Collect Trend Micro Vision One Observed Attack Techniques logs

Supported in:

This document explains how to ingest Trend Micro Vision One Observed Attack Techniques logs to Google Security Operations using AWS S3. The parser transforms the logs from JSON format into a Unified Data Model (UDM).

Before you begin

Make sure you have the following prerequisites:

  • Google SecOps instance
  • Privileged access to Trend Micro Vision One

Configure Logging on Trend Micro Vision One

  1. Sign in to the Trend Micro Vision One console.
  2. Go to Workflow and Automation > Third-Party Integration.
  3. Click Google Security Operations SIEM.
  4. Under Access key, click Generate key.
  5. Copy and save the access key ID and secret access key.
  6. Under Data transfer, enable the toggle next to Observed Attack Techniques.
  7. An S3 URI is generated and the data begins to be sent to the corresponding S3 bucket.
  8. Copy and save the S3 URL for use at a later time.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds
  • Content Hub > Content Packs

Set up feeds from SIEM Settings > Feeds

To configure a feed, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Trend Micro Vision One Observed Attack Techniques Logs).
  5. Select Amazon S3 as the Source type.
  6. Select Trend Micro Vision One Observed Attack Techniques as the Log type.
  7. Click Next.

  8. Specify values for the following input parameters:

    • Region: The region where the Amazon S3 bucket is located.
    • S3 URI: The bucket URI (the format should be: s3://log-bucket-name/). Replace the following:
      • log-bucket-name: the name of the bucket.
    • URI is a: Select Directory or Directory which includes subdirectories.
    • Source deletion options: Select Never delete files. Data in the S3 bucket is retained for 7 days before being purged.
    • Access Key ID: User access key with access to the S3 bucket.
    • Secret Access Key: User secret key with access to the S3 bucket.

  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

Set up feeds from the Content Hub

Specify values for the following fields:

  • Region: The region where the Amazon S3 bucket is located.
  • S3 URI: The bucket URI (the format should be: s3://log-bucket-name/). Replace the following:
    • log-bucket-name: the name of the bucket.
  • URI is a: Select Directory or Directory which includes subdirectories.
  • Source deletion options: Select Never delete files. Data in the S3 bucket is retained for 7 days before being purged.
  • Access Key ID: User access key with access to the S3 bucket.
  • Secret Access Key: User secret key with access to the S3 bucket.

Advanced options

  • Feed Name: A prepopulated value that identifies the feed.
  • Source Type: Method used to collect logs into Google SecOps.
  • Asset Namespace: Namespace associated with the feed.
  • Ingestion Labels: Labels applied to all events from this feed.

Need more help? Get answers from Community members and Google SecOps professionals.