elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[TrendMicro] malware event missing event type normalization (mapping to event name taxonomy event.category, event.type, ...) #9250

Closed ck-ntt closed 5 months ago

ck-ntt commented 6 months ago

Integration Version 2.0.0

Issue: trendmicro.deep_security.event_category: anti-malware-event isn't enough, since this is neither a normalized field nor a normalized value. It cannot be used for device-independent alarm rules, because it is specific to TrendMicro.

For malware events (and that's the primary use case for TrendMicro!), usable for device-independent alarm rules (SIEM ready), I would expect something like this:

The correct place should be the logs-trendmicro.deep_security-2.0.0-malware-event pipeline, which currently does not do very much.

ck-ntt commented 6 months ago

Proposed patch. (Precondition: the malware-event pipeline really is only executed for malware events. Currently it is executed from default.yml if the condition ctx.trendmicro?.deep_security?.signature_id >= 4000000 && ctx.trendmicro.deep_security.signature_id <= 4999999 is met. Are all of these events indicating found malware? I didn't check this part of your work.)

diff --git a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/malware-event.yml b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/malware-event.yml
index 8cac9e955..fae6de42c 100644
--- a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/malware-event.yml
+++ b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/malware-event.yml
@@ -5,6 +5,15 @@ processors:
       field: trendmicro.deep_security.event_category
       tag: set_deep_security_event_category
       value: anti-malware-event
+  - set:
+      field: event.category
+      value: malware
+  - set:
+      field: event.type
+      value: info
+  - set:
+      field: event.kind
+      value: alert
 on_failure:
   - append:
       field: error.message
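Review bot: The three added `set` processors unconditionally stamp event.category, event.type and event.kind on every document that reaches malware-event.yml, yet the comment above states the pipeline is entered for the whole signature_id range 4000000-4999999 without having verified that all of those are detections; gate the new processors with an `if` on ctx.trendmicro.deep_security.signature_id (or restrict the caller in default.yml) so scan start/stop events are not labelled alerts. Also, the existing processor carries `tag: set_deep_security_event_category` while the new ones have no `tag`, so an on_failure error.message cannot identify which of them failed; add a tag to each. Finally, event.category and event.type are ECS array fields, so `append` rather than `set` is the usual choice for them.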
elasticmachine commented 6 months ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

jamiehynds commented 6 months ago

Hi @ck-ntt, thanks for taking the time to test the latest version of the package. We're keen to address your feedback and ensure we're correctly capturing and mapping malware alerts.

Currently, our anti-malware pipeline is capturing the anti-malware events, which seem more focused towards events indicating that a scan started, stopped, was cancelled, etc., as per the list of events here.

Going by Trend's documentation it's difficult to determine exactly which event code(s) indicates that malware has been detected, and should therefore be categorised as a malware alert (i.e. event.category:malware and event.kind:alert).

Could you confirm which event code(s) indicate malware detection, and we can then make the necessary changes to our pipeline? A copy of the event.original field of a malware alert would also be a great help. If you're willing to provide a sample alert, I can provide an upload link to share privately.

piyush-elastic commented 6 months ago

@ck-ntt - We have not mapped them to the Malware category, as the documentation says they are Anti-Malware events (scan logs) with signature IDs ranging from 4,000,000-4,999,999. Also, we don't have anti-malware as an event.category in Elastic for mapping. So we have created an extra field called trendmicro.deep_security.event_category and set its value to anti-malware-event, in case we want to create dashboards or filter out all those logs separately. Let me know your thoughts.

ck-ntt commented 6 months ago

@piyush-elastic @jamiehynds

Unfortunately I don't get meaningful events at this customer. For this one, I had to ask them to produce an EICAR test. I understand that it's difficult without samples. That is exactly why I didn't develop my own parser.

A sample for EICAR looks like that:

489 <134>2024-02-27T15:01:16Z deepsecurity CEF:0|Trend Micro|Deep Security Agent|50.0.2654|4000000|Eicar_test_file|6|cn1=XXX cn1Label=Host ID dvchost=XXX.eu-central-1.compute.amazonaws.com TrendMicroDsTenant=XXXX TrendMicroDsTenantId=XXXX cn2=197 cn2Label=Quarantine File Size filePath=C:\\Windows\\Malware Test2.txt fileInCompressedFile= act=Delete result=Deleted msg=Realtime TrendMicroDsFileSHA1=3395856CE81F2B7382DEE72602F798B642F14140 TrendMicroDsProcessPid=0

That's event.code: 4000000, which is "Anti-Malware - Real-Time Scan" per this event type list. Now, I neither know whether all these Real-Time Scan events indicate found malware, nor whether all of 4,000,000-4,999,999 do.

I would assume so, since the only events I can find between 4,000,000-4,999,999 are these EICAR events, and I can't find any other 4,000,000-4,999,999 events except the multiple EICAR tests, even though the Real-Time Scan engine is running. Maybe also because no other events are being sent out per configuration!?

What I would do in this situation: use the action field act as the criterion, since if it is filled, then the anti-virus did something, and the only reason it did something can be that it found malware. But don't you have contact with the vendor?

jamiehynds commented 6 months ago

Thanks @ck-ntt. I'm currently discussing with our partner team at Trend to get a clear sense as to which events correspond to malware detections. They initially provided the same list of 'anti-malware events', which are more focused towards scan start, stop, terminated etc. and not actual malware alerts. I want to ensure we're not categorising these events as malware alerts. I've asked for further clarification from Trend and will let you know as soon as I have an update. Once we know exactly which events to categorise as alerts, we can easily adjust our pipelines and update our integration from there.

jamiehynds commented 5 months ago

@piyush-elastic based on guidance from Trend Micro, we can categorise the following event IDs as malware alerts (i.e. event.category: malware, event.type: info, event.kind: alert). Can we please update our pipeline to ensure the event IDs below are categorised correctly.

4000000 - Anti-Malware - Real-Time Scan
4000001 - Anti-Malware - Manual Scan
4000002 - Anti-Malware - Scheduled Scan
4000003 - Anti-Malware - Quick Scan
4000010 - Anti-Spyware - Real-Time Scan
4000011 - Anti-Spyware - Manual Scan
4000012 - Anti-Spyware - Scheduled Scan
4000013 - Anti-Spyware - Quick Scan
4000020 - Suspicious Activity - Real-Time Scan
4000030 - Unauthorized Change - Real-Time Scan
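The following is an added example, not code from the integration or from anyone in this thread: it parses the EICAR CEF sample quoted earlier and applies the categorisation that Trend Micro's guidance settles on (only the listed signature IDs become malware alerts; the rest of the 4,000,000-4,999,999 range keeps the vendor-specific category only). The CEF parser and the ECS field names it emits are mine; the signature ID list and sample line come from the thread.

```python
import re

# Constructed input: the EICAR event quoted in this thread, including its syslog framing.
SAMPLE = (
    "489 <134>2024-02-27T15:01:16Z deepsecurity CEF:0|Trend Micro|Deep Security Agent|"
    "50.0.2654|4000000|Eicar_test_file|6|cn1=XXX cn1Label=Host ID "
    "dvchost=XXX.eu-central-1.compute.amazonaws.com TrendMicroDsTenant=XXXX "
    "TrendMicroDsTenantId=XXXX cn2=197 cn2Label=Quarantine File Size "
    r"filePath=C:\\Windows\\Malware Test2.txt fileInCompressedFile= act=Delete "
    "result=Deleted msg=Realtime "
    "TrendMicroDsFileSHA1=3395856CE81F2B7382DEE72602F798B642F14140 TrendMicroDsProcessPid=0"
)

# Signature IDs that Trend Micro confirmed as malware detections (list from this thread).
MALWARE_SIGNATURE_IDS = {4000000, 4000001, 4000002, 4000003, 4000010,
                         4000011, 4000012, 4000013, 4000020, 4000030}

# A CEF extension key is a bare token followed by '=', at line start or after whitespace.
# Values may contain spaces (cn1Label=Host ID), so a value ends where the next key starts.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def parse_extension(ext):
    fields = {}
    keys = list(_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]            # may be empty, e.g. fileInCompressedFile=
        fields[m.group(1)] = raw.replace("\\\\", "\\").replace("\\=", "=")  # CEF unescape
    return fields


def parse_cef(line):
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF message in line")
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)  # split on unescaped pipes
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    version, vendor, product, dev_version, sig_id, name, severity, ext = parts
    return {"version": version[4:], "vendor": vendor, "product": product,
            "device_version": dev_version, "signature_id": sig_id, "name": name,
            "severity": severity, "extension": parse_extension(ext)}


def categorize(event):
    """Return the ECS fields to set for the event (scalar values, as in the thread's patch)."""
    sig = int(event["signature_id"])
    ecs = {"event.code": str(sig)}
    if 4000000 <= sig <= 4999999:          # range the integration routes to malware-event.yml
        ecs["trendmicro.deep_security.event_category"] = "anti-malware-event"
    if sig in MALWARE_SIGNATURE_IDS:       # only confirmed detections become alerts
        ecs.update({"event.category": "malware", "event.type": "info", "event.kind": "alert"})
    return ecs
```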

piyush-elastic commented 5 months ago

@jamiehynds - Thanks for the categorization you have provided. Surely we will consider this as an enhancement request and raise the PR soon.