elastic · kgeller · Dec 11, 2023 · Dec 8, 2023 · Dec 8, 2023 · Dec 11, 2023
@@ -1,5 +1,10 @@
 # newer versions go on top
-- version: "1.8.2"
+- version: 1.8.3
+  changes:
+    - description: Update ECS categorization field mappings.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/8681
+- version: 1.8.2
   changes:
     - description: Fix exclude_files pattern.
       type: bugfix

@@ -7,16 +7,13 @@
             },
             "event": {
                 "category": [
-                    "network"
+                    "malware",
+                    "threat"
                 ],
                 "code": "482",
                 "original": "<190>2021-10-06T01:29:43-07:00 192.168.1.20 CEF:0|Trend Micro|Deep Security Manager|12.0.327|482|Integrity Monitoring Rule Updated|3|src=192.168.1.20 suser=System target=1011144 - Microsoft Windows - AutoRun registries modified (ATT&CK T1547.001) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0",
                 "severity": 3,
                 "type": [
-                    "connection",
-                    "access",
-                    "allowed",
-                    "denied",
                     "info"
                 ]
             },
@@ -58,16 +55,13 @@
             },
             "event": {
                 "category": [
-                    "network"
+                    "malware",
+                    "threat"
                 ],
                 "code": "190",
                 "original": "<190>2021-10-06T01:34:40-07:00 192.168.1.20 CEF:0|Trend Micro|Deep Security Manager|12.0.327|190|Alert Started|3|src=192.168.1.20 suser=System msg=Alert: Memory Critical Threshold Exceeded\\nSubject: 192.168.1.20\\nSeverity: Critical TrendMicroDsTenant=Primary TrendMicroDsTenantId=0",
                 "severity": 3,
                 "type": [
-                    "connection",
-                    "access",
-                    "allowed",
-                    "denied",
                     "info"
                 ]
             },
@@ -108,16 +102,13 @@
             },
             "event": {
                 "category": [
-                    "network"
+                    "malware",
+                    "threat"
                 ],
                 "code": "740",
                 "original": "<190>2021-10-09T01:54:56-07:00 192.168.1.20 CEF:0|Trend Micro|Deep Security Manager|12.0.327|740|Agent/Appliance Error|8|src=192.168.1.20 suser=System target=SMC-NewAPP (192.168.1.61) msg=The Agent/Appliance reported one or more warnings or errors. Details are found in the Agent/Appliance events listed below. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0",
                 "severity": 8,
                 "type": [
-                    "connection",
-                    "access",
-                    "allowed",
-                    "denied",
                     "info"
                 ]
             },

@@ -4,6 +4,19 @@ processors:
   - set:
       field: trendmicro.event.category
       value: "app-control"
+  - set:
+      field: event.category
+      value: [intrusion_detection,package]
+  - append:
+      field: event.type
+      value: info
+      allow_duplicates: false
+  - append:
+      field: event.type
+      value: denied
+      allow_duplicates: false
+      if: ctx.trendmicro?.event?.signature_id != null && !['6002100','6002200'].contains(ctx.trendmicro.event.signature_id)
+
   - script:
       lang: painless
       params:

@@ -5,12 +5,6 @@ processors:
   - set:
       field: ecs.version
       value: "8.11.0"
-  - set:
-      field: event.category
-      value: [network]
-  - set:
-      field: event.type
-      value: [connection,access,allowed,denied,info]
   - set:
       field: trendmicro.event.signature_id
       value: "{{{event.code}}}"

@@ -4,6 +4,13 @@ processors:
   - set:
       field: trendmicro.event.category
       value: "firewall"
+  - set:
+      field: event.category
+      value: ["network"]
+  - set:
+      field: event.type
+      value: ["info"]
+
   - script:
       lang: painless
       params:

@@ -4,6 +4,13 @@ processors:
   - set:
       field: trendmicro.event.category
       value: "integrity-monitor"
+  - set:
+      field: event.category
+      value: ["configuration"]
+  - set:
+      field: event.type
+      value: ["info"]
+
   - script:
       lang: painless
       params:

@@ -4,6 +4,13 @@ processors:
   - set:
       field: trendmicro.event.category
       value: "intrusion-prevention"
+  - set:
+      field: event.category
+      value: ["intrusion_detection"]
+  - set:
+      field: event.type
+      value: ["info"]
+
   - script:
       lang: painless
       params:

@@ -4,6 +4,13 @@ processors:
   - set:
       field: trendmicro.event.category
       value: "log-inspection"
+  - set:
+      field: event.category
+      value: ["package"]
+  - set:
+      field: event.type
+      value: ["info"]
+
   - script:
       lang: painless
       params:

@@ -4,6 +4,12 @@ processors:
   - set:
       field: trendmicro.event.category
       value: "anti-malware"
+  - set:
+      field: event.category
+      value: ["malware"]
+  - set:
+      field: event.type
+      value: ["info"]
   - script:
       lang: painless
       params:

@@ -4,6 +4,13 @@ processors:
   - set:
       field: trendmicro.event.category
       value: "system"
+  - set:
+      field: event.category
+      value: [malware,threat]
+  - set:
+      field: event.type
+      value: [info]
+
   - script:
       lang: painless
       params:

@@ -4,6 +4,20 @@ processors:
   - set:
       field: trendmicro.event.category
       value: "web-reputation"
+  - set:
+      field: event.category
+      value: [network]
+  - append:
+      field: event.type
+      value: info
+      allow_duplicates: false
+      if: ctx.trendmicro?.event?.signature_id != null && ctx.trendmicro.event.signature_id == '5000000'
+  - append:
+      field: event.type
+      value: denied
+      allow_duplicates: false
+      if: ctx.trendmicro?.event?.signature_id != null && ctx.trendmicro.event.signature_id == '5000001'
+
   - script:
       lang: painless
       params:

@@ -1,11 +1,11 @@
 {
     "@timestamp": "2020-09-21T07:21:11.000Z",
     "agent": {
-        "ephemeral_id": "a938b7bf-cad0-499e-92cf-e1620b812710",
-        "id": "62a3937b-7175-47a1-bfa7-3594e38c01fa",
+        "ephemeral_id": "846f342d-d7ee-4e2c-862b-08da1c5b6631",
+        "id": "a4393c91-c8ae-478b-a4f1-fa6bc37aad87",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "8.10.2"
+        "version": "8.11.0"
     },
     "data_stream": {
         "dataset": "trendmicro.deep_security",
@@ -16,9 +16,9 @@
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "62a3937b-7175-47a1-bfa7-3594e38c01fa",
+        "id": "a4393c91-c8ae-478b-a4f1-fa6bc37aad87",
         "snapshot": false,
-        "version": "8.10.2"
+        "version": "8.11.0"
     },
     "event": {
         "agent_id_status": "verified",
@@ -27,14 +27,10 @@
         ],
         "code": "5000000",
         "dataset": "trendmicro.deep_security",
-        "ingested": "2023-10-03T10:38:39Z",
+        "ingested": "2023-12-08T20:46:55Z",
         "severity": 5,
         "type": [
-            "connection",
-            "access",
-            "allowed",
-            "denied",
-            "info"
+            "denied"
         ]
     },
     "host": {
@@ -46,8 +42,8 @@
     },
     "log": {
         "file": {
-            "device_id": 2080,
-            "inode": 91232,
+            "device_id": "113",
+            "inode": "100938580",
             "path": "/tmp/service_logs/trendmicro.log"
         },
         "offset": 20358,
@@ -76,4 +72,4 @@
     "url": {
         "original": "example.com"
     }
-}
+}
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: trendmicro
 title: "Trendmicro"
-version: "1.8.2"
+version: "1.8.3"
 description: "collect Trendmicro Deep Security events with elastic agent."
 type: integration
 categories: