
Add Trend Micro Endpoint Activity Dictionary #48

Open

rrevuelta opened this issue Oct 11, 2022 · 4 comments
Assignees
Labels
community documentation Improvements or additions to documentation

Comments

@rrevuelta
Hi all!

I would like to contribute to this awesome project working on the addition of a new data dictionary related to the Endpoint Activity Data provided by Trend Micro EDR.

Reference: https://docs.trendmicro.com/en-us/enterprise/trend-micro-vision-one/common-apps/search-app/data-mapping-intro/data-mapping-endpoin/eventid-and-eventsub.aspx

Thanks in advance.

@Cyb3rPandaH Cyb3rPandaH self-assigned this Oct 11, 2022
@Cyb3rPandaH Cyb3rPandaH added documentation Improvements or additions to documentation community labels Oct 11, 2022
@Cyb3rPandaH (Contributor)

Hey @rrevuelta , I hope you are doing well!!

Thank you very much for your interest in contributing to the project 💜

I checked the link you shared above and I have a couple of questions so I can guide you when creating the dictionaries:

  1. Are all the eventId and eventSubId using the same schema under Data Mapping: Endpoint Activity Data?
  2. There is a data field that describes the OS version. Some sample values are Windows 10 (64 bit), Windows 10 Pro (64 bit) build 19044, Amazon Linux 2 (64 bit) (5.4.188-104.359.amzn2.x86_64). Which platform are you considering for your contribution?

@rrevuelta (Author)

Hi @Cyb3rPandaH, it's a pleasure!

I will try to answer your questions:

  1. Data Mapping: Endpoint Activity Data describes all the attributes that can be found in the different Endpoint Activity events. However, not all events contain all the described attributes. For example, "5 - TELEMETRY_REGISTRY" events contain registry-related attributes like "objectRegistryData" which are not present in "1 - TELEMETRY_PROCESS" events.

  2. As you say, the osDescription field defines the OS version of the endpoint that generates the event. My first approach is to document the events generated in Windows systems (workstations and servers).

@Cyb3rPandaH (Contributor)

That's awesome @rrevuelta !! Let's start with Windows then 🍻 Are you part of our Discord channel, so we can keep the conversation there? 😃

Here is the invite just in case: https://discord.com/invite/AxnWauZxXN

Okay, so, what we can do is create a dictionary that describes the entire Endpoint Activity Data schema, since that would be the log_source, and also create dictionaries per type of element: registry, process, etc.

Are you familiar with our yaml schema?
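The layout proposed in the comment above (one dictionary for the whole Endpoint Activity Data log source plus one dictionary per event type) and the observation earlier in the thread that registry events carry attributes such as objectRegistryData that process events lack can be exercised as code. The following is an added example written for this page; it is not OSSEM project code and not Trend Micro documentation. Only eventId, eventSubId, osDescription, objectRegistryData, the eventId values 1 (TELEMETRY_PROCESS) and 5 (TELEMETRY_REGISTRY), and the osDescription sample strings come from the thread; every other field name (eventTime, endpointHostName, processName, processCmd, objectCmd, objectRegistryKeyHandle, objectRegistryValue) is an assumed placeholder, and the sample events are constructed, not captured from a tenant.

```python
# Added example (not OSSEM project code or Trend Micro documentation): model the
# "log-source dictionary plus one dictionary per event type" layout as Python
# data and validate sample events against it.  Field names other than eventId,
# eventSubId, osDescription and objectRegistryData are ASSUMED placeholders.
from dataclasses import dataclass

# Log-source dictionary: attributes every Endpoint Activity event carries.
BASE_FIELDS = frozenset({
    "eventId", "eventSubId", "osDescription",   # named in the thread
    "eventTime", "endpointHostName",            # assumed names
})

# Per-event-type dictionaries: attributes that only this eventId adds.
# eventId 1 = TELEMETRY_PROCESS and 5 = TELEMETRY_REGISTRY come from the thread.
EVENT_DICTIONARIES = {
    1: ("TELEMETRY_PROCESS",
        frozenset({"processName", "processCmd", "objectCmd"})),          # assumed names
    5: ("TELEMETRY_REGISTRY",
        frozenset({"objectRegistryKeyHandle", "objectRegistryValue",      # assumed names
                   "objectRegistryData"})),                               # from the thread
}


@dataclass(frozen=True)
class ValidationResult:
    event_type: str
    missing: frozenset      # documented for this eventId but absent from the event
    unexpected: frozenset   # present in the event but not documented for this eventId

    def ok(self) -> bool:
        return not self.missing and not self.unexpected


def is_windows(event: dict) -> bool:
    """Scope filter matching the thread's plan: Windows workstations and servers only."""
    return str(event.get("osDescription", "")).startswith("Windows")


def validate_event(event: dict) -> ValidationResult:
    """Check one event against the log-source dictionary plus its eventId dictionary."""
    try:
        event_id = int(event["eventId"])
    except (KeyError, TypeError, ValueError):
        return ValidationResult("UNKNOWN", frozenset({"eventId"}), frozenset())
    present = frozenset(event)
    if event_id not in EVENT_DICTIONARIES:
        # No per-type dictionary written yet: only the shared fields can be judged.
        return ValidationResult(f"UNDOCUMENTED_EVENT_{event_id}",
                                BASE_FIELDS - present, frozenset())
    name, extra = EVENT_DICTIONARIES[event_id]
    expected = BASE_FIELDS | extra
    return ValidationResult(name, expected - present, present - expected)


def validate_windows_events(events):
    """Validate only in-scope (Windows) events; returns (index, result) pairs."""
    return [(i, validate_event(e)) for i, e in enumerate(events) if is_windows(e)]


# Constructed sample events (not captured from a real Vision One tenant).
SAMPLE_EVENTS = [
    {"eventId": 1, "eventSubId": 2, "eventTime": 1665500000000, "endpointHostName": "WS01",
     "osDescription": "Windows 10 Pro (64 bit) build 19044",
     "processName": "C:\\Windows\\System32\\cmd.exe", "processCmd": "cmd.exe /c whoami",
     "objectCmd": "whoami"},
    {"eventId": 5, "eventSubId": 1, "eventTime": 1665500001000, "endpointHostName": "WS01",
     "osDescription": "Windows 10 (64 bit)",
     "objectRegistryKeyHandle": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "objectRegistryValue": "Updater", "objectRegistryData": "C:\\Users\\Public\\u.exe"},
    # A process event carrying a registry-only attribute: flagged as unexpected.
    {"eventId": 1, "eventSubId": 2, "eventTime": 1665500002000, "endpointHostName": "WS02",
     "osDescription": "Windows 10 Pro (64 bit) build 19044",
     "processName": "C:\\Windows\\explorer.exe", "processCmd": "explorer.exe",
     "objectCmd": "notepad.exe", "objectRegistryData": "should-not-be-here"},
    # Linux endpoint: out of scope for the Windows-first dictionaries.
    {"eventId": 1, "eventSubId": 2, "eventTime": 1665500003000, "endpointHostName": "ip-10-0-0-5",
     "osDescription": "Amazon Linux 2 (64 bit) (5.4.188-104.359.amzn2.x86_64)",
     "processName": "/usr/bin/bash", "processCmd": "bash -c id", "objectCmd": "id"},
]

if __name__ == "__main__":
    for idx, result in validate_windows_events(SAMPLE_EVENTS):
        status = "ok" if result.ok() else (
            f"missing={sorted(result.missing)} unexpected={sorted(result.unexpected)}")
        print(f"event[{idx}] {result.event_type}: {status}")
```

Keeping the shared attributes in one set and the per-type attributes in separate sets mirrors the proposed split: a field that shows up under the wrong eventId (the third sample) or is absent from an eventId that should carry it is reported against the specific dictionary that owns it, which is the information a dictionary author needs when reconciling the vendor's data-mapping page with what the EDR actually emits.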

@rrevuelta (Author)

I just joined the server!

We can continue there.
