Collect Trend Micro Vision One logs

Supported in:

This document explains how to collect Trend Micro Vision One logs by setting up a Google Security Operations feed. The parser pushes alerts, event data, container vulnerabilities, activity data, and audit logs to AWS S3 buckets managed by Trend Micro. Google SecOps retrieves this data using data feeds approximately every 15 minutes. Unretrieved data in the S3 buckets is retained for 7 days before being purged.

You can create multiple feeds in Google SecOps and configure the data obtained using the feeds individually.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to Trend Micro Vision One.

Configure Trend Vision One Data Export to Google SecOps

  1. In the Trend Vision One console, generate the access key and specify the data to send to Google SecOps.
  2. Go to Workflow and Automation > Third-Party Integration.
  3. In the Integration column, click Google Security Operations.
  4. Under Access key, click Generate key to generate the access key ID and secret access key. Save the access key ID and secret access key for later use.
  5. Under Data transfer, turn on the toggle next to the data you want to send to S3 buckets. Whenever a data transfer is enabled, an S3 URI is generated and the data begins to be sent to the corresponding S3 bucket. Copy and store the S3 URI for later use.
  6. For Events and Activity data, click Edit to modify the scope of the data.
  7. To stop sending a type of data to Google SecOps, turn off the toggle next to the data. Re-enabling the data transfer generates a new S3 URI. You need to configure a new feed in Google SecOps.

Configure a feed in Google SecOps to ingest the Trend Micro Vision One logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed; for example, Trend Micro Vision One Workbench Logs.
  4. Select Amazon S3 as the Source type.
  5. Select the Trend Vision One data you want Google SecOps to ingest as the Log type. Available options include:
    • Trend Micro Vision One
    • Trend Micro Vision One Activity
    • Trend Micro Vision One Audit
    • Trend Micro Vision One Container Vulnerabilities
    • Trend Micro Vision One Detections
    • Trend Micro Vision One Observed Attack Techniques
    • Trend Micro Vision One Workbench
  6. Click Next.
  7. Specify values for the following input parameters:
    • Region: select Auto detect
    • S3 URI: enter the S3 URI obtained in the previous section.
    • URI is a: select Directory which includes subdirectories.
    • Source deletion options: select Never delete files.
    • Access Key ID: enter the User access key obtained in the previous section.
    • Secret Access Key: enter the User secret key with access to the S3 bucket obtained in the previous section.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label to be applied to the events from this feed.
  8. Click Next.
  9. Review your new feed configuration in the Finalize screen, and then click Submit.

Repeat this process to add multiple feeds for all the Trend Vision One data types you want to ingest into Google SecOps.

Need more help? Get answers from Community members and Google SecOps professionals.