tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.

Added Trend Micro EDR #32

Closed zbeastofburden closed 1 year ago

zbeastofburden commented 1 year ago

Added Trend Micro EDR

Description

  1. Does the proposed EDR feature align with our definition of telemetry? (definition here)

Yes. Trend Micro's EDR sensor is called Basecamp, which collects telemetry from clients to deliver to the XDR console called Vision One. Reference doc for installing an agent on Windows

  2. Could you please provide documentation to support the telemetry you are proposing? (If it is held privately, please reach out to me or @inodee)

Though the docs show additional coverage, I only included coverage for the telemetry which I personally verified through testing. Further developments may be added as released. Data Mapping: General Event ID table

Type of change

How Has This Been Tested?

I have access to a console with my lab environment connected, and the lab is for active malware analysis so running the Telemetry Generator scripts supplemented previously generated logs. Screenshots or other evidence can be shared if requested.

Test Configuration:

tsale commented 1 year ago

Thank you for this PR @zbeastofburden! Could you please provide the reasoning behind each of the amber values? (Partially Implemented)

zbeastofburden commented 1 year ago

Sure and I am happy to take any suggestions for more tests to verify.

The telemetry is sometimes collected in other events, meaning it could be present if the search is broad enough. Trend Micro doesn't have a discrete/specific EventId or EventSubId for some, and there were no occurrences of the other documented EventIds or EventSubIds.

Process Termination - may change to "Via Eventlogs"
eventSubId=3 - TELEMETRY_PROCESS_TERMINATE
No occurrences from my testing. The only "eventSubId=3" in my console is from a Linux systemd log forwarded by EDR in the same test environment. It may be more accurate to categorize as "Via Eventlogs" for Linux. Log data example:
eventSubId= 3 - TELEMETRY_PROCESS_TERMINATE
Process= /usr/lib/systemd/systemd-journald
Path= /usr/lib/systemd/systemd-networkd
hostOS= Ubuntu Linux 20
user= root

File Opened - undecided
eventSubId=102 - FILE_OPEN
No occurrences from my testing, including command line (notepad.exe filehere) and "double-click", nor in the past 30 days in the console. However, filenames and paths are commonly included in other events' command line strings (where applicable).

File Deletion - may change to "No"
eventSubId=103 - TELEMETRY_FILE_DELETE
No occurrences from my testing, including command line (del) and "right-click > delete", nor in the past 30 days in the console.

Local Account Creation - undecided
eventSubId=501
No occurrences from my testing, including command line (net user /ADD) and GUI. However, command line strings appear for the separate eventSubId 901 - TELEMETRY_AMSI_EXECUTE in those logs as:
Process= C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line= "net user telemetry_user Password! /ADD"
eventId= 11 - TELEMETRY_AMSI
eventSubId 901 - TELEMETRY_AMSI_EXECUTE

Local Account Deletion - may change to "No"
eventSubId=502
No occurrences from my testing, including command line (net user /DELETE) and GUI.

Local Account Modification - may change to "No"
eventSubId=504
No occurrences from my testing, including command line (net localgroup Administrators /ADD) and GUI.

URL - may change to "No"
eventSubId=201,202,203,204
IDs are inconsistent. Only the IP address is present from my testing, including command line (wget) and browser. There are no events for URLs as a separate category.
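The comment above works through each amber category by asking two questions: did the dedicated eventSubId ever fire, and if not, is the action at least visible inside another event's command line string? The script below is an added example (not part of this PR or of the EDR-Telemetry project) that automates exactly that check over exported event lines. It assumes the "key= value" line format shown in the thread, with "Command line" as a two-word key and quoted command lines; the category-to-eventSubId mapping is copied from the comment, the sample log lines are constructed for this example, and the Yes / Partially Implemented / No scoring rule is this example's own heuristic, not the project's official grading criteria.

```python
"""Score EDR telemetry coverage from exported event lines (constructed example)."""
import re

# One "key= value" pair per match. A quoted value may contain spaces and "=";
# an unquoted value runs until the next " key=" token or end of line.
_PAIR = re.compile(
    r'(?:^|(?<=\s))([A-Za-z]+)=\s*("(?:[^"\\]|\\.)*"|.*?)(?=\s+[A-Za-z]+=|$)'
)


def parse_event(line):
    """Parse one event line into a dict; also exposes the numeric eventSubId."""
    # "Command line" is the only two-word key in the sample format; fold it to one token.
    line = line.strip().replace("Command line=", "CommandLine=")
    fields = {key: value.strip().strip('"') for key, value in _PAIR.findall(line)}
    # eventSubId is exported as "3 - TELEMETRY_PROCESS_TERMINATE"; keep the number apart.
    match = re.match(r"(\d+)", fields.get("eventSubId", ""))
    fields["eventSubId_num"] = int(match.group(1)) if match else None
    return fields


# Categories under review in the thread and the eventSubIds tested for each (from the comment).
CATEGORY_SUBIDS = {
    "Process Termination": {3},
    "File Opened": {102},
    "File Deletion": {103},
    "Local Account Creation": {501},
    "Local Account Deletion": {502},
    "Local Account Modification": {504},
    "URL": {201, 202, 203, 204},
}

# Indirect evidence: the action shows up only in some other event's command line
# (the situation the comment describes for net user /ADD under eventSubId 901).
INDIRECT_PATTERNS = {
    "File Deletion": re.compile(r"\bdel\b|\bRemove-Item\b|\brm\b", re.I),
    "Local Account Creation": re.compile(r"\bnet\s+user\b.*/add\b", re.I),
    "Local Account Deletion": re.compile(r"\bnet\s+user\b.*/del(ete)?\b", re.I),
    "Local Account Modification": re.compile(r"\bnet\s+localgroup\b", re.I),
    "URL": re.compile(r"https?://\S+", re.I),
}


def assess_coverage(lines):
    """Return {category: {status, dedicated, indirect, hosts}} for the given event lines.

    Heuristic used here (this example's own, not the project's grading rule):
    a dedicated eventSubId seen at least once -> "Yes"; only indirect command-line
    evidence -> "Partially Implemented"; nothing -> "No". hosts lists the hostOS values
    of the dedicated events so a Linux-only hit (as in the thread) is visible.
    """
    events = [parse_event(line) for line in lines if line.strip()]
    report = {}
    for category, sub_ids in CATEGORY_SUBIDS.items():
        dedicated = [e for e in events if e["eventSubId_num"] in sub_ids]
        pattern = INDIRECT_PATTERNS.get(category)
        indirect = [
            e for e in events
            if pattern and e["eventSubId_num"] not in sub_ids
            and pattern.search(e.get("CommandLine", ""))
        ]
        status = "Yes" if dedicated else "Partially Implemented" if indirect else "No"
        report[category] = {
            "status": status,
            "dedicated": len(dedicated),
            "indirect": len(indirect),
            "hosts": sorted({e.get("hostOS", "?") for e in dedicated}),
        }
    return report


# Constructed sample export, modelled on the line shapes quoted in the thread.
SAMPLE_LINES = [
    r"eventSubId= 3 - TELEMETRY_PROCESS_TERMINATE Process= /usr/lib/systemd/systemd-journald "
    r"Path= /usr/lib/systemd/systemd-networkd hostOS= Ubuntu Linux 20 user= root",
    r"eventId= 11 - TELEMETRY_AMSI eventSubId= 901 - TELEMETRY_AMSI_EXECUTE "
    r"Process= C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r'Command line= "net user telemetry_user /ADD" hostOS= Windows 10 user= lab\analyst',
    r"eventId= 11 - TELEMETRY_AMSI eventSubId= 901 - TELEMETRY_AMSI_EXECUTE "
    r"Process= C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r'Command line= "Remove-Item C:\lab\sample.txt" hostOS= Windows 10 user= lab\analyst',
    r"Process= C:\Windows\System32\notepad.exe "
    r'Command line= "notepad.exe C:\lab\notes.txt" hostOS= Windows 10 user= lab\analyst',
]

if __name__ == "__main__":
    for category, r in assess_coverage(SAMPLE_LINES).items():
        print(f"{category:28} {r['status']:22} dedicated={r['dedicated']} "
              f"indirect={r['indirect']} hosts={r['hosts']}")
```

On the constructed sample this reports Process Termination as "Yes" but with hosts limited to the Ubuntu box, File Deletion and Local Account Creation as "Partially Implemented" because the action is only present in a TELEMETRY_AMSI_EXECUTE command line, and the remaining categories as "No"; the hosts column is what surfaces the "Via Eventlogs for Linux only" caveat raised in the thread.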