[TrendMicro VisionOne] Fix Detection API TMV1-Query header #8083
Conversation
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Possible to test this in system test?
@bhapas Added a system test for the same.
LGTM
Package trend_micro_vision_one - 1.12.1 containing this change is available at https://epr.elastic.co/search?package=trend_micro_vision_one
Regarding the TrendMicro integration for detection with the API path `/v3.0/search/detections`: when the header `{'Authorization': 'Bearer ' + token, 'TMV1-Query': '(uuid:*)'}` is added to the query, the result contains a significant amount of data, over 10,000 hits in the last hour. However, after updating to version 1.12.1, the output seems to be limited to roughly 10 events or fewer per hour from vision_one_detection. Is it accurate that when uuid is set as a wildcard, it should fetch all events? It seems that this expected behavior is not being observed in the recent update. Has this been thoroughly tested?
@hussein759 Any notable logs in the agent logs? Like
Thanks @bhapas, I think the request field is again causing an issue after this update; this was a bug in an earlier version for the request field and it was fixed earlier. Uploading the image where error.message shows `field [request] not present as part of path`, which again I am assuming means an array is expected but it's not mapped correctly. Image attached for your reference.
Hey @hussein759, what Bharat meant was taking Elastic Agent diagnostics logs. For a Fleet-managed Elastic Agent, you can collect them this way. If not, you can take them through the CLI. If you are seeing any errors or dropped events in the Agent logs from TrendMicro VisionOne, can you open an issue and link this PR? Regarding the above error on
Thanks @kcreddy, the request field issue is similar to #7871; this was a bug and it was fixed. If you refer to this issue for the request field you will know exactly what's going on. As per the Trend Micro document it is not mentioned that the request field will contain an array; however the Elastic developer managed to fix it to include the array, and @bhapas had raised this issue earlier for this!
@kcreddy Just to add and be clear: after this upgrade we started facing this request field bug again.
@hussein759 What @kcreddy is an example
@bhapas, sure, here is the event.original field:

```json
{"act":["not blocked"],"aggregatedCount":"1","app":"SMB2","appGroup":"CIFS","aptRelated":"0","clientFlag":"src","cnt":"8","compressedFileSize":"0","dceHash1":"0","dceHash2":"0","detectionType":"1","deviceDirection":"outbound","deviceGUID":"73497B359ABF-4189A916-9CD9-23B1-C465","deviceMacAddress":"4c:d9:8f:aa:0a:12","devicePayloadId":"99:10786206:::","deviceRiskConfidenceLevel":3,"dhost":"aeadvsa044.internal.adsic.abudhabi.ae","dmac":"00:00:0c:07:ac:96","dpt":445,"dst":["192.168.15.25"],"dstGroup":"Default","dstZone":"1","dvc":["192.168.5.221"],"dvchost":"EUADVSATM05","eventId":"100119","eventName":"SECURITY_RISK_DETECTION","eventSourceType":3,"eventTime":1696921180000,"eventTimeDT":"2023-10-10T06:59:40+00:00","filePath":"\\","filePathName":"\\","fileSize":"0","hasdtasres":"No","interestedGroup":"Default","interestedHost":"sam-b-df-09.internal.samuel.eu","interestedIp":["192.168.20.233"],"isHidden":"Yes","logKey":"23497B359ABF-4189A916-9CD9-23B1-C465_DDI-3.8-CAV-JSONv1-en_10786206","malType":"OTHERS","malTypeGroup":"Others","overSsl":"Not over SSL/TLS","pComp":"NCIE","peerGroup":"Default","peerHost":"df-08.internal.samuel.eu","peerIp":["192.168.20.233"],"pname":"Deep Discovery Inspector","potentialRisk":"1","productCode":"pdi","pver":"6.5.1129","remarks":"[\"IP address: 192.168.20.233\"]","rt":"2023-10-10T06:59:40.0000000Z","rtDate":"2023-10-10T00:00:00.0000000Z","rtHour":10,"rtWeekDay":"Tuesday","rt_utc":"2023-10-10T06:59:40.0000000Z","ruleId":3498,"ruleName":"DOWNLOAD FILE - SMB2(REQUEST) - BETA","searchDL":"DDL","senderGUID":"73497B359ABF-4189A916-9CD9-23B1-C465","senderIp":["192.168.5.221"],"severity":2,"shost":"pamm-l-df-09.internal.samuel.eu","smac":"98:72:5d:2d:13:06","spt":52066,"src":["192.168.20.233"],"srcGroup":"Default","srcZone":"1","threatType":"99","uuid":"f4b08e7d-716e-4bc9-9569-2645b7cdb958","vLANId":4095}
```
@hussein759 In your sample above the field Going back to the earlier issue with your reduced data: were you seeing higher data ingestion with the earlier integration version, and when upgraded to
@kcreddy Observations on Vision One Detection event categories. Categories with request data in the "trend_micro_vision_one.detection.request" field:
For the above categories, the "trend_micro_vision_one.detection.request" field displays data. Categories lacking data in the "trend_micro_vision_one.detection.request" field are mentioned below:
For the uuid changes you have made with `*`, the log count is fine and that is no longer an issue. Thanks for all the work! If you need any more info please let me know.
@hussein759 Awesome, thanks for the explanation. That helps a great deal!
Proposed commit message

The Detection API for TrendMicro Vision One takes a required header `TMV1-Query` which needs to contain an operator to perform the query. Currently there is no operator, which is causing the API to return zero results. This PR fixes the header and adds `:*` to the existing operator to query all events containing `uuid`.

Checklist

changelog.yml file.

Related issues
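The following is an added example written for this page; it is not code from the elastic/integrations PR, from the trend_micro_vision_one package, or from Trend Micro. It shows the request shape the PR is about (the `Authorization` and `TMV1-Query` headers on `/v3.0/search/detections`), rejects a query that carries no `field:value` term (the bare `uuid` that the commit message says returned zero results), and walks a constructed response while coercing the `request` field to an array, which is what the later comments about #7871 turn on. The regional base URL, the `startDateTime`/`endDateTime`/`top` query parameters, the `{"items": [...], "nextLink": ...}` response layout and the `field:value` heuristic are all assumptions of this example, not facts stated on the page.

```python
"""Added example (not elastic/integrations or Trend Micro code).

Builds the Vision One Detection search request with the TMV1-Query header
this PR fixes, refuses a query with no field:value term, and pages through a
constructed response while normalising the `request` field to a list.
Assumptions: base URL, query parameter names, items/nextLink response shape.
"""
import re
from typing import Callable, Iterator, Optional

API_BASE = "https://api.xdr.trendmicro.com"   # assumption: regional base URL
DETECTIONS_PATH = "/v3.0/search/detections"   # path named on the PR page

# Heuristic drawn from the PR: a working TMV1-Query term looks like
# <field>:<value>, e.g. uuid:* ; a bare field name such as (uuid) gave no hits.
_TERM_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*:\S+")


def has_query_operator(tmv1_query: str) -> bool:
    """True when the query contains at least one field:value term."""
    return _TERM_RE.search(tmv1_query) is not None


def build_detection_request(token: str, tmv1_query: str,
                            start: str, end: str, top: int = 500):
    """Return (headers, params) for GET /v3.0/search/detections.

    Header names come from the PR page; the query parameter names are an
    assumption of this example."""
    if not has_query_operator(tmv1_query):
        raise ValueError(f"TMV1-Query {tmv1_query!r} has no field:value term; "
                         "the API answers such a query with zero results")
    headers = {"Authorization": "Bearer " + token, "TMV1-Query": tmv1_query}
    params = {"startDateTime": start, "endDateTime": end, "top": top}
    return headers, params


def normalize_request_field(event: dict) -> dict:
    """Coerce `request` to a list when present; leave it absent otherwise.

    The #7871 discussion says the pipeline expects an array while some
    detection categories deliver a scalar or omit the field entirely."""
    out = dict(event)
    if "request" in out and not isinstance(out["request"], list):
        out["request"] = [out["request"]]
    return out


def iter_detections(fetch: Callable[[str, dict, Optional[dict]], dict],
                    headers: dict, params: dict) -> Iterator[dict]:
    """Yield every detection across all pages.

    `fetch(url, headers, params)` returns the decoded JSON body (inject a
    real HTTP call in production); following `nextLink` without re-sending
    the original params is an assumption about the API."""
    url: Optional[str] = API_BASE + DETECTIONS_PATH
    page_params: Optional[dict] = params
    while url:
        body = fetch(url, headers, page_params)
        for item in body.get("items", []):
            yield normalize_request_field(item)
        url = body.get("nextLink")
        page_params = None


# Constructed sample pages, not real Vision One output; all values invented.
_NEXT = API_BASE + DETECTIONS_PATH + "?skipToken=page2"
SAMPLE_PAGES = {
    API_BASE + DETECTIONS_PATH: {
        "items": [
            {"uuid": "f4b08e7d-716e-4bc9-9569-2645b7cdb958",
             "eventName": "SECURITY_RISK_DETECTION",
             "request": "http://example.invalid/one"},            # scalar
            {"uuid": "0b1a2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
             "eventName": "SECURITY_RISK_DETECTION",
             "request": ["http://example.invalid/two",
                         "http://example.invalid/three"]},         # list
        ],
        "nextLink": _NEXT,
    },
    _NEXT: {
        "items": [
            {"uuid": "5f6e7d8c-9b0a-4c1d-8e2f-3a4b5c6d7e8f",
             "eventName": "SECURITY_RISK_DETECTION"},               # no request
        ],
    },
}


def fake_fetch(url: str, headers: dict, params: Optional[dict]) -> dict:
    """Stand-in for requests.get(...).json() that serves SAMPLE_PAGES."""
    return SAMPLE_PAGES[url]


def collect_all(tmv1_query: str = "(uuid:*)", token: str = "t0k3n") -> list:
    """Run the whole flow against the constructed pages."""
    headers, params = build_detection_request(
        token, tmv1_query, "2023-10-10T06:00:00Z", "2023-10-10T07:00:00Z")
    return list(iter_detections(fake_fetch, headers, params))


if __name__ == "__main__":
    for ev in collect_all():
        print(ev["uuid"], ev.get("request"))
```

Swapping `fake_fetch` for a function that performs the real GET is all that is needed to run this against a tenant; the point of the guard in `build_detection_request` is that a query without an operator fails loudly at the client rather than silently yielding an empty result set, which is exactly the symptom the PR corrects.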