6231f881", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -64,7 +72,7 @@ An example event for `alert` looks as following: "version": "8.4.0" }, "elastic_agent": { - "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "id": "747c1d31-3641-496d-b07e-abac6231f881", "snapshot": true, "version": "8.4.0" }, 
@@ -73,10 +81,10 @@ An example event for `alert` looks as following: "category": [ "email" ], - "created": "2022-08-05T08:53:29.385Z", + "created": "2022-08-17T12:12:17.444Z", "dataset": "trend_micro_vision_one.alert", "id": "WB-9002-20200427-0002", - "ingested": "2022-08-05T08:53:35Z", + "ingested": "2022-08-17T12:12:20Z", "kind": "alert", "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", "severity": 63, 
@@ -306,8 +314,8 @@ An example event for `audit` looks as following: { "@timestamp": "2022-02-24T07:29:48.000Z", "agent": { - "ephemeral_id": "680afd6e-4f98-4136-83fb-4216ea972672", - "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "ephemeral_id": "e0fe40df-fdde-412e-ae51-0e21efdcccd2", + "id": "747c1d31-3641-496d-b07e-abac6231f881", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -321,7 +329,7 @@ An example event for `audit` looks as following: "version": "8.4.0" }, "elastic_agent": { - "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "id": "747c1d31-3641-496d-b07e-abac6231f881", "snapshot": true, "version": "8.4.0" }, @@ -330,9 +338,9 @@ An example event for `audit` looks as following: "category": [ "authentication" ], - "created": "2022-08-05T08:55:09.322Z", + "created": "2022-08-17T12:13:11.273Z", "dataset": "trend_micro_vision_one.audit", - "ingested": "2022-08-05T08:55:12Z", + "ingested": "2022-08-17T12:13:14Z", "kind": "event", "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", "outcome": "failure", @@ -451,8 +459,8 @@ An example event for `detection` looks as following: { "@timestamp": "2020-10-15T01:16:32.000Z", "agent": { - "ephemeral_id": "f9918934-0175-4439-873b-b3c8c80eeacc", - "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "ephemeral_id": "9c996984-005e-415a-a658-fb03bbe7c4b9", + "id": "747c1d31-3641-496d-b07e-abac6231f881", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -473,7 +481,7 @@ An example event for `detection` looks as following: "version": "8.4.0" }, "elastic_agent": { - "id": "d8ba7a3b-9a31-49d3-a698-01e922f1a575", + "id": "747c1d31-3641-496d-b07e-abac6231f881", "snapshot": true, "version": "8.4.0" }, 
@@ -483,10 +491,10 @@ An example event for `detection` looks as following: "category": [ "intrusion_detection" ], - "created": "2022-08-05T08:56:54.217Z", + "created": "2022-08-17T12:14:05.439Z", "dataset": "trend_micro_vision_one.detection", "id": "100117", - "ingested": "2022-08-05T08:56:57Z", + "ingested": "2022-08-17T12:14:08Z", "kind": "event", "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", "severity": 50, From 883efb149b6b395d38211e55ab025cc0adf63fd5 Mon Sep 17 00:00:00 2001 From: vinit-elastic Date: Thu, 22 Sep 2022 23:19:41 +0530 Subject: [PATCH 4/6] Changes as per review comments --- .../_dev/deploy/docker/docker-compose.yml | 2 +- .../{ httpjson.yml.hbs => httpjson.yml.hbs} | 0 .../elasticsearch/ingest_pipeline/default.yml | 14 ++++---- .../data_stream/alert/sample_event.json | 12 +++---- .../{ httpjson.yml.hbs => httpjson.yml.hbs} | 0 .../elasticsearch/ingest_pipeline/default.yml | 8 ++--- .../data_stream/audit/sample_event.json | 12 +++---- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../data_stream/detection/sample_event.json | 12 +++---- .../trend_micro_vision_one/docs/README.md | 36 +++++++++---------- 10 files changed, 49 insertions(+), 49 deletions(-) rename packages/trend_micro_vision_one/data_stream/alert/agent/stream/{ httpjson.yml.hbs => httpjson.yml.hbs} (100%) rename packages/trend_micro_vision_one/data_stream/audit/agent/stream/{ httpjson.yml.hbs => httpjson.yml.hbs} (100%) diff --git a/packages/trend_micro_vision_one/_dev/deploy/docker/docker-compose.yml b/packages/trend_micro_vision_one/_dev/deploy/docker/docker-compose.yml index e9cc8f5a37a..1fb2d8d880a 100644 --- a/packages/trend_micro_vision_one/_dev/deploy/docker/docker-compose.yml +++ b/packages/trend_micro_vision_one/_dev/deploy/docker/docker-compose.yml 
@@ -1,7 +1,7 @@ version: '2.3' services: trend_micro_vision_one: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.8.0 hostname: trend_micro_vision_one ports: - 8080 diff --git a/packages/trend_micro_vision_one/data_stream/alert/agent/stream/ httpjson.yml.hbs b/packages/trend_micro_vision_one/data_stream/alert/agent/stream/httpjson.yml.hbs similarity index 100% rename from packages/trend_micro_vision_one/data_stream/alert/agent/stream/ httpjson.yml.hbs rename to packages/trend_micro_vision_one/data_stream/alert/agent/stream/httpjson.yml.hbs diff --git a/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml index 221d43cc163..b9b4ba94f3b 100644 --- a/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ b/packages/trend_micro_vision_one/data_stream/alert/elasticsearch/ingest_pipeline/default.yml @@ -180,12 +180,12 @@ processors: if: ctx.json?.impactScope?.entities instanceof List source: > def impactscope_entities = ctx.json.impactScope.entities; - for (entitiy_object in impactscope_entities) { - if (!(entitiy_object.entityValue instanceof HashMap)) { - def entityValue = entitiy_object.entityValue; - entitiy_object.value = new HashMap(); - entitiy_object.value.account_value = entityValue; - entitiy_object.remove("entityValue"); + for (entity_object in impactscope_entities) { + if (!(entity_object.entityValue instanceof HashMap)) { + def entityValue = entity_object.entityValue; + entity_object.value = new HashMap(); + entity_object.value.account_value = entityValue; + entity_object.remove("entityValue"); } } - foreach: 
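Review bot: The renamed loop still enters the `if (!(entity_object.entityValue instanceof HashMap))` branch when `entityValue` is absent, so an entity with no such key is rewritten to `value: { account_value: null }` followed by a no-op `remove("entityValue")`; guard the null case too, `if (entity_object.entityValue != null && !(entity_object.entityValue instanceof HashMap)) {`. The loop also assumes every element of `impactScope.entities` is a map — the `instanceof List` check on the processor's `if:` does not establish that, and a scalar element would likely fail at `.entityValue`, leaving it to whatever `on_failure` handling the pipeline has (not visible here). A one-line comment above the loop stating the intent would help the next reader, e.g. `# entityValue is either a map (host/account details) or a bare string; normalise the string form into value.account_value`. The script processor's surrounding `foreach`/rename steps start and end outside this hunk.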
@@ -528,7 +528,7 @@ processors: - trend_micro_vision_one.alert.id - trend_micro_vision_one.alert.score - trend_micro_vision_one.alert.severity - if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) ignore_failure: true ignore_missing: true - remove: diff --git a/packages/trend_micro_vision_one/data_stream/alert/sample_event.json b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json index 6186a9c3a10..68c704e89ee 100644 --- a/packages/trend_micro_vision_one/data_stream/alert/sample_event.json +++ b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2030-04-30T00:01:16.000Z", "agent": { - "ephemeral_id": "07f7cfd9-f8ce-47b1-9f6c-9e6742647c84", - "id": "747c1d31-3641-496d-b07e-abac6231f881", + "ephemeral_id": "059354a1-f24d-45a9-b234-0c9163d9e3e7", + "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -16,8 +16,8 @@ "version": "8.4.0" }, "elastic_agent": { - "id": "747c1d31-3641-496d-b07e-abac6231f881", - "snapshot": true, + "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", + "snapshot": false, "version": "8.4.0" }, "event": { 
@@ -25,10 +25,10 @@ "category": [ "email" ], - "created": "2022-08-17T12:12:17.444Z", + "created": "2022-09-22T07:06:04.245Z", "dataset": "trend_micro_vision_one.alert", "id": "WB-9002-20200427-0002", - "ingested": "2022-08-17T12:12:20Z", + "ingested": "2022-09-22T07:06:07Z", "kind": "alert", "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", "severity": 63, 
diff --git a/packages/trend_micro_vision_one/data_stream/audit/agent/stream/ httpjson.yml.hbs b/packages/trend_micro_vision_one/data_stream/audit/agent/stream/httpjson.yml.hbs similarity index 100% rename from packages/trend_micro_vision_one/data_stream/audit/agent/stream/ httpjson.yml.hbs rename to packages/trend_micro_vision_one/data_stream/audit/agent/stream/httpjson.yml.hbs diff --git a/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 23ab77223b2..446547324aa 100644 --- a/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -21,7 +21,7 @@ processors: source: > def eventCategory = new HashSet(); def eventType = new HashSet(); - if (ctx.json?.category != null && ctx.json.category != '' && ctx.json?.activity != null && ctx.json.activity != '') { + if (ctx.json?.category != null && ctx.json.category != '' && ctx.json.activity != null && ctx.json.activity != '') { def category = ctx.json.category.toLowerCase(); def activity = ctx.json.activity.toLowerCase(); if (['logon and logoff', 'saml single sign-on'].contains(category)) { @@ -39,11 +39,11 @@ processors: eventCategory.add('authentication'); eventType.add('info'); } - if (category == 'network inventory') { + if (category.contains('network inventory')) { eventCategory.add('network'); eventType.add('info'); } - if (category == 'threat intelligence') { + if (category.contains('threat intelligence')) { eventCategory.add('threat'); eventType.add('indicator'); } 
@@ -140,7 +140,7 @@ processors: field: - trend_micro_vision_one.audit.logged_user - trend_micro_vision_one.audit.logged_role - if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) ignore_failure: true ignore_missing: true - remove: diff --git a/packages/trend_micro_vision_one/data_stream/audit/sample_event.json b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json index 6d6269dac65..5ef148c229c 100644 --- a/packages/trend_micro_vision_one/data_stream/audit/sample_event.json +++ b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2022-02-24T07:29:48.000Z", "agent": { - "ephemeral_id": "e0fe40df-fdde-412e-ae51-0e21efdcccd2", - "id": "747c1d31-3641-496d-b07e-abac6231f881", + "ephemeral_id": "78c65a4a-cf16-4485-9c05-206f087560dd", + "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -16,8 +16,8 @@ "version": "8.4.0" }, "elastic_agent": { - "id": "747c1d31-3641-496d-b07e-abac6231f881", - "snapshot": true, + "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", + "snapshot": false, "version": "8.4.0" }, "event": { @@ -25,9 +25,9 @@ "category": [ "authentication" ], - "created": "2022-08-17T12:13:11.273Z", + "created": "2022-09-22T07:06:44.058Z", "dataset": "trend_micro_vision_one.audit", - "ingested": "2022-08-17T12:13:14Z", + "ingested": "2022-09-22T07:06:47Z", "kind": "event", "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", "outcome": "failure", 
diff --git a/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml index 865d316d325..3ec96608462 100644 --- a/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml +++ b/packages/trend_micro_vision_one/data_stream/detection/elasticsearch/ingest_pipeline/default.yml @@ -946,7 +946,7 @@ processors: - trend_micro_vision_one.detection.os.name - trend_micro_vision_one.detection.user.domain - trend_micro_vision_one.detection.client_ip - if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) ignore_failure: true ignore_missing: true - remove: diff --git a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json index 03eb615be81..3eeb2ddcaea 100644 --- a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json +++ b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2020-10-15T01:16:32.000Z", "agent": { - "ephemeral_id": "9c996984-005e-415a-a658-fb03bbe7c4b9", - "id": "747c1d31-3641-496d-b07e-abac6231f881", + "ephemeral_id": "0875d8d0-2f57-4724-bcd6-3e0ffacc0f7b", + "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -23,8 +23,8 @@ "version": "8.4.0" }, "elastic_agent": { - "id": "747c1d31-3641-496d-b07e-abac6231f881", - "snapshot": true, + "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", + "snapshot": false, "version": "8.4.0" }, "event": { 
@@ -33,10 +33,10 @@ "category": [ "intrusion_detection" ], - "created": "2022-08-17T12:14:05.439Z", + "created": "2022-09-22T07:07:23.390Z", "dataset": "trend_micro_vision_one.detection", "id": "100117", - "ingested": "2022-08-17T12:14:08Z", + "ingested": "2022-09-22T07:07:26Z", "kind": "event", "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", "severity": 50, diff --git a/packages/trend_micro_vision_one/docs/README.md b/packages/trend_micro_vision_one/docs/README.md index 39ad9a0114c..8e6921b91a5 100644 --- a/packages/trend_micro_vision_one/docs/README.md +++ b/packages/trend_micro_vision_one/docs/README.md @@ -57,8 +57,8 @@ An example event for `alert` looks as following: { "@timestamp": "2030-04-30T00:01:16.000Z", "agent": { - "ephemeral_id": "07f7cfd9-f8ce-47b1-9f6c-9e6742647c84", - "id": "747c1d31-3641-496d-b07e-abac6231f881", + "ephemeral_id": "059354a1-f24d-45a9-b234-0c9163d9e3e7", + "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -72,8 +72,8 @@ An example event for `alert` looks as following: "version": "8.4.0" }, "elastic_agent": { - "id": "747c1d31-3641-496d-b07e-abac6231f881", - "snapshot": true, + "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", + "snapshot": false, "version": "8.4.0" }, "event": { 
@@ -81,10 +81,10 @@ An example event for `alert` looks as following: "category": [ "email" ], - "created": "2022-08-17T12:12:17.444Z", + "created": "2022-09-22T07:06:04.245Z", "dataset": "trend_micro_vision_one.alert", "id": "WB-9002-20200427-0002", - "ingested": "2022-08-17T12:12:20Z", + "ingested": "2022-09-22T07:06:07Z", "kind": "alert", "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", "severity": 63, 
@@ -314,8 +314,8 @@ An example event for `audit` looks as following: { "@timestamp": "2022-02-24T07:29:48.000Z", "agent": { - "ephemeral_id": "e0fe40df-fdde-412e-ae51-0e21efdcccd2", - "id": "747c1d31-3641-496d-b07e-abac6231f881", + "ephemeral_id": "78c65a4a-cf16-4485-9c05-206f087560dd", + "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -329,8 +329,8 @@ An example event for `audit` looks as following: "version": "8.4.0" }, "elastic_agent": { - "id": "747c1d31-3641-496d-b07e-abac6231f881", - "snapshot": true, + "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", + "snapshot": false, "version": "8.4.0" }, "event": { @@ -338,9 +338,9 @@ An example event for `audit` looks as following: "category": [ "authentication" ], - "created": "2022-08-17T12:13:11.273Z", + "created": "2022-09-22T07:06:44.058Z", "dataset": "trend_micro_vision_one.audit", - "ingested": "2022-08-17T12:13:14Z", + "ingested": "2022-09-22T07:06:47Z", "kind": "event", "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", "outcome": "failure", @@ -459,8 +459,8 @@ An example event for `detection` looks as following: { "@timestamp": "2020-10-15T01:16:32.000Z", "agent": { - "ephemeral_id": "9c996984-005e-415a-a658-fb03bbe7c4b9", - "id": "747c1d31-3641-496d-b07e-abac6231f881", + "ephemeral_id": "0875d8d0-2f57-4724-bcd6-3e0ffacc0f7b", + "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" 
@@ -481,8 +481,8 @@ An example event for `detection` looks as following: "version": "8.4.0" }, "elastic_agent": { - "id": "747c1d31-3641-496d-b07e-abac6231f881", - "snapshot": true, + "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", + "snapshot": false, "version": "8.4.0" }, "event": { 
@@ -491,10 +491,10 @@ An example event for `detection` looks as following: "category": [ "intrusion_detection" ], - "created": "2022-08-17T12:14:05.439Z", + "created": "2022-09-22T07:07:23.390Z", "dataset": "trend_micro_vision_one.detection", "id": "100117", - "ingested": "2022-08-17T12:14:08Z", + "ingested": "2022-09-22T07:07:26Z", "kind": "event", "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", "severity": 50, From e113f923dcbc859f77be545f9f875e0d7815f439 Mon Sep 17 00:00:00 2001 From: vinit-elastic Date: Fri, 23 Sep 2022 15:02:29 +0530 Subject: [PATCH 5/6] Changes in conditions of audit data stream --- .../data_stream/alert/sample_event.json | 10 +++---- .../elasticsearch/ingest_pipeline/default.yml | 10 +++---- .../data_stream/audit/sample_event.json | 10 +++---- .../data_stream/detection/sample_event.json | 10 +++---- .../trend_micro_vision_one/docs/README.md | 30 +++++++++---------- 5 files changed, 35 insertions(+), 35 deletions(-) diff --git a/packages/trend_micro_vision_one/data_stream/alert/sample_event.json b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json index 68c704e89ee..9569a762ea5 100644 --- a/packages/trend_micro_vision_one/data_stream/alert/sample_event.json +++ b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2030-04-30T00:01:16.000Z", "agent": { - "ephemeral_id": "059354a1-f24d-45a9-b234-0c9163d9e3e7", - "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", + "ephemeral_id": "d6a02246-8518-4f79-9436-e7c03d23350d", + "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" 
@@ -16,7 +16,7 @@
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "ccb41db4-437b-4e37-a130-5f84e4883c18",
+ "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
 "snapshot": false,
 "version": "8.4.0"
 },
@@ -25,10 +25,10 @@
 "category": [
 "email"
 ],
- "created": "2022-09-22T07:06:04.245Z",
+ "created": "2022-09-23T06:50:48.184Z",
 "dataset": "trend_micro_vision_one.alert",
 "id": "WB-9002-20200427-0002",
- "ingested": "2022-09-22T07:06:07Z",
+ "ingested": "2022-09-23T06:50:51Z",
 "kind": "alert",
 "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}",
 "severity": 63,
diff --git a/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 446547324aa..37d39000a53 100644
--- a/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/trend_micro_vision_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -39,21 +39,21 @@ processors:
 eventCategory.add('authentication');
 eventType.add('info');
 }
- if (category.contains('network inventory')) {
+ if (category == 'network inventory') {
 eventCategory.add('network');
 eventType.add('info');
 }
- if (category.contains('threat intelligence')) {
+ if (category == 'threat intelligence') {
 eventCategory.add('threat');
 eventType.add('indicator');
 }
- if (activity.contains('email')) {
+ if (activity == 'email') {
 eventCategory.add('email');
 }
- if (activity.contains('file')) {
+ if (activity == 'file') {
 eventCategory.add('file');
 }
- if (activity.contains('threat')) {
+ if (activity == 'threat') {
 eventCategory.add('threat');
 }
 }
diff --git a/packages/trend_micro_vision_one/data_stream/audit/sample_event.json b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json
index 5ef148c229c..a3564f5f239 100644
--- a/packages/trend_micro_vision_one/data_stream/audit/sample_event.json
+++ b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json
@@ -1,8 +1,8 @@
 {
 "@timestamp": "2022-02-24T07:29:48.000Z",
 "agent": {
- "ephemeral_id": "78c65a4a-cf16-4485-9c05-206f087560dd",
- "id": "ccb41db4-437b-4e37-a130-5f84e4883c18",
+ "ephemeral_id": "a1162a2d-fb56-4932-8cd0-2a62747cc0e4",
+ "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.4.0"
@@ -16,7 +16,7 @@
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "ccb41db4-437b-4e37-a130-5f84e4883c18",
+ "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
 "snapshot": false,
 "version": "8.4.0"
 },
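Review bot: The new exact comparisons are all lowercase (`'network inventory'`, `'threat intelligence'`, `'email'`, `'file'`, `'threat'`) while the audit sample event committed alongside this hunk carries `"category":"Logon and Logoff"` in the vendor's own casing, so unless `category` and `activity` are lowercased earlier in the script (that part is outside this hunk) the network and threat-intelligence branches will never populate `event.category`, and audit events reach detection rules without the ECS categorisation those rules key on. Either normalise once before the chain or compare case-insensitively, e.g. `if (category?.toLowerCase() == 'network inventory') {`, and apply the same to the `activity` checks. Moving from `contains` to `==` also narrows matching from substring to whole-string; that is fine if the API documents these as fixed enum values, but a one-line comment stating that assumption next to the chain would stop the next maintainer from reverting it, and it is worth noting that `==` is null-safe in Painless where `.contains` on a missing field would have thrown. The enclosing script processor starts and ends outside this hunk.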
@@ -25,9 +25,9 @@
 "category": [
 "authentication"
 ],
- "created": "2022-09-22T07:06:44.058Z",
+ "created": "2022-09-23T06:51:32.916Z",
 "dataset": "trend_micro_vision_one.audit",
- "ingested": "2022-09-22T07:06:47Z",
+ "ingested": "2022-09-23T06:51:36Z",
 "kind": "event",
 "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}",
 "outcome": "failure",
diff --git a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json
index 3eeb2ddcaea..c99ff9047c0 100644
--- a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json
+++ b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json
@@ -1,8 +1,8 @@
 {
 "@timestamp": "2020-10-15T01:16:32.000Z",
 "agent": {
- "ephemeral_id": "0875d8d0-2f57-4724-bcd6-3e0ffacc0f7b",
- "id": "ccb41db4-437b-4e37-a130-5f84e4883c18",
+ "ephemeral_id": "7b50e6a4-2166-468d-8de6-51093aa7ee5a",
+ "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.4.0"
@@ -23,7 +23,7 @@
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "ccb41db4-437b-4e37-a130-5f84e4883c18",
+ "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
 "snapshot": false,
 "version": "8.4.0"
 },
@@ -33,10 +33,10 @@ "category": [ "intrusion_detection" ], - "created": "2022-09-22T07:07:23.390Z", + "created": "2022-09-23T06:52:15.093Z", "dataset": "trend_micro_vision_one.detection", "id": "100117", - "ingested": "2022-09-22T07:07:26Z", + "ingested": "2022-09-23T06:52:18Z", "kind": "event", "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", "severity": 50, diff --git a/packages/trend_micro_vision_one/docs/README.md b/packages/trend_micro_vision_one/docs/README.md index 8e6921b91a5..88f7629fdb7 100644 --- a/packages/trend_micro_vision_one/docs/README.md +++ b/packages/trend_micro_vision_one/docs/README.md @@ -57,8 +57,8 @@ An example event for `alert` looks as following: { "@timestamp": "2030-04-30T00:01:16.000Z", "agent": { - "ephemeral_id": "059354a1-f24d-45a9-b234-0c9163d9e3e7", - "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", + "ephemeral_id": "d6a02246-8518-4f79-9436-e7c03d23350d", + "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -72,7 +72,7 @@ An example event for `alert` looks as following: "version": "8.4.0" }, "elastic_agent": { - "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", + "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745", "snapshot": false, "version": "8.4.0" }, 
@@ -81,10 +81,10 @@ An example event for `alert` looks as following: "category": [ "email" ], - "created": "2022-09-22T07:06:04.245Z", + "created": "2022-09-23T06:50:48.184Z", "dataset": "trend_micro_vision_one.alert", "id": "WB-9002-20200427-0002", - "ingested": "2022-09-22T07:06:07Z", + "ingested": "2022-09-23T06:50:51Z", "kind": "alert", "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}", "severity": 63, 
@@ -314,8 +314,8 @@ An example event for `audit` looks as following: { "@timestamp": "2022-02-24T07:29:48.000Z", "agent": { - "ephemeral_id": "78c65a4a-cf16-4485-9c05-206f087560dd", - "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", + "ephemeral_id": "a1162a2d-fb56-4932-8cd0-2a62747cc0e4", + "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -329,7 +329,7 @@ An example event for `audit` looks as following: "version": "8.4.0" }, "elastic_agent": { - "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", + "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745", "snapshot": false, "version": "8.4.0" }, @@ -338,9 +338,9 @@ An example event for `audit` looks as following: "category": [ "authentication" ], - "created": "2022-09-22T07:06:44.058Z", + "created": "2022-09-23T06:51:32.916Z", "dataset": "trend_micro_vision_one.audit", - "ingested": "2022-09-22T07:06:47Z", + "ingested": "2022-09-23T06:51:36Z", "kind": "event", "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", "outcome": "failure", @@ -459,8 +459,8 @@ An example event for `detection` looks as following: { "@timestamp": "2020-10-15T01:16:32.000Z", "agent": { - "ephemeral_id": "0875d8d0-2f57-4724-bcd6-3e0ffacc0f7b", - "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", + "ephemeral_id": "7b50e6a4-2166-468d-8de6-51093aa7ee5a", + "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -481,7 +481,7 @@ An example event for `detection` looks as following: "version": "8.4.0" }, "elastic_agent": { - "id": "ccb41db4-437b-4e37-a130-5f84e4883c18", + "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745", "snapshot": false, "version": "8.4.0" }, 
@@ -491,10 +491,10 @@ An example event for `detection` looks as following: "category": [ "intrusion_detection" ], - "created": "2022-09-22T07:07:23.390Z", + "created": "2022-09-23T06:52:15.093Z", "dataset": "trend_micro_vision_one.detection", "id": "100117", - "ingested": "2022-09-22T07:07:26Z", + "ingested": "2022-09-23T06:52:18Z", "kind": "event", "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}", "severity": 50, From 47b5dd80544849586687f243ec70d2028d015133 Mon Sep 17 00:00:00 2001 From: vinit-elastic Date: Fri, 30 Sep 2022 22:50:50 +0530 Subject: [PATCH 6/6] Add request.timeout parameter & update tag and user guide --- .../_dev/build/build.yml | 2 +- .../_dev/build/docs/README.md | 8 ---- .../alert/agent/stream/httpjson.yml.hbs | 3 ++ .../data_stream/alert/manifest.yml | 16 +++++-- .../data_stream/alert/sample_event.json | 12 ++--- .../audit/agent/stream/httpjson.yml.hbs | 3 ++ .../data_stream/audit/manifest.yml | 16 +++++-- .../data_stream/audit/sample_event.json | 12 ++--- .../detection/agent/stream/httpjson.yml.hbs | 3 ++ .../data_stream/detection/manifest.yml | 16 +++++-- .../data_stream/detection/sample_event.json | 12 ++--- .../trend_micro_vision_one/docs/README.md | 44 ++++++++----------- 12 files changed, 82 insertions(+), 65 deletions(-) diff --git a/packages/trend_micro_vision_one/_dev/build/build.yml b/packages/trend_micro_vision_one/_dev/build/build.yml index 2254d90483c..8d9e4bf7ac8 100644 --- a/packages/trend_micro_vision_one/_dev/build/build.yml +++ b/packages/trend_micro_vision_one/_dev/build/build.yml @@ -1,3 +1,3 @@ dependencies: ecs: - reference: git@v8.4.0-rc1 + reference: git@v8.4.0 diff --git a/packages/trend_micro_vision_one/_dev/build/docs/README.md b/packages/trend_micro_vision_one/_dev/build/docs/README.md index 7b2c2a53eb6..b8b389f5954 100644 
--- a/packages/trend_micro_vision_one/_dev/build/docs/README.md +++ b/packages/trend_micro_vision_one/_dev/build/docs/README.md @@ -35,14 +35,6 @@ This module has been tested against `Trend Micro Vision One API version 3.0`. ![Trend Micro Vision One generate API token ](../img/trend-micro-vision-one-api-token-generate.png) 4. Copy the Authentication token. -### Enabling the integration in Elastic - -1. In Kibana go to **Management > Integrations**. -2. In the "Search for integrations" search bar, type **Trend Micro Vision One**. -3. Click on **Trend Micro Vision One** integration from the search results. -4. Click on **Add Trend Micro Vision One** button to add Trend Micro Vision One integration. -5. Enable the Integration to collect logs via API. - ## Logs Reference ### alert diff --git a/packages/trend_micro_vision_one/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/trend_micro_vision_one/data_stream/alert/agent/stream/httpjson.yml.hbs index 2e3d045596d..c734c8fb695 100644 --- a/packages/trend_micro_vision_one/data_stream/alert/agent/stream/httpjson.yml.hbs +++ b/packages/trend_micro_vision_one/data_stream/alert/agent/stream/httpjson.yml.hbs @@ -8,6 +8,9 @@ request.ssl: {{ssl}} {{/if}} request.method: GET request.url: {{hostname}}/v3.0/workbench/alerts +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} request.transforms: - set: target: header.Authorization diff --git a/packages/trend_micro_vision_one/data_stream/alert/manifest.yml b/packages/trend_micro_vision_one/data_stream/alert/manifest.yml index e6afb172c11..07230e95c44 100644 --- a/packages/trend_micro_vision_one/data_stream/alert/manifest.yml +++ b/packages/trend_micro_vision_one/data_stream/alert/manifest.yml 
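Review bot: The added `request.timeout` is fine, but the template around it still sends the API token (placed on `header.Authorization` by the transform immediately below the new lines) to whatever `{{hostname}}` the operator enters, and neither this template nor the manifest constrains the URL scheme, so a hostname typed as `http://...` would send the bearer token in cleartext; the optional `request.ssl` block above does not appear to prevent that. Consider rejecting non-`https` values for `hostname` (or at minimum stating in its manifest description that it must be an `https://` URL) so the credential cannot be downgraded by a configuration slip. The audit and detection `httpjson.yml.hbs` hunks in this same patch add the identical three lines and share the concern. The `{{#if http_client_timeout}}` guard is redundant given the manifest makes the variable `required: true` with a `30s` default, though harmless.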
@@ -9,7 +9,7 @@ streams: - name: initial_interval type: text title: Initial Interval - description: How far back to pull the alert from Trend Micro Vision One. + description: How far back to pull the alert from Trend Micro Vision One. NOTE:- Supported units for this parameter are h/m/s. multi: false required: true show_user: true @@ -17,11 +17,19 @@ streams: - name: interval type: text title: Interval - description: Duration between requests to the Trend Micro Vision One API. + description: Duration between requests to the Trend Micro Vision One API. NOTE:- Supported units for this parameter are h/m/s. default: 5m multi: false required: true show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s - name: tags type: text title: Tags @@ -30,7 +38,7 @@ streams: show_user: false default: - forwarded - - trend_micro_vision_one_alert + - trend_micro_vision_one-alert - name: preserve_original_event required: true show_user: true @@ -41,7 +49,7 @@ streams: default: false - name: preserve_duplicate_custom_fields required: true - show_user: true + show_user: false title: Preserve duplicate custom fields description: Preserve trend_micro_vision_one.alert fields that were copied to Elastic Common Schema (ECS) fields. type: bool diff --git a/packages/trend_micro_vision_one/data_stream/alert/sample_event.json b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json index 9569a762ea5..70fae695a6d 100644 --- a/packages/trend_micro_vision_one/data_stream/alert/sample_event.json +++ b/packages/trend_micro_vision_one/data_stream/alert/sample_event.json 
@@ -1,8 +1,8 @@
 {
 "@timestamp": "2030-04-30T00:01:16.000Z",
 "agent": {
- "ephemeral_id": "d6a02246-8518-4f79-9436-e7c03d23350d",
- "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
+ "ephemeral_id": "11b64a19-0682-4a33-b385-4e6142171d69",
+ "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.4.0"
@@ -16,7 +16,7 @@
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
+ "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
 "snapshot": false,
 "version": "8.4.0"
 },
@@ -25,10 +25,10 @@
 "category": [
 "email"
 ],
- "created": "2022-09-23T06:50:48.184Z",
+ "created": "2022-09-30T11:50:26.826Z",
 "dataset": "trend_micro_vision_one.alert",
 "id": "WB-9002-20200427-0002",
- "ingested": "2022-09-23T06:50:51Z",
+ "ingested": "2022-09-30T11:50:30Z",
 "kind": "alert",
 "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}",
 "severity": 63,
@@ -46,7 +46,7 @@
 "preserve_original_event",
 "preserve_duplicate_custom_fields",
 "forwarded",
- "trend_micro_vision_one_alert"
+ "trend_micro_vision_one-alert"
 ],
 "trend_micro_vision_one": {
 "alert": {
diff --git a/packages/trend_micro_vision_one/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/trend_micro_vision_one/data_stream/audit/agent/stream/httpjson.yml.hbs index ea5d7b361ef..4c6a8869bfb 100644 --- a/packages/trend_micro_vision_one/data_stream/audit/agent/stream/httpjson.yml.hbs +++ b/packages/trend_micro_vision_one/data_stream/audit/agent/stream/httpjson.yml.hbs @@ -8,6 +8,9 @@ request.ssl: {{ssl}} {{/if}} request.method: GET request.url: {{hostname}}/v3.0/audit/logs +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} request.transforms: - set: target: header.Authorization diff --git a/packages/trend_micro_vision_one/data_stream/audit/manifest.yml b/packages/trend_micro_vision_one/data_stream/audit/manifest.yml index 4f6fe7ad687..3376929cdb9 100644 --- a/packages/trend_micro_vision_one/data_stream/audit/manifest.yml +++ b/packages/trend_micro_vision_one/data_stream/audit/manifest.yml @@ -9,7 +9,7 @@ streams: - name: initial_interval type: text title: Initial Interval - description: How far back to pull the audit from Trend Micro Vision One. + description: How far back to pull the audit from Trend Micro Vision One. NOTE:- Supported units for this parameter are h/m/s. multi: false required: true show_user: true @@ -17,11 +17,19 @@ streams: - name: interval type: text title: Interval - description: Duration between requests to the Trend Micro Vision One API. + description: Duration between requests to the Trend Micro Vision One API. NOTE:- Supported units for this parameter are h/m/s. default: 5m multi: false required: true show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s - name: tags type: text title: Tags 
@@ -30,7 +38,7 @@ streams: show_user: false default: - forwarded - - trend_micro_vision_one_audit + - trend_micro_vision_one-audit - name: preserve_original_event required: true show_user: true @@ -41,7 +49,7 @@ streams: default: false - name: preserve_duplicate_custom_fields required: true - show_user: true + show_user: false title: Preserve duplicate custom fields description: Preserve trend_micro_vision_one.audit fields that were copied to Elastic Common Schema (ECS) fields. type: bool diff --git a/packages/trend_micro_vision_one/data_stream/audit/sample_event.json b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json index a3564f5f239..c198ffb7acb 100644 --- a/packages/trend_micro_vision_one/data_stream/audit/sample_event.json +++ b/packages/trend_micro_vision_one/data_stream/audit/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2022-02-24T07:29:48.000Z", "agent": { - "ephemeral_id": "a1162a2d-fb56-4932-8cd0-2a62747cc0e4", - "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745", + "ephemeral_id": "804f8045-e600-48a3-85fc-958312d96c71", + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.0" @@ -16,7 +16,7 @@ "version": "8.4.0" }, "elastic_agent": { - "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745", + "id": "fcbfb418-43b4-4893-b170-e74a040560f2", "snapshot": false, "version": "8.4.0" }, @@ -25,9 +25,9 @@ "category": [ "authentication" ], - "created": "2022-09-23T06:51:32.916Z", + "created": "2022-09-30T11:51:11.031Z", "dataset": "trend_micro_vision_one.audit", - "ingested": "2022-09-23T06:51:36Z", + "ingested": "2022-09-30T11:51:14Z", "kind": "event", "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}", "outcome": "failure", 
@@ -53,7 +53,7 @@ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", - "trend_micro_vision_one_audit" + "trend_micro_vision_one-audit" ], "trend_micro_vision_one": { "audit": { diff --git a/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs b/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs index 5a44f63b54d..e40bef49beb 100644 --- a/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs +++ b/packages/trend_micro_vision_one/data_stream/detection/agent/stream/httpjson.yml.hbs @@ -8,6 +8,9 @@ request.ssl: {{ssl}} {{/if}} request.method: GET request.url: {{hostname}}/v3.0/search/detections +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} request.transforms: - set: target: header.Authorization diff --git a/packages/trend_micro_vision_one/data_stream/detection/manifest.yml b/packages/trend_micro_vision_one/data_stream/detection/manifest.yml index 754ec9f9368..908ce8903cb 100644 --- a/packages/trend_micro_vision_one/data_stream/detection/manifest.yml +++ b/packages/trend_micro_vision_one/data_stream/detection/manifest.yml @@ -9,7 +9,7 @@ streams: - name: initial_interval type: text title: Initial Interval - description: How far back to pull the detection from Trend Micro Vision One. + description: How far back to pull the detection from Trend Micro Vision One. NOTE:- Supported units for this parameter are h/m/s. multi: false required: true show_user: true 
@@ -17,11 +17,19 @@ streams:
 - name: interval
 type: text
 title: Interval
- description: Duration between requests to the Trend Micro Vision One API.
+ description: Duration between requests to the Trend Micro Vision One API. NOTE:- Supported units for this parameter are h/m/s.
 default: 5m
 multi: false
 required: true
 show_user: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 30s
 - name: tags
 type: text
 title: Tags
@@ -30,7 +38,7 @@ streams:
 show_user: false
 default:
 - forwarded
- - trend_micro_vision_one_detection
+ - trend_micro_vision_one-detection
 - name: preserve_original_event
 required: true
 show_user: true
@@ -41,7 +49,7 @@ streams:
 default: false
 - name: preserve_duplicate_custom_fields
 required: true
- show_user: true
+ show_user: false
 title: Preserve duplicate custom fields
 description: Preserve trend_micro_vision_one.detection fields that were copied to Elastic Common Schema (ECS) fields.
 type: bool
diff --git a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json
index c99ff9047c0..00c77d025cc 100644
--- a/packages/trend_micro_vision_one/data_stream/detection/sample_event.json
+++ b/packages/trend_micro_vision_one/data_stream/detection/sample_event.json
@@ -1,8 +1,8 @@
 {
 "@timestamp": "2020-10-15T01:16:32.000Z",
 "agent": {
- "ephemeral_id": "7b50e6a4-2166-468d-8de6-51093aa7ee5a",
- "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
+ "ephemeral_id": "c1aa9508-1cfd-4e4e-892e-6537d5fd053d",
+ "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.4.0"
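Review bot: The new descriptions in the `@@ -17,11 +17,19 @@` manifest hunk (and the `initial_interval` hunk just before it) state two different unit lists — "Supported units for this parameter are h/m/s" for `interval` and `initial_interval`, "Valid time units are ns, us, ms, s, m, h" for `http_client_timeout` — with an unusual `NOTE:-` punctuation, which reads as if the variables were parsed differently. One consistent sentence per variable would be clearer, e.g. `description: Duration between requests to the Trend Micro Vision One API. Supported units are h, m and s.` The new `http_client_timeout` variable is `required: true` yet `show_user: false`, which only works because `default: 30s` is present; a changelog line naming the new 30s default would help operators who need a longer timeout for a slow tenant and would otherwise never see the field. The audit stream presumably carries the same hunk outside this view.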
@@ -23,7 +23,7 @@
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
+ "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
 "snapshot": false,
 "version": "8.4.0"
 },
@@ -33,10 +33,10 @@
 "category": [
 "intrusion_detection"
 ],
- "created": "2022-09-23T06:52:15.093Z",
+ "created": "2022-09-30T11:51:54.629Z",
 "dataset": "trend_micro_vision_one.detection",
 "id": "100117",
- "ingested": "2022-09-23T06:52:18Z",
+ "ingested": "2022-09-30T11:51:58Z",
 "kind": "event",
 "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}",
 "severity": 50,
@@ -110,7 +110,7 @@
 "preserve_original_event",
 "preserve_duplicate_custom_fields",
 "forwarded",
- "trend_micro_vision_one_detection"
+ "trend_micro_vision_one-detection"
 ],
 "threat": {
 "tactic": {
diff --git a/packages/trend_micro_vision_one/docs/README.md b/packages/trend_micro_vision_one/docs/README.md
index 88f7629fdb7..a0628ed587c 100644
--- a/packages/trend_micro_vision_one/docs/README.md
+++ b/packages/trend_micro_vision_one/docs/README.md
@@ -35,14 +35,6 @@ This module has been tested against `Trend Micro Vision One API version 3.0`.
 ![Trend Micro Vision One generate API token ](../img/trend-micro-vision-one-api-token-generate.png)
 4. Copy the Authentication token.
 
-### Enabling the integration in Elastic
-
-1. In Kibana go to **Management > Integrations**.
-2. In the "Search for integrations" search bar, type **Trend Micro Vision One**.
-3. Click on **Trend Micro Vision One** integration from the search results.
-4. Click on **Add Trend Micro Vision One** button to add Trend Micro Vision One integration.
-5. Enable the Integration to collect logs via API.
-
 ## Logs Reference
 
 ### alert
@@ -57,8 +49,8 @@ An example event for `alert` looks as following:
 {
 "@timestamp": "2030-04-30T00:01:16.000Z",
 "agent": {
- "ephemeral_id": "d6a02246-8518-4f79-9436-e7c03d23350d",
- "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
+ "ephemeral_id": "11b64a19-0682-4a33-b385-4e6142171d69",
+ "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.4.0"
@@ -72,7 +64,7 @@ An example event for `alert` looks as following:
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
+ "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
 "snapshot": false,
 "version": "8.4.0"
 },
@@ -81,10 +73,10 @@ An example event for `alert` looks as following:
 "category": [
 "email"
 ],
- "created": "2022-09-23T06:50:48.184Z",
+ "created": "2022-09-30T11:50:26.826Z",
 "dataset": "trend_micro_vision_one.alert",
 "id": "WB-9002-20200427-0002",
- "ingested": "2022-09-23T06:50:51Z",
+ "ingested": "2022-09-30T11:50:30Z",
 "kind": "alert",
 "original": "{\"alertProvider\":\"SAE\",\"createdDateTime\":\"2020-04-30T00:01:15Z\",\"description\":\"A backdoor was possibly implanted after a user received a possible spear phishing email message.\",\"id\":\"WB-9002-20200427-0002\",\"impactScope\":{\"accountCount\":0,\"desktopCount\":0,\"emailAddressCount\":0,\"entities\":[{\"entityId\":\"5257b401-2fd7-469c-94fa-39a4f11eb925\",\"entityType\":\"host\",\"entityValue\":\"user@email.com\",\"provenance\":[\"Alert\"],\"relatedEntities\":[\"CODERED\\\\\\\\user\"],\"relatedIndicatorIds\":[1]}],\"serverCount\":0},\"indicators\":[{\"field\":\"request url\",\"filterIds\":[\"f862df72-7f5e-4b2b-9f7f-9148e875f908\"],\"id\":1,\"provenance\":[\"Alert\"],\"relatedEntities\":[\"user@example.com\"],\"type\":\"url\",\"value\":\"http://www.example.com/ab001.zip\"}],\"investigationStatus\":\"New\",\"matchedRules\":[{\"id\":\"5f52d1f1-53e7-411a-b74f-745ee81fa30b\",\"matchedFilters\":[{\"id\":\"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e\",\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"matchedEvents\":[{\"matchedDateTime\":\"2019-08-02T04:00:01Z\",\"type\":\"TELEMETRY_REGISTRY\",\"uuid\":\"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5\"}],\"mitreTechniqueIds\":[\"T1192\"],\"name\":\"(T1192) Spearphishing Link\"}],\"name\":\"Possible SpearPhishing Email\"}],\"model\":\"Possible APT Attack\",\"schemaVersion\":\"1.0\",\"score\":63,\"severity\":\"critical\",\"updatedDateTime\":\"2030-04-30T00:01:16Z\",\"workbenchLink\":\"https://THE_WORKBENCH_URL\"}",
 "severity": 63,
@@ -102,7 +94,7 @@ An example event for `alert` looks as following:
 "preserve_original_event",
 "preserve_duplicate_custom_fields",
 "forwarded",
- "trend_micro_vision_one_alert"
+ "trend_micro_vision_one-alert"
 ],
 "trend_micro_vision_one": {
 "alert": {
@@ -314,8 +306,8 @@ An example event for `audit` looks as following:
 {
 "@timestamp": "2022-02-24T07:29:48.000Z",
 "agent": {
- "ephemeral_id": "a1162a2d-fb56-4932-8cd0-2a62747cc0e4",
- "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
+ "ephemeral_id": "804f8045-e600-48a3-85fc-958312d96c71",
+ "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.4.0"
@@ -329,7 +321,7 @@ An example event for `audit` looks as following:
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
+ "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
 "snapshot": false,
 "version": "8.4.0"
 },
@@ -338,9 +330,9 @@ An example event for `audit` looks as following:
 "category": [
 "authentication"
 ],
- "created": "2022-09-23T06:51:32.916Z",
+ "created": "2022-09-30T11:51:11.031Z",
 "dataset": "trend_micro_vision_one.audit",
- "ingested": "2022-09-23T06:51:36Z",
+ "ingested": "2022-09-30T11:51:14Z",
 "kind": "event",
 "original": "{\"accessType\":\"Console\",\"activity\":\"string\",\"category\":\"Logon and Logoff\",\"details\":{\"property1\":\"string\",\"property2\":\"string\"},\"loggedDateTime\":\"2022-02-24T07:29:48Z\",\"loggedRole\":\"Master Administrator\",\"loggedUser\":\"Root Account\",\"result\":\"Unsuccessful\"}",
 "outcome": "failure",
@@ -366,7 +358,7 @@ An example event for `audit` looks as following:
 "preserve_original_event",
 "preserve_duplicate_custom_fields",
 "forwarded",
- "trend_micro_vision_one_audit"
+ "trend_micro_vision_one-audit"
 ],
 "trend_micro_vision_one": {
 "audit": {
@@ -459,8 +451,8 @@ An example event for `detection` looks as following:
 {
 "@timestamp": "2020-10-15T01:16:32.000Z",
 "agent": {
- "ephemeral_id": "7b50e6a4-2166-468d-8de6-51093aa7ee5a",
- "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
+ "ephemeral_id": "c1aa9508-1cfd-4e4e-892e-6537d5fd053d",
+ "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.4.0"
@@ -481,7 +473,7 @@ An example event for `detection` looks as following:
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "9e4de15c-0247-41e8-bcd7-ce910fbf2745",
+ "id": "fcbfb418-43b4-4893-b170-e74a040560f2",
 "snapshot": false,
 "version": "8.4.0"
 },
@@ -491,10 +483,10 @@ An example event for `detection` looks as following:
 "category": [
 "intrusion_detection"
 ],
- "created": "2022-09-23T06:52:15.093Z",
+ "created": "2022-09-30T11:51:54.629Z",
 "dataset": "trend_micro_vision_one.detection",
 "id": "100117",
- "ingested": "2022-09-23T06:52:18Z",
+ "ingested": "2022-09-30T11:51:58Z",
 "kind": "event",
 "original": "{\"act\":\"Clean\",\"actResult\":\"Quarantined successfully\",\"app\":\"HTTP\",\"appGroup\":\"HTTP\",\"aptRelated\":\"0\",\"behaviorCat\":\"Grey-Detection\",\"blocking\":\"Web reputation\",\"cat\":50,\"cccaDetection\":\"Yes\",\"cccaDetectionSource\":\"GLOBAL_INTELLIGENCE\",\"cccaRiskLevel\":3,\"clientFlag\":\"dst\",\"cnt\":\"1\",\"component\":[\"PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00\"],\"compressedFileSize\":\"0\",\"detectionType\":\"File\",\"deviceDirection\":\"outbound\",\"deviceGUID\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"deviceMacAddress\":\"00-00-5E-00-53-23\",\"deviceProcessName\":\"/snap/core/10126/usr/lib/snapd/snapd\",\"dhost\":\"samplehost\",\"domainName\":\"Workgroup\",\"dpt\":53,\"dst\":[\"81.2.69.142\"],\"dstGroup\":\"Default\",\"end\":\"2021-09-30T09:40:04-08:00\",\"endpointGUID\":\"1234-1234-1234\",\"endpointHostName\":\"abc-docker\",\"endpointIp\":[\"81.2.69.142\"],\"endpointMacAddress\":\"00-00-5E-00-53-23\",\"engType\":\"Virus Scan Engine (OS 2003, x64)\",\"engVer\":\"12.500.1004\",\"eventId\":\"100117\",\"eventName\":\"INTEGRITY_MONITORING_EVENT\",\"eventSubName\":\"Attack Discovery\",\"eventTime\":1602724592000,\"eventTimeDT\":\"2021-06-10T01:38:38+00:00\",\"fileHash\":\"3395856ce81f2b7382dee72602f798b642f14140\",\"fileName\":[\"Unconfirmed 145081.crdownload\"],\"fileOperation\":\"Deleted\",\"filePath\":\"/etc/systemd/system\",\"filePathName\":\"/etc/systemd/system/snap-xxxx-1246.xxxx\",\"fileSize\":\"0\",\"firstAct\":\"Clean\",\"firstActResult\":\"Unable to clean file\",\"fullPath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 
145081.crdownload\",\"hostName\":\"samplehost\",\"httpReferer\":\"http://www.example.com/\",\"interestedHost\":\"abc-docker\",\"interestedIp\":[\"81.2.69.192\"],\"interestedMacAddress\":\"00-00-5E-00-53-23\",\"mDevice\":[\"81.2.69.192\"],\"mDeviceGUID\":\"C5B09EDD-C725-907F-29D9-B8C30D18C48F\",\"malName\":\"Eicar_test_1\",\"malType\":\"Virus/Malware\",\"mitreMapping\":[\"T1090 (TA0005)\"],\"mitreVersion\":\"v6\",\"mpname\":\"Cloud One - Workload Security\",\"mpver\":\"Deep Security/20.0.222\",\"objectCmd\":[\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe --profile-directory=Default\"],\"objectFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"objectFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"objectFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"objectFileName\":\"Unconfirmed 142899.crdownload:SmartScreen\",\"objectFilePath\":\"C:\\\\\\\\Users\\\\\\\\user1\\\\\\\\Downloads\\\\\\\\Unconfirmed 142899.crdownload:SmartScreen\",\"objectName\":\"CloudEndpointService.exe\",\"objectPid\":7660,\"objectSigner\":[\"OS\"],\"parentCmd\":\"C:\\\\\\\\os\\\\\\\\system32\\\\\\\\svchost.exe -k DcomLaunch -p\",\"parentFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"parentFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"parentFilePath\":\"C:\\\\\\\\os\\\\\\\\System32\\\\\\\\svchost.exe\",\"peerHost\":\"samplehost\",\"peerIp\":[\"81.2.69.192\"],\"pname\":\"Apex One\",\"processCmd\":\"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca\",\"processFileHashMd5\":\"761AEFF7E6B110970285B9C20C9E1DCA\",\"processFileHashSha1\":\"00496B4D53CEFE031B9702B3385C9F4430999932\",\"processFileHashSha256\":\"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7\",\"processFilePath\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\os\\\\\\\\Application\\\\\\\\msedge.exe\",\"processName\":\"string\",\"processPid\":0,\"processSigner\":\"OS 
Publisher\",\"productCode\":\"sao\",\"pver\":\"20.0.0.877\",\"request\":\"https://example.com\",\"requestClientApplication\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1\",\"rt\":\"2020-10-15T01:16:32.000Z\",\"rt_utc\":\"2020-10-15T01:16:32.000Z\",\"searchDL\":\"DDL\",\"spt\":58871,\"src\":\"81.2.69.192\",\"srcGroup\":\"Default\",\"tacticId\":[\"TA0005\"],\"tags\":[\"XSAE.F2140\",\"XSAE.F3066\"],\"threatName\":\"Malicious_identified_CnC_querying_on_UDP_detected\",\"uuid\":\"1234-1234-1234\"}",
 "severity": 50,
@@ -568,7 +560,7 @@ An example event for `detection` looks as following:
 "preserve_original_event",
 "preserve_duplicate_custom_fields",
 "forwarded",
- "trend_micro_vision_one_detection"
+ "trend_micro_vision_one-detection"
 ],
 "threat": {
 "tactic": {