Open rrevuelta opened 2 years ago
Hey @rrevuelta, I hope you are doing well!!
Thank you very much for your interest in contributing to the project 💜
I checked the link you shared above and I have a couple of questions so I can guide you when creating the dictionaries:
1) Are all the eventId and eventSubId using the same schema under Data Mapping: Endpoint Activity Data?
2) There is a data field that describes the OS version. Some sample values are "Windows 10 (64 bit)", "Windows 10 Pro (64 bit) build 19044", "Amazon Linux 2 (64 bit) (5.4.188-104.359.amzn2.x86_64)". Which platform are you considering for your contribution?
Hi @Cyb3rPandaH, it's a pleasure!
I will try to answer your questions:
Data Mapping: Endpoint Activity Data describes all the attributes that can be found in the different Endpoint Activity events. However, not all events contain all the described attributes. For example, "5 - TELEMETRY_REGISTRY" events contain registry-related attributes like "objectRegistryData" which are not present in "1 - TELEMETRY_PROCESS" events.
As you say, the osDescription field defines the OS version of the endpoint that generates the event. My first approach is to document the events generated in Windows systems (workstations and servers).
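The reply above makes the point that every Endpoint Activity event shares one schema but only carries a subset of its attributes, and that the contribution will be scoped to Windows endpoints by osDescription. Before writing a dictionary for the whole schema and one per event type, it helps to measure from exported samples which attributes each eventId actually carries, which are shared by all types, and which are specific to one. The script below is an added example, not part of this thread or the project's code. Its records are constructed; apart from eventId, eventSubId, osDescription and objectRegistryData (names that appear in the thread), the field names and eventSubId values are hypothetical placeholders.

```python
"""Profile which attributes appear per eventId in Endpoint Activity Data samples.

Added example, not the project's code. The records below are constructed and not
real Trend Micro exports: eventId 1 and 5 follow the "1 - TELEMETRY_PROCESS" and
"5 - TELEMETRY_REGISTRY" naming quoted in the thread, while the eventSubId values
and every field other than eventId, eventSubId, osDescription and
objectRegistryData are hypothetical placeholders.
"""
from collections import Counter, defaultdict

SAMPLE_EVENTS = [
    {"eventId": 1, "eventSubId": 1, "osDescription": "Windows 10 Pro (64 bit) build 19044",
     "processName": "cmd.exe", "processCmd": "cmd.exe /c whoami"},
    {"eventId": 1, "eventSubId": 1, "osDescription": "Windows 10 (64 bit)",
     "processName": "powershell.exe"},
    {"eventId": 5, "eventSubId": 1, "osDescription": "Windows 10 (64 bit)",
     "objectRegistryData": "0x1", "objectRegistryKeyHandle": "HKLM\\SOFTWARE\\Example"},
    {"eventId": 1, "eventSubId": 1,
     "osDescription": "Amazon Linux 2 (64 bit) (5.4.188-104.359.amzn2.x86_64)",
     "processName": "bash", "processCmd": "bash -c id"},
]


def windows_only(events):
    """Keep events whose osDescription is a Windows build (the scope chosen in the thread)."""
    return [ev for ev in events if ev.get("osDescription", "").startswith("Windows")]


def profile_attributes(events):
    """Map each eventId to the attributes present in every sample of that type ('always')
    and the attributes present only in some samples ('optional')."""
    always, seen = {}, defaultdict(set)
    for ev in events:
        key, fields = ev["eventId"], set(ev)
        seen[key] |= fields
        always[key] = fields if key not in always else always[key] & fields
    return {key: {"always": always[key], "optional": seen[key] - always[key]} for key in seen}


def shared_attributes(profile):
    """Attributes carried by every event type: candidates for the schema-wide dictionary."""
    per_type = [p["always"] for p in profile.values()]
    return set.intersection(*per_type) if per_type else set()


def type_specific_attributes(profile):
    """Attributes seen in exactly one event type: candidates for the per-type dictionaries."""
    owners = Counter(f for p in profile.values() for f in p["always"] | p["optional"])
    return {key: {f for f in p["always"] | p["optional"] if owners[f] == 1}
            for key, p in profile.items()}


def build_profile(events=SAMPLE_EVENTS):
    """Run the whole pipeline on Windows events and return (profile, shared, specific)."""
    profile = profile_attributes(windows_only(events))
    return profile, shared_attributes(profile), type_specific_attributes(profile)


if __name__ == "__main__":
    profile, shared, specific = build_profile()
    print("shared by all event types:", sorted(shared))
    for key in sorted(profile):
        print(f"eventId {key}: always={sorted(profile[key]['always'])} "
              f"optional={sorted(profile[key]['optional'])} specific={sorted(specific[key])}")
```

The "optional" set is the one to watch when drafting a per-type dictionary: an attribute that only some samples of an eventId carry should be documented as optional rather than assumed present, and a larger, real export will move attributes between the two sets.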
That's awesome @rrevuelta !! Let's start with Windows then 🍻 Are you part of our Discord channel? So we can keep the conversation there 😃
Here is the invite just in case: https://discord.com/invite/AxnWauZxXN
Okay, so, what we can do is create a dictionary that describes the entire Endpoint Activity Data schema, since that would be the log_source, and also create dictionaries per type of element: registry, process, etc.
Are you familiar with our yaml schema?
I just joined the server!
We can continue there.
Hi all!
I would like to contribute to this awesome project working on the addition of a new data dictionary related to the Endpoint Activity Data provided by Trend Micro EDR.
Reference: https://docs.trendmicro.com/en-us/enterprise/trend-micro-vision-one/common-apps/search-app/data-mapping-intro/data-mapping-endpoin/eventid-and-eventsub.aspx
Thanks in advance.