[Trend Micro Vision One] Initial Release for the Trend Micro Vision One Package

.github/CODEOWNERS

@@ -168,6 +168,7 @@
 /packages/ti_threatq @elastic/security-external-integrations
 /packages/tomcat @elastic/security-external-integrations
 /packages/traefik @elastic/obs-service-integrations
+/packages/trend_micro_vision_one @elastic/security-external-integrations
 /packages/udp @elastic/security-external-integrations
 /packages/vsphere @elastic/obs-service-integrations
 /packages/websphere_application_server @elastic/obs-service-integrations

packages/trend_micro_vision_one/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@v8.4.0

packages/trend_micro_vision_one/_dev/build/docs/README.md

@@ -0,0 +1,68 @@
+# Trend Micro Vision One
+
+## Overview
+
+The [Trend Micro Vision One](https://www.trendmicro.com/en_in/business/products/detection-response.html) integration allows you to monitor Alert, Audit, and Detection activity. Trend Micro Vision One refers to the ability to do detection and response across email, endpoints, servers, cloud workloads, and networks via a single Trend Micro Vision One platform or the managed Trend Micro Vision One service.
+
+Use the Trend Micro Vision One integration to collects and parses data from the REST APIs. Then visualize that data in Kibana.
+
+## Data streams
+
+The Trend Micro Vision One integration collects logs for three types of events: Alert, Audit, and Detection.
+
+**Alert** Displays information about workbench alerts. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Workbench/paths/~1v3.0~1workbench~1alerts/get).
+
+**Audit** Displays log entries that match the specified search criteria. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Audit-Logs).
+
+**Detection** Displays search results from the Detection Data source. See more details in the doc [here](https://automation.trendmicro.com/xdr/api-v3#tag/Search/paths/~1v3.0~1search~1detections/get).
+
+## Requirements
+
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your hardware.
+
+This module has been tested against `Trend Micro Vision One API version 3.0`.
+
+**Note:** The authentication token generated by a user expires one year after being generated.
+
+## Setup
+
+### To collect data from Trend Micro Vision One APIs, the user must have API Token. To create an API token follow the below steps:
+
+1. Log on to the Trend Micro Vision One console.
+2. Go to **Administration -> User Accounts**.
+![Trend Micro Vision One console](../img/trend-micro-vision-one-console.png)
+3. Click on the account name having appropriate API access permission to generate an API token.
+![Trend Micro Vision One generate API token ](../img/trend-micro-vision-one-api-token-generate.png)
+4. Copy the Authentication token.
+
+## Logs Reference
+
+### alert
+
+This is the `alert` dataset.
+
+#### Example
+
+{{event "alert"}}
+
+{{fields "alert"}}
+
+### audit
+
+This is the `audit` dataset.
+
+#### Example
+
+{{event "audit"}}
+
+{{fields "audit"}}
+
+### detection
+
+This is the `detection` dataset.
+
+#### Example
+
+{{event "detection"}}
+
+{{fields "detection"}}

packages/trend_micro_vision_one/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '2.3'
+services:
+  trend_micro_vision_one:
+    image: docker.elastic.co/observability/stream:v0.8.0
+    hostname: trend_micro_vision_one
+    ports:
+      - 8080
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: '8080'
+    command:
+      - http-server
+      - --addr=:8080
+      - --config=/files/config.yml

packages/trend_micro_vision_one/_dev/deploy/docker/files/config.yml

@@ -0,0 +1,19 @@
+rules:
+  - path: /v3.0/workbench/alerts
+    methods: ['GET']
+    responses:
+      - status_code: 200
+        body: |
+          {"totalCount":100,"count":10,"items":[{"schemaVersion":"1.0","id":"WB-9002-20200427-0002","investigationStatus":"New","workbenchLink":"https://THE_WORKBENCH_URL","alertProvider":"SAE","model":"Possible APT Attack","score":63,"severity":"critical","impactScope":{"desktopCount":0,"serverCount":0,"accountCount":0,"emailAddressCount":0,"entities":[{"entityType":"host","entityValue":"user@email.com","entityId":"5257b401-2fd7-469c-94fa-39a4f11eb925","relatedEntities":["CODERED\\\\user"],"relatedIndicatorIds":[1],"provenance":["Alert"]}]},"createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2030-04-30T00:01:16Z","description":"A backdoor was possibly implanted after a user received a possible spear phishing email message.","indicators":[{"id":1,"type":"url","field":"request url","value":"http://www.example.com/ab001.zip","relatedEntities":["user@example.com"],"provenance":["Alert"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]}],"matchedRules":[{"id":"5f52d1f1-53e7-411a-b74f-745ee81fa30b","name":"Possible SpearPhishing Email","matchedFilters":[{"id":"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e","name":"(T1192) Spearphishing Link","matchedDateTime":"2019-08-02T04:00:01Z","mitreTechniqueIds":["T1192"],"matchedEvents":[{"uuid":"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5","matchedDateTime":"2019-08-02T04:00:01Z","type":"TELEMETRY_REGISTRY"}]}]}]}],"nextLink":"https://api.xdr.trendmicro.com/v3.0/workbench/alerts?skipToken=MTA=&orderBy=score%20desc"}
+  - path: /v3.0/audit/logs
+    methods: ['GET']
+    responses:
+      - status_code: 200
+        body: |
+          {"items":[{"loggedDateTime":"2022-02-24T07:29:48Z","loggedUser":"Root Account","loggedRole":"Master Administrator","accessType":"Console","category":"Logon and Logoff","activity":"string","result":"Unsuccessful","details":{"property1":"string","property2":"string"}}],"nextLink":"https://api.xdr.trendmicro.com/v3.0/audit/logs?skipToken=<skipToken>","labels":{"property1":"string","property2":"string"}}
+  - path: /v3.0/search/detections
+    methods: ['GET']
+    responses:
+      - status_code: 200
+        body: |
+          {"nextLink":"https://api.xdr.trendmicro.com/v3.0/endpointActivities?...&skipToken=ewogICJvdXRlcl9zbGl...","progressRate":30,"items":[{"act":"Clean","actResult":"Quarantined successfully","app":"HTTP","appGroup":"HTTP","aptRelated":"0","behaviorCat":"Grey-Detection","blocking":"Web reputation","cat":50,"cccaDetection":"Yes","cccaDetectionSource":"GLOBAL_INTELLIGENCE","cccaRiskLevel":3,"clientFlag":"dst","cnt":"1","component":["PATTERN_VSAPI 17.101.92 2021-09-30 04:23:27-07:00"],"compressedFileSize":"0","detectionType":"File","deviceDirection":"outbound","deviceGUID":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","deviceProcessName":"/snap/core/10126/usr/lib/snapd/snapd","deviceMacAddress":"00-00-5E-00-53-23","dhost":"samplehost","domainName":"Workgroup","dpt":53,"dst":["81.2.69.142"],"dstGroup":"Default","end":"2021-09-30T09:40:04-08:00","endpointGUID":"1234-1234-1234","endpointHostName":"abc-docker","endpointIp":["81.2.69.142"],"endpointMacAddress":"00-00-5E-00-53-23","engType":"Virus Scan Engine (OS 2003, x64)","engVer":"12.500.1004","eventId":"100117","eventName":"INTEGRITY_MONITORING_EVENT","eventSubName":"Attack Discovery","eventTime":1602724592000,"eventTimeDT":"2021-06-10T01:38:38+00:00","fileHash":"3395856ce81f2b7382dee72602f798b642f14140","fileName":["Unconfirmed 145081.crdownload"],"fileOperation":"Deleted","filePath":"/etc/systemd/system","filePathName":"/etc/systemd/system/snap-xxxx-1246.xxxx","fileSize":"0","firstAct":"Clean","firstActResult":"Unable to clean file","fullPath":"C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 145081.crdownload","hostName":"samplehost","httpReferer":"http://www.example.com/","interestedHost":"abc-docker","interestedIp":["81.2.69.192"],"interestedMacAddress":"00-00-5E-00-53-23","malName":"Eicar_test_1","malType":"Virus/Malware","mDevice":["81.2.69.192"],"mDeviceGUID":"C5B09EDD-C725-907F-29D9-B8C30D18C48F","mitreMapping":["T1090 (TA0005)"],"mitreVersion":"v6","mpname":"Cloud One - Workload Security","mpver":"Deep Security/20.0.222","objectCmd":["C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe --profile-directory=Default"],"objectFileHashMd5":"761AEFF7E6B110970285B9C20C9E1DCA","objectFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","objectFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","objectFileName":"Unconfirmed 142899.crdownload:SmartScreen","objectFilePath":"C:\\\\Users\\\\user1\\\\Downloads\\\\Unconfirmed 142899.crdownload:SmartScreen","objectName":"CloudEndpointService.exe","objectPid":7660,"objectSigner":["OS"],"parentCmd":"C:\\\\os\\\\system32\\\\svchost.exe -k DcomLaunch -p","parentFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","parentFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","parentFilePath":"C:\\\\os\\\\System32\\\\svchost.exe","peerHost":"samplehost","peerIp":["81.2.69.192"],"pname":"Apex One","processCmd":"-ServerName:App.AppX9yct9q388jvt4h7y0gn06smzkxcsnt8m.mca","processFileHashMd5":"761AEFF7E6B110970285B9C20C9E1DCA","processFileHashSha1":"00496B4D53CEFE031B9702B3385C9F4430999932","processFileHashSha256":"7778ED68F4646BAA38C4F36B16A1AE393ACECD694948102B5CF0773AB08237D7","processFilePath":"C:\\\\Program Files (x86)\\\\os\\\\Application\\\\msedge.exe","processName":"string","processPid":0,"processSigner":"OS Publisher","productCode":"sao","pver":"20.0.0.877","request":"https://example.com","requestClientApplication":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1","rt":"2020-10-15T01:16:32.000Z","rt_utc":"2020-10-15T01:16:32.000Z","searchDL":"DDL","spt":58871,"src":"81.2.69.192","srcGroup":"Default","tacticId":["TA0005"],"tags":["XSAE.F2140","XSAE.F3066"],"threatName":"Malicious_identified_CnC_querying_on_UDP_detected","uuid":"1234-1234-1234"}]}

packages/trend_micro_vision_one/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: '0.1.0'
+  changes:
+    - description: Initial Release.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3963

packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,4 @@
+fields:
+  tags:
+    - preserve_original_event
+    - preserve_duplicate_custom_fields

packages/trend_micro_vision_one/data_stream/alert/_dev/test/pipeline/test-pipeline-alert.log

@@ -0,0 +1,4 @@
+{"schemaVersion":"1.0","id":"WB-9002-20200427-0002","investigationStatus":"In Progress","workbenchLink":"https://THE_WORKBENCH_URL","alertProvider":"SAE","model":"Possible APT Attack","description":"Suspicious email followed by a possible backdoor implantation","score":63,"severity":"critical","createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2030-04-30T00:01:16Z","impactScope":{"desktopCount":10,"serverCount":0,"accountCount":1,"emailAddressCount":0,"entities":[{"entityType":"emailAddress","entityValue":"loki@jaguartm.onmicrosoft.com","entityId":"loki@jaguartm.onmicrosoft.com","relatedEntities":["CODERED\\\\loki"],"relatedIndicatorIds":[1]}]},"indicators":[{"id":1,"type":"url","field":"url","value":"http://www.DVftYKDtEi.com/ds7002.zip","relatedEntities":["loki@jaguartm.onmicrosoft.com"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]},{"id":2,"type":"url","field":"url","value":"http://www.DVftYKDtEi.com/ds7555.zip","relatedEntities":["loki@jaguartm.onmicrosoft.com"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]}],"matchedRules":[{"id":"5f52d1f1-53e7-411a-b74f-745ee81fa30b","name":"Possible SpearPhishing Email","matchedFilters":[{"id":"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e","name":"(T1192) Spearphishing Link","matchedDateTime":"2019-08-02T04:00:01Z","mitreTechniqueIds":["T1192"],"matchedEvents":[{"uuid":"123abc-123abc-123abc","matchedDateTime":"2019-08-02T04:00:01Z"}]}]}]}
+{"schemaVersion":"1.1","id":"WB-9002-20200427-0002","investigationStatus":"In Progress","workbenchLink":"https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002","alertProvider":"TI","model":"Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole","campaign":"Soula","industry":null,"regionAndCountry":"eastern-asia/Korea (the Republic of)","createdBy":"Trend Micro Research","totalIndicatorCount":6,"matchedIndicatorCount":2,"reportLink":"https://THE_WORKBENCH_URL","score":63,"severity":"critical","createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2030-04-30T00:01:16Z","impactScope":{"desktopCount":10,"serverCount":0,"accountCount":1,"emailAddressCount":0,"entities":[{"entityType":"host","entityValue":{"name":"CODERED\\\\bonus-PC","ips":["89.160.20.128","89.160.20.112"],"guid":"5257b401-2fd7-469c-94fa-39a4f11eb925"},"entityId":"5257b401-2fd7-469c-94fa-39a4f11eb925","relatedEntities":["4257b401-2fd7-469c-94fa-39a4f11eb925"],"relatedIndicatorIds":[1]}]},"indicators":[{"id":1,"type":"url","fields":[["objectField-ip","objectField-ip"]],"value":"http://www.DVftYKDtEi.com/ds7002.zip","relatedEntities":["5257b401-2fd7-469c-94fa-39a4f11eb925","5257b401-2fd7-469c-94fa-39a4f11eb925"],"matchedIndicatorPatternIds":["74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d"],"firstSeenDateTimes":["2020-04-30T00:01:15Z","2020-04-30T00:01:15Z"],"lastSeenDateTimes":["2019-06-14T18:25:55Z","2019-06-14T18:25:55Z"]}],"matchedIndicatorPatterns":[{"id":"74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d","pattern":"[network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'oauth20.xyz']","tags":["STIX2.malicious-activity"],"matchedLogs":["Lengthy log string"]}]}
+{"schemaVersion":"1.11","id":"WB-123-123-00001","investigationStatus":"New","workbenchLink":"https://portal-int.visionone.trendmicro.com/index.html#/workbench?workbenchId=WB-9002-20200427-0002","alertProvider":"SAE","model":"Credential Dumping via Mimikatz","score":64,"severity":"high","createdDateTime":"2022-07-08T07:16:08Z","updatedDateTime":"2022-07-15T12:46:13Z","impactScope":{"desktopCount":1,"serverCount":0,"accountCount":1,"emailAddressCount":0,"entities":[{"entityType":"account","entityValue":"desktop-example\\dummy","entityId":"desktop-example\\dummy","relatedEntities":["ABC-123-ABC-123-ABC-123"],"relatedIndicatorIds":[]},{"entityType":"host","entityValue":{"guid":"ABC-123-123-ABC","name":"desktop-EXAMPLE","ips":["81.2.69.192"]},"entityId":"ABC-123-123-ABC","relatedEntities":["desktop-example\\dummy"],"relatedIndicatorIds":[1,2,3,4,5,6,7,8,9,10,11,12]}]},"description":"A user obtained account logon information that can be used to access remote systems via Mimikatz.","matchedRules":[{"id":"123123-456456-789789","name":"Potential Credential Dumping via Mimikatz","matchedFilters":[{"id":"123-456-789","name":"Possible Credential Dumping via Mimikatz","matchedDateTime":"2022-07-08T07:06:35.113Z","mitreTechniqueIds":["V9.T1123.001","V9.T1124.002","V9.T1125"],"matchedEvents":[{"uuid":"123-456-789","matchedDateTime":"2022-07-08T07:06:35.113Z"},{"uuid":"abcd-abcd-abcd","matchedDateTime":"2022-07-08T07:14:06.159Z"}]},{"id":"abcd-abcd-1234-1234","name":"Possible Credential Dumping via Mimikatz","matchedDateTime":"2022-07-08T07:14:06.159Z","mitreTechniqueIds":["V9.T1123.001","V9.T1124.002","V9.T1125"],"matchedEvents":[{"uuid":"1234-1234-1234","matchedDateTime":"2022-07-08T07:06:35.113Z"},{"uuid":"abcd-abcd-abcd","matchedDateTime":"2022-07-08T07:14:06.159Z"}]}]}],"indicators":[{"id":1,"type":"command_line","field":"objectCmd","value":"\"example\" ","relatedEntities":["ABC-ABC-123-123"],"filterIds":["ABC-ABC-123-123"]},{"id":2,"type":"command_line","field":"processCmd","value":"example","relatedEntities":["ABC-ABC-ABC"],"filterIds":["abc-abc-abc-123-123"]},{"id":3,"type":"command_line","field":"objectCmd","value":"\"example","relatedEntities":["ABC-ABC-ABC"],"filterIds":["abcd-abcd-abcd"]},{"id":4,"type":"command_line","field":"processCmd","value":"example","relatedEntities":["ABCD-ABCD-ABCD"],"filterIds":["abcd-123-abcd-123"]},{"id":5,"type":"file_sha1","field":"objectFileHashSha1","value":"H1E2L3L4O5","relatedEntities":["ABCDE1ABCDE2"],"filterIds":["abcd-1234-abcd-1234"]},{"id":6,"type":"file_sha1","field":"objectFileHashSha1","value":"H1E2L3L4O5","relatedEntities":["ABCDE-12345-ABCDE-12345"],"filterIds":["abcd-1234-abcd-1234"]},{"id":7,"type":"fullpath","field":"objectFilePath","value":"example","relatedEntities":["ABCDE-12345-ABCDE-12345"],"filterIds":["abcde-12345-abcde-12345"]},{"id":8,"type":"fullpath","field":"processFilePath","value":"example","relatedEntities":["ABCDE-12345-ABCDE-12345"],"filterIds":["abcde-1234-abcde-1234"]},{"id":9,"type":"fullpath","field":"objectFilePath","value":"example","relatedEntities":["ABCDE-12345-ABCDE-12345"],"filterIds":["abcd-1234-abcd-1234"]},{"id":10,"type":"fullpath","field":"processFilePath","value":"example","relatedEntities":["ABCDE-1234-ABCDE-1234"],"filterIds":["abcde-1234-abcd-1234"]}]}
+{"schemaVersion":"1.0","id":"WB-9002-20200427-0002","investigationStatus":"New","workbenchLink":"https://THE_WORKBENCH_URL","alertProvider":"SAE","model":"Possible APT Attack","score":63,"severity":"critical","impactScope":{"desktopCount":0,"serverCount":0,"accountCount":0,"emailAddressCount":0,"entities":[{"entityType":"host","entityValue":"loki@jaguartm.onmicrosoft.com","entityId":"5257b401-2fd7-469c-94fa-39a4f11eb925","relatedEntities":["CODERED\\\\loki"],"relatedIndicatorIds":[1],"provenance":["Alert"]}]},"createdDateTime":"2020-04-30T00:01:15Z","updatedDateTime":"2030-04-30T00:01:16Z","description":"A backdoor was possibly implanted after a user received a possible spear phishing email message.","indicators":[{"id":1,"type":"url","field":"request url","value":"http://www.DVftYKDtEi.com/ds7002.zip","relatedEntities":["loki@jaguartm.onmicrosoft.com"],"provenance":["Alert"],"filterIds":["f862df72-7f5e-4b2b-9f7f-9148e875f908"]}],"matchedRules":[{"id":"5f52d1f1-53e7-411a-b74f-745ee81fa30b","name":"Possible SpearPhishing Email","matchedFilters":[{"id":"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e","name":"(T1192) Spearphishing Link","matchedDateTime":"2019-08-02T04:00:01Z","mitreTechniqueIds":["T1192"],"matchedEvents":[{"uuid":"fa9ff47c-e1b8-459e-a3d0-a5b104b854a5","matchedDateTime":"2019-08-02T04:00:01Z","type":"TELEMETRY_REGISTRY"}]}]}]}